Page 1
http://andrea-chiodoni.myopenid.com/
Lugano, 16 March 2011
An introduction to OpenID and OAuth
Tuesday, 15 March 2011
Page 2
Agenda
• Why OpenID and OAuth.
• What is OpenID for users, engineers and developers.
• What is OAuth for users, engineers and developers.
• Conclusions.
Page 3
Why OpenID and OAuth
• Everyone is using more and more SaaS and the social web.
• There is a vast amount of data (and functionality) available.
• Web-based APIs are there to be used.
• It’s a great time to be a developer: you can take advantage of data and functionality available “in the cloud”.
Page 4
... great, but:
• too many identities!
• how to deal with authorization?
Page 5
<!-- Here we begin with OpenID --> <OpenID terminology="OpenID"><![CDATA[
Page 6
<!--.... for users...-->
Page 7
OpenID for users
• Sign in to multiple websites with one OpenID identity (from http://openid.net).
• Identities are URIs: http://andrea-chiodoni.myopenid.com/
• So, how can I get an OpenID?
  • google.com, yahoo.com, flickr.com, ...
  • myopenid.com, claimid.com, clavid.com, ...
  • http://en.wikipedia.org/wiki/List_of_OpenID_providers
• Just use it!
Page 8
<!--.... for engineers...-->
Page 9
OpenID for engineers
• OpenID is an identity technology (mainly a protocol).
• I’ll cover (mainly) OpenID 2.0 (December 2007).
• Authentication as a Service (AaaS) enabling Single Sign-on.
• Free and open:
  • A foundation (http://openid.net/foundation/) promotes, protects and nurtures the OpenID community and technologies.
  • Swiss OpenID community: http://www.openid.ch/en/
Page 10
OpenID for engineers
“Nobody should own this. Nobody’s planning on making any money from this. The goal is to release every part of this under the most liberal licenses possible, so there’s no money or licensing or registering required to play. It benefits the community as a whole if something like this exists, and we’re all a part of the community.”
Brad Fitzpatrick (Founder of LiveJournal weblog community and father of OpenID)
Page 11
OpenID for engineers
• Decentralised. No central authority must approve or register Relying Parties or OpenID Providers. An end user can freely choose which OpenID Provider to use, and can preserve their Identifier if they switch OpenID Providers.
• Attribute exchange: support for shorter registrations.
• No need for JavaScript (compare the SAML SSO Browser/POST profile).
• User-Supplied, Claimed and OP-Local Identifiers.
• OpenID discovery protocol: XRI, XRDS and Yadis.
Page 12
OpenID for engineers
OpenID Authentication protocol 2.0 (http://openid.net/developers/specs/)
Parties: User-agent, Relying Party, OpenID Provider
(1) Initiation: HTTP POST openid_identifier (User-agent to Relying Party)
(2) Normalization, discovery of the OP endpoint (Relying Party)
(3) Association (Relying Party with OpenID Provider)
(4) Authentication request: HTTP 302 (Relying Party redirects the User-agent to the OpenID Provider)
(5) Authentication (user at the OpenID Provider)
(6) Authentication response: HTTP 302 + Assertion [positive, negative] (OpenID Provider redirects the User-agent back to the Relying Party)
(7) Verification (Relying Party)
Page 13
OpenID for real engineers
(4) Authentication request: HTTP 302 (URL decoded)
http://www.myopenid.com/server?
openid.ns=http://specs.openid.net/auth/2.0
&openid.claimed_id=http://andrea.chiodoni.myopenid.com/
&openid.identity=http://andrea.chiodoni.myopenid.com/
&openid.return_to=http://localhost:7070/postcards/j_spring_openid_security_check
&openid.realm=http://localhost:8080/
&openid.assoc_handle={HMAC-SHA256}{4d63572b}{A2ZnQQ==}
&openid.mode=checkid_setup
&openid.ns.ext1=http://openid.net/srv/ax/1.0
&openid.ext1.mode=fetch_request
&openid.ext1.type.email=http://axschema.org/contact/email
&openid.ext1.type.firstName=http://axschema.org/namePerson/first
&openid.ext1.type.lastName=http://axschema.org/namePerson/last
&openid.ext1.type.email2=http://schema.openid.net/namePerson
&openid.ext1.type.fullName=http://schema.openid.net/contact/email
&openid.ext1.required=email,firstName,lastName,email2,fullName
Page 14
OpenID for real engineers
(6) Authentication response: HTTP 302 + Assertion (URL decoded)
http://localhost:7070/postcards/j_spring_openid_security_check?
openid.assoc_handle={HMAC-SHA256}{4d63572b}{A2ZnQQ==}
&openid.ax.count.email=0
&openid.ax.count.email2=1
&openid.ax.count.firstName=0
&openid.ax.count.fullName=1
&openid.ax.count.lastName=0
&openid.ax.mode=fetch_response
&openid.ax.type.email=http://axschema.org/contact/email
&openid.ax.type.email2=http://schema.openid.net/namePerson
&openid.ax.type.firstName=http://axschema.org/namePerson/first
&openid.ax.type.fullName=http://schema.openid.net/contact/email
&openid.ax.type.lastName=http://axschema.org/namePerson/last
&openid.ax.value.email2.1=Andrea Chiodonia.Myopenid.Com
&[email protected]
&openid.claimed_id=http://chiodonia.myopenid.com/
&openid.identity=http://chiodonia.myopenid.com/
&openid.mode=id_res
&openid.ns=http://specs.openid.net/auth/2.0
&openid.ns.ax=http://openid.net/srv/ax/1.0
&openid.op_endpoint=http://www.myopenid.com/server
&openid.response_nonce=2011-02-22T06:40:45ZVdy1vV
&openid.return_to=http://localhost:7070/postcards/j_spring_openid_security_check
&openid.sig=BpObOdfLDYjdjirp63yQeUU/kmCnvoui/Sxp1cx6AjI=
&openid.signed=assoc_handle,ax.count.email,ax.count.email2,ax.count.firstName,ax.count.fullName,ax.count.lastName,ax.mode,ax.type.email,ax.type.email2,ax.type.firstName,ax.type.fullName,ax.type.lastName,ax.value.email2.1,ax.value.fullName.1,claimed_id,identity,mode,ns,ns.ax,op_endpoint,response_nonce,return_to,signed
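Step (7), the Relying Party's verification of an assertion like the one above, as an added example (not code from the slides or from Spring Security): it recomputes the HMAC-SHA256 over the fields named in openid.signed using the MAC key of the association, checks return_to, and rejects stale or replayed response_nonce values. The MAC key, the tolerated clock skew and the OP-side helper used to produce test input are assumptions made here.

```python
import base64
import calendar
import hashlib
import hmac
import time
from urllib.parse import parse_qsl, urlencode, urlsplit

# Constructed association: in the real flow the RP obtains this MAC key in
# step (3) and the OP refers to it by handle inside the assertion.
ASSOCIATIONS = {"{HMAC-SHA256}{4d63572b}{A2ZnQQ==}": b"\x01" * 32}
SEEN_NONCES = set()  # accepted response_nonce values (replay protection)
NONCE_MAX_AGE = 300  # seconds of clock skew the RP tolerates (assumption)
RETURN_TO = "http://localhost:7070/postcards/j_spring_openid_security_check"
REQUIRED_SIGNED = {"op_endpoint", "return_to", "response_nonce",
                   "assoc_handle", "claimed_id", "identity"}

def key_value_form(fields):
    """OpenID 2.0 Key-Value Form of the fields listed in openid.signed, in
    that order and without the 'openid.' prefix: the bytes that get MACed."""
    names = fields["openid.signed"].split(",")
    return "".join(f"{n}:{fields['openid.' + n]}\n" for n in names).encode()

def sign(fields, mac_key):
    """Base64 HMAC-SHA256 over the key-value form, as the OP computes it."""
    mac = hmac.new(mac_key, key_value_form(fields), hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")

def nonce_timestamp(nonce):
    """response_nonce starts with a UTC timestamp YYYY-MM-DDThh:mm:ssZ followed
    by characters that make it unique; return the timestamp as epoch seconds."""
    return calendar.timegm(time.strptime(nonce[:20], "%Y-%m-%dT%H:%M:%SZ"))

def op_issue_assertion(claimed_id, nonce, handle, mac_key):
    """OP side of step (6): sign a positive assertion and build the redirect
    URL. Used here only to produce input for the RP check below."""
    fields = {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "id_res",
        "openid.op_endpoint": "http://www.myopenid.com/server",
        "openid.claimed_id": claimed_id,
        "openid.identity": claimed_id,
        "openid.return_to": RETURN_TO,
        "openid.response_nonce": nonce,
        "openid.assoc_handle": handle,
        "openid.signed": "op_endpoint,claimed_id,identity,return_to,"
                         "response_nonce,assoc_handle,signed",
    }
    fields["openid.sig"] = sign(fields, mac_key)
    return RETURN_TO + "?" + urlencode(fields)

def verify_assertion(url, now=None):
    """RP side of step (7). Returns (True, claimed_id) or (False, reason).
    Re-running discovery to confirm that claimed_id really belongs to
    op_endpoint is a separate RP duty and is not repeated here."""
    now = time.time() if now is None else now
    f = dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    if f.get("openid.mode") != "id_res":
        return False, "not a positive assertion"
    if f.get("openid.return_to") != RETURN_TO:
        return False, "return_to mismatch"
    names = f.get("openid.signed", "").split(",")
    if not REQUIRED_SIGNED <= set(names):
        return False, "required field not signed"
    if any("openid." + n not in f for n in names):
        return False, "signed field missing"
    mac_key = ASSOCIATIONS.get(f.get("openid.assoc_handle"))
    if mac_key is None:
        return False, "unknown association handle"
    if not hmac.compare_digest(sign(f, mac_key), f.get("openid.sig", "")):
        return False, "bad signature"
    nonce = f["openid.response_nonce"]
    try:
        issued = nonce_timestamp(nonce)
    except ValueError:
        return False, "malformed nonce"
    if abs(now - issued) > NONCE_MAX_AGE:
        return False, "stale nonce"
    if nonce in SEEN_NONCES:
        return False, "replayed nonce"
    SEEN_NONCES.add(nonce)
    return True, f["openid.claimed_id"]
```

Without the nonce store and age window a captured redirect could be replayed for as long as the association lives, which is why both checks run after the signature check.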
See: http://en.wikipedia.org/wiki/Cryptographic_nonce
Page 15
<!--.... for developers...-->
Page 16
OpenID RP for developers
You may need a mapping between your existing user identity and their OpenID!
Easy for Spring developers using Spring Security:
<input id="openid_identifier" name="openid_identifier" type="text"/>
<http auto-config="true" ...> <openid-login/></http>
<dependency>
  <groupId>org.springframework.security</groupId>
  <artifactId>spring-security-openid</artifactId>
  <version>${spring.security.version}</version>
</dependency>
For the rest of the Java community:
http://code.google.com/p/openid4java/
Page 17
]]></OpenID><!-- Here we begin with OAuth --><OAuth terminology="OAuth"><![CDATA[
Page 18
<!--.... for users...-->
Page 19
OAuth for users
Use-case: a user wants to send postcards using the PostCards SaaS. Addresses are taken from a second service in the cloud called Contacts (see its REST API).
Actors:
User <<Resource Owner>>
Browser <<User-agent>>
/postcards <<Client>>
/contacts <<Authorization Server>> <<Resource Server>>
/contacts/mycontacts <<REST/JSON API>>
Page 20
OAuth for users
• Issues with handing your password to a client:
  • Clients are required to store resource owner credentials for resource servers.
  • Clients need to support the resource servers' authentication protocols.
  • Clients gain full access to the resource owner's protected resources.
  • The resource owner can't revoke access.
• OAuth is a security protocol that enables users to grant third-party access to their web resources without sharing their passwords (from http://oauth.net).
• Passwords are not nuts: don’t give them away!
Page 21
<!--.... for engineers...-->
Page 22
OAuth for engineers
• OAuth is a security authorization protocol.
• OAuth 1.0 (IETF RFC 5849), around since 2006.
• OAuth 2.0 (IETF draft, v2-13) will obsolete RFC 5849.
• OAuth 2.0 is incompatible with OAuth 1.0.
• OAuth 1.0 is still what must be used in most places, but OAuth 2.0 adoption is ramping up (Facebook, Google since 14.3.2011).
• OAuth 2.0 focuses on client simplicity (less cryptography).
• I’ll cover (mainly) OAuth 2.0, the 3-legged OAuth flow.
Page 23
OAuth for engineers
• While OAuth can be used with other transport protocols, bindings are only defined for HTTP(S) resources.
• OAuth can be used in other use-cases, see the grant types:
  • Authorization code: the one we are going to treat.
  • Implicit grant: suited for applications residing in a user-agent.
  • Resource Owner password credentials: the resource owner has a trust relationship with the client.
  • Client credentials: when the client requests access to protected resources under its own control.
  • Additional grant types (extensions) such as the OAuth-SAML bridge.
Page 24
OAuth for engineers
OAuth protocol 2.0: Authorization Code Flow (http://oauth.net/2/)
Parties: User <<Resource Owner>>, Browser <<User-agent>>, /postcards <<Client>> with its <<Redirection URI>>, /contacts as <<Authorization Server>> (with <<Authorization Endpoint>> and <<Token Endpoint>>) and as <<Resource Server>> (with the <<API>>)
(1) Authentication
(2.1) Obtaining Authorization
(2.2) Authentication
(2.3) Grant access
(2.4)
(2.5) Obtaining Authorization
(2.6)
(3) Accessing Protected Resources
Page 25
OAuth for real engineers
OAuth protocol 2.0 (http://tools.ietf.org/html/rfc5849)
(2) Obtaining Authorization: Authorization Code (URL decoded)
(2.1) Authorization Request: client redirects to the authorization endpoint
HTTP/1.1 302 Found
Location: http://localhost:8080/contacts/oauth/user/authorize?client_id=postcards&redirect_uri=http://localhost:7070/postcards/contacts&response_type=code
(2.2) Authorization Response: the authorization server issues an authorization code and redirects back to the redirection URI
HTTP/1.1 302 Found
Location: http://localhost:7070/postcards/contacts?code=lrbwoF
Page 26
OAuth for real engineers
OAuth protocol 2.0 (http://tools.ietf.org/html/rfc5849)
(2.5) Access Token Request: client POST to the token endpoint
POST /contacts/oauth/authorize HTTP/1.1
Accept: application/json, application/x-www-form-urlencoded
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code&redirect_uri=http://localhost:7070/postcards/contacts&code=lrbwoF&client_id=postcards
(2.6) Access Token Response (Issuing an Access Token): HTTP response to (5.1)
HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store

{ "access_token": "4f919d60-5751-4860-8f3a-253c5700b9c1", "expires_in": 43199, "refresh_token": "611ef1d8-d7ed-4a02-9fcb-4dd36468d00c", "token_type": "undefined"}
Page 27
OAuth for real engineers
OAuth protocol 2.0 (http://tools.ietf.org/html/rfc5849)
(3) Accessing Protected Resources
GET /contacts/mycontacts HTTP/1.1
Authorization: OAuth 4f919d60-5751-4860-8f3a-253c5700b9c1
Accept: application/json
... even with curl...
curl -i -H Accept:application/json -H "Authorization: OAuth 4f919d60-5751-4860-8f3a-253c5700b9c1" http://localhost:8080/contacts/mycontacts
... and without a valid OAuth token!
curl -i -H Accept:application/json http://localhost:8080/contacts/mycontacts
HTTP/1.1 302 Found
WWW-Authenticate: OAuth2
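The exchange of slides 25 to 27 (authorization request, code exchange, resource access) as three in-process parties, added here as an example and not code from the slides or from Spring Security OAuth. Client id, URIs, header form and expires_in come from the slides; the registered-redirect check, code lifetime, single-use codes, the state parameter (a CSRF check the slides' flow does not show) and the sample contact are assumptions made here.

```python
import json
import secrets
import time
from urllib.parse import parse_qsl, urlencode, urlsplit

CLIENT_ID = "postcards"
REDIRECT_URI = "http://localhost:7070/postcards/contacts"
AUTHORIZE_URI = "http://localhost:8080/contacts/oauth/user/authorize"
CODE_TTL, TOKEN_TTL = 60, 43199  # seconds; 43199 is the slide's expires_in, 60 is assumed

REGISTERED = {CLIENT_ID: {"redirect_uri": REDIRECT_URI}}  # /contacts client registry
CODES = {}   # code -> grant details; codes are short-lived and single use
TOKENS = {}  # access_token -> {"user": ..., "expires": ...}
CONTACTS = {"andrea": [{"name": "Andrea", "city": "Lugano"}]}  # constructed sample data

def as_authorize(query, user, now=None):
    """(2.1)/(2.2) authorization endpoint: once the user has approved, redirect
    back to the *registered* redirect URI with a fresh authorization code."""
    now = time.time() if now is None else now
    q = dict(parse_qsl(query))
    client = REGISTERED.get(q.get("client_id"))
    if client is None or q.get("response_type") != "code":
        return 400, None
    if q.get("redirect_uri") != client["redirect_uri"]:
        return 400, None  # a code must never be sent to an unregistered URI
    code = secrets.token_urlsafe(6)
    CODES[code] = {"client_id": q["client_id"], "redirect_uri": q["redirect_uri"],
                   "user": user, "issued": now, "used": False}
    back = {"code": code, **({"state": q["state"]} if "state" in q else {})}  # state echoed unchanged
    return 302, client["redirect_uri"] + "?" + urlencode(back)

def as_token(form, now=None):
    """(2.5)/(2.6) token endpoint: exchange the code for tokens. The JSON is
    shaped like slide 26, with token_type "bearer" instead of "undefined"."""
    now = time.time() if now is None else now
    f = dict(parse_qsl(form))
    g = CODES.get(f.get("code"))
    if (f.get("grant_type") != "authorization_code" or g is None or g["used"]
            or now - g["issued"] > CODE_TTL or f.get("client_id") != g["client_id"]
            or f.get("redirect_uri") != g["redirect_uri"]):
        return 400, {"error": "invalid_grant"}
    g["used"] = True  # a replayed code must not yield a second token
    token = secrets.token_hex(16)
    TOKENS[token] = {"user": g["user"], "expires": now + TOKEN_TTL}
    return 200, {"access_token": token, "expires_in": TOKEN_TTL,
                 "refresh_token": secrets.token_hex(16), "token_type": "bearer"}

def rs_mycontacts(headers, now=None):
    """(3) resource server: serve /contacts/mycontacts only for a valid, unexpired
    token presented as 'Authorization: OAuth <token>' (the header form of slide 27)."""
    now = time.time() if now is None else now
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    t = TOKENS.get(token) if scheme == "OAuth" else None
    if t is None or now > t["expires"]:
        return 401, {"WWW-Authenticate": "OAuth2"}, None
    return 200, {"Content-Type": "application/json"}, json.dumps(CONTACTS.get(t["user"], []))

def client_start(session):
    """/postcards builds the (2.1) redirect; 'state' is a per-session secret the
    callback must echo, so a code planted by someone else is never exchanged."""
    session["oauth_state"] = secrets.token_urlsafe(16)
    params = {"client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
              "response_type": "code", "state": session["oauth_state"]}
    return AUTHORIZE_URI + "?" + urlencode(params)

def client_callback(session, location, now=None):
    """/postcards handles the (2.2) redirect: check state, then POST the code (2.5)."""
    q = dict(parse_qsl(urlsplit(location).query))
    if not q.get("state") or q["state"] != session.pop("oauth_state", None):
        return None
    form = urlencode({"grant_type": "authorization_code", "redirect_uri": REDIRECT_URI,
                      "code": q.get("code", ""), "client_id": CLIENT_ID})
    status, body = as_token(form, now)
    return body["access_token"] if status == 200 else None

def run_flow(user="andrea", now=None):
    """Drive the whole 3-legged flow in-process; returns (access_token, body)."""
    session = {}
    _, location = as_authorize(urlsplit(client_start(session)).query, user, now)
    token = client_callback(session, location, now)
    _, _, body = rs_mycontacts({"Authorization": f"OAuth {token}"}, now)
    return token, body
```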
Page 28
<!--.... for developers...-->
Page 29
OAuth for developers
On both the client and the resource server:
Easy for Spring developers using Spring Security and the OAuth extension:
<dependency>
  <groupId>org.springframework.security.oauth</groupId>
  <artifactId>spring-security-oauth</artifactId>
  <version>${spring.security.oauth.version}</version>
</dependency>
For the rest of the Java community:
http://code.google.com/p/oauth/
Page 30
OAuth for developers
On the client:
Modify your Spring Security context:
<oauth:client />
<oauth:resource id="contacts" type="authorization_code" clientId="postcards"
    accessTokenUri="http://localhost:8080/contacts/oauth/authorize"
    userAuthorizationUri="http://localhost:8080/contacts/oauth/user/authorize" />
Use the OAuth REST template:
org.springframework.security.oauth2.consumer.OAuth2RestTemplate
Page 31
OAuth for developers... and the resource server:
Modify your Spring Security context:
<beans:bean id="tokenServices" class="org.springframework.security.oauth2.provider.token.InMemoryOAuth2ProviderTokenServices">
  <beans:property name="supportRefreshToken" value="true" />
</beans:bean>
<oauth:provider client-details-service-ref="clientDetails" token-services-ref="tokenServices">
  <oauth:verification-code user-approval-page="/oauth/confirm_access" />
</oauth:provider>
<oauth:client-details-service id="clientDetails">
  <oauth:client clientId="postcards" authorizedGrantTypes="authorization_code" />
</oauth:client-details-service>
Provide an approval page, see accessConfirmation.jsp
Page 32
]]></OAuth>
Page 33
Conclusions
• “Free” identities: make data portable!
• Today OpenID is the most successful route to AaaS, maybe not free of issues (http://www.infoq.com/news/2011/01/OpenID). OpenID 3.0 should fix most of those issues.
• Initiatives around DataPortability (http://en.wikipedia.org/wiki/DataPortability):
  • OData, http://www.odata.org/ (Microsoft)
  • GData, http://code.google.com/intl/it-IT/apis/gdata/ (Google)
• You may be interested in http://www.springsource.org/spring-social/
Page 34
Thanks!
http://andrea-chiodoni.myopenid.com/