
INF 123 SW Arch, dist sys & interop Lecture 16


Presentation Transcript


  1. INF 123 SW Arch, dist sys & interop, Lecture 16. Prof. Crista Lopes

  2. Objectives • Understanding the difference between Authentication and Authorization • Understanding OpenID and OAuth

  3. Auth vs Auth • Authentication: who is this user? • Authorization: can this user do that?

  4. Identity on the Web • Millions of Web sites, each with their own users • Each user needs to remember N usernames+passwords • …why not interoperate identity? • …why not interoperate more data?

  5. OpenID Decentralized Identity

  6. OpenID in Action • “OpenID is a decentralized authentication protocol that makes it easy for people to sign up and access web accounts.” • www.stackoverflow.com

  7. How it works (diagram) • Spec: http://openid.net/developers/specs/ • Example provider: http://yahoo.com

  8. How it works, in 11 steps (diagram of the Relying party, the OpenID Provider and the OpenID Provider End Point, from http://www.windley.com/archives/2006/04/how_does_openid.shtml)

  9. Steps 1, 2 – Post Identifier. The relying party's login form takes the user's OpenID identifier (a URL) and POSTs it to the relying party; discovery (step 3) is then performed on that identifier:

    <form id="openid_form" action="/users/authenticate" method="post">
      <!-- Simple OpenID Selector -->
      <table id="openid-url-input">
        <tr>
          <td><input id="openid_identifier" name="openid_identifier" type="url"></td>
          <td><input id="submit-button" type="submit" value="Sign in"></td>
        </tr>
      </table>
    </form>

  10. How it works – Discovery (same diagram, discovery step highlighted)

  11. Steps 3, 4 – Normalization & Discovery • The identifier is normalized first: a missing scheme becomes "http://", a missing path becomes "/", a fragment is dropped (so "yahoo.com" becomes "http://yahoo.com/") • Yadis protocol: the relying party performs an HTTP GET on the identifier URL (sending Accept: application/xrds+xml) and receives an XRDS document with Content-Type: application/xrds+xml, either directly or via an X-XRDS-Location header or <meta http-equiv="X-XRDS-Location"> that points to it

  12. Step 3 – XRDS response

    <?xml version="1.0" encoding="UTF-8"?>
    <xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)"
        xmlns:openid="http://openid.net/xmlns/1.0">
      <XRD>
        <Service priority="50">
          <Type>http://openid.net/signon/1.0</Type>
          <URI>http://www.myopenid.com/server</URI>
          <openid:Delegate>http://smoker.myopenid.com/</openid:Delegate>
        </Service>
        <Service priority="10">
          <Type>http://openid.net/signon/1.0</Type>
          <URI>http://www.livejournal.com/openid/server.bml</URI>
          <openid:Delegate>http://www.livejournal.com/users/frank/</openid:Delegate>
        </Service>
        <Service priority="20">
          <Type>http://lid.netmesh.org/sso/2.0</Type>
          <URI>http://mylid.net/liddemouser</URI>
        </Service>
        <Service>
          <Type>http://lid.netmesh.org/sso/1.0</Type>
        </Service>
      </XRD>
    </xrds:XRDS>

  • A lower priority number wins, and a <Service> without a priority sorts last • This sample advertises OpenID 1.0 services (Type http://openid.net/signon/1.0, with openid:Delegate naming the provider-local identifier); an OpenID 2.0 service uses Type http://specs.openid.net/auth/2.0/signon and <LocalID> instead

  13. Steps 3, 4 – Normalization & Discovery • Plain HTTP (no XRDS) • The returned HTML document must contain a <link /> element in its <head>: <link rel="openid2.provider" href="http://endpoint"/> • An optional <link rel="openid2.local_id" href="..."/> names the provider-local identifier (OpenID 1.x used rel="openid.server" and rel="openid.delegate"); when both 2.0 and 1.x links are present the 2.0 ones are used
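Added example (not code from the lecture or from any OpenID library): the discovery step a relying party performs on a document it has already fetched, in Python, covering both the XRDS form (the document from slide 12, reproduced inline with its namespace declaration repaired) and the HTML <link /> form (a constructed page on the hypothetical host op.example). It prefers OpenID 2.0 services over 1.x ones and, within a type, the lowest priority number. The fetch itself is left out; since the identifier is typed by the user, a real relying party must fetch it with limits on where it will connect and how much it will read.

```python
import xml.etree.ElementTree as ET
from html.parser import HTMLParser

# Namespaces used in Yadis/OpenID XRDS documents.
NS_XRD = "xri://$xrd*($v*2.0)"
NS_OPENID = "http://openid.net/xmlns/1.0"
# OpenID service types, most preferred first (2.0 before 1.x, as the spec requires).
OPENID_TYPES = [
    "http://specs.openid.net/auth/2.0/signon",
    "http://openid.net/signon/1.1",
    "http://openid.net/signon/1.0",
]

def _children(elem, tag):
    return [c for c in elem if c.tag == tag]

def discover_xrds(xrds_doc):
    """Pick the OpenID service from an XRDS document.

    Returns (endpoint URL, local identifier or None), choosing the most preferred
    OpenID type and, within a type, the lowest <Service priority="..."> number
    (services without a priority sort last, per the XRD rules).
    Returns None when the document advertises no OpenID service.
    """
    if isinstance(xrds_doc, str):
        xrds_doc = xrds_doc.encode("utf-8")
    root = ET.fromstring(xrds_doc)
    candidates = []
    for service in root.iter(f"{{{NS_XRD}}}Service"):
        types = [t.text.strip() for t in _children(service, f"{{{NS_XRD}}}Type") if t.text]
        ranks = [OPENID_TYPES.index(t) for t in types if t in OPENID_TYPES]
        uris = [u.text.strip() for u in _children(service, f"{{{NS_XRD}}}URI") if u.text]
        if not ranks or not uris:
            continue
        # OpenID 2.0 carries the OP-local identifier in <LocalID>; 1.x used <openid:Delegate>.
        local = _children(service, f"{{{NS_XRD}}}LocalID") or _children(service, f"{{{NS_OPENID}}}Delegate")
        local_id = local[0].text.strip() if local and local[0].text else None
        prio = service.get("priority")
        prio = int(prio) if prio is not None and prio.isdigit() else float("inf")
        candidates.append((min(ranks), prio, uris[0], local_id))
    if not candidates:
        return None
    best = min(candidates, key=lambda c: (c[0], c[1]))
    return best[2], best[3]

class _LinkCollector(HTMLParser):
    """Collects <link rel="openid..." href="..."> elements."""
    def __init__(self):
        super().__init__()
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = dict(attrs)
        for rel in (a.get("rel") or "").split():
            if rel.startswith("openid") and a.get("href"):
                self.links.setdefault(rel, a["href"])

def discover_html(html_doc):
    """HTML discovery: openid2.provider/openid2.local_id (2.0), else openid.server/openid.delegate (1.x)."""
    p = _LinkCollector()
    p.feed(html_doc)
    p.close()
    for provider, local in (("openid2.provider", "openid2.local_id"), ("openid.server", "openid.delegate")):
        if provider in p.links:
            return p.links[provider], p.links.get(local)
    return None

# The XRDS document shown on slide 12 (OpenID 1.0 services), with the namespace line repaired.
SLIDE_XRDS = """<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)"
    xmlns:openid="http://openid.net/xmlns/1.0">
  <XRD>
    <Service priority="50">
      <Type>http://openid.net/signon/1.0</Type>
      <URI>http://www.myopenid.com/server</URI>
      <openid:Delegate>http://smoker.myopenid.com/</openid:Delegate>
    </Service>
    <Service priority="10">
      <Type>http://openid.net/signon/1.0</Type>
      <URI>http://www.livejournal.com/openid/server.bml</URI>
      <openid:Delegate>http://www.livejournal.com/users/frank/</openid:Delegate>
    </Service>
    <Service priority="20">
      <Type>http://lid.netmesh.org/sso/2.0</Type>
      <URI>http://mylid.net/liddemouser</URI>
    </Service>
    <Service>
      <Type>http://lid.netmesh.org/sso/1.0</Type>
    </Service>
  </XRD>
</xrds:XRDS>"""

# Constructed HTML page (hypothetical host op.example) for the <link /> form of discovery.
SAMPLE_HTML = """<html><head><title>alice</title>
<link rel="openid2.provider" href="https://op.example/endpoint">
<link rel="openid2.local_id" href="https://op.example/users/alice">
</head><body>my home page</body></html>"""

if __name__ == "__main__":
    print(discover_xrds(SLIDE_XRDS))   # the livejournal service: priority 10 beats 50
    print(discover_html(SAMPLE_HTML))
```

The endpoint this returns is the URL the user agent will be redirected to in step 5, and it is also the value the relying party must later compare against openid.op_endpoint in step 10, so it belongs in the user's session rather than being thrown away after the redirect.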

  14. How it works – Redirect 1 (same diagram, first redirect highlighted)

  15. Step 5 – First redirect • Relying party parses the XRDS or the <link /> element and retrieves the OpenID provider end point • It records the discovered end point, the claimed identifier and the return_to URL in the user's session; step 10 checks the provider's answer against them • Then redirects (302, 303 or 307) the user agent to the end point with query params appended to the URL (values URL-encoded; in a real request openid.identity accompanies openid.claimed_id):

    HTTP/1.1 303 See Other
    Location: https://login.yahoo.com?openid.ns=http://specs.openid.net/auth/2.0&
              openid.mode=checkid_setup&
              openid.claimed_id=e_mumble&
              openid.return_to=http://stackoverflow.com?article=123

  16. How it works – Login (same diagram, login steps highlighted)

  17. Steps 6, 7, 8, 9 – Login • Undefined in the spec • Usually a regular login form with POST • May include further verification with the user • This is a vulnerable point in the process: the user arrives at the login page through a redirect chosen by the relying party, so a malicious relying party can send the user to a look-alike page and collect the password • more later

  18. How it works – Final Redirect (same diagram, final redirect highlighted)

  19. Step 10 – Final Redirect • OpenID Provider End Point redirects the user agent back to the "return_to" URL, with the signed assertion appended as query params (joined with "&", since return_to already carries a query string):

    HTTP/1.1 303 See Other
    Location: http://stackoverflow.com?article=123&openid.ns=http://specs.openid.net/auth/2.0&
              openid.op_endpoint=https://login.yahoo.com&
              openid.return_to=http://stackoverflow.com?article=123&
              openid.identity=e_mumble&
              openid.response_nonce=2005-05-15T17:11:51ZUN6TY9&
              openid.sig=MACsignature

  • A real positive assertion also carries openid.mode=id_res, openid.assoc_handle (which association key produced the signature) and openid.signed, the comma-separated list of fields that openid.sig covers

  20. Step 10 • Relying party must verify a few things before deciding that the user is authenticated • return_to matches the URL it sent in step 5 (and the URL the response actually arrived at) • identifier matches the claimed identifier from discovery • op_endpoint matches the end point found by discovery (otherwise anyone able to sign a response could assert any identity) • nonce is unique: never accepted before from this provider, and its timestamp lies within a window the relying party chooses • signature is valid: recomputed with the MAC key of the association named by assoc_handle, or, without an association, confirmed by sending the response to the provider in a check_authentication request
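The step 10 checks as an added Python example (not code from the lecture or from any OpenID library). A simulated provider signs a positive assertion the way OpenID 2.0 specifies it, an HMAC over the Key-Value form of the fields named in openid.signed, and a relying party verifies the redirect query against what it stored in step 5. The MAC key, the association handle, the host names and the 5-minute nonce window are assumptions; in a real deployment the key comes from the association exchange with the provider and the window is a relying-party policy.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode

OPENID_NS = "http://specs.openid.net/auth/2.0"
# Fields a positive assertion must always list in openid.signed (OpenID 2.0, section 10.1).
ALWAYS_SIGNED = ("op_endpoint", "return_to", "response_nonce", "assoc_handle")
NONCE_WINDOW = timedelta(minutes=5)   # relying-party policy for clock skew (an assumption)

def kv_signature(params, signed_fields, mac_key):
    """openid.sig: base64(HMAC over the Key-Value form 'field:value\\n' of the signed fields)."""
    kv = "".join(f"{f}:{params['openid.' + f]}\n" for f in signed_fields)
    return base64.b64encode(hmac.new(mac_key, kv.encode(), hashlib.sha256).digest()).decode()

def op_redirect_query(session, assoc_handle, mac_key, nonce):
    """What a (simulated) OP puts after '?' in the Location of the final redirect (step 10)."""
    p = {
        "openid.ns": OPENID_NS, "openid.mode": "id_res",
        "openid.op_endpoint": session["op_endpoint"],
        "openid.claimed_id": session["claimed_id"], "openid.identity": session["claimed_id"],
        "openid.return_to": session["return_to"],
        "openid.response_nonce": nonce, "openid.assoc_handle": assoc_handle,
    }
    signed = ["op_endpoint", "claimed_id", "identity", "return_to", "response_nonce", "assoc_handle"]
    p["openid.signed"] = ",".join(signed)
    p["openid.sig"] = kv_signature(p, signed, mac_key)
    return urlencode(p)

class RelyingParty:
    def __init__(self, associations):
        self.associations = associations   # assoc_handle -> MAC key shared with the OP (HMAC-SHA256 assumed)
        self.seen_nonces = set()

    def verify(self, query, session, now):
        """Step 10 checks. `session` is what the RP stored before redirecting in step 5."""
        p = {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}
        if p.get("openid.ns") != OPENID_NS or p.get("openid.mode") != "id_res":
            return False, "not an OpenID 2.0 positive assertion"
        if p.get("openid.return_to") != session["return_to"]:
            return False, "return_to mismatch"
        if p.get("openid.op_endpoint") != session["op_endpoint"]:
            return False, "op_endpoint is not the endpoint found by discovery"
        if p.get("openid.claimed_id") != session["claimed_id"]:
            return False, "claimed_id mismatch"
        signed = p.get("openid.signed", "").split(",")
        required = ALWAYS_SIGNED + tuple(f for f in ("claimed_id", "identity") if "openid." + f in p)
        if any(f not in signed for f in required) or any("openid." + f not in p for f in signed):
            return False, "openid.signed does not cover the required fields"
        nonce = p.get("openid.response_nonce", "")
        try:   # nonce = UTC timestamp (ISO 8601 with 'Z') followed by unique characters
            ts = datetime.strptime(nonce[:20], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        except ValueError:
            return False, "malformed nonce"
        if abs(now - ts) > NONCE_WINDOW:
            return False, "nonce outside the acceptable time window"
        if (p["openid.op_endpoint"], nonce) in self.seen_nonces:
            return False, "nonce replayed"
        mac_key = self.associations.get(p.get("openid.assoc_handle"))
        if mac_key is None:
            return False, "unknown association; would need a check_authentication request to the OP"
        if not hmac.compare_digest(kv_signature(p, signed, mac_key), p.get("openid.sig", "")):
            return False, "bad signature"
        self.seen_nonces.add((p["openid.op_endpoint"], nonce))   # remember it only once it verified
        return True, p["openid.claimed_id"]

def demo():
    """Constructed scenario: a tampered assertion, a valid one, a replay and a stale nonce."""
    session = {"op_endpoint": "https://login.yahoo.com/", "claimed_id": "https://me.yahoo.com/john.smith",
               "return_to": "https://stackoverflow.com/?article=123"}
    handle, mac_key = "assoc-1", b"\x11" * 32   # assumption: key obtained earlier via the association step
    rp = RelyingParty({handle: mac_key})
    now = datetime(2005, 5, 15, 17, 12, 0, tzinfo=timezone.utc)
    good = op_redirect_query(session, handle, mac_key, "2005-05-15T17:11:51ZUN6TY9")
    # Attacker edits the identifier in the URL but cannot re-sign it.
    tampered = good.replace("john.smith", "jane.doe")
    results = [rp.verify(tampered, {**session, "claimed_id": "https://me.yahoo.com/jane.doe"}, now)]
    results.append(rp.verify(good, session, now))                        # accepted
    results.append(rp.verify(good, session, now))                        # same URL delivered again
    results.append(rp.verify(good, session, now + timedelta(days=1)))    # far outside the window
    return results

if __name__ == "__main__":
    for ok, detail in demo():
        print(ok, detail)
```

The order of the checks is deliberate: everything that binds the response to this session (return_to, op_endpoint, claimed_id) is compared before any cryptography, and the nonce is recorded only after the signature verified, so an attacker cannot burn a nonce the legitimate provider is about to use by sending an unsigned copy first.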

  21. How it works – Finally! (same diagram, last step highlighted)

  22. Step 11 • Relying party returns the page that user was on • http://stackoverflow.com?article=123

  23. Final Remarks • The whole point of OpenID is to authenticate users • your web app wants to verify that the user john.smith @ yahoo.com really is john.smith at yahoo.com • OpenID knows nothing about authorization • after establishing identity, your application must decide which resources this user is allowed to access • authentication ≠ authorization

  24. OpenID is Phishing Heaven • idtheft.fun.de • OpenID’s adoption by major sites is a mystery to me!

  25. OAuth Authorization – but not for *your* resources

  26. OAuth • The goal of OAuth is to acquire an access token from a 3rd party (like Google, Facebook, etc.), which can then be used to exchange user-specific data between your application and that 3rd party service (such as calendar information or friends list) • (diagram: your app accesses user data held by Facebook/Google)

  27. OpenID+OAuth • Lets arbitrary apps (like yours) access your Twitter/Facebook/Google/etc account without having to have your password

  28. OAuth 4 main steps • Your app asks for a "request" token from the 3rd party • Your app asks the 3rd party to authorize that token: the user is sent to the 3rd party, which requests the user's approval • Your app exchanges the authorized "request" token for an "access" token • Your app uses the "access" token to access the data • (These are the OAuth 1.0 steps; OAuth 2.0 replaced the request token with an authorization code but keeps the same shape: redirect, user consent, exchange for an access token, call the API)
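Added example (not code from the lecture or from any real provider's library): the four OAuth 1.0 steps above run end to end in Python. Every step is a signed request, so the block implements the HMAC-SHA1 request signing of RFC 5849 (signature base string, parameter normalization, percent-encoding) on the client side, and a simulated provider that checks the signature, rejects a repeated timestamp+nonce, demands the 1.0a oauth_callback and oauth_verifier, and spends the request token on exchange. The consumer credentials, the hosts provider.example and app.example and the returned calendar data are constructed; the known-answer check uses the request from RFC 5849 section 3.4.1.1.

```python
import base64, hashlib, hmac, secrets, time
from urllib.parse import parse_qsl, quote, urlsplit

def pct(s):
    return quote(str(s), safe="-._~")   # RFC 5849 3.6: only unreserved characters stay bare

def base_string(method, url, params):
    """Signature base string (RFC 5849 3.4.1): METHOD & base URL & normalized parameters."""
    u = urlsplit(url)
    host = u.hostname.lower()
    if u.port and u.port != {"http": 80, "https": 443}.get(u.scheme.lower()):
        host += f":{u.port}"
    pairs = [(pct(k), pct(v)) for k, v in params if k != "oauth_signature"]          # header + body params
    pairs += [(pct(k), pct(v)) for k, v in parse_qsl(u.query, keep_blank_values=True)]   # query params
    normalized = "&".join(f"{k}={v}" for k, v in sorted(pairs))
    return "&".join([method.upper(), pct(f"{u.scheme.lower()}://{host}{u.path}"), pct(normalized)])

def sign(method, url, params, consumer_secret, token_secret=""):
    """HMAC-SHA1 over the base string; the key is both secrets, encoded and joined by '&'."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()

def rfc5849_example():
    """Base string of the request in RFC 5849 section 3.4.1.1 (query, form body and oauth_* header)."""
    params = [("oauth_consumer_key", "9djdj82h48djs9d2"), ("oauth_token", "kkk9d7dh3k39sjv7"),
              ("oauth_signature_method", "HMAC-SHA1"), ("oauth_timestamp", "137131201"),
              ("oauth_nonce", "7d8f3e4a"), ("c2", ""), ("a3", "2 q")]
    return base_string("POST", "http://example.com/request?b5=%3D%253D&a3=a&c%40=&a2=r%20b", params)

class Provider:
    """Simulated OAuth 1.0a service provider (constructed for this example, not a real service)."""
    def __init__(self, consumers):
        self.consumers, self.tokens, self.seen = consumers, {}, set()   # key->secret, token->info, replay set

    def _verify(self, method, url, params, token_secret=""):
        d = dict(params)
        secret = self.consumers.get(d.get("oauth_consumer_key"))
        replay_key = (d.get("oauth_consumer_key"), d.get("oauth_timestamp"), d.get("oauth_nonce"))
        if secret is None or d.get("oauth_signature_method") != "HMAC-SHA1" or replay_key in self.seen:
            return None
        if not hmac.compare_digest(sign(method, url, params, secret, token_secret), d.get("oauth_signature", "")):
            return None
        self.seen.add(replay_key)   # timestamp+nonce must not repeat (a real server also bounds the timestamp)
        return d

    def _issue(self, kind, **info):
        tok, sec = secrets.token_hex(8), secrets.token_hex(16)
        self.tokens[tok] = {"kind": kind, "secret": sec, **info}
        return tok, sec

    def request_token(self, method, url, params):   # step 1 (oauth_callback is mandatory in 1.0a)
        d = self._verify(method, url, params)
        return None if d is None or "oauth_callback" not in d else self._issue("request", callback=d["oauth_callback"])

    def authorize(self, token, user):   # step 2: the user approves on the provider's page and gets a verifier
        t = self.tokens.get(token)
        if t is None or t["kind"] != "request":
            return None
        t["user"], t["verifier"] = user, secrets.token_hex(4)
        return t["verifier"]

    def access_token(self, method, url, params):   # step 3: request token + verifier -> access token
        d = dict(params)
        t = self.tokens.get(d.get("oauth_token"))
        if t is None or t["kind"] != "request" or d.get("oauth_verifier", "") != t.get("verifier"):
            return None
        if self._verify(method, url, params, t["secret"]) is None:
            return None
        del self.tokens[d["oauth_token"]]   # a request token is exchanged exactly once
        return self._issue("access", user=t["user"])

    def resource(self, method, url, params):   # step 4: the data the user agreed to share
        t = self.tokens.get(dict(params).get("oauth_token"))
        if t is None or t["kind"] != "access" or self._verify(method, url, params, t["secret"]) is None:
            return None
        return {"user": t["user"], "calendar": ["INF 123 lecture 16"]}

def client_params(key, secret, method, url, extra=(), token="", token_secret=""):
    """The oauth_* parameters the client sends (normally in an Authorization: OAuth header), signed."""
    params = [("oauth_consumer_key", key), ("oauth_nonce", secrets.token_hex(8)),
              ("oauth_signature_method", "HMAC-SHA1"), ("oauth_timestamp", str(int(time.time()))),
              ("oauth_version", "1.0"), *extra] + ([("oauth_token", token)] if token else [])
    return params + [("oauth_signature", sign(method, url, params, secret, token_secret))]

def run_flow():
    """The four steps end to end, then an attempt to reuse the spent request token (must fail)."""
    op = Provider({"app-key": "app-secret"})   # constructed consumer credentials, registered out of band
    u = "https://provider.example"
    rt, rts = op.request_token("POST", u + "/request_token", client_params(
        "app-key", "app-secret", "POST", u + "/request_token", [("oauth_callback", "https://app.example/cb")]))
    verifier = op.authorize(rt, "alice")   # in reality: browser redirect, login, consent, redirect to the callback
    at, ats = op.access_token("POST", u + "/access_token", client_params(
        "app-key", "app-secret", "POST", u + "/access_token", [("oauth_verifier", verifier)], rt, rts))
    data = op.resource("GET", u + "/calendar", client_params("app-key", "app-secret", "GET", u + "/calendar", (), at, ats))
    reuse = op.access_token("POST", u + "/access_token", client_params(
        "app-key", "app-secret", "POST", u + "/access_token", [("oauth_verifier", verifier)], rt, rts))
    return data, reuse

if __name__ == "__main__":
    print(run_flow())
```

Note that the user's password never reaches the app: the only secrets the app holds are its own consumer secret and the token secrets the provider issued, and every call proves possession of them through the signature rather than by sending them.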
