OpenID, OAuth and Webservices

Posted on 14-Jan-2015


DESCRIPTION

This presentation was given at Web Directions South in 2008. It is a developer's guide to building sites using OpenID, OAuth and webservices - no code, but enough to point you in the right direction.

TRANSCRIPT

OpenID, OAuth and Webservices

A developer's guide

Web Directions 2008 - Myles Eftos

Our lives in digits

So many web apps - so many usernames, so many passwords

How do we access our data?

How can we do that safely?

How can we do it easily?

Meet Jim

Uses Twitter, Gmail, Digg, Newsgator, LinkedIn + many more

His housemate finds his username and password

Hilarity ensues

OpenID to the rescue!

There are consumers, and there are providers

Everyone gets a URL

Magic happens…

Step 1

User enters their OpenID URL

Step 2

Consumer discovers link tags for delegation

<link rel="openid.server" href="http://my.openid.server">
<link rel="openid.delegate" href="http://madpilot.openid.server">

Step 3

Consumer redirects to the Provider login screen

openid.mode = checkid_setup
openid.identity = http://myid.openid.com
openid.return_to = http://www.consumer.com?rp_nonce=[RANDOM]
openid.trust_root = http://www.consumer.com

Step 4

User enters credentials

Step 5

Provider redirects to Consumer with return_to parameters

openid.mode = id_res
openid.return_to = http://www.consumer.com?rp_nonce=[RANDOM]
openid.identity = http://madpilot.openid.com
openid.signed = mode,identity,return_to
openid.assoc_handle = [some hash]
openid.sig = [Base64 encoded HMAC signature]

Step 6

Consumer POSTs back to validate what was returned

openid.mode = check_authentication
openid.signed = mode,identity,return_to
openid.assoc_handle = [same hash as before]
openid.sig = [same Base64 encoded HMAC signature as before]
openid.return_to = http://www.consumer.com?rp_nonce=[RANDOM]
openid.identity = http://madpilot.openid.com

Step 7

If the returned values look ok the Provider returns is_valid:true

is_valid:true
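The signature check behind steps 5 to 7, as an added example that is not part of the talk: it implements the OpenID 1.1 signing rule (HMAC-SHA1 over `name:value\n` for each name listed in openid.signed, base64 encoded) for both the "smart" case, where the Consumer holds the association secret and checks locally, and the "dumb" case, where it POSTs the response back as check_authentication. The association handle, secret, identity URLs and the rp_nonce value are constructed; the nonce is what stops a captured response from being replayed.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlparse

# Constructed values: one association shared by Provider and Consumer, and the
# return_to URL the Consumer sent in step 3 (the nonce makes it single-use).
ASSOC_HANDLE = "assoc-example-1"
ASSOC_SECRET = b"constructed-shared-secret"
RETURN_TO = "http://www.consumer.com/?rp_nonce=abc123"

provider_associations = {ASSOC_HANDLE: ASSOC_SECRET}  # Provider-side state
consumer_pending_nonces = {"abc123"}                   # Consumer-side state


def message_to_sign(fields):
    # OpenID 1.1: "name:value\n" for each name in openid.signed, in that order,
    # with the "openid." prefix stripped from the name.
    names = fields.get("openid.signed", "").split(",")
    return "".join(f"{n}:{fields.get('openid.' + n, '')}\n" for n in names).encode()


def compute_sig(fields, secret):
    mac = hmac.new(secret, message_to_sign(fields), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()


def provider_response(identity, return_to):
    """Step 5: the Provider builds and signs the id_res redirect parameters."""
    fields = {
        "openid.mode": "id_res",
        "openid.identity": identity,
        "openid.return_to": return_to,
        "openid.signed": "mode,identity,return_to",
        "openid.assoc_handle": ASSOC_HANDLE,
    }
    fields["openid.sig"] = compute_sig(fields, provider_associations[ASSOC_HANDLE])
    return fields


def consume_nonce(return_to):
    # A signed response is accepted once: the nonce in return_to is removed
    # from the pending set, so a replayed copy of the same response fails here.
    nonce = parse_qs(urlparse(return_to).query).get("rp_nonce", [None])[0]
    if nonce in consumer_pending_nonces:
        consumer_pending_nonces.discard(nonce)
        return True
    return False


def consumer_verify_smart(fields, secret):
    """Smart mode: the Consumer has the association secret and checks locally."""
    if fields.get("openid.mode") != "id_res":
        return False
    signed = set(fields.get("openid.signed", "").split(","))
    if not {"mode", "identity", "return_to"} <= signed:
        return False  # every field we rely on must be under the signature
    if not fields.get("openid.return_to", "").startswith("http://www.consumer.com/"):
        return False  # response must come back to our own trust root
    if not hmac.compare_digest(compute_sig(fields, secret), fields.get("openid.sig", "")):
        return False
    return consume_nonce(fields["openid.return_to"])


def provider_check_authentication(fields):
    """Dumb mode (steps 6 and 7): the Provider re-signs the posted fields as if
    openid.mode were id_res and answers in key:value form."""
    if fields.get("openid.mode") != "check_authentication":
        return "is_valid:false\n"
    secret = provider_associations.get(fields.get("openid.assoc_handle"))
    if secret is None:
        return "is_valid:false\n"
    as_sent = dict(fields, **{"openid.mode": "id_res"})
    ok = hmac.compare_digest(compute_sig(as_sent, secret), fields.get("openid.sig", ""))
    return "is_valid:true\n" if ok else "is_valid:false\n"


def dumb_mode_roundtrip(tamper=False):
    """Steps 5 to 7 end to end; with tamper=True the identity is altered
    after signing, which the check_authentication step must reject."""
    resp = provider_response("http://madpilot.openid.com", RETURN_TO)
    if tamper:
        resp["openid.identity"] = "http://someone-else.openid.com"
    post = dict(resp, **{"openid.mode": "check_authentication"})
    return provider_check_authentication(post)
```

The Consumer must check that the fields it acts on (identity, return_to) are named in openid.signed; a response that signs only the mode would still carry a valid signature.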

And again with passion

Dumb mode has lots of redirects

Not-dumb mode asynchronously (AJAX) gets an immediate answer

If the user is logged in, the user can continue

If not, decide what to do (authenticate would be a good idea)

Simple Registration

SREG to its friends

Send your favourite parameters

Pull nickname, email, date of birth, gender, country, language, time zone

Consumer can request required and optional parameters

I want my data!

Data in the cloud is cool

Backups, hardware upgrades – someone else’s problem

Vendor lock-in is the suck

Web services are the awesome

REST vs SOAP

The world needs more religious wars

Both run over HTTP

Both use XML*

Remote Procedure Pattern vs. Resource Pattern

* REST doesn’t really care…

SOAP: Why no one uses it

In theory it rocks.

Has a description language (WSDL)

It is verbose

Perhaps something more ideological?

REST: The web for computers

The web is based on resources

Type in a URL: GET that resource

Submit a form: POST to that resource

Forgotten verbs: PUT and DELETE

One end point to rule them all

OK, maybe two

/companies.xml     GET     Returns all companies
/companies.xml     POST    Creates a new company
/companies/1.xml   GET     Returns the company with id=1
/companies/1.xml   PUT     Updates the company with id=1
/companies/1.xml   DELETE  Deletes the company with id=1

HTTP/1.1 101

HTTP does a lot of stuff


Status codes

200 OK!

201 Created

301 Moved Permanently

400 Bad Request

401 Authorization Required

403 Forbidden

404 Not Found

405 Not allowed

410 Gone

422 Invalid Entity

500 Server Error

503 Server Unavailable


Headers and modifiers

If-Modified-Since

If-Unmodified-Since

If-Match

If-None-Match

If-Range
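The two endpoints, the status codes and the conditional headers together, as an added example that is not from the talk: a small in-process router for /companies.xml and /companies/1.xml that answers with the codes listed above and uses ETag with If-None-Match (304 for a fresh cached copy) and If-Match (412 Precondition Failed when a PUT would overwrite a version the client never read). The store, the company data and the XML shape are constructed.

```python
import hashlib
import re

# Constructed in-memory store standing in for the CRM's database.
companies = {1: {"name": "MadPilot"}}
deleted = set()
next_id = 2

COLLECTION = "/companies.xml"
MEMBER = re.compile(r"^/companies/(\d+)\.xml$")


def to_xml(cid, company):
    return f'<company id="{cid}"><name>{company["name"]}</name></company>'


def etag_for(cid, company):
    # Strong validator derived from the representation: changes on every update.
    digest = hashlib.sha256(to_xml(cid, company).encode()).hexdigest()[:16]
    return f'"{digest}"'


def handle(method, path, headers=None, body=None):
    """Dispatch one request; returns (status, response_headers, body)."""
    global next_id
    headers, body = headers or {}, body or {}

    if path == COLLECTION:
        if method == "GET":
            rows = "".join(to_xml(c, v) for c, v in sorted(companies.items()))
            return 200, {}, f"<companies>{rows}</companies>"
        if method == "POST":
            if not body.get("name"):
                return 422, {}, "<error>name is required</error>"
            cid, next_id = next_id, next_id + 1
            companies[cid] = {"name": body["name"]}
            loc = f"/companies/{cid}.xml"
            return 201, {"Location": loc, "ETag": etag_for(cid, companies[cid])}, to_xml(cid, companies[cid])
        return 405, {"Allow": "GET, POST"}, ""

    m = MEMBER.match(path)
    if not m:
        return 404, {}, ""
    cid = int(m.group(1))
    if cid in deleted:
        return 410, {}, ""  # existed once, gone for good: clients can drop it
    if cid not in companies:
        return 404, {}, ""
    current = etag_for(cid, companies[cid])

    if method == "GET":
        if headers.get("If-None-Match") == current:
            return 304, {"ETag": current}, ""  # the client's cached copy is still fresh
        return 200, {"ETag": current}, to_xml(cid, companies[cid])
    if method == "PUT":
        # If-Match guards against the lost update: a client may only overwrite
        # the version it actually read, otherwise 412 Precondition Failed.
        if "If-Match" in headers and headers["If-Match"] != current:
            return 412, {"ETag": current}, ""
        if not body.get("name"):
            return 422, {}, "<error>name is required</error>"
        companies[cid] = {"name": body["name"]}
        return 200, {"ETag": etag_for(cid, companies[cid])}, to_xml(cid, companies[cid])
    if method == "DELETE":
        del companies[cid]
        deleted.add(cid)
        return 200, {}, ""
    return 405, {"Allow": "GET, PUT, DELETE"}, ""
```

A 405 response carries an Allow header so the client learns which verbs the resource does accept; a 410 tells a client that has the id cached that it can stop retrying.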

Communism doesn’t work

You don’t want any old person changing stuff

401 Authorization Required

Still needs a password though – a pure OpenID implementation is out

Anti-password pattern alert!

Check up on Jim

Signs up to a new Web 2.0 CRM

Offers to copy contacts from Gmail

Requires your Gmail username and password… Sounds phishy

Bloody OAuth it is…

OAuth is a machine authorisation protocol

Like a Valet Key

Give permission for a system to access your account

…or take away permission

Again, there are Providers and there are Consumers

Step 1

User wants to access their photos from another service

Step 2

Consumer sends a POST request to the request token URL at the Provider. It identifies itself using a shared secret key that was prepared earlier

Step 3

The Provider returns an unauthorised request token. The token is good for one use

Step 4

The Consumer redirects the user to the Authorisation URL of the Provider

Step 5

If the user hasn't logged in to the Provider service, they do so now on the Provider

You could use OpenID for this bit

Step 6

The Provider asks the user if they really want to let the Consumer have the photos

Step 7

The Provider redirects the user back to the Consumer and lets the Provider know that it can request an authorised token

Step 8

The Consumer requests an authorised token using the now authorised request token

Step 9

The Provider exchanges the request token for an access token. This token is good for a pre-determined period of time (maybe forever)

Step 10

The Consumer can now access the data using its access token

Step 11

The Provider sends the data if the access token checks out

Look ma – no passwords!

User never enters their password on the Consumer

The Consumer actually has its own password (the token)

The token can be revoked, stopping access
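The eleven steps and the revocation at the end, as an added example that is not from the talk: both sides of the exchange run in one process, with the Consumer signing every request using HMAC-SHA1 over the OAuth 1.0 signature base string (method, URL and sorted parameters, keyed by consumer secret and token secret) and the Provider verifying, issuing a single-use request token, swapping it for an access token, serving the photos and finally honouring a revoke. It adds the oauth_verifier check that OAuth 1.0a introduced the year after this talk. Consumer key and secret, the Provider URL, token values and Jim's photo list are all constructed.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import quote

# Constructed Consumer credentials: the "shared secret key prepared earlier".
CONSUMER_KEY, CONSUMER_SECRET = "crm-app", "constructed-consumer-secret"
PROVIDER = "http://photos.example"  # constructed Provider base URL


def enc(s):
    # RFC 3986 percent-encoding as OAuth 1.0 requires (only -._~ stay bare).
    return quote(str(s), safe="-._~")


def base_string(method, url, params):
    pairs = sorted((enc(k), enc(v)) for k, v in params.items() if k != "oauth_signature")
    return "&".join([method.upper(), enc(url), enc("&".join(f"{k}={v}" for k, v in pairs))])


def sign(method, url, params, consumer_secret, token_secret=""):
    key = f"{enc(consumer_secret)}&{enc(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()


def signed_request(method, url, extra, token="", token_secret=""):
    """Consumer side: a request with a fresh nonce and an HMAC-SHA1 signature."""
    params = {"oauth_consumer_key": CONSUMER_KEY, "oauth_nonce": secrets.token_hex(8),
              "oauth_signature_method": "HMAC-SHA1", "oauth_version": "1.0", **extra}
    if token:
        params["oauth_token"] = token
    params["oauth_signature"] = sign(method, url, params, CONSUMER_SECRET, token_secret)
    return params


class Provider:
    def __init__(self):
        self.consumers = {CONSUMER_KEY: CONSUMER_SECRET}
        self.request_tokens, self.access_tokens, self.seen_nonces = {}, {}, set()
        self.photos = {"jim": ["holiday.jpg", "cat.jpg"]}  # constructed user data

    def _verify(self, method, url, params, token_secret=""):
        secret = self.consumers.get(params.get("oauth_consumer_key"))
        nonce = (params.get("oauth_consumer_key"), params.get("oauth_nonce"))
        if secret is None or nonce in self.seen_nonces:
            return False  # unknown consumer, or a replayed request
        self.seen_nonces.add(nonce)
        expected = sign(method, url, params, secret, token_secret)
        return hmac.compare_digest(expected, params.get("oauth_signature", ""))

    def request_token(self, params):  # steps 2 and 3
        if not self._verify("POST", PROVIDER + "/oauth/request_token", params):
            return None
        token, secret = secrets.token_hex(8), secrets.token_hex(16)
        self.request_tokens[token] = {"secret": secret, "user": None, "verifier": None}
        return token, secret

    def authorize(self, token, user):  # steps 4 to 7: the user says yes on the Provider
        rt = self.request_tokens[token]
        rt["user"], rt["verifier"] = user, secrets.token_hex(4)
        return rt["verifier"]  # oauth_verifier, added in OAuth 1.0a

    def access_token(self, params):  # steps 8 and 9
        rt = self.request_tokens.get(params.get("oauth_token"))
        if rt is None or rt["user"] is None:
            return None
        if not self._verify("POST", PROVIDER + "/oauth/access_token", params, rt["secret"]):
            return None
        if not hmac.compare_digest(rt["verifier"], params.get("oauth_verifier", "")):
            return None
        del self.request_tokens[params["oauth_token"]]  # request token is single use
        token, secret = secrets.token_hex(8), secrets.token_hex(16)
        self.access_tokens[token] = {"secret": secret, "user": rt["user"]}
        return token, secret

    def get_photos(self, params):  # steps 10 and 11
        at = self.access_tokens.get(params.get("oauth_token"))
        if at is None or not self._verify("GET", PROVIDER + "/photos.xml", params, at["secret"]):
            return None
        return self.photos[at["user"]]

    def revoke(self, token):  # the user takes permission away
        self.access_tokens.pop(token, None)


def valet_key_flow():
    """Runs the whole dance for Jim and returns the photos before and after revoke."""
    p = Provider()
    rt, rts = p.request_token(signed_request("POST", PROVIDER + "/oauth/request_token", {}))
    verifier = p.authorize(rt, "jim")
    at, ats = p.access_token(signed_request("POST", PROVIDER + "/oauth/access_token",
                                            {"oauth_verifier": verifier}, rt, rts))
    before = p.get_photos(signed_request("GET", PROVIDER + "/photos.xml", {}, at, ats))
    p.revoke(at)
    after = p.get_photos(signed_request("GET", PROVIDER + "/photos.xml", {}, at, ats))
    return before, after
```

The Consumer never sees Jim's Provider password; what it holds is the access token and its secret, which the Provider can invalidate independently of the password. The nonce set is what a real Provider would pair with oauth_timestamp and expire, so it does not grow without bound.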

The Dark Side: OpenID

Phishing

DNS Spoofing

Not an AUTHORISATION system

Consumer has to trust the Provider

Doesn’t really work without a browser

The Dark Side: REST

No standard! (Lather, rinse, repeat)

No description language – requires more legwork

The Dark Side: OAuth

Doesn’t work so well without a browser

More complex/higher overhead than username/password

Doesn’t work with cURL

Yadis with egg and cheese

Service discovery protocol

OpenID is the only open, distributed authentication system (Surprised?)

XML RDF based

Allows Providers and Consumers to negotiate protocols


<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service>
      <Type>http://lid.netmesh.org/sso/2.0</Type>
    </Service>
    <Service>
      <Type>http://lid.netmesh.org/sso/1.0</Type>
    </Service>
  </XRD>
</xrds:XRDS>
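Discovery on the Consumer side, covering both the OpenID link tags from step 2 and the Yadis XRDS document above, as an added example that is not from the talk: it pulls openid.server and openid.delegate out of an HTML page, lists the services in an XRDS document in priority order (XRD priority: lower number wins, no priority sorts last) and picks the first one that speaks a protocol the Consumer supports. The two documents are constructed; the lid.example URIs and the priority attributes are assumptions added to show the negotiation.

```python
import xml.etree.ElementTree as ET
from html.parser import HTMLParser

XRD_NS = "xri://$xrd*($v*2.0)"

# Constructed documents a Consumer might fetch from the user's OpenID URL.
HTML_DOC = """<html><head>
<link rel="openid.server" href="http://my.openid.server">
<link rel="openid.delegate" href="http://madpilot.openid.server">
</head><body>hi</body></html>"""

XRDS_DOC = """<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
<XRD>
<Service priority="20"><Type>http://lid.netmesh.org/sso/1.0</Type><URI>http://lid.example/1.0</URI></Service>
<Service priority="10"><Type>http://lid.netmesh.org/sso/2.0</Type><URI>http://lid.example/2.0</URI></Service>
<Service><Type>http://openid.net/signon/1.1</Type><URI>http://my.openid.server</URI></Service>
</XRD>
</xrds:XRDS>"""


class LinkTags(HTMLParser):
    """Collects <link rel="openid.*" href="..."> from the <head>; first one wins."""

    def __init__(self):
        super().__init__()
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag == "link":
            a = dict(attrs)
            if a.get("rel", "").startswith("openid.") and a.get("href"):
                self.links.setdefault(a["rel"], a["href"])


def discover_html(doc):
    """OpenID 1.1 HTML discovery: the server, plus the delegate identity if any."""
    parser = LinkTags()
    parser.feed(doc)
    if "openid.server" not in parser.links:
        return None
    return {"server": parser.links["openid.server"],
            "delegate": parser.links.get("openid.delegate")}


def discover_xrds(doc):
    """Yadis: every Service in the XRDS, ordered by priority (lower is preferred)."""
    root = ET.fromstring(doc)
    services = []
    for svc in root.iter(f"{{{XRD_NS}}}Service"):
        types = [c.text for c in svc if c.tag == f"{{{XRD_NS}}}Type"]
        uris = [c.text for c in svc if c.tag == f"{{{XRD_NS}}}URI"]
        prio = svc.get("priority")
        rank = int(prio) if prio is not None else float("inf")
        services.append((rank, {"types": types, "uri": uris[0] if uris else None}))
    services.sort(key=lambda item: item[0])
    return [svc for _, svc in services]


def pick_service(services, supported):
    """Negotiation: the best-ranked service whose Type the Consumer can speak."""
    for svc in services:
        for proto in supported:
            if proto in svc["types"]:
                return proto, svc["uri"]
    return None
```

The Consumer should only ever talk to the endpoint it discovered from the user's own identifier; that is why the result pairs the chosen protocol with the URI the document advertised for it rather than a URI supplied by anyone else.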

You know what would be cool?

OpenID on your desktop

OpenID on your mobile

Webservice brokering system

File system integration

Your local libraries

OpenID: http://wiki.openid.net/Libraries

OAuth: http://oauth.net/code

In conclusion, Thank You

Question time starts… Now
