4. „OpenID has been a burden on support since the day it was launched.“
„Fewer than 1% of all 37signals users are currently using OpenID.“
http://productblog.37signals.com/products/2011/01/well-be-retiring-our-support-of-openid-on-may-1.html
5. „OpenID is the worst possible "solution" I have ever seen in my entire life to a problem that most people don't really have.“
Yishan Wong (Facebook)
http://www.quora.com/What-s-wrong-with-OpenID
8. • Why identity management is still a problem
• OpenID: how it works, and why it fails
• OpenID Connect & OAuth2: OpenID's future?
• What can browser vendors do?
11. Identity is conveyed by communication
Identity is not fixed but recreated by every communication with your fellows
Expectations of different people result in different identities
Lothar Krappmann
15. Passwords are broken
Same password for more than one service
Saved insecurely in the browser
Names, birthdays, car brand, ...
Disclosed to others
Too short, too simple
Sent over unencrypted connections
28. Authentication vs Authorization
Who is the user?
Is this really user X?
VS
Is X allowed to do something?
Does X have the permission?
Client sites want more than just a unique identifier (Social Graph)
30. Simple Registration
• Allows the client site to specify certain fields in the request that must or should be returned by the Identity Provider (the values of required/optional are the field names without the openid.sreg. prefix)
Request:
openid.sreg.required=fullname&openid.sreg.optional=email,gender
Response:
openid.sreg.fullname=Bastian&openid.sreg.gender=male
38. Easier to implement
Better user experience
Built on top of OAuth 2.0
Simpler specification
Wider adoption
39. What's wrong with OAuth?
Does not work well with non-web or JavaScript-based clients
The „Invalid Signature“ problem
Complicated flow, many requests
40. What's new in OAuth2? (Draft 10)
No signatures
Cookie-like Bearer Token
Different client profiles
No token secrets
No request tokens
Mandatory TLS/SSL
Much more flexible regarding extensions
http://tools.ietf.org/html/draft-ietf-oauth-v2
42. User-Agent Profile
  +----------+          Client Identifier     +----------------+
  |          |>---(A)-- & Redirection URI --->|                |
  |          |                                |                |
End <--+ - - +----(B)-- User authenticates -->|  Authorization |
User   |     |                                |     Server     |
  |          |<---(C)--- Redirect URI -------<|                |
  |  Client  |          with Access Token     |                |
  |    in    |            in Fragment         +----------------+
  |  Browser |
  |          |                                +----------------+
  |          |>---(D)--- Redirect URI ------->|                |
  |          |         without Fragment       |   Web Server   |
  |          |                                |   with Client  |
  |   (F)    |<---(E)--- Web Page with ------<|    Resource    |
  |  Access  |             Script             |                |
  |  Token   |                                +----------------+
  +----------+
43. What happened to signatures?
Ongoing controversial discussion
Bearer tokens are fine over a secure connection
Vulnerable if discovery is introduced
Or if TLS/SSL is not possible
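How the client-side script delivered in step (E) of the user-agent profile above would take the bearer token out of the fragment in step (F), as an added example (JavaScript, not code from the slides or from the OAuth2 draft). The redirect URL, token and `state` value are constructed; `state` is the draft's echo-back parameter for tying the response to the client's own request, which the slides do not show.

```javascript
// Added example: client-side handling of step (C)/(E) of the OAuth 2.0
// user-agent profile, where the access token arrives in the URL fragment.
// Not code from the slides; the sample URL, token and state are constructed.

// Inspect only the fragment of the redirect URI the authorization server sent
// the browser to. Browsers do not send the fragment to the web server in
// step (D), so the token never leaves the user agent.
function parseImplicitFragment(redirectUrl, expectedState) {
  const url = new URL(redirectUrl);

  // A bearer token is only safe on an encrypted channel (TLS is mandatory
  // in draft 10): refuse a token that travelled over plain http.
  if (url.protocol !== 'https:') {
    return { ok: false, error: 'redirect URI must use https' };
  }

  // The fragment is the part after '#', encoded like a query string.
  const params = new URLSearchParams(url.hash.replace(/^#/, ''));

  // The server may answer with an error instead of a token.
  if (params.has('error')) {
    return { ok: false, error: params.get('error') };
  }
  const accessToken = params.get('access_token');
  if (!accessToken) {
    return { ok: false, error: 'missing access_token in fragment' };
  }

  // `state` echoes an unguessable value the client stored before step (A);
  // a mismatch means this response was not requested by this session.
  if (params.get('state') !== expectedState) {
    return { ok: false, error: 'state mismatch' };
  }

  return {
    ok: true,
    accessToken,
    expiresIn: params.has('expires_in') ? Number(params.get('expires_in')) : null,
    scope: params.get('scope') || '',
    // What step (D) actually transmits to the web server: no fragment.
    redirectWithoutFragment: url.origin + url.pathname + url.search,
  };
}

// Constructed sample: the browser landed here after step (C).
const SAMPLE_REDIRECT =
  'https://client.example/cb?page=1#access_token=SlAV32hkKG&expires_in=3600&scope=openid&state=xyz';

console.log(parseImplicitFragment(SAMPLE_REDIRECT, 'xyz'));
```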
44. Scopes
Optional parameter for provider-specific implementations
Additional return values
Access control
45. Scope: „openid“
With the access token, additional values are returned:
UserID: URL to the Portable Contacts endpoint
Timestamp
Signature
http://openidconnect.com/
47. OpenID Connect
Discovery
Get the identifier of the user
Fetch the /.well-known/host-meta file at the domain of the user's provider
Look for a link pointing to the OpenID Connect endpoints in the returned LRDD
55. Summing it up
• We need a single sign-on system for the web
• OpenID is cool, but has some problems
• Proprietary solutions are bad for users, site owners and developers
• A new, simpler and more flexible spec is coming up
• Browser vendors are working to solve this problem in the browser