Distributed Identities with OpenID
2 likes811 views
The document discusses the shortcomings of OpenID, highlighting its low adoption and user experience issues, and cites various criticisms from notable figures in the tech industry. It emphasizes the need for a simpler, more flexible identity management solution, such as OpenID Connect built on OAuth 2.0, to improve the single sign-on experience for users. The presentation also suggests potential improvements from browser vendors to streamline user authentication processes.
Distributed Identities with OpenID
- 1. Distributed Identities with OpenID Bastian Hofmann VZnet Netzwerke Ltd.
- 3. „OpenID has been a burden on support since the day it was launched.“ „Fewer than 1% of all 37signals users are currently using OpenID.“ http://productblog.37signals.com/products/2011/01/well-be-retiring-our- support-of-openid-on-may-1.html
- 4. „OpenID is the worst possible "solution" I have ever seen in my entire life to a problem that most people don't really have.“ Yishan Wong (Facebook) http://www.quora.com/What-s-wrong-with-OpenID
- 5. Facebook Connect 250,000,000 monthly users
- 6. So why are you here?
- 7. • Why identity management is still a problem • OpenID how it works, and why it fails • OpenID Connect & OAuth2: OpenIDs future? • What can browser vendors do?
- 12. Questions? Ask!
- 15. Identity is conveyed by communication Identity is not fixed but recreated by every communication with your fellows Expectations of different people result in different identities Lothar Krappmann
- 19. Sign up again and again
- 20. Passwords are broken Same password for more than one service Saved unsecurely in the browser Names, birthdays, car brand, ... Disclosed to others Too short, too simple Sent over non encrypted connections
- 21. Single Sign On
- 22. Microsoft Live ID Launched 1999 as .net Passport
- 23. Facebook Connect
- 25. And there are much more
- 26. Nascar problem
- 29. The Client
- 30. Discovery <link rel="openid.server" href="http://www.myopenid.com/ server" /> <link rel="openid2.provider" href="http://www.myopenid.com/ server" /> Delegation <meta http-equiv="X-XRDS-Location" content="http:// bhofmann.myopenid.com/" /> <link rel="openid2.provider" href="http:// www.myopenid.com/server" /> <link rel="openid2.local_id" href="http:// bhofmann.myopenid.com/" /> <link rel="openid.server" href="http://www.myopenid.com/ server" /> <link rel="openid.delegate" href="http:// bhofmann.myopenid.com/" />
- 31. Connection Flow
- 32. DEMO
- 33. Authentication vs Authorization Who is the user? Is this really user X? VS Is X allowed to do something? Does X have the permission? Client sites want more than just a unique identifier (Social Graph)
- 34. But there are Spec Extensions
- 35. Simple Registration • Allows to specify certain fields in request that must or should be returned by the Identity Provider openid.sreg.required=openid.sreg.fullname& openid.sreg.optional=openid.sreg.email,openid.sreg.gender openid.sreg.fullname=Bastian&openid.sreg.gender=male
- 36. Attribute Exchange • Fetch Request penid.ns.ax=http://openid.net/srv/ax/1.0 openid.ax.mode=fetch_request openid.ax.type.fname=http://example.com/schema/fullname openid.ax.type.gender=http://example.com/schema/gender openid.ax.type.fav_dog=http://example.com/schema/favourite_dog openid.ax.type.fav_movie=http://example.com/schema/ favourite_movie openid.ax.count.fav_movie=3 openid.ax.required=fname,gender openid.ax.if_available=fav_dog,fav_movie openid.ax.update_url=http://idconsumer.com/update? transaction_id=a6b5c41
- 37. Attribute Exchange • Fetch Response openid.ns.ax=http://openid.net/srv/ax/1.0 openid.ax.mode=fetch_response openid.ax.type.fname=http://example.com/schema/fullname openid.ax.type.gender=http://example.com/schema/gender openid.ax.type.fav_dog=http://example.com/schema/favourite_dog openid.ax.type.fav_movie=http://example.com/schema/ favourite_movie openid.ax.value.fname=John Smith openid.ax.count.gender=0 openid.ax.value.fav_dog=Spot openid.ax.count.fav_movie=2 openid.ax.value.fav_movie.1=Movie1 openid.ax.value.fav_movie.2=Movie2 openid.ax.update_url=http://idconsumer.com/update? transaction_id=a6b5c41
