OpenID, OAuth and Webservices: A developer's guide
Web Directions 2008 - Myles Eftos

Our lives in digits
• So many web apps - so many usernames, so many passwords
• How do we access our data?
• How can we do that safely?
• How can we do it easily?

Meet Jim
• Uses Twitter, Gmail, Digg, Newsgator, LinkedIn + many more
• His housemate finds his username and password
• Hilarity ensues

OpenID to the rescue!
• There are consumers, and there are providers
• Everyone gets a URL
• Magic happens…
Step 1: User enters their OpenID URL

Step 2: Consumer discovers link tags for delegation
<link rel="openid.server" href="http://my.openid.server">
<link rel="openid.delegate" href="http://madpilot.openid.server">

Step 3: Consumer redirects to the Provider login screen
openid.mode = checkid_setup
openid.identity = http://myid.openid.com
openid.return_to = http://www.consumer.com?rp_nouce=[RANDOM]
openid.trust_root = http://www.consumer.com

Step 4: User enters credentials

Step 5: Provider redirects to the Consumer with the return_to parameters
openid.mode = id_res
openid.return_to = http://www.consumer.com?rp_nouce=[RANDOM]
openid.identity = http://madpilot.openid.com
openid.signed = mode,identity,return_to
openid.assoc_handle = [some hash]
openid.sig = [Base64 encoded HMAC signature]

Step 6: Consumer POSTs back to validate what was returned
openid.mode = check_authentication
openid.signed = mode,identity,return_to
openid.assoc_handle = [same hash as before]
openid.sig = [same Base64 encoded HMAC signature as before]
openid.return_to = http://www.consumer.com?rp_nouce=[RANDOM]
openid.identity = http://madpilot.openid.com

Step 7: If the returned values look ok, the Provider returns
is_valid:true
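What the Provider actually does with the Step 6 POST, and what the Consumer should still check before believing is_valid:true, is easier to see in code. The following is an added example, not code from the slides or from the libraries linked at the end; it models the OpenID 1.x key-value signing of the fields listed in openid.signed with an HMAC-SHA1 association secret. The association handle, the secret and the nonce value are constructed, and rp_nouce is kept as the slides spell it.

```python
import base64
import hashlib
import hmac

# Constructed association table: a real Provider stores one shared secret per
# assoc_handle it has handed out. Handle and secret here are hypothetical.
ASSOCIATIONS = {
    "assoc-2008-example": b"constructed-shared-secret-do-not-reuse",
}

# Nonces the Consumer put into return_to (rp_nouce on the slides) and has not yet consumed.
ISSUED_NONCES = {"c0ffee"}

SIGNED_FIELDS = "mode,identity,return_to"


def signed_kv(fields, signed):
    """Key-value form of the signed fields: one 'name:value\\n' line per field, in the
    order openid.signed lists them (names carry no openid. prefix). Raises KeyError
    if a listed field is missing."""
    return "".join(f"{name}:{fields['openid.' + name]}\n" for name in signed.split(","))


def sign(fields, secret):
    """Step 5: the Provider signs the id_res fields with the association secret
    (HMAC-SHA1, Base64 encoded); that string is what openid.sig carries."""
    mac = hmac.new(secret, signed_kv(fields, fields["openid.signed"]).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()


def build_id_res(identity, nonce, handle, secret):
    """Builds the Step 5 redirect parameters for a constructed login."""
    fields = {
        "openid.mode": "id_res",
        "openid.identity": identity,
        "openid.return_to": f"http://www.consumer.com?rp_nouce={nonce}",
        "openid.signed": SIGNED_FIELDS,
        "openid.assoc_handle": handle,
    }
    fields["openid.sig"] = sign(fields, secret)
    return fields


def check_authentication(fields):
    """Steps 6 and 7, Provider side: recompute the signature over the posted fields,
    treating the mode as id_res (the value that was signed), and compare in constant
    time. True means is_valid:true."""
    if fields.get("openid.mode") != "check_authentication":
        return False
    secret = ASSOCIATIONS.get(fields.get("openid.assoc_handle", ""))
    if secret is None:
        return False
    as_signed = dict(fields, **{"openid.mode": "id_res"})
    try:
        expected = sign(as_signed, secret)
    except KeyError:
        return False
    return hmac.compare_digest(expected, fields.get("openid.sig", ""))


def consumer_accepts(fields, expected_identity, trust_root):
    """Consumer side, before acting on is_valid:true: return_to must be under our own
    trust root, the nonce must be one we issued (consumed here so the same response
    cannot be replayed), and the asserted identity must be the one the user claimed."""
    return_to = fields.get("openid.return_to", "")
    if not return_to.startswith(trust_root):
        return False
    nonce = return_to.partition("rp_nouce=")[2]
    if nonce not in ISSUED_NONCES:
        return False
    ISSUED_NONCES.discard(nonce)
    return fields.get("openid.identity") == expected_identity
```

The Provider-side check answers only "was this signed with the association behind this handle?"; the return_to, nonce and identity checks belong to the Consumer, and skipping them is how a valid signature from one login gets replayed for another.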
And again with passion
• Dumb mode has lots of redirects
• Not-dumb mode asynchronously (AJAX) gets an immediate answer
• If the user is logged in, the user can continue
• If not, decide what to do (authenticating would be a good idea)

Simple Registration
• SREG to its friends
• Send your favourite parameters
• Pull nickname, email, date of birth, gender, country, language, time zone
• Consumer can request required and optional parameters
I want my data!
• Data in the cloud is cool
• Backups, hardware upgrades – someone else's problem
• Vendor lock-in is the suck
• Web services are the awesome

REST vs SOAP
• The world needs more religious wars
• Both lie on HTTP
• Both use XML*
• Remote Procedure Pattern vs. Resource Pattern
* REST doesn't really care…

SOAP: Why no one uses it
• In theory it rocks
• Has a description language (WSDL)
• It is verbose
• Perhaps something more ideological?

REST: The web for computers
• The web is based on resources
• Type in a URL: GET that resource
• Submit a form: POST to that resource
• Forgotten verbs: PUT and DELETE

One end point to rule them all (OK, maybe two)
• Returns all companies: GET /companies.xml
• Creates a new company: POST /companies.xml
• Returns the company with id=1: GET /companies/1.xml
• Updates the company with id=1: PUT /companies/1.xml
• Deletes the company with id=1: DELETE /companies/1.xml
HTTP/1.1 101
• HTTP does a lot of stuff

Status codes
200 OK!
201 Created
301 Moved Permanently
400 Bad Request
401 Authorization Required
403 Forbidden
404 Not Found
405 Not Allowed
410 Gone
422 Invalid Entity
500 Server Error
503 Server Unavailable

Headers and modifiers
• If-Modified-Since
• If-Unmodified-Since
• If-Match
• If-None-Match
• If-Range
Communism doesn't work
• You don't want any old person changing stuff
• 401 Authorization Required
• Still needs a password though – a pure OpenID implementation is out
• Anti-password pattern alert!
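The two endpoints, the status codes, the conditional headers and the 401 for "changing stuff" from the last four slides fit in one small dispatcher. This is an added example rather than code from the slides; it is framework-free Python that returns (status, headers, body) tuples so the verb-to-status mapping is visible. The company data, the Basic-auth credential and the XML shape are constructed; 304 and 412 are not on the status-code slide but are what If-None-Match and If-Match produce.

```python
import base64
import hashlib
import hmac
import re
from xml.sax.saxutils import escape

# Constructed in-memory store and credential (example values, not from the slides).
COMPANIES = {1: {"name": "MadPilot"}}
NEXT_ID = [2]
# Hypothetical Basic-auth user accepted for changes; anything else (or nothing) gets a 401.
EXPECTED_AUTH = "Basic " + base64.b64encode(b"jim:constructed-password").decode()
ITEM = re.compile(r"^/companies/(\d+)\.xml$")


def etag_for(company):
    # Deterministic validator derived from the representation, used by If-Match/If-None-Match.
    digest = hashlib.sha1(repr(sorted(company.items())).encode()).hexdigest()
    return '"' + digest[:16] + '"'


def to_xml(cid, company):
    # Escape user-supplied text so a name cannot inject markup into the response.
    return f"<company><id>{cid}</id><name>{escape(company['name'])}</name></company>"


def handle(method, path, headers=None, body=None):
    """Dispatches one request to the two endpoints on the slides and returns
    (status, response_headers, body)."""
    headers = headers or {}
    body = body or {}

    # Anyone may read; changing stuff needs a credential (compared in constant time).
    if method in ("POST", "PUT", "DELETE") and not hmac.compare_digest(
        headers.get("Authorization", ""), EXPECTED_AUTH
    ):
        return 401, {"WWW-Authenticate": 'Basic realm="companies"'}, ""

    if path == "/companies.xml":
        if method == "GET":
            items = "".join(to_xml(i, c) for i, c in sorted(COMPANIES.items()))
            return 200, {"Content-Type": "application/xml"}, f"<companies>{items}</companies>"
        if method == "POST":
            if not body.get("name"):
                return 422, {}, "<error>name is required</error>"
            cid = NEXT_ID[0]
            NEXT_ID[0] += 1
            COMPANIES[cid] = {"name": body["name"]}
            return 201, {"Location": f"/companies/{cid}.xml"}, to_xml(cid, COMPANIES[cid])
        return 405, {"Allow": "GET, POST"}, ""

    if path.startswith("/companies/"):
        match = ITEM.match(path)
        if not match:
            return 400, {}, "<error>malformed company id</error>"
        cid = int(match.group(1))
        company = COMPANIES.get(cid)
        if company is None:
            return 404, {}, "<error>no such company</error>"
        if method == "GET":
            tag = etag_for(company)
            if headers.get("If-None-Match") == tag:
                return 304, {"ETag": tag}, ""
            return 200, {"Content-Type": "application/xml", "ETag": tag}, to_xml(cid, company)
        if method == "PUT":
            if "If-Match" in headers and headers["If-Match"] != etag_for(company):
                return 412, {}, "<error>representation changed since you fetched it</error>"
            if not body.get("name"):
                return 422, {}, "<error>name is required</error>"
            company["name"] = body["name"]
            return 200, {"ETag": etag_for(company)}, to_xml(cid, company)
        if method == "DELETE":
            del COMPANIES[cid]
            return 200, {}, ""
        return 405, {"Allow": "GET, PUT, DELETE"}, ""

    return 404, {}, "<error>unknown resource</error>"
```

The 401 on every changing verb is the point of the "Communism doesn't work" slide: reads stay open, writes need a credential, and here that credential is still a password, which is exactly the gap the OAuth slides go on to fill.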
Check up on Jim
• Signs up to a new Web 2.0 CRM
• Offers to copy contacts from Gmail
• Requires your Gmail username and password…
• Sounds phishy

Bloody OAuth it is…
• OAuth is a machine authorisation protocol
• Like a valet key
• Give permission for a system to access your account… or take away permission
• Again, there are Providers and there are Consumers
Step 1: User wants to access their photos from another service

Step 2: Consumer sends a POST request to the request token URL at the Provider. It identifies itself using a shared secret key that was prepared earlier

Step 3: The Provider returns an unauthorised request token. The token is good for one use

Step 4: The Consumer redirects the user to the Authorisation URL of the Provider

Step 5: If the user hasn't logged in to the Provider service, they do so now, on the Provider. You could use OpenID for this bit

Step 6: The Provider asks the user if they really want to let the Consumer have the photos

Step 7: The Provider redirects the user back to the Consumer, which lets the Consumer know that it can request an authorised token

Step 8: The Consumer requests an authorised token using the now authorised request token

Step 9: The Provider exchanges the request token for an access token. This token is good for a pre-determined period of time (maybe forever)

Step 10: The Consumer can now access the data using its access token

Step 11: The Provider sends the data if the access token checks out
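The "shared secret key that was prepared earlier" in Step 2 is never sent over the wire: each Consumer request carries an HMAC-SHA1 signature computed from it, and the Provider recomputes that signature at Steps 3, 9 and 11. The block below is an added example, not code from the slides or from the oauth.net libraries; it implements the OAuth 1.0 signature base string and HMAC-SHA1 signing on the Consumer side and the checks a Provider makes before honouring the request (known consumer, fresh timestamp, unused nonce, matching signature). The consumer key and secret, the URLs and the clock-skew window are constructed values.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote

# Constructed Consumer credentials "prepared earlier" (Step 2); hypothetical values.
CONSUMERS = {"constructed-consumer-key": "constructed-consumer-secret"}
# Provider-side replay protection: (consumer_key, timestamp, nonce) triples already accepted.
SEEN_NONCES = set()
CLOCK_SKEW = 300  # seconds a request may be stale before the Provider rejects it (assumed window)


def pct(value):
    # OAuth uses RFC 3986 percent-encoding: only A-Z a-z 0-9 - . _ ~ stay unencoded.
    return quote(str(value), safe="-._~")


def base_string(method, url, params):
    """Signature base string: METHOD & url & normalised params, each part percent-encoded.
    Params are sorted by name and joined as key=value with &; oauth_signature is excluded."""
    norm = "&".join(f"{pct(k)}={pct(v)}" for k, v in sorted(params.items()) if k != "oauth_signature")
    return "&".join([method.upper(), pct(url), pct(norm)])


def hmac_sha1(consumer_secret, token_secret, text):
    # Key is consumer_secret&token_secret; token_secret is empty for the Step 2 request-token call.
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, text.encode(), hashlib.sha1).digest()).decode()


def sign_request(method, url, params, consumer_key, consumer_secret, token="", token_secret=""):
    """Consumer side: add the oauth_* parameters and sign. With no token this is Step 2;
    with the authorised request token it is Step 8; with the access token it is Step 10."""
    signed = dict(params)
    signed.update({
        "oauth_consumer_key": consumer_key,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(int(time.time())),
        "oauth_nonce": secrets.token_hex(8),
        "oauth_version": "1.0",
    })
    if token:
        signed["oauth_token"] = token
    signed["oauth_signature"] = hmac_sha1(consumer_secret, token_secret, base_string(method, url, signed))
    return signed


def verify_request(method, url, params, token_secret="", now=None):
    """Provider side: reject unknown consumers, stale timestamps, replayed nonces and
    bad signatures, comparing signatures in constant time. Records the nonce only after
    the signature checks out, so a forged request cannot burn a legitimate nonce."""
    secret = CONSUMERS.get(params.get("oauth_consumer_key", ""))
    if secret is None or params.get("oauth_signature_method") != "HMAC-SHA1":
        return False
    try:
        ts = int(params["oauth_timestamp"])
    except (KeyError, ValueError):
        return False
    now = int(time.time()) if now is None else now
    if abs(now - ts) > CLOCK_SKEW:
        return False
    replay_key = (params["oauth_consumer_key"], ts, params.get("oauth_nonce", ""))
    if replay_key in SEEN_NONCES:
        return False
    expected = hmac_sha1(secret, token_secret, base_string(method, url, params))
    if not hmac.compare_digest(expected, params.get("oauth_signature", "")):
        return False
    SEEN_NONCES.add(replay_key)
    return True
```

Because the method and the URL are part of the base string, a signature made for GET on one resource does not verify for POST on another; the nonce table is what stops an intercepted, correctly signed request from simply being sent again.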
Look ma – no passwords!
• User never enters their password on the Consumer
• The Consumer actually has its own password (the token)
• The token can be revoked, stopping access

The Dark Side: OpenID
• Phishing
• DNS spoofing
• Not an AUTHORISATION system
• Consumer has to trust the Provider
• Doesn't really work without a browser

The Dark Side: REST
• No standard! (Lather, rinse, repeat)
• No description language – requires more legwork

The Dark Side: OAuth
• Doesn't work so well without a browser
• More complex/higher overhead than username/password
• Doesn't work with cURL
Yadis with egg and cheese
• Service discovery protocol
• OpenID is the only open, distributed authentication system (Surprised?)
• XML RDF based
• Allows Providers and Consumers to negotiate protocols

Yadis with egg and cheese
<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service>
      <Type>http://lid.netmesh.org/sso/2.0</Type>
    </Service>
    <Service>
      <Type>http://lid.netmesh.org/sso/1.0</Type>
    </Service>
  </XRD>
</xrds:XRDS>
```
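Both discovery mechanisms on this deck, the openid.server / openid.delegate link tags of Step 2 and the Yadis XRDS document above, are parsed by the Consumer before it trusts anything, so the parsing is where the first sanity checks belong. The block below is an added example and not code from the slides or the libraries at the end; it uses only the standard library. The HTML page is constructed from the Step 2 tags, and the XRDS is the slide's document with a <URI> element (a real Yadis element the slide omits) added to the first service so there is an endpoint to return.

```python
import xml.etree.ElementTree as ET
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed page at the user's OpenID URL, carrying the Step 2 link tags.
HTML_PAGE = """<html><head>
<link rel="openid.server" href="http://my.openid.server">
<link rel="openid.delegate" href="http://madpilot.openid.server">
</head><body>Jim's page</body></html>"""

# The slide's XRDS, plus a <URI> on the first service (constructed endpoint).
XRDS_DOC = """<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service>
      <Type>http://lid.netmesh.org/sso/2.0</Type>
      <URI>http://my.openid.server</URI>
    </Service>
    <Service>
      <Type>http://lid.netmesh.org/sso/1.0</Type>
    </Service>
  </XRD>
</xrds:XRDS>"""

XRD_NS = "{xri://$xrd*($v*2.0)}"   # default namespace of XRD, Service, Type and URI


def is_http(url):
    parsed = urlparse(url)
    return parsed.scheme in ("http", "https") and bool(parsed.netloc)


class OpenIDLinkParser(HTMLParser):
    """Collects openid.server / openid.delegate from <link> tags, but only inside <head>;
    the first value of each wins so user-controlled body content cannot override them."""

    def __init__(self):
        super().__init__()
        self.links = {}
        self.in_head = True

    def handle_starttag(self, tag, attrs):
        if tag == "body":
            self.in_head = False
        if tag != "link" or not self.in_head:
            return
        attr = dict(attrs)
        for rel in (attr.get("rel") or "").split():
            if rel in ("openid.server", "openid.delegate") and attr.get("href"):
                self.links.setdefault(rel, attr["href"])


def discover_html(html):
    """Step 2: returns {'server': ..., 'delegate': ...} or None when there is no usable
    http(s) server URL. The delegate, when present, becomes openid.identity in Step 3."""
    parser = OpenIDLinkParser()
    parser.feed(html)
    server = parser.links.get("openid.server")
    if server is None or not is_http(server):
        return None
    delegate = parser.links.get("openid.delegate")
    return {"server": server, "delegate": delegate if delegate and is_http(delegate) else None}


def discover_xrds(xml_text, preferred):
    """Yadis: lists the services whose Type the Consumer understands, in the Consumer's
    own order of preference, each with its URI (None if the document gives none)."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    found = []
    for service in root.iter(XRD_NS + "Service"):
        types = [t.text.strip() for t in service.findall(XRD_NS + "Type") if t.text]
        found.append((types, service.findtext(XRD_NS + "URI")))
    return [{"type": want, "uri": uri} for want in preferred for types, uri in found if want in types]
```

The scheme check matters because whatever URL comes out of discovery is where the Consumer will redirect the user in Step 3; restricting it to http(s) keeps a mis-typed or hostile page from steering that redirect somewhere else. For documents fetched from arbitrary hosts, parse the XRDS with an entity-expansion-safe parser such as defusedxml rather than the plain ElementTree used here for brevity.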
You know what would be cool?
• OpenID on your desktop
• OpenID on your mobile
• Webservice brokering system
• File system integration

Your local libraries
• OpenID: http://wiki.openid.net/Libraries
• OAuth: http://oauth.net/code

In conclusion, Thank You
Question time starts… Now
