Copy of Ping Summit Preso: OpenID and OAuth
Transcript (source: innovbfa.viabloga.com › files › Cloud_Identity_Summit..., 2010-11-02)
OpenID Single Sign On and OAuth Data Access
Dave Primmer, Cloud Identity Summit - July 2010
Workshop: The Value, The Technology, The Future
Agenda
Terminology
Open Protocols: OpenID user authentication, OAuth data access, Hybrid authentication + data access
Google Apps Marketplace
Case Study - Evolution of 'SaaSy Payroll'
Q&A
SaaSy Payroll
Fictitious app for handling the payroll of SMBs
Used by smart-lawfirm.com for their payroll
Terminology
Authentication and Authorization
Authentication. Goal: secure knowledge of the identity of the user
Authorization. Goal: appropriate access to resources, such as Google Data APIs (Calendar, Contacts, Docs, etc.)
OpenID Federated Identity
What do we mean by Federated Identity?
Web applications (relying parties) accept the assertion of identity from identity providers, such as Google and Yahoo.
What information does OpenID provide an app?
Identity of the user: http://smart-lawfirm.com/openid?id=0123456789
Static each time the user visits the relying party web application
OpenID Login Options
http://www.google.com/accounts/o8/id
Improved UX
But... what if you want to use an OpenID on your own domain without a complicated URL to remember?
Ideal User Experience: WebFinger
Discovery: Determining the OpenID provider for a user.
Google Accounts versus Google Apps accounts
Google Apps Login
Discovering the OpenID Provider
Format of the OpenID Identity
Google consumer account (including Gmail accounts): https://www.google.com/accounts/o8/id?id=AItOawlTW-qs7L-bpYc0oxROHDQaFmQHyGRnaLM
Google Apps account: http://smart-lawfirm.com/openid?id=0123456789
Google Supported Extensions
Provider Auth Policy Extension (PAPE): allows a relying party to ask for security restrictions
OpenID User Interface Extension: enables pop-up UI
OAuth Hybrid: enables getting both the user's identity and access to some of the user's data
Attribute Exchange (AX): provides additional info about the user
Attribute Exchange (AX)
Remember, without AX we only get a URI: http://smart-lawfirm.com/openid?id=0123456789
We want more information to improve the user experience: First Name, Last Name, E-mail Address, Language
Attribute Exchange (AX) Trust
Don't trust attributes without verification
Whitelist trusted IDPs
Same-origin policy for email
One-time confirmation messages
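The AX trust rules above turned into a relying-party check, as an added example that is not part of the presentation: a whitelisted IdP is trusted only for the mail domains it runs, a Google Apps style identity is trusted only when its claimed id lives on the e-mail's own domain (same-origin), and everything else falls back to a one-time confirmation message. The whitelist contents and the example hostnames are constructed; the check assumes the OpenID assertion itself has already been verified.

```python
# Added example (not from the slides): deciding whether an AX e-mail attribute can
# be used as-is. Call this only after the OpenID assertion has been verified
# (discovery + signature check), so claimed_id is known to be genuine.
from urllib.parse import urlsplit

# Constructed whitelist: OP host -> e-mail domains that provider is authoritative for.
# Google's consumer OP (on the slides) can vouch for Gmail addresses; a Google Apps
# domain is covered by the same-origin rule below, because its claimed id lives on
# the company's own domain (http://smart-lawfirm.com/openid?id=...).
TRUSTED_IDPS = {
    "www.google.com": {"gmail.com", "googlemail.com"},
}


def email_domain(email: str):
    """Return the lower-cased domain of a syntactically plausible address, else None."""
    local, at, domain = email.partition("@")
    if not at or not local or not domain or "@" in domain:
        return None
    return domain.lower()


def decide_attribute_trust(claimed_id: str, email: str) -> str:
    """'trusted' -> use the address as-is
       'confirm' -> store it only after a one-time confirmation message succeeds
       'reject'  -> malformed input, do not store"""
    domain = email_domain(email)
    parts = urlsplit(claimed_id)
    host = parts.hostname
    if domain is None or host is None or parts.scheme not in ("http", "https"):
        return "reject"
    host = host.lower()
    if host in TRUSTED_IDPS:
        # A whitelisted IdP is trusted only for the domains it actually runs mail for;
        # any other address it asserts still needs a confirmation round trip.
        return "trusted" if domain in TRUSTED_IDPS[host] else "confirm"
    # Same-origin policy: the identity must live on the e-mail domain itself (or a
    # subdomain of it). Any other host could be any IdP claiming any address.
    if host == domain or host.endswith("." + domain):
        return "trusted"
    return "confirm"
```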
How it's done - OpenID Federated Identity
OpenID Libraries
Language: Libraries
Java: OpenID4Java, Step2
.NET: DotNetOpenAuth
PHP: php-openid, php-openid-apps-discovery
Ruby: ruby-openid, ruby-openid-apps-discovery
Any: RPX, Ping Identity
OAuth Data Access
OAuth Terms
Protected Resource: resides on server, requires authorization
Resource Owner: owns protected resource, approves access
Server: receives HTTP request
Client: makes HTTP request
Old OAuth Terminology
Pre 2009 -> Current
Consumer -> Client
Service Provider -> Server / Protected Resource
User -> User / Resource Owner
More Info: The Authoritative Guide to OAuth 1.0
Now, with more RFC! http://www.rfc-editor.org/info/rfc5849
OAuth Components
Key Management: establishes trust between client and server
Access Control: grants done per-user, or for a whole Google Apps domain
Basic steps to use OAuth
Step 1 Client Registration <- Key Management
Step 2 Resource owner grant <- Access Control
Step 3 Client Application Accesses resource
SaaSy App - www.saasyapp.com
Getting your OAuth client key and secret
Step 1 - For the Developer:
A Google Client App Registration Page
Access Control
Step 2 - For the Resource Owner:
Two types of Access Control
Resource Owner: an entity capable of approving access to a protected resource.
Sometimes the resource owner is not the same as the user
Consumer: Individual User is Resource Owner -> Three-Legged OAuth (authorization using browser redirection; individual prompted)
Business: Company Admin is Resource Owner -> Two-Legged OAuth (requests pre-authorized for a group of users; user not prompted)
Manage OAuth Client Data Access
Approval for a group of users:
Google Apps Administrator Access Control
Demo: Two-Legged OAuth cURL
Step #3 Access the resource
Two-Legged OAuth: What is it?
An authenticated HTTP request. Very much like HTTP Digest Auth.
Client has a role account name and password: consumer_key -> account name, consumer_secret -> password
Request param to indicate the [email protected]
Some request attributes are bundled up and signed in a standard way. That's it.
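The "bundled up and signed" step, as an added example that is not from the presentation: an OAuth 1.0 (RFC 5849) two-legged request is signed by the client with HMAC-SHA1 over the consumer key, nonce, timestamp and requestor parameter, and the resource server recomputes the signature from its stored consumer secret and rejects stale or replayed requests (step 3 of the basic OAuth steps above). Hostnames, keys and secrets are constructed for the demo; the `xoauth_requestor_id` parameter name is Google's 2LO convention, assumed here rather than taken from the slides, and three-legged OAuth would add the access token and its secret to the same signing key.

```python
# Added example (not from the slides): OAuth 1.0 two-legged request signing and
# server-side verification. All names, keys and secrets are constructed.
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, quote, urlsplit


def pct(value) -> str:
    """RFC 5849 3.6 percent-encoding: only RFC 3986 unreserved characters are kept."""
    return quote(str(value), safe="-._~")


def base_string(method: str, url: str, params: dict) -> str:
    """RFC 5849 3.4.1 signature base string over the request URI and all parameters."""
    parts = urlsplit(url)
    scheme, host = parts.scheme.lower(), parts.netloc.lower()
    # Default ports are dropped from the base string URI.
    if (scheme, host.rsplit(":", 1)[-1]) in (("http", "80"), ("https", "443")):
        host = host.rsplit(":", 1)[0]
    base_url = f"{scheme}://{host}{parts.path}"
    # Query-string parameters and oauth_* parameters are normalized together:
    # encode every key and value, sort, then join as k=v pairs with '&'.
    pairs = list(parse_qsl(parts.query, keep_blank_values=True)) + list(params.items())
    normalized = "&".join(f"{k}={v}" for k, v in sorted((pct(k), pct(v)) for k, v in pairs))
    return "&".join([method.upper(), pct(base_url), pct(normalized)])


def sign(base: str, consumer_secret: str, token_secret: str = "") -> str:
    """HMAC-SHA1 over the base string, keyed with consumer secret & token secret.
    Two-legged OAuth has no token, so the token secret is empty."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()


def build_2lo_request(method, url, consumer_key, consumer_secret, requestor_id,
                      nonce=None, timestamp=None) -> dict:
    """Client side: the oauth_* parameters (plus the requestor id) sent with the request."""
    params = {
        "oauth_consumer_key": consumer_key,        # the client's role "account name"
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp if timestamp is not None else int(time.time())),
        "oauth_nonce": nonce or secrets.token_hex(8),
        "oauth_version": "1.0",
        "xoauth_requestor_id": requestor_id,       # assumed name: whose data is requested
    }
    params["oauth_signature"] = sign(base_string(method, url, params), consumer_secret)
    return params


def verify_2lo_request(method, url, params, consumer_secrets, seen_nonces,
                       now=None, max_skew=300):
    """Server side: recompute the signature from the stored consumer secret, then
    reject stale timestamps and replayed nonces. Returns (ok, reason). `url` is the
    resource URL without the oauth_* parameters, which a real server would split
    off the query string or the Authorization header first."""
    key = params.get("oauth_consumer_key")
    if key not in consumer_secrets:
        return False, "unknown consumer key"
    unsigned = {k: v for k, v in params.items() if k != "oauth_signature"}
    expected = sign(base_string(method, url, unsigned), consumer_secrets[key])
    # Constant-time comparison so the check does not leak through timing.
    if not hmac.compare_digest(expected.encode(), str(params.get("oauth_signature", "")).encode()):
        return False, "bad signature"
    try:
        ts = int(params.get("oauth_timestamp", ""))
    except ValueError:
        return False, "bad timestamp"
    now = int(time.time()) if now is None else now
    if abs(now - ts) > max_skew:
        return False, "stale timestamp"
    nonce_id = (key, params.get("oauth_nonce"), ts)
    if nonce_id in seen_nonces:
        return False, "replayed nonce"
    seen_nonces.add(nonce_id)  # only remember nonces of correctly signed requests
    return True, "ok"


if __name__ == "__main__":
    # Constructed demo: the SaaSy Payroll client reads a calendar feed for one user of
    # smart-lawfirm.com, whose admin pre-approved the client via the server-side ACL.
    url = "https://server.example.com/calendar/feed?alt=json"
    store = {"saasyapp.com": "s3cret"}
    req = build_2lo_request("GET", url, "saasyapp.com", "s3cret", "joe@smart-lawfirm.com")
    seen = set()
    print(verify_2lo_request("GET", url, req, store, seen))  # (True, 'ok')
    print(verify_2lo_request("GET", url, req, store, seen))  # (False, 'replayed nonce')
```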
Two-Legged OAuth: Why?
You don't want to bother the user with approval
The common Enterprise IT scenario
Server to Server -- no browser involved
Main trust relationship: Resource Owner (admin) tells the Server, via ACL, to trust the client
Permission stored in server ACL, not a token
Three-legged OAuth
The "other" style of authorization
Three-Legged OAuth: What is it?
Describes the access control delegation to a Client by a Resource Owner
Redirection-Based Authorization: the authorization flow is what most people think of when they talk about OAuth. It is the process in which the user's browser is redirected to the server to approve access
Adds an Access Token to the 2LO request during data access that identifies the permission granted.
"Joe gives the SaaSy Payroll client permission to write to Joe's Google Calendar."
oauth_token=1%2FSTnrUiu8N4OQvrwEpsltnpYwFX5an2j2i-VAK5l_3No
SaaSy App - www.saasyapp.com
Authorization by Resource Owner
Three-Legged OAuth: Why?
Appropriate for access grant by individual user (also works for Apps users)
User identity is opaque to client application
Main trust relationship: User is the Resource Owner and trusts the client app with an Access Token
OAuth 2
Already? Why? Make it IETF standard; add new use cases; avoid crypto!
OAuth 1 + WRAP = OAuth 2
Facebook has working OAuth 2 prototypes, Microsoft Azure and Google have WRAP prototypes.
http://tools.ietf.org/html/draft-ietf-oauth-v2
Hybrid OpenID + OAuth
Identity and Data Access in 1 step
Google Calendar
Google Apps Marketplace
Features: Simple installation flow
Features: True Single Sign On
SaaSy PayrollVideo
Groups
Features: 2-legged OAuth access to Data APIs
Consumer Key and Secret available in the Marketplace
Summary of Protocols
3-Legged OAuth: Access data for individual users
2-Legged OAuth: Pre-approved access to data for a group of users
OpenID: Access a user's identity. Can be used for Gmail
OpenID with Google Apps extensions: Access a user's identity for Google Apps accounts
OpenID / OAuth Hybrid: On-board new users and get their data in one step
Evolution of an Integrated App
Evolution of 'SaaSy Payroll'
email password openid
[email protected] AxNAAFSnz ----- ZD1FNKL4
[email protected] ----- http://goo.com/1234 JFNB2ANS
Evolution of 'SaaSy Payroll'
email password openid token type
[email protected] AxNAAFSnz ----- ZD1FNKL4 AS ----
[email protected] ----- http://goo.com/1234 JFNB2ANS AS ----
[email protected] ---- http://bar.com/6780 D2FNAF7D 3LO adfa123f
Evolution of 'SaaSy Payroll'
email password openid token type
[email protected] AxNAAFSnz ----- ZD1FNKL4 AS ----
[email protected] ----- http://goo.com/1234 JFNB2ANS ---- ----
[email protected] ---- http://bar.com/6780 D2FNAF7D 3LO adfa123f
kim@smart-lawfi ---- http://smb.com/123 ----- 2LO ----
ryan@smart-law ---- http://smb.com/456 ----- 2LO ----
dmb@smart-law ---- http://smb.com/789 ----- 2LO ----
Evolution of 'SaaSy Payroll'
Improved User Experience
Easier on-boarding of users
Access granted by appropriate resource owners
Access to over 2 million businesses
Multiple code paths
Resources
Google Apps Marketplace: http://developer.googleapps.com/marketplace
Technical docs on Google Apps: http://code.google.com/googleapps/
Technical docs on OpenID and OAuth: http://code.google.com/apis/accounts/
OAuth Playground: http://www.googlecodesamples.com/oauth_playground
Q & A