This document discusses OpenID, an open standard for decentralized authentication on the web. It notes some problems with traditional username and password systems like passwords being hard to manage and user databases being vulnerable to theft. OpenID provides a solution by allowing users to authenticate using a URL of their choice, like a personal domain name, rather than having separate usernames and passwords for each site. When authenticating with a new site, OpenID verifies the user's identity through their OpenID provider rather than the site directly. The document provides examples of how OpenID works and can be implemented using libraries like Net::OpenID::Consumer in Perl. It also addresses questions like how to choose an OpenID provider and maintain multiple personas.

1. OpenID Authentication
by example
BPW2007
chrisv.cpan.org
(introductory slides: thanks to Simon Willison)
Saturday 27 October 2007 1

2. usernames & passwords
suck
Saturday 27 October 2007 2

3. signing up for new
accounts is a pain
Saturday 27 October 2007 3

4. my online identity
exists in multiple
(hard to manage) places
Saturday 27 October 2007 4

5. user database theft
Saturday 27 October 2007 5

6. password/cc info theft
Saturday 27 October 2007 6

7. too much passwords,
too much userids
Saturday 27 October 2007 7

8. we need single signon
Saturday 27 October 2007 8

9. unified, trusted
identity
Saturday 27 October 2007 9

10. OpenID is a
decentralized
mechanism for
single signon
Saturday 27 October 2007 10

11. OpenID is a URL
Saturday 27 October 2007 11

12. http://vertonghen.livejournal.com
Saturday 27 October 2007 12

13. http://vertonghen.myopenid.com
Saturday 27 October 2007 13

14. http://chris.vertonghen.org
Saturday 27 October 2007 14

15. The OpenID protocol
lets you prove that you
own a specific URL
Saturday 27 October 2007 15

16. An OpenID can be
used as an
authentiation credential
Saturday 27 October 2007 16

17. Site: “Who are you?”
Saturday 27 October 2007 17

18. Me: “I’m chris.vertonghen.org”
Saturday 27 October 2007 18

19. Site: “Prove it”
Saturday 27 October 2007 19

20. (some magic happens)
Saturday 27 October 2007 20

21. Site: “ok you’re in!”
Saturday 27 October 2007 21

22. Picking an OpenID is
like picking an email
provider - you find one
that you trust
Saturday 27 October 2007 22

23. If you have the ability to
run your own server
software, you can do so
yourself
Saturday 27 October 2007 23

24. http://www.wooblelab.com/
(demo)
Saturday 27 October 2007 24

25. So my users don’t
have to sign up for an
account?
Saturday 27 October 2007 25

26. Not necessarily
Saturday 27 October 2007 26

27. An OpenID tells you
very little about a user
Saturday 27 October 2007 27

28. You don’t know
their name
Saturday 27 October 2007 28

29. You don’t know
their e-mail address
Saturday 27 October 2007 29

30. You don’t know
if they’re a person
or an evil robot
Saturday 27 October 2007 30

31. You have to ask them!
Saturday 27 October 2007 31

32. OpenID can help them answer
Saturday 27 October 2007 32

33. (demo)
http://www.welovelocal.com/
Saturday 27 October 2007 33

34. So how does
OpenID work?
Saturday 27 October 2007 34

35. Saturday 27 October 2007 35

36. Saturday 27 October 2007 36

37. Use multiple OpenIDs to
maintain multiple online
personas
Saturday 27 October 2007 37

38. professional
social
secret
...
Saturday 27 October 2007 38

39. OpenID and web
service APIs naturally
complement each other
Saturday 27 October 2007 39

40. Me: “I’m
vertonghen.myopenid.com”
Saturday 27 October 2007 40

41. Site fetches HTML,
discovers identity provider
Saturday 27 October 2007 41

42. Establishes shared secret
with identity provider
(Using Diffie-Hellman key exchange)
Saturday 27 October 2007 42

43. Redirects you to the
identity provider
Saturday 27 October 2007 43

44. when you’re logged in there,
you get redirected back
Saturday 27 October 2007 44

45. How does my identity
provider know who I am?
Saturday 27 October 2007 45

46. OpenID deliberately
doesn’t specify
Saturday 27 October 2007 46

47. username/password
is common
Saturday 27 October 2007 47

48. But providers can
use other methods if
they want to
Saturday 27 October 2007 48

49. Client SSL certificates
Saturday 27 October 2007 49

50. Out of band
authentication via SMS,
e-mail or Jabber
Saturday 27 October 2007 50

51. No authentication at all
(just say “Yes”)
(which is the OpenID version of bugmenot.com)
Saturday 27 October 2007 51

52. What if I decide I
suddenly hate my provider?
Saturday 27 October 2007 52

53. Use your own
domain name
Saturday 27 October 2007 53

54. and delegate to a
provider you trust
Saturday 27 October 2007 54

55. Saturday 27 October 2007 55

56. Saturday 27 October 2007 56

57. perl OpenID client
Saturday 27 October 2007 57

58. Net::OpenID::Consumer
by Brad Fitzpatrick (of course)
Saturday 27 October 2007 58

59. use Net::OpenID::Consumer;
my $csr = Net::OpenID::Consumer->new(
ua => LWPx::ParanoidAgent->new,
cache => Some::Cache->new,
args => $cgi,
consumer_secret => ...,
required_root => quot;http://chris.vertonghen.org/quot;,
);
# a user entered, say, quot;bradfitz.comquot; as their identity. The first
# step is to fetch that page, parse it, and get a
# Net::OpenID::ClaimedIdentity object:
my $claimed_identity = $csr->claimed_identity(quot;bradfitz.comquot;);
# now your app has to send them at their identity server's endpoint
# to get redirected to either a positive assertion that they own
# that identity, or where they need to go to login/setup trust/etc.
my $script_name = quot;http://quot; . $ENV{'HTTP_HOST'} . $ENV{'SCRIPT_NAME'};
my $check_url = $claimed_identity->check_url(
return_to => $script_name
. quot;?return=true&hurl=$hurl&oid=quot;
. $m->interp()->apply_escapes($identity),
trust_root => quot;http://chris.vertonghen.org/quot;,
);
# so you send the user off there, and then they come back to
# openid-check.mhtml, then you see what the identity server said;
if ($return) {
if ( $setup_url = $openid_con->user_setup_url ) {
print $m->redirect($setup_url);
}
elsif ( $verify_identity = $openid_con->verified_identity ) {
$verified_url = $verify_identity->url;
print 'Congratulations your identity has been verified.<BR><BR>';
}
elsif ( $openid_con->user_cancel ) {
$m->redirect('http://chris.vertonghen.org/auth.html'); #use the file name of the login page
}
else {
print quot;<BR><h1>Validation Error</h1>quot;;
print 'There was an error in validating your identity. The error was ', $openid_con->err
. quot;<BR><BR>Please <a href=quot;javascript: history.go(-1);quot;>go back and try again</a>.<BR><BR>quot;;
}
}
Saturday 27 October 2007 59

60. Thank you.
Questions?
Saturday 27 October 2007 60