OpenID & Oauth

Open Standards for

Authentication and Authorization

(An introduction)

The Open Web

• Unencumbered, Cross-Platform Standards

• Open Source / Free Software Implementations

• No Single-Vendor "Lock-In”

• Distributed Extensibility

http://developer.mozilla.org/presentations/sxsw2007/the_open_web/

OpenID is…

• Lightweight

• Distributed

• User-Centric (not Site-Centric)

OpenID is also…

Built on web standards

DNS/HTTP/SSL

Diffie-Hellman (PKI)

History

2005: Developed by Brad Fitzpatrick, Creator of LiveJournal

2006: Delegation, XRI support, extensions: OpenID 2.0

2007: OpenID Foundation

2008: More than 13,000 Consuming Sites

http://en.wikipedia.org/wiki/OpenID#History

OpenID In The Wild

A Solution For…

• Maintaining Usernames

• Password Overload (insecurity)

• Site-centric Identity

Basics

• An OpenID is a URL– http://redmonk.net

• Provider– http://myopenid.com

• Relying Parties• Delegation

– http://redmonk.myopenid.com

The Dance (Conversation)

DEMO

• LiveJournal User

• Ma.gnolia

• One-Time Authentication

• Persistent Authentication

The “Open” in OpenID

• Delegation support is required

<link rel=“openid.delegate” />

• Multiple accounts, multiple Providers

• No Lock-in

Q & A

Oauth is…

“OAuth is like a valet key for all your web services.  A valet key lets you give a valet the ability to park your car, but not the ability to get into the trunk or drive more than 2 miles or redline the RPMs on your high end German automobile.  In the same way, an OAuth key lets you give a web agent the ability to check your web mail but NOT the ability to pretend to be you and send mail to everybody in your address book.”

http://journals.aol.com/panzerjohn/abstractioneer/entries/2007/09/21/oauth-your-valet-key-for-the-web/1550

Authentication

Similar to:

• AuthSub (Google)

• BBAuth (Yahoo)

• Flickr Auth

• OpenAuth (AOL)

API Level

• Application To Application

• “Agency”

Basics

• User

• Service Provider

• Consumer

• Protected Resources

• Tokens

http://oauth.net/documentation/getting-started

The Dance (Conversation)

(Developed from: http://oauth.net/core/diagram.png)

Who’s Supporting Oauth?

Google

FireEagle (Yahoo)

Ma.gnolia

Amazon

Flickr

Digg

And more…

Q & A

Sources

http://www.slideshare.net/daveman692/open-id-overview-seoul-july-2007http://en.wikipedia.org/wiki/Diffie-Hellman_key_exchangehttp://en.wikipedia.org/wiki/OpenID#Historyhttp://wiki.openid.net/http://openid.nethttp://oauth.nethttp://journals.aol.com/panzerjohn/abstractioneer/entries/2007/09/21/oauth-your-

valet-key-for-the-web/1550http://oauth.net/core/diagram.pnghttp://www.slideshare.net/leahculver/oauth-open-api-authenticationhttp://www.slideshare.net/daveman692/open-platforms-in-web-20

Your Host

Steve Ivysteveivy@gmail.com

Open Standards, Open Source Agitator

http://redmonk.net/