
OAuth vs OpenID


Presentation Transcript


  1. OAuth vs OpenID
  • OAuth
  • Introduction
  • Functionality
  • Conclusion
  • OpenID
  • Introduction
  • Functionality
  • Conclusion
  • OAuth vs OpenID

  2. OAuth: Introduction
  OAuth was initiated in 2006 by Blaine Cook, who needed users with OpenID to be able to authorize Dashboard Widgets to access their Twitter service. Over time it was developed and standardized by Google. Newer and newer versions were developed, starting with OAuth 1.0a and ending with OAuth 2.0. OAuth is a standard authorization protocol that lets users expose the private resources they hold on a given site without having to reveal their username and password. The protocol uses tokens in place of the username and password, and its purpose is to authorize a third party to view a user's private data without the user handing over the username and password they hold. The protocol is used for authorization mainly by web services (for example Facebook, Twitter, Google, etc.) to authorize a third party to access the data they host for a given user.

  3. OAuth: Functionality
  • OAuth involves three parties:
  • The user, who owns data hosted by a given service and wants to authorize a given application to access the data hosted on that service;
  • The web service, which is where the user's data is hosted;
  • The consumer, which is the third party the user wants to authorize.

  4. OAuth: Functionality
  Image from: http://oauth.net/core/1.0/#signing_process

  5. OAuth: Functionality
  • This communication between the user, the consumer and the service provider has three parts:
  • the part where the consumer asks the service provider for a request token;
  • the part where the consumer redirects the user to the service provider so the user can authorize it;
  • the part where the consumer exchanges the request token for an access token.

  6. OAuth: Functionality
  • First, as a consumer we need a consumer key, which we obtain by registering our application with the service provider.
  • Now we can send the service provider the request for a request token.
  • In this request the parameters can be sent in three ways:
  - as an HTTP Authorization header
  - as an HTTP POST body
  - as part of the URL

  7. OAuth: Functionality
  • We now describe the OAuth 1.0 protocol for the YouTube case (which goes through Google):
  • We must mention that Google supports RSA-SHA1 and HMAC-SHA1 as signature methods, or we can use PLAINTEXT if we are on an SSL channel.
  • As we said, the first step is to obtain a request token, and the request looks as follows:

  8. OAuth: Functionality
    POST /accounts/OAuthGetRequestToken HTTP/1.1
    Host: https://www.google.com
    Content-Type: application/x-www-form-urlencoded
    Authorization: OAuth oauth_consumer_key="msczhOK936UrGhyCAn_Dfg", oauth_signature_method="RSA-SHA1", oauth_signature="wOJIO9A2W5mFwDgiDvZbTSMK%2FPY%3D", oauth_timestamp="137131200", oauth_nonce="4572616e48616d6d65724c61686176", oauth_version="1.0"

    scope=http://gdata.youtube.com

  9. OAuth: Functionality
  • The parameters are sent via POST, which is why the body is URL-encoded.
  • Consumer key is the key Google issued when the application was registered (we will use this key in every request from now on).
  • Signature method is the signature type, one of the two listed earlier.
  • Signature is the signature of this request computed with the method specified above. The parameters are signed as follows: they are sorted by name, and if the names are equal they are sorted by value; the name is separated from the value by =, and the parameters from each other by &.

  10. OAuth: Functionality
  • Timestamp specifies the time when this request was sent (the number of seconds since January 1, 1970 00:00:00 GMT);
  • Nonce is a random 64-bit number encoded as ASCII in decimal form and, like the timestamp, is unique;
  • Version is the OAuth version in use, which can be 1.0 or 2.0;
  • Scope is the service you are calling.
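As an added example (not code from the presentation), the following Python builds the OAuth 1.0 signature base string the way slides 9 and 10 describe (parameters encoded, sorted by name then value, joined with = and &), signs it with HMAC-SHA1, and shows the check the service provider runs on the received request. The consumer key and secret are placeholders; the timestamp, nonce and scope are the slide's values.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

def pct(value):
    # OAuth 1.0 percent-encoding: only unreserved characters (A-Z a-z 0-9 - . _ ~) stay as they are
    return quote(str(value), safe="-._~")

def normalize_params(params):
    # encode names and values, sort by name then value, join as name=value pairs separated by &
    pairs = sorted((pct(k), pct(v)) for k, v in params if k != "oauth_signature")
    return "&".join(f"{k}={v}" for k, v in pairs)

def signature_base_string(method, url, params):
    # METHOD & encoded URL & encoded normalized parameters (so parameter values end up encoded twice)
    return "&".join([method.upper(), pct(url), pct(normalize_params(params))])

def hmac_sha1_signature(base_string, consumer_secret, token_secret=""):
    # the HMAC key is consumer_secret&token_secret; the token secret is empty for the request-token call
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base_string.encode(), hashlib.sha1).digest()).decode()

def sign_params(method, url, params, consumer_secret, token_secret=""):
    # consumer side: append the oauth_signature parameter to the request
    base = signature_base_string(method, url, params)
    return list(params) + [("oauth_signature", hmac_sha1_signature(base, consumer_secret, token_secret))]

def verify_signature(method, url, params, consumer_secret, token_secret=""):
    # service-provider side: recompute from the received parameters and compare in constant time
    expected = hmac_sha1_signature(signature_base_string(method, url, params), consumer_secret, token_secret)
    return hmac.compare_digest(expected, dict(params).get("oauth_signature", ""))

# Constructed sample: consumer key/secret are placeholders; timestamp, nonce and scope are taken from the slides
REQUEST_TOKEN_URL = "https://www.google.com/accounts/OAuthGetRequestToken"
CONSUMER_SECRET = "example-consumer-secret"
REQUEST_TOKEN_PARAMS = [
    ("oauth_consumer_key", "example-consumer-key"),
    ("oauth_signature_method", "HMAC-SHA1"),
    ("oauth_timestamp", "137131200"),
    ("oauth_nonce", "4572616e48616d6d65724c61686176"),
    ("oauth_version", "1.0"),
    ("scope", "http://gdata.youtube.com"),
]
if __name__ == "__main__":
    signed = sign_params("POST", REQUEST_TOKEN_URL, REQUEST_TOKEN_PARAMS, CONSUMER_SECRET)
    header = ", ".join(f'{k}="{pct(v)}"' for k, v in signed if k.startswith("oauth_"))
    print("Authorization: OAuth " + header)
    print("provider verifies:", verify_signature("POST", REQUEST_TOKEN_URL, signed, CONSUMER_SECRET))
```

Note that the provider must also reject a reused nonce/timestamp pair for the same consumer key; the signature check alone does not stop a replay of an unchanged request.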

  11. OAuth: Functionality
  • If the request succeeded, the response looks as follows:
    oauth_token=ab3cd9j4ks73hf7g&oauth_token_secret=ZXhhbXBsZS5jb20
  • Now we can move on to authorizing the request token:
  • https://www.google.com/accounts/OAuthAuthorizeToken?oauth_token=ab3cd9j4ks73hf7g&oauth_callback=http%3A%2F%2Fwww.example.com

  12. OAuth: Functionality
  • This URL, to which we redirect the user, contains 2 parameters: the token we received and the callback, which is the URL the user will be redirected to if they authorize access.
  • The user is now redirected to the YouTube login page (if not already logged in); after logging in, a window asks whether they allow our application access to their data and what the access level is. If they allow it, they are redirected to the specified callback, which has the following form:
    http://www.example.com/ytapi.html?oauth_token=CKF50YzIHxCT85KMAg
  • Token is the same token as before.

  13. OAuth: Functionality
  • Now we can make the request for the access token, which has the same parameters as the request-token request, plus the request token itself.
  • On success the response has the form:
    oauth_token=ab3cd9j4ks73hf7g&oauth_token_secret=ZXhhbXBsZS5jb20
  • We now hold the access token and can make requests for the data we want to operate on.
  • Authorization is complete.

  14. OAuth: Functionality
  Image: http://code.google.com/apis/youtube/2.0/developers_guide_protocol_oauth.html

  15. OAuth: Conclusion
  • OAuth is currently the most widely used authorization protocol and continues to develop, being used heavily by services such as Facebook, Twitter and YouTube.
  • Because OAuth uses tokens, it makes everything easy and well secured.
  • Source code for oauth-php can be found at http://code.google.com/p/oauth-php/downloads/detail?name=oauth-php-175.tar.gz&can=2&q= both for the Google example and for Twitter.
  • Source code is also available at http://oauth.googlecode.com/svn/code/php/ and both libraries and source code (an example I tested personally) can be found at http://oauth.net/code/ where the PHP variant has a simple example as well as a walkthrough, and at https://github.com/willnorris/oauth-php and http://apiwiki.justin.tv/mediawiki/index.php/OAuth_PHP_Tutorial .

  16. OpenID: Introduction
  • OpenID describes how a user can authenticate to an application using the account they hold at a given web service, without having to give their password to any application other than the one where they already have an account.
  • This saves the user from having to create several accounts and remember several passwords.
  • If the application the user wants to authenticate to uses the OpenID of the web service where the user already has an account, the user no longer needs to create a new account in order to make certain requests in that application.
  • An OpenID identifier usually looks like username.domainname, where domainname could be, say, blogspot.com.
  • OpenID was implemented in May 2005 by Brad Fitzpatrick and was first named YADIS.

  17. OpenID: Functionality
  Image from: http://code.google.com/apis/accounts/docs/OpenID.html

  18. OpenID: Functionality
  • To obtain an OpenID endpoint we make a GET request to https://www.google.com/accounts/o8/id and the Google endpoint URI is returned in the following format:
    <Service priority="0">
      <Type>http://specs.openid.net/auth/2.0/server</Type>
      <URI>{Google's login endpoint URI}</URI>
    </Service>
  • Next we show an example request with a maximum session age of five minutes:

  19. OpenID: Functionality
    https://www.google.com/accounts/o8/id
    ?openid.ns=http://specs.openid.net/auth/2.0
    &openid.ns.pape=http://specs.openid.net/extensions/pape/1.0
    &openid.ns.max_auth_age=300
    &openid.claimed_id=http://specs.openid.net/auth/2.0/identifier_select
    &openid.identity=http://specs.openid.net/auth/2.0/identifier_select
    &openid.return_to=http://www.example.com/checkauth
    &openid.realm=http://www.example.com/
    &openid.assoc_handle=ABSmpf6DNMw
    &openid.mode=checkid_setup
    &openid.ui.ns=http://specs.openid.net/extensions/ui/1.0
    &openid.ui.mode=popup
    &openid.ui.icon=true
    &openid.ns.ax=http://openid.net/srv/ax/1.0
    &openid.ax.mode=fetch_request
    &openid.ax.type.email=http://axschema.org/contact/email
    &openid.ax.type.language=http://axschema.org/pref/language
    &openid.ax.required=email,language

  20. OpenID: Functionality
  • openid.ns = identifies the version of the OpenID protocol in use. This value must be "http://specs.openid.net/auth/2.0".
  • openid.claimed_id = optional identifier for the request. Its value must be set to "http://specs.openid.net/auth/2.0/identifier_select".
  • openid.identity is optional;
  • openid.return_to = the URL the user must be returned to after logging in;
  • openid.mode = the mode of interaction with the user: whether interaction is permitted or not;
  • openid.ns.ui = the authentication page will be shown separately.

  21. OpenID: Functionality
  • openid.ns.ax = the request for information about the user;
  • openid.ax.required = specifies which attributes are required, for example email or name.
  • The remaining parameters, which are not explained here, are optional.
  • Next we show the format of the response on success, given that the request included the authentication age, email and language:

  22. OpenID: Functionality
    http://www.example.com/8080/checkauth
    ?openid.ns=http://specs.openid.net/auth/2.0
    &openid.mode=id_res
    &openid.op_endpoint=https://www.google.com/accounts/o8/ud
    &openid.response_nonce=2008-09-18T04:14:41Zt6shNlcz-MBdaw
    &openid.return_to=http://www.example.com:8080/checkauth
    &openid.assoc_handle=ABSmpf6DNMw
    &openid.ns.pape=http://specs.openid.net/extensions/pape/1.0
    &openid.pape.auth_time=2005-05-15T17:11:51Z
    &openid.pape.auth_policies=http://schemas.openid.net/pape/policies/2007/06/none
    &openid.signed=op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle,ax.mode,ax.type.email,ax.value.email
    &openid.sig=s/gfiWSVLBQcmkjvsKvbIShczH2NOisjzBLZOsfizkI=
    &openid.identity=https://www.google.com/accounts/o8/id/id=ACyQatixLeLODscWvwqsCXWQ2sa3RRaBhaKTkcsvUElI6tNHIQ1_egX_wt1x3fAY983DpW4UQV_U
    &openid.claimed_id=https://www.google.com/accounts/o8/id/id=ACyQatixLeLODscWvwqsCXWQ2sa3RRaBhaKTkcsvUElI6tNHIQ1_egX_wt1x3fAY983DpW4UQV_U
    &openid.ns.ax=http://openid.net/srv/ax/1.0
    &openid.ax.mode=fetch_response
    &openid.ax.type.email=http://axschema.org/contact/email
    &openid.ax.value.email=fred.example@gmail.com
    &openid.ax.type.language=http://axschema.org/pref/language
    &openid.ax.value.language=english
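As an added example (not from the presentation), the following Python shows what the relying party behind return_to must check before trusting an id_res response like the one above: the expected OP endpoint and return_to, a fresh and not yet seen response_nonce, and the openid.sig computed with the association's MAC key over the fields listed in openid.signed (OpenID 2.0 key-value form, one "name:value" line per field). The MAC key, the id= value and the "current" time are constructed placeholders.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

NONCE_MAX_AGE = timedelta(minutes=5)  # assumption: tolerated age/clock skew of a response_nonce

def signature_base(p):
    # OpenID 2.0 key-value form: one "name:value\n" line per field named in openid.signed, in that order
    return "".join(f"{f}:{p.get('openid.' + f, '')}\n" for f in p.get("openid.signed", "").split(","))

def sign(p, mac_key, assoc_type="HMAC-SHA256"):
    digest = hashlib.sha256 if assoc_type == "HMAC-SHA256" else hashlib.sha1  # chosen by the association type
    return base64.b64encode(hmac.new(mac_key, signature_base(p).encode(), digest).digest()).decode()

def verify_assertion(p, mac_key, expected_return_to, expected_endpoint, seen_nonces, now, assoc_type="HMAC-SHA256"):
    # relying-party checks on a positive assertion; returns (ok, reason) and records the nonce on success
    if p.get("openid.mode") != "id_res" or p.get("openid.op_endpoint") != expected_endpoint:
        return False, "not a positive assertion from the expected OP"
    if p.get("openid.return_to") != expected_return_to:
        return False, "return_to mismatch"
    nonce = p.get("openid.response_nonce", "")
    try:  # the nonce starts with a UTC timestamp; reject stale or already-seen nonces (replay)
        issued = datetime.strptime(nonce[:20], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return False, "malformed response_nonce"
    if abs(now - issued) > NONCE_MAX_AGE or nonce in seen_nonces:
        return False, "stale or replayed response_nonce"
    signed = set(p.get("openid.signed", "").split(","))
    if not {"op_endpoint", "return_to", "response_nonce", "assoc_handle", "claimed_id", "identity"} <= signed:
        return False, "mandatory fields not covered by the signature"
    if not hmac.compare_digest(sign(p, mac_key, assoc_type), p.get("openid.sig", "")):
        return False, "bad signature"
    seen_nonces.add(nonce)
    return True, "ok"

# Constructed sample modelled on the slide's id_res response; the MAC key and the id= value are placeholders
MAC_KEY = b"constructed-association-mac-key"
SAMPLE_NOW = datetime(2008, 9, 18, 4, 15, 0, tzinfo=timezone.utc)  # "current" time used for the freshness check
SAMPLE = {
    "openid.mode": "id_res",
    "openid.op_endpoint": "https://www.google.com/accounts/o8/ud",
    "openid.response_nonce": "2008-09-18T04:14:41Zt6shNlcz-MBdaw",
    "openid.return_to": "http://www.example.com:8080/checkauth",
    "openid.assoc_handle": "ABSmpf6DNMw",
    "openid.identity": "https://www.google.com/accounts/o8/id/id=PLACEHOLDER",
    "openid.claimed_id": "https://www.google.com/accounts/o8/id/id=PLACEHOLDER",
    "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle",
}
SAMPLE["openid.sig"] = sign(SAMPLE, MAC_KEY)  # what the OP would have attached to the redirect
```

The same check applied to the slide's real response would also cover the ax.* fields, since they appear in its openid.signed list; any attribute not listed there must be treated as unsigned.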

  23. OpenID: Conclusion
  • As source code, I downloaded the latest version of Zend and installed it; in the demos folder there is a simple example of authentication with OpenID. The latest version of Zend can be found at http://www.zend.com/en/community/downloads and is Zend Framework 1.11.
  • For installation instructions you can follow the ones at http://www.lametadesign.com/blog/admin/how-install-zend-framework-using-wamp-20-windows-xp if you have WAMP.

  24. OAuth vs OpenID
  • Where OAuth is about accessing the resources that an identity owns, OpenID is about accessing the identity itself;
  • Where OpenID is decentralized, OAuth is centralized;
  • Where OpenID uses the Diffie-Hellman protocol for key exchange, OAuth uses one of the signature methods RSA-SHA1 or HMAC-SHA1;
  • Both involve three participating parties;
  • We can say that OAuth complements OpenID.

  25. Resources
  Main resources:
  • http://openid.net/developers/specs/
  • http://code.google.com/apis/youtube/2.0/developers_guide_protocol_oauth.html
  • Wikipedia
  • http://googlecodesamples.com/oauth_playground/
  • Zend Framework
  • http://oauth.net/core/1.0/#anchor14
  • http://code.google.com/apis/accounts/docs/OpenID.html
