Distributed Identities with OpenID
Bastian Hofmann, VZnet Netzwerke Ltd.
Tuesday, 12 October 2010
Agenda
•What are Identities?
•The history of Identity Providers
•Trying it the open way: OpenID
•The rise of Social
•OpenID's future
Identities in real life
Do you really have only one identity?
Lothar Krappmann:
- Identity is conveyed by communication
- Identity is not fixed but is recreated in every communication with your fellows
- Expectations of different people result in different identities
Example: Paul Adams, http://www.slideshare.net/padday/the-real-life-social-network-v2
Identities in the Web
Register, Register, Register, ...
Single Sign-on
Microsoft Passport / Live ID
•Windows Live ID
•Launched 1999 as .NET Passport
•Used mainly for Microsoft services, but not much outside them
•OpenID Provider since 2008
OpenID
•Open decentralized user authentication
http://openid.net/
The Client
Discovery
<link rel="openid.server" href="http://www.myopenid.com/server" />
<link rel="openid2.provider" href="http://www.myopenid.com/server" />
Delegation
<meta http-equiv="X-XRDS-Location" content="http://bhofmann.myopenid.com/" />
<link rel="openid2.provider" href="http://www.myopenid.com/server" />
<link rel="openid2.local_id" href="http://bhofmann.myopenid.com/" />
<link rel="openid.server" href="http://www.myopenid.com/server" />
<link rel="openid.delegate" href="http://bhofmann.myopenid.com/" />
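The relying party learns the OP endpoint by fetching the user's identifier URL and reading these tags. The parser below is an added example, not code from the talk or from VZnet: it implements OpenID 2.0 HTML-based discovery over exactly the tag set shown on the two slides (2.0 rel names first, 1.x names as fallback, X-XRDS-Location as the Yadis hint) and only honours tags inside <head>, because tags in <body> may be user-controlled on profile pages. The sample pages and the claimed identifier http://bastian.example/ are constructed for the demo.

```python
# Added example, not from the original slides: OpenID 2.0 HTML-based
# discovery over the <link>/<meta> tags shown above, standard library only.
# The two sample pages and the claimed identifier are constructed for the demo.
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: an identifier page that delegates to myopenid.com
# (the tag set from the Delegation slide, plus a decoy link in <body>).
DELEGATING_PAGE = """<html><head>
<meta http-equiv="X-XRDS-Location" content="http://bhofmann.myopenid.com/" />
<link rel="openid2.provider" href="http://www.myopenid.com/server" />
<link rel="openid2.local_id" href="http://bhofmann.myopenid.com/" />
<link rel="openid.server" href="http://www.myopenid.com/server" />
<link rel="openid.delegate" href="http://bhofmann.myopenid.com/" />
</head><body>
<p>user content: <link rel="openid2.provider" href="http://attacker.example/op" /></p>
</body></html>"""

# Constructed sample: an OpenID 1.x-only page without delegation.
V1_PAGE = """<html><head>
<link rel="openid.server" href="http://www.myopenid.com/server" />
</head><body></body></html>"""


class _HeadLinks(HTMLParser):
    """Collect rel->href from <link> and the X-XRDS-Location <meta>, but only
    inside <head>: tags in <body> may be user-controlled (profile pages, wikis)
    and must not be able to point authentication at a different OP."""

    def __init__(self):
        super().__init__()
        self.rels = {}
        self.xrds_location = None
        self._head_closed = False

    def handle_starttag(self, tag, attrs):
        if self._head_closed:
            return
        if tag == "body":
            self._head_closed = True
            return
        a = dict(attrs)
        if tag == "link" and a.get("rel") and a.get("href"):
            for rel in a["rel"].split():                      # rel may carry several tokens
                self.rels.setdefault(rel.lower(), a["href"])  # first occurrence wins
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "x-xrds-location":
            self.xrds_location = a.get("content")

    def handle_endtag(self, tag):
        if tag == "head":
            self._head_closed = True


def discover(html, claimed_id):
    """Return the discovery result for a claimed identifier page, or None when
    the page advertises no OpenID provider. OpenID 2.0 rel names take
    precedence, the 1.x names are the fallback. Without a local_id/delegate
    the claimed identifier is also the OP-local identifier."""
    p = _HeadLinks()
    p.feed(html)
    endpoint, local_id, version = p.rels.get("openid2.provider"), p.rels.get("openid2.local_id"), 2
    if endpoint is None:
        endpoint, local_id, version = p.rels.get("openid.server"), p.rels.get("openid.delegate"), 1
    if endpoint is None:
        return None
    if urlsplit(endpoint).scheme not in ("http", "https"):
        raise ValueError("OP endpoint must be an http(s) URL: %r" % endpoint)
    return {
        "version": version,
        "op_endpoint": endpoint,
        "claimed_id": claimed_id,
        "op_local_id": local_id or claimed_id,
        # Yadis hint: when set, the RP should fetch this XRDS document first
        # and prefer its service entries over the HTML tags.
        "xrds_location": p.xrds_location,
    }


if __name__ == "__main__":
    print(discover(DELEGATING_PAGE, "http://bastian.example/"))
    print(discover(V1_PAGE, "http://bastian.example/"))
```

The result is what the relying party has to remember across the redirect: the later positive assertion must name this op_endpoint, this claimed_id and this op_local_id, otherwise any provider could assert any identifier.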
Connection Flow
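The critical step of the connection flow is the last one: the OP redirects the browser back to the relying party with a positive assertion (openid.mode=id_res), and the relying party must check it before trusting the identifier. The code below is an added example, not from the talk or from VZnet, showing both sides with a shared association: build_id_res() plays the OP and signs the assertion, verify_id_res() performs the relying-party checks in the order the OpenID 2.0 spec lists them (return_to, discovered information, nonce, signature). The association handle, MAC key, nonce, discovery result and URLs are all constructed for the demo; the check_authentication fallback for an unknown handle is left out.

```python
# Added example, not from the original slides: verifying the positive
# assertion (openid.mode=id_res) at the end of the connection flow. Both
# sides are shown so the sample is self-contained. Association handle, MAC
# key, nonce, discovery result and URLs are constructed for the demo.
import base64
import hashlib
import hmac
import re
from datetime import datetime, timezone
from urllib.parse import parse_qsl, urlencode, urlsplit

OPENID2_NS = "http://specs.openid.net/auth/2.0"

# Constructed association, as the RP would cache it after the "associate" step.
ASSOCIATIONS = {
    "http://www.myopenid.com/server": {
        "handle": "{HMAC-SHA256}{demo}{assoc-1}",
        "type": "HMAC-SHA256",
        "mac_key": bytes(range(32)),   # demo key only; real keys come from associate/DH
    }
}
DIGESTS = {"HMAC-SHA1": hashlib.sha1, "HMAC-SHA256": hashlib.sha256}
REQUIRED_SIGNED = {"op_endpoint", "return_to", "response_nonce", "assoc_handle", "claimed_id", "identity"}
NONCE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)")   # UTC timestamp + unique suffix

# Constructed discovery result and RP return URL used by the demo.
DISCOVERED = {"op_endpoint": "http://www.myopenid.com/server",
              "claimed_id": "http://bastian.example/",
              "op_local_id": "http://bhofmann.myopenid.com/"}
RETURN_TO = "https://rp.example/openid/return"


def compute_sig(fields, assoc):
    """OpenID 2.0 signature: HMAC over the key-value form ("key:value\\n") of the
    fields listed in openid.signed, in that order, base64-encoded."""
    signed = fields["openid.signed"].split(",")
    kv = "".join("%s:%s\n" % (k, fields["openid." + k]) for k in signed)
    mac = hmac.new(assoc["mac_key"], kv.encode("utf-8"), DIGESTS[assoc["type"]]).digest()
    return base64.b64encode(mac).decode("ascii")


def build_id_res(claimed_id, local_id, return_to, nonce, op_endpoint, assoc):
    """OP side: the signed positive assertion, as the query string of the redirect to return_to."""
    f = {"openid.ns": OPENID2_NS, "openid.mode": "id_res",
         "openid.op_endpoint": op_endpoint, "openid.claimed_id": claimed_id,
         "openid.identity": local_id, "openid.return_to": return_to,
         "openid.response_nonce": nonce, "openid.assoc_handle": assoc["handle"],
         "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle"}
    f["openid.sig"] = compute_sig(f, assoc)
    return urlencode(f)


def nonce_timestamp(nonce):
    """Epoch seconds of the UTC timestamp prefixing a response_nonce, or None if malformed."""
    m = NONCE_RE.match(nonce)
    if not m:
        return None
    return datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc).timestamp()


def verify_id_res(query, request_url, discovered, seen_nonces, now, max_skew=300):
    """RP side: returns the verified claimed identifier or raises ValueError."""
    p = dict(parse_qsl(query, keep_blank_values=True))
    if p.get("openid.ns") != OPENID2_NS or p.get("openid.mode") != "id_res":
        raise ValueError("not an OpenID 2.0 positive assertion")
    # 1. return_to must be the URL this response arrived at (extra query params aside)
    got, want = urlsplit(p.get("openid.return_to", "")), urlsplit(request_url)
    if (got.scheme, got.netloc, got.path) != (want.scheme, want.netloc, want.path):
        raise ValueError("return_to mismatch")
    # 2. endpoint and identifiers must be the ones discovery produced
    if p.get("openid.op_endpoint") != discovered["op_endpoint"]:
        raise ValueError("op_endpoint does not match discovery")
    if (p.get("openid.claimed_id"), p.get("openid.identity")) != (discovered["claimed_id"], discovered["op_local_id"]):
        raise ValueError("identifier does not match discovery")
    # 3. nonce: fresh timestamp, never accepted before from this OP
    nonce = p.get("openid.response_nonce", "")
    ts = nonce_timestamp(nonce)
    if ts is None:
        raise ValueError("malformed response_nonce")
    if abs(now - ts) > max_skew:
        raise ValueError("response_nonce outside the allowed time window")
    if (p["openid.op_endpoint"], nonce) in seen_nonces:
        raise ValueError("replayed response_nonce")
    # 4. signature with the cached association; required fields must be under it
    assoc = ASSOCIATIONS.get(p["openid.op_endpoint"])
    if assoc is None or assoc["handle"] != p.get("openid.assoc_handle"):
        raise ValueError("unknown assoc_handle (would need check_authentication)")
    if not REQUIRED_SIGNED <= set(p.get("openid.signed", "").split(",")):
        raise ValueError("required field not covered by the signature")
    try:
        expected = compute_sig(p, assoc)
    except KeyError:
        raise ValueError("a field listed in openid.signed is missing")
    if not hmac.compare_digest(expected, p.get("openid.sig", "")):
        raise ValueError("bad signature")
    seen_nonces.add((p["openid.op_endpoint"], nonce))
    return p["openid.claimed_id"]


def check_id_res(*args, **kw):
    """Convenience wrapper: (claimed_id, None) on success, (None, reason) on failure."""
    try:
        return verify_id_res(*args, **kw), None
    except ValueError as e:
        return None, str(e)
```

The order matters in practice: the signature check comes last because a valid signature from the wrong OP, or over a stale nonce, is still worthless, and hmac.compare_digest keeps the comparison constant-time.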
DEMO
Authentication vs Authorization
Authentication: Who is the user? Is this really user X?
Authorization: Is X allowed to do something? Does X have the permission?
Client sites want more than just a unique identifier (Social Graph)
But there are Spec Extensions
Simple Registration
•Allows the client to specify in the request which fields must or should be returned by the Identity Provider
Request: openid.ns.sreg=http://openid.net/extensions/sreg/1.1&openid.sreg.required=fullname&openid.sreg.optional=email,gender
Response: openid.ns.sreg=http://openid.net/extensions/sreg/1.1&openid.sreg.fullname=Bastian&openid.sreg.gender=male
Attribute Exchange
•Two-way exchange of data possible
Fetch request:
openid.ns.ax=http://openid.net/srv/ax/1.0
openid.ax.mode=fetch_request
openid.ax.type.fname=http://example.com/schema/fullname
openid.ax.type.gender=http://example.com/schema/gender
openid.ax.type.fav_dog=http://example.com/schema/favourite_dog
openid.ax.type.fav_movie=http://example.com/schema/favourite_movie
openid.ax.count.fav_movie=3
openid.ax.required=fname,gender
openid.ax.if_available=fav_dog,fav_movie
openid.ax.update_url=http://idconsumer.com/update?transaction_id=a6b5c41
Fetch response:
openid.ns.ax=http://openid.net/srv/ax/1.0
openid.ax.mode=fetch_response
openid.ax.type.fname=http://example.com/schema/fullname
openid.ax.type.gender=http://example.com/schema/gender
openid.ax.type.fav_dog=http://example.com/schema/favourite_dog
openid.ax.type.fav_movie=http://example.com/schema/favourite_movie
openid.ax.value.fname=John Smith
openid.ax.count.gender=0
openid.ax.value.fav_dog=Spot
openid.ax.count.fav_movie=2
openid.ax.value.fav_movie.1=Movie1
openid.ax.value.fav_movie.2=Movie2
openid.ax.update_url=http://idconsumer.com/update?transaction_id=a6b5c41
Store request:
openid.ns.ax=http://openid.net/srv/ax/1.0
openid.ax.mode=store_request
openid.ax.type.fname=http://example.com/schema/fullname
openid.ax.value.fname=Bob Smith
openid.ax.type.fav_movie=http://example.com/schema/favourite_movie
openid.ax.count.fav_movie=2
openid.ax.value.fav_movie.1=Movie1
openid.ax.value.fav_movie.2=Movie2
Store response:
openid.ns.ax=http://openid.net/srv/ax/1.0
openid.ax.mode=store_response_success
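The fetch_response above mixes three value encodings (a single value.<alias>, count=0 for "no value", and count=N with value.<alias>.1..N), and the namespace alias "ax" is the OP's choice rather than a fixed string. The following is an added example, not code from the talk or from VZnet: a fetch_request builder and a fetch_response parser for exactly those shapes. It also refuses AX fields that are not listed in openid.signed, since extension parameters outside the signature can be injected by whoever controls the redirect. The sample response is the slide's, reconstructed as a dict; the signed-field list is constructed for the demo.

```python
# Added example, not from the original slides: Attribute Exchange 1.0
# fetch_request builder and fetch_response parser. SAMPLE_RESPONSE is the
# slide's response as a dict; SAMPLE_SIGNED is constructed for the demo.
AX_NS = "http://openid.net/srv/ax/1.0"

SAMPLE_RESPONSE = {
    "openid.ns.ax": AX_NS,
    "openid.ax.mode": "fetch_response",
    "openid.ax.type.fname": "http://example.com/schema/fullname",
    "openid.ax.type.gender": "http://example.com/schema/gender",
    "openid.ax.type.fav_dog": "http://example.com/schema/favourite_dog",
    "openid.ax.type.fav_movie": "http://example.com/schema/favourite_movie",
    "openid.ax.value.fname": "John Smith",
    "openid.ax.count.gender": "0",
    "openid.ax.value.fav_dog": "Spot",
    "openid.ax.count.fav_movie": "2",
    "openid.ax.value.fav_movie.1": "Movie1",
    "openid.ax.value.fav_movie.2": "Movie2",
    "openid.ax.update_url": "http://idconsumer.com/update?transaction_id=a6b5c41",
}
# What openid.signed would list when the OP signs every AX field (constructed).
SAMPLE_SIGNED = [k[len("openid."):] for k in SAMPLE_RESPONSE]


def build_fetch_request(types, required=(), if_available=(), counts=None, update_url=None):
    """RP side: AX fetch_request parameters. `types` maps an attribute alias to its type URI."""
    params = {"openid.ns.ax": AX_NS, "openid.ax.mode": "fetch_request"}
    for alias, uri in types.items():
        params["openid.ax.type." + alias] = uri
    for alias, n in (counts or {}).items():
        params["openid.ax.count." + alias] = str(n)
    if required:
        params["openid.ax.required"] = ",".join(required)
    if if_available:
        params["openid.ax.if_available"] = ",".join(if_available)
    if update_url:
        params["openid.ax.update_url"] = update_url
    return params


def ax_alias(params):
    """The namespace alias the OP used for AX (usually 'ax', but not guaranteed)."""
    for k, v in params.items():
        if k.startswith("openid.ns.") and v == AX_NS:
            return k[len("openid.ns."):]
    return None


def parse_fetch_response(params, signed):
    """RP side: map type URI -> list of values. `signed` is the field list from
    openid.signed; any AX field outside the signature makes the whole response
    untrusted, so it is rejected rather than silently dropped."""
    alias = ax_alias(params)
    if alias is None:
        return {}
    prefix = "openid.%s." % alias
    ax_keys = [k for k in params if k.startswith(prefix) or k == "openid.ns." + alias]
    unsigned = sorted(k for k in ax_keys if k[len("openid."):] not in signed)
    if unsigned:
        raise ValueError("unsigned AX fields: %s" % unsigned)
    if params.get(prefix + "mode") != "fetch_response":
        raise ValueError("not an AX fetch_response")
    result = {}
    for k, type_uri in params.items():
        if not k.startswith(prefix + "type."):
            continue
        name = k[len(prefix + "type."):]
        count = params.get(prefix + "count." + name)
        if count is None:
            # no count: at most one value, carried in value.<name>
            single = params.get(prefix + "value." + name)
            result[type_uri] = [] if single is None else [single]
        else:
            # count given: values are value.<name>.1 .. value.<name>.<count>; 0 means none
            values = []
            for i in range(1, int(count) + 1):
                key = "%svalue.%s.%d" % (prefix, name, i)
                if key not in params:
                    raise ValueError("missing " + key)
                values.append(params[key])
            result[type_uri] = values
    return result
```

Keying the result by type URI rather than by alias is deliberate: the alias is only meaningful within one message, while the type URI is what the relying party actually asked for.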
OpenID + OAuth
•Combines OpenID authentication and OAuth authorization
Request: openid.ns.oauth=http://specs.openid.net/extensions/oauth/1.0&openid.oauth.consumer=123456
Response: openid.ns.oauth=http://specs.openid.net/extensions/oauth/1.0&openid.oauth.request_token=7890
OAuth 1.0a Flow
(A) The web client obtains a Request Token and Token Secret from the Authorization Server and redirects the end user's browser there
(B) The browser presents the Request Token to the Authorization Server
(C) The user authenticates at the Authorization Server
(D) The Authorization Server redirects the browser back to the web client with a Verifier
(E) The web client sends the Request Token and Verifier to the Authorization Server and receives the Access Token and Token Secret
Every request: client credentials, nonce, timestamp, signature
http://oauth.net/
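The per-request signature is where most OAuth 1.0a pain lives: both sides must percent-encode, collect and sort the parameters identically, and any divergence surfaces only as "invalid signature". The code below is an added example, not from the talk or from VZnet, implementing HMAC-SHA1 signing and server-side verification against RFC 5849, including the nonce and timestamp replay checks the slide lists. The sample request, credentials and secrets are the worked example from RFC 5849 section 3.4.1.1; the replay cache is constructed for the demo.

```python
# Added example, not from the original slides: OAuth 1.0a request signing
# (RFC 5849, HMAC-SHA1) on the client side and verification with replay
# protection on the server side. The sample request and secrets are the ones
# from RFC 5849 section 3.4.1.1; the replay cache is constructed for the demo.
import base64
import hashlib
import hmac
import time
from urllib.parse import parse_qsl, quote, urlsplit

EXAMPLE_URL = "http://example.com/request?b5=%3D%253D&a3=a&c%40=&a2=r%20b"
EXAMPLE_BODY = "c2&a3=2+q"
EXAMPLE_OAUTH = {
    "oauth_consumer_key": "9djdj82h48djs9d2",
    "oauth_token": "kkk9d7dh3k39sjv7",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "137131201",
    "oauth_nonce": "7d8f3e4a",
}
EXAMPLE_CLIENT_SECRET = "j49sk3j29djd"
EXAMPLE_TOKEN_SECRET = "dh893hdasih9"


def oauth_encode(value):
    """RFC 5849 section 3.6: only ALPHA, DIGIT, '-', '.', '_' and '~' are left unencoded."""
    return quote(str(value), safe="")


def collect_params(url, body, oauth_params):
    """Every (name, value) pair that enters the signature: query string, form
    body and the oauth_* parameters, minus oauth_signature and realm."""
    params = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    params += parse_qsl(body or "", keep_blank_values=True)
    params += [(k, v) for k, v in oauth_params.items() if k not in ("oauth_signature", "realm")]
    return params


def signature_base_string(method, url, params):
    """RFC 5849 section 3.4.1: METHOD & enc(base URI) & enc(normalized parameters)."""
    u = urlsplit(url)
    default_port = (u.scheme == "http" and u.port == 80) or (u.scheme == "https" and u.port == 443)
    host = u.hostname + ("" if u.port is None or default_port else ":%d" % u.port)
    base_url = "%s://%s%s" % (u.scheme.lower(), host, u.path)
    # encode names and values first, then sort by name and value (byte order)
    pairs = sorted((oauth_encode(k), oauth_encode(v)) for k, v in params)
    normalized = "&".join("%s=%s" % kv for kv in pairs)
    return "&".join([method.upper(), oauth_encode(base_url), oauth_encode(normalized)])


def hmac_sha1_signature(base_string, client_secret, token_secret=""):
    """Key is enc(client secret) & enc(token secret); the token secret may be empty."""
    key = (oauth_encode(client_secret) + "&" + oauth_encode(token_secret)).encode("ascii")
    mac = hmac.new(key, base_string.encode("utf-8"), hashlib.sha1).digest()
    return base64.b64encode(mac).decode("ascii")


def sign_request(method, url, body, oauth_params, client_secret, token_secret=""):
    """Client side: oauth_params with oauth_signature filled in."""
    base = signature_base_string(method, url, collect_params(url, body, oauth_params))
    return dict(oauth_params, oauth_signature=hmac_sha1_signature(base, client_secret, token_secret))


def verify_request(method, url, body, oauth_params, client_secret, token_secret,
                   seen_nonces, now=None, max_skew=300):
    """Server side: timestamp must be recent, the (client, token, timestamp, nonce)
    tuple must be new, and the recomputed signature must match."""
    now = time.time() if now is None else now
    try:
        ts = int(oauth_params.get("oauth_timestamp", ""))
    except ValueError:
        return False, "bad timestamp"
    if abs(now - ts) > max_skew:
        return False, "timestamp outside window"
    replay_key = (oauth_params.get("oauth_consumer_key"), oauth_params.get("oauth_token", ""),
                  ts, oauth_params.get("oauth_nonce"))
    if replay_key in seen_nonces:
        return False, "nonce replayed"
    base = signature_base_string(method, url, collect_params(url, body, oauth_params))
    expected = hmac_sha1_signature(base, client_secret, token_secret)
    if not hmac.compare_digest(expected, oauth_params.get("oauth_signature", "")):
        return False, "invalid signature"
    seen_nonces.add(replay_key)
    return True, "ok"
```

Note how much state a correct server needs (the nonce cache, a clock window, per-token secrets) compared with a bearer token over TLS; that trade-off is what the OAuth 2 slides that follow are about.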
Failures of OpenID 2.0
•Complex to implement
•No marketing
–Do you have an OpenID?
–What is it?
•URL as identifier => bad user experience
Proprietary strikes back
Facebook Connect
Twitter @Anywhere
And there are many, many more
NASCAR problem
Phishing
How to fix it?
Aggregation: Janrain
http://www.janrain.com/
OpenID Connect
•Goals:
–Easier to implement
–Simpler specification
–Better user experience
•=> wider adoption
•Built on top of OAuth 2.0
What's wrong with OAuth?
•Does not work well with non-web or JavaScript-based clients
•The "Invalid Signature" problem
•Complicated flow, many requests
What's new in OAuth2? (Draft 10)
•Different client profiles
•No signatures
•No token secrets
•Cookie-like bearer token
•Mandatory TLS/SSL
•No request tokens
•Much more flexible regarding extensions
http://tools.ietf.org/html/draft-ietf-oauth-v2
Web-Server Profile
(A) The web client redirects the end user's browser to the Authorization Server with its Client Identifier and Redirect URI
(B) The user authenticates at the Authorization Server
(C) The Authorization Server redirects the browser back to the Redirect URI with an Authorization Code
(D) The web client sends its Client Credentials, the Authorization Code and the Redirect URI directly to the Authorization Server
(E) The Authorization Server returns an Access Token (with optional Refresh Token)
User-Agent Profile
(A) The client running in the browser redirects to the Authorization Server with its Client Identifier and Redirection URI
(B) The user authenticates at the Authorization Server
(C) The Authorization Server redirects back to the Redirect URI with the Access Token in the URI fragment
(D) The browser requests the Redirect URI, without the fragment, from the web server hosting the client resource
(E) The web server returns a web page with script
(F) The script extracts the Access Token from the fragment
What happened to signatures?
•Ongoing controversial discussion
•Bearer tokens are fine over a secure connection
•Vulnerable if discovery is introduced
•Or if TLS/SSL is not possible
Scopes
•Optional parameter for provider specific implementations
•For example:
–Additional return values
–Access control
OpenID Connect?
•Scope: "openid"
•With the access token, additional values are returned:
–UserID: URL to Portable Contacts endpoint
–Signature
–Timestamp
http://openidconnect.com/
DEMO
OpenID Connect Discovery
•Get the identifier of the user
•Fetch the /.well-known/host-meta file at the domain of the user's provider
•Look for a link pointing to the OpenID Connect endpoints in the returned LRDD
When will it be available at VZ?
NOW in BETA
http://developer.studivz.net/wiki/index.php/VZ-Login
http://github.com/vznet/vz_os_clientlibrary_php
FOAF+SSL (WebID)
http://esw.w3.org/Foaf%2Bssl
DEMO
Problems
•Bad browser UI
•Syncing between different computers?
•More than one user on the same computer?
UX Mockups Mozilla Weave
Summing it up
•We need a single sign on system for the web
•OpenID is cool, but has some problems
•Proprietary solutions are bad for users, site owners and developers
•A new, simpler and more flexible spec is coming
•Browser vendors are working to solve this problem in the browser
Thank you
http://studivz.net/bastian
http://twitter.com/BastianHofmann
http://slideshare.net/bashofmann
http://github.com/vznet
http://developer.studivz.net