SlideShare ist ein Scribd-Unternehmen logo

Distributed Identities with OpenID

Bastian Hofmann
Bastian Hofmann

Talk about Distributed Identities with OpenID from the Confoo Conference

Technologie
1 von 56
Downloaden Sie, um offline zu lesen
Distributed Identities with OpenID Bastian Hofmann VZnet Netzwerke Ltd.
About me
OpenID is dead
„OpenID has been a burden on support since the day it was launched.“ „Fewer than 1% of all 37signals users are currently using OpenID.“ http://productblog.37signals.com/products/2011/01/well-be-retiring-our- support-of-openid-on-may-1.html
„OpenID is the worst possible "solution" I have ever seen in my entire life to a problem that most people don't really have.“ Yishan Wong (Facebook) http://www.quora.com/What-s-wrong-with-OpenID
Facebook Connect 250,000,000 monthly users
So why are you here?
• Why identity management is still a problem • OpenID how it works, and why it fails • OpenID Connect & OAuth2: OpenIDs future? • What can browser vendors do?
Questions? Ask!
Only one identity?
Identity is conveyed by communication Identity is not fixed but recreated by every communication with your fellows Expectations of different people result in different identities Lothar Krappmann
Paul Adams http://www.slideshare.net/padday/the-real-life-social-network-v2
Sign up again and again
Passwords are broken Same password for more than one service Saved unsecurely in the browser Names, birthdays, car brand, ... Disclosed to others Too short, too simple Sent over non encrypted connections
Single Sign On
Microsoft Live ID Launched 1999 as .net Passport
Facebook Connect
And there are much more
Nascar problem
Aggregation: Janrain http://www.janrain.com/
OpenID http://openid.net/
The Client
Discovery <link rel="openid.server" href="http://www.myopenid.com/ server" /> <link rel="openid2.provider" href="http://www.myopenid.com/ server" /> Delegation <meta http-equiv="X-XRDS-Location" content="http:// bhofmann.myopenid.com/" /> <link rel="openid2.provider" href="http:// www.myopenid.com/server" /> <link rel="openid2.local_id" href="http:// bhofmann.myopenid.com/" /> <link rel="openid.server" href="http://www.myopenid.com/ server" /> <link rel="openid.delegate" href="http:// bhofmann.myopenid.com/" />
Connection Flow
DEMO
Authentication vs Authorization Who is the user? Is this really user X? VS Is X allowed to do something? Does X have the permission? Client sites want more than just a unique identifier (Social Graph)
But there are Spec Extensions
Simple Registration • Allows to specify certain fields in request that must or should be returned by the Identity Provider openid.sreg.required=openid.sreg.fullname& openid.sreg.optional=openid.sreg.email,openid.sreg.gender openid.sreg.fullname=Bastian&openid.sreg.gender=male
Attribute Exchange • Fetch Request penid.ns.ax=http://openid.net/srv/ax/1.0 openid.ax.mode=fetch_request openid.ax.type.fname=http://example.com/schema/fullname openid.ax.type.gender=http://example.com/schema/gender openid.ax.type.fav_dog=http://example.com/schema/favourite_dog openid.ax.type.fav_movie=http://example.com/schema/ favourite_movie openid.ax.count.fav_movie=3 openid.ax.required=fname,gender openid.ax.if_available=fav_dog,fav_movie openid.ax.update_url=http://idconsumer.com/update? transaction_id=a6b5c41
Attribute Exchange • Fetch Response openid.ns.ax=http://openid.net/srv/ax/1.0 openid.ax.mode=fetch_response openid.ax.type.fname=http://example.com/schema/fullname openid.ax.type.gender=http://example.com/schema/gender openid.ax.type.fav_dog=http://example.com/schema/favourite_dog openid.ax.type.fav_movie=http://example.com/schema/ favourite_movie openid.ax.value.fname=John Smith openid.ax.count.gender=0 openid.ax.value.fav_dog=Spot openid.ax.count.fav_movie=2 openid.ax.value.fav_movie.1=Movie1 openid.ax.value.fav_movie.2=Movie2 openid.ax.update_url=http://idconsumer.com/update? transaction_id=a6b5c41
