distributed identities with openid
DESCRIPTION
Talk about Distributed Identities with OpenID from the Confoo ConferenceTRANSCRIPT
Distributed Identities with OpenID
Bastian HofmannVZnet Netzwerke Ltd.
About me
OpenID is dead
„OpenID has been a burden on support since the day it was launched.“
„Fewer than 1% of all 37signals users are currently using OpenID.“
http://productblog.37signals.com/products/2011/01/well-be-retiring-our-support-of-openid-on-may-1.html
„OpenID is the worst possible "solution" I have ever seen in my entire life to a problem that most people don't really have.“
Yishan Wong (Facebook)
http://www.quora.com/What-s-wrong-with-OpenID
Facebook Connect250,000,000 monthly users
So why are you here?
• Why identity management is still a problem
• OpenID how it works, and why it fails
• OpenID Connect & OAuth2: OpenIDs future?
• What can browser vendors do?
Questions? Ask!
Only one identity?
Identity is conveyed by communication
Identity is not fixed but recreated by every communication with your fellows
Expectations of different people result in different identities
Lothar Krappmann
Paul Adamshttp://www.slideshare.net/padday/the-real-life-social-network-v2
Sign up again and again
Passwords are broken
Same password for more than one service
Names, birthdays, car brand, ...
Too short, too simple
Saved unsecurely in the browser
Disclosed to others
Sent over non encrypted connections
Single Sign On
Microsoft Live ID
Launched 1999 as .net Passport
Facebook Connect
And there are much more
Nascar problem
The Client
<link rel="openid.server" href="http://www.myopenid.com/server" /><link rel="openid2.provider" href="http://www.myopenid.com/server" />
<meta http-equiv="X-XRDS-Location" content="http://bhofmann.myopenid.com/" /> <link rel="openid2.provider" href="http://www.myopenid.com/server" /> <link rel="openid2.local_id" href="http://bhofmann.myopenid.com/" /> <link rel="openid.server" href="http://www.myopenid.com/server" /> <link rel="openid.delegate" href="http://bhofmann.myopenid.com/" />
Delegation
Discovery
Connection Flow
DEMO
Who is the user?
Is this really user X?
Is X allowed to do something?
Does X have the permission?
VS
Client sites want more than just a unique identifier (Social Graph)
Authentication vs Authorization
But there are Spec Extensions
• Allows to specify certain fields in request that must or should be returned by the Identity Provider
openid.sreg.required=openid.sreg.fullname&openid.sreg.optional=openid.sreg.email,openid.sreg.gender
openid.sreg.fullname=Bastian&openid.sreg.gender=male
Simple Registration
• Fetch Requestpenid.ns.ax=http://openid.net/srv/ax/1.0openid.ax.mode=fetch_requestopenid.ax.type.fname=http://example.com/schema/fullnameopenid.ax.type.gender=http://example.com/schema/genderopenid.ax.type.fav_dog=http://example.com/schema/favourite_dogopenid.ax.type.fav_movie=http://example.com/schema/favourite_movieopenid.ax.count.fav_movie=3openid.ax.required=fname,genderopenid.ax.if_available=fav_dog,fav_movieopenid.ax.update_url=http://idconsumer.com/update?transaction_id=a6b5c41
Attribute Exchange
• Fetch Responseopenid.ns.ax=http://openid.net/srv/ax/1.0openid.ax.mode=fetch_responseopenid.ax.type.fname=http://example.com/schema/fullnameopenid.ax.type.gender=http://example.com/schema/genderopenid.ax.type.fav_dog=http://example.com/schema/favourite_dogopenid.ax.type.fav_movie=http://example.com/schema/favourite_movieopenid.ax.value.fname=John Smithopenid.ax.count.gender=0openid.ax.value.fav_dog=Spotopenid.ax.count.fav_movie=2openid.ax.value.fav_movie.1=Movie1openid.ax.value.fav_movie.2=Movie2openid.ax.update_url=http://idconsumer.com/update?transaction_id=a6b5c41
Attribute Exchange
• Store Requestopenid.ns.ax=http://openid.net/srv/ax/1.0openid.ax.mode=store_requestopenid.ax.type.fname=http://example.com/schema/fullnameopenid.ax.value.fname=Bob Smithopenid.ax.type.fav_movie=http://example.com/schema/favourite_movieopenid.ax.count.fav_movie=2openid.ax.value.fav_movie.1=Movie1openid.ax.value.fav_movie.2=Movie2
