INF 123 SW ARCH, DIST SYS & INTEROP LECTURE 16 Prof. Crista Lopes.

Posted: 22-Dec-2015

INF 123 SW ARCH, DIST SYS & INTEROP

LECTURE 16

Prof. Crista Lopes

Objectives

Understanding the difference between Authentication and Authorization

Understanding OpenID and OAuth

Auth vs Auth

Authentication: who is this user?

Authorization: can this user do that?

Identity on the Web

Millions of Web sites, each with their own users

Each user needs to remember N usernames+passwords

…why not interoperate identity? …why not interoperate more data?

Decentralized Identity

OpenID

OpenID in Action

“OpenID is a decentralized authentication protocol that makes it easy for people to sign up and access web accounts.”

www.stackoverflow.com

How it works

http://yahoo.com

http://openid.net/developers/specs/

How it works, in 11 steps

[Diagram: the OpenID exchange between the Relying party, the OpenID Provider and the OpenID Provider End Point; source http://www.windley.com/archives/2006/04/how_does_openid.shtml]

Steps 1, 2 – Post Identifier

<form id="openid_form" action="/users/authenticate" method="post">
  <!-- /Simple OpenID Selector -->
  <table id="openid-url-input">
    <tr>
      <td><input id="openid_identifier" name="openid_identifier" type="url"></td>
      <td><input id="submit-button" type="submit" value="Sign in"></td>
    </tr>
  </table>
</form>

How it works – Discovery

[Diagram: the OpenID exchange between the Relying party, the OpenID Provider and the OpenID Provider End Point; source http://www.windley.com/archives/2006/04/how_does_openid.shtml]

Steps 3, 4 – Normalization & Discovery

Yadis Protocol: an HTTP GET on the identity URL returns Content-Type: application/xrds+xml

Step 3 – XRDS response

<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)"
           xmlns:openid="http://openid.net/xmlns/1.0">
  <XRD>
    <Service priority="50">
      <Type>http://openid.net/signon/1.0</Type>
      <URI>http://www.myopenid.com/server</URI>
      <openid:Delegate>http://smoker.myopenid.com/</openid:Delegate>
    </Service>
    <Service priority="10">
      <Type>http://openid.net/signon/1.0</Type>
      <URI>http://www.livejournal.com/openid/server.bml</URI>
      <openid:Delegate>http://www.livejournal.com/users/frank/</openid:Delegate>
    </Service>
    <Service priority="20">
      <Type>http://lid.netmesh.org/sso/2.0</Type>
      <URI>http://mylid.net/liddemouser</URI>
    </Service>
    <Service>
      <Type>http://lid.netmesh.org/sso/1.0</Type>
    </Service>
  </XRD>
</xrds:XRDS>

Steps 3, 4 – Normalization & Discovery

Plain HTTP

Returned document must contain a <link /> element:

<link rel="openid2.provider" href="http://endpoint"/>
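To make the discovery step concrete, here is an added example (not code from the lecture) of how a relying party would process both document forms shown above: a Yadis XRDS document, from which the OpenID signon services are picked in priority order (lowest number first), and a plain HTML page carrying the openid2.provider link. The sample XRDS is the one from the slide; the sample HTML page, its end point and the openid2.local_id delegate link are constructed for the demo, and the absolute-http(s) check on the end point URL is a defensive choice added here.

```python
"""Added example: OpenID 2.0 discovery (steps 3 and 4) as the relying party does it."""
import xml.etree.ElementTree as ET
from html.parser import HTMLParser
from urllib.parse import urlparse

# Namespaces used by the XRDS document on the slide.
NS = {"xrds": "xri://$xrds",
      "xrd": "xri://$xrd*($v*2.0)",
      "openid": "http://openid.net/xmlns/1.0"}

# Constructed sample: the slide's XRDS document.
SAMPLE_XRDS = """<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)"
           xmlns:openid="http://openid.net/xmlns/1.0">
  <XRD>
    <Service priority="50">
      <Type>http://openid.net/signon/1.0</Type>
      <URI>http://www.myopenid.com/server</URI>
      <openid:Delegate>http://smoker.myopenid.com/</openid:Delegate>
    </Service>
    <Service priority="10">
      <Type>http://openid.net/signon/1.0</Type>
      <URI>http://www.livejournal.com/openid/server.bml</URI>
      <openid:Delegate>http://www.livejournal.com/users/frank/</openid:Delegate>
    </Service>
    <Service priority="20">
      <Type>http://lid.netmesh.org/sso/2.0</Type>
      <URI>http://mylid.net/liddemouser</URI>
    </Service>
    <Service>
      <Type>http://lid.netmesh.org/sso/1.0</Type>
    </Service>
  </XRD>
</xrds:XRDS>
"""

# Constructed sample: a plain HTML identity page (end point and delegate are made up).
SAMPLE_HTML = ('<html><head>'
               '<link rel="openid2.provider" href="https://login.example.net/openid"/>'
               '<link rel="openid2.local_id" href="https://example.net/alice"/>'
               '</head><body>alice</body></html>')


def _absolute_http(url):
    """Defensive check added here: only an absolute http(s) URL may be an end point."""
    p = urlparse(url)
    return p.scheme in ("http", "https") and bool(p.netloc)


def discover_xrds(doc):
    """Returns OpenID signon services from an XRDS document, best priority first."""
    root = ET.fromstring(doc.encode("utf-8"))
    found = []
    for svc in root.findall("xrd:XRD/xrd:Service", NS):
        types = [t.text.strip() for t in svc.findall("xrd:Type", NS) if t.text]
        if not any(t.startswith("http://openid.net/signon/") for t in types):
            continue                      # e.g. the LID services on the slide
        endpoint = (svc.findtext("xrd:URI", default="", namespaces=NS) or "").strip()
        if not _absolute_http(endpoint):
            continue
        delegate = (svc.findtext("openid:Delegate", default="", namespaces=NS) or "").strip()
        # XRDS: a missing priority attribute means lowest priority.
        found.append({"priority": int(svc.get("priority", 2**31 - 1)),
                      "endpoint": endpoint, "delegate": delegate or None})
    return sorted(found, key=lambda s: s["priority"])


class _LinkCollector(HTMLParser):
    """Collects <link rel=...> elements; rel may hold several space-separated tokens."""
    def __init__(self):
        super().__init__()
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = dict(attrs)
        for rel in (a.get("rel") or "").split():
            if rel in ("openid2.provider", "openid2.local_id") and a.get("href"):
                self.links.setdefault(rel, a["href"])


def discover_html(doc):
    """Returns the single service an HTML page advertises, or None."""
    c = _LinkCollector()
    c.feed(doc)
    endpoint = c.links.get("openid2.provider")
    if not endpoint or not _absolute_http(endpoint):
        return None
    return {"priority": 0, "endpoint": endpoint, "delegate": c.links.get("openid2.local_id")}


def discover(content_type, body):
    """Dispatches on the Content-Type of the GET on the identity URL (Yadis first)."""
    if content_type.split(";")[0].strip().lower() == "application/xrds+xml":
        return discover_xrds(body)
    svc = discover_html(body)
    return [svc] if svc else []


if __name__ == "__main__":
    print(discover("application/xrds+xml; charset=utf-8", SAMPLE_XRDS))
    print(discover("text/html", SAMPLE_HTML))
```

With the slide's document the livejournal service (priority 10) wins over myopenid (priority 50), and the two LID services are skipped because their Type is not an OpenID signon type.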

How it works – Redirect 1

[Diagram: the OpenID exchange between the Relying party, the OpenID Provider and the OpenID Provider End Point; source http://www.windley.com/archives/2006/04/how_does_openid.shtml]

Step 5 – First redirect

Relying party parses the XRDS document or the <link /> element and retrieves the OpenID provider end point.

Then redirects (302, 303 or 307) user agent to it with query params appended to the URL:

HTTP/1.1 303 See Other
Location: https://login.yahoo.com?
    openid.ns=http://specs.openid.net/auth/2.0&
    openid.mode=checkid_setup&
    openid.claimed_id=e_mumble&
    openid.return_to=http://stackoverflow.com?article=123

How it works – Login

[Diagram: the OpenID exchange between the Relying party, the OpenID Provider and the OpenID Provider End Point; source http://www.windley.com/archives/2006/04/how_does_openid.shtml]

Steps 6, 7, 8, 9 – Login

Undefined in the spec

Usually a regular login form with POST

May include further verification with the user

This is a vulnerable point in the process (more later)

How it works – Final Redirect

[Diagram: the OpenID exchange between the Relying party, the OpenID Provider and the OpenID Provider End Point; source http://www.windley.com/archives/2006/04/how_does_openid.shtml]

Step 10 – Final Redirect

OpenID Provider End Point redirects user agent back to the “return_to” URL.

HTTP/1.1 303 See Other
Location: http://stackoverflow.com?article=123&
    openid.ns=http://specs.openid.net/auth/2.0&
    openid.op_endpoint=https://login.yahoo.com&
    openid.return_to=http://stackoverflow.com?article=123&
    openid.identity=e_mumble&
    openid.response_nonce=2005-05-15T17:11:51ZUN6TY9&
    openid.sig=MACsignature

Step 10

Relying party must verify a few things before deciding that the user is authenticated:

return_to matches

identifier matches

nonce is unique

signature is valid
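The four checks listed above, carried out in code, as an added example that is not part of the lecture. The signature scheme assumed here is the OpenID 2.0 one: openid.signed names the signed fields, and openid.sig is the base64 HMAC over their key-value form ("name:value\n" per field) keyed with the association secret the relying party and provider share from an earlier step the slides do not show; openid.mode=id_res marks a positive assertion. The association secret, the claimed identity and the "now" timestamp are constructed for the demo; the nonce is the value from the slide. The demo also shows why the checks are ordered the way they are: a replayed redirect fails on the nonce, and a redirect whose identity was altered fails on the signature.

```python
"""Added example: what the relying party checks before trusting the step-10 redirect."""
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode, urlsplit

OPENID2_NS = "http://specs.openid.net/auth/2.0"
ASSOC_SECRET = b"constructed-association-secret"      # shared with the provider (constructed)
SIGNED_FIELDS = ["op_endpoint", "return_to", "identity", "response_nonce"]


class OpenIDResponseError(Exception):
    """Raised when the final redirect must not be treated as a login."""


def sign_fields(fields, signed, secret):
    """HMAC-SHA256 over the key-value form of the signed fields, base64 encoded."""
    kv = "".join(f"{name}:{fields[name]}\n" for name in signed)
    return base64.b64encode(hmac.new(secret, kv.encode(), hashlib.sha256).digest()).decode()


def make_provider_redirect(identity, return_to, nonce, secret=ASSOC_SECRET):
    """Builds the step-10 Location header the way the provider end point would."""
    fields = {"ns": OPENID2_NS,
              "mode": "id_res",                 # positive assertion (a cancel carries mode=cancel)
              "op_endpoint": "https://login.yahoo.com",
              "return_to": return_to,
              "identity": identity,
              "response_nonce": nonce,
              "signed": ",".join(SIGNED_FIELDS)}
    fields["sig"] = sign_fields(fields, SIGNED_FIELDS, secret)
    sep = "&" if "?" in return_to else "?"
    return return_to + sep + urlencode({"openid." + k: v for k, v in fields.items()})


def verify_assertion(location, expected_return_to, expected_identity, secret,
                     seen_nonces, now, max_skew=timedelta(minutes=5)):
    """Returns the verified identity or raises OpenIDResponseError."""
    query = parse_qs(urlsplit(location).query, keep_blank_values=True)
    f = {k[len("openid."):]: v[0] for k, v in query.items() if k.startswith("openid.")}

    def need(name):
        if name not in f:
            raise OpenIDResponseError(f"missing openid.{name}")
        return f[name]

    if need("ns") != OPENID2_NS or need("mode") != "id_res":
        raise OpenIDResponseError("not a positive OpenID 2.0 assertion")
    # return_to matches: exactly the URL sent in step 5
    if need("return_to") != expected_return_to:
        raise OpenIDResponseError("return_to does not match what we sent")
    # identifier matches: the identity the provider was asked about in step 5
    if need("identity") != expected_identity:
        raise OpenIDResponseError("identity does not match the identifier we sent")
    # signature is valid, and it must cover every field relied on above
    signed = need("signed").split(",")
    for name in SIGNED_FIELDS:
        if name not in signed:
            raise OpenIDResponseError(f"openid.{name} is not covered by the signature")
    for name in signed:
        need(name)
    if not hmac.compare_digest(sign_fields(f, signed, secret), need("sig")):
        raise OpenIDResponseError("signature is invalid")
    # nonce is unique: fresh timestamp prefix, and never accepted before
    nonce = need("response_nonce")
    try:
        issued = datetime.strptime(nonce[:20], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        raise OpenIDResponseError("malformed response_nonce") from None
    if abs(now - issued) > max_skew:
        raise OpenIDResponseError("nonce timestamp outside the accepted window")
    if nonce in seen_nonces:
        raise OpenIDResponseError("nonce already used: replayed response")
    seen_nonces.add(nonce)
    return f["identity"]


def run_demo():
    """Constructed round trip: one valid login, then a replay and a tampered identity."""
    return_to = "http://stackoverflow.com?article=123"
    identity = "http://john.smith.example/"          # constructed claimed identifier
    nonce = "2005-05-15T17:11:51ZUN6TY9"             # nonce value from the slide
    now = datetime(2005, 5, 15, 17, 12, 0, tzinfo=timezone.utc)
    seen = set()
    location = make_provider_redirect(identity, return_to, nonce)
    results = {"login": verify_assertion(location, return_to, identity, ASSOC_SECRET, seen, now)}
    cases = (("replay", location, identity),
             ("tampered", location.replace("john.smith", "mallory"), "http://mallory.example/"))
    for label, loc, who in cases:
        try:
            verify_assertion(loc, return_to, who, ASSOC_SECRET, seen, now)
            results[label] = "accepted"
        except OpenIDResponseError as err:
            results[label] = str(err)
    return results


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

Note that seen_nonces has to be shared across all requests handled by the relying party (a database table or cache, not a per-request set), otherwise the uniqueness check is meaningless.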

How it works – Finally!

[Diagram: the OpenID exchange between the Relying party, the OpenID Provider and the OpenID Provider End Point; source http://www.windley.com/archives/2006/04/how_does_openid.shtml]

Step 11

Relying party returns the page that user was on http://stackoverflow.com?article=123

Final Remarks

The whole point of OpenID is to authenticate users: your web app wants to verify that the user

john.smith @ yahoo.com really is john.smith at yahoo.com

OpenID knows nothing about authorization: after establishing identity, your application

must decide which resources this user is allowed to access

authentication ≠ authorization

OpenID is Phishing Heaven

idtheft.fun.de

OpenID’s adoption by major sites is a mystery to me!

Authorization – but not for *your* resources

OAuth

OAuth

The goal of OAuth is to acquire an access token from a 3rd party (like Google, Facebook, etc.), which can then be used to exchange user-specific data between your application and that 3rd party service (such as calendar information or friends list)

Facebook/Google

user data

Your app

access user data

OpenID+OAuth

Lets arbitrary apps (like yours) access your Twitter/Facebook/Google/etc account without having to have your password

OAuth 4 main steps

Your app asks for a “request” token from the 3rd party

Your app asks the 3rd party for the token to be authorized; the 3rd party requests user approval

Your app exchanges the “request” token for an “access” token

Your app uses the “access” token to access the data
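The four steps above, run end to end in one process, as an added example that is not code from the lecture or from any real provider. The 3rd party (the Google/Facebook box on the slide) is a constructed stand-in that holds the user's password and data and issues the tokens; the app only ever holds tokens. The oauth_verifier the user approval produces follows OAuth 1.0a; app ids, secrets, the user account and the user data are all constructed for the demo.

```python
"""Added example: the four OAuth steps against a constructed 3rd party."""
import hmac
import secrets


class ThirdParty:
    """Stand-in for Google/Facebook: holds the user's password and data, issues tokens."""

    def __init__(self):
        self.apps = {"your-app": "constructed-consumer-secret"}
        self.users = {"alice": "constructed-password"}
        self.user_data = {"alice": {"calendar": ["lecture 16"], "friends": ["bob"]}}
        self.request_tokens = {}   # token -> {app, scope, user, verifier}
        self.access_tokens = {}    # token -> {app, scope, user}

    def _check_app(self, app_id, app_secret):
        if not hmac.compare_digest(self.apps.get(app_id, ""), app_secret):
            raise PermissionError("unknown app or bad app secret")

    def issue_request_token(self, app_id, app_secret, scope):
        """Step 1: the app gets a request token; by itself it grants nothing."""
        self._check_app(app_id, app_secret)
        token = secrets.token_urlsafe(16)
        self.request_tokens[token] = {"app": app_id, "scope": set(scope), "user": None, "verifier": None}
        return token

    def authorize(self, request_token, username, password):
        """Step 2: the user logs in at the 3rd party and approves; the app never sees the password."""
        rec = self.request_tokens.get(request_token)
        if rec is None:
            raise PermissionError("unknown request token")
        if not hmac.compare_digest(self.users.get(username, ""), password):
            raise PermissionError("bad user credentials")
        rec["user"], rec["verifier"] = username, secrets.token_urlsafe(8)
        return rec["verifier"]          # travels back to the app in the redirect

    def exchange(self, app_id, app_secret, request_token, verifier):
        """Step 3: an approved request token plus its verifier buys one access token."""
        self._check_app(app_id, app_secret)
        rec = self.request_tokens.get(request_token)
        if (rec is None or rec["app"] != app_id or rec["user"] is None
                or not hmac.compare_digest(rec["verifier"], verifier)):
            raise PermissionError("request token not authorized for this app")
        del self.request_tokens[request_token]      # single use
        token = secrets.token_urlsafe(16)
        self.access_tokens[token] = {"app": app_id, "scope": rec["scope"], "user": rec["user"]}
        return token

    def get_data(self, access_token, resource):
        """Step 4: data access, limited to what the user approved."""
        rec = self.access_tokens.get(access_token)
        if rec is None:
            raise PermissionError("not an access token")
        if resource not in rec["scope"]:
            raise PermissionError(f"{resource} is outside the approved scope")
        return list(self.user_data[rec["user"]][resource])


class YourApp:
    """The relying application: holds only tokens, never the user's password."""

    def __init__(self, provider, app_id="your-app", app_secret="constructed-consumer-secret"):
        self.provider, self.app_id, self.app_secret = provider, app_id, app_secret
        self.access_token = None

    def begin(self, scope):
        return self.provider.issue_request_token(self.app_id, self.app_secret, scope)

    def finish(self, request_token, verifier):
        self.access_token = self.provider.exchange(self.app_id, self.app_secret, request_token, verifier)

    def fetch(self, resource):
        return self.provider.get_data(self.access_token, resource)


def run_flow():
    """Runs the four steps and records what the 3rd party refuses along the way."""
    provider = ThirdParty()
    app = YourApp(provider)
    out = {}
    req = app.begin(scope=["calendar"])                                   # step 1
    try:
        provider.get_data(req, "calendar")          # a request token is not an access token
    except PermissionError as err:
        out["request_token_as_access"] = str(err)
    verifier = provider.authorize(req, "alice", "constructed-password")   # step 2, at the 3rd party
    app.finish(req, verifier)                                             # step 3
    out["calendar"] = app.fetch("calendar")                               # step 4
    try:
        app.fetch("friends")                        # the user did not approve this
    except PermissionError as err:
        out["friends"] = str(err)
    try:
        app.finish(req, verifier)                   # the request token was single use
    except PermissionError as err:
        out["reuse"] = str(err)
    return out


if __name__ == "__main__":
    for k, v in run_flow().items():
        print(f"{k}: {v}")
```

The point of the demo is the separation the slide describes: the password is typed only into the 3rd party (step 2), the app receives a verifier and then an access token, and the access token only reaches the data the user approved.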