Attribute Exchange • Store Request openid.ns.ax=http://openid.net/srv/ax/1.0 openid.ax.mode=store_request openid.ax.type.fname=http://example.com/schema/fullname openid.ax.value.fname=Bob Smith openid.ax.type.fav_movie=http://example.com/schema/ favourite_movie openid.ax.count.fav_movie=2 openid.ax.value.fav_movie.1=Movie1 openid.ax.value.fav_movie.2=Movie2 • Store Respons openid.ns.ax=http://openid.net/srv/ax/1.0 openid.ax.mode=store_response_success
OAuth 1.0a Flow +----------+ +---------------+ | -+----(B)-- Request Token -------->| | | End-user | | Authorization | | at |<---(C)-- User authenticates --->| Server | | Browser | | | | -+----(D)-- Verifier -------------<| | +-|----|---+ +---------------+ | | ^ v (B) (D) | | | | | | ^ v | | +---------+ | | | |>---(A)-- Redirect URL ---------------| | | Web |<---(A)-- Request Token + Secret -----| | | Client |>---(E)-- Request Token, Verifier ----' | | |<---(E)-- Access Token + Secret -------------' +---------+ Every Request: Client Credentials, Nonce, Timestamp, Signature http://oauth.net/
OpenID + OAuth • Combines OpenID Authentication and OAuth authorization openid.ns.oauth=http://specs.openid.net/extensions/oauth/1.0 &openid.oauth.consumer=123456 openid.ns.oauth=http://specs.openid.net/extensions/oauth/1.0 &openid.oauth.request_token=7890
Failures of OpenID 2.0 Complex to implement No marketing Do you have an OpenID? What is it? URL as identifier => Bad User Experience
How to fix it?
Easier to implement Better user experience Built on top of OAuth 2.0 More simple specification wider adption
What‘s wrong with OAuth? Does not work well with non web or JavaScript based clients The „Invalid Signature“ Problem Complicated Flow, many requests
What‘s new in OAuth2? (Draft 10) No signatures Cookie-like Bearer Token Different client profiles No Token Secrets No Request Tokens Mandatory TSL/SSL Much more flexible regarding extensions http://tools.ietf.org/html/draft-ietf-oauth-v2
Web-Server Profile +----------+ Client Identifier +---------------+ | -+----(A)--- & Redirect URI ------>| | | End-user | | Authorization | | at |<---(B)-- User authenticates --->| Server | | Browser | | | | -+----(C)-- Authorization Code ---<| | +-|----|---+ +---------------+ | | ^ v (A) (C) | | | | | | ^ v | | +---------+ | | | |>---(D)-- Client Credentials, --------' | | Web | Authorization Code, | | Client | & Redirect URI | | | | | |<---(E)----- Access Token -------------------' +---------+ (w/ Optional Refresh Token)
User-Agent Profile +----------+ Client Identifier +----------------+ | |>---(A)-- & Redirection URI --->| | | | | | End <--+ - - - +----(B)-- User authenticates -->| Authorization | User | | | Server | | |<---(C)--- Redirect URI -------<| | | Client | with Access Token | | | in | in Fragment +----------------+ | Browser | | | +----------------+ | |>---(D)--- Redirect URI ------->| | | | without Fragment | Web Server | | | | with Client | | (F) |<---(E)--- Web Page with ------<| Resource | | Access | Script | | | Token | +----------------+ +----------+
What happend to signatures? Ongoing controvers discussion Bearer Tokens are fine over secure connection Vulnerable if discovery is introduced Or if TSL/SSL is not possible
Scopes Optional parameter for provider specific implementations Additional return values Access Control
Scope: „openid“ With access token additional values are returned UserID: URL to Portable Contacts endpoint Timestamp Signature http://openidconnect.com/
DEMO
OpenID Connect Discovery Get Identifier of user Call /.well-­‐known/host-­‐meta file at the domain of the user‘s provider Look for a link pointing to the OpenID Connect endpoints in the returned LRDD
Phishing
@ E-mail address equals identity?
Can the browser help?
FOAF+SSL (WebID) http://esw.w3.org/Foaf%2Bssl
DEMO
Bad browser UI Syncing between different computers? More than one user on the same computer?
UX Mockups Mozilla Weave
Summing it up • We need a single sign on system for the web • OpenID is cool, but has some problems • Proprietary solutions are bad for users, site owners and developers • A new more simple and flexible spec is coming up • Browser vendors are working to solve this problem in the browser
h"p://twi"er.com/Bas2anHofmann h"p://joind.in/2874 h"p://studivz.net/bas2an h"p://slideshare.net/bashofmann bhofmann@vz.net h"p://developer.studivz.net

