INF 123 SW Arch, dist sys & interop, Lecture 16
INF 123 SW ARCH, DIST SYS & INTEROP
LECTURE 16
Prof. Crista Lopes
Objectives
Understanding the difference between Authentication and Authorization
Understanding OpenID and OAuth
Auth vs Auth
Authentication: who is this user?
Authorization: can this user do that?
Identity on the Web
Millions of Web sites, each with their own users
Each user needs to remember N usernames+passwords
…why not interoperate identity?
…why not interoperate more data?
Decentralized Identity
OpenID
OpenID in Action
“OpenID is a decentralized authentication protocol that makes it easy for people to sign up and access web accounts.”
www.stackoverflow.com
How it works
http://yahoo.com
http://openid.net/developers/specs/
How it works, in 11 steps
(Diagram: Relying party, OpenID Provider, OpenID Provider End Point; source: http://www.windley.com/archives/2006/04/how_does_openid.shtml)
Steps 1, 2 – Post Identifier
```html
<form id="openid_form" action="/users/authenticate" method="post">
  <!-- /Simple OpenID Selector -->
  <table id="openid-url-input">
    <tr>
      <td><input id="openid_identifier" name="openid_identifier" type="url"></td>
      <td><input id="submit-button" type="submit" value="Sign in"></td>
    </tr>
  </table>
</form>
```
How it works – Discovery
Steps 3, 4 – Normalization & Discovery
Yadis Protocol: Content-Type: application/xrds+xml when performing an HTTP GET on the identity URL
Step 3 – XRDS response
```xml
<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)" xmlns:openid="http://openid.net/xmlns/1.0">
  <XRD>
    <Service priority="50">
      <Type>http://openid.net/signon/1.0</Type>
      <URI>http://www.myopenid.com/server</URI>
      <openid:Delegate>http://smoker.myopenid.com/</openid:Delegate>
    </Service>
    <Service priority="10">
      <Type>http://openid.net/signon/1.0</Type>
      <URI>http://www.livejournal.com/openid/server.bml</URI>
      <openid:Delegate>http://www.livejournal.com/users/frank/</openid:Delegate>
    </Service>
    <Service priority="20">
      <Type>http://lid.netmesh.org/sso/2.0</Type>
      <URI>http://mylid.net/liddemouser</URI>
    </Service>
    <Service>
      <Type>http://lid.netmesh.org/sso/1.0</Type>
    </Service>
  </XRD>
</xrds:XRDS>
```
Steps 3, 4 – Normalization & Discovery
Plain HTTP: the returned document must contain a <link /> element:
```html
<link rel="openid2.provider" href="http://endpoint"/>
```
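As an added example (not code from the lecture), the discovery logic of steps 3 and 4 in Python: it dispatches on the Content-Type of the identity URL's response, selects the preferred signon service from an XRDS document by priority (lower value wins, per XRDS) together with its delegate, and falls back to the openid2.provider <link> for plain HTML. The sample XRDS and HTML documents are constructed to match the slides' examples.

```python
import xml.etree.ElementTree as ET
from html.parser import HTMLParser

XRD_NS = "xri://$xrd*($v*2.0)"             # default namespace of the XRDS above
OPENID_NS = "http://openid.net/xmlns/1.0"  # namespace of <openid:Delegate>
SIGNON = "http://openid.net/signon/1.0"

def pick_xrds_service(xrds_xml, wanted_type=SIGNON):
    """Preferred <Service> offering wanted_type as (URI, delegate or None); lower XRDS priority wins."""
    found = []
    for svc in ET.fromstring(xrds_xml).iter(f"{{{XRD_NS}}}Service"):
        types = [t.text.strip() for t in svc.findall(f"{{{XRD_NS}}}Type")]
        uri = svc.find(f"{{{XRD_NS}}}URI")
        if wanted_type not in types or uri is None:
            continue                       # wrong protocol, or no endpoint to redirect to
        prio, dele = svc.get("priority"), svc.find(f"{{{OPENID_NS}}}Delegate")
        found.append((int(prio) if prio is not None else float("inf"), uri.text.strip(),
                      dele.text.strip() if dele is not None else None))
    if not found:
        return None
    _, uri, delegate = min(found, key=lambda f: f[0])   # a Service without priority sorts last
    return uri, delegate

class _ProviderLink(HTMLParser):
    """Plain-HTML discovery: the first <link rel="openid2.provider" href=...>."""
    def __init__(self):
        super().__init__()
        self.href = None
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link" and a.get("rel") == "openid2.provider" and self.href is None:
            self.href = a.get("href")

def discover(content_type, body):
    """Steps 3/4: dispatch on the Content-Type returned by GET on the identity URL."""
    if content_type.split(";")[0].strip().lower() == "application/xrds+xml":
        return pick_xrds_service(body)
    parser = _ProviderLink()
    parser.feed(body)
    return (parser.href, None) if parser.href else None

# Constructed sample responses, shaped like the slides' examples.
SAMPLE_XRDS = f"""<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="{XRD_NS}" xmlns:openid="{OPENID_NS}"><XRD>
 <Service priority="50"><Type>{SIGNON}</Type><URI>http://www.myopenid.com/server</URI>
  <openid:Delegate>http://smoker.myopenid.com/</openid:Delegate></Service>
 <Service priority="10"><Type>{SIGNON}</Type><URI>http://www.livejournal.com/openid/server.bml</URI>
  <openid:Delegate>http://www.livejournal.com/users/frank/</openid:Delegate></Service>
 <Service><Type>http://lid.netmesh.org/sso/1.0</Type></Service></XRD></xrds:XRDS>"""
SAMPLE_HTML = '<html><head><link rel="openid2.provider" href="http://endpoint"/></head></html>'
```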
How it works – Redirect 1
Step 5 – First redirect
Relying party parses the XRDS or <link /> and retrieves the OpenID provider end point.
Then redirects (302, 303 or 307) the user agent to it with query params appended to the URL:
```http
HTTP/1.1 303 See Other
Location: https://login.yahoo.com?
    openid.ns=http://specs.openid.net/auth/2.0&
    openid.mode=checkid_setup&
    openid.claimed_id=e_mumble&
    openid.return_to=http://stackoverflow.com?article=123
```
How it works – Login
Steps 6, 7, 8, 9 – Login
Undefined in the Spec
Usually regular login form with POST
May include further verification with user
This is a vulnerable point in the process (more later)
How it works – Final Redirect
Step 10 – Final Redirect
OpenID Provider End Point redirects the user agent back to the “return_to” URL.
```http
HTTP/1.1 303 See Other
Location: http://stackoverflow.com?article=123&
    openid.ns=http://specs.openid.net/auth/2.0&
    openid.op_endpoint=https://login.yahoo.com&
    openid.return_to=http://stackoverflow.com?article=123&
    openid.identity=e_mumble&
    openid.response_nonce=2005-05-15T17:11:51ZUN6TY9&
    openid.sig=MACsignature
```
Step 10
Relying party must verify a few things before deciding that the user is authenticated:
return_to matches
identifier matches
nonce is unique
signature is valid
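An added illustration (not part of the slides) of those four checks in Python. It assumes an OpenID 2.0 association, i.e. a shared HMAC-SHA256 MAC key identified by openid.assoc_handle, and the openid.signed and openid.assoc_handle fields, which the spec requires but the slide's Location line omits; the association key, identity, nonces and the OP-side builder are constructed for the example.

```python
import base64, calendar, hashlib, hmac, time
from urllib.parse import parse_qsl, urlencode, urlsplit
# Constructed fixtures: association (handle -> MAC key) set up with the OP before step 5.
ASSOCIATIONS = {"assoc-demo": bytes(range(32))}
SEEN_NONCES = set()                                  # nonces this RP has already accepted
MUST_BE_SIGNED = {"op_endpoint", "return_to", "response_nonce", "assoc_handle", "identity"}

def signed_kv(p):
    """OpenID 2.0 key-value form of the openid.signed fields: one 'name:value\\n' each."""
    return "".join(f"{k}:{p['openid.' + k]}\n" for k in p["openid.signed"].split(",")).encode()

def sign(p, mac_key):
    """Base64 HMAC-SHA256 over the key-value form (assumed association type)."""
    return base64.b64encode(hmac.new(mac_key, signed_kv(p), hashlib.sha256).digest()).decode()

def nonce_issued(nonce):
    """UTC epoch seconds of a response_nonce: 'YYYY-MM-DDThh:mm:ssZ' + unique suffix."""
    return calendar.timegm(time.strptime(nonce[:20], "%Y-%m-%dT%H:%M:%SZ"))

def nonce_ok(nonce, now, max_skew=300):
    """Reject a nonce outside the replay window or one seen before."""
    if abs(now - nonce_issued(nonce)) > max_skew or nonce in SEEN_NONCES:
        return False
    SEEN_NONCES.add(nonce)
    return True

def verify_assertion(redirect_url, expected_return_to, expected_identity, now):
    """Relying-party checks for step 10: True only if every check passes."""
    p = dict(parse_qsl(urlsplit(redirect_url).query))
    try:
        if p["openid.mode"] != "id_res" or not MUST_BE_SIGNED <= set(p["openid.signed"].split(",")):
            return False                                 # cancelled, or a forgeable unsigned field
        if p["openid.return_to"] != expected_return_to:  # return_to matches
            return False
        if p["openid.identity"] != expected_identity:    # identifier matches
            return False
        mac_key = ASSOCIATIONS[p["openid.assoc_handle"]] # unknown handle -> KeyError
        if not hmac.compare_digest(sign(p, mac_key), p["openid.sig"]):  # signature is valid
            return False
        return nonce_ok(p["openid.response_nonce"], now) # nonce is unique; burn it only now
    except (KeyError, ValueError):                       # missing field or malformed nonce
        return False

def build_redirect(return_to, identity, nonce, handle="assoc-demo"):
    """OP side (constructed): sign the assertion and append it to return_to as in step 10."""
    p = {"openid.ns": "http://specs.openid.net/auth/2.0", "openid.mode": "id_res",
         "openid.op_endpoint": "https://login.yahoo.com", "openid.return_to": return_to,
         "openid.identity": identity, "openid.response_nonce": nonce, "openid.assoc_handle": handle,
         "openid.signed": "op_endpoint,return_to,response_nonce,assoc_handle,identity"}
    p["openid.sig"] = sign(p, ASSOCIATIONS[handle])
    return return_to + ("&" if "?" in return_to else "?") + urlencode(p)
```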
How it works – Finally!
Step 11
Relying party returns the page that the user was on: http://stackoverflow.com?article=123
Final Remarks
The whole point of OpenID is to authenticate users: your web app wants to verify that user john.smith@yahoo.com really is john.smith at yahoo.com.
OpenID knows nothing about authorization: after establishing identity, your application must decide which resources this user is allowed to access.
authentication ≠ authorization
OpenID is Phishing Heaven
idtheft.fun.de
OpenID’s adoption by major sites is a mystery to me!
Authorization – but not for *your* resources
OAuth
OAuth
The goal of OAuth is to acquire an access token from a 3rd party (like Google, Facebook, etc.), which can then be used to exchange user-specific data between your application and that 3rd party service (such as calendar information or friends list).
(Diagram: Your app accesses user data held by Facebook/Google)
OpenID+OAuth
Lets arbitrary apps (like yours) access your Twitter/Facebook/Google/etc account without having to have your password
OAuth – 4 main steps
1. Your app asks for a “request” token from the 3rd party
2. Your app asks the 3rd party for the token to be authorized; the 3rd party requests user approval
3. Your app exchanges the “request” token for an “access” token
4. Your app uses the “access” token to access the data
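An added, constructed walkthrough of the four steps (not the lecture's code and not any real provider's API): an in-memory stand-in for the 3rd party enforces that a request token is bound to the app that asked for it, must be approved by the user before it can be exchanged, is exchanged at most once, and that data is served only to a live access token. The app, user and data values are made up.

```python
import secrets

class ThirdParty:
    """Constructed stand-in for the provider (Google/Facebook in the slides).
    It tracks each token's state so that every one of the four steps is enforced."""
    def __init__(self):
        self.request_tokens = {}   # token -> {"app", "approved_by", "verifier"}
        self.access_tokens = {}    # token -> (app, user)
        self.user_data = {"alice": ["calendar: dentist 15:00", "friends: bob"]}  # constructed

    def issue_request_token(self, app):                  # step 1: unauthorized request token
        tok = secrets.token_urlsafe(16)
        self.request_tokens[tok] = {"app": app, "approved_by": None, "verifier": None}
        return tok

    def user_approves(self, user, tok):                  # step 2: user consents at the provider
        rt = self.request_tokens[tok]
        rt["approved_by"], rt["verifier"] = user, secrets.token_urlsafe(8)
        return rt["verifier"]                            # handed back to the app via its callback

    def exchange(self, app, tok, verifier):              # step 3: request token -> access token
        rt = self.request_tokens.pop(tok, None)          # one-time use, even when the attempt fails
        if (rt is None or rt["app"] != app or rt["approved_by"] is None
                or not secrets.compare_digest(rt["verifier"], verifier or "")):
            return None                                  # unknown, foreign, unapproved or bad verifier
        at = secrets.token_urlsafe(16)
        self.access_tokens[at] = (app, rt["approved_by"])
        return at

    def get_data(self, at):                              # step 4: data only for a live access token
        owner = self.access_tokens.get(at)
        return self.user_data.get(owner[1], []) if owner else None

def run_flow(provider, app="your-app", user="alice"):
    """The happy path through the four steps; returns the data the app obtained."""
    tok = provider.issue_request_token(app)
    verifier = provider.user_approves(user, tok)
    return provider.get_data(provider.exchange(app, tok, verifier))
```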