Presentation is loading. Please wait.

Presentation is loading. Please wait.

INF 123 SW ARCH, DIST SYS & INTEROP LECTURE 16 Prof. Crista Lopes.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "INF 123 SW ARCH, DIST SYS & INTEROP LECTURE 16 Prof. Crista Lopes."— Presentation transcript:

1 INF 123 SW ARCH, DIST SYS & INTEROP LECTURE 16 Prof. Crista Lopes

2 Objectives  Understanding the difference between Authentication and Authorization  Understanding OpenID and OAuth

3 Auth vs Auth  Authentication: who is this user?  Authorization: can this user do that?

4 Identity on the Web  Millions of Web sites, each with their own users  Each user needs to remember N usernames+passwords  …why not interoperate identity?  …why not interoperate more data?

5 Decentralized Identity OpenID

6 OpenID in Action  “OpenID is a decentralized authentication protocol that makes it easy for people to sign up and access web accounts.”  www.stackoverflow.com www.stackoverflow.com

7 How it works http://yahoo.com http://openid.net/developers/specs/

8 How it works, in 11 steps http://www.windley.com/archives/2006/04/how_does_openid.shtml Relying party OpenID Provider End Point

9 Steps 1, 2 – Post Identifier

10 How it works – Discovery http://www.windley.com/archives/2006/04/how_does_openid.shtml Relying party OpenID Provider End Point

11 Steps 3, 4 – Normalization & Discovery  Yadis Protocol Content-Type: application/xrds+xml when performing an HTTP GET on the identity URL

12 Step 3 – XRDS response <xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)" xmlns:openid="http://openid.net/xmlns/1.0"> http://openid.net/signon/1.0 http://www.myopenid.com/server http://smoker.myopenid.com/ http://openid.net/signon/1.0 http://www.livejournal.com/openid/server.bml http://www.livejournal.com/users/frank/ http://lid.netmesh.org/sso/2.0 http://mylid.net/liddemouser http://lid.netmesh.org/sso/1.0

13 Steps 3, 4 – Normalization & Discovery  Plain HTTP  Returned document must contain a element:

14 How it works – Redirect 1 http://www.windley.com/archives/2006/04/how_does_openid.shtml Relying party OpenID Provider End Point

15 Step 5 – First redirect  Relying party parses XDSR or and retrieves the OpenID provider end point.  Then redirects (302, 303 or 307) user agent to it with query params appended to the URL: HTTP/1.1 303 See Other Location: https://login.yahoo.com? openid.ns=http://specs.openid.net/auth/2.0& openid.mode=checkid_setup& openid.claimed_id=e_mumble& openid.return_to=http://stackoverflow.com?article=123

16 How it works – Login http://www.windley.com/archives/2006/04/how_does_openid.shtml Relying party OpenID Provider End Point

17 Steps 6, 7, 8, 9 – Login  Undefined in the Spec  Usually regular login form with POST  May include further verification with user  This is a vulnerable point in the process  more later

18 How it works – Final Redirect http://www.windley.com/archives/2006/04/how_does_openid.shtml Relying party OpenID Provider End Point

19 Step 10 – Final Redirect  OpenID Provider End Point redirects user agent back to the “return_to” URL. HTTP/1.1 303 See Other Location: http://stackoverflow.com?article=123? openid.ns=http://specs.openid.net/auth/2.0& openid.op_endpoint=https://login.yahoo.com& openid.return_to=http://stackoverflow.com?article=123& openid.identity=e_mumble& openid.response_nonce=2005-05-15T17:11:51ZUN6TY9& openid.sig=MACsignature

20 Step 10  Relying party must verify a few things before deciding that the user is authenticated  return_to matches  identifier matches  nonce is unique  signature is valid

21 How it works – Finally! http://www.windley.com/archives/2006/04/how_does_openid.shtml Relying party OpenID Provider End Point

22 Step 11  Relying party returns the page that user was on  http://stackoverflow.com?article=123

23 Final Remarks  The whole point of OpenID is to authenticate users  your web app wants to verify that user jonh.smith @ yahoo.com really is john.smith at yahoo.com  OpenID knows nothing about authorization  after establishing identity, your application must deciding which resources this user is allowed to access authentication ≠ authorization

24 OpenID is Phishing Heaven  idtheft.fun.de  OpenID’s adoption by major sites is a mystery to me!

25 Authorization – but not for *your* resources OAuth

26  The goal of OAuth is to acquire an access token from a 3 rd party (like Google, Facebook, etc.), which can then be used to exchange user-specific data between your application and that 3 rd party service (such as calendar information or friends list) Facebook/Google user data Your app access user data

27 OpenID+OAuth  Lets arbitrary apps (like yours) access your Twitter/Facebook/Google/etc account without having to have your password

28 OAuth 4 main steps  Your app asks for a “request” token from the 3 rd party  Your app asks the 3 rd party for the token to be authorized  3 rd party requests user approval  Your app exchanges the “request” token for an “access” token  Your app uses the “access” token to access the data

Download ppt "INF 123 SW ARCH, DIST SYS & INTEROP LECTURE 16 Prof. Crista Lopes."

