Identity on the Web: OpenID vs OAuth
Identity Management in SOA
Richard Metzler
May 2010
Outline
I. User Authentication
II. OpenID
III. OAuth
IV. Compare OpenID & OAuth
V. My Project
User Authentication
User Authentication
• every single website needs my credentials
• username / e-mail
• password
• should be secure
• should not be reused
• how to remember?
Resulting Problems
• identity is scattered
• passwords
• millions to remember vs recycling
• how to authorize third party access?
➡ Password Anti-Pattern
OpenID
OpenID
• sharing a single identity with different consumers
• decentralized
• OpenID 2.0 (without XRI)
http://openid.net/
Roles in OpenID
• User owns account at OpenID Provider
• User proves Identity to Relying Party
OpenID Flow
http://www.openaselect.org/trac/openaselect/wiki/OpenID
Sign in with OpenID Identifier
Discovery & Delegation: obtain OP Endpoint
Establish Association
• shared secret (MAC key) between Relying Party & OpenID Provider, later used to sign and verify assertions
• Diffie-Hellman key exchange
• (g^xa)^xb mod p = (g^xb)^xa mod p
http://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange
Redirect User Agent to OP Endpoint
Return URL Verification
• OpenId Provider checks:
• do Realm and return_to URL match?
User Authentication
OpenID Provider presents Realm
Redirect User Agent back to the return_to URL (Relying Party)
Verification
• Relying Party checks:
• return_to URL
• OpenID Identifier
• has the Nonce never been seen before? (replay protection)
• required fields signed, signature valid
Logged in
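The association, realm check, signing and verification steps above, worked through end to end as an added example (not code from the slides or from any OpenID library). It assumes a toy Diffie-Hellman group instead of the spec's 1536-bit default, hashes g^xy directly instead of the spec's H(btwoc(g^xy)) XOR enc_mac_key derivation, and uses constructed URLs, identifiers and nonce values:

```python
"""OpenID 2.0 pieces as an added example (not the deck's code): DH association
(slide 12), the OP's realm/return_to check (slide 15), the OP signing its
assertion, and the RP verification of slide 20. All values are constructed."""
import base64
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Toy DH group (assumption, NOT secure); OpenID 2.0 ships a 1536-bit default modulus.
P = 2**127 - 1   # a Mersenne prime: enough to demonstrate the math, nothing more
G = 5

def dh_keypair():
    """Return (private exponent x, public value g^x mod p)."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)

def dh_mac_key(my_private, their_public):
    """(g^xa)^xb mod p == (g^xb)^xa mod p, so RP and OP derive the same MAC key.
    Simplified from the spec's H(btwoc(g^xy)) XOR enc_mac_key: we just hash g^xy."""
    shared = pow(their_public, my_private, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()

def return_to_matches_realm(return_to, realm):
    """Slide 15, OP side: scheme, host and port must match, a '*.' realm host also
    matches subdomains, and the realm path must be a prefix of the return_to path."""
    r, m = urlparse(return_to), urlparse(realm)
    if r.scheme != m.scheme or r.port != m.port:
        return False
    host, pattern = r.hostname or "", m.hostname or ""
    if pattern.startswith("*."):
        if host != pattern[2:] and not host.endswith(pattern[1:]):
            return False
    elif host != pattern:
        return False
    return r.path.startswith(m.path or "/")

SIGNED = ["op_endpoint", "return_to", "response_nonce", "assoc_handle",
          "claimed_id", "identity", "signed"]

def key_value_form(fields, signed):
    # Spec key-value form: one "name:value" line per signed field, names without "openid."
    return "".join(f"{k}:{fields['openid.' + k]}\n" for k in signed).encode()

def op_sign(mac_key, fields):
    """OP side: add openid.signed and openid.sig (HMAC-SHA256 with the association key)."""
    out = dict(fields, **{"openid.signed": ",".join(SIGNED)})
    mac = hmac.new(mac_key, key_value_form(out, SIGNED), hashlib.sha256).digest()
    out["openid.sig"] = base64.b64encode(mac).decode()
    return out

class RelyingParty:
    REQUIRED = {"op_endpoint", "return_to", "response_nonce", "assoc_handle"}

    def __init__(self, mac_key, return_to, expected_claimed_id):
        self.mac_key, self.return_to = mac_key, return_to
        self.expected_claimed_id = expected_claimed_id
        self.seen_nonces = set()          # per-OP store backing the replay check

    def verify(self, resp, now, max_skew=timedelta(minutes=5)):
        """Slide 20 checks in order; returns (ok, reason)."""
        if resp.get("openid.return_to") != self.return_to:
            return False, "return_to mismatch"
        if resp.get("openid.claimed_id") != self.expected_claimed_id:
            return False, "identifier mismatch"
        nonce = resp.get("openid.response_nonce", "")
        try:                              # nonce = UTC timestamp + unique suffix
            stamp = datetime.strptime(nonce[:20], "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            return False, "malformed nonce"
        if abs(now - stamp) > max_skew:
            return False, "nonce timestamp outside window"
        if nonce in self.seen_nonces:
            return False, "nonce replayed"
        signed = resp.get("openid.signed", "").split(",")
        if not self.REQUIRED <= set(signed) or any("openid." + k not in resp for k in signed):
            return False, "required field missing or unsigned"
        expected = hmac.new(self.mac_key, key_value_form(resp, signed), hashlib.sha256).digest()
        if not hmac.compare_digest(base64.b64decode(resp.get("openid.sig", "")), expected):
            return False, "bad signature"
        self.seen_nonces.add(nonce)       # record only once every check has passed
        return True, "ok"

def demo():
    """Association, one good assertion, the same assertion replayed, a tampered copy."""
    rp_priv, rp_pub = dh_keypair()
    op_priv, op_pub = dh_keypair()
    rp_key, op_key = dh_mac_key(rp_priv, op_pub), dh_mac_key(op_priv, rp_pub)
    return_to, realm = "https://rp.example/openid/return?sid=42", "https://rp.example/"
    claimed = "https://alice.op.example/"
    fields = {"openid.ns": "http://specs.openid.net/auth/2.0", "openid.mode": "id_res",
              "openid.op_endpoint": "https://op.example/server", "openid.return_to": return_to,
              "openid.response_nonce": "2010-05-15T17:11:51Zab12", "openid.assoc_handle": "h-1",
              "openid.claimed_id": claimed, "openid.identity": claimed}
    now = datetime(2010, 5, 15, 17, 12, 0)
    rp = RelyingParty(rp_key, return_to, claimed)
    resp = op_sign(op_key, fields)
    first, replay = rp.verify(resp, now), rp.verify(resp, now)
    forged = dict(resp, **{"openid.identity": "https://mallory.example/",
                           "openid.response_nonce": "2010-05-15T17:11:52Zcd34"})
    return rp_key == op_key, return_to_matches_realm(return_to, realm), first, replay, rp.verify(forged, now)

if __name__ == "__main__":
    print(demo())
```

The nonce is recorded only after the signature has been checked, so an attacker cannot burn a legitimate nonce by sending an unsigned copy first; the timestamp window bounds how long the nonce store has to remember values.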
OAuth
OAuth
• sharing your data without sharing your password
• centralized
• OAuth 1.0a (current version)
• Draft for OAuth 2.0
http://oauth.net/
Roles
• User owns Resource at Service Provider
• User grants Consumer access to Resource
OAuth Dance
http://fireeagle.yahoo.net/developer/documentation/web_auth
Register Consumer, get Consumer Key
• manually register Consumer at Service Provider
• identified by Consumer Key / Consumer Secret
• Callback URL
• all subsequent Requests must be signed with Consumer Secret, Nonce & Timestamp
Sign in with OAuth
Get Request Token
• Consumer asks Service Provider for Request Token
• Request Token identifies authorization workflow
• not user specific
• transmitted in URL when User Agent is redirected
HTTP Redirect to Service Provider
Authenticate
Grant Access
HTTP Redirect to Consumer Callback
Get Access Token
• Consumer trades Request Token for Access Token
• Access Token grants access to Service Provider on behalf of User
• user specific
Logged in
Access Resource
• authenticated access on Resource
• must be signed
• Consumer Key
• OAuth Token
• Timestamp
• Nonce
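The whole OAuth dance from slide 27 to slide 38, with both the Consumer's signing and the Service Provider's checks, as an added example (not code from the slides or from any OAuth library). Consumer key, secrets, token strings, URLs and the user "alice" are constructed for the example; the provider is an in-memory stand-in for a real service:

```python
"""OAuth 1.0a dance as an added example (not the deck's or any library's code):
HMAC-SHA1 request signing, request token, user grant with verifier, access
token exchange, and the provider's signature and nonce/timestamp checks."""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote

def pct(s):
    """OAuth percent-encoding: only RFC 3986 unreserved characters stay bare."""
    return quote(str(s), safe="-._~")

def base_string(method, url, params):
    """METHOD & enc(url) & enc(normalized params), params sorted after encoding."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    return "&".join([method.upper(), pct(url), pct("&".join(f"{k}={v}" for k, v in pairs))])

def sign(method, url, params, consumer_secret, token_secret=""):
    """HMAC-SHA1 over the base string, keyed with enc(consumer secret)&enc(token secret)."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()

def oauth_params(consumer_key, token=None, ts=None, nonce=None, **extra):
    """The oauth_* parameters every signed request carries (slides 27 and 38)."""
    p = {"oauth_consumer_key": consumer_key, "oauth_signature_method": "HMAC-SHA1",
         "oauth_timestamp": str(ts if ts is not None else int(time.time())),
         "oauth_nonce": nonce or secrets.token_hex(8), "oauth_version": "1.0", **extra}
    if token:
        p["oauth_token"] = token
    return p

class ServiceProvider:
    def __init__(self):
        self.consumers = {}          # consumer key -> (secret, callback)
        self.request_tokens = {}     # token -> {secret, consumer, user, verifier}
        self.access_tokens = {}      # token -> {secret, consumer, user}
        self.seen = set()            # (consumer key, timestamp, nonce) already used

    def register_consumer(self, callback):
        """Slide 27: manual registration yields Consumer Key and Consumer Secret."""
        key, secret = "ck-" + secrets.token_hex(4), secrets.token_hex(16)
        self.consumers[key] = (secret, callback)
        return key, secret

    def _check(self, method, url, params, token_secret="", now=None, window=300):
        """Reject unknown consumers, stale timestamps, reused nonces and bad signatures."""
        consumer = self.consumers.get(params.get("oauth_consumer_key"))
        if consumer is None:
            raise PermissionError("unknown consumer")
        ts = int(params.get("oauth_timestamp", 0))
        if abs((now if now is not None else int(time.time())) - ts) > window:
            raise PermissionError("stale timestamp")
        replay_key = (params["oauth_consumer_key"], ts, params.get("oauth_nonce"))
        if replay_key in self.seen:
            raise PermissionError("replayed nonce")
        unsigned = {k: v for k, v in params.items() if k != "oauth_signature"}
        expected = sign(method, url, unsigned, consumer[0], token_secret)
        if not hmac.compare_digest(expected, params.get("oauth_signature", "")):
            raise PermissionError("bad signature")
        self.seen.add(replay_key)

    def request_token(self, method, url, params, now=None):
        """Slide 29: a request token identifies the workflow, not yet a user."""
        self._check(method, url, params, now=now)
        tok, sec = "rt-" + secrets.token_hex(4), secrets.token_hex(16)
        self.request_tokens[tok] = {"secret": sec, "consumer": params["oauth_consumer_key"],
                                    "user": None, "verifier": None}
        return tok, sec

    def authorize(self, token, user):
        """Slides 32-33: the authenticated user grants access. The 1.0a verifier goes
        back through the callback, so a request token alone cannot finish the dance."""
        rt = self.request_tokens[token]
        rt["user"], rt["verifier"] = user, secrets.token_hex(4)
        return rt["verifier"]

    def access_token(self, method, url, params, now=None):
        """Slide 36: trade an authorized request token plus verifier for an access token."""
        rt = self.request_tokens.get(params.get("oauth_token"))
        if rt is None or rt["verifier"] is None or rt["verifier"] != params.get("oauth_verifier"):
            raise PermissionError("request token not authorized")
        if rt["consumer"] != params.get("oauth_consumer_key"):
            raise PermissionError("token belongs to another consumer")
        self._check(method, url, params, rt["secret"], now)
        del self.request_tokens[params["oauth_token"]]
        tok, sec = "at-" + secrets.token_hex(4), secrets.token_hex(16)
        self.access_tokens[tok] = {"secret": sec, "consumer": rt["consumer"], "user": rt["user"]}
        return tok, sec

    def resource(self, method, url, params, now=None):
        """Slide 38: every resource request is signed with consumer and token secrets."""
        at = self.access_tokens.get(params.get("oauth_token"))
        if at is None:
            raise PermissionError("unknown access token")
        self._check(method, url, params, at["secret"], now)
        return {"owner": at["user"], "profile_picture": f"/pics/{at['user']}.png"}

def demo(now=1273939200):
    """Run the whole dance against the in-memory provider with a fixed clock."""
    sp = ServiceProvider()
    ck, cs = sp.register_consumer("https://consumer.example/callback")
    url = "https://provider.example/oauth/request_token"
    p = oauth_params(ck, ts=now, oauth_callback="https://consumer.example/callback")
    p["oauth_signature"] = sign("POST", url, p, cs)
    rt, rts = sp.request_token("POST", url, p, now)
    verifier = sp.authorize(rt, "alice")        # user authenticates and grants access
    url = "https://provider.example/oauth/access_token"
    p = oauth_params(ck, token=rt, ts=now, oauth_verifier=verifier)
    p["oauth_signature"] = sign("POST", url, p, cs, rts)
    at, ats = sp.access_token("POST", url, p, now)
    url = "https://provider.example/api/profile"
    p = oauth_params(ck, token=at, ts=now, nonce="n1")
    p["oauth_signature"] = sign("GET", url, p, cs, ats)
    data = sp.resource("GET", url, p, now)
    try:                                        # the same signed request again: replay
        sp.resource("GET", url, p, now)
        replay = "accepted"
    except PermissionError as e:
        replay = str(e)
    return data, replay
```

The base string and signature functions can be checked against the worked example in the OAuth Core 1.0 specification (Appendix A): the "photos" request with consumer secret kd94hf93k423kf44 and token secret pfkkdhi9sl3r4s00 must sign to tR3+Ty81lMeYAr/Fid0kMTYa/WM=. Note that the Access Token alone is worthless to an eavesdropper: without the token secret and consumer secret no valid signature can be produced, and even a captured signed request is rejected on replay.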
OpenId vs OAuth
Commonalities
• both involve three parties
• open, community-driven protocols
• HTTP based
• not mutually exclusive
Differences
• sharing: identity vs data resources
• decentralized vs centralized
• Consumer-Provider relationship:
• unknown (any Relying Party can talk to any OpenID Provider) vs well-known (Consumer registered at the Service Provider in advance)
My Project
My Project
• Implement OAuth Service Provider & OAuth Consumer example
• API for manageable resources (ideas)
• profile pictures
• activity streams Atom feed extension
• RESTful API for editing RDF::FOAF data
http://activitystrea.ms/
http://www.foaf-project.org/
Questions?