2007 Web2Expo Implementing OpenID

8/14/2019 2007 Web2Expo Implementing OpenID

1/69

Web 2.0 Expo

April 15-18, 2007

David [email protected]

Implementing

Brian [email protected]
mailto:[email protected]:[email protected]:[email protected]:[email protected]


2/69

brief intro...and theninto the code


3/69

What is OpenID?

Single sign-on for the web

Simple and light-weight(not going to replace your atm pin)

Easy to use and deploy

Open development processDecentralized(no single point of failure)

Free!


4/69

Proves You Control a URI

www.davidrecordon.com brianellin.com
http://www.davidrecordon.com/http://www.davidrecordon.com/http://www.davidrecordon.com/http://www.davidrecordon.com/http://www.davidrecordon.com/http://www.davidrecordon.com/


5/69

the common things we hear


6/69


7/69

"Been there, done that"

Great forthe enterprise Centralized Centralized


8/69

...but do you really trust them?


9/69


10/69

With OpenID, you get to

choose who managesyour identity.

(you can even change your mind later)


11/69

"This is a geek's toy,

nobody will ever havean OpenID!"


12/69

~90 million OpenIDs(includingeveryAOL user)

OpenID 1.1 - Estimated from various services


13/69

"Nobody will ever use this!"


14/69

Total Relying Parties

0

625

1,250

1,875

2,500

Sep'05 Oc

tNo

vDe

cJan

'06 Feb Mar

Apr

May

June July Au

gSep Oc

tNo

vDe

cJan

'07 Feb Mar

Apr17th

(aka places you can use this stuff)

Sxip/

Bounty

Webca

sts/IIW

IIW IIW

OpenID 1.1 - As viewed by MyOpenID.com

MSFT

&AO

L


15/69

"So that's great there

are so many blogs, butwhat about something

real?"


16/69


17/69


18/69
http://upload.wikimedia.org/wikipedia/en/f/f6/AOL_logo.png


19/69
http://upload.wikimedia.org/wikipedia/en/f/f6/AOL_logo.pnghttp://upload.wikimedia.org/wikipedia/en/f/f6/AOL_logo.png


20/69

"What's the big deal?"


21/69

OpenID is anotherimportant building

block.


22/69

"Why should we add

OpenID to our featurelist?"


23/69

Simon Willison - FOWA 02/07


24/69

TechCrunch and other blogs link to dozens of new

startups each week...readers aren't going to make newaccounts for every single one



25/69



Creates ability to email a friend saying, "I've added you

as an author to the blog I setup for our band"



26/69





Site specific hacks..."Login with your AOL OpenID andwe'll send you updates over AIM"



27/69





Site specific hacks..."Login with your AOL OpenID andwe'll send you updates over AIM"

If you're not managing passwords, you don't need tobuild as complex user management systems



28/69

How does it work?(protocol and flow)


29/69

Basic Terminology

OpenID Provider (OP) - Site that makesassertions about an OpenID

Relying Party (RP) - Site that wants to

verify ownership of an OpenID


30/69

Using OpenID


31/69

OpenID Enabling Your Own URL


32/69

Creating an OpenID withyour own server


33/69


34/69

* *************************************************************************** ** CONFIGURATION* *************************************************************************** ** You must change these values:* auth_username = login name* auth_password = md5(username:realm:password)** Default username = 'test', password = 'test', realm = 'phpMyID'*/

#$profile = array(# 'auth_username' => 'test',# 'auth_password' => '37fa04faebe5249023ed1f6cc867329b'#);

/** Optional - Simple Registration Extension:

** If you would like to add any of the following optional registration* parameters to your login profile, simply uncomment the line, and enter the* correct values.** Details on the exact allowed values for these paramters can be found at:* http://openid.net/specs/openid-simple-registration-extension-1_0.html*/

#$sreg = array (# 'nickname' => 'Joe',# 'email' => '[email protected]',# 'fullname' => 'Joe Example',# 'dob' => '1970-10-31',# 'gender' => 'M',# 'postcode' => '22000',# 'country' => 'US',# 'language' => 'en',# 'timezone' => 'America/New_York'

#);
mailto:[email protected]:[email protected]://openid.net/specs/openid-simple-registration-extension-1_0.htmlhttp://openid.net/specs/openid-simple-registration-extension-1_0.html


35/69

Hash My Password


36/69

* *************************************************************************** ** CONFIGURATION* *************************************************************************** ** You must change these values:* auth_username = login name* auth_password = md5(username:realm:password)** Default username = 'test', password = 'test', realm = 'phpMyID'*/

$profile = array('auth_username' => 'david','auth_password' => 'e0fee9a99fa2fe004bbd70b972a03aa1'

);



#$sreg = array (# 'nickname' => 'Joe',# 'email' => '[email protected]',# 'fullname' => 'Joe Example',# 'dob' => '1970-10-31',# 'gender' => 'M',# 'postcode' => '22000',# 'country' => 'US',# 'language' => 'en',# 'timezone' => 'America/New_York'

