OpenID vs OAuth - Identity on the Web
Page 1
Identity on the Web: OpenID vs OAuth
Identity Management in SOA
Richard Metzler
May 2010
Page 2
Outline
I. User Authentication
II. OpenID
III. OAuth
IV. Compare OpenID & OAuth
V. My Project
Page 3
User Authentication
Page 4
User Authentication
• every single website needs my credentials
  • username / e-mail
  • password
    • should be secure
    • should not be reused
    • how to remember?
Page 5
Resulting Problems
• identity is scattered
• passwords
  • millions to remember vs recycling
• how to authorize third-party access?
➡ Password Anti-Pattern
Page 6
OpenID
Page 7
OpenID
• sharing a single identity with different consumers
• decentralized
• OpenID 2.0 (without XRI)
http://openid.net/
Page 8
Roles in OpenID
• User owns account at OpenID Provider
• User proves Identity to Relying Party
Page 9
OpenID Flow (diagram)
http://www.openaselect.org/trac/openaselect/wiki/OpenID
Page 10
Sign in with OpenID Identifier
Page 11
Discovery & Delegation: obtain OP Endpoint
Page 12
Establish Association
• shared secret between Relying Party & OpenID Provider
• Diffie-Hellman Key Exchange
  • (g^xa)^xb mod p = (g^xb)^xa mod p
http://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange
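Added Python example, not from the slides: the OpenID 2.0 association step as a DH-SHA1 session, where the Relying Party and OP derive the shared secret from the identity above and the OP uses SHA-1 of that secret to wrap the 20-byte association MAC key. The group parameters P and G are toy values chosen so the numbers stay readable (OpenID's default is a fixed 1024-bit modulus with generator 2); the private exponents in the usage call are constructed.

```python
import hashlib
import secrets

# Toy Diffie-Hellman group, constructed for this example (NOT the OpenID default group).
P, G = 23, 5

def btwoc(n: int) -> bytes:
    """Big-endian two's-complement encoding OpenID uses for DH values (0x00 prefix if top bit set)."""
    b = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    return b"\x00" + b if b[0] & 0x80 else b

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def rp_association_request(xa: int) -> int:
    """Relying Party picks private xa and sends dh_consumer_public = g^xa mod p."""
    return pow(G, xa, P)

def op_association_response(dh_consumer_public: int, xb: int, mac_key: bytes):
    """OP picks private xb, computes shared = (g^xa)^xb mod p and wraps the association key as
    enc_mac_key = SHA1(btwoc(shared)) XOR mac_key. Returns (dh_server_public, enc_mac_key)."""
    shared = pow(dh_consumer_public, xb, P)
    enc_mac_key = xor_bytes(hashlib.sha1(btwoc(shared)).digest(), mac_key)
    return pow(G, xb, P), enc_mac_key

def rp_unwrap_mac_key(dh_server_public: int, enc_mac_key: bytes, xa: int) -> bytes:
    """Relying Party computes the same secret as (g^xb)^xa mod p and recovers mac_key."""
    shared = pow(dh_server_public, xa, P)
    return xor_bytes(hashlib.sha1(btwoc(shared)).digest(), enc_mac_key)

def establish_association(xa: int, xb: int, mac_key: bytes) -> dict:
    """Run the full exchange and return what each side ends up with, for comparison."""
    dh_consumer_public = rp_association_request(xa)
    dh_server_public, enc_mac_key = op_association_response(dh_consumer_public, xb, mac_key)
    return {
        "shared_rp": pow(dh_server_public, xa, P),
        "shared_op": pow(dh_consumer_public, xb, P),
        "mac_key_rp": rp_unwrap_mac_key(dh_server_public, enc_mac_key, xa),
        "mac_key_op": mac_key,
    }

if __name__ == "__main__":
    # Constructed private exponents; a real RP/OP draws them at random (like the MAC key here).
    result = establish_association(xa=6, xb=15, mac_key=secrets.token_bytes(20))
    print("shared secret agrees:", result["shared_rp"] == result["shared_op"])
    print("MAC key recovered:", result["mac_key_rp"] == result["mac_key_op"])
```

The recovered mac_key is what the Relying Party later uses to check the HMAC signature on the OP's positive assertion, so the DH step only needs to protect that key in transit, not the assertion itself.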
Page 13
Redirect User Agent to OP Endpoint
Page 14
Redirect User Agent to OP Endpoint
Page 15
Return URL Verification
• OpenID Provider checks:
  • do Realm and return_to URL match?
Page 16
User Authentication
Page 17
OpenID Provider presents Realm
Page 18
Redirect User Agent to OP Endpoint URL
Page 19
Redirect User Agent to OP Endpoint URL
Page 20
Verification
• Relying Party checks:
  • return_to URL
  • OpenID Identifier
  • was Nonce never used before?
  • fields signed, signature valid
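Added Python example, not from the slides: the four Relying Party checks listed above, run against a constructed OpenID 2.0 positive assertion. The signature is the HMAC-SHA1 over the "key:value\n" form of the fields named in openid.signed, keyed with the association MAC key; MAC_KEY, the endpoint, identifier, return URL and nonce values are all constructed for the example.

```python
import base64
import hashlib
import hmac

# Fields OpenID 2.0 requires the OP to sign (claimed_id/identity whenever they are present).
REQUIRED_SIGNED = {"op_endpoint", "return_to", "response_nonce", "assoc_handle", "claimed_id", "identity"}

# Constructed sample values; a real nonce is a UTC timestamp plus unique characters.
MAC_KEY = bytes(range(20))
OP_ENDPOINT = "https://op.example/server"
CLAIMED_ID = "https://alice.example/"
RETURN_TO = "https://rp.example/openid/return"
NONCE = "2010-05-01T12:00:00Zq9Xk2"
ASSOC_HANDLE = "assoc-demo-1"

def signature(params: dict, mac_key: bytes) -> str:
    """HMAC-SHA1 over 'key:value\\n' lines of the fields listed in openid.signed, base64-encoded."""
    kv = "".join(f"{k}:{params.get('openid.' + k, '')}\n" for k in params["openid.signed"].split(","))
    return base64.b64encode(hmac.new(mac_key, kv.encode(), hashlib.sha1).digest()).decode()

def make_assertion(mac_key, op_endpoint, claimed_id, return_to, nonce, assoc_handle) -> dict:
    """OP side: build and sign the positive assertion sent back via the User Agent."""
    fields = {"op_endpoint": op_endpoint, "claimed_id": claimed_id, "identity": claimed_id,
              "return_to": return_to, "response_nonce": nonce, "assoc_handle": assoc_handle}
    params = {"openid.ns": "http://specs.openid.net/auth/2.0", "openid.mode": "id_res",
              "openid.signed": ",".join(fields)}
    params.update({"openid." + k: v for k, v in fields.items()})
    params["openid.sig"] = signature(params, mac_key)
    return params

def verify_assertion(params, mac_key, expected_return_to, expected_claimed_id, seen_nonces) -> list:
    """RP side: returns the list of failed checks; an empty list means the assertion is accepted."""
    errors = []
    if params.get("openid.return_to") != expected_return_to:
        errors.append("return_to mismatch")
    if params.get("openid.claimed_id") != expected_claimed_id:
        errors.append("identifier mismatch")
    if not REQUIRED_SIGNED <= set(params.get("openid.signed", "").split(",")):
        errors.append("required field not signed")
    elif not hmac.compare_digest(signature(params, mac_key), params.get("openid.sig", "")):
        errors.append("bad signature")
    nonce = params.get("openid.response_nonce", "")
    if nonce in seen_nonces:
        errors.append("nonce replayed")
    if not errors:
        seen_nonces.add(nonce)  # remember only nonces of accepted assertions
    return errors
```

Because return_to and claimed_id are among the signed fields, changing either one in transit fails two checks at once: the expected-value comparison and the signature.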
Page 21
Logged in
Page 22
OpenID Flow (diagram)
http://www.openaselect.org/trac/openaselect/wiki/OpenID
Page 23
OAuth
Page 24
OAuth
• sharing your data without sharing your password
• centralized
• OAuth 1.0a (current version)
• Draft for OAuth 2.0
http://oauth.net/
Page 25
Roles
• User owns Resource at Service Provider
• User grants Consumer access to Resource
Page 26
OAuth Dance (diagram)
http://fireeagle.yahoo.net/developer/documentation/web_auth
Page 27
Register Consumer, get Consumer Key
• manually register Consumer at Service Provider
  • identified by Token / Secret
  • Callback URL
• all subsequent Requests must be signed with Secret, Nonce & Timestamp
Page 28
Sign in with OAuth
Page 29
Get Request Token
• Consumer asks Service Provider for Request Token
• Request Token identifies authorization workflow
  • not user specific
  • transmitted in URL when User Agent is redirected
Page 30
HTTP Redirect to Service Provider
Page 31
HTTP Redirect to Service Provider
Page 32
Authenticate
Page 33
Grant Access
Page 34
HTTP Redirect to Consumer Callback
Page 35
HTTP Redirect to Consumer Callback
Page 36
Get Access Token
• Consumer trades Request Token for Access Token
• Access Token grants access to Service Provider on behalf of User
  • user specific
Page 37
Logged in
Page 38
Access Resource
• authenticated access on Resource
• must be signed
  • Consumer Key
  • OAuth Token
  • Timestamp
  • Nonce
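Added Python example, not from the slides: the request signing that page 27 requires of every Consumer request and page 38 lists for resource access, as OAuth 1.0a HMAC-SHA1, with the Service Provider side re-computing the signature after its timestamp and nonce checks. The consumer key/secret, access token/secret and resource URL are constructed values standing in for what registration and the access-token step would hand out.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

# Constructed credentials: the Consumer Key/Secret from manual registration and the
# Access Token/Secret obtained by trading in the Request Token. None of these are real.
CONSUMER_KEY, CONSUMER_SECRET = "demo-consumer-key", "demo-consumer-secret"
ACCESS_TOKEN, TOKEN_SECRET = "demo-access-token", "demo-token-secret"

def enc(s) -> str:
    """RFC 3986 percent-encoding as OAuth 1.0a requires: only unreserved characters stay bare."""
    return quote(str(s), safe="-._~")

def base_string(method: str, url: str, params: dict) -> str:
    """Signature base string: METHOD & enc(url) & enc(sorted encoded params, minus the signature)."""
    pairs = sorted((enc(k), enc(v)) for k, v in params.items() if k != "oauth_signature")
    return "&".join([method.upper(), enc(url), enc("&".join(f"{k}={v}" for k, v in pairs))])

def hmac_sha1(base: str, consumer_secret: str, token_secret: str) -> str:
    """Key is enc(consumer secret) & enc(token secret); result is base64 of the HMAC-SHA1."""
    key = f"{enc(consumer_secret)}&{enc(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()

def sign_request(method, url, query, token, token_secret, nonce, timestamp) -> dict:
    """Consumer side: add the oauth_* parameters (key, token, nonce, timestamp) and sign."""
    params = dict(query, oauth_consumer_key=CONSUMER_KEY, oauth_token=token, oauth_nonce=nonce,
                  oauth_timestamp=str(timestamp), oauth_signature_method="HMAC-SHA1", oauth_version="1.0")
    params["oauth_signature"] = hmac_sha1(base_string(method, url, params), CONSUMER_SECRET, token_secret)
    return params

class ServiceProvider:
    """Service Provider side: secret lookup, timestamp window, nonce replay, then the signature."""
    def __init__(self, now: int, window: int = 300):
        self.consumers = {CONSUMER_KEY: CONSUMER_SECRET}
        self.tokens = {ACCESS_TOKEN: TOKEN_SECRET}
        self.seen, self.now, self.window = set(), now, window

    def verify(self, method: str, url: str, params: dict) -> str:
        consumer_secret = self.consumers.get(params.get("oauth_consumer_key"))
        token_secret = self.tokens.get(params.get("oauth_token"))
        if consumer_secret is None or token_secret is None:
            return "unknown consumer or token"
        if abs(int(params.get("oauth_timestamp", 0)) - self.now) > self.window:
            return "stale timestamp"
        replay_key = (params["oauth_consumer_key"], params["oauth_timestamp"], params.get("oauth_nonce"))
        if replay_key in self.seen:
            return "nonce replayed"
        expected = hmac_sha1(base_string(method, url, params), consumer_secret, token_secret)
        if not hmac.compare_digest(expected, params.get("oauth_signature", "")):
            return "bad signature"
        self.seen.add(replay_key)
        return "ok"
```

The nonce is tracked per consumer key and timestamp, so the timestamp window also bounds how long the Service Provider has to remember nonces.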
Page 39
OAuth Dance (diagram)
http://fireeagle.yahoo.net/developer/documentation/web_auth
Page 40
OpenID vs OAuth
Page 41
Commonalities
• each involves 3 parties
• open protocols - community driven
• HTTP based
• not mutually exclusive
Page 42
Differences
• sharing: identity vs data resources
• decentralized vs centralized
• Consumer-Provider relationship:
  • unknown vs well-known
Page 43
My Project
Page 44
My Project
• Implement OAuth Service Provider & OAuth Consumer example
• API for manageable resources (ideas)
  • profile pictures
  • activity streams Atom feed extension
  • RESTful API for editing RDF::FOAF data
http://activitystrea.ms/ http://www.foaf-project.org/
Page 45
Questions?