yahoo! openid and oauth · 2010-05-03 · – no need for users to create a site‐specific userid...
TRANSCRIPT
Yahoo!OpenIDandOAuth
1
AllenTomYahoo!MembershipArchitect
OpenIDFounda;onBoardMemberatom@yahoo‐inc.com
AllenTomBio
• UCBerkeleyBACS–1996• Netscape1997‐1999
– LDAP,NetscapeDirectoryServer• AOL1999‐2005
– Onlineshopping,browserassistants,webtoolbars,streamingmedia
• Yahoo2005‐Present– MembershipArchitect
• Accountlifecycle,Authen;ca;on,Security,Abuse2
Yahoo!Membership
3
– Over350millionac;veusers(uniqueuserswhohavesignedintotheYahoowebsiteinthelastmonth)
– AccountLifecycle:• Login• Registra;on• AccountRecovery• CustomerCaretools
• Suspension/Dele;on– Security,Abuse– SingleSignOn(OpenID,SAML)– Authoriza;on(OAuth)
Yahoo!Login:350millionuniqueusersmonthly
4
5
Yahoo!
Registra;on
Yahoo!Login:Devicesandrichapps
6
Yahoo! Mail for iPhone Yahoo! Instant Messenger
7
TheOpenStack
• OpenID–Authen;ca;on– “loggingin”toawebsite– Sharebasicprofileinforma;onusingA`ributeExchange• Name,profilepicture,emailaddress
• OAuth–Authoriza;on• APIaccess• Neededtocallwebservicesonbehalfoftheuser
8
YahooMembershipandtheOpenWeb
• OpenID:OpensYahoo’sMembershipplaformtoallwebsites– UserswhohaveaYahooAccountcanloginwithitatanywebsitethatacceptsOpenID
• OAuth:Authoriza;onprotocol(accesscontrol)forYahooDataandAPIs– Contacts(AddressBook)– YahooMail– Photos
9
YahooOpenID+OAuth
10
• YahoouserscansignintowebsitesusingtheirYahooIDviatheOpenIDProtocol
• UserscanauthorizedataaccessviaOauth• ShareyourYahooAddressBook• Letthe3rdpartyupdateyourStatus• Uploadphotos
OpenID:Authen;ca;on
• OpenIDisfor“loggingin”toawebsite• UseyourYahoo/Google/AOLaccounttologintoanywebsitethatacceptsOpenID
• OpenIDletsusersproveownershipofauserid
11
OpenID:History
• OpenIDoriginallyinventedtoallowbloggerstocommentoneachother’sblogs– Toomuchfric;oninvolvedinregisteringanewusername/passwordforeveryblogyoucommenton
– OpenID1.0finalizedin2005bygrassrootscommunity– OpenID2.0finalizedinDecember2007
• OpenIDFounda;onisthecustodianofOpenIDintellectualproperty
• OpenIDisanOpenStandard:freetoimplement• h`p://openid.net
12
OpenID:Authen;ca;on
• OpenID– SupportedbyYahoo,GoogleAccounts,GoogleApps,AOL,MySpace.Microsoj/MSNLiveID(inalpha)
– YahooOpenIDsupportlaunchedinJanuary2008– AllowsuserstologintowebsitesthatacceptOpenID
• Decentralized– Nocentralauthority– AnyonecansetupanOpenIDProvider
13
Authen;ca;on,con;nued…
• [email protected]• MyOpenIDiden;fierish`ps://me.yahoo.com/allentomdude
• OpenIDletsmeprovethatIcontrolh`ps://me.yahoo.com/allentomdude
14
YahooOpenIDExample
• LogintostackoverflowusingyourYahooID
15
16
17
18
Alterna;ve“popup”UI
•
19
TheOpenStack
• SingleSignOnusingOpenStandards– Anyoneisfreetoimplementtheprotocol
• Logintowebsitesusingexis;ngiden;;es–intendedtostreamlineoreveneliminatewebsitespecificregistra;on– Noneedforuserstocreateasite‐specificuseridorpassword
• SupportfromYahoo,Google,AOL,MySpace,PayPal– FacebookandMicrosojareac;vecontributorstothecorespecifica;ons
