Presentation is loading. Please wait.

Presentation is loading. Please wait.

Hannes Tschofenig MIT CFP Privacy & Security Working Group Feb. 2 nd 2011.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Hannes Tschofenig MIT CFP Privacy & Security Working Group Feb. 2 nd 2011."— Presentation transcript:

1 Hannes Tschofenig MIT CFP Privacy & Security Working Group Feb. 2 nd 2011

2 Feb, 2nd 2011MIT CFP Privacy & Security Working Group 2 Presentation Scope Based on real-world examples for using OAuth and Web 2.0 mashups I will explain identity management, and privacy challenges. I will use Facebook to illustrate how Web application programmers experience OAuth. The subsequent slides have a simple scenario setup: 1.I want to outsource identity management for my own site to Facebook. 2.I want to retrieve information from user’s FB account (to push data to user’s account)

3 Feb, 2nd 2011MIT CFP Privacy & Security Working Group 3 Simple Data Sharing: FB “Like” Button

4 Feb, 2nd 2011MIT CFP Privacy & Security Working Group 4 ‘like’ Button: iFrame Version <iframe src="http://www.facebook.com/plugins/like.php? href=http://www.tschofenig.priv.at/wp/" scrolling="no" frameborder="0” style="border:none; width:450px;height:80px"> More details about the two possible implementations using the XFBML and the IFrame can be found here: –http://developers.facebook.com/docs/reference/plugins/likehttp://developers.facebook.com/docs/reference/plugins/like The XFBML version (next slide) uses the JavaScript SDK and allows websites more flexible control using the OpenGraph API (including posting content to the user’s website): –http://developers.facebook.com/docs/opengraphhttp://developers.facebook.com/docs/opengraph

5 Feb, 2nd 2011MIT CFP Privacy & Security Working Group 5 ‘like’ Button: XFBML Version Easy to produce: http://developers.facebook.com/docs/reference/plugins/like http://developers.facebook.com/docs/reference/plugins/like

6 Feb, 2nd 2011MIT CFP Privacy & Security Working Group 6 A Privacy Problem? When you load a page that contains the ‘like’ button then the iFrame actually loads the code from the Facebook webpage. Allows Facebook to know where you are browsing even if you do not click the button. –Uses existing cookie; it works because you are via the iFrame literally “browsing” to Facebook. In case you click on it you automatically add information to your profile. This, however, requires you to log-in. –Different authorization model than “normal” Facebook applications (unless you are logged-in already) –Revoking permissions also works differently than with “normal” FB apps. Getting the incentives right: –Facebook gets to see what users are doing on the Web. –Companies are excited about deploying Web technologies and they get “rewards” if their product is “liked”. –Users are happy that they can share with their friends what they like.

7 Feb, 2nd 2011MIT CFP Privacy & Security Working Group 7 Outsourcing Identity Management Task: –I want to allow users to log on using their Facebook credentials. –I want this to be integrated into my existing environment. I am using a Wordpress blogging/content management system. –I don’t want to write code.

8 Feb, 2nd 2011MIT CFP Privacy & Security Working Group 8 Facebook Application Needed In many cases you cannot just deploy OAuth between two sides without going through a registration step. Consequence: Using OAuth on two random web sites does not work (today) Not a technology limitation but a deployment choice! Next, we need to go through the Facebook registration pages to obtain application credentials. Facebook also requires additional information from “application developer”, such as mobile phone number and credit card information.

9 Feb, 2nd 2011MIT CFP Privacy & Security Working Group 9

10 Feb, 2nd 2011MIT CFP Privacy & Security Working Group 10 Obtaining the client id & key

11 Feb, 2nd 2011MIT CFP Privacy & Security Working Group 11 Moving to the “Client”: A Wordpress Widget on my Webpage

12 Feb, 2nd 2011MIT CFP Privacy & Security Working Group 12 Configuring the placement of the Login Page

13 Feb, 2nd 2011MIT CFP Privacy & Security Working Group 13 Added Facebook Login

14 Feb, 2nd 2011MIT CFP Privacy & Security Working Group 14 The NASCAR Problem The NASCAR problem To simplify user interactions websites put the logos of identity providers on their page. More identity providers  more logos More logos  users get confused Website providers only put the top IdP’s on their page  ossification

15 Feb, 2nd 2011MIT CFP Privacy & Security Working Group 15 Login: Authentication and Authorization Login button re-directs to Facebook (if not yet logged in already) Then, there is an authorization step (see above).

