The document discusses distributed identity and OpenID as a solution. It begins by defining digital identity and distinguishing it from authentication. It then describes the standard authentication process on the web. The document proposes using identity federation via OpenID as a way to simplify authentication by allowing users to log in using an existing identity from another site rather than having to create new accounts. It provides code examples of implementing OpenID login with Ruby on Rails.
Distributed Identity via OpenID
1. OPENID AND THE CASE OF DISTRIBUTED IDENTITY
EXPLORING THE PROBLEM OF DISTRIBUTED IDENTITY AND OFFERING SOME SOLUTIONS
2. WHAT ARE WE TALKING ABOUT?
IDENTITY === AUTHENTICATION ?
DIGITAL IDENTITY REFERS TO THE ASPECT OF DIGITAL TECHNOLOGY THAT IS CONCERNED WITH THE MEDIATION OF PEOPLE'S EXPERIENCE OF THEIR OWN IDENTITY AND THE IDENTITY OF OTHER PEOPLE AND THINGS.
“DIGITAL IDENTITY” ALSO HAS ANOTHER COMMON USAGE AS THE DIGITAL REPRESENTATION OF A SET OF CLAIMS MADE BY ONE DIGITAL SUBJECT ABOUT ITSELF OR ANOTHER DIGITAL SUBJECT.
IDENTITY == AUTHENTICATION
7. STANDARD AUTHENTICATION
A “USER” AGENT REQUESTS A “PAGE” RESOURCE
IS THE RESOURCE REQUESTED PUBLIC?
IF NOT, IS THE REQUESTING AGENT AUTHENTICATED?
IF NOT, IS THE REQUESTING AGENT REGISTERED?
10. STANDARD AUTHENTICATION
IF “USER” IS REGISTERED BUT NOT AUTHENTICATED, THEN PRESENT THE “LOGIN” FORM...
IF “USER” IS NEITHER AUTHENTICATED NOR REGISTERED, THEN PRESENT THE “REGISTRATION” FORM...
SIMILAR PROCESSING; SUCCESS RETURNS TO THE ORIGINAL REQUEST.
17. STANDARD AUTHENTICATION
INPUT FILTERING TO COMBAT SCRIPT INJECTION
UNIQUENESS OF LOCAL IDENTITY
CREDENTIAL SECURITY
PASSWORD STRENGTH
DATA STORE
HEADACHES!!!
REPETITION!!!
FAIL!!!
18. INTRODUCING! IDENTITY FEDERATION
WHY CAN’T SOMEBODY ELSE DO ALL THIS FOR ME?
NOT NEW! BUT IMPROVED
22. THAT SEEMS EASY...
EVEN EASIER WITH EXISTING LIBRARIES:
ZEND_OPENID FOR PHP5
RUBY-OPENID FOR RUBY
NET::OPENID FOR PERL
MOD_AUTH_OPENID FOR APACHE2
OPENID4JAVA FOR JAVA
CHECK THE OPENID.NET WIKI FOR MORE...!
23. LET’S TRY IT OUT!
$> gem install ruby-openid
$> script/generate controller openid new create complete

views/openid/new.html.erb:
<html>
  <head>
    <title>Log in with OpenID</title>
  </head>
  <body>
    <% if not flash[:error].blank? %>
      <p><b><%= flash[:error] -%></b></p>
    <% end %>
    <% form_tag "/openid/create" do %>
      <%= text_field_tag "openid_url" %>
      <%= submit_tag "Log in with OpenID" %>
    <% end %>
  </body>
</html>

Controller methods:
def create
  # Get the OpenID parameter
  openid_url = params[:openid_url]

  # Make sure we got something
  if openid_url.blank?
    flash[:error] = "No OpenID was entered; try again"
    redirect_to :back
    return
  end

  # Get an OpenID response
  openid_response = openid_consumer.begin openid_url

  home_url = url_for :controller => "openid", :action => "index"
  complete_url = url_for :controller => "openid", :action => "complete"
  openid_redirect_url = openid_response.redirect_url(home_url, complete_url)
  redirect_to openid_redirect_url
  return
end

def complete
  home_url = url_for :controller => "openid", :action => "index"
  complete_url = url_for :controller => "openid", :action => "complete"
  openid_response = openid_consumer.complete(params, complete_url)
  session[:openid] = openid_response.identity_url
  flash[:error] = "You have been logged in as '#{session[:openid]}'"
  redirect_to :action => "new"
  return
end

def openid_consumer
  if @openid_consumer.blank?
    @openid_consumer =
      OpenID::Consumer.new(session,
        OpenID::Store::Filesystem.new("#{RAILS_ROOT}/tmp/openid"))
  end
  return @openid_consumer
end

HTTP://WWW.LINUXJOURNAL.COM/ARTICLE/10104
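The complete action on this slide stores openid_response.identity_url in the session without looking at the response status. The following is an added example, not code from the slides or the linked article: a status-aware version of that step, written so it runs without the gem. The names finish_openid_login and FakeResponse are hypothetical, and the status symbols are assumed to match the SUCCESS, FAILURE, CANCEL and SETUP_NEEDED constants that ruby-openid defines on OpenID::Consumer.

```ruby
require 'erb'

# Assumed to mirror OpenID::Consumer::SUCCESS / FAILURE / CANCEL / SETUP_NEEDED
# in ruby-openid; repeated here so the example runs offline.
SUCCESS, FAILURE, CANCEL, SETUP_NEEDED = :success, :failure, :cancel, :setup_needed

# Constructed stand-in for the object openid_consumer.complete returns.
FakeResponse = Struct.new(:status, :identity_url, :message)

# Decide what the `complete` action should do with a response.
# Returns [logged_in, flash_message]; writes session[:openid] only on success.
def finish_openid_login(response, session)
  # Drop any identity left over from an earlier attempt, so a failed
  # or cancelled login can never leave the visitor "logged in".
  session.delete(:openid)

  case response.status
  when SUCCESS
    identity = response.identity_url.to_s
    if identity.empty?
      return [false, "The provider returned no identity; try again"]
    end
    session[:openid] = identity
    # The view prints flash[:error] with <%= %>, which Rails versions
    # before 3 do not HTML-escape, so escape the identifier here.
    [true, "You have been logged in as '#{ERB::Util.html_escape(identity)}'"]
  when CANCEL
    [false, "Login was cancelled at the provider"]
  when SETUP_NEEDED
    [false, "Your provider needs you to sign in there first"]
  else
    # FAILURE and any unexpected status: the assertion was not verified,
    # so identity_url must not be trusted even if it is present.
    [false, "OpenID verification failed; try again"]
  end
end
```

In the controller, the call would replace the direct session assignment: pass it the result of openid_consumer.complete(params, complete_url) and the Rails session, then put the returned message in the flash.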