Yahoo!OpenIDandOAuth

1

AllenTomYahoo!MembershipArchitect

OpenIDFounda;onBoardMemberatom@yahoo‐inc.com

AllenTomBio

•  UCBerkeleyBACS–1996•  Netscape1997‐1999

– LDAP,NetscapeDirectoryServer•  AOL1999‐2005

– Onlineshopping,browserassistants,webtoolbars,streamingmedia

•  Yahoo2005‐Present– MembershipArchitect

•  Accountlifecycle,Authen;ca;on,Security,Abuse2

Yahoo!Membership

3

– Over350millionac;veusers(uniqueuserswhohavesignedintotheYahoowebsiteinthelastmonth)

– AccountLifecycle:•  Login•  Registra;on•  AccountRecovery•  CustomerCaretools

•  Suspension/Dele;on– Security,Abuse– SingleSignOn(OpenID,SAML)– Authoriza;on(OAuth)

Yahoo!Login:350millionuniqueusersmonthly

4

5

Yahoo!

Registra;on

Yahoo!Login:Devicesandrichapps

6

Yahoo! Mail for iPhone Yahoo! Instant Messenger

7

TheOpenStack

•  OpenID–Authen;ca;on– “loggingin”toawebsite– Sharebasicprofileinforma;onusingA`ributeExchange•  Name,profilepicture,emailaddress

•  OAuth–Authoriza;on•  APIaccess•  Neededtocallwebservicesonbehalfoftheuser

8

YahooMembershipandtheOpenWeb

•  OpenID:OpensYahoo’sMembershipplaformtoallwebsites– UserswhohaveaYahooAccountcanloginwithitatanywebsitethatacceptsOpenID

•  OAuth:Authoriza;onprotocol(accesscontrol)forYahooDataandAPIs–  Contacts(AddressBook)–  YahooMail–  Photos

9

YahooOpenID+OAuth

10

•  YahoouserscansignintowebsitesusingtheirYahooIDviatheOpenIDProtocol

•  UserscanauthorizedataaccessviaOauth•  ShareyourYahooAddressBook•  Letthe3rdpartyupdateyourStatus•  Uploadphotos

OpenID:Authen;ca;on

•  OpenIDisfor“loggingin”toawebsite•  UseyourYahoo/Google/AOLaccounttologintoanywebsitethatacceptsOpenID

•  OpenIDletsusersproveownershipofauserid

11

OpenID:History

•  OpenIDoriginallyinventedtoallowbloggerstocommentoneachother’sblogs–  Toomuchfric;oninvolvedinregisteringanewusername/passwordforeveryblogyoucommenton

–  OpenID1.0finalizedin2005bygrassrootscommunity– OpenID2.0finalizedinDecember2007

•  OpenIDFounda;onisthecustodianofOpenIDintellectualproperty

•  OpenIDisanOpenStandard:freetoimplement•  h`p://openid.net

12

OpenID:Authen;ca;on

•  OpenID– SupportedbyYahoo,GoogleAccounts,GoogleApps,AOL,MySpace.Microsoj/MSNLiveID(inalpha)

– YahooOpenIDsupportlaunchedinJanuary2008– AllowsuserstologintowebsitesthatacceptOpenID

•  Decentralized– Nocentralauthority– AnyonecansetupanOpenIDProvider

13

Authen;ca;on,con;nued…

•  MyYahooIDisallentomdude@yahoo.com•  MyOpenIDiden;fierish`ps://me.yahoo.com/allentomdude

•  OpenIDletsmeprovethatIcontrolh`ps://me.yahoo.com/allentomdude

14

YahooOpenIDExample

•  LogintostackoverflowusingyourYahooID

15

16

17

18

Alterna;ve“popup”UI

• 

19

TheOpenStack

•  SingleSignOnusingOpenStandards–  Anyoneisfreetoimplementtheprotocol

•  Logintowebsitesusingexis;ngiden;;es–intendedtostreamlineoreveneliminatewebsitespecificregistra;on–  Noneedforuserstocreateasite‐specificuseridorpassword

