The document discusses the identity management protocols OpenID and OAuth. OpenID allows users to use a single digital identity across multiple websites, while OAuth allows websites to grant third-party applications access to user data without sharing passwords. The document outlines the roles, flows, and differences between the two protocols, and proposes a project to implement an OAuth Service Provider and Consumer as an example.
4. User Authentication
• every single website needs my credentials
• username / e-mail
• password
• should be secure
• should not be reused
• how to remember?
5. Resulting Problems
• identity is scattered
• passwords
• millions to remember vs recycling
• how to authorize third party access?
➡ Password Anti-Pattern
12. Establish Association
• shared secret between Relying Party & OpenID Provider
• Diffie-Hellman Key Exchange
• (g^xa)^xb mod p = (g^xb)^xa mod p
http://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange
27. Register Consumer, get Consumer Key
• manually register Consumer at Service Provider
• identified by Token / Secret
• Callback URL
• all subsequent Requests must be signed with Secret, Nonce & Timestamp
29. Get Request Token
• Consumer asks Service Provider for Request Token
• Request Token identifies authorization workflow
• not user specific
• transmitted in URL when User Agent is redirected
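Slides 27 and 29 describe signing every request with the Consumer Secret, a nonce and a timestamp, and then asking the Service Provider for a Request Token. The following Python is an added example, not code from these slides or from the author's project: it builds the OAuth 1.0 HMAC-SHA1 signature base string, signs a Request Token request on the Consumer side, and verifies it on the Service Provider side with a timestamp window and a nonce store so that a replayed or tampered request is rejected. The endpoint URL, consumer key and consumer secret are constructed values.

```python
import base64, hashlib, hmac
from urllib.parse import quote

def pct(value):
    # RFC 5849 percent-encoding: only unreserved characters stay literal
    return quote(str(value), safe="-._~")

def base_string(method, url, params):
    # METHOD & encoded URL & encoded normalized (sorted, encoded) parameters
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    return "&".join([method.upper(), pct(url), pct("&".join(f"{k}={v}" for k, v in pairs))])

def sign(method, url, params, consumer_secret, token_secret=""):
    # HMAC-SHA1 keyed with "consumer_secret&token_secret" (token secret is empty when asking for a Request Token)
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

class ServiceProvider:
    def __init__(self, consumers, window=300):
        self.consumers = consumers   # consumer key -> consumer secret (registered manually)
        self.window = window         # accepted timestamp skew in seconds
        self.seen = set()            # (consumer key, timestamp, nonce) already accepted

    def verify(self, method, url, params, now):
        secret = self.consumers.get(params.get("oauth_consumer_key"))
        stamp = int(params.get("oauth_timestamp", "0"))
        replay_key = (params.get("oauth_consumer_key"), stamp, params.get("oauth_nonce"))
        # unknown consumer, stale timestamp or reused nonce: reject before checking the signature
        if secret is None or abs(now - stamp) > self.window or replay_key in self.seen:
            return False
        unsigned = {k: v for k, v in params.items() if k != "oauth_signature"}
        expected = sign(method, url, unsigned, secret)
        if not hmac.compare_digest(expected, params.get("oauth_signature", "")):
            return False
        self.seen.add(replay_key)
        return True

def request_token_example():
    url = "https://provider.example/oauth/request_token"   # constructed endpoint
    sp = ServiceProvider({"demo-key": "demo-secret"})      # constructed credentials
    now = 1700000000
    params = {"oauth_consumer_key": "demo-key", "oauth_signature_method": "HMAC-SHA1",
              "oauth_timestamp": str(now), "oauth_nonce": "n1", "oauth_callback": "https://consumer.example/cb"}
    params["oauth_signature"] = sign("POST", url, params, "demo-secret")
    results = {"fresh": sp.verify("POST", url, params, now), "replayed": sp.verify("POST", url, params, now)}
    results["stale"] = sp.verify("POST", url, dict(params, oauth_nonce="n2"), now + 900)
    forged = dict(params, oauth_nonce="n3", oauth_callback="https://other.example/cb")
    results["tampered"] = sp.verify("POST", url, forged, now)
    return results
```

The first verification succeeds; the same request sent again fails on the nonce store, a request outside the timestamp window fails even with a fresh nonce, and a changed callback URL invalidates the signature.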
36. Get Access Token
• Consumer trades Request Token for Access Token
• Access Token grants access to Service Provider on behalf of User
• user specific
44. My Project
• Implement OAuth Service Provider & OAuth Consumer example
• API for manageable resources (ideas)
• profile pictures
• activity streams Atom feed extension
• RESTful API for editing RDF::FOAF data
http://activitystrea.ms/
http://www.foaf-project.org/