20
Terminology
• OpenIDProvider(OP)– Thesitewhereyouhaveyouraccount(Yahoo)
• RelyingParty(RP)– thesitethatyou’relogginginto(Stackoverflow)
21
OpenIDUnderthecovers
22
1) User clicks on the Yahoo! Button
2) Stackoverflow redirects browser to Yahoo’s OpenID Endpoint
3) User authenticates at Yahoo and approves the authentication request
4) Yahoo redirects browser back to stackoverflow with an assertion containing the user’s identifier
5) Stackoverflow makes a direct server call back to Yahoo to verify the assertion
6) Stackoverflow sets browser session cookies. The user is now signed into stackoverflow stackoverflow Browser Yahoo
OpenIDAuthen;ca;on
• UserselectstheirOpenIDProvider(Yahoo)– TheuserclicksontheYahooBu`on– Alterna;vely,theusercantype“yahoo.com”
• RelyingPartyrequeststheOPtoauthen;catetheuser– TheRPPerformsDiscoveryonh`p://yahoo.comtofindtheOpenIDEndpoint
– TheRPredirectstheuser’sbrowsertotheOpenIDendpointwithanAuthen;ca;onRequest
• TheOPrespondswithanasser;on– TheOPredirectsthebrowserbacktotheRPwithanasser;on
– TheRPverifiestheasser;onbymakingadirectrequestbacktotheOP
23
Interes;ngOpenIDFeatures
• OpenIDIden;fiersareURLs– h`ps://me.yahoo.com/allentomdude– h`p://allentom.com– NostandardwaytotransformanemailaddresstoanOpenID
URL(thereareseveralproposals)• OpenIDDiscovery
– Fullyautoma;cdiscoveryofOpenIDendpointsandcapabili;es– Nometadatafiles– RPsandOPscaninteropwithoutanymanualsetupor
configura;on• OpenIDA`ributeExchange
– Shareusera`ributes(name,emailaddress,profilepicture,etc)
24
UserBenefits
• Faster&Easierregistra;onandlogin• PortableProfile,interests,contacts• Personaliza;on(evenonthefirstvisit)• SocialFiltering• Be`erSecurity
25
WhyisYahoosuppor;ngOpenID?
• Haveastrongerrela;onshipwithourusers– UsersareYahoo’s#1asset
• YahooIDsaremorevaluable–usedforloggingintoYahooandotherwebsites
• MoreinsightsintouserbehavioronYahooandeverywhereelse– Neededforadtarge;ngandcontentpersonaliza;on
• OpenStandard:– Noneedtoinventyetanotherauthprotocol– Canleverageindustrybestprac;ces– OpenSourcelibraries,documenta;on– DeveloperscanimplementthesameinterfaceacrossallOpsYahoo/Google/AOLarealmostcompletelyinteroperable
26
WhyshouldsitesacceptOpenID?
• Newuseronboardingexperienceisgerngincreasinglydifficult– Username/password– Name/emailaddress– ProfilePicture– Loca;on– Gender– Friends– CAPTCHA
• Security,Abuse,AccountRecoverycanbeoutsourcedtotheOpenIDProvider
• Newusersalreadyhaveareputa;on– Abuse,exper;se,etc
• ContentandAdscanbepersonalizedandrelevantevenonthefirstvisit
27
A`ributeExchange
• RPsmayop;onallyaskforuserdataviatheA`ributeExchangeExtension(supportedbyallmajorOpenIDProviders)– Name
– EmailAddress– ProfilePicture– Age– Gender– Loca;on
28
OpenIDDiscovery
• Insteadofexchangingmetadatafiles,OpenIDdefinesadiscoverymechanismforRPsandOPstopublishmetadataaboutthemselves
29
OpenIDDiscoveryonYahoo
$curl–L–head\–H“Accept:applica;on/xrds+xml”\
h`p://yahoo.com
HTTP/1.1200OK
[….]