- 38. Attribute Exchange • Store Request openid.ns.ax=http://openid.net/srv/ax/1.0 openid.ax.mode=store_request openid.ax.type.fname=http://example.com/schema/fullname openid.ax.value.fname=Bob Smith openid.ax.type.fav_movie=http://example.com/schema/ favourite_movie openid.ax.count.fav_movie=2 openid.ax.value.fav_movie.1=Movie1 openid.ax.value.fav_movie.2=Movie2 • Store Respons openid.ns.ax=http://openid.net/srv/ax/1.0 openid.ax.mode=store_response_success
- 40. OAuth 1.0a Flow +----------+ +---------------+ | -+----(B)-- Request Token -------->| | | End-user | | Authorization | | at |<---(C)-- User authenticates --->| Server | | Browser | | | | -+----(D)-- Verifier -------------<| | +-|----|---+ +---------------+ | | ^ v (B) (D) | | | | | | ^ v | | +---------+ | | | |>---(A)-- Redirect URL ---------------| | | Web |<---(A)-- Request Token + Secret -----| | | Client |>---(E)-- Request Token, Verifier ----' | | |<---(E)-- Access Token + Secret -------------' +---------+ Every Request: Client Credentials, Nonce, Timestamp, Signature http://oauth.net/
- 41. OpenID + OAuth • Combines OpenID Authentication and OAuth authorization openid.ns.oauth=http://specs.openid.net/extensions/oauth/1.0 &openid.oauth.consumer=123456 openid.ns.oauth=http://specs.openid.net/extensions/oauth/1.0 &openid.oauth.request_token=7890
- 42. Failures of OpenID 2.0 Complex to implement No marketing Do you have an OpenID? What is it? URL as identifier => Bad User Experience
- 43. How to fix it?
- 44. Easier to implement Better user experience Built on top of OAuth 2.0 More simple specification wider adption
- 45. What‘s wrong with OAuth? Does not work well with non web or JavaScript based clients The „Invalid Signature“ Problem Complicated Flow, many requests
- 47. What‘s new in OAuth2? (Draft 10) No signatures Cookie-like Bearer Token Different client profiles No Token Secrets No Request Tokens Mandatory TSL/SSL Much more flexible regarding extensions http://tools.ietf.org/html/draft-ietf-oauth-v2
- 48. Web-Server Profile +----------+ Client Identifier +---------------+ | -+----(A)--- & Redirect URI ------>| | | End-user | | Authorization | | at |<---(B)-- User authenticates --->| Server | | Browser | | | | -+----(C)-- Authorization Code ---<| | +-|----|---+ +---------------+ | | ^ v (A) (C) | | | | | | ^ v | | +---------+ | | | |>---(D)-- Client Credentials, --------' | | Web | Authorization Code, | | Client | & Redirect URI | | | | | |<---(E)----- Access Token -------------------' +---------+ (w/ Optional Refresh Token)
- 49. User-Agent Profile +----------+ Client Identifier +----------------+ | |>---(A)-- & Redirection URI --->| | | | | | End <--+ - - - +----(B)-- User authenticates -->| Authorization | User | | | Server | | |<---(C)--- Redirect URI -------<| | | Client | with Access Token | | | in | in Fragment +----------------+ | Browser | | | +----------------+ | |>---(D)--- Redirect URI ------->| | | | without Fragment | Web Server | | | | with Client | | (F) |<---(E)--- Web Page with ------<| Resource | | Access | Script | | | Token | +----------------+ +----------+
- 50. What happend to signatures? Ongoing controvers discussion Bearer Tokens are fine over secure connection Vulnerable if discovery is introduced Or if TSL/SSL is not possible
- 51. Scopes Optional parameter for provider specific implementations Additional return values Access Control
- 52. Scope: „openid“ With access token additional values are returned UserID: URL to Portable Contacts endpoint Timestamp Signature http://openidconnect.com/
- 54. DEMO
- 55. OpenID Connect Discovery Get Identifier of user Call /.well-‐known/host-‐meta file at the domain of the user‘s provider Look for a link pointing to the OpenID Connect endpoints in the returned LRDD
- 56. Phishing
- 57. @ E-mail address equals identity?
- 58. Can the browser help?
- 60. DEMO
- 61. Bad browser UI Syncing between different computers? More than one user on the same computer?
- 64. DEMO
- 65. Summing it up • We need a single sign on system for the web • OpenID is cool, but has some problems • Proprietary solutions are bad for users, site owners and developers • A new more simple and flexible spec is coming up • Browser vendors are working to solve this problem in the browser