Empfohlen

Distributed Identities with OpenID
Distributed Identities with OpenIDDistributed Identities with OpenID
Distributed Identities with OpenIDBastian Hofmann
 
OAuth-as-a-service - using ASP.NET Web API and Windows Azure Access Control -...
OAuth-as-a-service - using ASP.NET Web API and Windows Azure Access Control -...OAuth-as-a-service - using ASP.NET Web API and Windows Azure Access Control -...
OAuth-as-a-service - using ASP.NET Web API and Windows Azure Access Control -...Maarten Balliauw
 
OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control
OAuth-as-a-service using ASP.NET Web API and Windows Azure Access ControlOAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control
OAuth-as-a-service using ASP.NET Web API and Windows Azure Access ControlMicrosoft Developer Network (MSDN) - Belgium and Luxembourg
 
OpenID Connect Demo at OpenID Tech Night
OpenID Connect Demo at OpenID Tech NightOpenID Connect Demo at OpenID Tech Night
OpenID Connect Demo at OpenID Tech NightDaisuke Fuke
 
Minor Mistakes In Web Portals
Minor Mistakes In Web PortalsMinor Mistakes In Web Portals
Minor Mistakes In Web Portalsmsobiegraj
 
4. tmg 2010 e uag 2010
4. tmg 2010 e uag 20104. tmg 2010 e uag 2010
4. tmg 2010 e uag 2010Fabrizio Volpe
 
Lecture 20101124
Lecture 20101124Lecture 20101124
Lecture 20101124Anderson Liang
 
Why HATEOAS
Why HATEOASWhy HATEOAS
Why HATEOASLee Wayne
 

Empfohlen

Distributed Identities with OpenID
Distributed Identities with OpenIDDistributed Identities with OpenID
Distributed Identities with OpenIDBastian Hofmann
 
OAuth-as-a-service - using ASP.NET Web API and Windows Azure Access Control -...
OAuth-as-a-service - using ASP.NET Web API and Windows Azure Access Control -...OAuth-as-a-service - using ASP.NET Web API and Windows Azure Access Control -...
OAuth-as-a-service - using ASP.NET Web API and Windows Azure Access Control -...Maarten Balliauw
 
OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control
OAuth-as-a-service using ASP.NET Web API and Windows Azure Access ControlOAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control
OAuth-as-a-service using ASP.NET Web API and Windows Azure Access ControlMicrosoft Developer Network (MSDN) - Belgium and Luxembourg
 
OpenID Connect Demo at OpenID Tech Night
OpenID Connect Demo at OpenID Tech NightOpenID Connect Demo at OpenID Tech Night
OpenID Connect Demo at OpenID Tech NightDaisuke Fuke
 
Minor Mistakes In Web Portals
Minor Mistakes In Web PortalsMinor Mistakes In Web Portals
Minor Mistakes In Web Portalsmsobiegraj
 
4. tmg 2010 e uag 2010
4. tmg 2010 e uag 20104. tmg 2010 e uag 2010
4. tmg 2010 e uag 2010Fabrizio Volpe
 
Lecture 20101124
Lecture 20101124Lecture 20101124
Lecture 20101124Anderson Liang
 
Why HATEOAS
Why HATEOASWhy HATEOAS
Why HATEOASLee Wayne
 
OpenStack: leggero, aperto e basato sul web.
OpenStack: leggero, aperto e basato sul web.OpenStack: leggero, aperto e basato sul web.
OpenStack: leggero, aperto e basato sul web.Lorenzo Cassulo
 
PHP, OAuth, Web Services and YQL
PHP, OAuth, Web Services and YQLPHP, OAuth, Web Services and YQL
PHP, OAuth, Web Services and YQLkulor
 
Single Sign on e OpenID
Single Sign on e OpenIDSingle Sign on e OpenID
Single Sign on e OpenIDThomas Basciutti
 
Oauth
OauthOauth
OauthMauro Tomasella
 
Implementing OAuth with PHP
Implementing OAuth with PHPImplementing OAuth with PHP
Implementing OAuth with PHPLorna Mitchell
 
OpenID vs OAuth - Identity on the Web
OpenID vs OAuth - Identity on the WebOpenID vs OAuth - Identity on the Web
OpenID vs OAuth - Identity on the WebRichard Metzler
 
Implementing OAuth
Implementing OAuthImplementing OAuth
Implementing OAuthleahculver
 
OpenID and OAuth
OpenID and OAuthOpenID and OAuth
OpenID and OAuthAndrea Chiodoni
 
Interface Drupal with desktop or webapp via OAuth & REST
Interface Drupal with desktop or webapp via OAuth & RESTInterface Drupal with desktop or webapp via OAuth & REST
Interface Drupal with desktop or webapp via OAuth & RESTNicolas Froment
 
Oauth
OauthOauth
Oauth立晨 代
 
How to create social apps for millions of users
How to create social apps for millions of users How to create social apps for millions of users
How to create social apps for millions of users Bastian Hofmann
 
OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control - W...
OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control - W...OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control - W...
OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control - W...Maarten Balliauw
 
OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control
OAuth-as-a-service using ASP.NET Web API and Windows Azure Access ControlOAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control
OAuth-as-a-service using ASP.NET Web API and Windows Azure Access ControlMaarten Balliauw
 
Oauth2.0
Oauth2.0Oauth2.0
Oauth2.0iratao
 
Technical Background of VZ-ID
Technical Background of VZ-IDTechnical Background of VZ-ID
Technical Background of VZ-IDBastian Hofmann
 
Client-side Auth with Ember.js
Client-side Auth with Ember.jsClient-side Auth with Ember.js
Client-side Auth with Ember.jsMatthew Beale
 
Mashing up JavaScript
Mashing up JavaScriptMashing up JavaScript
Mashing up JavaScriptBastian Hofmann
 
international PHP2011_Bastian Hofmann_Mashing up java script
international PHP2011_Bastian Hofmann_Mashing up java scriptinternational PHP2011_Bastian Hofmann_Mashing up java script
international PHP2011_Bastian Hofmann_Mashing up java scriptsmueller_sandsmedia
 
Crossing the Boundaries of Web Applications with OpenSocial
Crossing the Boundaries of Web Applications with OpenSocialCrossing the Boundaries of Web Applications with OpenSocial
Crossing the Boundaries of Web Applications with OpenSocialBastian Hofmann
 