X‐XRDS‐Loca;on:h`p://open.login.yahooapis.com/openid20/www.yahoo.com/xrds
30
YahooOpenIDProvidermetadata• OpenIDendpointURL• Version• SupportedExtensions
InteroperableProfileviaOpenID
• SameinterfacecanbeusedwithYahoo,Google,AOL,andMicrosojLiveID–Nearly90%oftheinternetpopula;on– Name– Emailaddress– ProfileURL– ProfilePic– Gender– Zipcode
• ThesamecodecanbeusedforallOpenIDProviders
31
OpenIDSecurity
• Implementa;onscanbebuggy• Nostandardtestsuite• Issueswithoutsourcingauthen;ca;on• Orphanedaccounts• Phishing• Privacy–correla;on• NoSingleLogOut
32
NoSingleLogOut
• Authen;ca;onsessionsattheOPandRPsarenotsynchronized
• Bydesign–loggingloggingoutofHuffingtonPostshouldnotlogtheuseroutofYahooMail
• Difficulttosynchronizelogouteventsacrossmul;pleRPs
• Verycontroversialtopic:MostOPsarestronglyagainstit
33
OpenID:OutsourcingAuthen;ca;on
• SitesthatacceptOpenIDeffec;velyoutsourceauthen;ca;ontotheuser’sOpenIDProvider
• TheOPcanbebuggyorinsecure• EmployeesattheOPmaybeabletologinasanyoftheirusers
34
OneAccounttoRuleThemAll
• LosingaccesstoyourOpenIDresultsinlosingaccesstoallsitesthatyouuse– Accountcompromised–thea`ackercangainaccesstoallyouraccounts
35
AccountComprise
• Mostwebsiteswillallowpasswordstoberesetviaemail
• Thismeansthatifyouremailaddressishacked,thea`ackercangainaccesstoallthesitesyouusethatthatallowemailbasedaccountrecovery
• SamethingashavingyourOpenIDcompromised
36
AccountRecovery
• ManywebsitesallowAccountRecoveryviaemail• OutsourcedAccountRecoverytotheuser’sEmail
provider
37
EmailBasedAccountRecovery
• Almostallconsumerorientedwebsitesallowpasswordstoberesetviaemail– Somesiteswillrequiretheusertoanswerasecretques;onbeforereserngthepasswordviaemail
– Secretques;onsarenotsecretanddon’twork• Reserngyourpasswordisthesamethingasloggingin
• Therefore,fromasecurityperspec;ve,sitesthatallowemailbasedaccountrecoveryalreadyhaveoutsourcedtheirauthen;ca;ontotheuser’semailprovider
38
OpenIDChallenges
• UIisconfusing– “signinginwithanaccountyoualreadyhave”isanewconcept
– Usersassumesomesortofbusinessrela;onshipbetweentheOPandRP
– TheOpenIDLoginCalltoAc;onisnotscalablepast2or3choices
39
Morechallenges
• WhatiftheuserlosesaccesstotheirOpenID?– Accountwashacked/phished– Theusergraduated,changedjobs,etc– Deac;vatedforTermsofServiceviola;ons– Usercan’tremember/recoverpassword
– Nosupportforclientapps• Onlysupportsloggingintowebsites
– Doesn’tworkforloggingintoapps(desktop,mobile,etc)• We’reworkingonit! 40
TooManyChoices
41
TheOpenIDNASCARProblem
42
Poten;alSolu;ons
• 2steplogin:– Enteremailaddress– Iftheuserhasapassword,displaythepasswordfield
– Otherwise,ifthedomainisOpenIDenabled,sendtheuserthroughtheOpenIDflow
• [email protected]• [email protected]
43
UIIssues
• Plentyofusabilitytes;nginprogressbehindthescenes
• Manytopdesignersareworkingonthis
44
Ques;ons?
