OpenID Authentication by example
BPW2007
chrisv.cpan.org
(introductory slides: thanks to Simon Willison)
Saturday 27 October 2007
usernames & passwords suck
signing up for new accounts is a pain
my online identity exists in multiple
(hard to manage) places
user database theft
password/cc info theft
too many passwords, too many user IDs
we need single sign-on
unified, trusted identity
OpenID is a decentralized
mechanism for single sign-on
OpenID is a URL
http://vertonghen.livejournal.com
http://vertonghen.myopenid.com
http://chris.vertonghen.org
The OpenID protocol lets you prove that you
own a specific URL
An OpenID can be used as an
authentication credential
Site: “Who are you?”
Me: “I’m chris.vertonghen.org”
Site: “Prove it”
(some magic happens)
Site: “ok you’re in!”
Picking an OpenID is like picking an email
provider - you find one that you trust
If you have the ability to run your own server
software, you can do so yourself
(demo) http://www.wooblelab.com/
So my users don’t
have to sign up for an account?
Not necessarily
An OpenID tells you
very little about a user
You don’t know
their name
You don’t know
their e-mail address
You don’t know
if they’re a person
or an evil robot
You have to ask them!
OpenID can help them answer
(demo) http://www.welovelocal.com/
So how does OpenID work?
Use multiple OpenIDs to maintain multiple online
personas
professional
social
secret
...
OpenID and web service APIs naturally
complement each other
Me: “I’m vertonghen.myopenid.com”
Site fetches HTML,
discovers identity provider
Establishes shared secret
with identity provider
(Using Diffie-Hellman key exchange)
Redirects you to the identity provider
when you’re logged in there, you get redirected back
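The four slides above are the whole protocol: discovery, a Diffie-Hellman association that gives the site and the provider a shared MAC key, a redirect to the provider, and a signed redirect back. The following Python is an added example, not code from the slides or from Net::OpenID::Consumer: it plays both sides of an OpenID 1.1 exchange through direct function calls instead of HTTP, so the association, the XOR-encrypted MAC key and the HMAC-SHA1 check on the returned `id_res` can be read end to end. The DH modulus and generator are the defaults from the OpenID 1.1 specification; the identity and return_to URLs are made up, and the verification rules mirror what a consumer library has to enforce before it says "ok you're in".

```python
import base64
import hashlib
import hmac
import os
import secrets

# Default DH group from the OpenID Authentication 1.1 spec (any large prime would do for a demo).
DEFAULT_MOD = 155172898181473697471232257763715539915724801966915404479707795314057629378541917580651227423698188993727816152646631438561595825688188889951272158842675419950341258706556549803580104870537681476726513255747040765857479291291572334510643245094715007229621094194349783925984760375594985848253359305585439638443
DEFAULT_GEN = 2


def btwoc(n):
    """Big-endian two's-complement bytes of a non-negative integer (the spec's encoding)."""
    return n.to_bytes((n.bit_length() + 8) // 8, "big")


def from_btwoc(b):
    return int.from_bytes(b, "big", signed=True)


def b64(b):
    return base64.b64encode(b).decode("ascii")


def unb64(s):
    return base64.b64decode(s)


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def dh_keypair(mod=DEFAULT_MOD, gen=DEFAULT_GEN):
    priv = secrets.randbelow(mod - 2) + 1               # private exponent in 1 .. mod-2
    return priv, pow(gen, priv, mod)


def kv_sign(mac_key, fields, signed):
    """HMAC-SHA1 over the key-value form "key:value\\n" of the signed fields, in order."""
    token = "".join("%s:%s\n" % (k, fields.get(k, "")) for k in signed)
    return hmac.new(mac_key, token.encode("utf-8"), hashlib.sha1).digest()


class Provider:
    """Minimal identity provider: answers associate requests and signs assertions."""

    def __init__(self):
        self.mac_keys = {}                              # assoc_handle -> MAC key

    def associate(self, req):
        assert req["openid.session_type"] == "DH-SHA1"
        mod = from_btwoc(unb64(req["openid.dh_modulus"]))
        gen = from_btwoc(unb64(req["openid.dh_gen"]))
        consumer_pub = from_btwoc(unb64(req["openid.dh_consumer_public"]))
        priv, pub = dh_keypair(mod, gen)
        shared = pow(consumer_pub, priv, mod)
        mac_key = os.urandom(20)                        # 160-bit HMAC-SHA1 key
        handle = b64(os.urandom(12))
        self.mac_keys[handle] = mac_key
        return {
            "assoc_type": "HMAC-SHA1", "assoc_handle": handle, "expires_in": "1200",
            "session_type": "DH-SHA1", "dh_server_public": b64(btwoc(pub)),
            # the MAC key travels XORed with SHA1(btwoc(shared secret))
            "enc_mac_key": b64(xor(mac_key, hashlib.sha1(btwoc(shared)).digest())),
        }

    def assert_identity(self, handle, identity, return_to):
        """The positive id_res the provider redirects the browser back with."""
        fields = {"mode": "id_res", "identity": identity, "return_to": return_to,
                  "assoc_handle": handle}
        signed = ["mode", "identity", "return_to"]
        resp = {"openid." + k: v for k, v in fields.items()}
        resp["openid.signed"] = ",".join(signed)
        resp["openid.sig"] = b64(kv_sign(self.mac_keys[handle], fields, signed))
        return resp


class RelyingParty:
    """Consumer side: one association with the provider, then purely local verification."""

    def __init__(self, provider, trust_root):
        self.trust_root = trust_root
        priv, pub = dh_keypair()
        resp = provider.associate({
            "openid.mode": "associate", "openid.assoc_type": "HMAC-SHA1",
            "openid.session_type": "DH-SHA1",
            "openid.dh_modulus": b64(btwoc(DEFAULT_MOD)),
            "openid.dh_gen": b64(btwoc(DEFAULT_GEN)),
            "openid.dh_consumer_public": b64(btwoc(pub)),
        })
        shared = pow(from_btwoc(unb64(resp["dh_server_public"])), priv, DEFAULT_MOD)
        self.handle = resp["assoc_handle"]
        self.mac_key = xor(unb64(resp["enc_mac_key"]), hashlib.sha1(btwoc(shared)).digest())

    def verify(self, args, expected_identity, expected_return_to):
        """Checks an id_res carried back through the browser (so attacker-editable).
        Each test closes one way to log in with an edited or unsigned assertion."""
        if args.get("openid.mode") != "id_res":
            return False
        if args.get("openid.assoc_handle") != self.handle:
            return False                                 # unknown or expired association
        signed = args.get("openid.signed", "").split(",")
        if not {"mode", "identity", "return_to"} <= set(signed):
            return False                                 # signature must cover what we rely on
        fields = {k: args.get("openid." + k, "") for k in signed}
        try:
            sig = unb64(args.get("openid.sig", ""))
        except ValueError:
            return False
        if not hmac.compare_digest(kv_sign(self.mac_key, fields, signed), sig):
            return False
        # what Net::OpenID::Consumer's required_root enforces: return_to is ours
        return (fields["return_to"] == expected_return_to
                and fields["return_to"].startswith(self.trust_root)
                and fields["identity"] == expected_identity)


def demo():
    """A genuine assertion is accepted; the same one with the identity rewritten is not."""
    op = Provider()
    rp = RelyingParty(op, "http://chris.vertonghen.org/")
    identity = "http://vertonghen.myopenid.com/"        # made-up claimed identity
    return_to = "http://chris.vertonghen.org/openid-check?return=true"
    good = op.assert_identity(rp.handle, identity, return_to)
    forged = {**good, "openid.identity": "http://victim.example/"}   # edited in flight
    return (rp.verify(good, identity, return_to),
            rp.verify(forged, "http://victim.example/", return_to))


if __name__ == "__main__":
    print(demo())
```

Two things the demo does not cover and a real consumer must: OpenID 1.1 has no nonce inside the signed assertion, so replay protection comes from a nonce the consumer puts into `return_to` itself (Net::OpenID::Consumer signs that nonce with `consumer_secret`), and when no association exists the consumer has to fall back to `check_authentication`, a direct request to the provider asking it to confirm the signature.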
How does my identity
provider know who I am?
OpenID deliberately doesn’t specify
username/password
is common
But providers can use other methods if
they want to
Client SSL certificates
Out of band authentication via SMS,
e-mail or Jabber
No authentication at all (just say “Yes”)
(which is the OpenID version of bugmenot.com)
What if I decide I
suddenly hate my provider?
Use your own
domain name
and delegate to a provider you trust
Perl OpenID client
Net::OpenID::Consumer by Brad Fitzpatrick (of course)
```perl
use strict;
use warnings;
use CGI;
use URI::Escape qw(uri_escape);
use LWPx::ParanoidAgent;    # refuses to fetch private/internal addresses during discovery
use Net::OpenID::Consumer;

my $cgi       = CGI->new;
my $site_root = "http://chris.vertonghen.org/";

my $csr = Net::OpenID::Consumer->new(
    ua              => LWPx::ParanoidAgent->new,
    cache           => Some::Cache->new,     # placeholder: any object with get/set, e.g. Cache::Cache
    args            => $cgi,
    consumer_secret => $ENV{OPENID_CONSUMER_SECRET},   # placeholder: a long random value kept out of source
    required_root   => $site_root,           # return_to must live under this URL
);

unless ( $cgi->param('return') ) {
    # A user entered, say, "bradfitz.com" as their identity. The first step is to
    # fetch that page, parse it, and get a Net::OpenID::ClaimedIdentity object:
    my $identity = $cgi->param('openid_url') || "bradfitz.com";
    my $claimed_identity = $csr->claimed_identity($identity)
        or die "Discovery failed for $identity: " . $csr->err;

    # Now your app has to send them to their identity server's endpoint to get
    # redirected back with either a positive assertion that they own that identity,
    # or where they need to go to login/setup trust/etc.
    my $script_name = "http://" . $ENV{'HTTP_HOST'} . $ENV{'SCRIPT_NAME'};
    my $hurl = $cgi->param('hurl') || '';   # the application's own round-trip parameter
    my $check_url = $claimed_identity->check_url(
        return_to  => $script_name . "?return=true&hurl=" . uri_escape($hurl)
                                   . "&oid=" . uri_escape($identity),
        trust_root => $site_root,
    );
    # HTTP_HOST is the client's Host header; required_root above is what stops a
    # spoofed host from turning return_to into a redirect somewhere else.
    print $cgi->redirect($check_url);       # send the user off there
    exit;
}

# They come back to this script with return=true; see what the identity server said.
if ( my $setup_url = $csr->user_setup_url ) {
    # the provider wants the user to log in or approve this site first
    print $cgi->redirect($setup_url);
}
elsif ( my $verify_identity = $csr->verified_identity ) {
    # signature, nonce and return_to (against required_root) have all been checked
    my $verified_url = $verify_identity->url;
    print $cgi->header, 'Congratulations your identity has been verified.<BR><BR>';
}
elsif ( $csr->user_cancel ) {
    print $cgi->redirect('http://chris.vertonghen.org/auth.html');   # the login page
}
else {
    print $cgi->header, "<BR><h1>Validation Error</h1>",
        'There was an error in validating your identity. The error was ',
        CGI::escapeHTML( $csr->err ),       # never echo the error text into HTML unescaped
        "<BR><BR>Please <a href=\"javascript: history.go(-1);\">go back and try again</a>.<BR><BR>";
}
```
Thank you.
Questions?