Embed Size (px)
Citation preview
The Identity Problem of the Web and how to solve it
Bastian HofmannResearchGate GmbH
Questions? Ask!
Only one identity?
Identity is conveyed by communication
Identity is not fixed but recreated by every communication with your fellows
Expectations of different people result in different identities
Lothar Krappmann
Paul Adamshttp://www.slideshare.net/padday/the-real-life-social-network-v2
Sign up again and again
Passwords are broken
Same password for more than one service
Names, birthdays, car brand, ...
Too short, too simple
Saved unsecurely in the browser
Disclosed to others
Sent over non encrypted connections
Single Sign On
Microsoft Live ID
Launched 1999 as .net Passport
Facebook Connect
And there are much more
Nascar problem
The Client
http://bhofmann.myopenid.comHTTP POST
stackoverflow.com
http://bhofmann.myopenid.comHTTP POST
stackoverflow.comHTTP GET
bhofmann.myopenid.com
http://bhofmann.myopenid.comHTTP POST
stackoverflow.com
bhofmann.myopenid.com
<link rel="openid2.provider" href="http://www.myopenid.com/server" />
http://bhofmann.myopenid.comHTTP POST
stackoverflow.com
myopenid.com/server
Establish shared secret(Diffie-Hellman)
http://myopenid.com/server?openid.identity=http://bhofmann.myopenid.com&...
HTTP Redirect
stackoverflow.com
HTTP GET
myopenid.com/server?
openid.identity=http://
bhofmann.myopenid.com&...
Login
myopenid.com/server?
openid.identity=http://
bhofmann.myopenid.com&...
Grant permission
myopenid.com/server?
openid.identity=http://
bhofmann.myopenid.com&...
myopenid.com/server?
openid.identity=http://
bhofmann.myopenid.com&...
http://stackoverflow.com/?assertion...HTTP Redirect
HTTP GET
stackoverflow.com
Verify assertion
DEMO
http://stackoverflow.com/
https://www.myopenid.com/
Who is the user?
Is this really user X?
Is X allowed to do something?
Does X have the permission?
VS
Client sites want more than just a unique identifier (Social Graph)
Authentication vs Authorization
But there are Spec Extensions
Additional parameters on the redirects
Simple Registration
openid.sreg.required=openid.sreg.fullname&openid.sreg.optional=openid.sreg.email,openid.sreg.gender
openid.sreg.fullname=Bastian&openid.sreg.gender=male
Attribute Exchange
penid.ns.ax=http://openid.net/srv/ax/1.0openid.ax.mode=fetch_requestopenid.ax.type.fname=http://example.com/schema/fullnameopenid.ax.type.gender=http://example.com/schema/genderopenid.ax.type.fav_dog=http://example.com/schema/favourite_dogopenid.ax.type.fav_movie=http://example.com/schema/favourite_movieopenid.ax.count.fav_movie=3openid.ax.required=fname,genderopenid.ax.if_available=fav_dog,fav_movieopenid.ax.update_url=http://idconsumer.com/update?transaction_id=a6b5c41
openid.ns.ax=http://openid.net/srv/ax/1.0openid.ax.mode=fetch_responseopenid.ax.type.fname=http://example.com/schema/fullnameopenid.ax.type.gender=http://example.com/schema/genderopenid.ax.type.fav_dog=http://example.com/schema/favourite_dogopenid.ax.type.fav_movie=http://example.com/schema/favourite_movieopenid.ax.value.fname=John Smithopenid.ax.count.gender=0openid.ax.value.fav_dog=Spotopenid.ax.count.fav_movie=2openid.ax.value.fav_movie.1=Movie1openid.ax.value.fav_movie.2=Movie2openid.ax.update_url=http://idconsumer.com/update?transaction_id=a6b5c41
openid.ns.ax=http://openid.net/srv/ax/1.0openid.ax.mode=store_requestopenid.ax.type.fname=http://example.com/schema/fullnameopenid.ax.value.fname=Bob Smithopenid.ax.type.fav_movie=http://example.com/schema/favourite_movieopenid.ax.count.fav_movie=2openid.ax.value.fav_movie.1=Movie1openid.ax.value.fav_movie.2=Movie2
openid.ns.ax=http://openid.net/srv/ax/1.0openid.ax.mode=store_response_success
lanyrd.com
twitter.com
Pre Registration of Client at Twitter:
- Shared Consumer Key- Shared Consumer Secret
HTTP POSTConnect with Twitter
lanyrd.com
twitter.com
HTTP POSTConnect with Twitter
HTTP GETConsumer KeyRedirect URISignature (Consumer Secret)
lanyrd.com
twitter.com
HTTP POSTConnect with Twitter
Request TokenRequest Token Secret
lanyrd.com
http://twitter.com/authorize?requestToken=...&consumerKey=...
HTTP Redirect
lanyrd.com
HTTP GET
twitter.com/authorize
Login
twitter.com/authorize
Grant permission
twitter.com/authorize
Create verifier and bind it to User and Request Token
Redirect URI?verifier=...&requestToken=..HTTP Redirect
twitter.com/authorize
HTTP GET
lanyrd.com(RedirectURI?
verifier=...)
