10. Identity is conveyed by communication
„Identity is not fixed but recreated by every communication with your fellows. Expectations of different people result in different identities.“
Lothar Krappmann
15. Passwords are broken
The same password reused across more than one service
Saved insecurely in the browser
Built from names, birthdays, car brands, ...
Disclosed to others
Too short, too simple
Sent over unencrypted connections
39. Authentication vs Authorization
Authentication: Who is the user? Is this really user X?
VS
Authorization: Is X allowed to do something? Does X have the permission?
Client sites (relying parties) want more than just a unique identifier: profile data and the user's social graph
65. „OpenID has been a burden on support
since the day it was launched.“
„Fewer than 1% of all 37signals users are
currently using OpenID.“
http://productblog.37signals.com/products/2011/01/well-be-retiring-our-support-of-openid-on-may-1.html
66. „OpenID is the worst possible "solution"
I have ever seen in my entire life to a
problem that most people don't really
have.“
Yishan Wong (Facebook)
http://www.quora.com/What-s-wrong-with-OpenID
67. Failures of OpenID 2.0
Complex to implement
No marketing
Do you have an OpenID?
What is it?
URL as identifier => Bad User Experience
71. Easier to implement
Better user experience
Built on top of OAuth 2.0
Simpler specification
Wider adoption
72. What‘s wrong with OAuth?
Does not work well with non-web or JavaScript-based clients
The „Invalid Signature“ problem: the signature base string (parameter encoding, ordering, normalization) is easy to get wrong on either side
Complicated flow, many requests
74. What‘s new in OAuth2? (Draft 10)
No signatures
Cookie-like Bearer Token
Different client profiles
No Token Secrets
No Request Tokens
Mandatory TLS/SSL
Much more flexible regarding extensions
http://tools.ietf.org/html/draft-ietf-oauth-v2
101. Client Backend
Diagram: browser JavaScript on lanyrd.com calls api.twitter.com directly via AJAX; the API answers with the header Access-Control-Allow-Origin: *
http://www.w3.org/TR/cors/
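The diagram shows the browser side of a relying party calling the API directly and depending on the API's `Access-Control-Allow-Origin: *` header. As an added example (not from the slides, and not code from Lanyrd or Twitter), here is the decision an API makes on the server side; the allow-list and the hostnames in it are assumptions for the example:

```javascript
// Added example: CORS response headers for a JSON API called directly from
// browser JavaScript. The allow-list below is an assumption for the example.
const ALLOWED_ORIGINS = new Set(['https://lanyrd.com']);

// originHeader: the request's Origin header (undefined when absent)
// opts.isPublic: the resource carries no user-specific data
// opts.credentials: the resource is selected by cookies or an Authorization header
// Returns the headers to add to the response (empty = the browser blocks the read).
function corsHeaders(originHeader, opts = {}) {
  const headers = {};
  if (opts.isPublic && !opts.credentials) {
    // The slide's case: public data, so any origin may read it.
    headers['Access-Control-Allow-Origin'] = '*';
    return headers;
  }
  if (originHeader === undefined || !ALLOWED_ORIGINS.has(originHeader)) {
    return headers; // unknown or missing origin: say nothing, the browser refuses
  }
  // Echo the one allowed origin. Browsers reject '*' combined with credentials,
  // and echoing whatever Origin arrives would leak user data to any site.
  headers['Access-Control-Allow-Origin'] = originHeader;
  headers['Vary'] = 'Origin'; // a shared cache must not reuse this answer for another origin
  if (opts.credentials) {
    headers['Access-Control-Allow-Credentials'] = 'true';
  }
  return headers;
}

// Preflight for a non-simple request (e.g. a JSON PUT): allow only declared methods.
function preflightHeaders(originHeader, requestedMethod, allowedMethods) {
  const headers = corsHeaders(originHeader, { credentials: true });
  if (headers['Access-Control-Allow-Origin'] === undefined) return headers;
  if (!allowedMethods.includes(requestedMethod)) return {};
  headers['Access-Control-Allow-Methods'] = allowedMethods.join(', ');
  headers['Access-Control-Max-Age'] = '600';
  return headers;
}
```

The wildcard is the right answer only for the public, unauthenticated case shown in the diagram; as soon as the response depends on who the user is, the origin has to be matched against a list and echoed back individually.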
102. What happened to signatures?
Bearer tokens are fine over a secure connection
Vulnerable if discovery is introduced: a client that learns its endpoints at runtime can be pointed at one that simply collects the token
Or if TLS/SSL is not possible
So OAuth 1.0-style signatures remain available as an alternative
103. Scopes
Optional parameter for provider-specific implementations
Additional return values
Access Control
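As an added example (not from the slides), the two places where the scope parameter is acted on: the authorization server deciding what to grant, and the protected resource checking the token. Client registration, scope names and the narrowing policy are assumptions for the example; the rule that a narrowed grant must be reported back in the token response is from the final OAuth 2.0 specification (RFC 6749, section 5.1), not from draft 10:

```javascript
// Added example: scope handling at the authorization server and at the
// protected resource. Client registration and scope names are assumed.
const REGISTERED_CLIENTS = {
  app1: { allowedScopes: ['openid', 'read', 'write'] },
};

// The scope parameter is a space-delimited list; normalize it to a deduplicated array.
function parseScope(s) {
  return Array.from(new Set((s || '').trim().split(/\s+/).filter(Boolean)));
}

// Authorization endpoint: grant only what the client was registered for.
// Returns null for an unknown client or when nothing remains.
function grantScope(clientId, requestedScope) {
  const client = REGISTERED_CLIENTS[clientId];
  if (!client) return null;
  const granted = parseScope(requestedScope).filter(s => client.allowedScopes.includes(s));
  return granted.length > 0 ? granted : null;
}

// Token response: when the granted scope is narrower than what was requested,
// the response carries a "scope" parameter so the client notices
// (RFC 6749 section 5.1 makes this mandatory).
function tokenResponse(clientId, requestedScope, accessToken) {
  const granted = grantScope(clientId, requestedScope);
  if (granted === null) return { error: 'invalid_scope' };
  const body = { access_token: accessToken, token_type: 'bearer' };
  if (granted.join(' ') !== parseScope(requestedScope).join(' ')) {
    body.scope = granted.join(' ');
  }
  return body;
}

// Resource server: an endpoint lists the scopes it needs; all must be on the token.
// Scopes are plain labels: 'write' does not imply 'read' unless the provider says so.
function authorize(tokenScopes, requiredScopes) {
  const have = new Set(tokenScopes);
  return requiredScopes.every(s => have.has(s));
}
```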
104. Scope: „openid“
With the access token, additional values are returned:
UserID: URL to the user's Portable Contacts endpoint
Timestamp
Signature
http://openidconnect.com/
107. OpenID Connect
Discovery
Get the identifier of the user
Call /.well-known/host-meta at the domain of the user's provider
Look for a link pointing to the OpenID Connect endpoints in the returned LRDD (Link-based Resource Descriptor) document
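The three discovery steps above, as an added example that is not part of the slides or of any OpenID Connect implementation. The rel value, the sample host-meta document and the same-host policy are assumptions for the example; the `/.well-known/host-meta` location and the JRD (JSON) form of the document are from RFC 6415. The same-host check is this example's way of addressing the warning on slide 102 that discovery can point a client, and its bearer token, at the wrong endpoint:

```javascript
// Added example: the discovery step from the slide, run against a constructed
// host-meta document. The rel value below is an assumption for the example;
// RFC 6415 defines /.well-known/host-meta and the JRD form used here.
const OPENID_CONNECT_REL = 'http://openid.net/specs/connect/1.0/issuer'; // assumed rel

// Step 1: take the user's identifier and extract the provider's host.
// Accepts "user@example.org" and "https://example.org/user" style identifiers.
function hostFromIdentifier(identifier) {
  const id = identifier.trim();
  if (/^[^@\/\s]+@[^@\/\s]+$/.test(id)) return id.split('@')[1].toLowerCase();
  try {
    const u = new URL(id.includes('://') ? id : 'https://' + id);
    return u.hostname.toLowerCase();
  } catch (e) {
    return null;
  }
}

// Step 2: the document to fetch. Fetching it over https is what protects the
// bearer token later: a spoofed host-meta would point the client elsewhere.
function hostMetaUrl(host) {
  return `https://${host}/.well-known/host-meta`;
}

// Step 3: pick the link for the OpenID Connect endpoint out of the JRD. As a
// conservative policy for this example, the endpoint must be https and on the
// provider's own host, so a stray link cannot redirect the token elsewhere.
function findEndpoint(jrdText, host, rel = OPENID_CONNECT_REL) {
  let jrd;
  try { jrd = JSON.parse(jrdText); } catch (e) { return null; }
  if (!jrd || typeof jrd !== 'object') return null;
  for (const link of Array.isArray(jrd.links) ? jrd.links : []) {
    if (!link || link.rel !== rel || typeof link.href !== 'string') continue;
    let u;
    try { u = new URL(link.href); } catch (e) { continue; }
    if (u.protocol !== 'https:' || u.hostname.toLowerCase() !== host) continue;
    return u.href;
  }
  return null;
}

// Constructed host-meta (JRD) as a provider might serve it, for the example.
const SAMPLE_JRD = JSON.stringify({
  subject: 'https://example.org',
  links: [
    { rel: OPENID_CONNECT_REL, href: 'http://example.org/connect' },   // not https: skipped
    { rel: OPENID_CONNECT_REL, href: 'https://evil.example/connect' }, // off-host: skipped
    { rel: OPENID_CONNECT_REL, href: 'https://example.org/connect' },
  ],
});
```

A real provider may legitimately host its endpoints on another domain than the one in the user's identifier; in that case the same-host rule has to be replaced by something else that binds the endpoint to the provider, such as a TLS-protected host-meta plus an allow-list of endpoint hosts.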
120. Summing it up
• We need a single sign-on system for the web
• Proprietary solutions are bad for users, site owners and developers
• OpenID is cool, but has some problems
• A new, simpler and more flexible spec is coming up
• Browser vendors are working to solve this problem in the browser