16 Feb, 2nd 2011MIT CFP Privacy & Security Working Group 16 Separate FB Application Instead of using an existing plug-in you can also write your own Web page. Example code available in a number of programming languages. My example uses PHP and retrieves user information (next slide)

17 Feb, 2nd 2011MIT CFP Privacy & Security Working Group 17

18 Feb, 2nd 2011MIT CFP Privacy & Security Working Group 18 PHP Example Code (shortened) // create application instance $facebook = new Facebook(array( 'appId' => '104366359641119', 'secret' => 'afa0f33f69f78fb8d3875c252b45ffad', 'cookie' => true, )); // fetch session if ($session!=null) { // session state exists try { $uid = $facebook->getUser(); $me = $facebook->api('/me'); $logoutUrl = $facebook->getLogoutUrl(); } catch (FacebookApiException $e) { error_log($e); } } else { $loginUrl = $facebook->getLoginUrl(); } // fetch public data $naitik = $facebook->api('/naitik'); ">

19 Feb, 2nd 2011MIT CFP Privacy & Security Working Group 19 Asking for more data

20 Feb, 2nd 2011MIT CFP Privacy & Security Working Group 20 Extended Permissions OAuth allows applications to indicate their permissions via a scope attribute. Content of scope attribute is not defined but rather left application specific. Facebook provides examples for such extended permissions to access data beyond basic information: –Examples: “email”, ”user_photos” Details can be obtained from: –http://developers.facebook.com/docs/authentication/permissions/http://developers.facebook.com/docs/authentication/permissions/

21 Feb, 2nd 2011MIT CFP Privacy & Security Working Group 21 Viewing Access Rights

22 Feb, 2nd 2011MIT CFP Privacy & Security Working Group 22 FB’s Privacy Dashboard: Access Log

23 Feb, 2nd 2011MIT CFP Privacy & Security Working Group 23 OAuth 2.0 and Identity Management http://tools.ietf.org/html/draft-hansen-privacy-terminology sayshttp://tools.ietf.org/html/draft-hansen-privacy-terminology –An identity is any subset of attribute values of an individual person which sufficiently identifies this individual person within any set of persons. So usually there is no such thing as "the identity", but several of them. –An identity of an individual person may comprise many partial identities of which each represents the person in a specific context or role. –Identity management means managing various partial identities of an individual person, i.e., administration of identity attributes including the development and choice of the partial identity and pseudonym to be (re-)used in a specific context or role.

24 Feb, 2nd 2011MIT CFP Privacy & Security Working Group 24 OAuth 2.0 and Identity Management, cont. OAuth 2.0 does not mandate –a specific user identifier format, –any authentication mechanism, –a specific credential type, –specific type of data to be stored at the resource server, –management features for creating, modifying, and deleting data

25 Feb, 2nd 2011MIT CFP Privacy & Security Working Group 25 OAuth 2.0 and Identity Management, cont. Facebook, deploying OAuth 2.0, defines –a specific user identifier format (for logon), –Password-based authentication using a browser interface, –Data to be stored, –management features for creating, modifying, and deleting data (and access permissions) using a Web browser. OAuth provides the functionality of OpenID but in a different style. OpenID’s initial design did not envision any relationship between the relying party and the identity provider. In practice, this turned out to be a no-go. From a standardization point of view, OAuth and OpenID started at different places. –For example, OpenID has standardized APIs for exchange of data while OAuth does not have such APIs. See http://openid.net/specs/openid-attribute- exchange-1_0.html and http://www.axschema.org/types/http://openid.net/specs/openid-attribute- exchange-1_0.htmlhttp://www.axschema.org/types/ –Next slide shows the OAuth standardization status.

26 Feb, 2nd 2011MIT CFP Privacy & Security Working Group 26 OAuth Profiles Token Request Standardization Status of the OAuth Framework User Agent Authorization Server Resource Server Resource Consumer Access Request (incl. Token) Authorization Request User Interface Token Format And Content Authz Server Interaction Data ExchangeAuthentication Request Security Token Request/ Response Exchange User Legend: - Red box: Currently covered by OAuth WG

27 Feb, 2nd 2011MIT CFP Privacy & Security Working Group 27 Summary Open Web Authentication (OAuth) is developed in the IETF OAuth working group: –http://datatracker.ietf.org/wg/oauth/http://datatracker.ietf.org/wg/oauth/ Code available (see http://oauth.net/code/) and deployment going fine.http://oauth.net/code/ Working group is trying hard to finish OAuth 2.0: http://tools.ietf.org/html/draft-ietf-oauth-v2 Security and privacy turns out to be challenging. –Largely a deployment challenge! –See http://zachholman.com/2011/01/oauth_will_murder_your_children/ http://zachholman.com/2011/01/oauth_will_murder_your_children/ WG rechartering process ongoing to standardize other parts of the OAuth framework.