Crossing the Boundaries of Web Applications with OpenSocial
Crossing the Boundaries of Web Applications with OpenSocialCrossing the Boundaries of Web Applications with OpenSocial
Crossing the Boundaries of Web Applications with OpenSocialBastian Hofmann
 
Multi-Factor Authentication for your clouds
Multi-Factor Authentication for your cloudsMulti-Factor Authentication for your clouds
Multi-Factor Authentication for your cloudsAlexandre Verkinderen
 
Understanding Identity in the World of Web APIs – Ronnie Mitra, API Architec...
Understanding Identity in the World of Web APIs – Ronnie Mitra, API Architec...Understanding Identity in the World of Web APIs – Ronnie Mitra, API Architec...
Understanding Identity in the World of Web APIs – Ronnie Mitra, API Architec...CA API Management
 

Weitere ähnliche Inhalte

Andere mochten auch

OpenStack: leggero, aperto e basato sul web.
OpenStack: leggero, aperto e basato sul web.OpenStack: leggero, aperto e basato sul web.
OpenStack: leggero, aperto e basato sul web.Lorenzo Cassulo
 
PHP, OAuth, Web Services and YQL
PHP, OAuth, Web Services and YQLPHP, OAuth, Web Services and YQL
PHP, OAuth, Web Services and YQLkulor
 
Implementing OAuth with PHP
Implementing OAuth with PHPImplementing OAuth with PHP
Implementing OAuth with PHPLorna Mitchell
 
OpenID vs OAuth - Identity on the Web
OpenID vs OAuth - Identity on the WebOpenID vs OAuth - Identity on the Web
OpenID vs OAuth - Identity on the WebRichard Metzler
 
Implementing OAuth
Implementing OAuthImplementing OAuth
Implementing OAuthleahculver
 
Interface Drupal with desktop or webapp via OAuth & REST
Interface Drupal with desktop or webapp via OAuth & RESTInterface Drupal with desktop or webapp via OAuth & REST
Interface Drupal with desktop or webapp via OAuth & RESTNicolas Froment
 

Andere mochten auch (9)

OpenStack: leggero, aperto e basato sul web.
OpenStack: leggero, aperto e basato sul web.OpenStack: leggero, aperto e basato sul web.
OpenStack: leggero, aperto e basato sul web.
 
PHP, OAuth, Web Services and YQL
PHP, OAuth, Web Services and YQLPHP, OAuth, Web Services and YQL
PHP, OAuth, Web Services and YQL
 
Single Sign on e OpenID
Single Sign on e OpenIDSingle Sign on e OpenID
Single Sign on e OpenID
 
Oauth
OauthOauth
Oauth
 
Implementing OAuth with PHP
Implementing OAuth with PHPImplementing OAuth with PHP
Implementing OAuth with PHP
 
OpenID vs OAuth - Identity on the Web
OpenID vs OAuth - Identity on the WebOpenID vs OAuth - Identity on the Web
OpenID vs OAuth - Identity on the Web
 
Implementing OAuth
Implementing OAuthImplementing OAuth
Implementing OAuth
 
OpenID and OAuth
OpenID and OAuthOpenID and OAuth
OpenID and OAuth
 
Interface Drupal with desktop or webapp via OAuth & REST
Interface Drupal with desktop or webapp via OAuth & RESTInterface Drupal with desktop or webapp via OAuth & REST
Interface Drupal with desktop or webapp via OAuth & REST
 

Ähnlich wie Distributed Identities with OpenID

How to create social apps for millions of users
How to create social apps for millions of users How to create social apps for millions of users
How to create social apps for millions of users Bastian Hofmann
 
OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control - W...
OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control - W...OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control - W...
OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control - W...Maarten Balliauw
 
OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control
OAuth-as-a-service using ASP.NET Web API and Windows Azure Access ControlOAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control
OAuth-as-a-service using ASP.NET Web API and Windows Azure Access ControlMaarten Balliauw
 
Oauth2.0
Oauth2.0Oauth2.0
Oauth2.0iratao
 
Technical Background of VZ-ID
Technical Background of VZ-IDTechnical Background of VZ-ID
Technical Background of VZ-IDBastian Hofmann
 
Client-side Auth with Ember.js
Client-side Auth with Ember.jsClient-side Auth with Ember.js
Client-side Auth with Ember.jsMatthew Beale
 
international PHP2011_Bastian Hofmann_Mashing up java script
international PHP2011_Bastian Hofmann_Mashing up java scriptinternational PHP2011_Bastian Hofmann_Mashing up java script
international PHP2011_Bastian Hofmann_Mashing up java scriptsmueller_sandsmedia
 
Crossing the Boundaries of Web Applications with OpenSocial
Crossing the Boundaries of Web Applications with OpenSocialCrossing the Boundaries of Web Applications with OpenSocial
Crossing the Boundaries of Web Applications with OpenSocialBastian Hofmann
 
