Distributed SSO

Cédric Hüsler
CTO local.ch

Google TechTalk Zürich - April 2007
Quick Poll

Who always uses the same password for every new account on a new site?

Who has a blog?

Who has an OpenID?
Basics: Authentication vs. Authorization

Authentication: prove you are really who you claim to be
 Username & Password | Challenge-response | Public-Private Key

vs.

Authorization: what you are allowed to do
 ACL (Access Control List) | RBAC (Role-based Access Control)
Basics: Identity vs. Privacy

Identity: ability to uniquely identify yourself
 Your Name | AHV-Nr / SSN | Fingerprint

vs.

Privacy: ability to control what others know about you
 Can you keep a secret? | Virtualization | Opt-in
Basics: Trust vs. Control

Trust: how much can I depend on you?

vs.

Control: how much information am I going to give?
Basics: SSO (Single-Sign-On)

Using the same credentials to access multiple services
Automatic authentication beyond session and service

= Authentication Delegation
= Identity Manager
= Open API
≠ Authentication
≠ Trust
Use a URL as user name!

I own the domain: keepthebyte.ch
 - why not use it as user name?

Time for demo!
http://jyte.com/
Login Process Overview

Download at http://www.flickr.com/photos/keepthebyte/347821691/

...with trusted site
 auto login on the identity provider
HTTP Level - Part 1/3

User Agent <> RP
 GET: %site%/login.html
 POST: %site%/login with OpenID

RP <> IdP
 GET: openid url
 mime: application/xrds+xml (Yadis Discovery)

    <?xml version="1.0" encoding="UTF-8"?>
    <xrds:XRDS
        xmlns:xrds="xri://$xrds"
        xmlns:openid="http://openid.net/xmlns/1.0"
        xmlns="xri://$xrd*($v*2.0)">
      <XRD>
        <Service priority="0">
          <Type>http://openid.net/signon/1.0</Type>
          <Type>http://openid.net/sreg/1.0</Type>
          <URI>http://www.myopenid.com/server</URI>
          <openid:Delegate>http://keepthebyte.myopenid.com/</openid:Delegate>
        </Service>
      </XRD>
    </xrds:XRDS>

 Fallback: GET: openid url
 mime: */*
HTTP Level - Part 2/3

RP <> IdP (continued)
 ASSOCIATE REQUEST

 openid.dh_gen=Ag%3D%3D
 openid.session_type=DH-SHA1
 openid.mode=associate
 openid.assoc_type=HMAC-SHA1
 openid.dh_consumer_public=AMEJSFuaf%2Fi73z6uGonyKZUoIJQyI7PWSZJZBhACK8qQ48%2FIkplhKv%2BajPhSiNXz43%2Bb7nO%2FyL86LQNlzNM3rFSP7nfAVoDZXUPyuQeacsCqg8vliMwTJUzu9MecZz4ngCgNLk8tOkBazhGJ7%2BCnx1g53dUVGvvV0LHMMMjUQMSo
 openid.dh_modulus=ANz5OguIOXLsDhmYmsWizjEOHTdxfo2Vcbt2I3MYZuYe91ouJ4mLBX%2BYkcLiemOcPym2CBRYHNOyyjmG0mg3BVd9RcLn5S3IHHoXGHblzqdLFEi%2F368Ygo79JRnxTkXjgmY0rxlJ5bU1zIKaSDuKdiI%2BXUkKJX8Fvf8W8vsixYOr

 ASSOCIATE RESPONSE

 assoc_type:HMAC-SHA1
 assoc_handle:netmesh-u-1168177185-50172100
 expires_in:2592000
 session_type:DH-SHA1
 dh_server_public:AIAkjwdpUn1lCHyQEzstI40wSnbsznGV/t+AepW/he/ChsS2N2WF9DTIpNyLtGBTECmF6w/+DgtcjfVrujm1Z26CJBuwtDbJyL3rUCsqzn55RVCcM6QmBnRBD8q/5hbcI6jiBC9Nc78NfQywGE7YG3BCZZiT3Vz1etJAcRgPgUxJ
 enc_mac_key:eljydY56tUILU75CjytBwNF3Ec4=
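The DH-SHA1 association above, worked through on both sides as an added example (not code from the slides): the RP sends g^xa mod p, the IdP answers with g^xb mod p and the 20-byte MAC key XOR-masked with SHA1(btwoc(shared secret)), and the RP unmasks it. The modulus and generator are the ones from the ASSOCIATE REQUEST on the slide; the MAC key, handle and private exponents are constructed. Without the DH session type the MAC key would travel in clear over plain HTTP, which is what this masking prevents against a passive observer.

```python
import base64
import hashlib
import secrets
from urllib.parse import unquote

# openid.dh_modulus / openid.dh_gen as they appear (URL-encoded) in the ASSOCIATE
# REQUEST above, joined onto one line: the OpenID 1.1 default 1024-bit group.
DH_MODULUS_B64 = unquote(
    "ANz5OguIOXLsDhmYmsWizjEOHTdxfo2Vcbt2I3MYZuYe91ouJ4mLBX%2BYkcLiemOcPym2CBRYHNOyyjmG"
    "0mg3BVd9RcLn5S3IHHoXGHblzqdLFEi%2F368Ygo79JRnxTkXjgmY0rxlJ5bU1zIKaSDuKdiI%2BXUkKJX"
    "8Fvf8W8vsixYOr"
)
DH_GEN_B64 = unquote("Ag%3D%3D")


def btwoc(n: int) -> bytes:
    """Shortest big-endian two's-complement encoding of n >= 0 (the spec's 'btwoc')."""
    raw = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    return raw if raw[0] < 0x80 else b"\x00" + raw  # keep the sign bit clear


def from_btwoc(raw: bytes) -> int:
    return int.from_bytes(raw, "big")


def b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


P = from_btwoc(base64.b64decode(DH_MODULUS_B64))
G = from_btwoc(base64.b64decode(DH_GEN_B64))


def consumer_associate_request(xa: int = 0):
    """RP side: choose private exponent xa, send g^xa mod p as dh_consumer_public."""
    xa = xa or secrets.randbelow(P - 2) + 1
    request = {
        "openid.mode": "associate",
        "openid.assoc_type": "HMAC-SHA1",
        "openid.session_type": "DH-SHA1",
        "openid.dh_modulus": b64(btwoc(P)),
        "openid.dh_gen": b64(btwoc(G)),
        "openid.dh_consumer_public": b64(btwoc(pow(G, xa, P))),
    }
    return xa, request


def server_associate_response(request: dict, mac_key: bytes, handle: str, xb: int = 0) -> dict:
    """IdP side: derive the shared secret and mask the MAC key with SHA1(btwoc(secret))."""
    p = from_btwoc(base64.b64decode(request["openid.dh_modulus"]))
    g = from_btwoc(base64.b64decode(request["openid.dh_gen"]))
    consumer_pub = from_btwoc(base64.b64decode(request["openid.dh_consumer_public"]))
    xb = xb or secrets.randbelow(p - 2) + 1
    mask = hashlib.sha1(btwoc(pow(consumer_pub, xb, p))).digest()
    return {
        "assoc_type": "HMAC-SHA1",
        "assoc_handle": handle,          # constructed; the slide's handle is reused in the test
        "expires_in": "2592000",
        "session_type": "DH-SHA1",
        "dh_server_public": b64(btwoc(pow(g, xb, p))),
        "enc_mac_key": b64(bytes(a ^ b for a, b in zip(mac_key, mask))),
    }


def consumer_recover_mac_key(xa: int, response: dict) -> bytes:
    """RP side: same secret from dh_server_public^xa mod p, then unmask enc_mac_key."""
    server_pub = from_btwoc(base64.b64decode(response["dh_server_public"]))
    mask = hashlib.sha1(btwoc(pow(server_pub, xa, P))).digest()
    enc = base64.b64decode(response["enc_mac_key"])
    return bytes(a ^ b for a, b in zip(enc, mask))


def kv_encode(response: dict) -> str:
    """Key-value form as the IdP returns it over HTTP: one 'key:value' per line."""
    return "".join(f"{k}:{v}\n" for k, v in response.items())


if __name__ == "__main__":
    xa, req = consumer_associate_request()
    resp = server_associate_response(req, secrets.token_bytes(20), "example-handle")
    print(kv_encode(resp))
    print("recovered MAC key:", consumer_recover_mac_key(xa, resp).hex())
```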
HTTP Level - Part 3/3

User Agent <> RP
 REDIRECT TO IdP

 http://mylid.net/keepthebyte?
    openid.mode=checkid_setup
    openid.return_to=http%3A%2F%2Flocalhost%3A3000%2Fauth%2Fcomplete%3Fnonce%3DQ5CG5Hfk
    openid.trust_root=http%3A%2F%2Flocalhost%3A3000%2Fauth
    openid.identity=http%3A%2F%2Fmylid.net%2Fkeepthebyte
    openid.assoc_handle=netmesh-u-1168177185-50172100

User Agent <> IdP
 DO THE LOGIN (not part of the OpenID spec)

 REDIRECT TO RP

 http://localhost:3000/auth/complete?
    nonce=Q5CG5Hfk
    openid.mode=id_res
    openid.identity=http%3A%2F%2Fmylid.net%2Fkeepthebyte
    openid.return_to=http%3A%2F%2Flocalhost%3A3000%2Fauth%2Fcomplete%3Fnonce%3DQ5CG5Hfk
    openid.assoc_handle=netmesh-u-1168177185-50172100
    openid.signed=mode,identity,return_to,assoc_handle
    openid.sig=c55qNAPI58pfRBDkVlRc5dbvnyU%3D
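What the RP has to do with the REDIRECT TO RP above, as an added example (not the slides' code): the IdP signs the fields listed in openid.signed with HMAC-SHA1 over their key-value form, and the RP recomputes that under the association's MAC key, then accepts the nonce it minted into return_to exactly once, so a captured response cannot be replayed. The identity, return_to, nonce and association handle are the slide's values; the MAC key and the RelyingParty class are constructed for the example, and only the stateful (associated) mode is shown, not the check_authentication round trip of dumb mode.

```python
import base64
import binascii
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode


def kv_form(fields) -> bytes:
    """Key-value form of the signed fields, in openid.signed order: 'key:value\\n'."""
    return "".join(f"{k}:{v}\n" for k, v in fields).encode("utf-8")


def sign_response(mac_key: bytes, params: dict, signed: list) -> dict:
    """IdP side: openid.sig = base64(HMAC-SHA1(mac_key, kv_form(signed fields)))."""
    body = kv_form([(k, params["openid." + k]) for k in signed])
    out = dict(params)
    out["openid.signed"] = ",".join(signed)
    out["openid.sig"] = base64.b64encode(hmac.new(mac_key, body, hashlib.sha1).digest()).decode()
    return out


def to_query(params: dict) -> str:
    """Query string of the redirect to the RP, percent-encoded like the trace above."""
    return urlencode(params)


class RelyingParty:
    REQUIRED_SIGNED = {"mode", "identity", "return_to"}

    def __init__(self):
        self.associations = {}  # assoc_handle -> (mac_key, expires_at)
        self.pending = {}       # nonce minted into return_to -> (identity, return_to)

    def store_association(self, handle: str, mac_key: bytes, expires_in, now=None):
        now = time.time() if now is None else now
        self.associations[handle] = (mac_key, now + int(expires_in))

    def start_login(self, nonce: str, identity: str, return_to: str):
        self.pending[nonce] = (identity, return_to)

    def verify(self, query: str, now=None):
        """Check an id_res query string; returns (True, identity) or (False, reason)."""
        now = time.time() if now is None else now
        p = {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}
        if p.get("openid.mode") != "id_res":
            return False, "unexpected mode"
        signed = p.get("openid.signed", "").split(",")
        if not self.REQUIRED_SIGNED <= set(signed):
            return False, "required fields not covered by signature"
        assoc = self.associations.get(p.get("openid.assoc_handle"))
        if assoc is None or assoc[1] <= now:
            return False, "unknown or expired association"
        try:
            body = kv_form([(k, p["openid." + k]) for k in signed])
            sig = base64.b64decode(p.get("openid.sig", ""), validate=True)
        except (KeyError, binascii.Error):
            return False, "malformed signed fields or signature"
        expected = hmac.new(assoc[0], body, hashlib.sha1).digest()
        if not hmac.compare_digest(expected, sig):   # constant-time comparison
            return False, "bad signature"
        # Replay defence: the nonce is consumed on first use, only after the signature held,
        # so a forged response cannot burn a pending login and a replayed one is rejected.
        pending = self.pending.pop(p.get("nonce"), None)
        if pending is None:
            return False, "unknown or replayed nonce"
        identity, return_to = pending
        if p["openid.return_to"] != return_to or p["openid.identity"] != identity:
            return False, "return_to or identity does not match the pending login"
        return True, identity


if __name__ == "__main__":
    mac_key = bytes(range(20))  # constructed; the real key comes from the association
    rp = RelyingParty()
    rp.store_association("netmesh-u-1168177185-50172100", mac_key, "2592000")
    rp.start_login("Q5CG5Hfk", "http://mylid.net/keepthebyte",
                   "http://localhost:3000/auth/complete?nonce=Q5CG5Hfk")
    params = {"nonce": "Q5CG5Hfk", "openid.mode": "id_res",
              "openid.identity": "http://mylid.net/keepthebyte",
              "openid.return_to": "http://localhost:3000/auth/complete?nonce=Q5CG5Hfk",
              "openid.assoc_handle": "netmesh-u-1168177185-50172100"}
    q = to_query(sign_response(mac_key, params, ["mode", "identity", "return_to", "assoc_handle"]))
    print(rp.verify(q))   # accepted once
    print(rp.verify(q))   # replay rejected
```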
Delegated Authentication

1. My original OpenID: keepthebyte.myopenid.com

2. Add these lines to the root HTML document of the domain "keepthebyte.ch":

    <link rel="openid.server" href="http://www.myopenid.com/server" />
    <link rel="openid.delegate" href="http://keepthebyte.myopenid.com" />
    <meta http-equiv="X-XRDS-Location" content="http://keepthebyte.myopenid.com/xrds" />

3. Now I can use my domain as my OpenID: keepthebyte.ch
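The RP side of this delegation, as an added example that is not part of the slides: HTML-based discovery that reads the three tags above from the claimed URL's document. Only the first openid.server and openid.delegate links inside the head count, and the delegate (when present) is the identity the RP expects back from the IdP, so a mismatch there is a reason to reject the login. The sample document is constructed and stands in for the real keepthebyte.ch page.

```python
from html.parser import HTMLParser

# Constructed sample document: the slide's three lines inside <head>, plus a
# decoy link in <body> that discovery must ignore.
SAMPLE_HTML = """<html><head>
<title>keepthebyte</title>
<link rel="openid.server" href="http://www.myopenid.com/server" />
<link rel="openid.delegate" href="http://keepthebyte.myopenid.com" />
<meta http-equiv="X-XRDS-Location" content="http://keepthebyte.myopenid.com/xrds" />
</head><body>
<link rel="openid.delegate" href="http://ignored.example/" />
</body></html>"""


class OpenIDLinkParser(HTMLParser):
    """Collects the first openid.server / openid.delegate link and X-XRDS-Location in <head>."""

    def __init__(self):
        super().__init__()
        self.server = self.delegate = self.xrds_location = None
        self._in_head = True

    def handle_starttag(self, tag, attrs):
        if tag == "body":
            self._in_head = False          # anything after the head is not discovery data
        if not self._in_head:
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "link":
            rels = a.get("rel", "").lower().split()   # rel is a space-separated token list
            if "openid.server" in rels and self.server is None and a.get("href"):
                self.server = a["href"]
            if "openid.delegate" in rels and self.delegate is None and a.get("href"):
                self.delegate = a["href"]
        elif tag == "meta" and a.get("http-equiv", "").lower() == "x-xrds-location":
            self.xrds_location = a.get("content")


def discover(html: str, claimed_url: str) -> dict:
    """Discovery result for a claimed URL: where to send the user, and which identity to expect back."""
    parser = OpenIDLinkParser()
    parser.feed(html)
    if parser.server is None:
        raise ValueError("no openid.server link in document head")
    return {
        "claimed_id": claimed_url,
        "server": parser.server,
        "identity": parser.delegate or claimed_url,  # openid.identity for checkid_setup / id_res
        "xrds_location": parser.xrds_location,        # Yadis document to prefer when present
    }


if __name__ == "__main__":
    print(discover(SAMPLE_HTML, "http://keepthebyte.ch/"))
```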
... Immediate Mode - "AJAX"

Ask an IdP if an End User owns the Claimed Identifier, getting back an immediate "yes" or "can't say" answer.

...Stateless (Dumb Mode)

Not recommended due to a security issue (replay attack) - use SSL!
Extension: Simple Registration

Make OpenID more useful
- Extension of OpenID 1.1
- Part of OpenID 2.0 (Attribute Exchange)

Manage your personal profile centrally on the Identity Provider

Control which profile properties may be shared with the site you want to log in to

Screenshots from http://www.myopenid.com
Extension: E-Mail as OpenID

Make OpenID easier: URL 0 vs. Email 1
Proposal for OpenID 2.0

1. Enter Email in OpenID field: keepthebyte@myopenid.com
2. Read the transformation template from the XRDS document
3. Converted to URL before authentication: keepthebyte.myopenid.com

Spec: http://www.sappenin.com/openid/ext/oet/openid-email-transform-extension-1_0.html
Integration: Browser

Make OpenID easier to use!
Prevent Phishing!

Firefox Add-ons:
 - Appalachian Download: http://simile.mit.edu/wiki/Appalachian
 - VeriSign's OpenID Seatbelt

On the roadmap for Firefox 3.0
Integration: ??? (Hype?)

Blog URL is the OpenID

Microsoft announced it will integrate OpenID in CardSpace (WS-*)
AOL provides an OpenID for all its users

Web 2.0 Sites: Technorati, Ma.gnolia, Opinity, netvibes, Digg (soon)
CMS/Blogs/Wiki: Wordpress, Drupal, MovableType, MediaWiki, phpbb
Your action is required!

READ
 The OpenID Case - in 4 pages by Kaliya Hamlin
 www.kaliyasblogs.net/IdentityWebExpo.pdf
 Specification at openid.net
 Open Source Libraries for PHP, Ruby, Java...
 openid.net/wiki/index.php/Libraries

PLAY
 OpenID Providers
 - MyOpenID.com
 - VeriSign PIP
 - idproxy.net (with Yahoo Auth)
 - List: openid.net/wiki/index.php/OpenIDServers

Got it? Give it a try!

That's it

Slides on: keepthebyte.ch
Links on: del.icio.us/keepthebyte/openid
