OpenID vs OAuth - Identity on the Web
Download as KEY, PDF29 likes13,707 views
The document discusses identity management protocols OpenID and OAuth. OpenID allows users to use a single digital identity across multiple websites, while OAuth allows websites to grant third party applications access to user data without sharing passwords. The document outlines the roles, flows, and differences between the two protocols, and proposes a project to implement an OAuth service provider and consumer as an example.
OpenID vs OAuth - Identity on the Web
- 1. Identity on the Web OpenID vs OAuth Identity Management in SOA Richard Metzler May 2010 1
- 2. Outline I. User Authentication II. OpenID III. OAuth IV. Compare OpenID & OAuth V. My Project 2
- 3. User Authentication 3
- 4. User Authentication • every single website needs my credentials • username / e-mail • password • should be secure • should not be reused • how to remember? 4
- 5. Resulting Problems • identity is scattered • passwords • millions to remember vs recycling • how to authorize third party access? ➡ Password Anti-Pattern 5
- 6. OpenID 6
- 7. OpenID • sharing a single identity with different consumers • decentralized • OpenID 2.0 (without XRI) http://openid.net/ 7
- 8. Roles in OpenID • User owns account at OpenID Provider • User proves Identity to Relying Party 8
- 9. OpenID Flow http://www.openaselect.org/trac/openaselect/wiki/OpenID 9
- 10. Sign in with OpenID Identifier 10
- 11. Discovery & Delegation obtain OP Endpoint 11
- 12. Establish Association • shared secret between Relying Party & OpenID Provider • Diffie Hellman Key Exchange • (g^xa)^xb mod p = (g^xb)^xa mod p http://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange 12
- 13. Redirect User Agent to OP Endpoint 13
- 14. Redirect User Agent to OP Endpoint 14
- 15. Return URL Verification • OpenId Provider checks: • do Realm and return_to URL match? 15
- 16. User Authentification 16
- 17. OpenID Provider presents Realm 17
- 18. Redirect User Agent to OP Endpoint URL 18
- 19. Redirect User Agent to OP Endpoint URL 19
- 20. Verification • Relying Party checks: • return_to URL • OpenID Identifier • was Nonce never used before? • fields signed, signature valid 20
- 21. Logged in 21
- 22. OpenID Flow http://www.openaselect.org/trac/openaselect/wiki/OpenID 22
- 23. OAuth 23
- 24. OAuth • sharing your data without sharing your password • centralized • OAuth 1.0a (current version) • Draft for OAuth 2.0 http://oauth.net/ 24
- 25. Roles • User owns Resource at Service Provider • User grants Consumer access to Resource 25
- 26. OAuth Dance http://fireeagle.yahoo.net/developer/documentation/web_auth 26
- 27. Register Consumer, get Consumer Key • manually register Consumer at Service Provider • identified by Token / Secret • Callback URL • all subsequent Requests must be signed with Secret, Nonce & Timestamp 27
- 28. Sign in with OAuth 28
- 29. Get Request Token • Consumer asks Service Provider for Request Token • Request Token identifies authorization workflow • not user specific • transmitted in URL when User Agent is redirected 29
- 30. HTTP Redirect to Service Provider 30
- 31. HTTP Redirect to Service Provider 31
- 32. Authenticate 32
- 33. Grant Access 33
- 34. HTTP Redirect to Consumer Callback 34
- 35. HTTP Redirect to Consumer Callback 35
- 36. Get Access Token • Consumer trades Request Token for Access Token • Access Token grants access to Service Provider in behalf of User • user specific 36
- 37. Logged in 37
- 38. Access Resource • authenticated access on Resource • must be signed • Consumer Key • OAuth Token • Timestamp • Nonce 38
- 39. OAuth Dance http://fireeagle.yahoo.net/developer/documentation/web_auth 39
- 40. OpenId vs OAuth 40
- 41. Commonalities • involves 3 parties • open protocols - community driven • HTTP based • not mutual exclusive 41
- 42. Differences • sharing: identity vs data resources • decentralized vs centralized • Consumer-Provider-Relationship: • unknown vs well-known 42
- 43. My Project 43
- 44. My Project • Implement OAuth Service Provider & OAuth Consumer example • API for manageable resources (ideas) • profile pictures • activity streams Atom feed extension • RESTful API for editing RDF::FOAF data http://activitystrea.ms/ http://www.foaf-project.org/ 44
- 45. Questions? 45
Editor's Notes
- #5: plus additional identity data: profile pic, friends,…
- #8: Live Journal (YADIS Protocol) OpenID Foundation: Yahoo!, Google, Facebook, PayPal, Verisign, IBM, Microsoft HIER: NO YADIS, NO XRI (Extensible Resource Identifier)
- #12: url owned by <openid2.delegate> verify at <openid2.server>
- #13: generator - g public prime - p xa = RP&#x2018;s private key xb = OP&#x2018;s private key
- #17: put in username / password credentials
- #18: User selects OpenId Identifier
- #21: url owned by <openid.delegate> verify at <openid.server>
- #25: Geschichte: -Flickr, Google AuthSub, -Yahoo! -Twitter -Facebook -> OAuth 2.0
- #28: Passiert VIEL fr&#xFC;her Signierung, damit keine Replay Attacken ausgef&#xFC;hrt werden k&#xF6;nnen
- #43: OpenID komplizierter, Indirektion
- #45: activity streams: facebook, MySpace, Google Buzz (draft)