Openid+Opensocial

OpenID + OpenSocial

Integration between two “open” technologies

Sebastiano Merlino aka [email protected]

Gtug Group - Catania - Italy

July 10th, 2010

1 / 33

OpenID + OpenSocialWhat about OpenID?

OpenID (now at version 2.0) is an open, decentralized standard forauthenticating users that can be used for access control, allowing users to logon to different services with the same digital identity where these services trustthe authentication body.

Wikipedia, the free encyclopedia

Who controls OpenID?

OpenID is decentralized and not owned by anyone. Every

person can choose to become an OpenID provider without

having to register or to be approved by any organization.

The OpenID Foundation was formed to assist the open

source community working like a legal entity.

2 / 33

OpenID + OpenSocialThe OpenID protocol

Glossary

End-User: the person who wants to log in.

Identifier: the standard URI or XRI used to identify the End-User (alsocalled OpenID).

OpenID provider: a service provider that offers the possibility to registerOpenID URLs and XRIs and providing OpenID authentication.

Relying Party: The site that wants to verify the End-User identity. It isalso called Service Provider.

Server Agent: The server that verifies the End-User’s OpenID. It usuallyis the same of the OpenID provider.

User Agent: The program used by the End-User to access to the provideror to the relying party. It usually is a browser.

3 / 33


There are two types of identifiers allowed: URLs and XRIs.There are two ways to obtain an OpenID enabled URL that can be used toaccess to a relying party:

1 To use an existing URL under user control linking to a page whichcontains OpenID tags in the HTML or serves a Yadis document.

2 To register to an OpenID provider. They usually offer to register a thirdlevel domain URL configured with OpenID HTML tags. Some providersgenerate on request a Yadis document with details about the end-user.

XRIs are a new type of internet identifier designed for cross-domain

identification. XRIs come in two forms: i-names and i-numbers that are

registered as synonims. I-names can be reassigned but an i-number is never

reassigned. An i-name is immediatly translated to it synonim i-number that is

stored as OpenID by the relying party.

4 / 33


The Login

1 The user provides his OpenID to the relying party using the form on theirpage. It is supposed that the user has already registered an OpenIDidentifier with an OpenID provider.

2 The relying party normalizes the provided OpenID. If the OpenID is anURL, the relying party implementing OpenID 1.0 requests the web pagelocated at that URL and reads the proper HTML Tag to discover theidentity provider service URL or receive a Yadis document withinformations.

With OpenID 2.0 instead, the OpenID is a XRI and the relying partydiscovers the identity provider service URL by requesting a XRDSdocument (Yadis) following the path indicated by the XRI.

5 / 33


The Login

3 At this point the communication starts. The relying party cancommunicate with the provider without interaction with the user(checkid immediate) or, like it is popular in web, notificating the user andusing his browser (checkid setup).

4 Relying party and provider establish a shared secret (starting from a nonceand using a Diffie-Hellman). With checkid setup the relying partyredirects the user to the OpenID provider.

5 The provider requires the user a permission for the relying party.

6 If the user declines, he is redirected to the relying party with an errormessage, instead, if the user confirms the relying party verifies theauthentication validating the shared secret.

7 At this point if the validation is successful, the user is considered logged in.

6 / 33


HTML with OpenID Tags

An OpenID tagged HTML page must contains these two links:

<link rel=‘‘openid2.provider openid.server’’

href=‘‘http://www.livejournal.com/openid/server.bml’’/>

<link rel=‘‘openid2.local id openid.delegate’’

href=‘‘http://exampleuser.livejournal.com/’’/>

XRIs

An XRI (eXtensible Resource Identifier) is a scheme resolution protocol forabstract identifiers. If an XRI starts with “=” it identifies a person, if startswith “@” identify an organization an if starts with “+” indicates a genericconcept. Every name (i-name) can be converted into an i-number.

xri://=Sebastiano.Merlino

xri://+phone.number

xri://mysite.it/(=Sebastiano.Merlino)

xri://=!1000.aib3.c6f2

xri://+!1000.f4f5.c3f5

xri://mysite.it/(=!1000.aib3.c6f2)

7 / 33


Yadis

Yadis is a communication protocol for discovery of services. A Yadis IDcan be a URL or a XRI i-name that can be resolved to a URL. TheYadis protocol specifies how to retrieve a service descriptor called YadisResource Descriptor. This descriptor follows the XRDS format toconnect to several services.

<?xml version=1.0 encoding=UTF-8?><xrds:XRDS xmlns:xrds=xri://$xrds xmlns=xri://$xrd*($v*2.0)xmlns:openid=http://openid.net/xmlns/1.0}

<XRD><Service priority=50}

<Type>http://openid.net/signon/1.0</Type><URI>http://www.myopenid.com/server</URI><openid:Delegate>http://smoker.myopenid.com/</openid:Delegate>

</Service></XRD>

</xrds:XRDS>

8 / 33

OpenID + OpenSocialand...OAuth?