•  SupportfromYahoo,Google,AOL,MySpace,PayPal–  FacebookandMicrosojareac;vecontributorstothecorespecifica;ons

20

Terminology

•  OpenIDProvider(OP)– Thesitewhereyouhaveyouraccount(Yahoo)

•  RelyingParty(RP)–  thesitethatyou’relogginginto(Stackoverflow)

21

OpenIDUnderthecovers

22

1) User clicks on the Yahoo! Button

2) Stackoverflow redirects browser to Yahoo’s OpenID Endpoint

3) User authenticates at Yahoo and approves the authentication request

4) Yahoo redirects browser back to stackoverflow with an assertion containing the user’s identifier

5) Stackoverflow makes a direct server call back to Yahoo to verify the assertion

6) Stackoverflow sets browser session cookies. The user is now signed into stackoverflow stackoverflow Browser Yahoo

OpenIDAuthen;ca;on

•  UserselectstheirOpenIDProvider(Yahoo)–  TheuserclicksontheYahooBu`on–  Alterna;vely,theusercantype“yahoo.com”

•  RelyingPartyrequeststheOPtoauthen;catetheuser–  TheRPPerformsDiscoveryonh`p://yahoo.comtofindtheOpenIDEndpoint

–  TheRPredirectstheuser’sbrowsertotheOpenIDendpointwithanAuthen;ca;onRequest

•  TheOPrespondswithanasser;on–  TheOPredirectsthebrowserbacktotheRPwithanasser;on

–  TheRPverifiestheasser;onbymakingadirectrequestbacktotheOP

23

Interes;ngOpenIDFeatures

•  OpenIDIden;fiersareURLs–  h`ps://me.yahoo.com/allentomdude–  h`p://allentom.com–  NostandardwaytotransformanemailaddresstoanOpenID

URL(thereareseveralproposals)•  OpenIDDiscovery

–  Fullyautoma;cdiscoveryofOpenIDendpointsandcapabili;es–  Nometadatafiles–  RPsandOPscaninteropwithoutanymanualsetupor

configura;on•  OpenIDA`ributeExchange

–  Shareusera`ributes(name,emailaddress,profilepicture,etc)

24

UserBenefits

•  Faster&Easierregistra;onandlogin•  PortableProfile,interests,contacts•  Personaliza;on(evenonthefirstvisit)•  SocialFiltering•  Be`erSecurity

25

WhyisYahoosuppor;ngOpenID?

•  Haveastrongerrela;onshipwithourusers–  UsersareYahoo’s#1asset

•  YahooIDsaremorevaluable–usedforloggingintoYahooandotherwebsites

•  MoreinsightsintouserbehavioronYahooandeverywhereelse–  Neededforadtarge;ngandcontentpersonaliza;on

•  OpenStandard:–  Noneedtoinventyetanotherauthprotocol–  Canleverageindustrybestprac;ces–  OpenSourcelibraries,documenta;on–  DeveloperscanimplementthesameinterfaceacrossallOpsYahoo/Google/AOLarealmostcompletelyinteroperable

26

WhyshouldsitesacceptOpenID?

•  Newuseronboardingexperienceisgerngincreasinglydifficult–  Username/password–  Name/emailaddress–  ProfilePicture–  Loca;on–  Gender–  Friends–  CAPTCHA

•  Security,Abuse,AccountRecoverycanbeoutsourcedtotheOpenIDProvider

•  Newusersalreadyhaveareputa;on–  Abuse,exper;se,etc

•  ContentandAdscanbepersonalizedandrelevantevenonthefirstvisit

27

A`ributeExchange

•  RPsmayop;onallyaskforuserdataviatheA`ributeExchangeExtension(supportedbyallmajorOpenIDProviders)– Name

– EmailAddress– ProfilePicture– Age– Gender– Loca;on

28

OpenIDDiscovery

•  Insteadofexchangingmetadatafiles,OpenIDdefinesadiscoverymechanismforRPsandOPstopublishmetadataaboutthemselves

29

OpenIDDiscoveryonYahoo

$curl–L–head\–H“Accept:applica;on/xrds+xml”\

h`p://yahoo.com

HTTP/1.1200OK

[….]