Download ppt "Hannes Tschofenig MIT CFP Privacy & Security Working Group Feb. 2 nd 2011."

Similar presentations

Yahoo! OpenID and OAuth 1 Allen Tom Yahoo! Membership Architect OpenID Foundation Board

Yahoo! OpenID and OAuth 1 Allen Tom Yahoo! Membership Architect OpenID Foundation Board
AAI for Apps Using AAI with your Smartphone Daniel Latzer Zürich, April 2013

AAI for Apps Using AAI with your Smartphone Daniel Latzer Zürich, April 2013
FI-WARE Testbed Access Control temporary solution.

FI-WARE Testbed Access Control temporary solution.
OAuth 2.0 By “PJ” (JP on meetup.com) iOS and PHP developer, and occasional lawyer Contact me via:

OAuth 2.0 By “PJ” (JP on meetup.com) iOS and PHP developer, and occasional lawyer Contact me via:
Hannes Tschofenig, Blaine Cook (IETF#79, Beijing).

Hannes Tschofenig, Blaine Cook (IETF#79, Beijing).
Hannes Tschofenig (IETF#79, SAAG, Beijing). Acknowledgements I would like to thank to Pasi Eronen. I am re- using some of his slides in this presentation.

Hannes Tschofenig (IETF#79, SAAG, Beijing). Acknowledgements I would like to thank to Pasi Eronen. I am re- using some of his slides in this presentation.
By: Ansuya Chauhan.

By: Ansuya Chauhan.
Mashing Up with User-Centric Identity America Online LLC John Panzer, Praveen Alavilli.

Mashing Up with User-Centric Identity America Online LLC John Panzer, Praveen Alavilli.
Esri UC2013. Technical Workshop. Technical Workshop 2013 Esri International User Conference July 8–12, 2013 | San Diego, California Building Secure Applications.

Esri UC2013. Technical Workshop. Technical Workshop 2013 Esri International User Conference July 8–12, 2013 | San Diego, California Building Secure Applications.
Google App Engine Google APIs OAuth Facebook Graph API

Google App Engine Google APIs OAuth Facebook Graph API
OAuth/UMA for ACE 24 th March 2015 draft-maler-ace-oauth-uma-00.txt Eve Maler, Erik Wahlström, Samuel Erdtman, Hannes Tschofenig.

OAuth/UMA for ACE 24 th March 2015 draft-maler-ace-oauth-uma-00.txt Eve Maler, Erik Wahlström, Samuel Erdtman, Hannes Tschofenig.
Hosted Exchange 2007. The purpose of this Startup Guide is to familiarize you with ExchangeDefender's Exchange and SharePoint Hosting. ExchangeDefender.

Hosted Exchange The purpose of this Startup Guide is to familiarize you with ExchangeDefender's Exchange and SharePoint Hosting. ExchangeDefender.
Social Media Apps Programming Min-Yuh Day, Ph.D. Assistant Professor Department of Information Management Tamkang University

Social Media Apps Programming Min-Yuh Day, Ph.D. Assistant Professor Department of Information Management Tamkang University
Remotely authenticating against the Service Framework.

Remotely authenticating against the Service Framework.
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science Click to edit Master title style Design Extensions to Google+ CS6204 Privacy and Security.

Fall, Privacy&Security - Virginia Tech – Computer Science Click to edit Master title style Design Extensions to Google+ CS6204 Privacy and Security.
Forms Authentication, Users, Roles, Membership Svetlin Nakov Telerik Corporation www.telerik.com.

Forms Authentication, Users, Roles, Membership Svetlin Nakov Telerik Corporation
Identity Management Report By Jean Carreon and Marlon Gonzales.

Identity Management Report By Jean Carreon and Marlon Gonzales.
SIP OAuth Rifaat Shekh-Yusef IETF 90, SIPCore WG, Toronto, Canada July 21, 2014 1.

SIP OAuth Rifaat Shekh-Yusef IETF 90, SIPCore WG, Toronto, Canada July 21,
FIspace SPT Seyhun Futaci. Technology behind FIspace Authentication and Authorization IDM service of Fispace provides SSO solution for web apps, mobile.

FIspace SPT Seyhun Futaci. Technology behind FIspace Authentication and Authorization IDM service of Fispace provides SSO solution for web apps, mobile.
Social Media Apps Programming Min-Yuh Day, Ph.D. Assistant Professor Department of Information Management Tamkang University

Social Media Apps Programming Min-Yuh Day, Ph.D. Assistant Professor Department of Information Management Tamkang University

Similar presentations

Ads by Google