6. What is OpenID?
• An open standard for decentralized authentication.
• Internet-based single sign-on.
• Unique identities based on URIs (or XRIs, if anyone cares).
• A failure.
14. Unwieldy usernames
Me: Hey, Dad, I'm going to set you up with an OpenID. It'll be http://openid.thefloreas.com/blahblah/urlghetto/carl. Now you'll be able to use that and a single password to log in to some sites instead of having to create five different accounts all named carlflorea using the same, single password. Isn't that cool?
26. Unwieldy usernames
• A failure.
• Turns out, my friends and family (“users”) don’t like URLs.
• Here’s one of their URLs: “google Wenatchee falling cow.”
• Except Weird Uncle Tom, who says “bing Wenatchee falling cow”.
• (We don’t talk to Uncle Tom.)
31. Not very useful
• OpenID provides authentication.
• OpenID doesn’t provide anything else.
• My friends and family (“users”) use Facebook.
• They expect more.
35. Not very useful
• Simon Willison launched a new social conference directory site, http://lanyrd.com.
• Simon Willison is a huge supporter of OpenID.
• Lanyrd only authenticates through Twitter.
38. Not very useful
• He took some flak for that.
• His explanation:
I spent the best part of three years advocating OpenID not just because of a belief in openness, but because of the things I wanted to build with it. I wanted to build sites that already knew about you before you even signed in. I wanted to be able to pull in information about you and your relationships from other providers. I wanted to use your public, globally unique ID to share (non-creepy) information about you with other sites.
Then I got bored of waiting. By plugging in to the Twitter ecosystem I get all of those advantages, but I can actually build something successful and popular today.
41. Not very useful
• Developers and users are willing to give up some control of their online identity in exchange for cool stuff.
• Twitter, Facebook and Google provide authentication PLUS a social graph.
52. and Django
• You have multiple, cool Django sites.
• You are building more all the time.
• You want your users to be able to use a single account for all of your sites.
• Solution:
• Facebook!
61. and Django
• No. You want:
• Control.
• Something simple.
• With wide support.
• You don’t need a social graph.
• You only need your users to log in.
• Solution:
• OpenID!
65. Integrating OpenID with Django
• To use OpenID with Django, you need to:
• Set up an OpenID provider, the server to authenticate against.
• Install an OpenID consumer app on all of your Django sites.
71. OpenID Enabled
• Lots of consumer apps, only a couple of providers.
• Everything based on Janrain’s OpenID libraries.
• http://www.janrain.com/openid-enabled
• Every useful web language - and PHP.
• For Python: openid.
81. Set up the provider
• Unique URL for your OpenIDs.
• Example: http://id.mydomain.com/openid/
• Pretty straightforward.
• You will want to connect a signal handler to User creation so that an OpenID is created at the same time.
92. Set up the consumer
• Install the app on each Django site.
• Configure it.
• Allows “cheating” on the OpenID URLs:
• OPENID_SSO_SERVER_URL = "http://id.mydomain.com/openid/"
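An added illustration (my own code, not the deck's or the Janrain library's) of the two consumer-side steps this setting implies: building the identity URL from a bare username, and, once the provider has sent a positive assertion, accepting only claimed identifiers that sit directly under OPENID_SSO_SERVER_URL before linking them to a local User. The username policy regex and the function names are assumptions.

```python
import re
from urllib.parse import urlsplit

OPENID_SSO_SERVER_URL = "http://id.mydomain.com/openid/"  # the deck's example setting
# Assumed local username policy: alphanumeric start, no slashes, dots only inside.
USERNAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.-]{0,29}$")


def _normalize(url):
    """Canonical scheme://host[:port]/path?query so prefix comparison is meaningful."""
    p = urlsplit(url)
    host = (p.hostname or "").lower()  # userinfo such as 'id.mydomain.com@' is dropped
    default = {"http": 80, "https": 443}.get(p.scheme.lower())
    if p.port is not None and p.port != default:
        host += f":{p.port}"
    return f"{p.scheme.lower()}://{host}{p.path or '/'}" + (f"?{p.query}" if p.query else "")


def openid_url_for(username):
    """Login form: build the identity URL from a bare username such as 'user1'."""
    if not USERNAME_RE.match(username):
        raise ValueError(f"unacceptable username {username!r}")
    return OPENID_SSO_SERVER_URL + username + "/"


def username_from_claimed_id(claimed_id):
    """After a positive assertion: return the username only if claimed_id sits directly
    under our provider. Another host, a userinfo trick, a nested path or a query string
    all yield None, so an identity from a foreign provider is never linked to a local User."""
    prefix = _normalize(OPENID_SSO_SERVER_URL)
    url = _normalize(claimed_id)
    if not url.startswith(prefix):
        return None
    rest = url[len(prefix):].rstrip("/")
    return rest if USERNAME_RE.match(rest) else None
```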
96. That’s good. But I want a little bit more...
• That solves authentication.
• But each Django site still duplicates a lot of user information.
• How can I centralize that, too?
102. Introducing: SREG
• Simple Registration (SREG).
• Extension to OpenID.
• Allows consumers to request additional information from providers.
• Very basic info, such as preferred username and e-mail, but:
• Extensible!
107. Introducing: SREG
• Can consolidate all user information on your provider.
• Parcel out relevant information to consumers through SREG.
• Example: Is the user subscribed to consumer1’s newsletter? Only consumer1 cares.
• Sync only happens at login, so you will probably still want some background syncing.
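An added example (my own code, not the deck's or Janrain's) of parcelling out SREG data as described above: the provider answers each consumer's SREG request only with the fields that consumer's trust root is allowed to receive, and the consumer accepts only SREG fields that are covered by openid.signed, refusing the assertion if a required field is missing. The user record, the per-consumer policy table and the custom newsletter field are constructed assumptions; the newsletter field goes beyond the standard SREG 1.1 field set, in the spirit of the deck's "Extensible!".

```python
SREG_NS = "http://openid.net/extensions/sreg/1.1"

# Constructed sample: everything the provider (id.mydomain.com) stores for one user.
USER_RECORD = {
    "nickname": "user1",
    "email": "user1@example.com",
    "fullname": "User One",
    "newsletter": "yes",  # assumed custom field, beyond the standard SREG 1.1 fields
}

# Assumed per-consumer policy keyed by trust root (realm): the only fields that
# consumer may ever receive. consumer2 never learns about consumer1's newsletter.
CONSUMER_FIELDS = {
    "http://consumer1.mydomain.com/": {"nickname", "email", "newsletter"},
    "http://consumer2.myotherdomain.com/": {"nickname", "email"},
}

def _names(request, key):
    return {f for f in request.get(key, "").split(",") if f}

def build_sreg_response(trust_root, request, record):
    """Provider side: answer with only the requested fields this realm is allowed."""
    required = _names(request, "openid.sreg.required")
    optional = _names(request, "openid.sreg.optional")
    allowed = CONSUMER_FIELDS.get(trust_root, set())
    if required - allowed:
        raise PermissionError(f"{trust_root} may not receive {sorted(required - allowed)}")
    response = {"openid.ns.sreg": SREG_NS}
    for name in sorted((required | optional) & allowed):
        if name in record:
            response["openid.sreg." + name] = record[name]
    return response

def read_sreg_response(assertion, required):
    """Consumer side: pull SREG fields from a positive assertion whose signature the
    OpenID library has already verified, accepting only fields named in openid.signed."""
    signed = set(assertion.get("openid.signed", "").split(","))
    data = {}
    for key, value in assertion.items():
        if key.startswith("openid.sreg."):
            if key[len("openid."):] not in signed:  # an unsigned extra could be injected
                raise ValueError(f"{key} is not covered by the signature")
            data[key[len("openid.sreg."):]] = value
    missing = set(required) - set(data)
    if missing:
        raise ValueError(f"provider omitted required fields {sorted(missing)}")
    return data
```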
114. Result
• A user with an account visits consumer1.mydomain.com for the first time and clicks the login link.
• The user is redirected to id.mydomain.com to log in.
• Ajax allows this to all happen in the background.
• The user just uses a username (e.g. “user1”) and doesn’t have to worry about URIs.
• A new User is created on consumer1, linked to the OpenID.
• The user clicks login on consumer2.myotherdomain.com and is automatically logged in with no username or password entry.
118. Catches
• The biggest one is session cookies:
• Consumer1, consumer2 and the provider all have different session cookies.
• If the user logs out of consumer1 and you redirect to also log out of the provider and then return, the user is still logged in on consumer2. This may or may not be a problem.
120. In conclusion
Will post a live example, a provider and two consumers, after the weekend, plus source. Look for a tweet to #djangocon.
Contact me if you are curious or have questions:
@florean
florea@wenatcheeworld.com