Crossing the Boundaries of Web Applications with OpenSocial
Crossing the Boundaries of Web Applications with OpenSocialCrossing the Boundaries of Web Applications with OpenSocial
Crossing the Boundaries of Web Applications with OpenSocialBastian Hofmann
 
Multi-Factor Authentication for your clouds
Multi-Factor Authentication for your cloudsMulti-Factor Authentication for your clouds
Multi-Factor Authentication for your cloudsAlexandre Verkinderen
 
Understanding Identity in the World of Web APIs – Ronnie Mitra, API Architec...
Understanding Identity in the World of Web APIs – Ronnie Mitra, API Architec...Understanding Identity in the World of Web APIs – Ronnie Mitra, API Architec...
Understanding Identity in the World of Web APIs – Ronnie Mitra, API Architec...CA API Management
 
seminar on proxyserver
seminar on proxyserverseminar on proxyserver
seminar on proxyserverNiraj Barnwal
 
OSCamp #4 on Foreman | CLI tools with Foreman by Martin Bačovský
OSCamp #4 on Foreman | CLI tools with Foreman by Martin BačovskýOSCamp #4 on Foreman | CLI tools with Foreman by Martin Bačovský
OSCamp #4 on Foreman | CLI tools with Foreman by Martin BačovskýNETWAYS
 
OpenSocial - Past, Present, Future
OpenSocial - Past, Present, FutureOpenSocial - Past, Present, Future
OpenSocial - Past, Present, FutureBastian Hofmann
 
Node js to sharepoint authentication
Node js to sharepoint authenticationNode js to sharepoint authentication
Node js to sharepoint authenticationSergei Sergeev
 

Ähnlich wie Distributed Identities with OpenID (20)

Oauth
OauthOauth
Oauth
 
How to create social apps for millions of users
How to create social apps for millions of users How to create social apps for millions of users
How to create social apps for millions of users
 
OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control - W...
OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control - W...OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control - W...
OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control - W...
 
OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control
OAuth-as-a-service using ASP.NET Web API and Windows Azure Access ControlOAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control
OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control
 
Oauth2.0
Oauth2.0Oauth2.0
Oauth2.0
 
Technical Background of VZ-ID
Technical Background of VZ-IDTechnical Background of VZ-ID
Technical Background of VZ-ID
 
Client-side Auth with Ember.js
Client-side Auth with Ember.jsClient-side Auth with Ember.js
Client-side Auth with Ember.js
 
Mashing up JavaScript
Mashing up JavaScriptMashing up JavaScript
Mashing up JavaScript
 
international PHP2011_Bastian Hofmann_Mashing up java script
international PHP2011_Bastian Hofmann_Mashing up java scriptinternational PHP2011_Bastian Hofmann_Mashing up java script
international PHP2011_Bastian Hofmann_Mashing up java script
 
Crossing the Boundaries of Web Applications with OpenSocial
Crossing the Boundaries of Web Applications with OpenSocialCrossing the Boundaries of Web Applications with OpenSocial
Crossing the Boundaries of Web Applications with OpenSocial
 
Crossing the Boundaries of Web Applications with OpenSocial
Crossing the Boundaries of Web Applications with OpenSocialCrossing the Boundaries of Web Applications with OpenSocial
Crossing the Boundaries of Web Applications with OpenSocial
 
Multi-Factor Authentication for your clouds
Multi-Factor Authentication for your cloudsMulti-Factor Authentication for your clouds
Multi-Factor Authentication for your clouds
 
Understanding Identity in the World of Web APIs – Ronnie Mitra, API Architec...
Understanding Identity in the World of Web APIs – Ronnie Mitra, API Architec...Understanding Identity in the World of Web APIs – Ronnie Mitra, API Architec...
Understanding Identity in the World of Web APIs – Ronnie Mitra, API Architec...
 
seminar on proxyserver
seminar on proxyserverseminar on proxyserver
seminar on proxyserver
 
OSCamp #4 on Foreman | CLI tools with Foreman by Martin Bačovský
OSCamp #4 on Foreman | CLI tools with Foreman by Martin BačovskýOSCamp #4 on Foreman | CLI tools with Foreman by Martin Bačovský
OSCamp #4 on Foreman | CLI tools with Foreman by Martin Bačovský
 
OpenSocial - Past, Present, Future
OpenSocial - Past, Present, FutureOpenSocial - Past, Present, Future
OpenSocial - Past, Present, Future
 
Share All The Things With UMA
Share All The Things With UMAShare All The Things With UMA
Share All The Things With UMA
 
Node js to sharepoint authentication
Node js to sharepoint authenticationNode js to sharepoint authentication
Node js to sharepoint authentication
 
Development Workflows on AWS
Development Workflows on AWSDevelopment Workflows on AWS
Development Workflows on AWS
 
Some OAuth love
Some OAuth loveSome OAuth love
Some OAuth love
 

Mehr von Bastian Hofmann

Introduction to rg\injection
Introduction to rg\injectionIntroduction to rg\injection
Introduction to rg\injectionBastian Hofmann
 