X‐XRDS‐Loca;on:h`p://open.login.yahooapis.com/openid20/www.yahoo.com/xrds

30

YahooOpenIDProvidermetadata• OpenIDendpointURL• Version• SupportedExtensions

InteroperableProfileviaOpenID

•  SameinterfacecanbeusedwithYahoo,Google,AOL,andMicrosojLiveID–Nearly90%oftheinternetpopula;on–  Name–  Emailaddress–  ProfileURL–  ProfilePic–  Gender–  Zipcode

•  ThesamecodecanbeusedforallOpenIDProviders

31

OpenIDSecurity

•  Implementa;onscanbebuggy•  Nostandardtestsuite•  Issueswithoutsourcingauthen;ca;on•  Orphanedaccounts•  Phishing•  Privacy–correla;on•  NoSingleLogOut

32

NoSingleLogOut

•  Authen;ca;onsessionsattheOPandRPsarenotsynchronized

•  Bydesign–loggingloggingoutofHuffingtonPostshouldnotlogtheuseroutofYahooMail

•  Difficulttosynchronizelogouteventsacrossmul;pleRPs

•  Verycontroversialtopic:MostOPsarestronglyagainstit

33

OpenID:OutsourcingAuthen;ca;on

•  SitesthatacceptOpenIDeffec;velyoutsourceauthen;ca;ontotheuser’sOpenIDProvider

•  TheOPcanbebuggyorinsecure•  EmployeesattheOPmaybeabletologinasanyoftheirusers

34

OneAccounttoRuleThemAll

•  LosingaccesstoyourOpenIDresultsinlosingaccesstoallsitesthatyouuse– Accountcompromised–thea`ackercangainaccesstoallyouraccounts

35

AccountComprise

•  Mostwebsiteswillallowpasswordstoberesetviaemail

•  Thismeansthatifyouremailaddressishacked,thea`ackercangainaccesstoallthesitesyouusethatthatallowemailbasedaccountrecovery

•  SamethingashavingyourOpenIDcompromised

36

AccountRecovery

•  ManywebsitesallowAccountRecoveryviaemail•  OutsourcedAccountRecoverytotheuser’sEmail

provider

37

EmailBasedAccountRecovery

•  Almostallconsumerorientedwebsitesallowpasswordstoberesetviaemail–  Somesiteswillrequiretheusertoanswerasecretques;onbeforereserngthepasswordviaemail

–  Secretques;onsarenotsecretanddon’twork•  Reserngyourpasswordisthesamethingasloggingin

•  Therefore,fromasecurityperspec;ve,sitesthatallowemailbasedaccountrecoveryalreadyhaveoutsourcedtheirauthen;ca;ontotheuser’semailprovider

38

OpenIDChallenges

•  UIisconfusing– “signinginwithanaccountyoualreadyhave”isanewconcept

– Usersassumesomesortofbusinessrela;onshipbetweentheOPandRP

– TheOpenIDLoginCalltoAc;onisnotscalablepast2or3choices

39

Morechallenges

•  WhatiftheuserlosesaccesstotheirOpenID?– Accountwashacked/phished– Theusergraduated,changedjobs,etc– Deac;vatedforTermsofServiceviola;ons– Usercan’tremember/recoverpassword

– Nosupportforclientapps•  Onlysupportsloggingintowebsites

– Doesn’tworkforloggingintoapps(desktop,mobile,etc)• We’reworkingonit! 40

TooManyChoices

41

TheOpenIDNASCARProblem

42

Poten;alSolu;ons

•  2steplogin:–  Enteremailaddress–  Iftheuserhasapassword,displaythepasswordfield

– Otherwise,ifthedomainisOpenIDenabled,sendtheuserthroughtheOpenIDflow

•  user@yahoo.comgoestoYahoo•  user@gmail.comgoestoGoogle

43

UIIssues

•  Plentyofusabilitytes;nginprogressbehindthescenes

•  Manytopdesignersareworkingonthis

44

Ques;ons?