HTTP GET
HTTP GETConsumer Key, RequestTokenVerifierSignature (Consumer & Request Token Secret)
twitter.com
lanyrd.com
HTTP GET
Access TokenAccess Token Secret
twitter.com
lanyrd.com
HTTP GET
API RequestConsumer Key, Access TokenSignature (Consumer & Access Token Secret)
twitter.com
lanyrd.com
• Combines OpenID Authentication and OAuth authorization
openid.ns.oauth=http://specs.openid.net/extensions/oauth/1.0&openid.oauth.consumer=123456
openid.ns.oauth=http://specs.openid.net/extensions/oauth/1.0&openid.oauth.request_token=7890
OpenID + OAuth
OpenID is dead
„OpenID has been a burden on support since the day it was launched.“
„Fewer than 1% of all 37signals users are currently using OpenID.“
http://productblog.37signals.com/products/2011/01/well-be-retiring-our-support-of-openid-on-may-1.html
„OpenID is the worst possible "solution" I have ever seen in my entire life to a problem that most people don't really have.“
Yishan Wong (Facebook)
http://www.quora.com/What-s-wrong-with-OpenID
Failures of OpenID 2.0
Complex to implement
URL as identifier => Bad User Experience
Do you have an OpenID?
What is it?
No marketing
Facebook Connect250,000,000 monthly users
So let‘s all use Facebook?
How to fix it?
Easier to implement
More simple specification
Better user experience
wider adption
Built on top of OAuth 2.0
What‘s wrong with OAuth?
Does not work well with non web or JavaScript based clients
The „Invalid Signature“ Problem
Complicated Flow, many requests
http://tools.ietf.org/html/draft-ietf-oauth-v2
What‘s new in OAuth2? (Draft 10)
Different client profiles
No signatures
No Token Secrets
Cookie-like Bearer Token
No Request Tokens
Much more flexible regarding extensions
Mandatory TSL/SSL
Web-Server Profile
lanyrd.com
twitter.com
Pre Registration of Client at Twitter:
- Shared Client ID- Shared Client Secret- Redirect URI
HTTP(S) POSTConnect with Twitter
lanyrd.com
http://twitter.com/authorize?&clientId=...
HTTPS Redirect
lanyrd.com
HTTPS GET
twitter.com/authorize
Login
twitter.com/authorize
Grant permission
twitter.com/authorize
Create authorization code and bind it to User and ClientID
Redirect URI?authorizationCode=...HTTPS Redirect
twitter.com/authorize
HTTPS GET
lanyrd.com(RedirectURI?
authorizationCode=...)
HTTPS GET
HTTPS GETConsumer KeyAuthorization CodeConsumer Secret
twitter.com
lanyrd.com
HTTPS GET
Access Token(Refresh Token)
twitter.com
lanyrd.com
HTTPS GET
HTTPS API RequestAccess Token
twitter.com
lanyrd.com
HTTPS GET
HTTPS GETConsumer KeyRefresh TokenConsumer Secret
twitter.com
lanyrd.com
HTTPS GET
Access TokenRefresh Token
twitter.com
lanyrd.com
User-Agent Profile
http://twitter.com/authorize?&clientId=...
Open Popup
lanyrd.com
http://twitter.com/authorize?&clientId=...
Open Popup
lanyrd.com
HTTPS GET
twitter.com/authorize
http://twitter.com/authorize?&clientId=...
Open Popup
lanyrd.com
Login
twitter.com/authorize
http://twitter.com/authorize?&clientId=...
Open Popup
lanyrd.com
Grant Permission
twitter.com/authorize
lanyrd.com
HTTPS RedirectRedirectURI#acces
sToken
twitter.com/authorize
RedirectURI#accessToken
lanyrd.com
lanyrd.com
RedirectURI#accessToken
Parse Access Token from FragmentSend it to opening window
Close popup lanyrd.com
Same Origin Policy
lanyrd.com
HTTPS Ajax Request to APIAccess Token
twitter.com
Same Origin Policy
JSONP
Cross Origin Request Sharing (CORS)
Backendapi.twitter.com
Client lanyrd.com
AJAX
Access-Control-Allow-Origin: *
http://www.w3.org/TR/cors/
What happend to signatures?
Bearer Tokens are fine over secure connection
Vulnerable if discovery is introduced
Or if TSL/SSL is not possible
So OAuth 1.0 signatures alternatively available
Scopes
Optional parameter for provider specific implementations
Additional return values
Access Control
http://openidconnect.com/
Scope: „openid“
With access token additional values are returned
UserID: URL to Portable Contacts endpoint
TimestampSignature
http://opensocial-demo.vz-modules.net/vzid/index.php
https://github.com/vznet/vz_id_democlient
DEMO
OpenID Connect Discovery
Get Identifier of user
Look for a link pointing to the OpenID Connect endpoints in the returned LRDD
Call /.well-‐known/host-‐meta file at the domain of the user‘s provider
http://example.com/.well-known/host-meta
http://tools.ietf.org/html/draft-nottingham-site-meta
http://code.google.com/p/webfinger/
Phishing
E-mail address equals identity?
@
Can the browser help?
http://esw.w3.org/Foaf%2Bssl
FOAF+SSL (WebID)
DEMO
http://trunk.ontowiki.net/
http://www.w3.org/wiki/Foaf%2Bssl/IDP
Bad browser UI
Syncing between different computers?
More than one user on the same computer?
Mozilla UX Mockups
DEMO
http://myfavoritebeer.org/
https://addons.mozilla.org/en-US/firefox/addon/browser-sign-in/
• We need a single sign on system for the web
• Proprietary solutions are bad for users, site owners and developers
• OpenID is cool, but has some problems
• A new more simple and flexible spec is coming up
• Browser vendors are working to solve this problem in the browser
Summing it up
h"p://twi"er.com/Bas2anHofmannh"ps://profiles.google.com/bashofmannh"p://lanyrd.com/people/Bas2anHofmann/h"p://slideshare.net/bashofmann