Similar presentations

Yahoo! OpenID and OAuth 1 Allen Tom Yahoo! Membership Architect OpenID Foundation Board

Yahoo! OpenID and OAuth 1 Allen Tom Yahoo! Membership Architect OpenID Foundation Board
The How of OAuth OAuth Hackathon – Six Apart

The How of OAuth OAuth Hackathon – Six Apart
22 May 2008IVOA Trieste: Grid & Web Services1 Alternate security mechanisms Matthew J. Graham (Caltech, NVO) T HE US N ATIONAL V IRTUAL O BSERVATORY.

22 May 2008IVOA Trieste: Grid & Web Services1 Alternate security mechanisms Matthew J. Graham (Caltech, NVO) T HE US N ATIONAL V IRTUAL O BSERVATORY.
OAuth Phil Wilson, University of Bath, 2008. what the? OAuth provides a way to grant access to your data on some website to a third website, without.

OAuth Phil Wilson, University of Bath, what the? "OAuth provides a way to grant access to your data on some website to a third website, without.
OpenID & Information Card Profiles for ICAM John Bradley

OpenID & Information Card Profiles for ICAM John Bradley
Authentication Simon Cross Partner Engineer facebook.com/sicross An Overview.

Authentication Simon Cross Partner Engineer facebook.com/sicross An Overview.
OAuth 2.0 By “PJ” (JP on meetup.com) iOS and PHP developer, and occasional lawyer Contact me via:

OAuth 2.0 By “PJ” (JP on meetup.com) iOS and PHP developer, and occasional lawyer Contact me via:
By: Ansuya Chauhan.

By: Ansuya Chauhan.
And YADIS David Recordon Six Apart, Ltd. / LiveJournal.com / Danga Interactive, Inc. Parts of presentation stolen from Brad Fitzpatrick.

And YADIS David Recordon Six Apart, Ltd. / LiveJournal.com / Danga Interactive, Inc. Parts of presentation stolen from Brad Fitzpatrick.
A Third Party Service for Providing Trust on the Internet Work done in 2001 at HP Labs by Michael VanHilst and Ski Ilnicki.

A Third Party Service for Providing Trust on the Internet Work done in 2001 at HP Labs by Michael VanHilst and Ski Ilnicki.
Experimental OpenID Service for DOEGrids Summer Student Program 2008 Jan Durand ESnet 08/06/08.

Experimental OpenID Service for DOEGrids Summer Student Program 2008 Jan Durand ESnet 08/06/08.
The Widgets Shall Inherit the Web Widget Summit 4 November 2008.

The Widgets Shall Inherit the Web Widget Summit 4 November 2008.
Mashing Up with User-Centric Identity America Online LLC John Panzer, Praveen Alavilli.

Mashing Up with User-Centric Identity America Online LLC John Panzer, Praveen Alavilli.
Workflow OpenID Scenario Users get OpenID from provider Andy is given access to service, and then to workflow server. Andy installs workflow Workflow gets.

Workflow OpenID Scenario Users get OpenID from provider Andy is given access to service, and then to workflow server. Andy installs workflow Workflow gets.
In a world with lots of socially-aware sites… …and lots of “open social web” building blocks…

In a world with lots of socially-aware sites… …and lots of “open social web” building blocks…
INF 123 SW ARCH, DIST SYS & INTEROP LECTURE 19 Prof. Crista Lopes.

INF 123 SW ARCH, DIST SYS & INTEROP LECTURE 19 Prof. Crista Lopes.
The Design and Implementation of an OpenID-Enabled PKI Kevin Bauer University of Colorado Supervisor: Dhiva Muruganantham.

The Design and Implementation of an OpenID-Enabled PKI Kevin Bauer University of Colorado Supervisor: Dhiva Muruganantham.
An Authorization Service using.NET Passport ™ as underlying Authentication Scheme Bar-Hen Ron Hochberger Daniel Winter 2002 Technion – Israel Institute.

An Authorization Service using.NET Passport ™ as underlying Authentication Scheme Bar-Hen Ron Hochberger Daniel Winter 2002 Technion – Israel Institute.
OpenID And the Future of Digital Identity Alicia Bozyk April 1, 2008.

OpenID And the Future of Digital Identity Alicia Bozyk April 1, 2008.
INF 123 SW ARCH, DIST SYS & INTEROP LECTURE 17 Prof. Crista Lopes.

INF 123 SW ARCH, DIST SYS & INTEROP LECTURE 17 Prof. Crista Lopes.

Similar presentations

Ads by Google