• OpenIDisanOpenProtocol– Fullytransparentdevelopmentprocess
– Followusonh`p://openid.net• (checkwithyourIPlawyersfirst)• AllcontributorsmusthavetheiremployerssignanIPcontribu;onagreement
• InternetIden;tyWorkshop– May18‐20– MountainView,CA
– EveryoneworkingonOpenIDwillbethere45
OAuth
• Authoriza;on(notAuthen;ca;on)• The“AccessControl”layeroftheOpenWeb
• Some;mescalledtheValetKeysoftheweb
• OAuthisneededtoauthorizeAPIaccess– OpenIDdoesnotpassanycreden;alstotheRP
46
OAuth–ValetKeysfortheWeb
• OAuthallowsuserstograntcreden;alstotheiraccount,withoutgivinguptheirpassword
• LargerServiceProvidersusuallyissuescopedcreden;als
• Creden;alscanusuallyberevoked
47
ThePasswordAn;‐Pa`ern
• Manysitesaskforyourpasswordsothattheycanaccessthedatathatyouhaveonothersites
48
Sharingpasswordsisabadidea….
• Passwordsarenotscoped– Insteadofauthorizingdatasharingforaspecificresource,
you’regivingupaccesstoyouren;reaccount
• Mostusersdon’tusedifferentpasswordsfordifferentsites
• Nowaytorevokeaccesswithoutchangingyourpassword• Evenifthesiteishonest,mistakeshappen
– Extensivelogging–passwordsgetsavedtologfiles– Securitycompromises
49
WhyOAuth?
• PriortoOauth,mostserviceprovidersdefinedproprietarydelegatedauthprotocols
• OAuthcombinedthebestprac;cesofYahooBBAuth,GoogleAuthSub,FlickrAuth,WindowsLiveDelegatedAuth– Allofthemdidthesamething,slightlydifferently
50
The3LegsofOAuth
Jane
protected_resources
oauth_flow_begins
oauth_request_token
user_authen;ca;on
user_authoriza;on
consumer_callback
oauth_access_token
get_protected_resources
oauth_success
OAuthTerminology
• Consumer–Theapplica;on(client)• ServiceProvider–Thesitethattheconsumeris
tryingtoaccess• ProtectedResource–Theservicethattheconsumer
isaccessing(typicallyaWebServiceAPI)• 3LeggedOauth
– User– Consumer– ServiceProvider
• 2LeggedOauth– Consumer– ServiceProvider
61
OAuthTerminology
• ConsumerKey–Clientiden;fier,equivalenttoAppIDorAPIKeyinotherprotocols
• ConsumerSecret–sharedsecretusedtoauthen;catetheConsumer
• AccessToken–Creden;alusedbytheConsumertoaccessProtectedResources
• OAuthDance–Browsergymnas;cswherethebrowserbouncesbetweentheConsumertotheServiceProviderandbackfortheusertoapproveanAccessToken
• OauthWRAP–Nextgenera;onOAuth62
OauthProvisioning
• Applica;ondevelopersusuallymustgototheServiceProvidertoregisterforaConsumerKey– ProcessforobtainingaConsumerKeyisServiceProviderspecificandisnotdefinedintheOauthProtocol
– SPsusuallyrequiredeveloperstoregistertoagreetoTermsofService,aswellastosa;sfytheSP’slegal,business,andproductrequirements
63
YahooOAuthConsumerKeyRegistra;on
64
YahooConsumerKeyRegistra;on
• Applica;onname,descrip;on,logos• Developername,contactinforma;on(email,phonenumber,website)
• TermsofServiceagreement
65
66
67
OAuthProtocol–RequestPermission
browser
1) Consumer gets a Request Token
OAuthProtocol–RequestPermission
browser
1) Consumer gets a Request Token
2) Consumer redirects browser to Yahoo OAuth server with request token
OAuthPermissionsPage
•
UserAgrees
browser 1) YOAuth redirects browser back to consumer to indicate successful authorization
