Distributed Identities with OpenID

Bastian Hofmann, VZnet Netzwerke Ltd.

Distributed Identities with OpenID

Dienstag, 12. Oktober 2010

Agenda

•What are Identities?

•The history of Identity Providers

•Trying it the open way: OpenID

•The rise of Social

•OpenIDs futureDienstag, 12. Oktober 2010

Identities in real life


Do you have really only one identity?Lothar Krappmann:

- Identity is conveyed by communication

- Identity is not fixed but recreated by every communication with your fellows

- Expectations of different people result in different identities


Example:

Paul Adamshttp://www.slideshare.net/padday/the-real-life-social-network-v2


Identities in the Web


Register, Register, Register, ...


Single Sign on

ul_Marga


http://www.flickr.com/photos/ul_marga/

http://www.flickr.com/photos/ul_marga/

Microsoft Passport / Live ID

•Windows Live ID•Launched 1999 as .net Passport

•Used mainly for Microsoft Services but not much outside

•OpenID Provider since 2008


OpenID

•Open decentralized user authentication

http://openid.net/


http://openid.net

http://openid.net

The Client


Discovery<link rel="openid.server" href="http://www.myopenid.com/server" /><link rel="openid2.provider" href="http://www.myopenid.com/server" />

<meta http-equiv="X-XRDS-Location" content="http://bhofmann.myopenid.com/" /> <link rel="openid2.provider" href="http://www.myopenid.com/server" /> <link rel="openid2.local_id" href="http://bhofmann.myopenid.com/" /> <link rel="openid.server" href="http://www.myopenid.com/server" /> <link rel="openid.delegate" href="http://bhofmann.myopenid.com/" />

Delegation


http://bhofmann.myopenid.com




http://www.myopenid.com/server
















Connection Flow


DEMO


Authentication vs Authorization

Who is the user?Is this really user X?

Is X allowed to do something?

Does X have the permission?

VS

Client sites want more than just a unique identifier (Social Graph)


But there are Spec Extensions

decafinata


http://www.flickr.com/photos/decafinata/

http://www.flickr.com/photos/decafinata/

Simple Registration

•Allows to specify certain fields in request that must or should be returned by the Identity Provider

openid.sreg.required=openid.sreg.fullname&openid.sreg.optional=openid.sreg.email,openid.sreg.gender

openid.sreg.fullname=Bastian&openid.sreg.gender=male


Attribute Exchange

•Two-Way exchange of data possiblepenid.ns.ax=http://openid.net/srv/ax/1.0openid.ax.mode=fetch_requestopenid.ax.type.fname=http://example.com/schema/fullnameopenid.ax.type.gender=http://example.com/schema/genderopenid.ax.type.fav_dog=http://example.com/schema/favourite_dogopenid.ax.type.fav_movie=http://example.com/schema/favourite_movieopenid.ax.count.fav_movie=3openid.ax.required=fname,genderopenid.ax.if_available=fav_dog,fav_movieopenid.ax.update_url=http://idconsumer.com/update?transaction_id=a6b5c41


Attribute Exchange

•Two-Way exchange of data possibleopenid.ns.ax=http://openid.net/srv/ax/1.0openid.ax.mode=fetch_responseopenid.ax.type.fname=http://example.com/schema/fullnameopenid.ax.type.gender=http://example.com/schema/genderopenid.ax.type.fav_dog=http://example.com/schema/favourite_dogopenid.ax.type.fav_movie=http://example.com/schema/favourite_movieopenid.ax.value.fname=John Smithopenid.ax.count.gender=0openid.ax.value.fav_dog=Spotopenid.ax.count.fav_movie=2openid.ax.value.fav_movie.1=Movie1openid.ax.value.fav_movie.2=Movie2openid.ax.update_url=http://idconsumer.com/update?transaction_id=a6b5c41


Attribute Exchange

•Two-Way exchange of data possibleopenid.ns.ax=http://openid.net/srv/ax/1.0openid.ax.mode=store_requestopenid.ax.type.fname=http://example.com/schema/fullnameopenid.ax.value.fname=Bob Smithopenid.ax.type.fav_movie=http://example.com/schema/favourite_movieopenid.ax.count.fav_movie=2openid.ax.value.fav_movie.1=Movie1openid.ax.value.fav_movie.2=Movie2

openid.ns.ax=http://openid.net/srv/ax/1.0openid.ax.mode=store_response_success


OpenID + OAuth

•Combines OpenID Authentication and OAuth authorization

openid.ns.oauth=http://specs.openid.net/extensions/oauth/1.0&openid.oauth.consumer=123456

openid.ns.oauth=http://specs.openid.net/extensions/oauth/1.0&openid.oauth.request_token=7890


http://specs.openid.net/extensions/oauth/1.0




OAuth 1.0a Flow +----------+ +---------------+ | -+----(B)-- Request Token -------->| | | End-user | | Authorization | | at |<---(C)-- User authenticates --->| Server | | Browser | | | | -+----(D)-- Verifier -------------<| | +-|----|---+ +---------------+ | | ^ v (B) (D) | | | | | | ^ v | | +---------+ | | | |>---(A)-- Redirect URL ---------------| | | Web |<---(A)-- Request Token + Secret -----| | | Client |>---(E)-- Request Token, Verifier ----' | | |<---(E)-- Access Token + Secret -------------' +---------+