IGNITE OpenSocial 2.0 - Viva La OpenAppRevolution!
IGNITE OpenSocial 2.0 - Viva La OpenAppRevolution! IGNITE OpenSocial 2.0 - Viva La OpenAppRevolution!
IGNITE OpenSocial 2.0 - Viva La OpenAppRevolution! Bastian Hofmann
 
How to create OpenSocial Apps in 45 minutes
How to create OpenSocial Apps in 45 minutesHow to create OpenSocial Apps in 45 minutes
How to create OpenSocial Apps in 45 minutesBastian Hofmann
 
Crossing the Boundaries of Web Applications with OpenSocial
Crossing the Boundaries of Web Applications with OpenSocialCrossing the Boundaries of Web Applications with OpenSocial
Crossing the Boundaries of Web Applications with OpenSocialBastian Hofmann
 
The Identity Problem of the Web and how to solve it
The Identity Problem of the Web and how to solve itThe Identity Problem of the Web and how to solve it
The Identity Problem of the Web and how to solve itBastian Hofmann
 
Opening up the Social Web - Standards that are bridging the Islands
Opening up the Social Web - Standards that are bridging the IslandsOpening up the Social Web - Standards that are bridging the Islands
Opening up the Social Web - Standards that are bridging the IslandsBastian Hofmann
 
Mashing up JavaScript – Advanced Techniques for modern Web Apps
Mashing up JavaScript – Advanced Techniques for modern Web AppsMashing up JavaScript – Advanced Techniques for modern Web Apps
Mashing up JavaScript – Advanced Techniques for modern Web AppsBastian Hofmann
 
Creating social games for millions of users
Creating social games for millions of usersCreating social games for millions of users
Creating social games for millions of usersBastian Hofmann
 
Distributed Social Networking
Distributed Social NetworkingDistributed Social Networking
Distributed Social NetworkingBastian Hofmann
 
Advanced Capabilities of OpenSocial Apps
Advanced Capabilities of OpenSocial AppsAdvanced Capabilities of OpenSocial Apps
Advanced Capabilities of OpenSocial AppsBastian Hofmann
 
Creating OpenSocial Apps for millions of users
Creating OpenSocial Apps for millions of usersCreating OpenSocial Apps for millions of users
Creating OpenSocial Apps for millions of usersBastian Hofmann
 
How to make your social games successfull
How to make your social games successfullHow to make your social games successfull
How to make your social games successfullBastian Hofmann
 
Opening up the Social Web - Standards that are bridging the Islands
Opening up the Social Web - Standards that are bridging the Islands Opening up the Social Web - Standards that are bridging the Islands
Opening up the Social Web - Standards that are bridging the Islands Bastian Hofmann
 
Distributed Identities with OpenID
Distributed Identities with OpenIDDistributed Identities with OpenID
Distributed Identities with OpenIDBastian Hofmann
 
Creating OpenSocial Apps
Creating OpenSocial AppsCreating OpenSocial Apps
Creating OpenSocial AppsBastian Hofmann
 
OpenSocial in der Praxis
OpenSocial in der PraxisOpenSocial in der Praxis
OpenSocial in der PraxisBastian Hofmann
 

Mehr von Bastian Hofmann (19)

Introduction to rg\injection
Introduction to rg\injectionIntroduction to rg\injection
Introduction to rg\injection
 
IGNITE OpenSocial 2.0 - Viva La OpenAppRevolution!
IGNITE OpenSocial 2.0 - Viva La OpenAppRevolution! IGNITE OpenSocial 2.0 - Viva La OpenAppRevolution!
IGNITE OpenSocial 2.0 - Viva La OpenAppRevolution!
 
How to create OpenSocial Apps in 45 minutes
How to create OpenSocial Apps in 45 minutesHow to create OpenSocial Apps in 45 minutes
How to create OpenSocial Apps in 45 minutes
 
Crossing the Boundaries of Web Applications with OpenSocial
Crossing the Boundaries of Web Applications with OpenSocialCrossing the Boundaries of Web Applications with OpenSocial
Crossing the Boundaries of Web Applications with OpenSocial
 
The Identity Problem of the Web and how to solve it
The Identity Problem of the Web and how to solve itThe Identity Problem of the Web and how to solve it
The Identity Problem of the Web and how to solve it
 
Mashing up JavaScript
Mashing up JavaScriptMashing up JavaScript
Mashing up JavaScript
 
Opening up the Social Web - Standards that are bridging the Islands
Opening up the Social Web - Standards that are bridging the IslandsOpening up the Social Web - Standards that are bridging the Islands
Opening up the Social Web - Standards that are bridging the Islands
 
Mashing up JavaScript – Advanced Techniques for modern Web Apps
Mashing up JavaScript – Advanced Techniques for modern Web AppsMashing up JavaScript – Advanced Techniques for modern Web Apps
Mashing up JavaScript – Advanced Techniques for modern Web Apps
 
Creating social games for millions of users
Creating social games for millions of usersCreating social games for millions of users
Creating social games for millions of users
 
Distributed Social Networking
Distributed Social NetworkingDistributed Social Networking
Distributed Social Networking
 
