OpenID & Oauth Open Standards for Authentication and Authorization (An introduction)

Openid & Oauth: An Introduction


Open Standards for Authentication and Authorization (An introduction). This presentation was originally given for about 80 developers at an internal tech day.

Page 1

OpenID & Oauth

Open Standards for

Authentication and Authorization

(An introduction)

Page 2

The Open Web

• Unencumbered, Cross-Platform Standards

• Open Source / Free Software Implementations

• No Single-Vendor "Lock-In"

• Distributed Extensibility

http://developer.mozilla.org/presentations/sxsw2007/the_open_web/

Page 3

OpenID is…

• Lightweight

• Distributed

• User-Centric (not Site-Centric)

Page 4

OpenID is also…

Built on web standards

DNS/HTTP/SSL

Diffie-Hellman (PKI)

Page 5

History

2005: Developed by Brad Fitzpatrick, Creator of LiveJournal

2006: Delegation, XRI support, extensions: OpenID 2.0

2007: OpenID Foundation

2008: More than 13,000 Consuming Sites

http://en.wikipedia.org/wiki/OpenID#History

Page 6

OpenID In The Wild

Page 7

A Solution For…

• Maintaining Usernames

• Password Overload (insecurity)

• Site-centric Identity

Page 8

Basics

• An OpenID is a URL

– http://redmonk.net

• Provider

– http://myopenid.com

• Relying Parties

• Delegation

– http://redmonk.myopenid.com

Page 9

The Dance (Conversation)

Page 10

DEMO

• LiveJournal User

• Ma.gnolia

• One-Time Authentication

• Persistent Authentication

Page 11

The “Open” in OpenID

• Delegation support is required

<link rel="openid.delegate" />

• Multiple accounts, multiple Providers

• No Lock-in
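The "Basics" and "Open" slides above describe an OpenID as a URL whose page points a Relying Party at a Provider, optionally delegating to a different identity (the redmonk.net / redmonk.myopenid.com pair). The following is an added example, not code from the slides or from any OpenID library: a small Relying-Party-side discovery step that fetches nothing over the network but parses constructed HTML embedded inline. The myOpenID server URL, the idp.example host and the page bodies are all assumed values. It handles the OpenID 1.x link names the slide shows (openid.server / openid.delegate) and also the OpenID 2.0 HTML-discovery names (openid2.provider / openid2.local_id), which the slides do not mention.

```python
from html.parser import HTMLParser

# Constructed HTML for the user's OpenID URL (http://redmonk.net), delegating to a myOpenID
# identity. The server URL is an assumed value, not something taken from the original slides.
REDMONK_HTML = """<html><head>
<title>redmonk.net</title>
<link rel="openid.server" href="http://www.myopenid.com/server" />
<link rel="openid.delegate" href="http://redmonk.myopenid.com/" />
</head><body>A personal site that is also an OpenID.</body></html>"""

# Constructed HTML for an identifier that names a server but does not delegate.
DIRECT_HTML = """<html><head>
<link rel="openid.server" href="http://idp.example/openid/server" />
</head><body></body></html>"""

# Constructed HTML for an ordinary page with no OpenID markup at all.
PLAIN_HTML = '<html><head><link rel="stylesheet" href="/style.css" /></head><body></body></html>'


class OpenIDLinkParser(HTMLParser):
    # Collects the <link rel="openid..." href="..."> tags a Relying Party looks for in the <head>.
    def __init__(self):
        super().__init__()
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        attrs = dict(attrs)
        href = attrs.get("href")
        # rel may hold several space-separated tokens; only the openid ones matter here
        for rel in (attrs.get("rel") or "").lower().split():
            if href and rel.startswith("openid") and rel not in self.links:
                self.links[rel] = href   # first occurrence wins


def discover(claimed_id, html):
    # Returns where the Relying Party sends the user and which identity it asks the Provider about.
    parser = OpenIDLinkParser()
    parser.feed(html)
    links = parser.links
    server = links.get("openid2.provider") or links.get("openid.server")
    if server is None:
        raise ValueError(f"{claimed_id} is not an OpenID identifier (no provider/server link)")
    # With delegation the Provider is asked about the delegate URL; the claimed URL itself
    # stays the user's public identity, which is what lets a user switch Providers later.
    identity = links.get("openid2.local_id") or links.get("openid.delegate") or claimed_id
    return {"claimed_id": claimed_id, "server": server, "identity": identity,
            "delegated": identity != claimed_id}


if __name__ == "__main__":
    print(discover("http://redmonk.net/", REDMONK_HTML))
    print(discover("http://alice.example/", DIRECT_HTML))
```

Two points matter for a Relying Party built on this: discovery must be performed by the Relying Party on the claimed URL it was given, never on a server or delegate supplied by the browser; and when the Provider's assertion comes back, the asserted identity must equal the `identity` value the Relying Party discovered itself, otherwise any Provider could vouch for any URL.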

Page 12

Q & A

Page 13

Oauth is…

“OAuth is like a valet key for all your web services.  A valet key lets you give a valet the ability to park your car, but not the ability to get into the trunk or drive more than 2 miles or redline the RPMs on your high end German automobile.  In the same way, an OAuth key lets you give a web agent the ability to check your web mail but NOT the ability to pretend to be you and send mail to everybody in your address book.”

http://journals.aol.com/panzerjohn/abstractioneer/entries/2007/09/21/oauth-your-valet-key-for-the-web/1550

Page 14

Authentication

Similar to:

• AuthSub (Google)

• BBAuth (Yahoo)

• Flickr Auth

• OpenAuth (AOL)

Page 15

API Level

• Application To Application

• “Agency”

Page 16

Basics

• User

• Service Provider

• Consumer

• Protected Resources

• Tokens

http://oauth.net/documentation/getting-started

Page 17

The Dance (Conversation)

(Developed from: http://oauth.net/core/diagram.png)
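The "Basics" slide names the OAuth roles (User, Service Provider, Consumer, Protected Resources, Tokens) and this slide refers to the dance between them; the valet-key quote earlier explains what the Access Token is for. The following is an added example, not code from the slides or from oauth.net: both sides of the OAuth 1.0 three-legged dance in one process, with the HMAC-SHA1 signature base string from OAuth Core, so the Request Token, user authorization, Access Token exchange and the scoped call to a protected resource can be stepped through. The consumer registration, endpoint URLs, the "mail:read" / "mail:send" scope strings and the fixed timestamp are all constructed; the oauth_verifier is the OAuth 1.0a addition, which post-dates these 2008 slides.

```python
import base64, hashlib, hmac, secrets
from urllib.parse import quote

def percent_encode(value):
    # OAuth 1.0 encoding: RFC 3986 unreserved characters pass through, everything else is %XX
    return quote(value, safe="-._~")

def signature_base_string(method, url, params):
    # METHOD&url&sorted-params, each part percent-encoded; oauth_signature itself is excluded
    normalized = "&".join(f"{percent_encode(k)}={percent_encode(v)}"
                          for k, v in sorted(params.items()) if k != "oauth_signature")
    return "&".join([method.upper(), percent_encode(url), percent_encode(normalized)])

def hmac_sha1_sign(base_string, consumer_secret, token_secret=""):
    # Signing key is consumer_secret&token_secret; the token secret is empty before any token exists
    key = f"{percent_encode(consumer_secret)}&{percent_encode(token_secret)}"
    return base64.b64encode(hmac.new(key.encode(), base_string.encode(), hashlib.sha1).digest()).decode()

class ServiceProvider:
    # Toy Service Provider: pre-registered consumers, both token tables, one protected mailbox
    def __init__(self, consumers):
        self.consumers = consumers      # consumer key -> consumer secret
        self.request_tokens = {}        # token -> {"secret", "authorized", "verifier", "scope"}
        self.access_tokens = {}         # token -> {"secret", "scope"}

    def _check_signature(self, method, url, params, token_secret=""):
        secret = self.consumers[params["oauth_consumer_key"]]
        expected = hmac_sha1_sign(signature_base_string(method, url, params), secret, token_secret)
        if not hmac.compare_digest(params["oauth_signature"], expected):
            raise PermissionError("bad signature")

    def request_token(self, method, url, params):
        # Step 1: unauthorized Request Token; the request is signed with the consumer secret alone
        self._check_signature(method, url, params)
        token, secret = secrets.token_hex(8), secrets.token_hex(16)
        self.request_tokens[token] = {"secret": secret, "authorized": False, "verifier": None, "scope": ()}
        return token, secret

    def user_authorizes(self, token, scope):
        # Step 2: the User, logged in at the Service Provider, approves the token for a scope;
        # the verifier ties this approval to the Consumer's later exchange (OAuth 1.0a addition)
        entry = self.request_tokens[token]
        entry.update(authorized=True, scope=scope, verifier=secrets.token_hex(4))
        return entry["verifier"]

    def access_token(self, method, url, params):
        # Step 3: swap the authorized Request Token (single use) for an Access Token
        entry = self.request_tokens[params["oauth_token"]]
        self._check_signature(method, url, params, entry["secret"])
        if not entry["authorized"] or not hmac.compare_digest(params.get("oauth_verifier", ""), entry["verifier"]):
            raise PermissionError("request token not authorized")
        del self.request_tokens[params["oauth_token"]]
        token, secret = secrets.token_hex(8), secrets.token_hex(16)
        self.access_tokens[token] = {"secret": secret, "scope": entry["scope"]}
        return token, secret

    def protected_resource(self, method, url, params, action):
        # Step 4: the Access Token is the valet key; it opens only what the User approved
        entry = self.access_tokens[params["oauth_token"]]
        self._check_signature(method, url, params, entry["secret"])
        if action not in entry["scope"]:
            raise PermissionError(f"token not authorized for {action}")
        return "inbox: 3 unread messages"

class Consumer:
    # The web agent acting for the User; it never sees the User's password
    def __init__(self, key, secret):
        self.key, self.secret = key, secret

    def signed(self, method, url, extra=None, token=None, token_secret=""):
        params = {"oauth_consumer_key": self.key, "oauth_signature_method": "HMAC-SHA1",
                  "oauth_timestamp": "1225000000", "oauth_nonce": secrets.token_hex(4),
                  "oauth_version": "1.0", **(extra or {})}
        if token:
            params["oauth_token"] = token
        params["oauth_signature"] = hmac_sha1_sign(signature_base_string(method, url, params),
                                                   self.secret, token_secret)
        return params

def run_dance():
    # Constructed consumer registration and endpoint URLs; nothing here is a real service
    sp = ServiceProvider({"magnolia-demo": "consumer-secret-xyz"})
    consumer, base = Consumer("magnolia-demo", "consumer-secret-xyz"), "http://sp.example/oauth"
    rt, rt_secret = sp.request_token("POST", base + "/request_token", consumer.signed("POST", base + "/request_token"))
    verifier = sp.user_authorizes(rt, scope=("mail:read",))   # done in the User's browser, not by the Consumer
    at, at_secret = sp.access_token("POST", base + "/access_token", consumer.signed(
        "POST", base + "/access_token", {"oauth_verifier": verifier}, rt, rt_secret))
    mail = "http://sp.example/mail"
    sign = lambda m: consumer.signed(m, mail, token=at, token_secret=at_secret)
    inbox = sp.protected_resource("GET", mail, sign("GET"), "mail:read")
    try:
        sp.protected_resource("POST", mail, sign("POST"), "mail:send")
        send_denied = False
    except PermissionError:
        send_denied = True   # the valet key does not open the trunk
    return {"inbox": inbox, "send_denied": send_denied, "request_token_reusable": rt in sp.request_tokens}

if __name__ == "__main__":
    print(run_dance())
```

The toy Service Provider leaves out the timestamp and nonce bookkeeping a real one needs: each (consumer key, nonce, timestamp) triple must be accepted only once, or a captured signed request can simply be replayed. The Consumer side shows the point the valet-key quote makes in code: it holds the User's tokens and secrets, never the User's password, and the Service Provider refuses any action outside the scope the User approved.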

Page 18

Who’s Supporting Oauth?

Google

FireEagle (Yahoo)

Ma.gnolia

Amazon

Flickr

Digg

And more…

Page 19

Q & A

Page 20

Sources

http://www.slideshare.net/daveman692/open-id-overview-seoul-july-2007

http://en.wikipedia.org/wiki/Diffie-Hellman_key_exchange

http://en.wikipedia.org/wiki/OpenID#History

http://wiki.openid.net/

http://openid.net

http://oauth.net

http://journals.aol.com/panzerjohn/abstractioneer/entries/2007/09/21/oauth-your-valet-key-for-the-web/1550

http://oauth.net/core/diagram.png

http://www.slideshare.net/leahculver/oauth-open-api-authentication

http://www.slideshare.net/daveman692/open-platforms-in-web-20

Page 21

Your Host

Steve [email protected]

Open Standards, Open Source Agitator

http://redmonk.net/

Page 22