steve-ivy
Open Standards for Authentication and Authorization (An introduction). This presentation was originally given for about 80 developers at an internal tech day.
OpenID & OAuth
Open Standards for
Authentication and Authorization
(An introduction)
The Open Web
• Unencumbered, Cross-Platform Standards
• Open Source / Free Software Implementations
• No Single-Vendor "Lock-In”
• Distributed Extensibility
http://developer.mozilla.org/presentations/sxsw2007/the_open_web/
OpenID is…
• Lightweight
• Distributed
• User-Centric (not Site-Centric)
OpenID is also…
• Built on web standards: DNS, HTTP, SSL
• Diffie-Hellman key exchange (key agreement, not PKI): the Relying Party and the Provider use it to agree the shared secret of an "association", and the Provider HMAC-signs its assertions with that secret
History
2005: Developed by Brad Fitzpatrick, Creator of LiveJournal
2006: Delegation, XRI support, extensions: OpenID 2.0
2007: OpenID Foundation
2008: More than 13,000 Consuming Sites
http://en.wikipedia.org/wiki/OpenID#History
OpenID In The Wild
A Solution For…
• Maintaining Usernames
• Password Overload (insecurity)
• Site-centric Identity
Basics
• An OpenID is a URL
– http://redmonk.net
• Provider
– http://myopenid.com
• Relying Parties
• Delegation
– http://redmonk.myopenid.com
The Dance (Conversation)
DEMO
• LiveJournal User
• Ma.gnolia
• One-Time Authentication
• Persistent Authentication
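The security mechanics behind the dance, as an added example that is not part of the original slides or of any OpenID library: the Relying Party and the Provider agree a MAC key with Diffie-Hellman (an "association"), the Provider signs its assertion with that key, and the Relying Party verifies the signature and refuses a replayed response_nonce. The DH group is a deliberate toy so the demo runs instantly, and the endpoint, return_to, nonce and handle values are assumed sample values; the identifiers are the ones shown on the slides.

```python
"""OpenID association (DH-SHA256 style) and a signed, replay-checked assertion.

Added illustration, not code from the original slides or from any OpenID
library. It follows the OpenID 2.0 association and HMAC signature layout,
but the DH group below is a toy chosen so the demo runs instantly.
"""
import base64
import hashlib
import hmac
import secrets

# Assumption / demo only: 2**521 - 1 is a known (Mersenne) prime, but a real
# Relying Party and Provider must use the spec's default modulus or another
# vetted group, never a small or ad-hoc one.
P = 2**521 - 1
G = 2


def btwoc(n: int) -> bytes:
    """Big-endian two's-complement encoding OpenID uses for DH integers."""
    return n.to_bytes((n.bit_length() + 8) // 8, "big")


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(i ^ j for i, j in zip(a, b))


def dh_keypair():
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def provider_associate(consumer_public: int):
    """Provider side: returns (server_public, enc_mac_key) for the wire plus the
    MAC key it keeps. enc_mac_key = SHA256(btwoc(shared)) XOR mac_key."""
    y, server_public = dh_keypair()
    shared = pow(consumer_public, y, P)
    mac_key = secrets.token_bytes(32)
    enc_mac_key = xor(hashlib.sha256(btwoc(shared)).digest(), mac_key)
    return server_public, enc_mac_key, mac_key


def rp_recover_mac_key(x: int, server_public: int, enc_mac_key: bytes) -> bytes:
    """Relying Party side: derive the same shared secret from its own private x."""
    shared = pow(server_public, x, P)
    return xor(hashlib.sha256(btwoc(shared)).digest(), enc_mac_key)


def kv_form(fields: dict, signed: list) -> bytes:
    """Key-Value form of the signed fields: 'name:value\\n' per field, in order."""
    return "".join(f"{k}:{fields[k]}\n" for k in signed).encode()


def sign(fields: dict, signed: list, mac_key: bytes) -> str:
    mac = hmac.new(mac_key, kv_form(fields, signed), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()


def verify_assertion(fields: dict, mac_key: bytes, seen_nonces: set) -> bool:
    """RP check: the mandatory fields must be covered by the signature, the
    signature must verify, and the response_nonce must be fresh (replay defence)."""
    signed = fields["signed"].split(",")
    required = {"op_endpoint", "return_to", "response_nonce", "assoc_handle"}
    if not required.issubset(signed):
        return False
    if not hmac.compare_digest(sign(fields, signed, mac_key), fields.get("sig", "")):
        return False
    if fields["response_nonce"] in seen_nonces:
        return False
    seen_nonces.add(fields["response_nonce"])
    return True


def run_demo():
    x, consumer_public = dh_keypair()
    server_public, enc_mac_key, op_mac_key = provider_associate(consumer_public)
    rp_mac_key = rp_recover_mac_key(x, server_public, enc_mac_key)

    # Positive assertion with constructed sample values: the endpoint, return_to,
    # nonce and handle are assumptions; the identifiers come from the slides.
    fields = {
        "ns": "http://specs.openid.net/auth/2.0",
        "mode": "id_res",
        "op_endpoint": "http://www.myopenid.com/server",
        "claimed_id": "http://redmonk.net/",
        "identity": "http://redmonk.myopenid.com/",
        "return_to": "http://rp.example/openid/return",
        "response_nonce": "2008-03-01T12:00:00Zx7q",
        "assoc_handle": "demo-handle",
    }
    signed = ["op_endpoint", "claimed_id", "identity", "return_to", "response_nonce", "assoc_handle"]
    fields["signed"] = ",".join(signed)
    fields["sig"] = sign(fields, signed, op_mac_key)

    seen = set()
    first = verify_assertion(fields, rp_mac_key, seen)
    replay = verify_assertion(fields, rp_mac_key, seen)
    tampered = verify_assertion(dict(fields, claimed_id="http://attacker.example/"), rp_mac_key, seen)
    return rp_mac_key == op_mac_key, first, replay, tampered
```

`run_demo()` returns `(True, True, False, False)`: both sides derive the same MAC key, the genuine assertion verifies once, the identical assertion is rejected the second time, and an assertion whose claimed_id was altered in transit fails the signature check. A Relying Party that cannot keep association state can instead ask the Provider to verify the signature ("check_authentication"), at the cost of one extra round trip.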
The “Open” in OpenID
• Delegation support is required
<link rel="openid.delegate" href="http://redmonk.myopenid.com/" />
– paired with an openid.server link that names the Provider's endpoint
• Multiple accounts, multiple Providers
• No Lock-in
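How a Relying Party reads those link tags and, just as important, how it uses what it found, as an added example that is not part of the original slides or of any OpenID library. The HTML is a constructed stand-in for the page at http://redmonk.net, the Provider endpoint URL in it is an assumption, and the openid2.* tag names are the OpenID 2.0 equivalents of the 1.x openid.server / openid.delegate pair.

```python
"""OpenID HTML discovery for a delegated identifier, plus the binding check an
RP must make before trusting an assertion.

Added illustration, not code from the original slides or any OpenID library.
REDMONK_HTML is constructed; the endpoint URL in it is an assumption.
"""
from html.parser import HTMLParser


class OpenIDLinkParser(HTMLParser):
    """Collects <link rel=... href=...> tags from an identity page."""

    def __init__(self):
        super().__init__()
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = dict(attrs)
        for rel in (a.get("rel") or "").split():  # rel may list several tokens
            self.links.setdefault(rel.lower(), a.get("href"))


def discover(html: str) -> dict:
    """Return the Provider endpoint and the local (delegated) identifier.

    OpenID 2.0 uses rel="openid2.provider" / "openid2.local_id"; OpenID 1.x
    uses rel="openid.server" / "openid.delegate". Without a delegate tag the
    local identifier is the claimed URL itself (local_id = None here).
    """
    p = OpenIDLinkParser()
    p.feed(html)
    l = p.links
    if "openid2.provider" in l:
        return {"version": 2, "provider": l["openid2.provider"], "local_id": l.get("openid2.local_id")}
    if "openid.server" in l:
        return {"version": 1, "provider": l["openid.server"], "local_id": l.get("openid.delegate")}
    raise ValueError("no OpenID link tags found")


def assertion_matches_discovery(claimed_id: str, discovered: dict, fields: dict) -> bool:
    """Accept an assertion only if its op_endpoint and identity are exactly the
    ones discovered from the claimed identifier. Without this check any
    Provider could assert ownership of any URL."""
    local_id = discovered["local_id"] or claimed_id
    return (fields.get("op_endpoint") == discovered["provider"]
            and fields.get("identity") == local_id)


# Constructed stand-in for the identity page; the endpoint URL is an assumption.
REDMONK_HTML = """<html><head>
<link rel="openid.server" href="http://www.myopenid.com/server" />
<link rel="openid.delegate" href="http://redmonk.myopenid.com/" />
<link rel="openid2.provider" href="http://www.myopenid.com/server" />
<link rel="openid2.local_id" href="http://redmonk.myopenid.com/" />
<title>redmonk.net</title>
</head><body>...</body></html>"""
```

The "no lock-in" property is exactly the point of the second function: the user's page, not the Provider, says which Provider may speak for http://redmonk.net, so a Relying Party that skips the discovery comparison has handed that decision to whoever answers.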
Q & A
OAuth is…
“OAuth is like a valet key for all your web services. A valet key lets you give a valet the ability to park your car, but not the ability to get into the trunk or drive more than 2 miles or redline the RPMs on your high end German automobile. In the same way, an OAuth key lets you give a web agent the ability to check your web mail but NOT the ability to pretend to be you and send mail to everybody in your address book.”
http://journals.aol.com/panzerjohn/abstractioneer/entries/2007/09/21/oauth-your-valet-key-for-the-web/1550
Authorization (delegated API access)
Similar to:
• AuthSub (Google)
• BBAuth (Yahoo)
• Flickr Auth
• OpenAuth (AOL)
API Level
• Application To Application
• “Agency”
Basics
• User
• Service Provider
• Consumer
• Protected Resources
• Tokens
http://oauth.net/documentation/getting-started
The Dance (Conversation)
(Developed from: http://oauth.net/core/diagram.png)
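What the tokens in the dance are for: every call to a Protected Resource is signed with the Consumer's secret and the token secret, and the Service Provider checks that signature rather than ever seeing the User's password. Added example, not code from the original slides or from any OAuth library; it implements OAuth 1.0 HMAC-SHA1 signing on the Consumer side and the checks a Service Provider should make (signature, timestamp window, nonce replay). The keys, token, resource URL and clock are sample values, not real credentials.

```python
"""OAuth 1.0 HMAC-SHA1 signing (Consumer) and verification (Service Provider).

Added illustration, not code from the original slides or from any OAuth
library. Keys, token, resource URL and clock are sample values.
"""
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit


def percent_encode(s) -> str:
    """OAuth's strict RFC 3986 encoding: only A-Z a-z 0-9 - . _ ~ stay bare."""
    return quote(str(s), safe="-._~")


def normalize_url(url: str) -> str:
    """Lowercase scheme/host, drop default port, strip query and fragment."""
    u = urlsplit(url)
    scheme, host = u.scheme.lower(), (u.hostname or "").lower()
    if u.port and u.port != {"http": 80, "https": 443}.get(scheme):
        host = f"{host}:{u.port}"
    return f"{scheme}://{host}{u.path}"


def signature_base_string(method: str, url: str, params: dict) -> str:
    """METHOD & enc(base URL) & enc(sorted 'k=v' pairs joined by '&').
    Query-string parameters are included; oauth_signature and realm are not."""
    pairs = list(params.items()) + parse_qsl(urlsplit(url).query, keep_blank_values=True)
    encoded = sorted((percent_encode(k), percent_encode(v)) for k, v in pairs
                     if k not in ("oauth_signature", "realm"))
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), percent_encode(normalize_url(url)), percent_encode(normalized)])


def hmac_sha1_signature(method, url, params, consumer_secret, token_secret=""):
    """Key is enc(consumer_secret)&enc(token_secret); token_secret is empty when
    asking for a Request Token, because no token exists yet."""
    key = f"{percent_encode(consumer_secret)}&{percent_encode(token_secret)}".encode()
    mac = hmac.new(key, signature_base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()


class ServiceProvider:
    """Verifier: consumer/token lookup, timestamp window, nonce replay, signature."""

    def __init__(self, consumer_secrets: dict, token_secrets: dict, window: int = 300):
        self.consumer_secrets, self.token_secrets, self.window = consumer_secrets, token_secrets, window
        self.seen_nonces = set()

    def verify(self, method: str, url: str, params: dict, now: int) -> str:
        consumer_secret = self.consumer_secrets.get(params.get("oauth_consumer_key"))
        if consumer_secret is None or params.get("oauth_signature_method") != "HMAC-SHA1":
            return "unknown consumer or unsupported method"
        token = params.get("oauth_token")
        if token is not None and token not in self.token_secrets:
            return "unknown token"
        try:
            ts = int(params["oauth_timestamp"])
        except (KeyError, ValueError):
            return "bad timestamp"
        if abs(now - ts) > self.window:
            return "timestamp outside window"
        nonce_key = (params["oauth_consumer_key"], ts, params.get("oauth_nonce"))
        if nonce_key in self.seen_nonces:
            return "nonce replayed"
        expected = hmac_sha1_signature(method, url, params, consumer_secret,
                                       self.token_secrets.get(token, ""))
        if not hmac.compare_digest(expected, params.get("oauth_signature", "")):
            return "bad signature"
        self.seen_nonces.add(nonce_key)  # remember the nonce only once the request is accepted
        return "ok"


# Sample values for the demo (not real credentials)
CONSUMER_KEY, CONSUMER_SECRET = "dpf43f3p2l4k3l03", "kd94hf93k423kf44"
TOKEN, TOKEN_SECRET = "nnch734d00sl2jdk", "pfkkdhi9sl3r4s00"
RESOURCE = "http://photos.example.net/photos?file=vacation.jpg&size=original"
NOW = 1191242096


def signed_request(nonce="kllo9940pd9333jh", timestamp=NOW) -> dict:
    """What the Consumer sends (as an Authorization header or query parameters)."""
    params = {
        "oauth_consumer_key": CONSUMER_KEY, "oauth_token": TOKEN,
        "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": str(timestamp),
        "oauth_nonce": nonce, "oauth_version": "1.0",
    }
    params["oauth_signature"] = hmac_sha1_signature("GET", RESOURCE, params, CONSUMER_SECRET, TOKEN_SECRET)
    return params


def run_demo():
    sp = ServiceProvider({CONSUMER_KEY: CONSUMER_SECRET}, {TOKEN: TOKEN_SECRET})
    req = signed_request()
    first = sp.verify("GET", RESOURCE, req, NOW)
    replay = sp.verify("GET", RESOURCE, req, NOW)                # same nonce and timestamp again
    req2 = signed_request(nonce="second-nonce")
    altered = RESOURCE.replace("size=original", "size=large")   # URL changed after signing
    tampered = sp.verify("GET", altered, req2, NOW)
    return first, replay, tampered
```

`run_demo()` returns `("ok", "nonce replayed", "bad signature")`. Two details matter in practice: the base string covers the query parameters, so a request cannot be re-pointed at a different resource, and the nonce store is keyed per consumer and timestamp, which is what lets the Service Provider expire old entries instead of growing the set forever.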
Who's Supporting OAuth?
Fire Eagle (Yahoo)
Ma.gnolia
Amazon
Flickr
Digg
And more…
Q & A
Sources
http://www.slideshare.net/daveman692/open-id-overview-seoul-july-2007
http://en.wikipedia.org/wiki/Diffie-Hellman_key_exchange
http://en.wikipedia.org/wiki/OpenID#History
http://wiki.openid.net/
http://openid.net
http://oauth.net
http://journals.aol.com/panzerjohn/abstractioneer/entries/2007/09/21/oauth-your-valet-key-for-the-web/1550
http://oauth.net/core/diagram.png
http://www.slideshare.net/leahculver/oauth-open-api-authentication
http://www.slideshare.net/daveman692/open-platforms-in-web-20