openid vs oauth - identity on the web


Page 1: OpenID vs OAuth - Identity on the Web

Identity on the Web: OpenID vs OAuth

Identity Management in SOA

Richard Metzler

May 2010

1

Page 2: OpenID vs OAuth - Identity on the Web

Outline

2

I. User Authentication

II. OpenID

III. OAuth

IV. Compare OpenID & OAuth

V. My Project

Page 3: OpenID vs OAuth - Identity on the Web

User Authentication

3

Page 4: OpenID vs OAuth - Identity on the Web

User Authentication

• every single website needs my credentials

• username / e-mail

• password

• should be secure

• should not be reused

• how to remember?

4

Page 5: OpenID vs OAuth - Identity on the Web

Resulting Problems

• identity is scattered

• passwords

• millions to remember vs recycling

• how to authorize third party access?

➡ Password Anti-Pattern

5

Page 6: OpenID vs OAuth - Identity on the Web

OpenID

6

Page 7: OpenID vs OAuth - Identity on the Web

OpenID

• sharing a single identity with different consumers

• decentralized

• OpenID 2.0 (without XRI)

7

http://openid.net/

Page 8: OpenID vs OAuth - Identity on the Web

Roles in OpenID

• User owns account at OpenID Provider

• User proves Identity to Relying Party

8

Page 9: OpenID vs OAuth - Identity on the Web

OpenID Flow

http://www.openaselect.org/trac/openaselect/wiki/OpenID

9

Page 10: OpenID vs OAuth - Identity on the Web

Sign in with OpenID Identifier

10

Page 11: OpenID vs OAuth - Identity on the Web

Discovery & Delegation: obtain OP Endpoint

11

Page 12: OpenID vs OAuth - Identity on the Web

Establish Association

• shared secret between Relying Party & OpenID Provider

• Diffie Hellman Key Exchange

• (g^xa)^xb mod p = (g^xb)^xa mod p

12

http://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange

Page 13: OpenID vs OAuth - Identity on the Web

Redirect User Agent to OP Endpoint

13

Page 14: OpenID vs OAuth - Identity on the Web

Redirect User Agent to OP Endpoint

14

Page 15: OpenID vs OAuth - Identity on the Web

Return URL Verification

• OpenID Provider checks:

• do Realm and return_to URL match?

15

Page 16: OpenID vs OAuth - Identity on the Web

User Authentication

16

Page 17: OpenID vs OAuth - Identity on the Web

OpenID Provider presents Realm

17

Page 18: OpenID vs OAuth - Identity on the Web

Redirect User Agent to OP Endpoint URL

18

Page 19: OpenID vs OAuth - Identity on the Web

Redirect User Agent to OP Endpoint URL

19

Page 20: OpenID vs OAuth - Identity on the Web

Verification

• Relying Party checks:

• return_to URL

• OpenID Identifier

• was Nonce never used before?

• fields signed, signature valid

20
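Added example (not from the deck): the Diffie-Hellman association from slide 12 and the Relying Party checks from slide 20, worked in Python. It assumes a constructed 127-bit toy prime instead of the 1536-bit group OpenID 2.0 uses, plain dicts instead of the key-value wire format, and made-up placeholder URLs.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed toy parameters: a 127-bit Mersenne prime stands in for the
# 1536-bit group OpenID 2.0 uses by default; far too small for real use.
P = 2**127 - 1
G = 2
SHA = hashlib.sha256   # association type HMAC-SHA256

def btwoc(n):
    """Big-endian two's-complement bytes, the encoding OpenID applies to DH values."""
    return n.to_bytes((n.bit_length() + 8) // 8, "big")

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def associate(xa, xb):
    """RP private xa, OP private xb: OP wraps a fresh MAC key in the DH secret."""
    rp_pub, op_pub = pow(G, xa, P), pow(G, xb, P)          # exchanged in clear
    mac_key = secrets.token_bytes(SHA().digest_size)        # chosen by the OP
    enc_mac_key = xor(mac_key, SHA(btwoc(pow(rp_pub, xb, P))).digest())
    rp_mac_key = xor(enc_mac_key, SHA(btwoc(pow(op_pub, xa, P))).digest())
    return mac_key, rp_mac_key                              # must be equal

def sign(mac_key, fields):
    """OP signature over the fields listed in openid.signed, in key-value form."""
    kv = "".join(f"{k}:{fields.get('openid.' + k, '')}\n" for k in fields["openid.signed"].split(","))
    return base64.b64encode(hmac.new(mac_key, kv.encode(), SHA).digest()).decode()

REQUIRED = ("op_endpoint", "return_to", "response_nonce", "assoc_handle", "claimed_id", "identity")

def verify(mac_key, fields, my_return_to, expected_claimed_id, seen_nonces):
    """Relying Party checks from the Verification slide; returns (ok, reason)."""
    if fields.get("openid.return_to") != my_return_to:
        return False, "return_to mismatch"
    if fields.get("openid.claimed_id") != expected_claimed_id:
        return False, "identifier mismatch"
    signed = fields.get("openid.signed", "").split(",")
    if any(k not in signed for k in REQUIRED):
        return False, "required field not signed"
    if not hmac.compare_digest(sign(mac_key, fields), fields.get("openid.sig", "")):
        return False, "bad signature"
    nonce = fields["openid.response_nonce"]
    if nonce in seen_nonces:                 # replay: same nonce presented twice
        return False, "nonce replayed"
    seen_nonces.add(nonce)
    return True, "ok"
```

The nonce is recorded only after the signature checks out, so a forged assertion cannot burn a nonce the OP may still legitimately issue.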

Page 21: OpenID vs OAuth - Identity on the Web

Logged in

21

Page 22: OpenID vs OAuth - Identity on the Web

OpenID Flow

http://www.openaselect.org/trac/openaselect/wiki/OpenID

22

Page 23: OpenID vs OAuth - Identity on the Web

OAuth

23

Page 24: OpenID vs OAuth - Identity on the Web

OAuth

• sharing your data without sharing your password

• centralized

• OAuth 1.0a (current version)

• Draft for OAuth 2.0

24

http://oauth.net/

Page 25: OpenID vs OAuth - Identity on the Web

Roles

• User owns Resource at Service Provider

• User grants Consumer access to Resource

25

Page 26: OpenID vs OAuth - Identity on the Web

OAuth Dance

http://fireeagle.yahoo.net/developer/documentation/web_auth

26

Page 27: OpenID vs OAuth - Identity on the Web

Register Consumer, get Consumer Key

• manually register Consumer at Service Provider

• identified by Token / Secret

• Callback URL

• all subsequent Requests must be signed with Secret, Nonce & Timestamp

27

Page 28: OpenID vs OAuth - Identity on the Web

Sign in with OAuth

28

Page 29: OpenID vs OAuth - Identity on the Web

Get Request Token

• Consumer asks Service Provider for Request Token

• Request Token identifies authorization workflow

• not user specific

• transmitted in URL when User Agent is redirected

29

Page 30: OpenID vs OAuth - Identity on the Web

HTTP Redirect to Service Provider

30

Page 31: OpenID vs OAuth - Identity on the Web

HTTP Redirect to Service Provider

31

Page 32: OpenID vs OAuth - Identity on the Web

Authenticate

32

Page 33: OpenID vs OAuth - Identity on the Web

Grant Access

33

Page 34: OpenID vs OAuth - Identity on the Web

HTTP Redirect to Consumer Callback

34

Page 35: OpenID vs OAuth - Identity on the Web

HTTP Redirect to Consumer Callback

35

Page 36: OpenID vs OAuth - Identity on the Web

Get Access Token

• Consumer trades Request Token for Access Token

• Access Token grants access to Service Provider on behalf of User

• user specific

36

Page 37: OpenID vs OAuth - Identity on the Web

Logged in

37

Page 38: OpenID vs OAuth - Identity on the Web

Access Resource

• authenticated access to Resource

• must be signed

• Consumer Key

• OAuth Token

• Timestamp

• Nonce

38
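Added example (not from the deck): the OAuth 1.0a HMAC-SHA1 request signature that slides 27 and 38 require on every request, with the Consumer side adding Consumer Key, Token, Timestamp and Nonce and the Service Provider side checking the timestamp window, nonce replay and signature. Credentials, URLs and nonces are made-up placeholders.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote

# Constructed example of OAuth 1.0a signing; all secrets below are placeholders.
def pct(s):
    """RFC 3986 percent-encoding as OAuth 1.0a requires: only unreserved chars kept."""
    return quote(str(s), safe="-._~")

def base_string(method, url, params):
    """Signature base string: METHOD & encoded URL & encoded sorted parameters."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    return "&".join([method.upper(), pct(url), pct("&".join(f"{k}={v}" for k, v in pairs))])

def sign(method, url, params, consumer_secret, token_secret=""):
    """HMAC-SHA1 keyed with consumer secret & token secret (empty before a token exists)."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def signed_params(method, url, params, ckey, csecret, token, tsecret, nonce=None, ts=None):
    """Consumer side: add the oauth_* fields from the slide, then the signature."""
    p = dict(params, oauth_consumer_key=ckey, oauth_token=token,
             oauth_signature_method="HMAC-SHA1", oauth_version="1.0",
             oauth_timestamp=str(ts if ts is not None else int(time.time())),
             oauth_nonce=nonce or secrets.token_hex(8))
    p["oauth_signature"] = sign(method, url, p, csecret, tsecret)
    return p

def verify(method, url, params, csecret, tsecret, seen, now=None, window=300):
    """Service Provider side: timestamp window, nonce replay, then signature."""
    p = dict(params)
    sig = p.pop("oauth_signature", "")
    ts = int(p.get("oauth_timestamp") or 0)
    now = int(time.time()) if now is None else now
    if abs(now - ts) > window:
        return False, "stale timestamp"
    replay_key = (p.get("oauth_consumer_key"), p.get("oauth_token"), p.get("oauth_nonce"), ts)
    if replay_key in seen:
        return False, "nonce replayed"
    if not hmac.compare_digest(sign(method, url, p, csecret, tsecret), sig):
        return False, "bad signature"
    seen.add(replay_key)      # record only after the signature checked out
    return True, "ok"
```

Because the timestamp and nonce are part of the signed parameters, a captured request cannot be replayed with a fresher timestamp without the secrets.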

Page 39: OpenID vs OAuth - Identity on the Web

OAuth Dance

http://fireeagle.yahoo.net/developer/documentation/web_auth

39

Page 40: OpenID vs OAuth - Identity on the Web

OpenID vs OAuth

40

Page 41: OpenID vs OAuth - Identity on the Web

Commonalities

• involves 3 parties

• open protocols - community driven

• HTTP based

• not mutually exclusive

41

Page 42: OpenID vs OAuth - Identity on the Web

Differences

• sharing: identity vs data resources

• decentralized vs centralized

• Consumer-Provider relationship:

• unknown vs well-known

42

Page 43: OpenID vs OAuth - Identity on the Web

My Project

43

Page 44: OpenID vs OAuth - Identity on the Web

My Project

• Implement OAuth Service Provider & OAuth Consumer example

• API for manageable resources (ideas)

• profile pictures

• activity streams Atom feed extension

• RESTful API for editing RDF::FOAF data

44

http://activitystrea.ms/

http://www.foaf-project.org/

Page 45: OpenID vs OAuth - Identity on the Web

Questions?

45