Post on 31-May-2018
8/14/2019 2007 Web2Expo Implementing OpenID
1/69
Implementing OpenID
Web 2.0 Expo
April 15-18, 2007
David Recordon <drecordon@verisign.com>
Brian Ellin <brian@janrain.com>
brief intro... and then into the code
What is OpenID?
Single sign-on for the web
Simple and light-weight (not going to replace your ATM PIN)
Easy to use and deploy
Open development process
Decentralized (no single point of failure)
Free!
Proves You Control a URI
www.davidrecordon.com brianellin.com
the common things we hear
"Been there, done that"
Great for the enterprise (centralized)
...but do you really trust them?
With OpenID, you get to choose who manages your identity.
(you can even change your mind later)
"This is a geek's toy, nobody will ever have an OpenID!"
~90 million OpenIDs (including every AOL user)
OpenID 1.1 - Estimated from various services
"Nobody will ever use this!"
Total Relying Parties (aka places you can use this stuff)
[Chart: number of relying parties by month, Sep '05 to Apr 17th '07, y-axis 0 to 2,500; annotated events: Sxip/Bounty, Webcasts/IIW, IIW, IIW, MSFT & AOL]
OpenID 1.1 - As viewed by MyOpenID.com
"So that's great there are so many blogs, but what about something real?"
"What's the big deal?"
OpenID is another important building block.
"Why should we add OpenID to our feature list?"
Simon Willison - FOWA 02/07
TechCrunch and other blogs link to dozens of new startups each week... readers aren't going to make new accounts for every single one
Creates ability to email a friend saying, "I've added you as an author to the blog I set up for our band"
Site specific hacks... "Login with your AOL OpenID and we'll send you updates over AIM"
If you're not managing passwords, you don't need to build as complex user management systems
Simon Willison - FOWA 02/07
How does it work? (protocol and flow)
Basic Terminology
OpenID Provider (OP) - Site that makes assertions about an OpenID
Relying Party (RP) - Site that wants to verify ownership of an OpenID
Using OpenID
OpenID Enabling Your Own URL
Creating an OpenID with your own server
/* ***************************************************************************
 * CONFIGURATION
 * ***************************************************************************
 *
 * You must change these values:
 *   auth_username = login name
 *   auth_password = md5(username:realm:password)
 *
 * Default username = 'test', password = 'test', realm = 'phpMyID'
 */
#$profile = array(
#    'auth_username' => 'test',
#    'auth_password' => '37fa04faebe5249023ed1f6cc867329b'
#);

/*
 * Optional - Simple Registration Extension:
 *
 * If you would like to add any of the following optional registration
 * parameters to your login profile, simply uncomment the line, and enter the
 * correct values.
 *
 * Details on the exact allowed values for these parameters can be found at:
 * http://openid.net/specs/openid-simple-registration-extension-1_0.html
 */
#$sreg = array (
#    'nickname' => 'Joe',
#    'email' => 'joe@example.com',
#    'fullname' => 'Joe Example',
#    'dob' => '1970-10-31',
#    'gender' => 'M',
#    'postcode' => '22000',
#    'country' => 'US',
#    'language' => 'en',
#    'timezone' => 'America/New_York'
#);
Hash My Password
/* ***************************************************************************
 * CONFIGURATION
 * ***************************************************************************
 *
 * You must change these values:
 *   auth_username = login name
 *   auth_password = md5(username:realm:password)
 *
 * Default username = 'test', password = 'test', realm = 'phpMyID'
 */
$profile = array(
    'auth_username' => 'david',
    'auth_password' => 'e0fee9a99fa2fe004bbd70b972a03aa1'
);

/*
 * Optional - Simple Registration Extension:
 *
 * If you would like to add any of the following optional registration
 * parameters to your login profile, simply uncomment the line, and enter the
 * correct values.
 *
 * Details on the exact allowed values for these parameters can be found at:
 * http://openid.net/specs/openid-simple-registration-extension-1_0.html
 */
#$sreg = array (
#    'nickname' => 'Joe',
#    'email' => 'joe@example.com',
#    'fullname' => 'Joe Example',
#    'dob' => '1970-10-31',
#    'gender' => 'M',
#    'postcode' => '22000',
#    'country' => 'US',
#    'language' => 'en',
#    'timezone' => 'America/New_York'
#);
Configure Profile Data

$profile = array(
    'auth_username' => 'david',
    'auth_password' => 'e0fee9a99fa2fe004bbd70b972a03aa1'
);

/*
 * Optional - Simple Registration Extension:
 *
 * If you would like to add any of the following optional registration
 * parameters to your login profile, simply uncomment the line, and enter the
 * correct values.
 *
 * Details on the exact allowed values for these parameters can be found at:
 * http://openid.net/specs/openid-simple-registration-extension-1_0.html
 */
$sreg = array (
    'nickname' => 'daveman692',
    'email' => 'recordond@gmail.com',
    'fullname' => 'David Recordon',
    'dob' => '1986-09-04',
    'gender' => 'M',
    'postcode' => '941458',
    'country' => 'US',
    'language' => 'en',
    'timezone' => 'America/Los_Angeles'
);
Upload
Configure Delegation
(source of www.davidrecordon.com)

<title>David Recordon</title>
<link rel="openid.server" href="https://pip.verisignlabs.com/server" />
<style type="text/css">
div {
    text-align: center;
    color: #C0C0C0;
}
img {
    border: 0px;
}
a {
    color: #C0C0C0;
}
</style>
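The discovery step that a relying party runs against a delegating page like the one above, as an added example (not code from the slides or from ruby-openid). The sample HTML is constructed: the openid.server URL is the one on the slide, the openid.delegate URL is an assumed placeholder.

```ruby
# Added example: OpenID 1.1 HTML-based discovery. The RP fetches the URL the
# user typed and looks in <head> for
#   <link rel="openid.server"   href="...">  (required: the OP endpoint)
#   <link rel="openid.delegate" href="...">  (optional: the identifier the OP knows)
# Constructed sample page; the delegate URL is a placeholder, not a real one.
SAMPLE_HTML = <<~HTML
  <html><head>
    <title>David Recordon</title>
    <link rel="openid.server" href="https://pip.verisignlabs.com/server" />
    <link rel="openid.delegate" href="https://delegate.example.invalid/david" />
    <style>div { text-align: center; color: #C0C0C0; }</style>
  </head><body><div>David Recordon</div></body></html>
HTML

LINK_RE = /<link\s+([^>]*)>/im

# Pull one attribute value out of the raw attribute string of a <link> tag.
def link_attr(attrs, name)
  m = attrs.match(/\b#{name}\s*=\s*["']([^"']*)["']/i)
  m && m[1]
end

# Returns {:claimed, :server, :delegate}, or nil when the page carries no
# openid.server link. Only <link> tags inside <head> are considered.
def discover(html, claimed_url)
  head = html[/<head>.*?<\/head>/im] || ''
  found = { :claimed => claimed_url, :server => nil, :delegate => nil }
  head.scan(LINK_RE).flatten.each do |attrs|
    rel  = link_attr(attrs, 'rel').to_s.downcase.split
    href = link_attr(attrs, 'href')
    next unless href
    found[:server]   ||= href if rel.include?('openid.server')
    found[:delegate] ||= href if rel.include?('openid.delegate')
  end
  return nil unless found[:server]
  # Without a delegate the OP is asked about the claimed URL itself. With one,
  # the OP asserts about the delegate, but the RP must still record the user
  # as the claimed URL: delegates are OP-specific and change when the user
  # later moves to another provider (the "change your mind later" slide).
  found[:delegate] ||= claimed_url
  found
end
```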
Done!
Time to configure and upload phpMyID:
http://cal.web2expo.com/
OpenID Enabling ExpoCal
Existing users: Sign in and click the "add OpenID" link at the top right
New users: Click "login" and sign in with your OpenID, skipping the signup process :)
Tools Used
iCalico by Kellan Elliott-McCrea and Evan Henshaw-Plath
Ruby and Rails
gem install ruby-openid
ExpoCal User Model
Stores login name and hashed password
We need to add an optional OpenID column
class AddOpenId < ActiveRecord::Migration
  def self.up
    # nullable: existing password-based accounts keep working without an OpenID
    add_column :users, :openid, :string
    add_index :users, [:openid], :name => :users_openid_index
  end

  def self.down
    remove_column :users, :openid
  end
end
Using the OpenID Library
def consumer
  store_dir = Pathname.new(RAILS_ROOT).join('db').join('openid-store')
  store = OpenID::FilesystemStore.new(store_dir)
  return OpenID::Consumer.new(session, store)
end

FilesystemStore saves OpenID transaction state (associations and nonces)
OpenID::Consumer handles the protocol details
Add OpenID UI

Or, login with OpenID
<%= form_tag(:controller => 'account', :action => 'openid_start') %>
  OpenID: <%= text_field_tag 'openid_identifier' %>
Handle Login Form Submit

def openid_start
  # 1. Discover the user's OP, 2. Associate with it (shared secret in the store)
  openid_request = consumer.begin(params[:openid_identifier])

  case openid_request.status
  when OpenID::SUCCESS
    return_to = url_for(:action => 'openid_finish')
    trust_root = url_for(:controller => '')
    # 3. Redirect the browser to the OP; it comes back to return_to
    server_redirect_url = openid_request.redirect_url(trust_root, return_to)
    redirect_to(server_redirect_url)

  when OpenID::FAILURE
    flash[:notice] = "Could not find your OpenID server."
    redirect_back_or_default(:controller => '/account', :action => 'index')

  end
end

(we'll handle the server response at the return_to URL)
1. Discover  2. Associate  3. Redirect
Redirect to OpenID Provider
Handle Server Response

def openid_finish
  # complete() checks the OP's signature, return_to and nonce before
  # the identity_url below may be trusted
  openid_response = consumer.complete(params)

  case openid_response.status
  when OpenID::SUCCESS
    openid = openid_response.identity_url
    @user = User.find_by_openid(openid)

    unless @user
      @user = User.create(:openid => openid, :login => openid)
    end
    self.current_user = @user
    flash[:notice] = "Welcome #{@user.openid}"

  when OpenID::FAILURE
    flash[:notice] = 'Verification failed.'
  end

  redirect_back_or_default(:controller => 'talk', :action => 'list')
end
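What consumer.complete(params) verifies before openid_finish may trust identity_url, written out as an added example (not code from the slides or from ruby-openid) with both the OP and RP sides. The association handle, MAC key and the return_to URL (built from cal.web2expo.com and the account controller) are constructed for the example.

```ruby
require 'openssl'
require 'base64'
require 'securerandom'

# Added example: the OpenID 1.1 signature check behind consumer.complete.
# During "Associate" the RP and OP agreed on a shared MAC key, which the RP
# keeps under the assoc_handle (the slides use FilesystemStore); here a single
# constructed association lives in memory.
ASSOCIATIONS = { 'assoc-1' => SecureRandom.random_bytes(20) }

# Key-value form of the fields listed in openid.signed, in that order.
def token_contents(params)
  params['openid.signed'].to_s.split(',').map { |k| "#{k}:#{params["openid.#{k}"]}\n" }.join
end

# openid.sig = base64(HMAC-SHA1(mac_key, token_contents))
def sign(mac_key, params)
  Base64.strict_encode64(OpenSSL::HMAC.digest(OpenSSL::Digest.new('sha1'), mac_key, token_contents(params)))
end

# Constant-time comparison so a forged signature cannot be guessed byte by byte.
def secure_eq(a, b)
  a.bytesize == b.bytesize && a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) } == 0
end

# OP side: the id_res response the user's browser carries back to return_to.
def op_response(identity, return_to, handle = 'assoc-1')
  params = { 'openid.mode' => 'id_res', 'openid.identity' => identity,
             'openid.return_to' => return_to, 'openid.assoc_handle' => handle,
             'openid.signed' => 'mode,identity,return_to' }
  params.merge('openid.sig' => sign(ASSOCIATIONS.fetch(handle), params))
end

# RP side. Returns the verified identity URL or nil. Rejects an unknown
# association, a signature that does not cover the essential fields, a bad
# signature (which is what a swapped identity produces), and a response meant
# for another return_to. The real library additionally matches the response
# against the request that openid_start stored in the session.
def verify(params, our_return_to)
  mac_key = ASSOCIATIONS[params['openid.assoc_handle']]
  return nil unless mac_key && params['openid.mode'] == 'id_res'
  signed = params['openid.signed'].to_s.split(',')
  return nil unless (%w[mode identity return_to] - signed).empty?
  return nil unless secure_eq(sign(mac_key, params), params['openid.sig'].to_s)
  return nil unless params['openid.return_to'] == our_return_to
  params['openid.identity']
end
```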
Done!
Time to implement OpenID in iCalico: 45 minutes
http://cal.web2expo.com/
"So this all looks great, but what are the downsides?"
More kittens!
Kitten Overload!
FAKE
Identity theft! :'(
Simon Willison - FOWA 02/07
You could just remove passwords
Client Side Certs
Microsoft CardSpace (UI for certs)
Vidoop (changing the metaphor)
...but passwords are still widely used
VeriSign's OpenID Seatbelt (demoing today)
OpenID is great for innovation! (authentication method is up to the provider and user)
"I don't want just one identity... I mean I don't want my boss to know I'm a furry!"
Well, you don't wear your furry suit to work, do you?
So use multiple OpenIDs! (you already do this with email addresses today)
Go code! (and join the conversation at OpenID.net)
Thanks!
David Recordon <drecordon@verisign.com>
(and don't forget to grab a CD)
Brian Ellin <brian@janrain.com>