OAuth and OpenID sounds like the same thing but they arereally different.If OpenID exists to give access to multiple web sites, OAuthlets to authorize one website (called consumer) to access datafrom another web site (provider).

The Open Authentication

Google and Plaxo have released a hybrid protocol that combines OpenID withOAuth. Often, when a site wants to use services by another site, it requireslogin access details that the user may doesn’t want to condivide. Tocircumvent this problem has been created OAuth that drive the user to theprovider, sending back him after the login. This technique can be improvedwith OpenID that can make this operation automatic.

9 / 33

OpenID + OpenSocialOpenID: Advantages and Disadvantages

Advantages

Accelerate SignUp process

Reduce frustration of mantaining multiple Username and Password

Minimize Password security risk

Gain greater control over online identity

Disadvantages

The OpenID provider may track users’ habits.

Third party authenticate your users.

10 / 33

OpenID + OpenSocialOpenID implementations

Provider

Community-ID (PHP)

Prarie (PHP)

Masquerade (Ruby)

DjangoID (Python)

Packetizer OpenID Server (Perl)

DotNetOpenID (.NET)

JOS (Java)

Relying Party

Poidsy (PHP)

Openid4Java (Java)

jopenid (Java)

DotNetOpenAuth (.NET)

11 / 33

OpenID + OpenSocialOpenID provider: Community-ID

Community-ID is an OpenID PHP implementation of a provider which isOpenID 2.0 compliant. Community-ID is totally free in use and is build 100%over Open Source software. This software is licensed under the BSD license.

To use Community-ID, you have only to install it.For the installation the software requires a WebServer installed with support forPHP 5.2.4 or greater with the MySQLi installed.It is also required a MySQL database (version 4.1 or greater).These modules are required: php5-core php5-mysql php5-pdo mysql php5-gdphp5-gmp.

12 / 33

OpenID + OpenSocialRelying Party: Poidsy

Example

<?phpsession start();if (isset($ POST[’openid url’]) ‖ isset($ REQUEST[’openid mode’])) {

if (isset($ POST[’openid type’]) && $ POST[’openid type’] != ’openid url’) {define(’OPENID URL’, $ POST[’openid type’]);

}require(’../../processor.php’); //the poidsy validation script

} else {[...some layout stuff...]if (isset($ SESSION[’openid’][’error’])) {

unset($ SESSION[’openid’][’error’]);} else if (isset($ SESSION[’openid’][’validated’]) && $ SESSION[’openid’][’validated’]) {

unset($ SESSION[’openid’][’validated’]);if (isset($ SESSION[’openid’][’sreg’])) {

[...show data...]unset($ SESSION[’openid’][’sreg’]);

}

13 / 33

OpenID + OpenSocialRelying Party: Poidsy

Poidsy is a full functional set of PHP script that serves like OpenIDrelying party. The difference between Poidsy and other libraries is theability of this implementation to not expose the OpenID logic. It canonly be used without writing a single line of code.

In the previous example, it is shown how to use the poidsy library.It is required to start a session where the library stores his values. If ispassed to the page an OpenID url, the scripts requires the processor.phpscript to validate and authenticate the user.The same page is used to receive a response from the provider. If theresponse is an error, it is possible to print on the screen an error message,otherwise it is possible to read the response and use it like user data.

14 / 33

OpenID + OpenSocialRelying Party: Pigeon

32 valor medals were consigned to pigeons during theSecond World War.Only 26 to dogs.3 to horses.Only 1 to a cat. (What has he done? He has perhaps eatena german pigeon?!?!)

Remember: when the battle starts and the situationbecomes chaotic with machine guns, artigliery and gas, wemust trust the pigeons.

Pigeon service was implemented by Dario Mazza, Sebastiano Merlino, MarcoMessina, Davide Giuseppe Monaco, Paolo Pino and Eugenio Priscimone. Ituses Openid4Java to realize a fully compatible relying party for OpenID verions:1.0, 1.1 and 2.0.

15 / 33


Classes

Pigeon consists in three classes: PigeonService, AuthenticationServlet,OIDResponseServlet.

PigeonService implementation

PigeonService consists in four methods:

getConsumerManager : necessary to obtain the Openid4JavaConsumerManager.

discoverOnIdentifier : used to obtain DiscoveryInformation necessary tothe user’s effective authentication.

createAuthRequest: method used to obtain the AuthRequest to send.

processData: necessary to obtain an userID from the provider’s response.

