Distributed SSO

                         Cédric Hüsler
                                    CTO local.ch

              Google TechTalk Zürich - April 2007
Quick Poll

Who always uses the same password for every new account on a new site?

Who has a blog?

Who has an OpenID?
Basics

Authentication: prove you are really who you claim to be
  Username & Password      Challenge-response      Public-Private Key

vs.

Authorization: what are you allowed to do
  ACL (Access Control List)      RBAC (Role-based Access Control)
Basics

Identity: the ability to uniquely identify yourself
  Your Name      AHV-Nr / SSN      Fingerprint

vs.

Privacy: the ability to control what others know about you
  Can you keep a secret?      Virtualization      Opt-in
Basics

Trust: how much can I depend on you?

vs.

Control: how much information am I going to give?
Basics

SSO (Single Sign-On)

  Using the same credentials to access multiple services.
  Automatic authentication beyond a single session and a single service.

= Authentication Delegation
= Identity Manager
= Open API
≠ Authentication
≠ Trust
Use a URL as your user name!

I own the domain keepthebyte.ch. Why not use it as my user name?
Time for a demo!

http://jyte.com/
Login Process Overview

Download at http://www.flickr.com/photos/keepthebyte/347821691/

...with a trusted site: auto login on the identity provider
HTTP Level - Part 1/3

User Agent <-> RP
  GET:  %site%/login.html
  POST: %site%/login with OpenID

RP <-> IdP
  GET: openid url
  mime: application/xrds+xml (Yadis Discovery)

  <?xml version="1.0" encoding="UTF-8"?>
  <xrds:XRDS
      xmlns:xrds="xri://$xrds"
      xmlns:openid="http://openid.net/xmlns/1.0"
      xmlns="xri://$xrd*($v*2.0)">
    <XRD>
      <Service priority="0">
        <Type>http://openid.net/signon/1.0</Type>
        <Type>http://openid.net/sreg/1.0</Type>
        <URI>http://www.myopenid.com/server</URI>
        <openid:Delegate>http://keepthebyte.myopenid.com/</openid:Delegate>
      </Service>
    </XRD>
  </xrds:XRDS>

  Fallback: GET: openid url
  mime: */* (HTML document with openid.server / openid.delegate <link> tags, see Delegated Authentication)
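The RP's discovery step on an XRDS document like the one above, as an added example (Python, standard library only) that is not part of the talk: it takes the last XRD element, as Yadis requires, keeps only services of type signon/1.0, picks the one with the lowest priority value, and returns the server endpoint, the delegate and whether sreg is offered. SAMPLE_XRDS is a constructed copy of the slide's document with a second, lower-priority service added so the selection is visible; the `http://backup.example/server` endpoint is invented for that purpose.

```python
"""Yadis/XRDS discovery: choose the OpenID service advertised for an identifier.

Added example, not code from the talk. SAMPLE_XRDS is a constructed copy of
the XRDS shown above with a second, lower-priority service added.
"""
import sys
import xml.etree.ElementTree as ET

XRDS_NS = "xri://$xrds"
XRD_NS = "xri://$xrd*($v*2.0)"
OPENID_NS = "http://openid.net/xmlns/1.0"
SIGNON_1_0 = "http://openid.net/signon/1.0"
SREG_1_0 = "http://openid.net/sreg/1.0"

SAMPLE_XRDS = """<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds"
           xmlns:openid="http://openid.net/xmlns/1.0"
           xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service priority="20">
      <Type>http://openid.net/signon/1.0</Type>
      <URI>http://backup.example/server</URI>
    </Service>
    <Service priority="0">
      <Type>http://openid.net/signon/1.0</Type>
      <Type>http://openid.net/sreg/1.0</Type>
      <URI>http://www.myopenid.com/server</URI>
      <openid:Delegate>http://keepthebyte.myopenid.com/</openid:Delegate>
    </Service>
  </XRD>
</xrds:XRDS>"""


def _tag(ns, name):
    return "{%s}%s" % (ns, name)


def discover_xrds(document):
    """Return {'server', 'delegate', 'sreg'} for the best signon/1.0 service, or None.

    Yadis uses the last XRD element; among its services the lowest 'priority'
    value wins, and a service without a priority attribute sorts last.
    """
    if isinstance(document, str):
        document = document.encode("utf-8")
    # The stdlib expat parser does not fetch external entities, but for input
    # from arbitrary identifier URLs use defusedxml to rule out entity expansion too.
    root = ET.fromstring(document)
    if root.tag != _tag(XRDS_NS, "XRDS"):
        raise ValueError("not an XRDS document")
    xrds = root.findall(_tag(XRD_NS, "XRD"))
    if not xrds:
        return None
    candidates = []
    for service in xrds[-1].findall(_tag(XRD_NS, "Service")):
        types = {t.text.strip() for t in service.findall(_tag(XRD_NS, "Type")) if t.text}
        uri = service.findtext(_tag(XRD_NS, "URI"))
        if SIGNON_1_0 not in types or not uri:
            continue
        prio = service.get("priority")
        delegate = service.findtext(_tag(OPENID_NS, "Delegate"))
        candidates.append((
            int(prio) if prio is not None else sys.maxsize,
            {"server": uri.strip(),
             "delegate": delegate.strip() if delegate else None,
             "sreg": SREG_1_0 in types},
        ))
    if not candidates:
        return None
    candidates.sort(key=lambda c: c[0])   # stable sort: equal priorities keep document order
    return candidates[0][1]


if __name__ == "__main__":
    print(discover_xrds(SAMPLE_XRDS))
```

The delegate value, not the identifier the user typed, is what the RP must later send as `openid.identity` and must see again in the signed response; keeping it from discovery is what makes the later comparison possible.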
HTTP Level - Part 2/3

RP <-> IdP (continued)

  ASSOCIATE REQUEST (direct request from the RP to the IdP endpoint)

  openid.dh_gen=Ag%3D%3D
  openid.session_type=DH-SHA1
  openid.mode=associate
  openid.assoc_type=HMAC-SHA1
  openid.dh_consumer_public=AMEJSFuaf%2Fi73z6uGonyKZUoIJQyI7PWSZJZBhACK8qQ48%2FIkplhKv%2BajPhSiNXz43%2Bb7nO%2FyL86LQNlzNM3rFSP7nfAVoDZXUPyuQeacsCqg8vliMwTJUzu9MecZz4ngCgNLk8tOkBazhGJ7%2BCnx1g53dUVGvvV0LHMMMjUQMSo
  openid.dh_modulus=ANz5OguIOXLsDhmYmsWizjEOHTdxfo2Vcbt2I3MYZuYe91ouJ4mLBX%2BYkcLiemOcPym2CBRYHNOyyjmG0mg3BVd9RcLn5S3IHHoXGHblzqdLFEi%2F368Ygo79JRnxTkXjgmY0rxlJ5bU1zIKaSDuKdiI%2BXUkKJX8Fvf8W8vsixYOr

  ASSOCIATE RESPONSE (key:value body)

  assoc_type:HMAC-SHA1
  assoc_handle:netmesh-u-1168177185-50172100
  expires_in:2592000
  session_type:DH-SHA1
  dh_server_public:AIAkjwdpUn1lCHyQEzstI40wSnbsznGV/t+AepW/he/ChsS2N2WF9DTIpNyLtGBTECmF6w/+DgtcjfVrujm1Z26CJBuwtDbJyL3rUCsqzn55RVCcM6QmBnRBD8q/5hbcI6jiBC9Nc78NfQywGE7YG3BCZZiT3Vz1etJAcRgPgUxJ
  enc_mac_key:eljydY56tUILU75CjytBwNF3Ec4=
HTTP Level - Part 3/3

User Agent <-> RP
  REDIRECT TO IdP

  http://mylid.net/keepthebyte?
    openid.mode=checkid_setup
    openid.return_to=http%3A%2F%2Flocalhost%3A3000%2Fauth%2Fcomplete%3Fnonce%3DQ5CG5Hfk
    openid.trust_root=http%3A%2F%2Flocalhost%3A3000%2Fauth
    openid.identity=http%3A%2F%2Fmylid.net%2Fkeepthebyte
    openid.assoc_handle=netmesh-u-1168177185-50172100

User Agent <-> IdP
  DO THE LOGIN (not part of the OpenID spec)

  REDIRECT TO RP

  http://localhost:3000/auth/complete?
    nonce=Q5CG5Hfk
    openid.mode=id_res
    openid.identity=http%3A%2F%2Fmylid.net%2Fkeepthebyte
    openid.return_to=http%3A%2F%2Flocalhost%3A3000%2Fauth%2Fcomplete%3Fnonce%3DQ5CG5Hfk
    openid.assoc_handle=netmesh-u-1168177185-50172100
    openid.signed=mode,identity,return_to,assoc_handle
    openid.sig=c55qNAPI58pfRBDkVlRc5dbvnyU%3D
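The association of Part 2 and the signed redirect of Part 3, as an added example (Python, standard library only) that is not part of the talk: both the RP and IdP sides of the DH-SHA1 exchange, recovery of the MAC key from `enc_mac_key`, the HMAC-SHA1 `openid.sig` over the fields named in `openid.signed`, and the checks an RP has to make before it accepts an `id_res`. The DH modulus is the default from the OpenID specification (the `openid.dh_modulus` value on the slide is its base64 btwoc encoding) with generator 2 (`Ag==`); the private exponents and the MAC key are generated at run time because the consumer's private value is not in the dump; the association handle, identity and URLs are taken from the slide.

```python
"""OpenID 1.1 smart mode: DH-SHA1 association, then verifying the signed id_res.

Added example, not code from the talk. Both roles run in one process with
freshly generated DH values; only the parameter layout follows the dump above.
"""
import base64
import hashlib
import hmac
import secrets

# Default 1024-bit modulus from the OpenID spec; generator 2 (openid.dh_gen=Ag==).
DH_MODULUS = int(
    "15517289818147369747123225776371553991572480196691540447970779531405762937854191"
    "75806512274236981889937278161526466314385615958256881888899512721588426754199503"
    "41258706556549803580104870537681476726513255747040765857479291291572334510643245"
    "094715007229621094194349783925984760375594985848253359305585439638443")
DH_GEN = 2

def btwoc(n):
    """OpenID's big-endian two's complement: a 0x00 prefix whenever the top bit is set."""
    return n.to_bytes((n.bit_length() + 8) // 8, "big")

def enc_int(n):
    return base64.b64encode(btwoc(n)).decode("ascii")

def dec_int(text):
    return int.from_bytes(base64.b64decode(text), "big")

def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def rp_associate_request():
    """RP side of ASSOCIATE REQUEST: a fresh private exponent plus the wire parameters."""
    x = secrets.randbelow(DH_MODULUS - 2) + 1
    return x, {"openid.mode": "associate", "openid.assoc_type": "HMAC-SHA1",
               "openid.session_type": "DH-SHA1", "openid.dh_modulus": enc_int(DH_MODULUS),
               "openid.dh_gen": enc_int(DH_GEN),
               "openid.dh_consumer_public": enc_int(pow(DH_GEN, x, DH_MODULUS))}

def idp_associate(params, assoc_handle):
    """IdP side: choose a MAC key and return it XORed with SHA1(btwoc(shared secret))."""
    p, g = dec_int(params["openid.dh_modulus"]), dec_int(params["openid.dh_gen"])
    y = secrets.randbelow(p - 2) + 1
    shared = pow(dec_int(params["openid.dh_consumer_public"]), y, p)
    mac_key = secrets.token_bytes(20)                       # HMAC-SHA1 key
    enc_mac_key = xor_bytes(hashlib.sha1(btwoc(shared)).digest(), mac_key)
    return mac_key, {"assoc_type": "HMAC-SHA1", "assoc_handle": assoc_handle,
                     "expires_in": "2592000", "session_type": "DH-SHA1",
                     "dh_server_public": enc_int(pow(g, y, p)),
                     "enc_mac_key": base64.b64encode(enc_mac_key).decode("ascii")}

def rp_unwrap_mac_key(x, response):
    """RP side of ASSOCIATE RESPONSE: mac_key = enc_mac_key XOR SHA1(btwoc(server_public^x))."""
    shared = pow(dec_int(response["dh_server_public"]), x, DH_MODULUS)
    return xor_bytes(hashlib.sha1(btwoc(shared)).digest(),
                     base64.b64decode(response["enc_mac_key"]))

def sign(mac_key, message, signed_fields):
    """openid.sig = base64(HMAC-SHA1(key, 'name:value\\n' for each name in openid.signed))."""
    token = "".join("%s:%s\n" % (name, message["openid." + name]) for name in signed_fields)
    return base64.b64encode(hmac.new(mac_key, token.encode("utf-8"), hashlib.sha1).digest()).decode("ascii")

def rp_verify_id_res(mac_key, expected_handle, trust_root, message):
    """Checks an RP must make on the redirect back; any failure rejects the login."""
    signed = message.get("openid.signed", "").split(",")
    if (message.get("openid.mode") != "id_res"
            or message.get("openid.assoc_handle") != expected_handle      # unknown handle: do not trust it
            or not {"mode", "identity", "return_to"} <= set(signed)       # unsigned fields are attacker-controlled
            or not message.get("openid.return_to", "").startswith(trust_root)):  # simplified trust_root match
        return False
    try:
        expected = sign(mac_key, message, signed)
    except KeyError:                                         # openid.signed names a field the message lacks
        return False
    return hmac.compare_digest(expected, message.get("openid.sig", ""))

def demo():
    """Round trip with the slide's handle and URLs; returns (genuine accepted, forged rejected)."""
    handle = "netmesh-u-1168177185-50172100"
    x, assoc_req = rp_associate_request()
    idp_key, assoc_resp = idp_associate(assoc_req, handle)
    rp_key = rp_unwrap_mac_key(x, assoc_resp)
    assert rp_key == idp_key                                 # both ends derived the same MAC key
    trust_root = "http://localhost:3000/auth"
    msg = {"openid.mode": "id_res", "openid.identity": "http://mylid.net/keepthebyte",
           "openid.return_to": trust_root + "/complete?nonce=Q5CG5Hfk",
           "openid.assoc_handle": handle, "openid.signed": "mode,identity,return_to,assoc_handle"}
    msg["openid.sig"] = sign(idp_key, msg, msg["openid.signed"].split(","))
    forged = {**msg, "openid.identity": "http://mylid.net/someone-else"}   # signature no longer matches
    return (rp_verify_id_res(rp_key, handle, trust_root, msg),
            rp_verify_id_res(rp_key, handle, trust_root, forged))

if __name__ == "__main__":
    print(demo())   # (True, False)
```

Two things in `rp_verify_id_res` are easy to skip and costly to get wrong: the signature is only worth anything over fields that are actually listed in `openid.signed`, so `identity` and `return_to` must be in that list, and the comparison of the computed and received signature is constant-time. The `trust_root` match here is a plain prefix test; a production RP implements the spec's matching rules, including the wildcard form.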
Delegated Authentication

1. My original OpenID:
   keepthebyte.myopenid.com

2. Add these lines to the root HTML document of the domain “keepthebyte.ch”:
   <link rel="openid.server" href="http://www.myopenid.com/server" />
   <link rel="openid.delegate" href="http://keepthebyte.myopenid.com" />
   <meta http-equiv="X-XRDS-Location" content="http://keepthebyte.myopenid.com/xrds" />

3. Now I can use my domain as my OpenID:
   keepthebyte.ch
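The HTML-based discovery that the `*/*` fallback in Part 1 relies on, as an added example (Python, standard library only) that is not part of the talk: it reads the three tags above from the `<head>` of the identifier's page, normalizes identifiers the way OpenID 1.1 does (scheme and trailing slash), and performs the check the RP owes the user of a delegated identifier, namely that the identity the IdP finally signs is the delegate discovered for the claimed identifier. SAMPLE_HTML is a constructed copy of what keepthebyte.ch would serve after step 2; BODY_INJECTED_HTML and the `attacker.myopenid.com` identity in it are invented to show a `<link>` planted in page content being ignored.

```python
"""HTML-based discovery (the '*/*' fallback) and the delegate check an RP must make.

Added example, not code from the talk. SAMPLE_HTML is a constructed copy of what
keepthebyte.ch would serve after adding the three tags above; the second sample
carries a <link> planted in the body, which discovery must ignore.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit

SAMPLE_HTML = """<html><head><title>keepthebyte</title>
<link rel="openid.server" href="http://www.myopenid.com/server" />
<link rel="openid.delegate" href="http://keepthebyte.myopenid.com" />
<meta http-equiv="X-XRDS-Location" content="http://keepthebyte.myopenid.com/xrds" />
</head><body><p>hello</p></body></html>"""

BODY_INJECTED_HTML = """<html><head>
<link rel="openid.server" href="http://www.myopenid.com/server" />
</head><body>
<!-- e.g. a blog comment that the site echoes unescaped -->
<link rel="openid.delegate" href="http://attacker.myopenid.com" />
</body></html>"""


class _HeadLinks(HTMLParser):
    """Collect the first openid.server / openid.delegate <link> and X-XRDS-Location <meta> in <head>."""

    def __init__(self):
        super().__init__()
        self.server = self.delegate = self.xrds_location = None
        self.in_body = False

    def handle_starttag(self, tag, attrs):
        if tag == "body":
            self.in_body = True
        if self.in_body:
            return                          # anything after <body> is content, not metadata
        a = dict(attrs)
        if tag == "link":
            rels = (a.get("rel") or "").lower().split()
            if "openid.server" in rels and self.server is None:
                self.server = a.get("href")
            if "openid.delegate" in rels and self.delegate is None:
                self.delegate = a.get("href")
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "x-xrds-location":
            if self.xrds_location is None:
                self.xrds_location = a.get("content")


def normalize(identifier):
    """OpenID 1.1 identifier normalization: add http:// if no scheme, '/' if no path, drop fragment."""
    if "://" not in identifier:
        identifier = "http://" + identifier
    parts = urlsplit(identifier)
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(), parts.path or "/", parts.query, ""))


def discover_html(html):
    parser = _HeadLinks()
    parser.feed(html)
    parser.close()
    return {"server": parser.server,
            "delegate": normalize(parser.delegate) if parser.delegate else None,
            "xrds_location": parser.xrds_location}


def identity_to_request(claimed_id, info):
    """openid.identity the RP sends to the IdP: the delegate if declared, else the claimed id."""
    return info["delegate"] or normalize(claimed_id)


def asserted_identity_ok(claimed_id, info, asserted_identity):
    """After id_res: the signed openid.identity must equal what discovery on claimed_id produced.

    The redirect passes through the user's browser, so openid.identity can be swapped for
    another account at the same IdP; without this check that account logs in as keepthebyte.ch.
    """
    return normalize(asserted_identity) == identity_to_request(claimed_id, info)


if __name__ == "__main__":
    info = discover_html(SAMPLE_HTML)
    print(info)
    print(asserted_identity_ok("keepthebyte.ch", info, "http://keepthebyte.myopenid.com/"))
```

Normalization matters in practice: the `<link>` on the slide says `http://keepthebyte.myopenid.com` while the XRDS says `http://keepthebyte.myopenid.com/`, and an IdP may return either spelling, so the comparison has to be made on normalized forms rather than raw strings.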
...Immediate Mode - “AJAX”

Ask an IdP whether an End User owns the Claimed Identifier and get back an immediate "yes" or "can't say" answer.
...Stateless (Dumb Mode)

Not recommended because of a security issue, the replay attack. Use SSL!
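What the replay problem looks like in stateless mode, as an added example (Python, standard library only) that is not part of the talk: the RP has no association, so it hands each `id_res` back to the IdP as a `check_authentication` request and trusts the `is_valid` answer. The IdP cannot know whether the RP has already seen that exact response, so a captured response is accepted as often as it is presented unless the RP binds each login to a single-use nonce of its own, which is what the `nonce=` in the slide's `return_to` is for. Both parties run in one process; handles, keys and nonces are generated at run time.

```python
"""Stateless ('dumb') mode: check_authentication, and why a one-time nonce is needed.

Added example, not code from the talk. Both parties run in one process; the
message fields follow the id_res redirect shown earlier, and the nonce in
return_to is the RP's own single-use token.
"""
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit


def _sign(key, message):
    """openid.sig as in smart mode: HMAC-SHA1 over 'name:value\\n' for each signed name."""
    names = message["openid.signed"].split(",")
    token = "".join("%s:%s\n" % (n, message["openid." + n]) for n in names)
    return base64.b64encode(hmac.new(key, token.encode(), hashlib.sha1).digest()).decode()


class IdP:
    """Keeps a private key per handle; a stateless RP never learns it."""

    def __init__(self):
        self.keys = {}

    def id_res(self, identity, return_to):
        handle = "dumb-" + secrets.token_hex(4)
        self.keys[handle] = secrets.token_bytes(20)
        msg = {"openid.mode": "id_res", "openid.identity": identity, "openid.return_to": return_to,
               "openid.assoc_handle": handle, "openid.signed": "mode,identity,return_to,assoc_handle"}
        msg["openid.sig"] = _sign(self.keys[handle], msg)
        return msg

    def check_authentication(self, message):
        """Direct RP->IdP request: the id_res fields with openid.mode=check_authentication.

        The IdP re-signs with mode=id_res and reports is_valid; it has no way of
        knowing whether the RP has already accepted this very response once.
        """
        key = self.keys.get(message.get("openid.assoc_handle"), b"")
        expected = _sign(key, {**message, "openid.mode": "id_res"})
        valid = bool(key) and hmac.compare_digest(expected, message.get("openid.sig", ""))
        return {"is_valid": "true" if valid else "false"}


class RP:
    def __init__(self, idp, trust_root):
        self.idp, self.trust_root = idp, trust_root
        self.pending = set()                 # nonces issued in return_to, not yet consumed

    def start_login(self):
        nonce = secrets.token_urlsafe(6)
        self.pending.add(nonce)
        return self.trust_root + "/complete?nonce=" + nonce

    def complete(self, message, check_nonce=True):
        return_to = message.get("openid.return_to", "")
        if not return_to.startswith(self.trust_root):
            return False
        if check_nonce:
            nonce = parse_qs(urlsplit(return_to).query).get("nonce", [None])[0]
            if nonce not in self.pending:
                return False                 # never issued, or already used: a replay
            self.pending.discard(nonce)      # consume before the network call so a race cannot reuse it
        answer = self.idp.check_authentication({**message, "openid.mode": "check_authentication"})
        return answer["is_valid"] == "true"


def demo():
    """Returns (first login, replay without nonce check, first login, replay with nonce check)."""
    idp = IdP()
    rp = RP(idp, "http://localhost:3000/auth")
    captured = idp.id_res("http://mylid.net/keepthebyte", rp.start_login())
    naive = (rp.complete(captured, check_nonce=False), rp.complete(captured, check_nonce=False))
    captured = idp.id_res("http://mylid.net/keepthebyte", rp.start_login())
    strict = (rp.complete(captured), rp.complete(captured))
    return naive + strict


if __name__ == "__main__":
    print(demo())   # (True, True, True, False)
```

The slide's advice, SSL, keeps the response from being captured in the first place; the nonce limits the damage if it leaks anyway (through a log, a Referer header or a shared machine) to one use. OpenID 2.0 later added `openid.response_nonce` so that the IdP can refuse to validate the same response twice as well.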
Extension: Simple Registration

Make OpenID more useful
- Extension of OpenID 1.1
- Part of OpenID 2.0 (Attribute Exchange)

Manage your personal profile centrally on the Identity Provider.

Control which profile properties may be shared with the site you want to log in to.

Screenshots from http://www.myopenid.com
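The RP side of Simple Registration, as an added example (Python, standard library only) that is not part of the talk: building the `openid.sreg.*` request parameters, and, on the way back, accepting a profile value only if its name appears in `openid.signed`, since an `openid.sreg.*` parameter the IdP did not sign could have been added by whoever controls the redirect. The parameter names are those of the sreg 1.0 extension; SAMPLE_RESPONSE is a constructed `id_res` (the e-mail address is invented) in which one field was appended unsigned.

```python
"""Simple Registration: request profile fields, and accept only the ones the IdP signed.

Added example, not code from the talk. Parameter names follow the sreg 1.0
extension; SAMPLE_RESPONSE is a constructed id_res in which one sreg field was
appended without being covered by openid.signed.
"""

SREG_FIELDS = ("nickname", "email", "fullname", "dob", "gender", "postcode",
               "country", "language", "timezone")


def sreg_request(required=(), optional=(), policy_url=None):
    """Extra parameters for the checkid_setup redirect; the IdP shows them on its consent page."""
    unknown = (set(required) | set(optional)) - set(SREG_FIELDS)
    if unknown:
        raise ValueError("not sreg fields: %s" % ",".join(sorted(unknown)))
    params = {}
    if required:
        params["openid.sreg.required"] = ",".join(required)
    if optional:
        params["openid.sreg.optional"] = ",".join(optional)
    if policy_url:
        params["openid.sreg.policy_url"] = policy_url
    return params


def signed_sreg_profile(id_res):
    """Split openid.sreg.* values into (trusted profile, names dropped as unsigned).

    Call this only after openid.sig has been verified. openid.signed lists names
    without the 'openid.' prefix, e.g. 'sreg.email'; a value that is not in the
    list was not asserted by the IdP and may have been added on the way back.
    """
    signed = set(id_res.get("openid.signed", "").split(","))
    profile, dropped = {}, []
    for key, value in id_res.items():
        if not key.startswith("openid.sreg."):
            continue
        name = key[len("openid."):]
        if name in signed:
            profile[name[len("sreg."):]] = value
        else:
            dropped.append(name)
    return profile, sorted(dropped)


# Constructed response; assumes the signature over openid.signed was already verified.
SAMPLE_RESPONSE = {
    "openid.mode": "id_res",
    "openid.identity": "http://keepthebyte.myopenid.com/",
    "openid.return_to": "http://localhost:3000/auth/complete?nonce=Q5CG5Hfk",
    "openid.assoc_handle": "netmesh-u-1168177185-50172100",
    "openid.signed": "mode,identity,return_to,assoc_handle,sreg.email",
    "openid.sreg.email": "cedric@example.ch",
    "openid.sreg.nickname": "admin",                      # not in openid.signed: untrusted
}

if __name__ == "__main__":
    print(sreg_request(required=("email",), optional=("nickname", "fullname"),
                       policy_url="http://localhost:3000/privacy"))
    print(signed_sreg_profile(SAMPLE_RESPONSE))   # ({'email': 'cedric@example.ch'}, ['sreg.nickname'])
```

A nickname that the RP treats as a display name or, worse, as an account key is exactly the kind of value an attacker would want to choose; dropping unsigned fields rather than merely logging them keeps that decision with the IdP where the user gave consent.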
Extension: E-Mail as OpenID

PROPOSAL!

Make OpenID easier: URL vs. Email
Proposal for OpenID 2.0

1. Enter the email address in the OpenID field:
   keepthebyte@myopenid.com

2. Read the transformation template from the XRDS document

3. Converted to a URL before authentication:
   keepthebyte.myopenid.com

Spec: http://www.sappenin.com/openid/ext/oet/openid-email-transform-extension-1_0.html
Integration: Browser

Make OpenID easier to use!
Prevent Phishing!

Firefox Add-ons:
- Appalachian (download: http://simile.mit.edu/wiki/Appalachian)
- VeriSign's OpenID Seatbelt

On the roadmap for Firefox 3.0
Integration: ???

HYPE?

Blog URL is the OpenID

Microsoft announced it will integrate OpenID in CardSpace (WS-*)
AOL provides an OpenID for all its users

Web 2.0 Sites: Technorati, Ma.gnolia, Opinity, netvibes, Digg (soon)
CMS/Blogs/Wiki: Wordpress, Drupal, MovableType, MediaWiki, phpbb
Your action is required!

READ
  The OpenID Case - in 4 pages by Kaliya Hamlin
  www.kaliyasblogs.net/IdentityWebExpo.pdf

  Specification at openid.net

  Open Source Libraries for PHP, Ruby, Java...
  openid.net/wiki/index.php/Libraries

PLAY
  OpenID Providers
  - MyOpenID.com
  - VeriSign PIP
  - idproxy.net (with Yahoo Auth)
  - List: openid.net/wiki/index.php/OpenIDServers

GIVE IT A TRY!
GOT IT?

That's it

Slides on: keepthebyte.ch
Links on: del.icio.us/keepthebyte/openid