•  OpenIDisanOpenProtocol– Fullytransparentdevelopmentprocess

– Followusonh`p://openid.net•  (checkwithyourIPlawyersfirst)•  AllcontributorsmusthavetheiremployerssignanIPcontribu;onagreement

•  InternetIden;tyWorkshop– May18‐20– MountainView,CA

– EveryoneworkingonOpenIDwillbethere45

OAuth

•  Authoriza;on(notAuthen;ca;on)•  The“AccessControl”layeroftheOpenWeb

•  Some;mescalledtheValetKeysoftheweb

•  OAuthisneededtoauthorizeAPIaccess– OpenIDdoesnotpassanycreden;alstotheRP

46

OAuth–ValetKeysfortheWeb

•  OAuthallowsuserstograntcreden;alstotheiraccount,withoutgivinguptheirpassword

•  LargerServiceProvidersusuallyissuescopedcreden;als

•  Creden;alscanusuallyberevoked

47

ThePasswordAn;‐Pa`ern

•  Manysitesaskforyourpasswordsothattheycanaccessthedatathatyouhaveonothersites

48

Sharingpasswordsisabadidea….

•  Passwordsarenotscoped–  Insteadofauthorizingdatasharingforaspecificresource,

you’regivingupaccesstoyouren;reaccount

•  Mostusersdon’tusedifferentpasswordsfordifferentsites

•  Nowaytorevokeaccesswithoutchangingyourpassword•  Evenifthesiteishonest,mistakeshappen

–  Extensivelogging–passwordsgetsavedtologfiles–  Securitycompromises

49

WhyOAuth?

•  PriortoOauth,mostserviceprovidersdefinedproprietarydelegatedauthprotocols

•  OAuthcombinedthebestprac;cesofYahooBBAuth,GoogleAuthSub,FlickrAuth,WindowsLiveDelegatedAuth– Allofthemdidthesamething,slightlydifferently

50

The3LegsofOAuth

Jane

protected_resources

oauth_flow_begins

oauth_request_token

user_authen;ca;on

user_authoriza;on

consumer_callback

oauth_access_token

get_protected_resources

oauth_success

OAuthTerminology

•  Consumer–Theapplica;on(client)•  ServiceProvider–Thesitethattheconsumeris

tryingtoaccess•  ProtectedResource–Theservicethattheconsumer

isaccessing(typicallyaWebServiceAPI)•  3LeggedOauth

–  User–  Consumer–  ServiceProvider

•  2LeggedOauth–  Consumer–  ServiceProvider

61

OAuthTerminology

•  ConsumerKey–Clientiden;fier,equivalenttoAppIDorAPIKeyinotherprotocols

•  ConsumerSecret–sharedsecretusedtoauthen;catetheConsumer

•  AccessToken–Creden;alusedbytheConsumertoaccessProtectedResources

•  OAuthDance–Browsergymnas;cswherethebrowserbouncesbetweentheConsumertotheServiceProviderandbackfortheusertoapproveanAccessToken

•  OauthWRAP–Nextgenera;onOAuth62

OauthProvisioning

•  Applica;ondevelopersusuallymustgototheServiceProvidertoregisterforaConsumerKey– ProcessforobtainingaConsumerKeyisServiceProviderspecificandisnotdefinedintheOauthProtocol

– SPsusuallyrequiredeveloperstoregistertoagreetoTermsofService,aswellastosa;sfytheSP’slegal,business,andproductrequirements

63

YahooOAuthConsumerKeyRegistra;on

64

YahooConsumerKeyRegistra;on

•  Applica;onname,descrip;on,logos•  Developername,contactinforma;on(email,phonenumber,website)

•  TermsofServiceagreement

65

66

67

OAuthProtocol–RequestPermission

Facebook

browser

1) Consumer gets a Request Token

OAuthProtocol–RequestPermission

Facebook

browser

1) Consumer gets a Request Token

2) Consumer redirects browser to Yahoo OAuth server with request token

OAuthPermissionsPage

• 

UserAgrees

Facebook

browser 1) YOAuth redirects browser back to consumer to indicate successful authorization

