Hannes Tschofenig, MIT CFP Privacy & Security Working Group, Feb. 2nd 2011
Feb 2nd 2011, MIT CFP Privacy & Security Working Group
Presentation Scope
Based on real-world examples of using OAuth and Web 2.0 mashups, I will explain identity management and privacy challenges. I will use Facebook to illustrate how Web application programmers experience OAuth. The subsequent slides use a simple scenario:
1. I want to outsource identity management for my own site to Facebook.
2. I want to retrieve information from the user's Facebook account (or to push data to the user's account).
Simple Data Sharing: FB “Like” Button
‘like’ Button: iFrame Version
<iframe src=" href= scrolling="no" frameborder="0" style="border:none; width:450px;height:80px"></iframe>
(The src points at Facebook's Like plugin; its href parameter names the page being liked.)
More details about the two possible implementations (XFBML and iFrame) can be found in Facebook's developer documentation:
–The XFBML version (next slide) uses the JavaScript SDK and gives websites more flexible control through the Open Graph API, including posting content on the user's behalf.
‘like’ Button: XFBML Version
Easy to produce:
A Privacy Problem?
When you load a page that contains the ‘like’ button, the iFrame actually loads its content from Facebook's servers. This allows Facebook to know where you are browsing even if you never click the button.
–It uses your existing Facebook cookie: via the iFrame your browser is literally “browsing” to Facebook, so the cookie is sent along with the request that names the page you are viewing.
If you click the button you automatically add information to your profile. This, however, requires you to log in.
–Different authorization model than “normal” Facebook applications (unless you are logged in already).
–Revoking permissions also works differently than with “normal” FB apps.
Getting the incentives right:
–Facebook gets to see what users are doing on the Web.
–Companies are excited about deploying Web technologies, and they get “rewards” if their product is “liked”.
–Users are happy that they can share with their friends what they like.
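One way a site owner can keep the button without leaking every page view, as an added example that is not part of the original slides or of Facebook's plugin code: a "two-click" wrapper that shows a first-party placeholder and inserts the third-party iFrame only after the visitor opts in. The plugin URL, the element id and the CSS class name are placeholders chosen for the example.

```javascript
// Added example (not from the slides): a "two-click" Like button.
// Nothing is requested from the third party until the visitor clicks the
// placeholder, so a visitor who never clicks sends no request (and no cookie)
// to the third party. The plugin URL, element id and class name are assumptions.

// Minimal HTML attribute escaping so the page URL cannot break out of src="...".
function escapeAttr(s) {
  return String(s).replace(/&/g, '&amp;').replace(/"/g, '&quot;')
                  .replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Markup of the real third-party iFrame (same shape as the slide's iframe).
// The page URL goes into the href query parameter, percent-encoded.
function likeIframeMarkup(pluginBase, pageUrl) {
  const src = pluginBase + '?href=' + encodeURIComponent(pageUrl);
  return '<iframe src="' + escapeAttr(src) + '" scrolling="no" frameborder="0" ' +
         'style="border:none; width:450px;height:80px"></iframe>';
}

// State for one button: not loaded until the visitor opts in.
function createTwoClickButton(pluginBase, pageUrl) {
  let loaded = false;
  const thirdParty = new URL(pluginBase).host;
  return {
    // What the page shows instead of the iFrame: a plain, first-party button
    // that tells the visitor which third party will be contacted.
    placeholderMarkup() {
      return '<button type="button" class="like-placeholder">' +
             'Enable Like button (loads content from ' + escapeAttr(thirdParty) + ')' +
             '</button>';
    },
    // Called on click: from now on the third-party iFrame replaces the placeholder.
    activate() {
      loaded = true;
      return likeIframeMarkup(pluginBase, pageUrl);
    },
    isLoaded() { return loaded; },
  };
}

// Browser wiring; skipped when the file runs outside a browser (e.g. under Node).
if (typeof document !== 'undefined') {
  const container = document.getElementById('like-slot');   // assumed element id
  const btn = createTwoClickButton('https://social.example/plugins/like',  // placeholder plugin URL
                                   window.location.href);
  container.innerHTML = btn.placeholderMarkup();
  container.querySelector('.like-placeholder').addEventListener('click', () => {
    container.innerHTML = btn.activate();
  });
}
```

The design choice is simply to move the point at which the third-party request happens from page load to an explicit user action; once the visitor clicks, the behaviour is exactly that of the slide's iFrame, cookie included.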
Outsourcing Identity Management
Task:
–I want to allow users to log on using their Facebook credentials.
–I want this integrated into my existing environment; I am using a WordPress blogging/content management system.
–I don't want to write code.
Facebook Application Needed
In many cases you cannot just deploy OAuth between two sides without going through a registration step.
–Consequence: using OAuth between two random web sites does not work (today).
–Not a technology limitation but a deployment choice!
Next, we need to go through the Facebook registration pages to obtain application credentials. Facebook also requires additional information from the “application developer”, such as a mobile phone number and credit card information.
Obtaining the client id & key
Moving to the “Client”: A WordPress Widget on my Webpage
Configuring the placement of the Login Page
Added Facebook Login
The NASCAR Problem
To simplify user interaction, websites put the logos of identity providers on their page.
–More identity providers → more logos.
–More logos → users get confused.
–Website providers only put the top IdPs on their page → ossification.
Login: Authentication and Authorization
The login button redirects to Facebook (if you are not logged in already). Then there is an authorization step, in which the user approves the permissions the application asks for (see the dialog above).
Separate FB Application
Instead of using an existing plug-in you can also write your own Web page. Example code is available in a number of programming languages. My example uses PHP and retrieves user information (next slide).
PHP Example Code (shortened)

<?php
require 'facebook.php';   // Facebook PHP SDK

// create application instance; the secret must stay on the server and
// never appear in pages or scripts that are sent to the browser
$facebook = new Facebook(array(
  'appId'  => ' ',
  'secret' => 'afa0f33f69f78fb8d3875c252b45ffad',
  'cookie' => true,
));

// fetch session (set by the JavaScript SDK cookie or by the OAuth redirect)
$session = $facebook->getSession();

$me = null;
if ($session != null) {
  // session state exists: these calls use the user's access token
  try {
    $uid = $facebook->getUser();
    $me  = $facebook->api('/me');
    $logoutUrl = $facebook->getLogoutUrl();
  } catch (FacebookApiException $e) {
    error_log($e);   // e.g. the token has expired or the user revoked access
  }
} else {
  $loginUrl = $facebook->getLoginUrl();
}

// fetch public data; this works without a session
$naitik = $facebook->api('/naitik');
Asking for more data
Extended Permissions
OAuth allows applications to indicate the permissions they need via a scope attribute.
The content of the scope attribute is not defined by OAuth but left application specific.
Facebook provides examples of such extended permissions to access data beyond basic information:
–Example: “user_photos”
Details can be obtained from Facebook's developer documentation on permissions.
Viewing Access Rights
FB's Privacy Dashboard: Access Log
OAuth 2.0 and Identity Management
draft-hansen-privacy-terminology (http://tools.ietf.org/html/draft-hansen-privacy-terminology) says:
–An identity is any subset of attribute values of an individual person which sufficiently identifies this individual person within any set of persons. So usually there is no such thing as "the identity", but several of them.
–An identity of an individual person may comprise many partial identities, each of which represents the person in a specific context or role.
–Identity management means managing various partial identities of an individual person, i.e., administration of identity attributes including the development and choice of the partial identity and pseudonym to be (re-)used in a specific context or role.
OAuth 2.0 and Identity Management, cont.
OAuth 2.0 does not mandate
–a specific user identifier format,
–any authentication mechanism,
–a specific credential type,
–a specific type of data to be stored at the resource server,
–management features for creating, modifying, and deleting data.
OAuth 2.0 and Identity Management, cont.
Facebook, deploying OAuth 2.0, defines
–a specific user identifier format (for logon),
–password-based authentication using a browser interface,
–the data to be stored,
–management features for creating, modifying, and deleting data (and access permissions) using a Web browser.
OAuth provides the functionality of OpenID, but in a different style. OpenID's initial design did not envision any relationship between the relying party and the identity provider. In practice, this turned out to be a no-go.
From a standardization point of view, OAuth and OpenID started at different places.
–For example, OpenID has standardized APIs for the exchange of data (OpenID Attribute Exchange 1.0), while OAuth does not have such APIs.
–The next slide shows the OAuth standardization status.
Standardization Status of the OAuth Framework (diagram)
Entities: User, User Agent, Resource Consumer, Authorization Server, Resource Server.
Interactions shown: Authentication Request; Authorization Request; Token Request; Access Request (incl. Token); Security Token Request/Response Exchange; Data Exchange.
Building blocks named: OAuth Profiles; User Interface; Token Format and Content; Authz Server Interaction.
Legend: red box = currently covered by the OAuth WG.
Summary
Open Authorization (OAuth) is developed in the IETF OAuth working group. Code is available and deployment is going fine.
The working group is trying hard to finish OAuth 2.0: security and privacy turn out to be challenging.
–Largely a deployment challenge!
A WG rechartering process is ongoing to standardize other parts of the OAuth framework.