Distributed Identities with OpenID
1. Bastian Hofmann, VZnet Netzwerke Ltd.
Distributed Identities with
OpenID
Tuesday, 12 October 2010
2. Agenda
•What are Identities?
•The history of Identity Providers
•Trying it the open way: OpenID
•The rise of Social
•OpenID's future
4. Do you really have only one identity?
Lothar Krappmann:
- Identity is conveyed through communication
- Identity is not fixed; it is recreated in every interaction with others
- Different people's expectations result in different identities
5. Example:
Paul Adams
http://www.slideshare.net/padday/the-real-life-social-network-v2
9. Microsoft Passport / Live ID
•Windows Live ID
•Launched in 1999 as Microsoft Passport (later branded .NET Passport)
•Used mainly for Microsoft services, not much outside
•OpenID Provider since 2008
10. OpenID
•Open, decentralized user authentication
http://openid.net/
15. Authentication vs Authorization
Who is the user?
Is this really user X?
VS
Is X allowed to do something?
Does X have the permission?
Client sites (relying parties) want more than just a unique identifier: they want profile data and the social graph.
16. But there are Spec Extensions
17. Simple Registration
•Lets the relying party list fields that must (required) or should (optional) be returned by the Identity Provider; field names are listed without the openid.sreg. prefix
Request:
openid.sreg.required=fullname&
openid.sreg.optional=email,gender
Response:
openid.sreg.fullname=Bastian&openid.sreg.gender=male
18. Attribute Exchange
•Two-way exchange of data possible; fetch_request: the relying party asks for attributes, some required, some only if available
openid.ns.ax=http://openid.net/srv/ax/1.0
openid.ax.mode=fetch_request
openid.ax.type.fname=http://example.com/schema/fullname
openid.ax.type.gender=http://example.com/schema/gender
openid.ax.type.fav_dog=http://example.com/schema/favourite_dog
openid.ax.type.fav_movie=http://example.com/schema/favourite_movie
openid.ax.count.fav_movie=3
openid.ax.required=fname,gender
openid.ax.if_available=fav_dog,fav_movie
openid.ax.update_url=http://idconsumer.com/update?transaction_id=a6b5c41
19. Attribute Exchange
•Two-way exchange of data possible; fetch_response: the provider answers (count.gender=0 means it has no value for a requested attribute)
openid.ns.ax=http://openid.net/srv/ax/1.0
openid.ax.mode=fetch_response
openid.ax.type.fname=http://example.com/schema/fullname
openid.ax.type.gender=http://example.com/schema/gender
openid.ax.type.fav_dog=http://example.com/schema/favourite_dog
openid.ax.type.fav_movie=http://example.com/schema/favourite_movie
openid.ax.value.fname=John Smith
openid.ax.count.gender=0
openid.ax.value.fav_dog=Spot
openid.ax.count.fav_movie=2
openid.ax.value.fav_movie.1=Movie1
openid.ax.value.fav_movie.2=Movie2
openid.ax.update_url=http://idconsumer.com/update?transaction_id=a6b5c41
20. Attribute Exchange
•Two-way exchange of data possible; store_request: the relying party pushes data to the provider, which acknowledges with store_response_success
openid.ns.ax=http://openid.net/srv/ax/1.0
openid.ax.mode=store_request
openid.ax.type.fname=http://example.com/schema/fullname
openid.ax.value.fname=Bob Smith
openid.ax.type.fav_movie=http://example.com/schema/favourite_movie
openid.ax.count.fav_movie=2
openid.ax.value.fav_movie.1=Movie1
openid.ax.value.fav_movie.2=Movie2

openid.ns.ax=http://openid.net/srv/ax/1.0
openid.ax.mode=store_response_success
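Worked example, added here and not code from the slides or from VZnet: the relying-party side of the AX messages on slides 18 and 19. It discovers the namespace alias instead of assuming "ax", expands multi-valued attributes (count.fav_movie=2 into value.fav_movie.1 and .2, count.gender=0 into "no value"), reports which required attributes came back empty, and performs the check a relying party must never skip: every AX parameter has to appear in openid.signed, because unsigned extension fields can be appended by anyone who can send the browser to return_to. The same rule applies to Simple Registration fields. The AX parameters are the slide's own; the openid.signed list and the outer openid.* fields of the id_res message are constructed for the example.

```python
"""Relying-party side of OpenID Attribute Exchange 1.0, with the signed-field check.
Added example, not code from the slides or VZnet. AX parameters are the slide's;
the openid.signed list and the outer openid.* fields are constructed."""
from urllib.parse import parse_qsl

AX_NS = "http://openid.net/srv/ax/1.0"

def parse_kv(message):
    """OpenID messages travel as application/x-www-form-urlencoded key/value pairs."""
    return dict(parse_qsl(message, keep_blank_values=True))

def ax_alias(params):
    """Alias bound to the AX namespace: usually 'ax', but an OP may pick any name."""
    for key, value in params.items():
        if key.startswith("openid.ns.") and value == AX_NS:
            return key[len("openid.ns."):]
    return None

def parse_fetch_response(params, signed_only=True):
    """Return {type_uri: [values]} from an AX fetch_response. With signed_only=True
    every AX parameter must be listed in openid.signed (OpenID 2.0 names signed
    fields without the 'openid.' prefix); unsigned attributes are rejected."""
    alias = ax_alias(params)
    if alias is None:
        raise ValueError("no AX namespace declared")
    prefix = f"openid.{alias}."
    if params.get(prefix + "mode") != "fetch_response":
        raise ValueError("not an AX fetch_response")
    if signed_only:
        signed = set(params.get("openid.signed", "").split(","))
        for key in params:
            if (key == f"openid.ns.{alias}" or key.startswith(prefix)) \
                    and key[len("openid."):] not in signed:
                raise ValueError(f"unsigned AX parameter: {key}")
    result = {}
    for key, type_uri in params.items():
        if not key.startswith(prefix + "type."):
            continue
        name = key[len(prefix + "type."):]
        count_key = f"{prefix}count.{name}"
        if count_key in params:
            # Multi-valued: value.<name>.1 .. value.<name>.<count>; count 0 = no value.
            values = []
            for i in range(1, int(params[count_key]) + 1):
                value_key = f"{prefix}value.{name}.{i}"
                if value_key not in params:
                    raise ValueError(f"{count_key} promises {value_key}, which is missing")
                values.append(params[value_key])
        else:
            single = params.get(f"{prefix}value.{name}")
            values = [single] if single is not None else []
        result[type_uri] = values
    return result

def missing_required(request_params, attributes):
    """Type URIs the RP marked ax.required that the OP returned without a value."""
    prefix = f"openid.{ax_alias(request_params)}."
    required = [a for a in request_params.get(prefix + "required", "").split(",") if a]
    uris = [request_params[f"{prefix}type.{a}"] for a in required]
    return [uri for uri in uris if not attributes.get(uri)]

def attributes_or_error(message):
    """(attributes, None) when the response is acceptable, (None, reason) otherwise."""
    try:
        return parse_fetch_response(parse_kv(message)), None
    except ValueError as exc:
        return None, str(exc)

# The slide's fetch_request (same parameters, constructed wire form).
REQUEST = "&".join([
    "openid.ns.ax=" + AX_NS, "openid.ax.mode=fetch_request",
    "openid.ax.type.fname=http://example.com/schema/fullname",
    "openid.ax.type.gender=http://example.com/schema/gender",
    "openid.ax.type.fav_dog=http://example.com/schema/favourite_dog",
    "openid.ax.type.fav_movie=http://example.com/schema/favourite_movie",
    "openid.ax.count.fav_movie=3", "openid.ax.required=fname,gender",
    "openid.ax.if_available=fav_dog,fav_movie"])

# The slide's fetch_response inside a constructed id_res message whose signed
# list deliberately leaves out fav_dog, so the signed check has something to catch.
SIGNED = ("op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle,"
          "ns.ax,ax.mode,ax.type.fname,ax.value.fname,ax.type.gender,ax.count.gender,"
          "ax.type.fav_movie,ax.count.fav_movie,ax.value.fav_movie.1,ax.value.fav_movie.2")
RESPONSE = "&".join([
    "openid.ns=http://specs.openid.net/auth/2.0", "openid.mode=id_res",
    "openid.signed=" + SIGNED, "openid.ns.ax=" + AX_NS, "openid.ax.mode=fetch_response",
    "openid.ax.type.fname=http://example.com/schema/fullname",
    "openid.ax.type.gender=http://example.com/schema/gender",
    "openid.ax.type.fav_dog=http://example.com/schema/favourite_dog",
    "openid.ax.type.fav_movie=http://example.com/schema/favourite_movie",
    "openid.ax.value.fname=John Smith", "openid.ax.count.gender=0",
    "openid.ax.value.fav_dog=Spot", "openid.ax.count.fav_movie=2",
    "openid.ax.value.fav_movie.1=Movie1", "openid.ax.value.fav_movie.2=Movie2"])
```

attributes_or_error(RESPONSE) rejects the message because openid.ax.type.fav_dog is not signed; parse_fetch_response(parse_kv(RESPONSE), signed_only=False) shows what a careless relying party would have accepted, and missing_required(parse_kv(REQUEST), ...) on that result flags the gender attribute, which the RP marked required but the OP returned with count 0. Whether the relying party then refuses the login or asks the user is a policy decision; silently treating unsigned or absent attributes as verified is not.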
21. OpenID + OAuth
•Combines OpenID authentication and OAuth authorization in a single round trip
Request (carries the OAuth consumer key):
openid.ns.oauth=http://specs.openid.net/extensions/oauth/1.0
&openid.oauth.consumer=123456
Response (carries an already approved request token):
openid.ns.oauth=http://specs.openid.net/extensions/oauth/1.0
&openid.oauth.request_token=7890
23. Failures of OpenID 2.0
•Complex to implement
•No marketing
–Do you have an OpenID?
–What is it?
•URL as identifier => bad user experience
32. OpenID Connect
•Goals:
–Easier to implement
–Simpler specification
–Better user experience
•=> wider adoption
•Built on top of OAuth 2.0
33. What's wrong with OAuth?
•Does not work well with non-web or JavaScript-based clients
•The "Invalid Signature" problem
•Complicated flow, many requests
34. What's new in OAuth 2? (Draft 10)
•Different client profiles
•No signatures
•No token secrets
•Cookie-like bearer token
•Mandatory TLS/SSL
•No request tokens
•Much more flexible regarding extensions
http://tools.ietf.org/html/draft-ietf-oauth-v2
36. User-Agent Profile
+----------+ Client Identifier +----------------+
| |>---(A)-- & Redirection URI --->| |
| | | |
End <--+ - - - +----(B)-- User authenticates -->| Authorization |
User | | | Server |
| |<---(C)--- Redirect URI -------<| |
| Client | with Access Token | |
| in | in Fragment +----------------+
| Browser |
| | +----------------+
| |>---(D)--- Redirect URI ------->| |
| | without Fragment | Web Server |
| | | with Client |
| (F) |<---(E)--- Web Page with ------<| Resource |
| Access | Script | |
| Token | +----------------+
+----------+
37. What happened to signatures?
•Ongoing, controversial discussion
•Bearer tokens are fine over a secure connection
•Vulnerable if discovery is introduced (the token is presented to whatever endpoint discovery hands the client)
•Or if TLS/SSL is not possible
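Worked example, added here and not code from the slides: the OAuth 1.0 HMAC-SHA1 signing that slides 33 and 37 argue about, implemented end to end so the "Invalid Signature" problem is visible. Both sides must rebuild the signature base string byte for byte: every query, body and oauth_* parameter percent-encoded with exactly the RFC alphabet, sorted, joined and encoded again. The request, secrets and expected base string are the published test vector from RFC 5849 sections 3.4.1.1 and 3.4.2, not values from the talk. The demo shows what normalization tolerates (a differently spelled but equivalent URL) and what it rejects (one added body parameter); OAuth 2's answer, as the slides say, is to drop all of this in favour of a bearer token and mandatory TLS.

```python
"""Where OAuth 1.0 'Invalid Signature' errors come from: both sides must rebuild
the signature base string byte for byte. Added example, not code from the slides.
Request and secrets are the test vector of RFC 5849, sections 3.4.1.1 and 3.4.2."""
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit

def pct(s):
    """RFC 5849 section 3.6: only ALPHA, DIGIT, '-', '.', '_', '~' stay unencoded."""
    return quote(s, safe="-._~")

def base_string_uri(url):
    """Section 3.4.1.2: lowercase scheme and host, drop default port and query."""
    p = urlsplit(url)
    scheme, host = p.scheme.lower(), p.hostname.lower()
    if p.port and p.port != {"http": 80, "https": 443}.get(scheme):
        host = f"{host}:{p.port}"
    return f"{scheme}://{host}{p.path or '/'}"

def normalized_params(url, body, oauth_params):
    """Section 3.4.1.3: query + form body + oauth_* (minus oauth_signature), each
    name and value encoded, sorted by name then value, joined with '=' and '&'."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    pairs += parse_qsl(body, keep_blank_values=True)
    pairs += [(k, v) for k, v in oauth_params.items() if k != "oauth_signature"]
    return "&".join(f"{k}={v}" for k, v in sorted((pct(k), pct(v)) for k, v in pairs))

def signature_base_string(method, url, body, oauth_params):
    """Section 3.4.1.1: METHOD & encoded base URI & encoded normalized parameters."""
    return "&".join([method.upper(), pct(base_string_uri(url)),
                     pct(normalized_params(url, body, oauth_params))])

def hmac_sha1_signature(method, url, body, oauth_params, consumer_secret, token_secret):
    """Section 3.4.2: key is encoded consumer secret, '&', encoded token secret."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    base = signature_base_string(method, url, body, oauth_params).encode()
    return base64.b64encode(hmac.new(key, base, hashlib.sha1).digest()).decode()

def verify(method, url, body, oauth_params, consumer_secret, token_secret):
    """Server side: recompute and compare in constant time. Any byte the server
    reconstructs differently (a proxy re-encoding a value, a dropped empty
    parameter, a duplicated name in another order) yields 'Invalid Signature'."""
    expected = hmac_sha1_signature(method, url, body, oauth_params, consumer_secret, token_secret)
    return hmac.compare_digest(expected, oauth_params.get("oauth_signature", ""))

# RFC 5849 section 3.4.1.1 example request and its published base string.
URL = "http://example.com/request?b5=%3D%253D&a3=a&c%40=&a2=r%20b"
BODY = "c2&a3=2+q"
OAUTH = {"oauth_consumer_key": "9djdj82h48djs9d2", "oauth_token": "kkk9d7dh3k39sjv7",
         "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": "137131201",
         "oauth_nonce": "7d8f3e4a"}
CONSUMER_SECRET, TOKEN_SECRET = "j49sk3j29djd", "dh893hdasih9"
RFC_BASE_STRING = (
    "POST&http%3A%2F%2Fexample.com%2Frequest&a2%3Dr%2520b%26a3%3D2%2520q%26a3%3Da"
    "%26b5%3D%253D%25253D%26c%2540%3D%26c2%3D%26oauth_consumer_key%3D9djdj82h48djs9d2"
    "%26oauth_nonce%3D7d8f3e4a%26oauth_signature_method%3DHMAC-SHA1"
    "%26oauth_timestamp%3D137131201%26oauth_token%3Dkkk9d7dh3k39sjv7")

def demo():
    """Sign the RFC request, then show what normalization tolerates and what it does not."""
    signed = dict(OAUTH, oauth_signature=hmac_sha1_signature(
        "POST", URL, BODY, OAUTH, CONSUMER_SECRET, TOKEN_SECRET))
    ok = verify("POST", URL, BODY, signed, CONSUMER_SECRET, TOKEN_SECRET)
    # An equivalent spelling of the same request (host case, explicit default port) still verifies ...
    ok_port = verify("POST", URL.replace("example.com/", "EXAMPLE.com:80/"), BODY,
                     signed, CONSUMER_SECRET, TOKEN_SECRET)
    # ... while any change to the signed material, here one extra body parameter, fails.
    tampered = verify("POST", URL, BODY + "&a3=b", signed, CONSUMER_SECRET, TOKEN_SECRET)
    return ok, ok_port, tampered
```

signature_base_string("POST", URL, BODY, OAUTH) reproduces the RFC's base string exactly, and demo() returns (True, True, False). The brittleness is structural: a client library that forgets to include form-body parameters, encodes a space as "+" instead of "%20", or sorts by name only when a name repeats produces a base string that differs in one byte and therefore a signature the server cannot reproduce, with no way to tell which rule was broken. A bearer token has no such failure mode, which is why the slides accept it as long as the connection is TLS and the token is sent only to an endpoint the client knew up front.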
38. Scopes
•Optional parameter for provider-specific implementations
•For example
–Additional return values
–Access control
39. OpenID Connect?
•Scope: "openid"
•With the access token, additional values are returned:
–UserID: URL to a Portable Contacts endpoint
–Signature
–Timestamp
http://openidconnect.com/
41. OpenID Connect Discovery
•Get the identifier of the user
•Fetch the /.well-known/host-meta file at the domain of the user's provider
•Look for a link pointing to the OpenID Connect endpoints in the returned LRDD (XRD) document
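Worked example, added here and not code from the slides or from VZnet: the three discovery steps above as client code, with the check that turns "vulnerable if discovery is introduced" (slide 37) into something concrete. host-meta is fetched over HTTPS only, the returned XRD is parsed, and the endpoint is accepted only if it is HTTPS on the identifier's own host, because a bearer token is only as safe as the endpoint it is sent to. The XRD documents and hostnames are constructed; the rel value CONNECT_REL is an assumed placeholder, since the slide does not name the real one; the fetch function is injected so the example runs offline.

```python
"""OpenID Connect endpoint discovery via /.well-known/host-meta, refusing any result
that leaves the provider's host or HTTPS. Added example, not code from the slides
or VZnet. The XRD documents are constructed, and CONNECT_REL is an assumed
placeholder: the slide names no rel value."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

XRD_NS = "{http://docs.oasis-open.org/ns/xri/xrd-1.0}"
CONNECT_REL = "http://openid.net/specs/connect/1.0/issuer"  # assumed, see lead-in

def host_meta_url(identifier):
    """host-meta lives at a well-known path on the identifier's host. HTTPS only:
    over plain HTTP anyone on the path can hand the client an endpoint of their choice."""
    host = urlsplit(identifier).hostname
    if not host:
        raise ValueError(f"identifier has no host: {identifier!r}")
    return f"https://{host}/.well-known/host-meta"

def find_connect_endpoint(identifier, xrd_text):
    """Pick the Link with CONNECT_REL from the LRDD/XRD document and require it to be
    HTTPS on the identifier's own host, so a forged or tampered host-meta cannot
    redirect the browser (and the bearer token it will carry) somewhere else."""
    expected_host = urlsplit(identifier).hostname
    root = ET.fromstring(xrd_text)
    if root.tag != XRD_NS + "XRD":
        raise ValueError("host-meta is not an XRD document")
    for link in root.iter(XRD_NS + "Link"):
        if link.get("rel") != CONNECT_REL:
            continue
        href = link.get("href", "")
        target = urlsplit(href)
        if target.scheme != "https" or target.hostname != expected_host:
            raise ValueError(f"refusing off-host or plaintext endpoint: {href}")
        return href
    raise ValueError("no OpenID Connect link in host-meta")

def discover(identifier, fetch):
    """fetch(url) -> document text, injected so this runs offline.
    Returns (endpoint, None) on success or (None, reason) when discovery is refused."""
    try:
        return find_connect_endpoint(identifier, fetch(host_meta_url(identifier))), None
    except (ValueError, ET.ParseError) as exc:
        return None, str(exc)

# Constructed host-meta documents: an honest provider, and one whose Link points
# off-host over plain HTTP (tampered in transit or simply misconfigured).
GOOD_XRD = f"""<?xml version="1.0"?>
<XRD xmlns="http://docs.oasis-open.org/ns/xri/xrd-1.0">
  <Link rel="lrdd" template="https://example.com/describedby?uri={{uri}}"/>
  <Link rel="{CONNECT_REL}" href="https://example.com/openid/connect"/>
</XRD>"""
EVIL_XRD = GOOD_XRD.replace("https://example.com/openid/connect",
                            "http://attacker.example/connect")
FAKE_WEB = {"https://example.com/.well-known/host-meta": GOOD_XRD,
            "https://evil-provider.example/.well-known/host-meta": EVIL_XRD}

def fake_fetch(url):
    """Stand-in for an HTTPS GET over the constructed documents above."""
    if url not in FAKE_WEB:
        raise ValueError(f"no document at {url}")
    return FAKE_WEB[url]
```

discover("https://example.com/bastian", fake_fetch) yields the endpoint on example.com; the same call for an identifier on evil-provider.example is refused because its host-meta points to attacker.example over plain HTTP. In production the fetch must also verify the server certificate, and untrusted XML should go through a hardened parser such as defusedxml rather than plain ElementTree, which is not built to withstand entity-expansion attacks.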
42. When will it be available at VZ?
NOW in BETA
http://developer.studivz.net/wiki/index.php/VZ-Login
http://github.com/vznet/vz_os_clientlibrary_php
43. FOAF+SSL (WebID)
http://esw.w3.org/Foaf%2Bssl
47. Summing it up
•We need a single sign-on system for the web
•OpenID is cool, but has some problems
•Proprietary solutions are bad for users, site owners and developers
•A new, simpler and more flexible spec is coming up
•Browser vendors are working to solve this problem in the browser
48. Thank you
http://studivz.net/bastian
http://twitter.com/BastianHofmann
http://slideshare.net/bashofmann
http://github.com/vznet
http://developer.studivz.net