Distributed Identities with OpenID
![Page 1: Distributed Identities with OpenID](https://reader033.fdocuments.net/reader033/viewer/2022052522/554bde34b4c905706a8b5712/html5/thumbnails/1.jpg)
Distributed Identities with OpenID
Bastian Hofmann, VZnet Netzwerke Ltd.
![Page 2: Distributed Identities with OpenID](https://reader033.fdocuments.net/reader033/viewer/2022052522/554bde34b4c905706a8b5712/html5/thumbnails/2.jpg)
OpenID is dead
![Page 3: Distributed Identities with OpenID](https://reader033.fdocuments.net/reader033/viewer/2022052522/554bde34b4c905706a8b5712/html5/thumbnails/3.jpg)
„OpenID has been a burden on support since the day it was launched.“
„Fewer than 1% of all 37signals users are currently using OpenID.“
http://productblog.37signals.com/products/2011/01/well-be-retiring-our-support-of-openid-on-may-1.html
![Page 4: Distributed Identities with OpenID](https://reader033.fdocuments.net/reader033/viewer/2022052522/554bde34b4c905706a8b5712/html5/thumbnails/4.jpg)
„OpenID is the worst possible "solution" I have ever seen in my entire life to a problem that most people don't really have.“
Yishan Wong (Facebook)
http://www.quora.com/What-s-wrong-with-OpenID
![Page 5: Distributed Identities with OpenID](https://reader033.fdocuments.net/reader033/viewer/2022052522/554bde34b4c905706a8b5712/html5/thumbnails/5.jpg)
Facebook Connect
250,000,000 monthly users
![Page 6: Distributed Identities with OpenID](https://reader033.fdocuments.net/reader033/viewer/2022052522/554bde34b4c905706a8b5712/html5/thumbnails/6.jpg)
So why are you here?
![Page 7: Distributed Identities with OpenID](https://reader033.fdocuments.net/reader033/viewer/2022052522/554bde34b4c905706a8b5712/html5/thumbnails/7.jpg)
• Why identity management is still a problem
• OpenID: how it works, and why it fails
• OpenID Connect & OAuth 2: OpenID's future?
• What can browser vendors do?
![Page 8: Distributed Identities with OpenID](https://reader033.fdocuments.net/reader033/viewer/2022052522/554bde34b4c905706a8b5712/html5/thumbnails/8.jpg)
![Page 9: Distributed Identities with OpenID](https://reader033.fdocuments.net/reader033/viewer/2022052522/554bde34b4c905706a8b5712/html5/thumbnails/9.jpg)
![Page 10: Distributed Identities with OpenID](https://reader033.fdocuments.net/reader033/viewer/2022052522/554bde34b4c905706a8b5712/html5/thumbnails/10.jpg)
![Page 11: Distributed Identities with OpenID](https://reader033.fdocuments.net/reader033/viewer/2022052522/554bde34b4c905706a8b5712/html5/thumbnails/11.jpg)
![Page 12: Distributed Identities with OpenID](https://reader033.fdocuments.net/reader033/viewer/2022052522/554bde34b4c905706a8b5712/html5/thumbnails/12.jpg)
Questions? Ask!
![Page 14: Distributed Identities with OpenID](https://reader033.fdocuments.net/reader033/viewer/2022052522/554bde34b4c905706a8b5712/html5/thumbnails/14.jpg)
Only one identity?
![Page 15: Distributed Identities with OpenID](https://reader033.fdocuments.net/reader033/viewer/2022052522/554bde34b4c905706a8b5712/html5/thumbnails/15.jpg)
Identity is conveyed by communication
Identity is not fixed but recreated by every communication with your fellows
Expectations of different people result in different identities
Lothar Krappmann
![Page 16: Distributed Identities with OpenID](https://reader033.fdocuments.net/reader033/viewer/2022052522/554bde34b4c905706a8b5712/html5/thumbnails/16.jpg)
Paul Adams, http://www.slideshare.net/padday/the-real-life-social-network-v2
![Page 17: Distributed Identities with OpenID](https://reader033.fdocuments.net/reader033/viewer/2022052522/554bde34b4c905706a8b5712/html5/thumbnails/17.jpg)
![Page 18: Distributed Identities with OpenID](https://reader033.fdocuments.net/reader033/viewer/2022052522/554bde34b4c905706a8b5712/html5/thumbnails/18.jpg)
![Page 19: Distributed Identities with OpenID](https://reader033.fdocuments.net/reader033/viewer/2022052522/554bde34b4c905706a8b5712/html5/thumbnails/19.jpg)
Sign up again and again
![Page 20: Distributed Identities with OpenID](https://reader033.fdocuments.net/reader033/viewer/2022052522/554bde34b4c905706a8b5712/html5/thumbnails/20.jpg)
Passwords are broken
Same password for more than one service
Names, birthdays, car brands, ...
Too short, too simple
Saved insecurely in the browser
Disclosed to others
Sent over unencrypted connections
![Page 21: Distributed Identities with OpenID](https://reader033.fdocuments.net/reader033/viewer/2022052522/554bde34b4c905706a8b5712/html5/thumbnails/21.jpg)
Single Sign On
![Page 22: Distributed Identities with OpenID](https://reader033.fdocuments.net/reader033/viewer/2022052522/554bde34b4c905706a8b5712/html5/thumbnails/22.jpg)
Microsoft Live ID
Launched 1999 as .NET Passport
![Page 23: Distributed Identities with OpenID](https://reader033.fdocuments.net/reader033/viewer/2022052522/554bde34b4c905706a8b5712/html5/thumbnails/23.jpg)
Facebook Connect
![Page 24: Distributed Identities with OpenID](https://reader033.fdocuments.net/reader033/viewer/2022052522/554bde34b4c905706a8b5712/html5/thumbnails/24.jpg)
![Page 25: Distributed Identities with OpenID](https://reader033.fdocuments.net/reader033/viewer/2022052522/554bde34b4c905706a8b5712/html5/thumbnails/25.jpg)
And there are many more
![Page 26: Distributed Identities with OpenID](https://reader033.fdocuments.net/reader033/viewer/2022052522/554bde34b4c905706a8b5712/html5/thumbnails/26.jpg)
The NASCAR problem: a login page plastered with provider logos, like the sponsor stickers on a race car
![Page 29: Distributed Identities with OpenID](https://reader033.fdocuments.net/reader033/viewer/2022052522/554bde34b4c905706a8b5712/html5/thumbnails/29.jpg)
The Client
![Page 30: Distributed Identities with OpenID](https://reader033.fdocuments.net/reader033/viewer/2022052522/554bde34b4c905706a8b5712/html5/thumbnails/30.jpg)
Discovery: the identifier page links to the OpenID provider (OpenID 1.x and 2.0 forms)

```html
<link rel="openid.server" href="http://www.myopenid.com/server" />
<link rel="openid2.provider" href="http://www.myopenid.com/server" />
```

Delegation: an identifier on your own domain points at the provider and at the local identifier the provider knows you by

```html
<meta http-equiv="X-XRDS-Location" content="http://bhofmann.myopenid.com/" />
<link rel="openid2.provider" href="http://www.myopenid.com/server" />
<link rel="openid2.local_id" href="http://bhofmann.myopenid.com/" />
<link rel="openid.server" href="http://www.myopenid.com/server" />
<link rel="openid.delegate" href="http://bhofmann.myopenid.com/" />
```
![Page 31: Distributed Identities with OpenID](https://reader033.fdocuments.net/reader033/viewer/2022052522/554bde34b4c905706a8b5712/html5/thumbnails/31.jpg)
Connection Flow
![Page 32: Distributed Identities with OpenID](https://reader033.fdocuments.net/reader033/viewer/2022052522/554bde34b4c905706a8b5712/html5/thumbnails/32.jpg)
DEMO
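As an added example (not code from the slides and not VZnet's demo client), here is the relying-party side of the discovery and connection flow above in Python: HTML-based discovery with delegation, building the checkid_setup redirect, and verifying the positive assertion the OP sends back. The identifier page, the MAC key, the association handle, the return_to URL and the OP response are all constructed for the example; a real RP gets the MAC key from the association step and must also compare return_to with the URL the response actually arrived at.

```python
import base64
import hashlib
import hmac
import re
from urllib.parse import urlencode

# Constructed identifier page modelled on the delegation markup of the slides;
# embedded so the example runs offline instead of fetching the URL.
IDENTIFIER_PAGE = """<html><head>
<link rel="openid2.provider" href="http://www.myopenid.com/server" />
<link rel="openid2.local_id" href="http://bhofmann.myopenid.com/" />
<link rel="openid.server" href="http://www.myopenid.com/server" />
<link rel="openid.delegate" href="http://bhofmann.myopenid.com/" />
</head><body>identifier page</body></html>"""
LINK_RE = re.compile(r'<link\s+rel="([^"]+)"\s+href="([^"]+)"', re.I)


def discover(page):
    """HTML-based discovery: (op_endpoint, local_id) from the identifier page.

    OpenID 2.0 links win over the 1.x ones. With delegation the OP knows the
    user by local_id, not by the URL the user typed into the RP's form.
    """
    links = {rel.lower(): href for rel, href in LINK_RE.findall(page)}
    endpoint = links.get("openid2.provider") or links.get("openid.server")
    if endpoint is None:
        raise ValueError("no OpenID provider link on identifier page")
    return endpoint, links.get("openid2.local_id") or links.get("openid.delegate")


def checkid_setup_url(endpoint, claimed_id, local_id, return_to, realm, assoc_handle):
    """Build the redirect that sends the browser to the OP (checkid_setup)."""
    return endpoint + "?" + urlencode({
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "checkid_setup",
        "openid.claimed_id": claimed_id,
        "openid.identity": local_id or claimed_id,
        "openid.return_to": return_to,
        "openid.realm": realm,
        "openid.assoc_handle": assoc_handle,
    })


def sign(fields, mac_key):
    """HMAC-SHA256 over the Key-Value Form of the fields named in openid.signed.

    The OP computes this with the association's MAC key; the RP recomputes it.
    """
    keys = fields["openid.signed"].split(",")
    kv = "".join(f"{k}:{fields['openid.' + k]}\n" for k in keys)
    return base64.b64encode(hmac.new(mac_key, kv.encode(), hashlib.sha256).digest()).decode()


REQUIRED_SIGNED = {"op_endpoint", "return_to", "response_nonce", "assoc_handle"}


def verify_assertion(fields, mac_key, endpoint, identity, return_to, seen_nonces):
    """RP side: accept a positive assertion only if every check passes."""
    if fields.get("openid.mode") != "id_res":
        return False
    signed = set(fields.get("openid.signed", "").split(","))
    # Everything security-relevant must be under the signature, and any
    # claimed_id/identity the OP sends back must be signed as well.
    if not REQUIRED_SIGNED <= signed:
        return False
    for name in ("claimed_id", "identity"):
        if "openid." + name in fields and name not in signed:
            return False
    if any("openid." + k not in fields for k in signed):
        return False
    if not hmac.compare_digest(sign(fields, mac_key), fields.get("openid.sig", "")):
        return False
    # Bind the assertion to the OP endpoint and identity found by discovery and
    # to the return_to we sent, so an assertion for another user or another RP
    # cannot be spliced in.
    if (fields["openid.op_endpoint"], fields.get("openid.identity"),
            fields["openid.return_to"]) != (endpoint, identity, return_to):
        return False
    # A response_nonce is accepted once; otherwise a captured assertion replays.
    if fields["openid.response_nonce"] in seen_nonces:
        return False
    seen_nonces.add(fields["openid.response_nonce"])
    return True


def demo():
    """Run the flow in process; returns (first check, replay, tampered identity)."""
    mac_key = b"constructed-mac-key-from-association"  # would come from the associate step
    endpoint, local_id = discover(IDENTIFIER_PAGE)
    claimed_id, return_to = "http://bhofmann.example/", "https://rp.example/openid/return"
    checkid_setup_url(endpoint, claimed_id, local_id, return_to, "https://rp.example/", "a1")
    resp = {  # constructed positive assertion from the OP
        "openid.ns": "http://specs.openid.net/auth/2.0", "openid.mode": "id_res",
        "openid.op_endpoint": endpoint, "openid.claimed_id": claimed_id,
        "openid.identity": local_id, "openid.return_to": return_to,
        "openid.response_nonce": "2011-04-28T10:00:00Zabc123", "openid.assoc_handle": "a1",
        "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle",
    }
    resp["openid.sig"] = sign(resp, mac_key)
    seen = set()
    first = verify_assertion(resp, mac_key, endpoint, local_id, return_to, seen)
    replay = verify_assertion(resp, mac_key, endpoint, local_id, return_to, seen)
    tampered = dict(resp, **{"openid.identity": "http://mallory.myopenid.com/"})
    forged = verify_assertion(tampered, mac_key, endpoint, "http://mallory.myopenid.com/", return_to, set())
    return first, replay, forged
```

The identity check is the one RPs most often skip: without it an OP (or anyone who obtained a valid assertion for a different local_id at the same OP) can log in as whichever claimed_id the RP happened to store.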
![Page 33: Distributed Identities with OpenID](https://reader033.fdocuments.net/reader033/viewer/2022052522/554bde34b4c905706a8b5712/html5/thumbnails/33.jpg)
Authentication vs Authorization
Authentication: Who is the user? Is this really user X?
Authorization: Is X allowed to do something? Does X have the permission?
Client sites want more than just a unique identifier (Social Graph)
![Page 34: Distributed Identities with OpenID](https://reader033.fdocuments.net/reader033/viewer/2022052522/554bde34b4c905706a8b5712/html5/thumbnails/34.jpg)
But there are Spec Extensions
![Page 35: Distributed Identities with OpenID](https://reader033.fdocuments.net/reader033/viewer/2022052522/554bde34b4c905706a8b5712/html5/thumbnails/35.jpg)
Simple Registration
• Lets the request name fields that the Identity Provider must or should return (field names without the openid.sreg. prefix)
Request:

```
openid.sreg.required=fullname&openid.sreg.optional=email,gender
```

Response:

```
openid.sreg.fullname=Bastian&openid.sreg.gender=male
```
![Page 36: Distributed Identities with OpenID](https://reader033.fdocuments.net/reader033/viewer/2022052522/554bde34b4c905706a8b5712/html5/thumbnails/36.jpg)
Attribute Exchange
• Fetch Request

```
openid.ns.ax=http://openid.net/srv/ax/1.0
openid.ax.mode=fetch_request
openid.ax.type.fname=http://example.com/schema/fullname
openid.ax.type.gender=http://example.com/schema/gender
openid.ax.type.fav_dog=http://example.com/schema/favourite_dog
openid.ax.type.fav_movie=http://example.com/schema/favourite_movie
openid.ax.count.fav_movie=3
openid.ax.required=fname,gender
openid.ax.if_available=fav_dog,fav_movie
openid.ax.update_url=http://idconsumer.com/update?transaction_id=a6b5c41
```
![Page 37: Distributed Identities with OpenID](https://reader033.fdocuments.net/reader033/viewer/2022052522/554bde34b4c905706a8b5712/html5/thumbnails/37.jpg)
Attribute Exchange
• Fetch Response

```
openid.ns.ax=http://openid.net/srv/ax/1.0
openid.ax.mode=fetch_response
openid.ax.type.fname=http://example.com/schema/fullname
openid.ax.type.gender=http://example.com/schema/gender
openid.ax.type.fav_dog=http://example.com/schema/favourite_dog
openid.ax.type.fav_movie=http://example.com/schema/favourite_movie
openid.ax.value.fname=John Smith
openid.ax.count.gender=0
openid.ax.value.fav_dog=Spot
openid.ax.count.fav_movie=2
openid.ax.value.fav_movie.1=Movie1
openid.ax.value.fav_movie.2=Movie2
openid.ax.update_url=http://idconsumer.com/update?transaction_id=a6b5c41
```
![Page 38: Distributed Identities with OpenID](https://reader033.fdocuments.net/reader033/viewer/2022052522/554bde34b4c905706a8b5712/html5/thumbnails/38.jpg)
Attribute Exchange
• Store Request

```
openid.ns.ax=http://openid.net/srv/ax/1.0
openid.ax.mode=store_request
openid.ax.type.fname=http://example.com/schema/fullname
openid.ax.value.fname=Bob Smith
openid.ax.type.fav_movie=http://example.com/schema/favourite_movie
openid.ax.count.fav_movie=2
openid.ax.value.fav_movie.1=Movie1
openid.ax.value.fav_movie.2=Movie2
```

• Store Response

```
openid.ns.ax=http://openid.net/srv/ax/1.0
openid.ax.mode=store_response_success
```
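The Fetch Response above, as an added Python example (not code from the slides): it parses the AX attributes back out of the OP's response, multi-valued ones included, and sorts them into those the RP may use and those it must not, because an RP may only trust extension values whose parameters the OP listed in openid.signed. The sample response is constructed from the slide's message plus the OpenID 2.0 signature fields the slide leaves out, with fav_dog deliberately left out of openid.signed. The same rule applies to Simple Registration fields.

```python
from urllib.parse import parse_qsl

AX_NS = "http://openid.net/srv/ax/1.0"

# Constructed fetch_response as it would arrive in the return_to query string;
# built from the slide's message plus openid.signed (the slide omits it).
# fav_dog is intentionally not covered by the signature.
SAMPLE_RESPONSE = (
    "openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.mode=id_res"
    "&openid.ns.ax=http%3A%2F%2Fopenid.net%2Fsrv%2Fax%2F1.0&openid.ax.mode=fetch_response"
    "&openid.ax.type.fname=http%3A%2F%2Fexample.com%2Fschema%2Ffullname"
    "&openid.ax.type.gender=http%3A%2F%2Fexample.com%2Fschema%2Fgender"
    "&openid.ax.type.fav_dog=http%3A%2F%2Fexample.com%2Fschema%2Ffavourite_dog"
    "&openid.ax.type.fav_movie=http%3A%2F%2Fexample.com%2Fschema%2Ffavourite_movie"
    "&openid.ax.value.fname=John+Smith&openid.ax.count.gender=0"
    "&openid.ax.value.fav_dog=Spot&openid.ax.count.fav_movie=2"
    "&openid.ax.value.fav_movie.1=Movie1&openid.ax.value.fav_movie.2=Movie2"
    "&openid.signed=op_endpoint,return_to,response_nonce,assoc_handle,ns.ax,ax.mode,"
    "ax.type.fname,ax.value.fname,ax.type.gender,ax.count.gender,"
    "ax.type.fav_movie,ax.count.fav_movie,ax.value.fav_movie.1,ax.value.fav_movie.2"
)


def parse_response(query):
    """Query string -> dict of openid.* parameters."""
    return dict(parse_qsl(query, keep_blank_values=True))


def ax_alias(params):
    """Alias under which the AX namespace was declared (normally 'ax')."""
    for key, value in params.items():
        if key.startswith("openid.ns.") and value == AX_NS:
            return key[len("openid.ns."):]
    return None


def ax_attributes(params):
    """Split an AX fetch_response into (trusted, unsigned) {type_uri: [values]}.

    An attribute is trusted only if the namespace declaration, the mode, its
    type declaration and every value (or count) parameter appear in
    openid.signed. Anything else could have been added by whoever controls
    the browser between OP and RP.
    """
    alias = ax_alias(params)
    if alias is None or params.get(f"openid.{alias}.mode") != "fetch_response":
        return {}, {}
    signed = set(params.get("openid.signed", "").split(","))
    base_ok = {"ns." + alias, alias + ".mode"} <= signed
    prefix = f"openid.{alias}."
    trusted, unsigned = {}, {}
    for key, type_uri in params.items():
        if not key.startswith(prefix + "type."):
            continue
        name = key[len(prefix + "type."):]
        needed = [key]
        if prefix + "count." + name in params:  # multi-valued: value.<name>.1 .. .n
            n = int(params[prefix + "count." + name])
            needed.append(prefix + "count." + name)
            value_keys = [f"{prefix}value.{name}.{i}" for i in range(1, n + 1)]
        else:
            value_keys = [prefix + "value." + name]
        needed += value_keys
        values = [params[k] for k in value_keys if k in params]
        ok = base_ok and all(k[len("openid."):] in signed for k in needed)
        (trusted if ok else unsigned)[type_uri] = values
    return trusted, unsigned
```

Run ax_attributes(parse_response(SAMPLE_RESPONSE)) and only fullname, gender and favourite_movie come back as trusted; favourite_dog lands in the unsigned dict and should be ignored. Use the type URI, not the alias, as the key: the alias is chosen by the requester and carries no meaning on its own.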
![Page 40: Distributed Identities with OpenID](https://reader033.fdocuments.net/reader033/viewer/2022052522/554bde34b4c905706a8b5712/html5/thumbnails/40.jpg)
OAuth 1.0a Flow (http://oauth.net/)
(A) The web client obtains a Request Token and Secret from the Authorization Server and redirects the end user's browser to it
(B) The browser presents the Request Token to the Authorization Server
(C) The user authenticates
(D) The Authorization Server sends a Verifier back through the browser
(E) The client exchanges Request Token and Verifier for an Access Token and Secret
Every request: client credentials, nonce, timestamp, signature
![Page 41: Distributed Identities with OpenID](https://reader033.fdocuments.net/reader033/viewer/2022052522/554bde34b4c905706a8b5712/html5/thumbnails/41.jpg)
OpenID + OAuth
• Combines OpenID authentication and OAuth authorization in one round trip
Request:

```
openid.ns.oauth=http://specs.openid.net/extensions/oauth/1.0&openid.oauth.consumer=123456
```

Response:

```
openid.ns.oauth=http://specs.openid.net/extensions/oauth/1.0&openid.oauth.request_token=7890
```
![Page 42: Distributed Identities with OpenID](https://reader033.fdocuments.net/reader033/viewer/2022052522/554bde34b4c905706a8b5712/html5/thumbnails/42.jpg)
Failures of OpenID 2.0
Complex to implement
URL as identifier => Bad User Experience
Do you have an OpenID?
What is it?
No marketing
![Page 43: Distributed Identities with OpenID](https://reader033.fdocuments.net/reader033/viewer/2022052522/554bde34b4c905706a8b5712/html5/thumbnails/43.jpg)
How to fix it?
![Page 44: Distributed Identities with OpenID](https://reader033.fdocuments.net/reader033/viewer/2022052522/554bde34b4c905706a8b5712/html5/thumbnails/44.jpg)
Easier to implement
Simpler specification
Better user experience
Wider adoption
Built on top of OAuth 2.0
![Page 45: Distributed Identities with OpenID](https://reader033.fdocuments.net/reader033/viewer/2022052522/554bde34b4c905706a8b5712/html5/thumbnails/45.jpg)
What's wrong with OAuth?
Does not work well with non-web or JavaScript-based clients
The „Invalid Signature“ problem
Complicated flow, many requests
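The OAuth 1.0a flow above ends with every API call carrying a signature, and the „Invalid Signature“ problem is what that costs in practice. As an added Python example (not from the slides or from oauth.net), this builds the HMAC-SHA1 signature base string as RFC 5849 specifies it, signs on the client side and verifies on the server side with the nonce/timestamp replay check the slide lists. The sample request and the expected base string are those of RFC 5849 section 3.4.1.1; the two shared secrets are constructed values, so the resulting signature is not the one printed in the RFC.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit

# Request from RFC 5849 section 3.4.1.1 (POST /request with a form body).
RFC_URL = "http://example.com/request?b5=%3D%253D&a3=a&c%40=&a2=r%20b"
RFC_BODY = [("c2", ""), ("a3", "2 q")]
RFC_OAUTH = {"oauth_consumer_key": "9djdj82h48djs9d2", "oauth_token": "kkk9d7dh3k39sjv7",
             "oauth_timestamp": "137131201", "oauth_nonce": "7d8f3e4a", "realm": "Example"}
RFC_BASE_STRING = ("POST&http%3A%2F%2Fexample.com%2Frequest&a2%3Dr%2520b%26a3%3D2%2520q%26a3%3Da"
                   "%26b5%3D%253D%25253D%26c%2540%3D%26c2%3D%26oauth_consumer_key%3D9djdj82h48djs9d2"
                   "%26oauth_nonce%3D7d8f3e4a%26oauth_signature_method%3DHMAC-SHA1"
                   "%26oauth_timestamp%3D137131201%26oauth_token%3Dkkk9d7dh3k39sjv7")


def oauth_escape(s):
    """RFC 5849 percent-encoding: only ALPHA, DIGIT, '-', '.', '_', '~' stay literal."""
    return quote(str(s), safe="")


def base_string_uri(url):
    """Lower-case scheme and host, drop default ports and the query string."""
    p = urlsplit(url)
    host = p.hostname.lower()
    if p.port and p.port != {"http": 80, "https": 443}.get(p.scheme.lower()):
        host = f"{host}:{p.port}"
    return f"{p.scheme.lower()}://{host}{p.path}"


def signature_base_string(method, url, body_params, oauth_params):
    """method & base URI & normalized parameters (query, form body, oauth_*).

    Every parameter is decoded, re-encoded, and sorted by name then value.
    Any byte the client and server encode differently in here is an
    "Invalid Signature" error with no hint of which parameter was at fault.
    """
    params = parse_qsl(urlsplit(url).query, keep_blank_values=True) + list(body_params)
    params += [(k, v) for k, v in oauth_params.items() if k not in ("realm", "oauth_signature")]
    pairs = sorted((oauth_escape(k), oauth_escape(v)) for k, v in params)
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), oauth_escape(base_string_uri(url)), oauth_escape(normalized)])


def hmac_sha1(base_string, client_secret, token_secret=""):
    key = (oauth_escape(client_secret) + "&" + oauth_escape(token_secret)).encode()
    return base64.b64encode(hmac.new(key, base_string.encode(), hashlib.sha1).digest()).decode()


def sign_request(method, url, body_params, oauth_params, client_secret, token_secret=""):
    """Client side: return the oauth_* parameters with oauth_signature filled in."""
    signed = dict(oauth_params, oauth_signature_method="HMAC-SHA1")
    signed["oauth_signature"] = hmac_sha1(
        signature_base_string(method, url, body_params, signed), client_secret, token_secret)
    return signed


class Verifier:
    """Server side: recompute the signature and refuse replayed (key, timestamp, nonce)."""

    def __init__(self, client_secrets, token_secrets, max_skew=300):
        self.client_secrets, self.token_secrets = client_secrets, token_secrets
        self.max_skew, self.seen = max_skew, set()

    def verify(self, method, url, body_params, oauth_params, now):
        key = oauth_params.get("oauth_consumer_key")
        client_secret = self.client_secrets.get(key)
        token_secret = self.token_secrets.get(oauth_params.get("oauth_token", ""), "")
        if client_secret is None or oauth_params.get("oauth_signature_method") != "HMAC-SHA1":
            return False
        ts = int(oauth_params.get("oauth_timestamp", "0"))
        replay_key = (key, ts, oauth_params.get("oauth_nonce"))
        if abs(now - ts) > self.max_skew or replay_key in self.seen:
            return False
        expected = hmac_sha1(signature_base_string(method, url, body_params, oauth_params),
                             client_secret, token_secret)
        if not hmac.compare_digest(expected, oauth_params.get("oauth_signature", "")):
            return False
        self.seen.add(replay_key)
        return True
```

The body parameter a3 is "2 q"; a client library that hands the raw form value "2+q" to the signer, or a server that reads the body without decoding it, produces a different base string and the request is rejected as Invalid Signature even though both sides hold the right secrets.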
![Page 47: Distributed Identities with OpenID](https://reader033.fdocuments.net/reader033/viewer/2022052522/554bde34b4c905706a8b5712/html5/thumbnails/47.jpg)
What's new in OAuth 2? (Draft 10)
http://tools.ietf.org/html/draft-ietf-oauth-v2
Different client profiles
No signatures
No token secrets
Cookie-like bearer token
No request tokens
Much more flexible regarding extensions
Mandatory TLS/SSL
![Page 48: Distributed Identities with OpenID](https://reader033.fdocuments.net/reader033/viewer/2022052522/554bde34b4c905706a8b5712/html5/thumbnails/48.jpg)
Web-Server Profile
(A) The web client redirects the end user's browser to the Authorization Server with its client identifier and redirect URI
(B) The user authenticates at the Authorization Server
(C) The Authorization Server redirects the browser back to the redirect URI with an authorization code
(D) The web client sends its client credentials, the authorization code and the redirect URI to the Authorization Server
(E) The Authorization Server returns an access token (with an optional refresh token)
![Page 49: Distributed Identities with OpenID](https://reader033.fdocuments.net/reader033/viewer/2022052522/554bde34b4c905706a8b5712/html5/thumbnails/49.jpg)
User-Agent Profile
(A) The client running in the browser sends its client identifier and redirection URI to the Authorization Server
(B) The user authenticates
(C) The Authorization Server redirects to the redirection URI with the access token in the URI fragment
(D) The browser requests the redirection URI from the client's web server, without the fragment
(E) The web server answers with a web page containing a script
(F) The script extracts the access token from the fragment and uses it against the resource
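The Web-Server Profile, as an added in-process example (not from the slides or the IETF draft): an authorization server and a web client in Python running steps (A) to (E) with the checks that matter once a bearer token is all the client gets. The client registration, secrets and URLs are constructed; the state parameter, the exact redirect_uri match, single-use short-lived codes and the bearer token response follow the draft. The User-Agent Profile is not implemented here.

```python
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed client registration; a real authorization server keeps this in its database.
CLIENTS = {
    "client-123": {
        "secret": "constructed-client-secret",
        "redirect_uris": {"https://rp.example/oauth/callback"},
    }
}
CODE_TTL = 60  # seconds an authorization code stays valid


class AuthorizationServer:
    def __init__(self, now=time.time):
        self.now = now
        self.codes = {}   # code -> (client_id, redirect_uri, issued_at)
        self.tokens = {}  # bearer access token -> client_id

    def authorize(self, client_id, redirect_uri, state):
        """Steps (B)/(C): called once the user has authenticated and consented.

        The redirect_uri is compared with the registration before anything is
        sent to it; otherwise the code would be delivered to an attacker's site.
        """
        client = CLIENTS.get(client_id)
        if client is None or redirect_uri not in client["redirect_uris"]:
            raise ValueError("unknown client or unregistered redirect_uri")
        code = secrets.token_urlsafe(32)
        self.codes[code] = (client_id, redirect_uri, self.now())
        return redirect_uri + "?" + urlencode({"code": code, "state": state})

    def token(self, client_id, client_secret, code, redirect_uri):
        """Steps (D)/(E): exchange the code for a bearer token (over TLS only)."""
        client = CLIENTS.get(client_id)
        if client is None or not hmac.compare_digest(client["secret"], client_secret):
            raise ValueError("invalid_client")
        entry = self.codes.pop(code, None)  # pop: a code is good for exactly one exchange
        if entry is None:
            raise ValueError("invalid_grant")
        issued_to, issued_uri, issued_at = entry
        if (issued_to, issued_uri) != (client_id, redirect_uri) or self.now() - issued_at > CODE_TTL:
            raise ValueError("invalid_grant")
        token = secrets.token_urlsafe(32)
        self.tokens[token] = client_id
        # No signature and no token secret: whoever holds this string can use it.
        return {"access_token": token, "token_type": "bearer", "expires_in": 3600}


class WebClient:
    def __init__(self, server, client_id, client_secret, redirect_uri):
        self.server, self.client_id = server, client_id
        self.client_secret, self.redirect_uri = client_secret, redirect_uri
        self.pending_states = set()  # in practice kept in the user's session

    def start(self):
        """Step (A): the redirect that sends the browser to the authorization endpoint."""
        state = secrets.token_urlsafe(16)  # unguessable and bound to this session
        self.pending_states.add(state)
        return "https://as.example/authorize?" + urlencode({
            "response_type": "code", "client_id": self.client_id,
            "redirect_uri": self.redirect_uri, "state": state})

    def callback(self, redirect_url):
        """Step (D): only trade in a code that arrives with a state we issued."""
        q = parse_qs(urlparse(redirect_url).query)
        state = q.get("state", [None])[0]
        if state not in self.pending_states:
            raise ValueError("state mismatch: login CSRF or injected code")
        self.pending_states.discard(state)
        return self.server.token(self.client_id, self.client_secret, q["code"][0], self.redirect_uri)


def _rejected(fn, *args):
    try:
        fn(*args)
    except ValueError:
        return True
    return False


def demo():
    """Run the flow in process; returns (token_type, replay, bad_uri, csrf) outcomes."""
    server = AuthorizationServer()
    client = WebClient(server, "client-123", "constructed-client-secret",
                       "https://rp.example/oauth/callback")
    state = parse_qs(urlparse(client.start()).query)["state"][0]
    redirect = server.authorize(client.client_id, client.redirect_uri, state)
    token = client.callback(redirect)
    code = parse_qs(urlparse(redirect).query)["code"][0]
    replay = _rejected(server.token, client.client_id, client.client_secret, code, client.redirect_uri)
    bad_uri = _rejected(server.authorize, client.client_id, "https://evil.example/cb", state)
    csrf = _rejected(client.callback, client.redirect_uri + "?code=x&state=forged")
    return token["token_type"], replay, bad_uri, csrf
```

demo() returns ("bearer", True, True, True): the token is issued once, the same code cannot be exchanged a second time, a code is never sent to an unregistered redirect URI, and a callback without a state the client issued is dropped before any token request is made.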
![Page 50: Distributed Identities with OpenID](https://reader033.fdocuments.net/reader033/viewer/2022052522/554bde34b4c905706a8b5712/html5/thumbnails/50.jpg)
What happened to signatures?
Bearer tokens are fine over a secure connection
Vulnerable if discovery is introduced (the client may hand the token to an endpoint it did not vet)
Or if TLS/SSL is not possible
Ongoing controversial discussion
![Page 51: Distributed Identities with OpenID](https://reader033.fdocuments.net/reader033/viewer/2022052522/554bde34b4c905706a8b5712/html5/thumbnails/51.jpg)
Scopes
Optional parameter for provider-specific implementations
Additional return values
Access control
![Page 52: Distributed Identities with OpenID](https://reader033.fdocuments.net/reader033/viewer/2022052522/554bde34b4c905706a8b5712/html5/thumbnails/52.jpg)
http://openidconnect.com/
Scope: „openid“
With the access token, additional values are returned:
UserID: URL to a Portable Contacts endpoint
Timestamp
Signature
![Page 53: Distributed Identities with OpenID](https://reader033.fdocuments.net/reader033/viewer/2022052522/554bde34b4c905706a8b5712/html5/thumbnails/53.jpg)
http://opensocial-demo.vz-modules.net/vzid/index.php
https://github.com/vznet/vz_id_democlient
![Page 54: Distributed Identities with OpenID](https://reader033.fdocuments.net/reader033/viewer/2022052522/554bde34b4c905706a8b5712/html5/thumbnails/54.jpg)
DEMO
![Page 55: Distributed Identities with OpenID](https://reader033.fdocuments.net/reader033/viewer/2022052522/554bde34b4c905706a8b5712/html5/thumbnails/55.jpg)
OpenID Connect Discovery
Get the identifier of the user
Call the /.well-known/host-meta file at the domain of the user's provider
Look for a link pointing to the OpenID Connect endpoints in the returned LRDD
![Page 56: Distributed Identities with OpenID](https://reader033.fdocuments.net/reader033/viewer/2022052522/554bde34b4c905706a8b5712/html5/thumbnails/56.jpg)
Phishing
![Page 57: Distributed Identities with OpenID](https://reader033.fdocuments.net/reader033/viewer/2022052522/554bde34b4c905706a8b5712/html5/thumbnails/57.jpg)
E-mail address equals identity?
@
![Page 58: Distributed Identities with OpenID](https://reader033.fdocuments.net/reader033/viewer/2022052522/554bde34b4c905706a8b5712/html5/thumbnails/58.jpg)
Can the browser help?
![Page 59: Distributed Identities with OpenID](https://reader033.fdocuments.net/reader033/viewer/2022052522/554bde34b4c905706a8b5712/html5/thumbnails/59.jpg)
http://esw.w3.org/Foaf%2Bssl
FOAF+SSL (WebID)
![Page 60: Distributed Identities with OpenID](https://reader033.fdocuments.net/reader033/viewer/2022052522/554bde34b4c905706a8b5712/html5/thumbnails/60.jpg)
DEMO
![Page 61: Distributed Identities with OpenID](https://reader033.fdocuments.net/reader033/viewer/2022052522/554bde34b4c905706a8b5712/html5/thumbnails/61.jpg)
Bad browser UI
Syncing between different computers?
More than one user on the same computer?
![Page 62: Distributed Identities with OpenID](https://reader033.fdocuments.net/reader033/viewer/2022052522/554bde34b4c905706a8b5712/html5/thumbnails/62.jpg)
Mozilla UX Mockups
![Page 64: Distributed Identities with OpenID](https://reader033.fdocuments.net/reader033/viewer/2022052522/554bde34b4c905706a8b5712/html5/thumbnails/64.jpg)
DEMO
![Page 65: Distributed Identities with OpenID](https://reader033.fdocuments.net/reader033/viewer/2022052522/554bde34b4c905706a8b5712/html5/thumbnails/65.jpg)
Summing it up
• We need a single sign-on system for the web
• OpenID is cool, but has some problems
• Proprietary solutions are bad for users, site owners and developers
• A new, simpler and more flexible spec is coming up
• Browser vendors are working to solve this problem in the browser
![Page 66: Distributed Identities with OpenID](https://reader033.fdocuments.net/reader033/viewer/2022052522/554bde34b4c905706a8b5712/html5/thumbnails/66.jpg)
http://twitter.com/BastianHofmann
https://profiles.google.com/bashofmann
http://lanyrd.com/people/BastianHofmann/
http://slideshare.net/bashofmann