VZ-ID The technical background
Bastian Hofmann, VZnet Netzwerke Ltd.
VZnet Netzwerke Ltd. - Tuesday, December 7, 2010
Agenda
– Sharing
• OExchange
• OpenGraph
– Login
• OpenID
• OAuth & OAuth 2
• OpenID Connect
– VZ JavaScript Library
Sharing
OExchange
• Common API for publishing something into social networks
http://www.example.com/share.php?url={URI}&title={title for the content}&description={short description of the content}&ctype=flash&swfurl={SWF URI}&height={preferred SWF height}&width={preferred swf width}&screenshot={screenshot URI}
http://www.oexchange.org/
Discovery over XRD
<?xml version='1.0' encoding='UTF-8'?>
<XRD xmlns="http://docs.oasis-open.org/ns/xri/xrd-1.0">
  <Subject>http://www.example.com/linkeater</Subject>
  <Property type="http://www.oexchange.org/spec/0.8/prop/vendor">Examples Inc.</Property>
  <Property type="http://www.oexchange.org/spec/0.8/prop/title">A Link-Accepting Service</Property>
  <Link rel="icon" href="http://www.example.com/favicon.ico" type="image/vnd.microsoft.icon" />
  <Link rel="http://www.oexchange.org/spec/0.8/rel/offer" href="http://www.example.com/linkeater/offer.php" type="text/html" />
</XRD>
OpenGraph
http://opengraphprotocol.org/
<meta property="og:title" content="title" />
<meta property="og:description" content="description" />
<meta property="og:site_name" content="your site name" />
<meta property="og:image" content="http://example.com/thumbnail.jpg" />
The sharing service retrieves metadata through the meta tags of the shared page
Sharing examples @VZ
http://developer.studivz.net/wiki/index.php/Sharing
http://platform-redirect.vz-modules.net/r/Link/Share/?url=http%3A%2F%2Fwww.example.com&description=descripton&title=title
http://www.studivz.net/Link/Share/?url=http%3A%2F%2Fwww.example.com&description=descripton&title=title
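The two halves of the sharing story above, OpenGraph tags in the shared page and the VZ share URL, as an added example (not code from the slides or from VZ): it pulls the og:* tags out of a page and builds the studivz.net share URL shown on this slide. The function names, the constructed sample page and the decision to drop a non-http(s) og:image are mine.

```javascript
// Constructed sample of a page that a share button would point at. Attribute
// order varies between real pages, and one og:image here is not a fetchable URL.
const SAMPLE_HTML = `<html><head>
<meta property="og:title" content="An &amp; example" />
<meta content="A short description" property="og:description"/>
<meta property="og:site_name" content="Example Site">
<meta property="og:image" content="javascript:alert(1)" />
<meta property="og:image" content="http://example.com/thumbnail.jpg" />
<meta name="description" content="not an og tag">
</head><body></body></html>`;

// Decode the entities that commonly appear in content attributes.
function decodeEntities(s) {
  return s.replace(/&amp;/g, '&').replace(/&lt;/g, '<').replace(/&gt;/g, '>')
          .replace(/&quot;/g, '"').replace(/&#39;/g, "'");
}

// Read every <meta ...> tag attribute by attribute (no fixed attribute order)
// and keep the first value seen for each og:* property.
function extractOpenGraph(html) {
  const og = {};
  const metaRe = /<meta\b([^>]*)>/gi;
  const attrRe = /([a-zA-Z_:-]+)\s*=\s*("([^"]*)"|'([^']*)')/g;
  let m;
  while ((m = metaRe.exec(html)) !== null) {
    const attrs = {};
    let a;
    while ((a = attrRe.exec(m[1])) !== null) {
      attrs[a[1].toLowerCase()] = decodeEntities(a[3] !== undefined ? a[3] : a[4]);
    }
    const prop = attrs.property;
    if (!prop || !prop.startsWith('og:') || attrs.content === undefined) continue;
    const key = prop.slice(3);
    // og:image is something the sharing service will fetch: only http(s) URLs
    // are accepted, so data: or javascript: values never reach the fetcher.
    if (key === 'image' && !/^https?:\/\//i.test(attrs.content)) continue;
    if (!(key in og)) og[key] = attrs.content;
  }
  return og;
}

// Build the share URL from the slide. Each value goes through encodeURIComponent,
// which is why "http://www.example.com" shows up as http%3A%2F%2Fwww.example.com.
function buildShareUrl(pageUrl, og) {
  const base = 'http://www.studivz.net/Link/Share/';
  const params = [
    ['url', pageUrl],
    ['description', og.description || ''],
    ['title', og.title || ''],
  ];
  return base + '?' + params.map(([k, v]) => k + '=' + encodeURIComponent(v)).join('&');
}

const sampleOg = extractOpenGraph(SAMPLE_HTML);
console.log(sampleOg);
console.log(buildShareUrl('http://www.example.com', sampleOg));
```

Run with `node`; the second line printed is the share URL for the constructed page, with title and description taken from its og tags.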
Login
Identities in real life
Do you really have only one identity? Lothar Krappmann:
– Identity is conveyed by communication
– Identity is not fixed but is recreated by every communication with your fellows
– The expectations of different people result in different identities
Example: Paul Adams
http://www.slideshare.net/padday/the-real-life-social-network-v2
Identities in the Web
Register, Register, Register, ...
Single Sign-on
(photo credit: ul_Marga)
Microsoft Passport / Live ID
• Windows Live ID
• Launched 1999 as .NET Passport
• Used mainly for Microsoft services, but not much outside of them
• OpenID Provider since 2008
Facebook Connect
Twitter @Anywhere
And there are many, many more
Nascar problem
(photo credit: Vaguely Artistic)
How to fix it?
(photo credit: Moff)
Aggregation: Janrain
http://www.janrain.com/
OpenID
• Open, decentralized user authentication
http://openid.net/
Connection Flow
Authentication vs Authorization
Authentication: Who is the user? Is this really user X?
Authorization: Is X allowed to do something? Does X have the permission?
Client sites want more than just a unique identifier (Social Graph)
But there are Spec Extensions
(photo credit: decafinata)
OpenID + OAuth
• Combines OpenID authentication and OAuth authorization
Request: openid.ns.oauth=http://specs.openid.net/extensions/oauth/1.0&openid.oauth.consumer=123456
Response: openid.ns.oauth=http://specs.openid.net/extensions/oauth/1.0&openid.oauth.request_token=7890
OAuth 1.0a Flow

    +----------+                                 +---------------+
    |         -+----(B)-- Request Token -------->|               |
    |  End-user|                                 | Authorization |
    |     at   |<---(C)-- User authenticates --->|     Server    |
    |  Browser |                                 |               |
    |         -+----(D)-- Verifier -------------<|               |
    +-|----|---+                                 +---------------+
      |    |                                         ^      v
     (B)  (D)                                        |      |
      |    |                                         |      |
      ^    v                                         |      |
    +---------+                                      |      |
    |         |>---(A)-- Redirect URL ---------------|      |
    |   Web   |<---(A)-- Request Token + Secret -----|      |
    |  Client |>---(E)-- Request Token, Verifier ----'      |
    |         |<---(E)-- Access Token + Secret -------------'
    +---------+

Every request: client credentials, nonce, timestamp, signature
http://oauth.net/
Failures of OpenID 2.0
• Complex to implement
• No marketing – "Do you have an OpenID?" – "What is it?"
• URL as identifier => bad user experience
OpenID Connect
• Goals:
– Easier to implement
– Simpler specification
– Better user experience
• => wider adoption
• Built on top of OAuth 2.0
What's wrong with OAuth?
• Does not work well with non-web or JavaScript-based clients
• The "Invalid Signature" problem
• Complicated flow, many requests
What's new in OAuth 2? (Draft 10)
• Different client profiles
• No signatures
• No token secrets
• Cookie-like bearer token
• Mandatory TLS/SSL
• No request tokens
• Much more flexible regarding extensions
http://tools.ietf.org/html/draft-ietf-oauth-v2
Web-Server Profile

    +----------+          Client Identifier      +---------------+
    |         -+----(A)--- & Redirect URI ------>|               |
    |  End-user|                                 | Authorization |
    |     at   |<---(B)-- User authenticates --->|     Server    |
    |  Browser |                                 |               |
    |         -+----(C)-- Authorization Code ---<|               |
    +-|----|---+                                 +---------------+
      |    |                                         ^      v
     (A)  (C)                                        |      |
      |    |                                         |      |
      ^    v                                         |      |
    +---------+                                      |      |
    |         |>---(D)-- Client Credentials, --------'      |
    |   Web   |          Authorization Code,                |
    |  Client |            & Redirect URI                   |
    |         |                                             |
    |         |<---(E)----- Access Token -------------------'
    +---------+       (w/ Optional Refresh Token)
User-Agent Profile

        +----------+          Client Identifier     +----------------+
        |          |>---(A)-- & Redirection URI --->|                |
        |          |                                |                |
End <---+ - - - - -+----(B)-- User authenticates -->| Authorization  |
User    |          |                                |     Server     |
        |          |<---(C)--- Redirect URI -------<|                |
        |  Client  |        with Access Token       |                |
        |    in    |          in Fragment           +----------------+
        |  Browser |
        |          |                                +----------------+
        |          |>---(D)--- Redirect URI ------->|                |
        |          |        without Fragment        |   Web Server   |
        |          |                                |   with Client  |
        |   (F)    |<---(E)--- Web Page with ------<|    Resource    |
        |  Access  |          Script                |                |
        |  Token   |                                +----------------+
        +----------+
What happened to signatures?
• Ongoing controversial discussion
• Bearer tokens are fine over a secure connection
• Vulnerable if discovery is introduced
• Or if TLS/SSL is not possible
Scopes
• Optional parameter for provider-specific implementations
• For example
– Additional return values
– Access control
OpenID Connect?
• Scope: "openid"
• Together with the access token, additional values are returned
– UserID: URL to the Portable Contacts endpoint
– Signature
– Timestamp
http://openidconnect.com/
OpenID Connect Discovery
• Get the identifier of the user
• Fetch the /.well-known/host-meta file at the domain of the user's provider
• Look for a link pointing to the OpenID Connect endpoints in the returned LRDD
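The discovery slide above and the OExchange "Discovery over XRD" slide earlier share the same two mechanics: derive the host-meta location from a user's identifier, then pick a Link with a given rel out of an XRD document. Here is one added example in Node.js covering both (not code from the slides, from OExchange or from VZ). The function names are mine, fetching host-meta over https first is my assumption, and because the slides do not quote the rel value the OpenID Connect draft used, findLink simply takes whatever rel the provider documents; the OExchange offer rel is the one from the XRD slide.

```javascript
// "alice@example.com" or "https://example.com/alice" -> "https://example.com/.well-known/host-meta"
function hostMetaUrl(identifier) {
  let host;
  if (identifier.includes('@') && !/^[a-z]+:\/\//i.test(identifier)) {
    host = identifier.slice(identifier.lastIndexOf('@') + 1);          // email-style identifier
  } else {
    host = new URL(identifier.includes('://') ? identifier : 'https://' + identifier).host;
  }
  host = host.toLowerCase();
  // Only a plain host[:port] may end up in the URL we are about to fetch.
  if (!/^[a-z0-9.-]+(:\d+)?$/.test(host)) throw new Error('bad host in identifier');
  return 'https://' + host + '/.well-known/host-meta';
}

// Collect every <Link .../> of an XRD document as { rel, href, type }. Attribute
// order is free, and 'rel= "..."' with a space after '=' (as on the slide) is accepted.
function xrdLinks(xml) {
  const links = [];
  const linkRe = /<Link\b([^>]*?)\/?>/g;
  const attrRe = /([A-Za-z_:-]+)\s*=\s*"([^"]*)"/g;
  let m;
  while ((m = linkRe.exec(xml)) !== null) {
    const attrs = {};
    let a;
    while ((a = attrRe.exec(m[1])) !== null) attrs[a[1]] = a[2];
    links.push({ rel: attrs.rel || '', href: attrs.href || '', type: attrs.type || '' });
  }
  return links;
}

// href of the first Link with the wanted rel, or null. A href that is not an
// http(s) URL is ignored: an XRD is fetched from a third party and must not be
// able to steer the client to another scheme.
function findLink(xml, rel) {
  for (const l of xrdLinks(xml)) {
    if (l.rel === rel && /^https?:\/\//i.test(l.href)) return l.href;
  }
  return null;
}

const OEXCHANGE_OFFER_REL = 'http://www.oexchange.org/spec/0.8/rel/offer';

// Constructed copy of the XRD from the OExchange slide.
const SAMPLE_XRD = `<?xml version='1.0' encoding='UTF-8'?>
<XRD xmlns="http://docs.oasis-open.org/ns/xri/xrd-1.0">
  <Subject>http://www.example.com/linkeater</Subject>
  <Property type="http://www.oexchange.org/spec/0.8/prop/vendor">Examples Inc.</Property>
  <Link rel= "icon" href="http://www.example.com/favicon.ico" type="image/vnd.microsoft.icon" />
  <Link rel= "http://www.oexchange.org/spec/0.8/rel/offer" href="http://www.example.com/linkeater/offer.php" type="text/html" />
</XRD>`;

console.log(hostMetaUrl('alice@example.com'));
console.log(findLink(SAMPLE_XRD, OEXCHANGE_OFFER_REL));
```

The real fetch of host-meta is left out on purpose: whatever HTTP client is used, the response should be size-limited and parsed only after the status and content type have been checked, since a hostile provider controls the whole document.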
OpenID Connect @VZ
• Available now
• But without the discovery part
– No discovering clients
– No discoverable entities
VZ JavaScript Library
http://developer.studivz.net/wiki/index.php/JS-Library
<script src="http://static.pe.studivz.net/Js/id/v3/library.js"
        data-authority="platform-redirect.vz-modules.net/r"
        data-authorityssl="platform-redirect.vz-modules.net/r"
        type="text/javascript"></script>
<script type="vz/share">
  id: shareButton
  title: title of your site
  description: a description
</script>
<script type="text/javascript">
// Called by the library once the login flow has finished.
function callbackMethod(c) {
  if (c.error) {
    return;
  }
  // c.user_id is the URL of the user's Portable Contacts entry; fetch it
  // with the access token the library has stored.
  var url = c.user_id;
  vz.id.login.callApi(url, function(data) {
    console.log(data.entry.displayName);
  });
}
</script>
<script type="vz/login">
  client_id : 1234567890abcdef
  redirect_uri : http://example.com/callback.html
  callback : callbackMethod
  fields : name,emails
</script>
Login widget
http://developer.studivz.net/wiki/index.php/JS-Library
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
  <head>
    <title></title>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  </head>
  <body>
    <script type="text/javascript">
      // Hand the fragment (access token etc.) from the popup back to the opener.
      opener.vz.id.authStorage.setAuthParameterHash(location.hash.substr(1));
      window.close();
    </script>
  </body>
</html>
Callback.html
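Callback.html above passes `location.hash.substr(1)` to the opener, which is where the user-agent profile puts the access token (step C, "with Access Token in Fragment"; step D sends the redirect URI to the web server without it). What the opener should do with that string is an added example, not code from the slides or the VZ library: parse the fragment, refuse error responses and responses without a token, and only accept a response that echoes the `state` value the page generated before opening the popup. parseAuthFragment, acceptAuthResponse and the state check are my additions; access_token, expires_in, state and error are the draft's parameter names.

```javascript
// Turn "access_token=..&expires_in=..&state=.." into an object. Values are
// percent-decoded; '+' is left alone because the fragment comes from the
// authorization server, not from a form submission. First occurrence wins.
function parseAuthFragment(fragment) {
  const out = {};
  for (const pair of fragment.split('&')) {
    if (!pair) continue;
    const i = pair.indexOf('=');
    const key = decodeURIComponent(i < 0 ? pair : pair.slice(0, i));
    const value = i < 0 ? '' : decodeURIComponent(pair.slice(i + 1));
    if (!(key in out)) out[key] = value;
  }
  return out;
}

// Decide whether the response may be stored. expectedState is the random value
// the opener generated before starting the flow; a response that does not echo
// it is dropped, so a response produced for someone else cannot be planted here.
function acceptAuthResponse(fragment, expectedState, now) {
  const p = parseAuthFragment(fragment);
  if (p.error) return { ok: false, reason: 'error:' + p.error };
  if (!p.access_token) return { ok: false, reason: 'missing access_token' };
  if (!expectedState || p.state !== expectedState) return { ok: false, reason: 'state mismatch' };
  const ttl = Number(p.expires_in);
  if (!Number.isInteger(ttl) || ttl <= 0) return { ok: false, reason: 'bad expires_in' };
  return { ok: true, accessToken: p.access_token, expiresAt: now + ttl };
}

// Constructed sample: the string callback.html would read from location.hash.substr(1).
const SAMPLE_FRAGMENT = 'access_token=sample-token-1&expires_in=3600&state=xyz123';
console.log(acceptAuthResponse(SAMPLE_FRAGMENT, 'xyz123', 1291680000));
```

Because the token lives in the fragment and in page memory only, nothing here should ever write it into a cookie or a query string; the library's authStorage keeps it on the client, which is what step F ("Access Token" inside the browser) stands for.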
Thank you
http://twitter.com/BastianHofmann
http://studivz.net/bastian
http://slideshare.net/[email protected]
http://developer.studivz.net