Simon Willison and David Recordon's OpenID tutorial from O'Reilly's OSCON 07.
OSCON, July 24th, 2007
Bootcamp
Simon Willison - simonwillison.net
David Recordon - davidrecordon.com
Who are We?
• David Recordon
• VeriSign Employee since May of 2006
• OpenID Foundation Vice-Chair
• Co-Author of various OpenID specifications
• Past employee of Six Apart, where OpenID was created
Who are We?
• Simon Willison
• Ex-Yahoo!, now freelance
• “Europe’s first OpenID consultant”
• Co-creator of the Django Web Framework
The Plan
• Basic concepts of OpenID
• Hands on - Creating and using an OpenID
• Adoption, history, and status
• Security concerns
• Break
• Security solutions
• Clever and creative hacks
• OpenID in code
• Q&A
What is OpenID?
OpenID is a decentralised mechanism for Single Sign On
What problems does it solve?
“Too many passwords!”
“Someone else already grabbed my username”
“My online profile is scattered across dozens of sites”
What is an OpenID?
An OpenID is a URI
http://openid.aol.com/simonwillison/
What can you do with an OpenID?
You can claim that you own it
You can prove that claim
Why is that useful?
You can use it for authentication
“Who the heck are you?!”
(screenshot: the ExpoCal login page, social calendaring for Web 2.0 Expo, April 15-18, 2007, with its “login | sign up” prompt; its “Random People” list already includes OpenIDs such as http://vishnu.myopenid.com/)
“I’m simonwillison.net”
“prove it!”
(screenshot: the same ExpoCal login page)
(crypto happens)
“OK, you’re in!”
(screenshot: the same ExpoCal page, now logged in)
So it’s a bit like Microsoft Passport, then?
Yes, at a high level
But you don’t need to ask Microsoft’s permission to implement it
One organisation doesn’t get to own everyone’s credentials
And the standard isn’t owned by any one company or group
Who does get to own them?
You, the user, decide.
You pick your own provider
(just like e-mail)
So I’m still giving someone the keys to my kingdom?
Yes, but it can be someone you trust
If you have the ability to run your own server software, you can do it for yourself
We'll show you how to do that a little later on
OK, how do I use it?
So my users don’t have to sign up for an account?
Not necessarily
An OpenID tells you very little about a user
You don’t know their name
You don’t know their e-mail address
You don’t know if they’re a person or a spambot
(or a dog)
Where do I get that information from?
You ask them!
OpenID augments your regular sign-up process; it doesn't replace it
The simple registration extension can help users fill out your registration form
How can I tell if they’re an evil spambot?
Same as usual: challenge them with a CAPTCHA
botbouncer.com lets you outsource your CAPTCHAs
So how does OpenID actually work?
“I’m simonwillison.myopenid.com”
Site fetches HTML, discovers identity provider:
<link rel="openid.server" href="http://www.myopenid.com/server" />
Establishes shared secret with identity provider
(Using Diffie-Hellman key exchange)
Redirects you to the identity provider
If you’re logged in there, you get redirected back
How does my identity provider know who I am?
OpenID deliberately doesn’t specify
Username/password is common
But providers can use other methods if they want to:
Client SSL certificates
Out of band authentication via SMS, e-mail or Jabber
IP based login restrictions
SecurID keyfobs
The provider’s business is authentication: they can invest much more effort than regular sites
It’s also possible for a provider to just say “yes” to every query
Just say “yes”?
Users can give away their passwords today - this is the OpenID equivalent
It's similar to bugmenot.com
What if I decide I hate my provider?
Use your own domain name
Delegate to a provider you trust:
<link rel="openid.server" href="http://www.livejournal.com/openid/server.bml">
<link rel="openid.delegate" href="http://swillison.livejournal.com/">
This minimises lock in and ensures easy portability
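Discovery and delegation as described above, as an added Python example that is not part of the original tutorial: it normalises the identifier the user typed, reads the openid.server and openid.delegate links from the page's <head>, and works out which URL goes into openid.identity. The two HTML pages embedded in it are constructed stand-ins, not fetched from the real sites, and the function names are this example's own.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit


def normalize_identifier(user_input):
    """Turn what the user typed into the claimed identifier URL.

    OpenID 1.1 rules: prepend "http://" when no scheme is given and use "/"
    for an empty path. Scheme and host are lower-cased and the fragment is
    dropped (assumption: a fragment never distinguishes two identifiers)."""
    s = user_input.strip()
    if not re.match(r"[A-Za-z][A-Za-z0-9+.-]*://", s):
        s = "http://" + s
    p = urlsplit(s)
    if not p.netloc:
        raise ValueError(f"not a usable identifier: {user_input!r}")
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path or "/", p.query, ""))


class _HeadLinks(HTMLParser):
    """Collect openid.server / openid.delegate <link>s from <head> only.

    Discovery data lives in <head>. A <link> further down the page, e.g. in
    a comment a visitor posted, must not be able to point the RP at another
    provider, so parsing stops at </head> or at the first <body>."""

    def __init__(self):
        super().__init__()
        self.found = {}
        self.in_head = False
        self.done = False

    def handle_starttag(self, tag, attrs):
        if self.done:
            return
        if tag == "head":
            self.in_head = True
        elif tag == "body":
            self.done = True
        elif tag == "link" and self.in_head:
            a = dict(attrs)
            href = a.get("href")
            rels = (a.get("rel") or "").lower().split()  # rel may list several values
            for rel in ("openid.server", "openid.delegate"):
                if href and rel in rels:
                    self.found.setdefault(rel, href)  # first occurrence wins

    def handle_endtag(self, tag):
        if tag == "head":
            self.done = True


def discover(claimed_id, html):
    """Return the provider endpoint and the identity to send to it.

    The RP keeps claimed_id as the user's identifier. If the page delegates,
    openid.identity in the request is the delegate URL, and the provider's
    signed response must name that same delegate, not the claimed URL."""
    parser = _HeadLinks()
    parser.feed(html)
    server = parser.found.get("openid.server")
    if server is None:
        raise ValueError("no openid.server <link> in <head>: not an OpenID")
    delegate = parser.found.get("openid.delegate")
    return {"claimed_id": claimed_id,
            "server": server,
            "identity": delegate or claimed_id,
            "delegated": delegate is not None}


# Constructed sample pages (stand-ins, not fetched from the real sites).
DELEGATING_PAGE = """<html><head><title>Simon Willison</title>
<link rel="openid.server" href="http://www.livejournal.com/openid/server.bml">
<link rel="openid.delegate" href="http://swillison.livejournal.com/">
</head><body>
<p>A comment a visitor left on the page:</p>
<link rel="openid.server" href="http://attacker.example/server">
</body></html>"""

PROVIDER_HOSTED_PAGE = """<html><head>
<link rel="openid.server openid2.provider" href="http://www.myopenid.com/server" />
</head><body></body></html>"""
```

The body-level link in DELEGATING_PAGE is ignored, which is the point of stopping at </head>: on any page where visitors can add content, an RP that scanned the whole document could be redirected to a provider the attacker controls.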
So everyone will end up with one OpenID that they use for everything?
Probably not
(I have half a dozen OpenIDs already)
People like maintaining multiple online personas
professional, social, secret, ...
OpenID makes it easier to manage multiple online personas
Three accounts is still better than three dozen
Some providers let you host multiple OpenIDs, or create a new one for every site you sign in to
Why is OpenID worth implementing over all the other identity standards?
It’s simple
Unix philosophy: it solves one, tiny problem
It’s a dumb network
Many of the competing standards are now on board
Isn’t putting all my eggs in one basket a really bad idea?
Bad news: chances are you already do
“I forgot my password” means your e-mail account is already an SSO mechanism
OpenID just makes this a bit more obvious
What about phishing?
Phishing is a problem
(demo: “I can has lolcats!? BETA - Make your own lolcats!” offers “Sign in with your OpenID”; image from http://icanhascheezburger.com/2007/05/16/i-has-a-backpack/)
(fake edition: instead of sending you to your provider, the site shows a look-alike “Your identity provider” page - “Username and password, please!” - with Username, Password and Log in fields)
Identity theft :(
An untrusted site redirects you to your trusted provider
Sound familiar?
PayPal, Yahoo! BBAuth, Google Auth, Google Checkout
We'll talk about some potential solutions later
Doesn’t this outsource the security of my users to untrusted third parties?
Yes it does. But...
... so do “forgotten password” e-mails!
If e-mail is secure enough for your users’ authentication, so is OpenID
Password e-mails are essentially SSO with a bad user experience
What are the privacy implications?
Cross correlation of accounts
Don’t publish a user’s OpenID without making it clear that you’re going to do that
Allow users to opt-out of sharing their OpenID
The online equivalent of a credit reporting agency?
This could be built today by sites conspiring to share e-mail addresses
IANAL, but legal protections against this already exist
“Directed identity” in OpenID 2.0 makes it easy to use a different OpenID for every site
Patents?
Sun, VeriSign and JanRain have all announced “patent covenants”
They won’t smack you down with their patents for using OpenID 1.1
They will smack down anyone else who asserts their own patents against OpenID
The OpenID Foundation is working on an IPR Policy
Who else is involved?
~120M OpenIDs
~4200 RPs
AOL - provider, full consumer very soon
Microsoft: Bill Gates expressed their interest at the RSA conference (mainly as good PR for CardSpace?)
Sun: Patent Covenant, 33,000 employees
VeriSign
Symantec
37 Signals
Drupal
Plone
Rails
Six Apart
JanRain
...etc - we'll talk about this more later
Hands on - Creating and using an OpenID
Creating an OpenID
http://openid.net/wiki/index.php/OpenIDServers
ClaimID.com
MyOpenID.com
pip.VeriSignLabs.com
FreeYourID.com
and you may already have one
http://intertwingly.net/blog/2007/01/03/OpenID-for-non-SuperUsers
Using Your OpenID
Jyte.com
Ma.gnolia.com
WikiTravel.com
Basecamp.com
Plaxo.com
HighRiseHQ.com
Blinksale.com
WetPaint.com
Wikispaces.com
Toodledo.com
Adoption, history, and status
OpenID 1.1 - Estimated from various services
2006: ~12 million OpenIDs
2007 (at the time of this talk): ~120 million OpenIDs (including every AOL user)
OpenID 1.1 - As viewed by MyOpenID.com
(chart: Total Relying Parties, aka places you can login with OpenID, Sep '05 to Aug '06, y-axis 0 to 4,500, with the Sxip / Bounty milestone marked)
(chart: the same series extended to July '07, with the MSFT & AOL and Web 2.0 Expo milestones marked)
History 2005 & 2006
Created by Brad Fitzpatrick (Summer 2005)
Yadis Discovery protocol (Jan 2006)
VeriSign launches OpenID Provider (May)
Convergence with i-names (July)
Convergence with Sxip (Aug.)
$50,000 USD Developer Bounty (Aug.)
Technorati adopts OpenID (Oct.)
Tutorials by Simon Willison (Dec.)
History Q1 2007
Mozilla announces intent to support OpenID in Firefox 3 (Jan.)
Microsoft support expressed by Bill Gates and Craig Mundie at RSA Conference keynote (Feb.)
AOL add OpenID to every one of their ~60M accounts (Feb.)
Symantec announces upcoming OpenID products (Feb.)
Digg and NetVibes announce OpenID support (Feb.)
Wordpress.com and 37Signals adopt OpenID (March)
USA Today publishes OpenID article on the Money section front-page (March)
History Q2 2007
Plone 3.0 ships with OpenID support (May)
Sun Microsystems adopts OpenID in enterprise product and provides employees with OpenID (May)
livedoor adds OpenID support (May)
OpenID wins Next Web Award (June)
Leo Laporte and Steve Gibson discuss OpenID (June)
OpenID wins CNET Webware 100 award (June)
Atlassian (makers of enterprise wiki software) supports OpenID (June)
Drupal 6 ships with OpenID support (June)
The OpenID Foundation
The purpose of the OpenID Foundation is to foster and promote the development and adoption of OpenID as a framework for user-centric identity on the Internet.
Founding board
Scott Kveton
Dick Hardt
Johannes Ernst
David Recordon
Martin Atkins
Drummond Reed
Bill Washburn, Executive Director
Artur Bergman
Current efforts
Develop an IPR policy and process for OpenID specifications to keep OpenID free and patent unencumbered
Develop a trademark policy that supports the extended OpenID community
Develop core messaging for OpenID and websites oriented toward developers, users, and other potential adopters
Coordinate World-wide joint marketing and evangelism
OpenID Auth 2.0
• Implementors draft published earlier this year
• Already seen multiple implementations in PHP, Java, Perl, and Python
• Concerns raised from service providers the size of AOL, LiveDoor, Yahoo! around identifier recycling
• Still really close to a final specification
Security concerns
Protocol Security
• DNS Security
• Man in the Middle Attacks
• Eavesdropping Attacks
• MAC Key Weakness
• Replay Attacks
Don't Panic
Phishing
An untrusted site redirects you to your trusted provider
Not just a problem for OpenID, but also for PayPal, Google Auth and Checkout, Yahoo! BBAuth, AOL OpenAuth
Passwords Can be Stolen
• Browsers have poor support for other means
• Users normally ignore browser chrome
• What extent are they willing to go?
• "Gang Kidnaps Gamer to Get Password Using Fake Orkut Date"
Trust
• What if I've never seen the user before?
• What if I know nothing about the OpenID Provider?
"Trust first requires identity" - Brad Fitzpatrick
OpenID does not tell you if a user is good, bad, or even human
Decoupled Authentication
• What if the user didn't authenticate at all?
• How do I know if they met my policies?
• I need strong authentication!
• The user must authenticate within the past five minutes!
Break
Security solutions
Protocol security
• Use SSL correctly throughout the protocol
• Protects against man-in-the-middle, eavesdropping attacks, and DNS attacks
• Generate strong MAC keys and re-negotiate as needed
• Used to verify data integrity and authenticity of OpenID responses
• Verify NONCEs
• Protects against replay attacks
Trust
• Challenge them via a CAPTCHA or email verification
• Even a distributed CAPTCHA
• Use whitelists and blacklists
• Ask someone else whom you trust
"Trust first requires identity" - Brad Fitzpatrick
Decoupled authentication
• OpenID Provider Authentication Policy Extension, draft published June 2006
• Relying Parties can ask for authentication policies such as "phishing resistant" or "multi-factor"
• Providers can respond with policies the user complied with, time since they authenticated, and strength of the credential(s) used per NIST guidelines
• Still has the question of "trust"
Whitelisting Providers
• OpenID doesn't dictate that a RP accept every OpenID
• Certainly most do
• Might make sense for a bank to whitelist
• Other sites, by whitelisting, will only hurt themselves by cutting down the number of users who can sign in
• With Yadis Discovery, a user can list multiple providers and a RP can choose which to use
Vidoop (changes the metaphor by removing passwords) - DEMO
Client Side SSL Certificates - DEMO
Microsoft CardSpace (anti-phishing authentication built into the OS) - DEMO
VeriSign's OpenID SeatBelt (an OpenID convenience and security add-on for Firefox)
• Provide contextual information
• Am I currently logged in and if so as whom?
• Is it safe to login?
• Remove phishing opportunities
• Login when my browser opens
• Take me to my Provider if I'm not logged in
• Protect against common attacks
• Validate SSL certificates when interacting with my Provider
SeatBelt: provide context, remove opportunities, protect - DEMO
The best solutions will be in the browser
Mozilla has said Firefox 3 will include some sort of OpenID integration
IE Team has posted a job ad mentioning "OpenID": "Does the idea of redefining the role of the Internet browser appeal to you? Do the terms HTTP, RSS, Microformats, and OpenID, excite you? If so, then this just might be the opportunity for you."
Clever and creative hacks
Simplified account creation
• The classic OpenID use-case: allow users to create a regular account on your system tied to their OpenID
• Use Simple Registration to pre-fill the signup form
• Let users associate one or more OpenIDs with an existing account
Lightweight accounts
• Sometimes you just need persistent cookies
• Personalisation
• Preference saving
• Anything where users can’t spam you
• http://oscon07.icalico.org/ is a nice example
Simplified OpenID login
• Millions of people have OpenIDs but don’t know what OpenID is
• Offer them a sign-in form specific to their provider
• Construct the OpenID behind the scenes
Internal SSO
• Restrict your internal applications to only accept corporate assigned OpenIDs
• Requires an internal OpenID server
• Wikis, bug trackers, blog engines...
• Applications need to be able to whitelist OpenIDs that match a certain pattern
• http://(\w+).internal.example.com/
Portable contact lists
• Re-adding your friends on every social network completely sucks
• The Facebook platform shows the importance of being able to build even trivial applications on top of an existing network
• An OpenID is globally unique; it’s the ideal hook for building a reusable friend list
Contact list options
• FOAF
• RDF format, exported by LiveJournal
• Currently adding a new “openid” field
• XFN
• Microformat for listing relationships
• Can be embedded directly in HTML
...
<foaf:knows>
  <foaf:Person>
    <foaf:nick>bradfitz</foaf:nick>
    <foaf:member_name>Brad Fitzpatrick</foaf:member_name>
    <foaf:tagLine></foaf:tagLine>
    <foaf:image>http://userpic.livejournal.com/21628/1</foaf:image>
    <rdfs:seeAlso rdf:resource="http://bradfitz.livejournal.com/data/foaf" />
    <foaf:weblog rdf:resource="http://bradfitz.livejournal.com/"/>
  </foaf:Person>
</foaf:knows>
...
http://daveman692.livejournal.com/data/foaf
<ul>
  <li><a href="http://jane-blog.example.org/" rel="date met">Jane</a></li>
  <li><a href="http://dave-blog.example.org/" rel="friend met">Dave</a></li>
  <li><a href="http://darryl-blog.example.org/" rel="friend met">Darryl</a></li>
</ul>
http://gmpg.org/xfn/intro
Pre-approved accounts
• Collaboration apps (private wikis, multi-author blogs, Google Docs etc) often let you “invite” new members to your project
• With OpenID, you can pre-approve their ability to log in without needing to create them a username and password
Social whitelists
• A potential mechanism for tackling blog comment spam
• Create a list of OpenIDs that can skip your spam filter
• Share that list with your friends
• Allow people on their lists to skip your spam filters as well
• http://simonwillison.net/2007/Jan/22/whitelisting/
Group syndication
• A combination of social whitelisting and pre-approved accounts
• Syndicate groups as a list of OpenIDs
• www.jyte.com does this
• Tell another application that “anyone who is a member of that group can sign in”
http://www.jacobian.org/
http://groovymother.com/
http://rodbegbie.sxipper.com/
http://cygnus.myopenid.com/
http://www.b-tree.org/
http://root.b-tree.org/
http://jlam.idproxy.net/
http://claimid.com/jlam
http://openid.aol.com/jlameudaemon
http://jlam.vox.com/
http://jlam.livejournal.com/
http://adamh.openid.pl/
http://robhudson.myopenid.com/
http://recombiant.com/public/yadis.xrdf
http://bradpitcher.livejournal.com/
http://kristate.myopenid.com/
http://michele.campeotto.net/
http://mderk.livejournal.com/
http://meangrape.myopenid.com/
http://telenieko.com/
http://eas.myopenid.com/
http://geekfun.livejournal.com/
http://www.pauladamsmith.com/
http://teknico.myopenid.com/
http://adamendicott.com/
http://simonwillison.net/
http://azuer88.myopenid.com/
http://lightlan.myopenid.com/
jyte.com/api/group/djangonauts/roster
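The pattern whitelist from the Internal SSO slide and the group roster idea above, as one added Python example that is not code from the original tutorial or from Jyte. The roster text is constructed, one OpenID per line, because the slide shows the roster URL but not the API's response format; canonical, is_corporate_openid, parse_roster and may_sign_in are this example's own names. Every OpenID passed to these checks is meant to be the claimed identifier the RP has already verified through the protocol, not a string the user typed.

```python
import re
from urllib.parse import urlsplit, urlunsplit


def canonical(openid):
    """Canonicalise an OpenID URL before comparing it with anything.

    Lower-case scheme and host, drop the fragment, add "/" to an empty path.
    Both sides of every comparison below go through this, so
    "HTTP://Alice.Internal.Example.com" and "http://alice.internal.example.com/"
    are the same OpenID."""
    p = urlsplit(openid.strip())
    if not p.scheme or not p.netloc:
        raise ValueError(f"not an absolute URL: {openid!r}")
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path or "/", p.query, ""))


# The slide's pattern, written as a regular expression that is anchored at
# both ends and has its dots escaped. Used unanchored and unescaped,
# http://(\w+).internal.example.com/ would also accept
#   http://alice.internal.example.com.attacker.example/   (host suffix)
#   http://alicexinternalxexamplexcom/                    ("." matches anything)
CORPORATE_OPENID = re.compile(r"^http://(\w+)\.internal\.example\.com/$")


def is_corporate_openid(openid):
    """Internal SSO: only OpenIDs issued by the internal server may sign in."""
    try:
        return CORPORATE_OPENID.match(canonical(openid)) is not None
    except ValueError:
        return False


# Constructed roster in the spirit of jyte.com/api/group/djangonauts/roster
# (a subset of the OpenIDs listed on the slide; the real response format is
# not shown there, so one URL per line is an assumption).
DJANGONAUTS_ROSTER = """\
http://www.jacobian.org/
http://simonwillison.net/
http://robhudson.myopenid.com/
http://jlam.livejournal.com/
"""


def parse_roster(text):
    """Parse a roster into a set of canonical OpenIDs; blank and '#' lines are skipped."""
    members = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            members.add(canonical(line))
    return frozenset(members)


def may_sign_in(openid, roster):
    """Group syndication: anyone who is a member of that group can sign in."""
    try:
        return canonical(openid) in roster
    except ValueError:
        return False
```

The two checks fail closed: an identifier that is not an absolute URL, or one that merely contains the whitelisted host as a substring, is rejected rather than matched.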
Provider-specific services
• OpenIDs from different providers can tell you different things about a user
• An AOL OpenID “proves” their IM details
• A LiveJournal OpenID lets you discover their RSS, FOAF and LJ Jabber account
• A last.fm OpenID could indicate their taste in music
• Another reason to allow multiple OpenIDs to be associated with a single account
Identity projection
• A related concept
• OpenID lets you project your identity from one service to another
• If you can prove to site X that you are a user of site Y, what new things can you build?
• Lots of opportunities for interesting mashups here
Build a decentralised reputation network
• eBay users build up a trusted reputation over time
• Imagine if reputation could be tied to an OpenID, and aggregated by crawlers
• This wouldn’t punish the bad guys (who would just get a new OpenID), but it would reward the good guys
• Jyte lets you vote on claims about OpenIDs
Being a consumer and a provider
• Not as crazy as you might think
• Letting users sign in with OpenID is a no-brainer
• Providing OpenID as a way of proving ownership of a profile page is also useful
• You could even automatically delegate to the OpenID that they used to sign in
Proxies for proprietary authentication APIs
• Google, Yahoo! and Facebook all provide proprietary authentication APIs
• If they're supporting an authentication API, why don't they just support OpenID?
• You can set yourself up as a proxy between their protocol and OpenID
OpenID in code
Detailed protocol flow
associate
• Back-channel between RP and Provider
• Used to establish a shared secret used for message signing
• HMAC style key calculated with SHA1 or SHA256
• Can use Diffie-Hellman or be in the clear if using SSL
checkid_setup
• Front-channel via browser redirects
• Send the user to their Provider with an OpenID request
• Provider authenticates and prompts user
• Responds with a "yes" or "cancel"
checkid_immediate
• Front-channel via browser redirects
• Send the user to their Provider with an OpenID request
• Provider immediately responds with a "yes" or "no"
• Good for AJAX type setups or "single logout"
check_authentication
• Back-channel between RP and Provider
• Used to verify a signature if there was not an existing association
• Also used to verify a signature if the Provider told the RP to invalidate the existing association
As a drawing
(diagrams from http://leancode.com and http://www.windley.com)
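The four messages above, together with the checks from the Protocol security slides (strong MAC keys, verifying the signature, verifying nonces), as one added Python example that is not part of the original tutorial. A Provider and a RelyingParty object exchange associate, checkid_setup and id_res messages in memory and the RP verifies what comes back. Assumptions made here: the association sends the MAC key in the clear, which is only acceptable over SSL (the DH-SHA1 session type is not implemented); the nonce is an RP-generated, single-use value carried in return_to, as OpenID 1.1 relying parties did it; check_authentication for unknown handles is left out.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit


def kv_form(fields, signed):
    """Key-value form of the signed fields, in signed-list order: one
    newline-terminated "key:value" line per field, keys without "openid."."""
    return "".join(f"{key}:{fields[key]}\n" for key in signed).encode()


def sign(mac_key, fields, signed):
    """base64(HMAC-SHA1(mac_key, kv_form)), the value carried in openid.sig."""
    mac = hmac.new(mac_key, kv_form(fields, signed), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()


class Provider:
    """The OP side: hands out associations and signs id_res responses."""

    def __init__(self):
        self.assocs = {}  # assoc_handle -> MAC key

    def associate(self):
        # HMAC-SHA1 association with the MAC key in the clear: SSL only.
        handle = secrets.token_urlsafe(16)
        mac_key = secrets.token_bytes(20)  # 160 bits, the full HMAC-SHA1 key size
        self.assocs[handle] = mac_key
        return {"assoc_handle": handle,
                "mac_key": base64.b64encode(mac_key).decode(),
                "expires_in": "1209600"}

    def checkid_setup(self, request, user_approves):
        """The response the OP sends the browser back to return_to with."""
        if not user_approves:
            return {"openid.mode": "cancel"}
        signed = ["mode", "identity", "return_to"]
        fields = {"mode": "id_res",
                  "identity": request["openid.identity"],
                  "return_to": request["openid.return_to"]}
        mac_key = self.assocs[request["openid.assoc_handle"]]
        response = {"openid." + k: v for k, v in fields.items()}
        response["openid.assoc_handle"] = request["openid.assoc_handle"]
        response["openid.signed"] = ",".join(signed)
        response["openid.sig"] = sign(mac_key, fields, signed)
        return response


class RelyingParty:
    """The RP side: associates, builds the redirect, verifies the response."""

    def __init__(self, provider, trust_root):
        self.provider = provider
        self.trust_root = trust_root  # ends in "/", so the prefix check is host-exact
        self.assocs = {}   # assoc_handle -> MAC key received from associate
        self.pending = {}  # nonce -> identity sent to the OP; each nonce is single use

    def start(self, identity):
        """Build the checkid_setup request carried to the OP by a browser redirect."""
        if not self.assocs:
            a = self.provider.associate()
            self.assocs[a["assoc_handle"]] = base64.b64decode(a["mac_key"])
        handle = next(iter(self.assocs))
        nonce = secrets.token_urlsafe(12)
        self.pending[nonce] = identity
        return_to = self.trust_root + "openid_finish?" + urlencode({"nonce": nonce})
        return {"openid.mode": "checkid_setup",
                "openid.identity": identity,
                "openid.return_to": return_to,
                "openid.trust_root": self.trust_root,
                "openid.assoc_handle": handle}

    def finish(self, params):
        """Verify an id_res response; return the verified identity, or None."""
        if params.get("openid.mode") != "id_res":
            return None
        mac_key = self.assocs.get(params.get("openid.assoc_handle", ""))
        if mac_key is None:
            return None  # unknown or expired handle: needs check_authentication, not shown
        signed = params.get("openid.signed", "").split(",")
        if not {"identity", "return_to"} <= set(signed):
            return None  # a signature that does not cover these fields proves nothing
        fields = {key: params.get("openid." + key) for key in signed}
        if None in fields.values():
            return None
        expected_sig = sign(mac_key, fields, signed).encode()
        if not hmac.compare_digest(expected_sig, params.get("openid.sig", "").encode()):
            return None
        # return_to must be ours and carry a nonce we issued, consumed exactly once.
        return_to = fields["return_to"]
        if not return_to.startswith(self.trust_root):
            return None
        nonce = parse_qs(urlsplit(return_to).query).get("nonce", [None])[0]
        expected_identity = self.pending.pop(nonce, None)
        if expected_identity is None or expected_identity != fields["identity"]:
            return None
        return expected_identity
```

Call start, hand the request to checkid_setup and pass its response to finish. A second finish with the same response fails on the consumed nonce, a response whose openid.identity was altered fails the HMAC check, and one whose openid.signed list was trimmed so it no longer covers identity and return_to is rejected before any signature is computed.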
Creating an OpenID with your own server
http://siege.org/projects/phpMyID/
Configure Profile Data
/*
 * CONFIGURATION
 *
 * You must change these values:
 *   auth_username = login name
 *   auth_password = md5(username:realm:password)
 *
 * Default username = 'test', password = 'test', realm = 'phpMyID'
 */
$profile = array(
    'auth_username' => 'david',
    'auth_password' => 'e0fee9a99fa2fe004bbd70b972a03aa1'
);

/*
 * Optional - Simple Registration Extension:
 *
 * If you would like to add any of the following optional registration
 * parameters to your login profile, simply uncomment the line, and enter the
 * correct values.
 *
 * Details on the exact allowed values for these parameters can be found at:
 * http://openid.net/specs/openid-simple-registration-extension-1_0.html
 */
$sreg = array (
    'nickname' => 'daveman692',
    'email' => '[email protected]',
    'fullname' => 'David Recordon',
    'dob' => '1986-09-04',
    'gender' => 'M',
    'postcode' => '941458',
    'country' => 'US',
    'language' => 'en',
    'timezone' => 'America/Los_Angeles'
);
Configure Delegation
(source of www.davidrecordon.com)
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>David Recordon</title>
<style>
  div { text-align: center; color: #C0C0C0; }
  img { border: 0px; }
  a { color: #C0C0C0; }
</style>
<link rel="openid.server" href="http://www.davidrecordon.com/myid.php" />
<link rel="openid.delegate" href="http://www.davidrecordon.com/myid.php" />
</head>
Done!
Time to configure and upload phpMyID: ~5 Min
Enabling a Rails app
OpenID enabling iCalico
http://oscon.icalico.org/
Existing users: Sign in and click the "add OpenID" link at the top right
New users: Click "login" and sign in with your OpenID, skipping the signup process :)
Thanks Brian Ellin of JanRain
Tools Used
• iCalico by Kellan Elliott-McCrea and Evan Henshaw-Plath
• Ruby and Rails
• gem install ruby-openid
iCalico User Model
• Stores login name and hashed password
• We need to add an optional OpenID column
class AddOpenId < ActiveRecord::Migration
  def self.up
    add_column :users, :openid, :string
    add_index :users, [:openid], :name => :users_openid_index
  end

  def self.down
    remove_column :users, :openid
  end
end
Now for the best practice
1 class AddOpenId < ActiveRecord::Migration 2 def self.up 3 create_table :openids do |t| 4 t.column :identifier, :string 5 t.column :user_id, :int 6 end 7 end 8 9 def self.down 10 drop_table :openids 11 end 12 end
• Should allow multiple OpenIDs...though is slightly more complex
class User < ActiveRecord::Base
  has_many :openids
end
Using the OpenID Library
def consumer
  # one Consumer per request; the session carries the in-flight login state
  store_dir = Pathname.new(RAILS_ROOT).join('db').join('openid-store')
  store = OpenID::FilesystemStore.new(store_dir)
  return OpenID::Consumer.new(session, store)
end
• FilesystemStore saves OpenID transaction state (associations and nonces) on disk
• OpenID::Consumer handles the protocol details
<h2>Or, login with OpenID</h2>
<%= start_form_tag(:controller=>'account', :action => 'openid_start') %>
<p><label for="openid_identifier">OpenID</label><br/>
<%= text_field_tag 'openid_identifier' %></p>
<%= submit_tag 'OpenID Login' %>
<%= end_form_tag %>
Use the conventional field name: <input name="openid_identifier" />
Add OpenID UI
Handle Login Form Submit
def openid_start
  openid_request = consumer.begin(params[:openid_identifier])

  case openid_request.status
  when OpenID::SUCCESS
    return_to = url_for(:action => 'openid_finish')
    # the site root; return_to must live under the trust_root or the OP refuses
    trust_root = url_for(:controller => '')
    server_redirect_url = openid_request.redirect_url(trust_root, return_to)
    redirect_to(server_redirect_url)

  when OpenID::FAILURE
    flash[:notice] = "Could not find your OpenID server."
    redirect_back_or_default(:controller => '/account', :action => 'index')

  end
end
(we’ll handle the server response at the return_to URL)
1. Discover
2. Associate
3. Redirect
Redirect to OpenID Provider
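The trust_root and return_to sent in openid_start above are tied together by a matching rule the provider applies before it asks the user to trust the site (OpenID 1.1 calls it the trust_root, OpenID 2.0 the realm): same scheme and port, the host equal to the root's host or, with a leading "*.", any subdomain of it, and the path equal to or below the root's path. This added example (not code from the slides or from ruby-openid) implements that rule so an RP can check its own configuration before deploying; rejecting a query string and a wildcard that leaves only a top-level domain are conservative choices of this example, not rules copied from the spec.

```ruby
# Added example: does a return_to URL fall under a trust_root / realm?
require 'uri'

# Parse a trust_root into its matchable parts, or return nil if it is unusable.
def parse_trust_root(root)
  wildcard = !!(root =~ %r{\A[a-z][a-z0-9+.-]*://\*\.}i)
  uri = URI.parse(wildcard ? root.sub('*.', '') : root)
  return nil unless %w[http https].include?(uri.scheme.to_s.downcase)
  return nil if uri.fragment || uri.query        # fragment is forbidden; query rejected here
  host = uri.host.to_s.downcase
  return nil if host.empty?
  # "*.icalico.org" is fine; "*.org" would cover every .org site and is rejected
  return nil if wildcard && host.count('.') < 1
  { :scheme   => uri.scheme.downcase,
    :host     => host,
    :wildcard => wildcard,
    :port     => uri.port,
    :path     => (uri.path.empty? ? '/' : uri.path) }
rescue URI::InvalidURIError
  nil
end

# True when return_to is covered by root under the OpenID matching rule.
def return_to_matches?(root, return_to)
  tr = parse_trust_root(root)
  return false unless tr
  begin
    rt = URI.parse(return_to)
  rescue URI::InvalidURIError
    return false
  end
  return false unless rt.scheme.to_s.downcase == tr[:scheme] && rt.port == tr[:port]
  host = rt.host.to_s.downcase
  host_ok = host == tr[:host] || (tr[:wildcard] && host.end_with?(".#{tr[:host]}"))
  return false unless host_ok
  rt_path = rt.path.empty? ? '/' : rt.path
  # path match is on whole segments: "/account" covers "/account/openid_finish"
  # but not "/accounts/x"
  tr_dir = tr[:path].chomp('/') + '/'
  tr[:path] == '/' || rt_path == tr[:path] || rt_path.start_with?(tr_dir)
end

if __FILE__ == $0
  root = 'http://oscon.icalico.org/'
  %w[http://oscon.icalico.org/account/openid_finish https://oscon.icalico.org/account/openid_finish].each do |rt|
    puts "#{rt} under #{root}: #{return_to_matches?(root, rt)}"
  end
end
```

The same function answers the question the RP cares about in the other direction: if `url_for(:controller => '')` ever produces a root on a different scheme or port from the return_to (a site that redirects to https only for the callback, say), the OP will reject the request, and this check catches it before a user does.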
Handle Server Response
def openid_finish
  openid_response = consumer.complete(params)

  case openid_response.status
  when OpenID::SUCCESS
    openid = openid_response.identity_url
    @user = User.find_by_openid(openid)

    # first login with this OpenID: create an account keyed on it
    unless @user
      @user = User.create(:openid => openid, :login => openid)
    end
    self.current_user = @user
    flash[:notice] = "Welcome #{@user.openid}"

  when OpenID::CANCEL
    # the user backed out at the provider; say so instead of failing silently
    flash[:notice] = 'OpenID login cancelled.'

  when OpenID::FAILURE
    flash[:notice] = 'Verification failed.'
  end

  redirect_back_or_default(:controller => 'talk', :action => 'list')
end
http://oscon.icalico.org/
Done!
Time to implement OpenID in iCalico:
45 minutes
OpenID and Django
django-openid
• http://code.google.com/p/django-openid
• Convenient wrapper around JanRain library
• Currently provides tools for consuming OpenID
from django.http import HttpResponseRedirect

def index(request):
    if request.openid:
        # User is signed in with OpenID
        ...
    else:
        # User is not signed in
        return HttpResponseRedirect('/openidlogin/')
request.openid = most recently signed in OpenID
request.openids = ALL signed in OpenIDs
Additional features
• Simple registration support
• request.openid.sreg['email']
• Coming soon...
• Tie in with django.contrib.auth.User
• Easy creation of an OpenID provider
Best practices for OpenID relying parties
• OpenID extends rather than replaces your existing user accounts system
• Two key steps:
• Allow existing users to associate one or more OpenIDs with their account
• Allow new users to sign up using an OpenID to jump-start the process
• Provide an interface for adding and removing OpenIDs from an account
• Don’t let users associate an OpenID without first authenticating it
• Don’t let users delete the last OpenID associated with their account without having a password set (or they’ll lock themselves out)
Existing accounts
• Use Simple Registration, if available, to pre-fill fields in your registration form
• Not all providers support Simple Registration
• Don’t assume that e-mail addresses etc from Simple Registration are accurate - you may still want to send a verification e-mail
• Don’t assume the user is a human being - challenge with a CAPTCHA or use botbouncer.com
New accounts
Simple Registration
• nickname
• fullname
• dob
• gender
• postcode
• country
• language
• timezone
Some providers (or users) may provide just a subset of this information
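The best-practice rules above (associate only an OpenID you have just verified, allow several per account, never let the last one go without a password) and the Simple Registration advice (pre-fill from whatever subset arrives, keep the e-mail unverified) as one piece of running code. This is an added example, not code from the slides or from iCalico: it uses an in-memory stand-in for the users and openids tables and assumes a User with an optional password hash, many OpenIDs and an e-mail flagged unverified until the site confirms it; sreg fields are passed as a Hash with string keys.

```ruby
# Added example: relying-party account linking with sreg pre-fill, in memory.
require 'set'

class LockoutError < StandardError; end
class NotVerifiedError < StandardError; end

class User
  attr_accessor :login, :password_hash, :email, :email_verified
  attr_reader :openids
  def initialize(login, password_hash = nil)
    @login, @password_hash = login, password_hash
    @openids = Set.new
    @email_verified = false
  end
  def password?; !@password_hash.nil?; end
end

class Accounts
  SREG_FIELDS = %w[nickname email fullname dob gender postcode country language timezone]
  attr_reader :users
  def initialize
    @users = {}       # login => User
    @by_openid = {}   # identifier => User (stands in for the openids table)
  end

  def find_by_openid(identifier); @by_openid[identifier]; end

  # Link only an identifier the consumer has just verified, never one the user
  # merely typed, and never one already owned by a different account.
  def link(user, identifier, verified)
    raise NotVerifiedError, identifier unless verified
    owner = @by_openid[identifier]
    return false if owner && !owner.equal?(user)
    user.openids << identifier
    @by_openid[identifier] = user
    true
  end

  # Removing the last OpenID is allowed only when a password remains;
  # otherwise the user would lock themselves out.
  def unlink(user, identifier)
    return false unless user.openids.include?(identifier)
    if user.openids.size == 1 && !user.password?
      raise LockoutError, 'set a password before removing the last OpenID'
    end
    user.openids.delete(identifier)
    @by_openid.delete(identifier)
    true
  end

  # What openid_finish should do after OpenID::SUCCESS: a known identifier signs
  # its user in, a signed-in user attaches a new identifier, anyone else gets a
  # fresh account jump-started from sreg.
  def sign_in(identifier, current_user, sreg)
    if (user = find_by_openid(identifier))
      user
    elsif current_user
      link(current_user, identifier, true)
      current_user
    else
      user = new_user_from_sreg(identifier, sreg)
      link(user, identifier, true)
      user
    end
  end

  # Pre-fill from whatever subset of sreg fields arrived; the e-mail is stored
  # but stays unverified until a confirmation mail round-trips.
  def new_user_from_sreg(identifier, sreg)
    fields = (sreg || {}).select { |k, v| SREG_FIELDS.include?(k.to_s) && !v.to_s.empty? }
    login = fields['nickname'] || identifier
    login = "#{login}-#{@users.size}" if @users.key?(login)   # avoid clashing logins
    user = User.new(login)
    user.email = fields['email']
    @users[login] = user
    user
  end
end

if __FILE__ == $0
  acc = Accounts.new
  u = acc.sign_in('http://alice.example.org/', nil, {'nickname' => 'alice', 'email' => 'alice@example.org'})
  puts "created #{u.login}, email #{u.email} (verified: #{u.email_verified})"
end
```

The `verified` flag on `link` is the whole point of "don't let users associate an OpenID without first authenticating it": the only caller that passes `true` is the code path that just came back from `consumer.complete` with `OpenID::SUCCESS`, so a profile form that lets a user type an arbitrary URL can never attach it directly.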
http://openid.net/
http://planet.openid.net/
Thanks!
OSCON, July 24th, 2007
Simon Willison - simonwillison.net
David Recordon - davidrecordon.com