UserAgrees
• TheAccessTokenisnotreturnedontheredirectbacktotheconsumer,insteadtheconsumermustmakeabackendserver‐to‐servercalltoretrievetheAccessToken
• EnablesTokentobeexchangedoverHTTPS
browser 1) YOAuth redirects browser back to consumer to indicate successful authorization
2) Consumer exchanges Request Token For Access Token/ATSecret
YahooOAuthimplementa;on
OAuth Service
1) Exchange Request Token for Access Token and Access Token Secret
2) Request user’s Address Book
CK, AT, sig(CS, ATS)
OAuthDeploymentChallenges
• Scalability• TokenRevoca;on:DatabaselookuprequiredtodetermineifATiss;llvalid• Verydifficulttoscaleforgloballydistributedwebapplica;ons• Heterogeneousanddistributedproduc;onenvironment• Securityissues
• ConsumerSecrethastobewidelydistributedtoallserviceproviders• AddressBookneedstheconsumersecrettoverifytherequest
• Verydifficulttoproperlysafeguardtheconsumersecret• AccessToken(Permanentcreden;al)directlyhandledbyServiceProviders
• IssueswithsecuritycompromisesonServiceProviders
• TheYahooOAuthServiceismuchmoresecurethantherestofYahoo• Closelymonitoredandaudited• AllowstherestofYahooquicklydeploynewservices
Consumer
OAuth Service
2) Request user’s Address Book
CK, AT, sig( CS, ATS)
PreferredSolu;on
• Yahoo’sproprietaryauthprotocolusesshort‐lived(1hour)bearertokenstoaccessprotectedresources
• ServiceProviderscanverifythebearertokenlocallywithoutadatabaselookup• BearertokensaresignedbytheAuthservice
• Persistentcreden;als(consumersecrets,AccessTokens)arenotusedtoaccessanyservices
Consumer
OAuth Service
2) Request user’s Address Book
CK, AT, sig( CS, ATS)
DeploymentIssueswithOAuthatYahoo
• Oauthsignaturesarenearlyimpossibletogeneratewithoutalibrary
• Librariesarebuggytoo• #1problemisthatdeveloperscan’tgeneratesignatures
Consumer
2) Request user’s Address Book
CK, AT, sig( CS, ATS)
Oauthsignatures
• Aauthsignaturesareusedtoprotectagainstreplaya`acks• WhynotjustuseHTTPS?• Dataisflyingaroundintheclear• Doesnotmatch“Cookie”authforBrowsers
• Allprotectedresourcescanbeaccessedviatheuser’sbrowser• Browsersarefarmoresuscep;bletoMITMthanwebapplica;ons
• Oauthissodifficultthatmostdevelopersendupphishingtheuserfortheirpasswordinstead
Consumer
2) Request user’s Address Book
CK, AT, sig( CS, ATS)
OAuthWRAP
• WRAP==WebResourceAuthoriza;onProtocol• StartedatInternetIden;tyWorkshopinMay2009• Contributors:
– Yahoo– Google– Microsoj– Facebook
• Goals– Makeiteasierfordeveloperstouse– SplitOAuth’sServiceProviderinto2parts:
• TokenIssuer–Canbeacompletelyseparateen;ty• ServiceProvider
– Definedifferent“Profiles”fordifferentusecases• WebApplica;onProfile• RichclientappProfile(nobrowser)
78
WRAPProfiles
• WRAPdefinesseveralmechanismsforuserstoauthorizeanapplica;on
• WebAppProfile– Userwantstoauthorizeawebsite– Userexperienceiden;caltoOauth
• Username/PasswordProfile– Userwantstoauthorizearichclientapplica;on– Nobrowserisrequired
• WRAPProfileonlydefinedifferentmechanismsforclientstoobtainanAccessToken