UserAgrees

•  TheAccessTokenisnotreturnedontheredirectbacktotheconsumer,insteadtheconsumermustmakeabackendserver‐to‐servercalltoretrievetheAccessToken

•  EnablesTokentobeexchangedoverHTTPS

Facebook

browser 1) YOAuth redirects browser back to consumer to indicate successful authorization

2) Consumer exchanges Request Token For Access Token/ATSecret

YahooOAuthimplementa;on

Facebook

OAuth Service

1)  Exchange Request Token for Access Token and Access Token Secret

2) Request user’s Address Book

CK, AT, sig(CS, ATS)

OAuthDeploymentChallenges

•  Scalability•  TokenRevoca;on:DatabaselookuprequiredtodetermineifATiss;llvalid•  Verydifficulttoscaleforgloballydistributedwebapplica;ons•  Heterogeneousanddistributedproduc;onenvironment•  Securityissues

•  ConsumerSecrethastobewidelydistributedtoallserviceproviders•  AddressBookneedstheconsumersecrettoverifytherequest

•  Verydifficulttoproperlysafeguardtheconsumersecret•  AccessToken(Permanentcreden;al)directlyhandledbyServiceProviders

•  IssueswithsecuritycompromisesonServiceProviders

•  TheYahooOAuthServiceismuchmoresecurethantherestofYahoo•  Closelymonitoredandaudited•  AllowstherestofYahooquicklydeploynewservices

Consumer

OAuth Service

2) Request user’s Address Book

CK, AT, sig( CS, ATS)

PreferredSolu;on

•  Yahoo’sproprietaryauthprotocolusesshort‐lived(1hour)bearertokenstoaccessprotectedresources

•  ServiceProviderscanverifythebearertokenlocallywithoutadatabaselookup•  BearertokensaresignedbytheAuthservice

•  Persistentcreden;als(consumersecrets,AccessTokens)arenotusedtoaccessanyservices

Consumer

OAuth Service

2) Request user’s Address Book

CK, AT, sig( CS, ATS)

DeploymentIssueswithOAuthatYahoo

•  Oauthsignaturesarenearlyimpossibletogeneratewithoutalibrary

•  Librariesarebuggytoo•  #1problemisthatdeveloperscan’tgeneratesignatures

Consumer

2) Request user’s Address Book

CK, AT, sig( CS, ATS)

Oauthsignatures

•  Aauthsignaturesareusedtoprotectagainstreplaya`acks•  WhynotjustuseHTTPS?•  Dataisflyingaroundintheclear•  Doesnotmatch“Cookie”authforBrowsers

•  Allprotectedresourcescanbeaccessedviatheuser’sbrowser•  Browsersarefarmoresuscep;bletoMITMthanwebapplica;ons

•  Oauthissodifficultthatmostdevelopersendupphishingtheuserfortheirpasswordinstead

Consumer

2) Request user’s Address Book

CK, AT, sig( CS, ATS)

OAuthWRAP

•  WRAP==WebResourceAuthoriza;onProtocol•  StartedatInternetIden;tyWorkshopinMay2009•  Contributors:

–  Yahoo–  Google–  Microsoj–  Facebook

•  Goals–  Makeiteasierfordeveloperstouse–  SplitOAuth’sServiceProviderinto2parts:

•  TokenIssuer–Canbeacompletelyseparateen;ty•  ServiceProvider

–  Definedifferent“Profiles”fordifferentusecases•  WebApplica;onProfile•  RichclientappProfile(nobrowser)

78

WRAPProfiles

•  WRAPdefinesseveralmechanismsforuserstoauthorizeanapplica;on

•  WebAppProfile–  Userwantstoauthorizeawebsite–  Userexperienceiden;caltoOauth

•  Username/PasswordProfile–  Userwantstoauthorizearichclientapplica;on–  Nobrowserisrequired

•  WRAPProfileonlydefinedifferentmechanismsforclientstoobtainanAccessToken

•  AllAccessTokensareusedthesamewayregardlesswhichProfilewasusedtoobtainthem

•  ServiceProvidersdonotneedtocarehowtheAccessTokenwasissued

79

OauthWRAP

•  ConsumersareissuedanAccessTokenwitha1hourlife;me,andaRefreshToken

•  ConsumersaccessProtectedResourcesusingtheAccessToken.NoSignaturesarerequired.•  PassedintheHTTPAuthoriza;on:header

