Slides from the Google TechTalk (Zurich, Switzerland) in April 2007. A technical overview of OpenID.
Originally posted: http://www.keepthebyte.ch/2007/04/google-tech-talk-on-openid.html
1. Distributed SSO
Cédric Hüsler
CTO local.ch
Google TechTalk Zürich - April 2007
2. Quick Poll
Who always uses the same password for every new account on a new site?
Who has a blog?
Who has an OpenID?
3. Basics
Authentication: prove you are really who you claim to be
Username & Password / Challenge-response / Public-Private Key
vs.
Authorization: what are you allowed to do
ACL (Access Control List) / RBAC (Role-based Access Control)
4. Basics
Identity: ability to uniquely identify yourself
Your Name / AHV-Nr / SSN / Fingerprint
vs.
Privacy: ability to control what others know about you
Can you keep a secret? / Virtualization / Opt-in
5. Basics
Trust: how much can I depend on you?
vs.
Control: how much information am I going to give?
6. Basics
SSO (Single-Sign-On)
- using the same credentials to access multiple services
- automatic authentication beyond session and service
14. HTTP Level - Part 3/3
User Agent <-> RP: REDIRECT TO IdP
http://mylid.net/keepthebyte?
  openid.mode=checkid_setup
  openid.return_to=http%3A%2F%2Flocalhost%3A3000%2Fauth%2Fcomplete%3Fnonce%3DQ5CG5Hfk
  openid.trust_root=http%3A%2F%2Flocalhost%3A3000%2Fauth
  openid.identity=http%3A%2F%2Fmylid.net%2Fkeepthebyte
  openid.assoc_handle=netmesh-u-1168177185-50172100
User Agent <-> IdP: DO THE LOGIN (not part of the OpenID spec), then REDIRECT TO RP
http://localhost:3000/auth/complete?
  nonce=Q5CG5Hfk
  openid.mode=id_res
  openid.identity=http%3A%2F%2Fmylid.net%2Fkeepthebyte
  openid.return_to=http%3A%2F%2Flocalhost%3A3000%2Fauth%2Fcomplete%3Fnonce%3DQ5CG5Hfk
  openid.assoc_handle=netmesh-u-1168177185-50172100
  openid.signed=mode,identity,return_to,assoc_handle
  openid.sig=c55qNAPI58pfRBDkVlRc5dbvnyU%3D
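The checks an RP should run on the REDIRECT TO RP shown above, as an added example (not code from the slides): it rebuilds the OpenID 1.1 key-value form of the signed fields, recomputes the HMAC-SHA1 with the association's MAC key, and ties the response to the RP's own return_to and one-shot nonce. The MAC key and the RP state here are constructed; the real key is agreed in the associate step and never appears in a URL.

```python
import base64, hashlib, hmac
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed sample state of the RP: the association handle from the slide
# and a made-up MAC key (the real one is shared only during association).
ASSOC_HANDLE = "netmesh-u-1168177185-50172100"
MAC_KEY = b"constructed-20-byte-mac-key!"
RP_RETURN_TO = "http://localhost:3000/auth/complete"

def build_url(params):
    """Percent-encode params the way the IdP's REDIRECT TO RP does."""
    return RP_RETURN_TO + "?" + urlencode(params)

def key_value_form(params, signed):
    """OpenID 1.1 key-value form: 'key:value\\n' per signed field, in order."""
    return "".join(f"{k}:{params['openid.' + k]}\n" for k in signed).encode()

def sign(params, signed, mac_key):
    """Base64 HMAC-SHA1 over the key-value form, as the IdP computes it."""
    mac = hmac.new(mac_key, key_value_form(params, signed), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def verify_id_res(url, issued_nonces):
    """RP-side checks on an id_res redirect; returns (ok, reason)."""
    p = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    if p.get("openid.mode") != "id_res":
        return False, "not a positive assertion"
    if p.get("openid.assoc_handle") != ASSOC_HANDLE:
        return False, "unknown association handle"
    signed = p.get("openid.signed", "").split(",")
    if any(f not in signed for f in ("mode", "identity", "return_to")):
        return False, "mode, identity and return_to must all be signed"
    if any("openid." + f not in p for f in signed):
        return False, "signed field missing from response"
    # return_to is signed, so a valid signature also binds the RP's nonce.
    nonce = p.get("nonce")
    if p["openid.return_to"] != f"{RP_RETURN_TO}?nonce={nonce}":
        return False, "return_to does not belong to this RP"
    if nonce not in issued_nonces:
        return False, "unknown or already used nonce"
    expected = sign(p, signed, MAC_KEY)
    if not hmac.compare_digest(expected, p.get("openid.sig", "")):
        return False, "bad signature"
    issued_nonces.discard(nonce)  # one-shot: replaying the same URL now fails
    return True, "ok"
```

An RP that has no association for the handle must instead fall back to a direct check_authentication request to the IdP; this example only covers the stateful case.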
15. Delegated Authentication
1. My original OpenID: keepthebyte.myopenid.com
2. Add these lines to the root HTML document of the domain “keepthebyte.ch”:
<link rel="openid.server" href="http://www.myopenid.com/server" />
<link rel="openid.delegate" href="http://keepthebyte.myopenid.com" />
<meta http-equiv="X-XRDS-Location" content="http://keepthebyte.myopenid.com/xrds" />
3. Now I can use my domain as my OpenID: keepthebyte.ch
16. ... Immediate Mode - “AJAX”
Ask an IdP whether an End User owns the Claimed Identifier, getting back an immediate "yes" or "can't say" answer.
18. Extension: Simple Registration
Make OpenID more useful
- Extension of OpenID 1.1
- Part of OpenID 2.0 (Attribute Exchange)
Manage your personal profile centrally on the Identity Provider.
Control which profile properties may be shared with the site you want to log in to.
Screenshots from http://www.myopenid.com
19. Extension: E-Mail as OpenID
PROPOSAL!!
Make OpenID easier: URL vs. Email
Proposal for OpenID 2.0
1. Enter Email in OpenID field: keepthebyte@myopenid.com
2. Read the transformation template from the XRDS document
3. Converted to URL before authentication: keepthebyte.myopenid.com
Spec: http://www.sappenin.com/openid/ext/oet/openid-email-transform-extension-1_0.html
20. Integration: Browser
Make OpenID easier to use!
Prevent Phishing!
Firefox Add-ons:
- Appalachian Download: http://simile.mit.edu/wiki/Appalachian
- VeriSign’s OpenID Seatbelt
On the roadmap for Firefox 3.0
21. Integration: ???
HYPE?
Blog URL is the OpenID
Microsoft announced it will integrate OpenID in CardSpace (WS-*)
AOL provides an OpenID for all its users
Web 2.0 Sites: Technorati, Ma.gnolia, Opinity, netvibes, Digg (soon)
CMS/Blogs/Wiki: Wordpress, Drupal, MovableType, MediaWiki, phpbb
22. Your action is required!
GET ACTIVE
READ
- The OpenID Case - in 4 pages by Kaliya Hamlin: www.kaliyasblogs.net/IdentityWebExpo.pdf
- Specification at openid.net
- Open Source Libraries for PHP, Ruby, Java...: openid.net/wiki/index.php/Libraries
PLAY
OpenID Providers
- MyOpenID.com
- VeriSign PIP
- idproxy.net (with Yahoo Auth)
- List: openid.net/wiki/index.php/OpenIDServers
23. Got it?
That’s it
Slides on: keepthebyte.ch
Links on: del.icio.us/keepthebyte/openid