16 / 33


getConsumerManager

private static ConsumerManager getConsumerManager(){if (consumerManager == null) {[...]

consumerManager = new ConsumerManager();consumerManager.setAssociations(new InMemoryConsumerAssociationStore());consumerManager.setNonceVerifier(new InMemoryNonceVerifier(10000));

}[...]return consumerManager;

}

This method first initialize an empty ConsumerManager, then it decides whatclass is responsible to store the associations with providers. At the end themethod sets a validity time for the nonce and returns the ConsumerManager.

17 / 33


discoverOnIdentifier

public static DiscoveryInformation discoverOnIdentifier(String userSuppliedIdentifier){DiscoveryInformation ret = null;ConsumerManager consumerManager = getConsumerManager();[...]List discoveries = consumerManager.discover(userSuppliedIdentifier);ret = consumerManager.associate(discoveries);[...]return ret;

}

This method first initializes a null DiscoveryInformation and then using theConsumerManager it discovers informations about the userSuppliedIdentifier.At the end the method returns the DiscoveryInformation.

18 / 33


createAuthRequest

public static AuthRequest createAuthRequest(DiscoveryInformation discoveryInformation, StringreturnToAviary){

AuthRequest retValue = null;[..]retValue = getConsumerManager().authenticate(discoveryInformation, returnToAviary);SRegRequest req = SRegRequest.createFetchRequest();retValue.addExtension(req);[..]return retValue;

}

This method uses the DiscoveryInformation to authenticate the user imposingto redirect to the url indicated in returnToAviary after the login. The methodat the end returns the authRequest.

19 / 33


processData

public static UserId processData(DiscoveryInformation discoveryInformation, ParameterListparameterList, String returnToAviary){

UserId ret = null;[...]VerificationResult verificationResult = getConsumerManager().verify(returnToAviary,

parameterList, discoveryInformation);Identifier verifiedIdentifier = verificationResult.getVerifiedId();if (verifiedIdentifier != null) {

AuthSuccess authSuccess = (AuthSuccess) verificationResult.getAuthResponse();ret = new UserId(UserId.Type.valueOf(me), verifiedIdentifier.getIdentifier());

}[...]return ret;

}

This method first verifies the idenitfier with the nonce and then stores it insidean UserID.

20 / 33


Authentication Servlet

[...]DiscoveryInformation discoveryInformation =PigeonService.discoverOnIdentifier(userSuppliedIdentifier);req.getSession(true).setAttribute(“discoveryInformation”, discoveryInformation);AuthRequest authRequest = PigeonService.createAuthRequest(discoveryInformation, returnToUrl);res.sendRedirect(authRequest.getDestinationUrl(true));

[...]

OIDResponseServlet

[...] UserId uid = PigeonService.processData((DiscoveryInformation)req.getSession(true).getAttribute(“discoveryInformation”), newParameterList(req.getParameterMap()), returnToUrl);UserHelper.setSessionUid(req,uid.getUserId());UserHelper.setSessionUserHash(req,uid.hashCode());AuthenticationResponse ar = new AuthenticationResponse(uid.getUserId());

[...]

21 / 33


These two servlet respectively requires authentication to the provider andreceives his response. It could be seen how the servlet have only to use themethods implemented by the class Pigeon.

Like can be seen in the previous slides is really simple to implement a relyingparty also using the java api Openid4Java. In this case, unlike Poidsy, we arenot blind in front of the software implementation, so we need to have aknowledge of OpenID specification to make general at all our implementation.

22 / 33

OpenID + OpenSocialOpenSocial

It’s open, it’s social, it’s up to you

OpenSocial is a set of web API designed by Google, MySpace and many othersweb organizations with the objective to make interoperable every applicationimplementing it with any social network system that supports them.

It’s a set of two APIs, for javascript and REST. The javascriptAPI are designed for “web gadgets” written in Google’s gadgetsarchitecture. The REST API is for other apps: desktop, mobileand server.Gadgets are written using the Gadgets API. Any site that canhost gadgets is called container.

23 / 33

OpenID + OpenSocialOpenSocial: Gadgets

Structure of a Gadget

<?xml version=‘‘1.0’’ encoding=‘‘UTF-8’’ ?><Module>

<ModulePrefs title=‘‘Hello World!’’><Require feature=‘‘opensocial-0.8’’ />

</ModulePrefs><Content type=‘‘html’’>

<![CDATA[

Hello, world!

]]></Content>

</Module>

<Module> indicates that this XML contains a gadget.<ModulePrefs> contains information about the gadget.<Require feature=“opensocial-0.8” /> denotes a required feature of the gadget.

<Content type=“html”> indicates that the gadget’s content type is HTML.

