Objectives
Understanding the difference between Authentication and Authorization
Understanding OpenID and OAuth
Identity on the Web
Millions of Web sites, each with their own users
Each user needs to remember N usernames+passwords
…why not interoperate identity? …why not interoperate more data?
OpenID in Action
“OpenID is a decentralized authentication protocol that makes it easy for people to sign up and access web accounts.”
www.stackoverflow.com
How it works
http://yahoo.com
http://openid.net/developers/specs/
How it works, in 11 steps
Figure: OpenID flow diagram (source: http://www.windley.com/archives/2006/04/how_does_openid.shtml); participants: Relying party, OpenID Provider, OpenID Provider End Point
Steps 1, 2 – Post Identifier
<form id="openid_form" action="/users/authenticate" method="post">
  <!-- Simple OpenID Selector -->
  <table id="openid-url-input">
    <tr>
      <td><input id="openid_identifier" name="openid_identifier" type="url"></td>
      <td><input id="submit-button" type="submit" value="Sign in"></td>
    </tr>
  </table>
</form>
How it works – Discovery
Steps 3, 4 – Normalization & Discovery
Yadis Protocol: the response carries Content-Type: application/xrds+xml when performing an HTTP GET on the identity URL
Step 3 – XRDS response
<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)" xmlns:openid="http://openid.net/xmlns/1.0">
  <XRD>
    <Service priority="50">
      <Type>http://openid.net/signon/1.0</Type>
      <URI>http://www.myopenid.com/server</URI>
      <openid:Delegate>http://smoker.myopenid.com/</openid:Delegate>
    </Service>
    <Service priority="10">
      <Type>http://openid.net/signon/1.0</Type>
      <URI>http://www.livejournal.com/openid/server.bml</URI>
      <openid:Delegate>http://www.livejournal.com/users/frank/</openid:Delegate>
    </Service>
    <Service priority="20">
      <Type>http://lid.netmesh.org/sso/2.0</Type>
      <URI>http://mylid.net/liddemouser</URI>
    </Service>
    <Service>
      <Type>http://lid.netmesh.org/sso/1.0</Type>
    </Service>
  </XRD>
</xrds:XRDS>
Steps 3, 4 – Normalization & Discovery
Plain HTTP
Returned HTML document must contain a <link /> element pointing at the provider end point:
<link rel="openid2.provider" href="http://endpoint"/>
How it works – Redirect 1
Step 5 – First redirect
Relying party parses the XRDS document or the <link /> element and retrieves the OpenID provider end point.
Then it redirects (302, 303 or 307) the user agent to that end point, with the OpenID parameters appended to the URL as query params:
HTTP/1.1 303 See Other
Location: https://login.yahoo.com?
  openid.ns=http://specs.openid.net/auth/2.0&
  openid.mode=checkid_setup&
  openid.claimed_id=e_mumble&
  openid.return_to=http://stackoverflow.com?article=123
How it works – Login
Steps 6, 7, 8, 9 – Login
Undefined in the spec
Usually a regular login form with POST
May include further verification with the user
This is a vulnerable point in the process (more later)
How it works – Final Redirect
Step 10 – Final Redirect
OpenID Provider End Point redirects user agent back to the “return_to” URL.
HTTP/1.1 303 See Other
Location: http://stackoverflow.com?article=123&
  openid.ns=http://specs.openid.net/auth/2.0&
  openid.op_endpoint=https://login.yahoo.com&
  openid.return_to=http://stackoverflow.com?article=123&
  openid.identity=e_mumble&
  openid.response_nonce=2005-05-15T17:11:51ZUN6TY9&
  openid.sig=MACsignature
Step 10
Relying party must verify a few things before deciding that the user is authenticated:
return_to matches
identifier matches
nonce is unique
signature is valid
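The four step-10 checks as an added Python example (not code from the slides): it assumes the relying party holds an HMAC-SHA256 association secret shared with the OP beforehand, uses an in-memory set as the nonce store, and the assoc_handle value and secret are constructed.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlparse

# Fields OpenID 2.0 requires the OP to cover with the signature; checking the list
# defeats a response whose openid.signed simply omits a field the RP relies on.
REQUIRED_SIGNED = {"op_endpoint", "return_to", "response_nonce", "assoc_handle", "identity"}

def signature_for(params, signed, assoc_secret):
    # Key-Value Form of the signed fields ("key:value\n", keys without the openid. prefix),
    # MACed with the association secret; HMAC-SHA256 association assumed here.
    kv = "".join(f"{k}:{params['openid.' + k]}\n" for k in signed).encode()
    return base64.b64encode(hmac.new(assoc_secret, kv, hashlib.sha256).digest()).decode()

def verify_step10(params, expected_return_to, claimed_id, assoc_secret, seen_nonces):
    """Run the four step-10 checks; return (ok, reason) and record the nonce only on success."""
    # 1. return_to must be the URL this RP itself sent in step 5
    got, want = urlparse(params.get("openid.return_to", "")), urlparse(expected_return_to)
    if (got.scheme, got.netloc, got.path, got.query) != (want.scheme, want.netloc, want.path, want.query):
        return False, "return_to mismatch"
    # 2. the asserted identity must be the identifier submitted in step 1
    if params.get("openid.identity") != claimed_id:
        return False, "identifier mismatch"
    # 3. a nonce may be accepted once only (replay protection)
    nonce = params.get("openid.response_nonce", "")
    if not nonce or nonce in seen_nonces:
        return False, "nonce missing or already used"
    # 4. all required fields signed, and the MAC must match (constant-time compare)
    signed = [f for f in params.get("openid.signed", "").split(",") if f]
    if not REQUIRED_SIGNED.issubset(signed):
        return False, "required field not signed"
    try:
        expected = signature_for(params, signed, assoc_secret)
    except KeyError:
        return False, "signed field missing from response"
    if not hmac.compare_digest(expected, params.get("openid.sig", "")):
        return False, "bad signature"
    seen_nonces.add(nonce)
    return True, "authenticated"

def build_sample_response(assoc_secret, nonce="2005-05-15T17:11:51ZUN6TY9"):
    # Constructed step-10 parameters mirroring the slide's example; assoc_handle is made up.
    p = {"openid.ns": "http://specs.openid.net/auth/2.0", "openid.op_endpoint": "https://login.yahoo.com",
         "openid.return_to": "http://stackoverflow.com?article=123", "openid.identity": "e_mumble",
         "openid.response_nonce": nonce, "openid.assoc_handle": "example-handle",
         "openid.signed": "op_endpoint,return_to,response_nonce,assoc_handle,identity"}
    p["openid.sig"] = signature_for(p, p["openid.signed"].split(","), assoc_secret)
    return p
```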
How it works – Finally!
Final Remarks
The whole point of OpenID is to authenticate users: your web app wants to verify that the user
john.smith @ yahoo.com really is john.smith at yahoo.com
OpenID knows nothing about authorization: after establishing identity, your application
must decide which resources this user is allowed to access
authentication ≠ authorization
OAuth
The goal of OAuth is to acquire an access token from a 3rd party (like Google, Facebook, etc.), which can then be used to exchange user-specific data between your application and that 3rd party service (such as calendar information or friends list)
Figure: Facebook/Google holds the user data; your app is granted access to that user data via an access token
OpenID+OAuth
Lets arbitrary apps (like yours) access your Twitter/Facebook/Google/etc. account without your having to give them your password