Distributed Identities with OpenID

Bastian Hofmann, VZnet Netzwerke Ltd.

Dienstag, 12. Oktober 2010

Agenda

•What are Identities?

•The history of Identity Providers

•Trying it the open way: OpenID

•The rise of Social

•OpenIDs futureDienstag, 12. Oktober 2010

Identities in real life

Do you have really only one identity?Lothar Krappmann:

- Identity is conveyed by communication

- Identity is not fixed but recreated by every communication with your fellows

- Expectations of different people result in different identities

Example:

Paul Adamshttp://www.slideshare.net/padday/the-real-life-social-network-v2

Identities in the Web

Register, Register, Register, ...

Single Sign on

ul_Marga

Microsoft Passport / Live ID

•Windows Live ID•Launched 1999 as .net Passport

•Used mainly for Microsoft Services but not much outside

•OpenID Provider since 2008

OpenID

•Open decentralized user authentication

http://openid.net/

The Client

Discovery<link rel="openid.server" href="http://www.myopenid.com/server" /><link rel="openid2.provider" href="http://www.myopenid.com/server" />

Delegation

Connection Flow

Authentication vs Authorization

Who is the user?Is this really user X?

Is X allowed to do something?

Does X have the permission?

Client sites want more than just a unique identifier (Social Graph)

But there are Spec Extensions

decafinata

Simple Registration

•Allows to specify certain fields in request that must or should be returned by the Identity Provider

openid.sreg.required=openid.sreg.fullname&openid.sreg.optional=openid.sreg.email,openid.sreg.gender

openid.sreg.fullname=Bastian&openid.sreg.gender=male

Attribute Exchange

•Two-Way exchange of data possiblepenid.ns.ax=http://openid.net/srv/ax/1.0openid.ax.mode=fetch_requestopenid.ax.type.fname=http://example.com/schema/fullnameopenid.ax.type.gender=http://example.com/schema/genderopenid.ax.type.fav_dog=http://example.com/schema/favourite_dogopenid.ax.type.fav_movie=http://example.com/schema/favourite_movieopenid.ax.count.fav_movie=3openid.ax.required=fname,genderopenid.ax.if_available=fav_dog,fav_movieopenid.ax.update_url=http://idconsumer.com/update?transaction_id=a6b5c41

Attribute Exchange

•Two-Way exchange of data possibleopenid.ns.ax=http://openid.net/srv/ax/1.0openid.ax.mode=fetch_responseopenid.ax.type.fname=http://example.com/schema/fullnameopenid.ax.type.gender=http://example.com/schema/genderopenid.ax.type.fav_dog=http://example.com/schema/favourite_dogopenid.ax.type.fav_movie=http://example.com/schema/favourite_movieopenid.ax.value.fname=John Smithopenid.ax.count.gender=0openid.ax.value.fav_dog=Spotopenid.ax.count.fav_movie=2openid.ax.value.fav_movie.1=Movie1openid.ax.value.fav_movie.2=Movie2openid.ax.update_url=http://idconsumer.com/update?transaction_id=a6b5c41

Attribute Exchange

•Two-Way exchange of data possibleopenid.ns.ax=http://openid.net/srv/ax/1.0openid.ax.mode=store_requestopenid.ax.type.fname=http://example.com/schema/fullnameopenid.ax.value.fname=Bob Smithopenid.ax.type.fav_movie=http://example.com/schema/favourite_movieopenid.ax.count.fav_movie=2openid.ax.value.fav_movie.1=Movie1openid.ax.value.fav_movie.2=Movie2

openid.ns.ax=http://openid.net/srv/ax/1.0openid.ax.mode=store_response_success

OpenID + OAuth

•Combines OpenID Authentication and OAuth authorization

openid.ns.oauth=http://specs.openid.net/extensions/oauth/1.0&openid.oauth.consumer=123456

openid.ns.oauth=http://specs.openid.net/extensions/oauth/1.0&openid.oauth.request_token=7890

OAuth 1.0a Flow +----------+ +---------------+ | -+----(B)-- Request Token -------->| | | End-user | | Authorization | | at |<---(C)-- User authenticates --->| Server | | Browser | | | | -+----(D)-- Verifier -------------<| | +-|----|---+ +---------------+ | | ^ v (B) (D) | | | | | | ^ v | | +---------+ | | | |>---(A)-- Redirect URL ---------------| | | Web |<---(A)-- Request Token + Secret -----| | | Client |>---(E)-- Request Token, Verifier ----' | | |<---(E)-- Access Token + Secret -------------' +---------+

Every Request: Client Credentials, Nonce, Timestamp, Signaturehttp://oauth.net/

Failures of OpenID 2.0

•Complex to implement

•No marketing–Do you have an OpenID?–What is it?

