Hannes Tschofenig
MIT CFP Privacy & Security Working Group
Feb. 2nd 2011

Presentation Scope

• Based on real-world examples for using OAuth and Web 2.0 mashups I will explain identity management and privacy challenges.
• I will use Facebook to illustrate how Web application programmers experience OAuth.
• The subsequent slides have a simple scenario setup:
  1. I want to outsource identity management for my own site to Facebook.
  2. I want to retrieve information from user’s FB account (to push data to user’s account)

Simple Data Sharing: FB “Like” Button

‘like’ Button: iFrame Version

<iframe src="http://www.facebook.com/plugins/like.php?href=http://www.tschofenig.priv.at/wp/"
        scrolling="no" frameborder="0"
        style="border:none; width:450px;height:80px"></iframe>

• More details about the two possible implementations using the XFBML and the IFrame can be found here:
  – http://developers.facebook.com/docs/reference/plugins/like
• The XFBML version (next slide) uses the JavaScript SDK and allows websites more flexible control using the OpenGraph API (including posting content to the user’s website):
  – http://developers.facebook.com/docs/opengraph

‘like’ Button: XFBML Version

• Easy to produce: http://developers.facebook.com/docs/reference/plugins/like

<script src="http://connect.facebook.net/en_US/all.js#xfbml=1"></script>
<fb:like href="http://www.tschofenig.priv.at/wp/" show_faces="true" width="450" font="arial"></fb:like>

A Privacy Problem?

• When you load a page that contains the ‘like’ button, the iFrame actually loads the code from the Facebook webpage.
• This allows Facebook to know where you are browsing even if you do not click the button.
  – Uses the existing cookie; it works because, via the iFrame, you are literally “browsing” to Facebook.
• In case you click on it you automatically add information to your profile. This, however, requires you to log in.
  – Different authorization model than “normal” Facebook applications (unless you are logged in already)
  – Revoking permissions also works differently than with “normal” FB apps.
• Getting the incentives right:
  – Facebook gets to see what users are doing on the Web.
  – Companies are excited about deploying Web technologies and they get “rewards” if their product is “liked”.
  – Users are happy that they can share with their friends what they like.
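
A site owner can check which embeds cause this load-time contact. The following is an added example, not part of the original slides: it scans a page's HTML for auto-loading tags that point at other hosts. The sample page is constructed from the two ‘like’ button snippets above; the function name and the `leaksPageUrl` field are assumptions of this example.

```javascript
// Added example: list the third-party hosts a browser contacts just by
// rendering a page, before any click. SAMPLE_PAGE is constructed from the
// two 'like' button snippets on the slides.
const FIRST_PARTY = 'www.tschofenig.priv.at';

const SAMPLE_PAGE = `
<html><body>
<img src="/wp/logo.png">
<iframe src="http://www.facebook.com/plugins/like.php?href=http://www.tschofenig.priv.at/wp/"
  scrolling="no" frameborder="0"></iframe>
<script src="http://connect.facebook.net/en_US/all.js#xfbml=1"></script>
<a href="http://www.facebook.com/">plain link, not fetched on load</a>
</body></html>`;

// Tags whose src attribute is fetched automatically when the page renders.
// A regex scan is a simplification; a full audit would use an HTML parser.
const AUTOLOAD = /<(iframe|script|img)\b[^>]*?\bsrc\s*=\s*["']([^"']+)["']/gi;

function thirdPartyLoads(html, firstPartyHost) {
  const base = `http://${firstPartyHost}/`;
  const findings = [];
  for (const [, tag, src] of html.matchAll(AUTOLOAD)) {
    const url = new URL(src, base); // resolves relative URLs against the site
    if (url.hostname === firstPartyHost) continue; // same site, nothing shared
    findings.push({
      tag: tag.toLowerCase(),
      host: url.hostname,
      // True when the embed URL itself names the embedding site, so the
      // third party learns it even if the Referer header is stripped.
      leaksPageUrl: url.search.includes(firstPartyHost),
    });
  }
  return findings;
}

console.log(thirdPartyLoads(SAMPLE_PAGE, FIRST_PARTY));
```

The plain `<a>` link is not reported because the browser only contacts that host after a click; the iFrame and the SDK script are fetched on every page view, with whatever cookie the browser already holds for that host.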

Outsourcing Identity Management

• Task:
  – I want to allow users to log on using their Facebook credentials.
  – I want this to be integrated into my existing environment. I am using a Wordpress blogging/content management system.
  – I don’t want to write code.

Facebook Application Needed

• In many cases you cannot just deploy OAuth between two sides without going through a registration step.

• Consequence: Using OAuth on two random web sites does not work (today)
• Not a technology limitation but a deployment choice!
• Next, we need to go through the Facebook registration pages to obtain application credentials.
• Facebook also requires additional information from “application developer”, such as mobile phone number and credit card information.

Obtaining the client id & key

Moving to the “Client”: A Wordpress Widget on my Webpage

Configuring the placement of the Login Page

Added Facebook Login

The NASCAR Problem

• To simplify user interactions websites put the logos of identity providers on their page.
• More identity providers → more logos
• More logos → users get confused
• Website providers only put the top IdPs on their page → ossification

Login: Authentication and Authorization

• Login button redirects to Facebook (if not already logged in)

• Then, there is an authorization step (see above).

Separate FB Application

• Instead of using an existing plug-in you can also write your own Web page.
• Example code available in a number of programming languages.
• My example uses PHP and retrieves user information (next slide)

PHP Example Code (shortened)

<?php
require 'facebook.php'; // Facebook PHP SDK; the path is an assumption

// create application instance; appId and secret are the application
// credentials obtained in the registration step
$facebook = new Facebook(array(
  'appId'  => '104366359641119',
  'secret' => 'afa0f33f69f78fb8d3875c252b45ffad',
  'cookie' => true,
));

// fetch session (call elided on the slide; getSession() is the PHP SDK 2.x method)
$session = $facebook->getSession();

if ($session != null) { // session state exists
  try {
    $uid = $facebook->getUser();
    $me = $facebook->api('/me');
    $logoutUrl = $facebook->getLogoutUrl();
  } catch (FacebookApiException $e) {
    error_log($e);
  }
} else {
  $loginUrl = $facebook->getLoginUrl();
}

// fetch public data
$naitik = $facebook->api('/naitik');
?>

<a href="<?php echo $loginUrl; ?>">
  <img src="http://static.ak.fbcdn.net/rsrc.php/zB6N8/hash/4li2k73z.gif">
</a>

<?php print_r($session); ?>

Asking for more data

Extended Permissions

• OAuth allows applications to indicate their permissions via a scope attribute.
• Content of scope attribute is not defined but rather left application specific.
• Facebook provides examples for such extended permissions to access data beyond basic information:
  – Examples: “email”, “user_photos”
• Details can be obtained from:
  – http://developers.facebook.com/docs/authentication/permissions/
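
The scope attribute is where a client can enforce least privilege before the user is ever redirected. The following is an added example, not code from the slides or from Facebook: it builds an OAuth 2.0 authorization request, refuses scopes the site has not approved, and compares the requested scope with the value the server reports back. The endpoint, client id, redirect URI and function names are placeholders; the space delimiter is the OAuth 2.0 default and is a parameter because scope content is deployment specific.

```javascript
// Added example: authorization request with a scope allow-list.
// AUTHZ_ENDPOINT, CLIENT_ID and REDIRECT_URI are placeholders (assumptions).
const AUTHZ_ENDPOINT = 'https://authz.example/oauth/authorize';
const CLIENT_ID = 'EXAMPLE_CLIENT_ID';
const REDIRECT_URI = 'https://client.example/callback';

// Scopes this site has a documented need for; names taken from the slide.
const APPROVED_SCOPES = new Set(['email', 'user_photos']);

// state: unguessable per-session value generated and stored by the caller.
function buildAuthorizationUrl(scopes, state, delimiter = ' ') {
  const rejected = scopes.filter((s) => !APPROVED_SCOPES.has(s));
  if (rejected.length > 0) {
    throw new Error(`scope not approved: ${rejected.join(', ')}`);
  }
  const url = new URL(AUTHZ_ENDPOINT);
  url.searchParams.set('response_type', 'code');
  url.searchParams.set('client_id', CLIENT_ID);
  url.searchParams.set('redirect_uri', REDIRECT_URI);
  url.searchParams.set('state', state);
  // No scope requested: omit the parameter and let the server apply its default.
  if (scopes.length > 0) url.searchParams.set('scope', scopes.join(delimiter));
  return url.toString();
}

// Compare what was requested with the scope value the server reports back.
function scopeDiff(requested, grantedValue, delimiter = ' ') {
  const granted = new Set(grantedValue.split(delimiter).filter(Boolean));
  return {
    missing: requested.filter((s) => !granted.has(s)),         // declined
    extra: [...granted].filter((s) => !requested.includes(s)), // wider than asked
  };
}

console.log(buildAuthorizationUrl(['email'], 'constructed-state-123'));
console.log(scopeDiff(['email', 'user_photos'], 'email'));
```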

Viewing Access Rights

FB’s Privacy Dashboard: Access Log

OAuth 2.0 and Identity Management

• http://tools.ietf.org/html/draft-hansen-privacy-terminology says
  – An identity is any subset of attribute values of an individual person which sufficiently identifies this individual person within any set of persons. So usually there is no such thing as "the identity", but several of them.
  – An identity of an individual person may comprise many partial identities of which each represents the person in a specific context or role.
  – Identity management means managing various partial identities of an individual person, i.e., administration of identity attributes including the development and choice of the partial identity and pseudonym to be (re-)used in a specific context or role.

OAuth 2.0 and Identity Management, cont.

• OAuth 2.0 does not mandate
  – a specific user identifier format,
  – any authentication mechanism,
  – a specific credential type,
  – specific type of data to be stored at the resource server,
  – management features for creating, modifying, and deleting data

OAuth 2.0 and Identity Management, cont.

• Facebook, deploying OAuth 2.0, defines
  – a specific user identifier format (for logon),
  – password-based authentication using a browser interface,
  – data to be stored,
  – management features for creating, modifying, and deleting data (and access permissions) using a Web browser.
• OAuth provides the functionality of OpenID but in a different style. OpenID’s initial design did not envision any relationship between the relying party and the identity provider. In practice, this turned out to be a no-go.
• From a standardization point of view, OAuth and OpenID started at different places.
  – For example, OpenID has standardized APIs for exchange of data while OAuth does not have such APIs. See http://openid.net/specs/openid-attribute-exchange-1_0.html and http://www.axschema.org/types/
  – Next slide shows the OAuth standardization status.

Standardization Status of the OAuth Framework

[Figure: OAuth framework diagram. Entities: User, User Agent, Authorization Server, Resource Server, Resource Consumer. Labelled elements: OAuth Profiles, Token Request, Authorization Request, Access Request (incl. Token), User Interface, Token Format and Content, Authz Server Interaction, Data Exchange, Authentication, Request Security. Legend: red box = currently covered by OAuth WG.]

Summary

• Open Web Authentication (OAuth) is developed in the IETF OAuth working group:
  – http://datatracker.ietf.org/wg/oauth/
• Code available (see http://oauth.net/code/) and deployment going fine.
• Working group is trying hard to finish OAuth 2.0: http://tools.ietf.org/html/draft-ietf-oauth-v2
• Security and privacy turn out to be challenging.
  – Largely a deployment challenge!
  – See http://zachholman.com/2011/01/oauth_will_murder_your_children/

• WG rechartering process ongoing to standardize other parts of the OAuth framework.