Advanced Capabilities of OpenSocial Apps
Advanced Capabilities of OpenSocial AppsAdvanced Capabilities of OpenSocial Apps
Advanced Capabilities of OpenSocial Apps
 
Creating OpenSocial Apps for millions of users
Creating OpenSocial Apps for millions of usersCreating OpenSocial Apps for millions of users
Creating OpenSocial Apps for millions of users
 
How to make your social games successfull
How to make your social games successfullHow to make your social games successfull
How to make your social games successfull
 
Opening up the Social Web - Standards that are bridging the Islands
Opening up the Social Web - Standards that are bridging the Islands Opening up the Social Web - Standards that are bridging the Islands
Opening up the Social Web - Standards that are bridging the Islands
 
Distributed Identities with OpenID
Distributed Identities with OpenIDDistributed Identities with OpenID
Distributed Identities with OpenID
 
Creating OpenSocial Apps
Creating OpenSocial AppsCreating OpenSocial Apps
Creating OpenSocial Apps
 
OpenSocial in der Praxis
OpenSocial in der PraxisOpenSocial in der Praxis
OpenSocial in der Praxis
 
OpenSocial Done Right
OpenSocial Done RightOpenSocial Done Right
OpenSocial Done Right
 
Social apps done right
Social apps done rightSocial apps done right
Social apps done right
 

Kürzlich hochgeladen

Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentPim van der Noll
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesAssure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesThousandEyes
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...Scott Andery
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfIngrid Airi González
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rick Flair
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Hiroshi SHIBATA
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch TuesdayIvanti
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demoHarshalMandlekar2
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsNathaniel Shimoni
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Farhan Tariq
 

Kürzlich hochgeladen (20)

Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesAssure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdf
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch Tuesday
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demo
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...
 