•URL as identifier => Bad User Experience

Proprietary strikes back

Facebook Connect

Twitter @Anywhere

And there are much, much more

Nascar problem

Vaguely Artistic

Phishing

How to fix it?

Aggregation: Janrain

http://www.janrain.com/

OpenID Connect

•Goals:–Easier to implement–More simple specification–Better user experience

•=> wider adption•Built on top of OAuth 2.0

What‘s wrong with OAuth?

•Does not work well with non web or JavaScript based clients

•The „Invalid Signature“ Problem

•Complicated Flow, many requests

What‘s new in OAuth2? (Draft 10)

•Different client profiles•No signatures•No Token Secrets•Cookie-like Bearer Token•Mandatory TSL/SSL•No Request Tokens•Much more flexible regarding extensions

http://tools.ietf.org/html/draft-ietf-oauth-v2

Web-Server Profile +----------+ Client Identifier +---------------+ | -+----(A)--- & Redirect URI ------>| | | End-user | | Authorization | | at |<---(B)-- User authenticates --->| Server | | Browser | | | | -+----(C)-- Authorization Code ---<| | +-|----|---+ +---------------+ | | ^ v (A) (C) | | | | | | ^ v | | +---------+ | | | |>---(D)-- Client Credentials, --------' | | Web | Authorization Code, | | Client | & Redirect URI | | | | | |<---(E)----- Access Token -------------------' +---------+ (w/ Optional Refresh Token)

What happend to signatures?

•Ongoing controvers discussion

•Bearer Tokens are fine over secure connection

•Vulnerable if discovery is introduced

•Or TSL/SSL is not possible

Scopes

•Optional parameter for provider specific implementations

•For example–Additional return values–Access Control

OpenID Connect?

•Scope: „openid“

•With access token additional values are returned–UserID: URL to Portable Contacts endpoint–Signature–Timestamp

http://openidconnect.com/

OpenID Connect Discovery

•Get Identifier of user

•Call /.well-know/host-meta file at the domain of the user‘s provider

•Look for a link pointing to the OpenID Connect endpoints in the returned LRDD

When will it be available at VZ?

NOW in BETA

http://developer.studivz.net/wiki/index.php/VZ-Loginhttp://github.com/vznet/vz_os_clientlibrary_php

FOAF+SSL (WebID)

http://esw.w3.org/Foaf%2Bssl

Problems

•Bad browser UI

•Syncing between different computers?

•More than one user on the same computer?

UX Mockups Mozilla Weave

Summing it up

•We need a single sign on system for the web

•OpenID is cool, but has some problems

•Proprietary solutions are bad for users, site owners and developers

•A new more simple and flexible spec is coming up

•Browser vendors are working to solve this problem in the browser

Thank you

http://studivz.net/bastianhttp://twitter.com/BastianHofmannhttp://slideshare.net/bashofmann

http://github.com/vznethttp://developer.studivz.net

Distributed Identities with OpenID

a6b5c41 dienstag

client dienstag

web dienstag

netextensionsoaut dienstag

netsr dienstag

demo dienstag

paul adams http

openid authentication

Technology

Identity Management Systems for Collaborations and Virtual.....

OpenID Connect Conformance Profiles v3 · 1 OpenID Connect....

OpenID overview

OpenID Connect - Nat Sakimura at OpenID TechNight #7

OpenID Certification -...

Rails flavoured OpenId

Introduction to OpenID Foundation...May 21, 2020 ·...

OpenID 2009

OAuth , OpenID, SAML Making Sense of the Alphabet Soup for.....

Openid Fossconf

Implementing OpenID

Oracle Banking APIs OpenID Guide Banking API… · OPENID 5...

OpenID Security

Openid Drupalcon 2008

Distributed Identity via OpenID

OpenID Contexts