280 likes | 296 Views
INF 123 SW Arch, dist sys & interop Lecture 16. Prof. Crista Lopes. Objectives. Understanding the difference between Authentication and Authorization Understanding OpenID and OAuth. Auth vs Auth. Auth entication : who is this user ? Auth orization : can this user do that?.
E N D
INF 123 SW Arch, dist sys & interopLecture 16 Prof. Crista Lopes
Objectives • Understanding the difference between Authentication and Authorization • Understanding OpenID and OAuth
Auth vs Auth • Authentication: who is this user? • Authorization: can this user do that?
Identity on the Web • Millions of Web sites, each with their own users • Each user needs to remember N usernames+passwords • …why not interoperate identity? • …why not interoperate more data?
OpenID Decentralized Identity
OpenID in Action • “OpenID is a decentralized authentication protocol that makes it easy for people to sign up and access web accounts.” • www.stackoverflow.com
How it works http://openid.net/developers/specs/ http://yahoo.com
How it works, in 11 steps OpenID Provider End Point http://www.windley.com/archives/2006/04/how_does_openid.shtml Relying party OpenID Provider
Steps 1, 2 – Post Identifier <form id="openid_form" action="/users/authenticate" method="post"> <!-- /Simple OpenID Selector --> <table id="openid-url-input"> <tr> <td><input id="openid_identifier" name="openid_identifier" type="url” ></td> <td><input id="submit-button” type="submit" value=”Sign in”></td> </tr> </table> </form>
How it works – Discovery OpenID Provider End Point http://www.windley.com/archives/2006/04/how_does_openid.shtml Relying party OpenID Provider
Steps 3, 4 – Normalization & Discovery • Yadis ProtocolContent-Type: application/xrds+xmlwhen performing an HTTP GET on the identity URL
Step 3 – XRDS response <?xml version="1.0" encoding="UTF-8"?> <xrds:XRDSxmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)" xmlns:openid="http://openid.net/xmlns/1.0"> <XRD> <Service priority="50"> <Type>http://openid.net/signon/1.0</Type> <URI>http://www.myopenid.com/server</URI> <openid:Delegate>http://smoker.myopenid.com/</openid:Delegate> </Service> <Service priority="10"> <Type>http://openid.net/signon/1.0</Type> <URI>http://www.livejournal.com/openid/server.bml</URI> <openid:Delegate>http://www.livejournal.com/users/frank/</openid:Delegate> </Service> <Service priority="20"> <Type>http://lid.netmesh.org/sso/2.0</Type> <URI>http://mylid.net/liddemouser</URI> </Service> <Service> <Type>http://lid.netmesh.org/sso/1.0</Type> </Service> </XRD> </xrds:XRDS>
Steps 3, 4 – Normalization & Discovery • Plain HTTP • Returned document must contain a <link /> element:<link rel=“openid2.provider” href=“http://endpoint”/>
How it works – Redirect 1 OpenID Provider End Point http://www.windley.com/archives/2006/04/how_does_openid.shtml Relying party OpenID Provider
Step 5 – First redirect • Relying party parses XDSR or <link /> and retrieves the OpenID provider end point. • Then redirects (302, 303 or 307) user agent to it with query params appended to the URL: HTTP/1.1 303 See Other Location: https://login.yahoo.com?openid.ns=http://specs.openid.net/auth/2.0& openid.mode=checkid_setup& openid.claimed_id=e_mumble& openid.return_to=http://stackoverflow.com?article=123
How it works – Login OpenID Provider End Point http://www.windley.com/archives/2006/04/how_does_openid.shtml Relying party OpenID Provider
Steps 6, 7, 8, 9 – Login • Undefined in the Spec • Usually regular login form with POST • May include further verification with user • This is a vulnerable point in the process • more later
How it works – Final Redirect OpenID Provider End Point http://www.windley.com/archives/2006/04/how_does_openid.shtml Relying party OpenID Provider
Step 10 – Final Redirect • OpenID Provider End Point redirects user agent back to the “return_to” URL. HTTP/1.1 303 See Other Location: http://stackoverflow.com?article=123?openid.ns=http://specs.openid.net/auth/2.0& openid.op_endpoint=https://login.yahoo.com& openid.return_to=http://stackoverflow.com?article=123& openid.identity=e_mumble& openid.response_nonce=2005-05-15T17:11:51ZUN6TY9& openid.sig=MACsignature
Step 10 • Relying party must verify a few things before deciding that the user is authenticated • return_to matches • identifier matches • nonce is unique • signature is valid
How it works – Finally! OpenID Provider End Point http://www.windley.com/archives/2006/04/how_does_openid.shtml Relying party OpenID Provider
Step 11 • Relying party returns the page that user was on • http://stackoverflow.com?article=123
Final Remarks • The whole point of OpenID is to authenticate users • your web app wants to verify that user jonh.smith @ yahoo.com really is john.smith at yahoo.com • OpenID knows nothing about authorization • after establishing identity, your application must deciding which resources this user is allowed to access authentication ≠ authorization
OpenID is Phishing Heaven • idtheft.fun.de • OpenID’s adoption by major sites is a mystery to me!
OAuth Authorization – but not for *your* resources
OAuth • The goal of OAuth is to acquire an access token from a 3rd party (like Google, Facebook, etc.), which can then be used to exchange user-specific data between your application and that 3rd party service (such as calendar information or friends list) access user data Your app Facebook/Google user data
OpenID+OAuth • Lets arbitrary apps (like yours) access your Twitter/Facebook/Google/etc account without having to have your password
OAuth 4 main steps • Your app asks for a “request” token from the 3rd party • Your app asks the 3rd party for the token to be authorized • 3rd party requests user approval • Your app exchanges the “request” token for an “access” token • Your app uses the “access” token to access the data