F. Questier, Authentication options for Open edX: focus on OAuth and OpenID, presentation for the Erasmus+ MarMOOC project, Universidade de Vigo, Spain, 04/04/2018
Authentication options for Open edX: focus on OAuth and OpenID
1. Federated identity: a technological overview (part II/II)
Prof. dr. Frederik Questier
Vrije Universiteit Brussel
Presented at Universidade de Vigo, Spain, April 2018
Project No. 573583-EPP-1-2016-1-ES-EPPKA2-CBHE-SP (2016-2558/001-001)
14. Use cases designed for?
➢ OpenID
➢ Federated authentication
➢ Login at site B with your credentials from site A (identity provider) without giving B your password.
➢ E.g. login at edX by verifying at Google.
➢ OAuth
➢ Delegated authorization
➢ Authorize app/site B to access your data at site A without giving B your password.
➢ E.g. allow mobile edX app access to your edX server data
15. In practice, also by Open edX, ...
➢ OAuth is often abused for pseudo-authentication
➢ Possible
➢ But requires custom code for each authorization provider.
➢ Well known for the famous ones like Google and Facebook
➢ Provided by Open edX
16. OpenID Authentication vs. Pseudo-Authentication using OAuth
[Diagram, adapted from a drawing by @_nat_en]
➢ OpenID Authentication (Google – The Identity Provider)
➢ Site: "Who are YOU? Send me a notarized referral letter."
➢ You, to Google: "Please write a referral stating that I'm user@gmail"
➢ Google: "Here is the certificate" (name: Real Name, email: user@gmail, notary: Google)
➢ You, to the site: "Here you go"
➢ Pseudo-Authentication using OAuth (Google – The Identity Provider & the API Provider)
➢ Site: "Give me the valet key* to your house (account) so that I know you are the owner of the house"
➢ You, to Google: "Please issue me a valet key* for the core APIs"
➢ Google: "Here is the valet key*"
➢ You, to the site: "Here you go"
*valet key = limited scope OAuth Token
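The "custom code for each authorization provider" point from slide 15, sketched as an added example (not from the presentation and not Open edX's own code). The sample responses are constructed, the client ids are hypothetical, and the field names are assumed to follow Google's tokeninfo and Facebook's debug_token responses.

```python
# Constructed introspection responses (no real tokens or accounts). Field
# names follow Google's tokeninfo and Facebook's debug_token endpoints.
GOOGLE_TOKENINFO = {"aud": "our-client-id.example", "sub": "1001",
                    "scope": "openid email"}
FACEBOOK_DEBUG = {"data": {"app_id": "our-fb-app-id", "user_id": "2002",
                           "is_valid": True}}

# Hypothetical client ids registered for our site at each provider.
OUR_APPS = {"google": "our-client-id.example", "facebook": "our-fb-app-id"}


class NotAuthenticated(Exception):
    """The OAuth token cannot be accepted as proof of who the user is."""


def _google(resp):
    # Google names the client the token was issued to in "aud".
    return resp.get("aud"), resp.get("sub")


def _facebook(resp):
    # Facebook nests everything under "data" and uses different field names.
    data = resp.get("data", {})
    if not data.get("is_valid"):
        return None, None
    return data.get("app_id"), data.get("user_id")


# One adapter per provider: this is the per-provider custom code.
ADAPTERS = {"google": _google, "facebook": _facebook}


def pseudo_authenticate(provider, introspection):
    """Return a local identity key, or raise if the valet key is not ours."""
    if provider not in ADAPTERS:
        raise NotAuthenticated(f"no custom code for provider {provider!r}")
    issued_to, subject = ADAPTERS[provider](introspection)
    # A valet key is not a referral letter: a token issued to a different
    # app says nothing about who is standing at our login form.
    if issued_to != OUR_APPS[provider]:
        raise NotAuthenticated("token was not issued to this application")
    if not subject:
        raise NotAuthenticated("provider returned no stable user id")
    return f"{provider}:{subject}"
```
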
17. OpenID = user-centric :)
➢ Dream: login everywhere with your preferred identity provider or with your own URL
➢ e.g. login by writing “http://questier.com”
➢ = my server that runs an OpenID identity server
➢ or that has a rel-link to http://questier.myopenid.com
18. The user-centric dream killed :(
➢ 2014 MyOpenID shuts down
➢ Facebook OpenID Connect → Facebook Connect
➢ 2018 Stack Exchange OpenID support shuts down
21. Recommendation 1
Check which of these Open edX solutions fit your institutional identity provider
➢ Supported Identity Providers
➢ OAuth2, OAuth1
➢ Google, Facebook, LinkedIn, Microsoft Azure AD (365),…
➢ SAML 2 / Shibboleth
➢ Learning Tools Interoperability (LTI)
➢ Provisionally Supported Identity Providers
➢ OpenID
➢ Apache-hosted Shibboleth
➢ SSL client certificates
➢ Central Authentication Service (CAS)
25. This presentation was made with 100% Free Software
No animals were harmed
Questier.com
Frederik AT Questier.com
www.linkedin.com/in/fquestie
www.diigo.com/user/frederikquestier
www.slideshare.net/Frederik_Questier
Questions?
Merci!