Every Request: Client Credentials, Nonce, Timestamp, Signaturehttp://oauth.net/


http://oauth.net

http://oauth.net

Failures of OpenID 2.0

•Complex to implement

•No marketing–Do you have an OpenID?–What is it?

•URL as identifier => Bad User Experience


Proprietary strikes back


Facebook Connect


Twitter @Anywhere


And there are much, much more


Nascar problem

Vaguely Artistic


http://www.flickr.com/photos/vaguelyartistic/

http://www.flickr.com/photos/vaguelyartistic/

Phishing


How to fix it?

Moff


http://www.flickr.com/photos/moff/

http://www.flickr.com/photos/moff/

Aggregation: Janrain

http://www.janrain.com/


http://www.janrain.com

http://www.janrain.com

OpenID Connect

•Goals:–Easier to implement–More simple specification–Better user experience

•=> wider adption•Built on top of OAuth 2.0


What‘s wrong with OAuth?

•Does not work well with non web or JavaScript based clients

•The „Invalid Signature“ Problem

•Complicated Flow, many requests


What‘s new in OAuth2? (Draft 10)

•Different client profiles•No signatures•No Token Secrets•Cookie-like Bearer Token•Mandatory TSL/SSL•No Request Tokens•Much more flexible regarding extensions

http://tools.ietf.org/html/draft-ietf-oauth-v2




Web-Server Profile +----------+ Client Identifier +---------------+ | -+----(A)--- & Redirect URI ------>| | | End-user | | Authorization | | at |<---(B)-- User authenticates --->| Server | | Browser | | | | -+----(C)-- Authorization Code ---<| | +-|----|---+ +---------------+ | | ^ v (A) (C) | | | | | | ^ v | | +---------+ | | | |>---(D)-- Client Credentials, --------' | | Web | Authorization Code, | | Client | & Redirect URI | | | | | |<---(E)----- Access Token -------------------' +---------+ (w/ Optional Refresh Token)


What happend to signatures?

•Ongoing controvers discussion

•Bearer Tokens are fine over secure connection

•Vulnerable if discovery is introduced

•Or TSL/SSL is not possible


Scopes

•Optional parameter for provider specific implementations

•For example–Additional return values–Access Control


OpenID Connect?

•Scope: „openid“

•With access token additional values are returned–UserID: URL to Portable Contacts endpoint–Signature–Timestamp

http://openidconnect.com/


http://openidconnect.com

http://openidconnect.com

DEMO


OpenID Connect Discovery

•Get Identifier of user

•Call /.well-know/host-meta file at the domain of the user‘s provider

•Look for a link pointing to the OpenID Connect endpoints in the returned LRDD


When will it be available at VZ?

NOW in BETA

http://developer.studivz.net/wiki/index.php/VZ-Loginhttp://github.com/vznet/vz_os_clientlibrary_php


http://developer.studivz.net/wiki/index.php/VZ-Login

http://developer.studivz.net/wiki/index.php/VZ-Login

http://github.com/vznet/vz_os_clientlibrary_php

http://github.com/vznet/vz_os_clientlibrary_php

FOAF+SSL (WebID)

http://esw.w3.org/Foaf%2Bssl




DEMO


Problems

•Bad browser UI

•Syncing between different computers?

•More than one user on the same computer?


UX Mockups Mozilla Weave


Summing it up

•We need a single sign on system for the web

•OpenID is cool, but has some problems

•Proprietary solutions are bad for users, site owners and developers

•A new more simple and flexible spec is coming up

•Browser vendors are working to solve this problem in the browser


Thank you

http://studivz.net/bastianhttp://twitter.com/BastianHofmannhttp://slideshare.net/bashofmann

http://github.com/vznethttp://developer.studivz.net


http://www.studivz.net/bastian

http://www.studivz.net/bastian

http://www.twitter.com/BastianHofmann

http://www.twitter.com/BastianHofmann

http://slideshare.net/bashofmann

http://slideshare.net/bashofmann

http://github.com/vznet

http://github.com/vznet

http://developer.studivz.net

http://developer.studivz.net

Distributed Identities with OpenID

Technology

Transcript of Distributed Identities with OpenID