• AllAccessTokensareusedthesamewayregardlesswhichProfilewasusedtoobtainthem
• ServiceProvidersdonotneedtocarehowtheAccessTokenwasissued
79
OauthWRAP
• ConsumersareissuedanAccessTokenwitha1hourlife;me,andaRefreshToken
• ConsumersaccessProtectedResourcesusingtheAccessToken.NoSignaturesarerequired.• PassedintheHTTPAuthoriza;on:header
• IftheAccessTokenisexpired,theConsumercanrequestanewAccessTokenfromtheTokenIssuerusingtheRefreshToken
Consumer
WRAP Auth Server
2) Request user’s Address Book using AT
1) Consumer obtains Access Token 3) If AT was expired, Consumer refreshes it
OAuthWRAPExample
• $curl–header\‘Authoriza;on:[WRAP]access_token=”accesstoken”‘\h`p://api.example.com/get_data
HTTP/1.1200OK
[…]
Data
81
ExpiredAccessTokenExample
• $curl–header‘Authoriza;on:[WRAP]access_token=”accesstoken”‘\h`p://api.example.com/get_data
HTTP/1.1401Unauthorized
• $curl–dwrap_refresh_token=refreshtoken\h`ps://auth.example.com/refresh_token
HTTP/1.1200OKaccess_token=access_token2
• $curl–header‘Authoriza;on:[WRAP]access_token=“accesstoken2”’h`p://api.example.com/get_data
HTTP/1.1OK
data82
OAuthExample
• $curl–header\“Authoriza;on:[WRAP]AccessToken”\
h`p://api.example.com/get_data
HTTP/1.1200OK
[…]
Data
83
WRAPAdvantages
• ServiceProviderscanverifycreden;alswithoutaDBlookup
• ConsumerSecretsandPersistentcreden;alsdonotneedtobedistributedtoServiceProviders
• Developerscanjustcurltherequests• Richclientappsdonotneedtouseabrowser• ServiceProvidersandAuthServerscanbeseparateen;;es–Assumingtheycanagreeonthetokenformat– SimpleWebToken(SWT)Spec
84
DeployingWRAPatYahoo
• WRAPProtectedResourcesonlyneedtoknowhowtovalidateaWRAPAccessToken• AccessTokencontains
• UserID• Scopethatwasauthorized(eg:AddressBook)• ConsumerKey• Expira;on;me• SignedbytheYahooAuthServer
• Servicesdon’tneedtoworryaboutdeterminingiftheuserortheconsumerkeyisvalid
• TheYahooAuthSerververifiesthatboththeuserandtheconsumerares;llvalidbeforeissuingtheAccessToken
• Cons:itcantakeanhourtorevokeaccesstoanapportodeac;vateauser
Consumer
WRAP Access Token
WhydoesYahoosupportOAuth?
• OpenstandardsmakeiteasierfordeveloperstouseourAPIs– Reuseexperience,documenta;on,andexper;seacrossServiceProviders
• Leverageindustrybestprac;ces
86
OAuth/OAuthWRAPques;ons?
• GoogleGroups– OAuth– OAuth‐wrap‐wg
• InternetIden;tyWorkshop– SamegroupofpeoplewhoworkonOpenID– OpenID,Oauth,andOauth‐WRAPallresultedfromdiscussionsatIIW
87
What’snext?
• OpenID+OAutharethebuildingblocksofthenextgenera;onofinternetiden;ty– Elimina;nglogin/registra;onfric;oncaneliminatetheAnonymousWeb
• Usersmustberecognizedtoserveop;mizedcontentandads
• Over60millionuniqueuserslogintowebsitesusingFacebookConnect
• Proprietarysolu;onsareojenbe`er,butusersandthemarketdemandopenandinteroperablestandards
• Nearly100%ofallinternetusershaveanaccountthatcanbeusedtosignintoothersites
• Yahoo/Google/GoogleApps/AOL/Hotmail/Facebook/Twi`er
• Sitespecificregistra;onwillbecomeathingofthepast
88
89
AllenTomatom@yahoo‐inc.com
h`p://openid.neth`p://groups.google.com/
– OAuth– OAuth‐WRAP‐WG
h`p://www.interne;den;tyworkshop.com/