INF 123 SW Arch, dist sys & interop Lecture 16
description
Transcript of INF 123 SW Arch, dist sys & interop Lecture 16
INF 123 SW ARCH, DIST SYS & INTEROP
LECTURE 16Prof. Crista Lopes
Objectives Understanding the difference between
Authentication and Authorization Understanding OpenID and OAuth
Auth vs Auth Authentication: who is this user?
Authorization: can this user do that?
Identity on the Web Millions of Web sites, each with their own
users Each user needs to remember N
usernames+passwords
…why not interoperate identity? …why not interoperate more data?
Decentralized Identity
OpenID
OpenID in Action “OpenID is a decentralized
authentication protocol that makes it easy for people to sign up and access web accounts.”
www.stackoverflow.com
How it works
http://yahoo.com
http://openid.net/developers/specs/
How it works, in 11 steps
http
://ww
w.wi
ndle
y.com
/arc
hive
s/20
06/0
4/ho
w_do
es_o
peni
d.sh
tml
Relying party
OpenID Provider
OpenID ProviderEnd Point
Steps 1, 2 – Post Identifier <form id="openid_form" action="/users/authenticate" method="post"> <!-- /Simple OpenID Selector --> <table id="openid-url-input"> <tr> <td><input id="openid_identifier" name="openid_identifier" type="url” ></td> <td><input id="submit-button” type="submit" value=”Sign in”></td> </tr> </table></form>
How it works – Discovery
http
://ww
w.wi
ndle
y.com
/arc
hive
s/20
06/0
4/ho
w_do
es_o
peni
d.sh
tml
Relying party
OpenID Provider
OpenID ProviderEnd Point
Steps 3, 4 – Normalization & Discovery
Yadis ProtocolContent-Type: application/xrds+xml when performing an HTTP GET on the identity URL
Step 3 – XRDS response<?xml version="1.0" encoding="UTF-8"?><xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)"xmlns:openid="http://openid.net/xmlns/1.0"> <XRD> <Service priority="50"> <Type>http://openid.net/signon/1.0</Type> <URI>http://www.myopenid.com/server</URI> <openid:Delegate>http://smoker.myopenid.com/</openid:Delegate> </Service> <Service priority="10"> <Type>http://openid.net/signon/1.0</Type> <URI>http://www.livejournal.com/openid/server.bml</URI> <openid:Delegate>http://www.livejournal.com/users/frank/</openid:Delegate> </Service> <Service priority="20"> <Type>http://lid.netmesh.org/sso/2.0</Type> <URI>http://mylid.net/liddemouser</URI> </Service> <Service> <Type>http://lid.netmesh.org/sso/1.0</Type> </Service> </XRD></xrds:XRDS>
Steps 3, 4 – Normalization & Discovery
Plain HTTP
Returned document must contain a <link /> element:
<link rel=“openid2.provider” href=“http://endpoint”/>
How it works – Redirect 1
http
://ww
w.wi
ndle
y.com
/arc
hive
s/20
06/0
4/ho
w_do
es_o
peni
d.sh
tml
Relying party
OpenID Provider
OpenID ProviderEnd Point
Step 5 – First redirect Relying party parses XDSR or <link />
and retrieves the OpenID provider end point.
Then redirects (302, 303 or 307) user agent to it with query params appended to the URL:
HTTP/1.1 303 See OtherLocation: https://login.yahoo.com? openid.ns=http://specs.openid.net/auth/2.0& openid.mode=checkid_setup& openid.claimed_id=e_mumble& openid.return_to=http://stackoverflow.com?article=123
How it works – Login
http
://ww
w.wi
ndle
y.com
/arc
hive
s/20
06/0
4/ho
w_do
es_o
peni
d.sh
tml
Relying party
OpenID Provider
OpenID ProviderEnd Point
Steps 6, 7, 8, 9 – Login Undefined in the Spec Usually regular login form with POST May include further verification with user This is a vulnerable point in the process
more later
How it works – Final Redirect
http
://ww
w.wi
ndle
y.com
/arc
hive
s/20
06/0
4/ho
w_do
es_o
peni
d.sh
tml
Relying party
OpenID Provider
OpenID ProviderEnd Point
Step 10 – Final Redirect OpenID Provider End Point redirects user
agent back to the “return_to” URL.
HTTP/1.1 303 See OtherLocation: http://stackoverflow.com?article=123? openid.ns=http://specs.openid.net/auth/2.0& openid.op_endpoint=https://login.yahoo.com& openid.return_to=http://stackoverflow.com?article=123& openid.identity=e_mumble& openid.response_nonce=2005-05-15T17:11:51ZUN6TY9& openid.sig=MACsignature
Step 10 Relying party must verify a few things
before deciding that the user is authenticated return_to matches identifier matches nonce is unique signature is valid
How it works – Finally!
http
://ww
w.wi
ndle
y.com
/arc
hive
s/20
06/0
4/ho
w_do
es_o
peni
d.sh
tml
Relying party
OpenID Provider
OpenID ProviderEnd Point
Step 11 Relying party returns the page that user
was on http://stackoverflow.com?article=123
Final Remarks The whole point of OpenID is to
authenticate users your web app wants to verify that user
jonh.smith @ yahoo.com really is john.smith at yahoo.com
OpenID knows nothing about authorization after establishing identity, your application
must deciding which resources this user is allowed to access
authentication ≠ authorization
OpenID is Phishing Heaven idtheft.fun.de
OpenID’s adoption by major sites is a mystery to me!
Authorization – but not for *your* resources
OAuth
OAuth The goal of OAuth is to acquire an access
token from a 3rd party (like Google, Facebook, etc.), which can then be used to exchange user-specific data between your application and that 3rd party service (such as calendar information or friends list)
Facebook/Google
user data
Your appaccess user data
OpenID+OAuth Lets arbitrary apps (like yours) access
your Twitter/Facebook/Google/etc account without having to have your password
OAuth 4 main steps Your app asks for a “request” token from
the 3rd party Your app asks the 3rd party for the token
to be authorized 3rd party requests user approval
Your app exchanges the “request” token for an “access” token
Your app uses the “access” token to access the data