OpenID Authentication by example
BPW2007, chrisv.cpan.org
(introductory slides: thanks to Simon Willison)
Saturday 27 October 2007
usernames & passwords suck
signing up for new accounts is a pain
my online identity exists in multiple
(hard to manage) places
user database theft
password/cc info theft
too many passwords, too many userids
we need single sign-on
unified, trusted identity
OpenID is a decentralized
mechanism for single sign-on
OpenID is a URL
http://vertonghen.livejournal.com
http://vertonghen.myopenid.com
http://chris.vertonghen.org
The OpenID protocol lets you prove that you
own a specific URL
An OpenID can be used as an
authentication credential
Site: “Who are you?”
Me: “I’m chris.vertonghen.org”
Site: “Prove it”
(some magic happens)
Site: “ok you’re in!”
Picking an OpenID is like picking an email
provider - you find one that you trust
If you have the ability to run your own server
software, you can do so yourself
(demo) http://www.wooblelab.com/
So my users don’t
have to sign up for an account?
Not necessarily
An OpenID tells you
very little about a user
You don’t know
their name
You don’t know
their e-mail address
You don’t know
if they’re a person
or an evil robot
You have to ask them!
OpenID can help them answer
(demo) http://www.welovelocal.com/
So how does OpenID work?
Use multiple OpenIDs to maintain multiple online
personas
professional
social
secret
...
OpenID and web service APIs naturally
complement each other
Me: “I’m vertonghen.myopenid.com”
Site fetches HTML,
discovers identity provider
Establishes shared secret
with identity provider
(Using Diffie-Hellman key exchange)
Redirects you to the identity provider
when you’re logged in there, you get redirected back
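The "magic" of the four slides above (discover the provider, agree a shared secret with Diffie-Hellman, redirect, come back with an assertion), worked through as an added example that is not from the talk and not Net::OpenID::Consumer's code. It is a Python simulation of the OpenID 1.1 DH-SHA1 association and checkid_setup exchange with both sides in one process: the consumer (the site) and the provider derive the same HMAC-SHA1 key from the DH secret, the consumer builds the redirect carrying its trust_root and assoc_handle, the provider signs the positive assertion with the key stored under that handle, and the consumer verifies the signature before believing the identity. The provider endpoint http://provider.example/server, the return_to path /openid-check and the handle format are constructed placeholders; how the provider authenticates the user is skipped, since the talk points out that OpenID leaves that to the provider. The DH modulus is the 1024-bit default from the OpenID spec (the simulation works the same with any agreed prime).

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Default Diffie-Hellman modulus (1024-bit prime) and generator from the OpenID spec.
DH_MOD = 155172898181473697471232257763715539915724801966915404479707795314057629378541917580651227423698188993727816152646631438561595825688188889951272158842675419950341258706556549803580104870537681476726513255747040765857479291291572334510643245094715007229621094194349783925984760375594985848253359305585439638443
DH_GEN = 2


def btwoc(n):
    """Big-endian two's-complement bytes of a non-negative int (OpenID's 'btwoc')."""
    b = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    return b"\x00" + b if b[0] & 0x80 else b


def b64(b): return base64.b64encode(b).decode()
def unb64(s): return base64.b64decode(s)
def xor(a, b): return bytes(x ^ y for x, y in zip(a, b))


def sign(mac_key, fields, signed):
    """OpenID 1.1 signature: HMAC-SHA1 over 'key:value\\n' lines in openid.signed order."""
    kv = "".join("%s:%s\n" % (f, fields[f]) for f in signed).encode()
    return hmac.new(mac_key, kv, hashlib.sha1).digest()


class Provider:
    """Identity provider side. The endpoint URL is a constructed placeholder."""
    def __init__(self, endpoint="http://provider.example/server"):
        self.endpoint = endpoint
        self.assocs = {}                                  # assoc_handle -> MAC key

    def associate(self, req):
        """Slide 42: DH-SHA1 association; req/response are openid key/value sets."""
        consumer_pub = int.from_bytes(unb64(req["openid.dh_consumer_public"]), "big")
        y = secrets.randbelow(DH_MOD - 2) + 1
        shared = pow(consumer_pub, y, DH_MOD)
        mac_key = secrets.token_bytes(20)                 # the secret both sides will HMAC with
        handle = "assoc-" + secrets.token_hex(4)          # constructed handle format
        self.assocs[handle] = mac_key
        return {"assoc_handle": handle, "assoc_type": "HMAC-SHA1", "session_type": "DH-SHA1",
                "dh_server_public": b64(btwoc(pow(DH_GEN, y, DH_MOD))),
                "enc_mac_key": b64(xor(hashlib.sha1(btwoc(shared)).digest(), mac_key))}

    def checkid_setup(self, redirect_url):
        """Slides 43-44: the browser arrives here, the user authenticates (skipped),
        and is sent back to return_to with a signed positive assertion appended."""
        q = {k: v[0] for k, v in parse_qs(urlparse(redirect_url).query).items()}
        mac_key = self.assocs[q["openid.assoc_handle"]]
        fields = {"mode": "id_res", "identity": q["openid.identity"],
                  "return_to": q["openid.return_to"], "assoc_handle": q["openid.assoc_handle"]}
        signed = ["mode", "identity", "return_to", "assoc_handle"]
        resp = {"openid." + k: v for k, v in fields.items()}
        resp["openid.signed"] = ",".join(signed)
        resp["openid.sig"] = b64(sign(mac_key, fields, signed))
        sep = "&" if "?" in fields["return_to"] else "?"
        return fields["return_to"] + sep + urlencode(resp)


class Consumer:
    """Relying-site side (the part Net::OpenID::Consumer does for you)."""
    def __init__(self, trust_root):
        self.trust_root = trust_root
        self.assocs = {}                                  # (endpoint, handle) -> MAC key

    def associate(self, provider):
        x = secrets.randbelow(DH_MOD - 2) + 1
        resp = provider.associate({"openid.mode": "associate", "openid.assoc_type": "HMAC-SHA1",
                                   "openid.session_type": "DH-SHA1",
                                   "openid.dh_consumer_public": b64(btwoc(pow(DH_GEN, x, DH_MOD)))})
        server_pub = int.from_bytes(unb64(resp["dh_server_public"]), "big")
        shared = pow(server_pub, x, DH_MOD)
        mac_key = xor(hashlib.sha1(btwoc(shared)).digest(), unb64(resp["enc_mac_key"]))
        self.assocs[(provider.endpoint, resp["assoc_handle"])] = mac_key
        return resp["assoc_handle"]

    def check_url(self, provider, handle, identity, return_to):
        """Slide 43: the URL the browser is redirected to."""
        return provider.endpoint + "?" + urlencode({
            "openid.mode": "checkid_setup", "openid.identity": identity,
            "openid.return_to": return_to, "openid.trust_root": self.trust_root,
            "openid.assoc_handle": handle})

    def verified_identity(self, provider_endpoint, returned_url):
        """Slide 44: returns the identity URL, or None if the assertion is missing,
        signed with an unknown key, incompletely signed, tampered with, or for another site."""
        q = {k: v[0] for k, v in parse_qs(urlparse(returned_url).query).items()}
        if q.get("openid.mode") != "id_res":
            return None
        mac_key = self.assocs.get((provider_endpoint, q.get("openid.assoc_handle")))
        signed = q.get("openid.signed", "").split(",")
        # mode, identity and return_to must all be under the signature, else they could be swapped
        if mac_key is None or not {"mode", "identity", "return_to"} <= set(signed):
            return None
        fields = {f: q.get("openid." + f, "") for f in signed}
        if not hmac.compare_digest(sign(mac_key, fields, signed), unb64(q.get("openid.sig", ""))):
            return None
        if not fields["return_to"].startswith(self.trust_root):
            return None                                   # assertion meant for a different site
        return fields["identity"]


def run_login(tamper=False):
    """One complete login; with tamper=True the identity is altered on the way back."""
    provider, consumer = Provider(), Consumer(trust_root="http://chris.vertonghen.org/")
    handle = consumer.associate(provider)                                        # slide 42
    url = consumer.check_url(provider, handle, "http://vertonghen.myopenid.com/",
                             "http://chris.vertonghen.org/openid-check?return=true")  # slide 43
    back = provider.checkid_setup(url)                                           # user logs in there
    if tamper:
        back = back.replace("vertonghen.myopenid.com", "someone-else.myopenid.com")
    return consumer.verified_identity(provider.endpoint, back)                   # slide 44
```

`run_login()` returns the verified URL; `run_login(tamper=True)` returns None because the HMAC no longer matches, which is the whole reason the site never trusts the `openid.identity` parameter before `verified_identity` has checked the signature and the return_to against its own root.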
How does my identity
provider know who I am?
OpenID deliberately doesn’t specify
username/password
is common
But providers can use other methods if
they want to
Client SSL certificates
Out of band authentication via SMS,
e-mail or Jabber
No authentication at all (just say “Yes”)
(which is the OpenID version of bugmenot.com)
What if I decide I
suddenly hate my provider?
Use your own
domain name
and delegate to a provider you trust
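Slide 41 ("site fetches HTML, discovers identity provider") and the two slides above (your own domain name, delegating to a provider you trust) come down to the same HTML: a Python example, added here and not part of the talk or of Net::OpenID::Consumer, that normalises what the user typed into a URL and reads the openid.server / openid.delegate link tags (or their OpenID 2.0 equivalents openid2.provider / openid2.local_id) from the fetched page. The page content is a constructed sample embedded in the code, and the endpoint http://provider.example/server is a placeholder; the network fetch itself (which Net::OpenID::Consumer does through LWPx::ParanoidAgent) is left out so the example runs offline.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse, urlunparse

# Constructed sample of what http://chris.vertonghen.org/ could serve in order to
# delegate to an account at a provider.  The endpoint URL is a placeholder.
DELEGATING_PAGE = """<html><head>
  <title>Chris</title>
  <link rel="openid.server" href="http://provider.example/server">
  <link rel="openid.delegate" href="http://vertonghen.myopenid.com/">
</head><body>
  <!-- a link tag outside <head> does not count for discovery -->
  <link rel="openid.server" href="http://elsewhere.example/server">
</body></html>"""

PLAIN_PAGE = "<html><head><title>no OpenID here</title></head><body></body></html>"


def normalize_identifier(user_input):
    """Turn what the user typed ("bradfitz.com") into the URL that will be fetched."""
    s = user_input.strip()
    if "://" not in s:
        s = "http://" + s
    u = urlparse(s)
    if u.scheme not in ("http", "https") or not u.hostname:
        raise ValueError("OpenID identifiers must be http(s) URLs: %r" % user_input)
    # lowercase scheme and host, default the path to "/", drop any fragment
    return urlunparse((u.scheme, u.netloc.lower(), u.path or "/", u.params, u.query, ""))


class _HeadLinks(HTMLParser):
    """Collect <link rel=... href=...> tags that appear inside <head>."""
    def __init__(self):
        super().__init__()
        self.links = {}            # rel token -> first href seen for it
        self.in_head = False

    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self.in_head = True
        elif tag == "link" and self.in_head:
            a = dict(attrs)
            for rel in (a.get("rel") or "").lower().split():   # rel may hold several tokens
                self.links.setdefault(rel, a.get("href"))

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False


def discover(claimed_id, html):
    """Given the claimed URL and the HTML fetched from it, return the server endpoint
    and the identity to present there (the delegate, if any), or None if the page
    carries no OpenID links."""
    parser = _HeadLinks()
    parser.feed(html)
    links = parser.links
    if "openid2.provider" in links:
        return {"version": "2.0", "claimed_id": claimed_id,
                "endpoint": links["openid2.provider"],
                "local_id": links.get("openid2.local_id", claimed_id)}
    if "openid.server" in links:
        return {"version": "1.1", "claimed_id": claimed_id,
                "endpoint": links["openid.server"],
                "local_id": links.get("openid.delegate", claimed_id)}
    return None


if __name__ == "__main__":
    cid = normalize_identifier("chris.vertonghen.org")
    print(discover(cid, DELEGATING_PAGE))
    print(discover(cid, PLAIN_PAGE))
```

The site keeps `claimed_id` as the user's identity and uses `local_id` only when talking to the endpoint, which is what lets the user switch providers later by editing two link tags on their own page without their identity at the site changing.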
perl OpenID client
Net::OpenID::Consumer by Brad Fitzpatrick (of course)
use strict;
use warnings;
use Net::OpenID::Consumer;
use LWPx::ParanoidAgent;          # an LWP agent that refuses to fetch private/internal addresses
use URI::Escape qw(uri_escape);   # used below in place of Mason's apply_escapes

# supplied by the surrounding Mason component: the CGI object, the Mason
# request object, and the site's secret
our ($cgi, $m, $consumer_secret);

my $csr = Net::OpenID::Consumer->new(
    ua              => LWPx::ParanoidAgent->new,
    cache           => Some::Cache->new,     # any object with get/set methods
    args            => $cgi,                 # the CGI.pm object for this request
    consumer_secret => $consumer_secret,     # a long random string (value elided on the slide)
    required_root   => "http://chris.vertonghen.org/",
);

my $return = $cgi->param('return');          # set on the way back from the identity server
my $hurl   = $cgi->param('hurl') || '/';     # where to send the user afterwards

unless ($return) {
    # a user entered, say, "bradfitz.com" as their identity. The first
    # step is to fetch that page, parse it, and get a
    # Net::OpenID::ClaimedIdentity object:
    my $identity         = "bradfitz.com";
    my $claimed_identity = $csr->claimed_identity($identity)
        or die "no OpenID server found for $identity: " . $csr->err;

    # now your app has to send them to their identity server's endpoint
    # to get redirected to either a positive assertion that they own
    # that identity, or where they need to go to login/setup trust/etc.
    my $script_name = "http://" . $ENV{'HTTP_HOST'} . $ENV{'SCRIPT_NAME'};
    my $check_url   = $claimed_identity->check_url(
        return_to  => $script_name . "?return=true&hurl=" . uri_escape($hurl)
                    . "&oid=" . uri_escape($identity),
        trust_root => "http://chris.vertonghen.org/",
    );
    print $m->redirect($check_url);
}
else {
    # so you sent the user off there, and then they come back to
    # openid-check.mhtml; then you see what the identity server said:
    if ( my $setup_url = $csr->user_setup_url ) {
        # the server wants the user to log in / approve this trust_root first
        print $m->redirect($setup_url);
    }
    elsif ( my $verify_identity = $csr->verified_identity ) {
        # signature checked against the shared secret and return_to checked
        # against required_root: this URL can now be stored as the user's id
        my $verified_url = $verify_identity->url;
        print 'Congratulations, your identity has been verified.<BR><BR>';
    }
    elsif ( $csr->user_cancel ) {
        $m->redirect('http://chris.vertonghen.org/auth.html');   # use the file name of the login page
    }
    else {
        print "<BR><h1>Validation Error</h1>";
        print 'There was an error in validating your identity. The error was ',
              $csr->err,
              "<BR><BR>Please <a href=\"javascript: history.go(-1);\">go back and try again</a>.<BR><BR>";
    }
}
Thank you.
Questions?