#);


37/69

$profile = array('auth_username' => 'david','auth_password' => 'e0fee9a99fa2fe004bbd70b972a03aa1'

);



$sreg = array ('nickname' => 'daveman692','email' => '[email protected]','fullname' => 'David Recordon','dob' => '1986-09-04','gender' => 'M','postcode' => '941458','country' => 'US','language' => 'en','timezone' => 'America/Los_Angeles'

);

Configure Profile Data


38/69

Upload


39/69

Configure Delegation

David Recordondiv {

text-align: center;color: #C0C0C0;

}img {

border: 0px;}

a {color: #C0C0C0;

}

(source of www.davidrecordon.com)
https://pip.verisignlabs.com/serverhttps://pip.verisignlabs.com/serverhttps://pip.verisignlabs.com/serverhttps://pip.verisignlabs.com/serverhttp://www.w3.org/1999/xhtmlhttp://www.w3.org/1999/xhtml


40/69

Done!

Time to configure and upload phpMyID:


41/69

http://cal.web2expo.com/

Existing users: Sign in and click the the "add OpenID"link at the top right

New users: Click "login" and sign in with your OpenID,

skipping the signup process :)

OpenID Enabling ExpoCal


42/69

Tools Used

iCalicio by Kellan Elliot-McCrea and EvanHenshaw-Plath

Ruby and Rails

gem install ruby-openid


43/69

ExpoCal User Model

Stores login name and hashed password

We need to add an optional OpenID column

1classAddOpenId < ActiveRecord::Migration2 defself.up

3 add_column :users, :openid, :string4 add_index :users, [:openid], :name => :users_openid_index

5 end67 defself.down8 remove_column :users, :openid9 end10end


44/69

Using the OpenID Library

1defconsumer2 store_dir = Pathname.new(RAILS_ROOT).join('db').join('openid-store')3 store = OpenID::FilesystemStore.new(store_dir)4 returnOpenID::Consumer.new(session, store)5end

FilesystemStore saved OpenID transaction stateOpenID::Consumer handles the protocol details


45/69

1Or, login with OpenID

2 'account', :action => 'openid_start') %>3

OpenID
4
5 6
Add OpenID UI


46/69

Handle Login Form Submit1defopenid_start

2 openid_request = consumer.begin(params[:openid_identifier])34 case openid_request.status5 whenOpenID::SUCCESS

6 return_to = url_for(:action => 'openid_finish') 7 trust_root = url_for(:controller => '') 8 server_redirect_url = openid_request.redirect_url(trust_root, return_to)

9 redirect_to(server_redirect_url)1011 whenOpenID::FAILURE12 flash[:notice] = "Could not find your OpenID server."13 redirect_back_or_default(:controller => '/account', :action => 'index')1415 end16end

(well handle the server response at the return_to URL)

1. Discover2.Associate3. Redirect


47/69

Redirect to OpenID Provider


48/69

Handle Server Response1defopenid_finish

2 openid_response = consumer.complete(params)34 case openid_response.status5 whenOpenID::SUCCESS6 openid = openid_response.identity_url

7 @user = User.find_by_openid(openid)

89 unless @user

10 @user = User.create(:openid => openid, :login => openid)11 end

12 self.current_user = @user13 flash[:notice] = "Welcome #{@user.openid}"1415 whenOpenID::FAILURE

16 flash[:notice] = 'Verification failed.'17 end1819 redirect_back_or_default(:controller => 'talk', :action => 'list')20end


49/69

Done!

Time to implement OpenID in iCalico:45 minutes

http://cal.web2expo.com/
http://cal.web2expo.com/http://cal.web2expo.com/


50/69

"So this all looks great,

but what are thedownsides?"


51/69

More kittens!

Kitten Overload!



52/69

Kitten Overload!

FAKE


More kittens!


53/69

Identity theft!:'(

Kitten Overload!

FAKE



54/69

You could just remove passwords

Cl S d C


55/69

Client Side Certs

Mi f C dS


56/69

Microsoft CardSpace

(UI for certs)

Vid


57/69

Vidoop

(changing the metaphor)


58/69

...but passwords are stillwidely used


59/69

VeriSign's OpenID Seatbelt(demoing today)


60/69


61/69


62/69


63/69


64/69

OpenID is great for innovation!(authentication method is up to the provider and user)


65/69

"I don't wantjust one

identity...I mean I don'twant my boss to know

I'm a furry!"


66/69

Well you don't wear yourfurry suit to work do you?


67/69

So use multiple OpenIDs!(you already do this with email addresses today)


68/69

Go code!(and join the conversation at OpenID.net)


69/69

Thanks!

David [email protected]

(and don't forget to grab a CD)

Brian [email protected]
mailto:[email protected]:[email protected]:[email protected]:[email protected]

Documents

2007 Web2Expo Implementing OpenID