4. VZnet Netzwerke Ltd. - Tuesday, December 7, 2010

OExchange
• Common API for publishing something into social networks
http://www.example.com/share.php?url={URI}&title={title for the content}&description={short description of the content}&ctype=flash&swfurl={SWF URI}&height={preferred SWF height}&width={preferred swf width}&screenshot={screenshot URI}
http://www.oexchange.org/
10. Do you have really only one identity?
Lothar Krappmann:
- Identity is conveyed by communication
- Identity is not fixed but recreated by every communication with your fellows
- Expectations of different people result in different identities
11. Example: Paul Adams
http://www.slideshare.net/padday/the-real-life-social-network-v2
15. Microsoft Passport / Live ID
• Windows Live ID
• Launched 1999 as .net Passport
• Used mainly for Microsoft services but not much outside
• OpenID Provider since 2008
25. Authentication vs Authorization
Who is the user? Is this really user X?
VS
Is X allowed to do something? Does X have the permission?
Client sites want more than just a unique identifier (Social Graph)
26. But there are Spec Extensions
decafinata
29. Failures of OpenID 2.0
• Complex to implement
• No marketing
  – Do you have an OpenID?
  – What is it?
• URL as identifier => bad user experience
30. OpenID Connect
• Goals:
  – Easier to implement
  – Simpler specification
  – Better user experience
• => wider adoption
• Built on top of OAuth 2.0
31. What's wrong with OAuth?
• Does not work well with non-web or JavaScript-based clients
• The "Invalid Signature" problem
• Complicated flow, many requests
32. What's new in OAuth2? (Draft 10)
• Different client profiles
• No signatures
• No token secrets
• Cookie-like bearer token
• Mandatory TLS/SSL
• No request tokens
• Much more flexible regarding extensions
http://tools.ietf.org/html/draft-ietf-oauth-v2
34. User-Agent Profile

    +----------+          Client Identifier     +----------------+
    |          |>---(A)-- & Redirection URI --->|                |
    |          |                                |                |
End <--+ - - - +----(B)-- User authenticates -->|  Authorization |
User   |       |                                |     Server     |
    |          |<---(C)--- Redirect URI -------<|                |
    |  Client  |          with Access Token     |                |
    |    in    |            in Fragment         +----------------+
    | Browser  |
    |          |                                +----------------+
    |          |>---(D)--- Redirect URI ------->|                |
    |          |         without Fragment       |   Web Server   |
    |          |                                |   with Client  |
    |   (F)    |<---(E)--- Web Page with ------<|    Resource    |
    |  Access  |             Script             |                |
    |  Token   |                                +----------------+
    +----------+
35. What happened to signatures?
• Ongoing controversial discussion
• Bearer tokens are fine over a secure connection
• Vulnerable if discovery is introduced
• Or TLS/SSL is not possible
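Step (F) of the User-Agent Profile, as an added example that is not from the VZnet slides or the VZ library: the browser followed redirect (C) but kept the fragment back from the web server in (D), so the script delivered in (E) has to recover the bearer token itself, and it only accepts the token when the page was loaded over TLS, which is the condition under which the slide above calls bearer tokens fine. The fragment parameter names (access_token, expires_in, state) follow the OAuth 2.0 drafts and the sample redirect URL is constructed; both are assumptions.

```javascript
// Added example (not from the slides). Step (F): pull the bearer token out of the
// fragment of the redirect URI that the authorization server sent in step (C).

// What the web server actually received in step (D): browsers drop the fragment
// before sending the request, so the access token never reaches the server side.
function serverVisibleUrl(redirectUrl) {
  const u = new URL(redirectUrl);
  u.hash = '';
  return u.toString();
}

// What the in-page script recovers in step (F). Returns null whenever the token
// must not be used: the page was not delivered over TLS (a bearer token is only
// safe on a secure connection), the access_token parameter is missing, or the
// state value does not match the one the client put into request (A).
// Parameter names are assumed from the OAuth 2.0 drafts (draft 10 era).
function extractAccessToken(redirectUrl, expectedState) {
  const u = new URL(redirectUrl);
  if (u.protocol !== 'https:') return null;            // mandatory TLS/SSL
  const params = new URLSearchParams(u.hash.replace(/^#/, ''));
  const token = params.get('access_token');
  if (!token) return null;
  if (expectedState !== undefined && params.get('state') !== expectedState) {
    return null;                                       // reject a foreign redirect
  }
  const expiresIn = params.get('expires_in');
  return {
    accessToken: token,
    expiresIn: expiresIn === null ? null : Number(expiresIn),
    state: params.get('state'),
  };
}

// Constructed sample: the URL the browser lands on after redirect (C).
const SAMPLE_REDIRECT =
  'https://client.example.com/cb?page=1#access_token=tok_ABC123&expires_in=3600&state=xyz';

console.log(serverVisibleUrl(SAMPLE_REDIRECT));       // no fragment for the server
console.log(extractAccessToken(SAMPLE_REDIRECT, 'xyz')); // token, expiry and state
```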
36. Scopes
• Optional parameter for provider-specific implementations
• For example
  – Additional return values
  – Access control
37. OpenID Connect?
• Scope: "openid"
• With the access token additional values are returned
  – UserID: URL to Portable Contacts endpoint
  – Signature
  – Timestamp
http://openidconnect.com/
38. OpenID Connect Discovery
• Get the identifier of the user
• Call the /.well-known/host-meta file at the domain of the user's provider
• Look for a link pointing to the OpenID Connect endpoints in the returned LRDD
39. OpenID Connect @VZ
• Available now
• But without the discovery part
  – No discovering clients
  – No discoverable entities
40. VZ-JavaScript Library
<script src="http://static.pe.studivz.net/Js/id/v3/library.js"
data-authority="platform-redirect.vz-modules.net/r"
data-authorityssl="platform-redirect.vz-modules.net/r"
type="text/javascript"></script>
<script type="vz/share">
id: shareButton
title: title of your site
description : a description
</script>
http://developer.studivz.net/wiki/index.php/JS-Library