openid.ns.ax=http://openid.net/srv/ax/1.0openid.ax.mode=store_response_success
Attribute Exchange
• Store Respons
+----------+ +---------------+ | -+----(B)-- Request Token -------->| | | End-user | | Authorization | | at |<---(C)-- User authenticates --->| Server | | Browser | | | | -+----(D)-- Verifier -------------<| | +-|----|---+ +---------------+ | | ^ v (B) (D) | | | | | | ^ v | | +---------+ | | | |>---(A)-- Redirect URL ---------------| | | Web |<---(A)-- Request Token + Secret -----| | | Client |>---(E)-- Request Token, Verifier ----' | | |<---(E)-- Access Token + Secret -------------' +---------+
Every Request: Client Credentials, Nonce, Timestamp, Signature
http://oauth.net/
OAuth 1.0a Flow
• Combines OpenID Authentication and OAuth authorization
openid.ns.oauth=http://specs.openid.net/extensions/oauth/1.0&openid.oauth.consumer=123456
openid.ns.oauth=http://specs.openid.net/extensions/oauth/1.0&openid.oauth.request_token=7890
OpenID + OAuth
Failures of OpenID 2.0
Complex to implement
URL as identifier => Bad User Experience
Do you have an OpenID?
What is it?
No marketing
How to fix it?
Easier to implement
More simple specification
Better user experience
wider adption
Built on top of OAuth 2.0
What‘s wrong with OAuth?
Does not work well with non web or JavaScript based clients
The „Invalid Signature“ Problem
Complicated Flow, many requests
http://tools.ietf.org/html/draft-ietf-oauth-v2
What‘s new in OAuth2? (Draft 10)
Different client profiles
No signatures
No Token Secrets
Cookie-like Bearer Token
No Request Tokens
Much more flexible regarding extensions
Mandatory TSL/SSL
+----------+ Client Identifier +---------------+ | -+----(A)--- & Redirect URI ------>| | | End-user | | Authorization | | at |<---(B)-- User authenticates --->| Server | | Browser | | | | -+----(C)-- Authorization Code ---<| | +-|----|---+ +---------------+ | | ^ v (A) (C) | | | | | | ^ v | | +---------+ | | | |>---(D)-- Client Credentials, --------' | | Web | Authorization Code, | | Client | & Redirect URI | | | | | |<---(E)----- Access Token -------------------' +---------+ (w/ Optional Refresh Token)
Web-Server Profile
+----------+ Client Identifier +----------------+ | |>---(A)-- & Redirection URI --->| | | | | | End <--+ - - - +----(B)-- User authenticates -->| Authorization | User | | | Server | | |<---(C)--- Redirect URI -------<| | | Client | with Access Token | | | in | in Fragment +----------------+ | Browser | | | +----------------+ | |>---(D)--- Redirect URI ------->| | | | without Fragment | Web Server | | | | with Client | | (F) |<---(E)--- Web Page with ------<| Resource | | Access | Script | | | Token | +----------------+ +----------+
User-Agent Profile
What happend to signatures?
Bearer Tokens are fine over secure connection
Vulnerable if discovery is introduced
Or if TSL/SSL is not possible
Ongoing controvers discussion
Scopes
Optional parameter for provider specific implementations
Additional return values
Access Control
http://openidconnect.com/
Scope: „openid“
With access token additional values are returned
UserID: URL to Portable Contacts endpoint
TimestampSignature
DEMO
OpenID Connect Discovery
Get Identifier of user
Look for a link pointing to the OpenID Connect endpoints in the returned LRDD
Call /.well-‐known/host-‐meta file at the domain of the user‘s provider
Phishing
E-mail address equals identity?
@
Can the browser help?
http://esw.w3.org/Foaf%2Bssl
FOAF+SSL (WebID)
DEMO
Bad browser UI
Syncing between different computers?
More than one user on the same computer?
UX Mockups Mozilla Weave
• We need a single sign on system for the web
• OpenID is cool, but has some problems
• Proprietary solutions are bad for users, site owners and developers
• A new more simple and flexible spec is coming up
• Browser vendors are working to solve this problem in the browser
Summing it up
h"p://twi"er.com/Bas2anHofmannh"p://joind.in/2874h"p://studivz.net/bas2anh"p://slideshare.net/[email protected]
h"p://developer.studivz.net