24 / 33

OpenID + OpenSocialOpenSocial: Container

Apache Shindig

The reference implementation for anOpenSocial Container is Apache Shindig.

An OpenSocial container is not merely a box designed to contains gadget but italso involves in the creation of a social infrastructure between members of thesite implementing the API.There are two implementation for the Shindig Container: Java and PHP; thesetwo versions have 3 major server side components:

Persistent Data Loading Mechanism;

Gadget Rendering Infrastructure

OpenSocial server-side Implementation

25 / 33

OpenID + OpenSocialOpenSocial: Container

Some features are client side, like:

The real gadget container (in javascript)

The OpenSocial container

JSon, Restful and Caja support

OpenSocial APIs

OpenSocial’s API implemented are:

OpenSocial REST : for Server-to-Server communications

OpenSocial JSON-RPC : for Gadget-to-Server communications

Javascript: for Gadgets implementation

26 / 33

OpenID + OpenSocialOpenSocial: Container Implementation

Shindig Installation

The shindig installation system is really simple. It just consists in extracting thedownloaded archive to the directory where you wish install Apache Shindig.

For the J2EE version the installation consists in copying the WAR file to$TOMCAT HOME/webapps if the server used is Tomcat.Building from source requires Java 1.5 or later with JAVA HOMEenvironment variable set and Apache Maven already installed.

For the PHP version you have just to copy shindig-php into a directory in/var/www obviously intending you have installed an Apache PHP server.Prerequisites are PHP 5.2.x with mod rewrite enabled with the json,simplexml, mcrypt and curl extensions enabled.

27 / 33


To personalize your container (client-side in js) you have to override methodsfrom the default implementation changing functionalities to resemble what youwant.Usually you have rewrite the main funcion renderGadgets.

M4P2

M4P2 is an extension of the javascript client-side shindig container adding to itsome functionalities using jQuery library. It has been realized by Dario Mazza,Sebastiano Merlino, Marco Messina, Davide Giuseppe Monaco, Paolo Pino andEugenio Priscimone.It just consists in a single js script that can be used like container forOpenSocial Gadgets.

28 / 33


M4P2

In the previous slide is presented a piece of code from the overriding of thefunction renderGadgets.This function accepts three params: incoming, enable cb, disable cb. The firstparameter is a string in JSON format:[{’id’:’gadget-chrome-x’,’url’: ’gadgets/Login/Login.xml’},{’id’:’gadget-chrome-y’,

’url’:’http://localhost:8080/examples/getFriendsHasApp.xml’ }]

“id” indicates the name of the div that has to contain the gadget.“url” is the path to reach the gadget.

The block that follows registers the gadget and renderizes it.

30 / 33

OpenID + OpenSocialA final merge

<?xml version=“1.0” encoding=“UTF-8”?>

<Module>

<ModulePrefs title=“OpenSocial - Login utente” height=“250”>

</ModulePrefs>

<Content type=“html”>

<![CDATA[

[...javascript inclusions...]

[...do some stuff to print layout...]

function accesso(){var parametri = document.getElementById(“logstring”).value.split(“-”);

var username = parametri[0];

var opname = parametri[1];

if(username==none){window.location = “http://www.example.com:8080/openid/auth?op=” + opname;

} else {var uid = document.getElementById(“userid”).value;

window.location = “http://www.example.com:8080/openid/auth?op=” + opname + “&uid=” + uid; }[...do some stuff to fill form...]

}]]>

</Content>

</Module>

31 / 33

OpenID + OpenSocialA final merge

An OpenID gadget

In the previous slide it can be seen an example of a OpenID login gadget. Inthis example have been used a modified shindig container (M4P2) that uses arelying party “Pigeon” developed on openid4java connecting with a hugenumber of provider.

At this point we have realized our global authentication tool that using OpenIDmakes easy the life of the user. In addiction to this, we can distribute ourgadget to any site implementing OpenSocial containers and that wants to useit. Supposing we want to start our OpenID provider it could be an extremelyinteressant example of software distribution as advertisement.

An interessant plan for the future could be to implement support also to OAuthallowing easy data exchange and creating an automatic site ring.

32 / 33

OpenID + OpenSocialLinks...

openid.net/developers/specs/ - to read about OpenID specifications.

step2.googlecode.com/svn/spec/openid oauth extension/latest/ - article andspecifications about the OAuth extension of OpenID.

wiki.openid.net/Run-your-own-identity-server - A link to a collection of library torealize an OpenID provider.

code.google.com/intl/it-IT/apis/opensocial/ - The official OpenSocial projectpage.

shindig.apache.org/ - Shindig official web page.

33 / 33

Openid+Opensocial

Technology

Transcript of Openid+Opensocial