Distributed Identities with OpenID

  • 1. Distributed Identities with OpenID Bastian Hofmann VZnet Netzwerke Ltd.
  • 4. „OpenID has been a burden on support since the day it was launched.“ „Fewer than 1% of all 37signals users are currently using OpenID.“ http://productblog.37signals.com/products/2011/01/well-be-retiring-our- support-of-openid-on-may-1.html
  • 5. „OpenID is the worst possible "solution" I have ever seen in my entire life to a problem that most people don't really have.“ Yishan Wong (Facebook) http://www.quora.com/What-s-wrong-with-OpenID
  • 7. So why are you here?
  • 8. • Why identity management is still a problem • OpenID how it works, and why it fails • OpenID Connect & OAuth2: OpenIDs future? • What can browser vendors do?
  • 11. Identity is conveyed by communication Identity is not fixed but recreated by every communication with your fellows Expectations of different people result in different identities Lothar Krappmann
  • 13.
  • 14. Sign up again and again
  • 15. Passwords are broken Same password for more than one service Saved unsecurely in the browser Names, birthdays, car brand, ... Disclosed to others Too short, too simple Sent over non encrypted connections
  • 17. Microsoft Live ID Launched 1999 as .net Passport
  • 19.
  • 20. And there are much more
  • 25. Discovery <link rel="openid.server" href="http://www.myopenid.com/ server" /> <link rel="openid2.provider" href="http://www.myopenid.com/ server" /> Delegation <meta http-equiv="X-XRDS-Location" content="http:// bhofmann.myopenid.com/" /> <link rel="openid2.provider" href="http:// www.myopenid.com/server" /> <link rel="openid2.local_id" href="http:// bhofmann.myopenid.com/" /> <link rel="openid.server" href="http://www.myopenid.com/ server" /> <link rel="openid.delegate" href="http:// bhofmann.myopenid.com/" />
  • 27. DEMO
  • 28. Authentication vs Authorization Who is the user? Is this really user X? VS Is X allowed to do something? Does X have the permission? Client sites want more than just a unique identifier (Social Graph)
  • 29. But there are Spec Extensions
  • 30. Simple Registration • Allows to specify certain fields in request that must or should be returned by the Identity Provider openid.sreg.required=openid.sreg.fullname& openid.sreg.optional=openid.sreg.email,openid.sreg.gender openid.sreg.fullname=Bastian&openid.sreg.gender=male
  • 31. Attribute Exchange • Fetch Request penid.ns.ax=http://openid.net/srv/ax/1.0 openid.ax.mode=fetch_request openid.ax.type.fname=http://example.com/schema/fullname openid.ax.type.gender=http://example.com/schema/gender openid.ax.type.fav_dog=http://example.com/schema/favourite_dog openid.ax.type.fav_movie=http://example.com/schema/ favourite_movie openid.ax.count.fav_movie=3 openid.ax.required=fname,gender openid.ax.if_available=fav_dog,fav_movie openid.ax.update_url=http://idconsumer.com/update? transaction_id=a6b5c41
  • 32. Attribute Exchange • Fetch Response openid.ns.ax=http://openid.net/srv/ax/1.0 openid.ax.mode=fetch_response openid.ax.type.fname=http://example.com/schema/fullname openid.ax.type.gender=http://example.com/schema/gender openid.ax.type.fav_dog=http://example.com/schema/favourite_dog openid.ax.type.fav_movie=http://example.com/schema/ favourite_movie openid.ax.value.fname=John Smith openid.ax.count.gender=0 openid.ax.value.fav_dog=Spot openid.ax.count.fav_movie=2 openid.ax.value.fav_movie.1=Movie1 openid.ax.value.fav_movie.2=Movie2 openid.ax.update_url=http://idconsumer.com/update? transaction_id=a6b5c41
  • 33. Attribute Exchange • Store Request openid.ns.ax=http://openid.net/srv/ax/1.0 openid.ax.mode=store_request openid.ax.type.fname=http://example.com/schema/fullname openid.ax.value.fname=Bob Smith openid.ax.type.fav_movie=http://example.com/schema/ favourite_movie openid.ax.count.fav_movie=2 openid.ax.value.fav_movie.1=Movie1 openid.ax.value.fav_movie.2=Movie2 • Store Respons openid.ns.ax=http://openid.net/srv/ax/1.0 openid.ax.mode=store_response_success
  • 34. OAuth 1.0a Flow +----------+ +---------------+ | -+----(B)-- Request Token -------->| | | End-user | | Authorization | | at |<---(C)-- User authenticates --->| Server | | Browser | | | | -+----(D)-- Verifier -------------<| | +-|----|---+ +---------------+ | | ^ v (B) (D) | | | | | | ^ v | | +---------+ | | | |>---(A)-- Redirect URL ---------------| | | Web |<---(A)-- Request Token + Secret -----| | | Client |>---(E)-- Request Token, Verifier ----' | | |<---(E)-- Access Token + Secret -------------' +---------+ Every Request: Client Credentials, Nonce, Timestamp, Signature http://oauth.net/
  • 35. OpenID + OAuth • Combines OpenID Authentication and OAuth authorization openid.ns.oauth=http://specs.openid.net/extensions/oauth/1.0 &openid.oauth.consumer=123456 openid.ns.oauth=http://specs.openid.net/extensions/oauth/1.0 &openid.oauth.request_token=7890
  • 36. Failures of OpenID 2.0 Complex to implement No marketing Do you have an OpenID? What is it? URL as identifier => Bad User Experience
  • 37. How to fix it?
  • 38. Easier to implement Better user experience Built on top of OAuth 2.0 More simple specification wider adption
  • 39. What‘s wrong with OAuth? Does not work well with non web or JavaScript based clients The „Invalid Signature“ Problem Complicated Flow, many requests
  • 40. What‘s new in OAuth2? (Draft 10) No signatures Cookie-like Bearer Token Different client profiles No Token Secrets No Request Tokens Mandatory TSL/SSL Much more flexible regarding extensions http://tools.ietf.org/html/draft-ietf-oauth-v2
  • 41. Web-Server Profile +----------+ Client Identifier +---------------+ | -+----(A)--- & Redirect URI ------>| | | End-user | | Authorization | | at |<---(B)-- User authenticates --->| Server | | Browser | | | | -+----(C)-- Authorization Code ---<| | +-|----|---+ +---------------+ | | ^ v (A) (C) | | | | | | ^ v | | +---------+ | | | |>---(D)-- Client Credentials, --------' | | Web | Authorization Code, | | Client | & Redirect URI | | | | | |<---(E)----- Access Token -------------------' +---------+ (w/ Optional Refresh Token)
  • 42. User-Agent Profile +----------+ Client Identifier +----------------+ | |>---(A)-- & Redirection URI --->| | | | | | End <--+ - - - +----(B)-- User authenticates -->| Authorization | User | | | Server | | |<---(C)--- Redirect URI -------<| | | Client | with Access Token | | | in | in Fragment +----------------+ | Browser | | | +----------------+ | |>---(D)--- Redirect URI ------->| | | | without Fragment | Web Server | | | | with Client | | (F) |<---(E)--- Web Page with ------<| Resource | | Access | Script | | | Token | +----------------+ +----------+
  • 43. What happend to signatures? Ongoing controvers discussion Bearer Tokens are fine over secure connection Vulnerable if discovery is introduced Or if TSL/SSL is not possible
  • 44. Scopes Optional parameter for provider specific implementations Additional return values Access Control
  • 45. Scope: „openid“ With access token additional values are returned UserID: URL to Portable Contacts endpoint Timestamp Signature http://openidconnect.com/
  • 46. DEMO
  • 47. OpenID Connect Discovery Get Identifier of user Call /.well-­‐known/host-­‐meta file at the domain of the user‘s provider Look for a link pointing to the OpenID Connect endpoints in the returned LRDD
  • 49. @ E-mail address equals identity?
  • 52. DEMO
  • 53. Bad browser UI Syncing between different computers? More than one user on the same computer?
  • 55. Summing it up • We need a single sign on system for the web • OpenID is cool, but has some problems • Proprietary solutions are bad for users, site owners and developers • A new more simple and flexible spec is coming up • Browser vendors are working to solve this problem in the browser