•  IftheAccessTokenisexpired,theConsumercanrequestanewAccessTokenfromtheTokenIssuerusingtheRefreshToken

Consumer

WRAP Auth Server

2) Request user’s Address Book using AT

1) Consumer obtains Access Token 3) If AT was expired, Consumer refreshes it

OAuthWRAPExample

•  $curl–header\‘Authoriza;on:[WRAP]access_token=”accesstoken”‘\h`p://api.example.com/get_data

HTTP/1.1200OK

[…]

Data

81

ExpiredAccessTokenExample

•  $curl–header‘Authoriza;on:[WRAP]access_token=”accesstoken”‘\h`p://api.example.com/get_data

HTTP/1.1401Unauthorized

•  $curl–dwrap_refresh_token=refreshtoken\h`ps://auth.example.com/refresh_token

HTTP/1.1200OKaccess_token=access_token2

•  $curl–header‘Authoriza;on:[WRAP]access_token=“accesstoken2”’h`p://api.example.com/get_data

HTTP/1.1OK

data82

OAuthExample

•  $curl–header\“Authoriza;on:[WRAP]AccessToken”\

h`p://api.example.com/get_data

HTTP/1.1200OK

[…]

Data

83

WRAPAdvantages

•  ServiceProviderscanverifycreden;alswithoutaDBlookup

•  ConsumerSecretsandPersistentcreden;alsdonotneedtobedistributedtoServiceProviders

•  Developerscanjustcurltherequests•  Richclientappsdonotneedtouseabrowser•  ServiceProvidersandAuthServerscanbeseparateen;;es–Assumingtheycanagreeonthetokenformat–  SimpleWebToken(SWT)Spec

84

DeployingWRAPatYahoo

•  WRAPProtectedResourcesonlyneedtoknowhowtovalidateaWRAPAccessToken•  AccessTokencontains

•  UserID•  Scopethatwasauthorized(eg:AddressBook)•  ConsumerKey•  Expira;on;me•  SignedbytheYahooAuthServer

•  Servicesdon’tneedtoworryaboutdeterminingiftheuserortheconsumerkeyisvalid

•  TheYahooAuthSerververifiesthatboththeuserandtheconsumerares;llvalidbeforeissuingtheAccessToken

•  Cons:itcantakeanhourtorevokeaccesstoanapportodeac;vateauser

Consumer

WRAP Access Token

WhydoesYahoosupportOAuth?

•  OpenstandardsmakeiteasierfordeveloperstouseourAPIs– Reuseexperience,documenta;on,andexper;seacrossServiceProviders

•  Leverageindustrybestprac;ces

86

OAuth/OAuthWRAPques;ons?

•  GoogleGroups– OAuth– OAuth‐wrap‐wg

•  InternetIden;tyWorkshop– SamegroupofpeoplewhoworkonOpenID– OpenID,Oauth,andOauth‐WRAPallresultedfromdiscussionsatIIW

87

What’snext?

•  OpenID+OAutharethebuildingblocksofthenextgenera;onofinternetiden;ty–  Elimina;nglogin/registra;onfric;oncaneliminatetheAnonymousWeb

•  Usersmustberecognizedtoserveop;mizedcontentandads

•  Over60millionuniqueuserslogintowebsitesusingFacebookConnect

•  Proprietarysolu;onsareojenbe`er,butusersandthemarketdemandopenandinteroperablestandards

•  Nearly100%ofallinternetusershaveanaccountthatcanbeusedtosignintoothersites

•  Yahoo/Google/GoogleApps/AOL/Hotmail/Facebook/Twi`er

•  Sitespecificregistra;onwillbecomeathingofthepast

88

89

AllenTomatom@yahoo‐inc.com

h`p://openid.neth`p://groups.google.com/

– OAuth– OAuth‐WRAP‐WG

h`p://www.interne;den;tyworkshop.com/