Hannes Tschofenig, MIT CFP Privacy & Security Working Group, Feb. 2nd 2011
Feb, 2nd 2011 MIT CFP Privacy & Security Working Group
Hannes Tschofenig MIT CFP Privacy & Security Working Group
Feb. 2nd 2011
Presentation Scope
• Based on real-world examples for using OAuth and Web 2.0 mashups I will explain identity management and privacy challenges.
• I will use Facebook to illustrate how Web application programmers experience OAuth.
• The subsequent slides have a simple scenario setup:
1. I want to outsource identity management for my own site to Facebook.
2. I want to retrieve information from user’s FB account (to push data to user’s account)
Simple Data Sharing: FB “Like” Button
‘like’ Button: iFrame Version
<iframe src="http://www.facebook.com/plugins/like.php?href=http://www.tschofenig.priv.at/wp/" scrolling="no" frameborder="0" style="border:none; width:450px;height:80px"></iframe>
• More details about the two possible implementations using the XFBML and the IFrame can be found here:
– http://developers.facebook.com/docs/reference/plugins/like
• The XFBML version (next slide) uses the JavaScript SDK and allows websites more flexible control using the OpenGraph API (including posting content to the user’s website):
– http://developers.facebook.com/docs/opengraph
‘like’ Button: XFBML Version
• Easy to produce: http://developers.facebook.com/docs/reference/plugins/like
<script src="http://connect.facebook.net/en_US/all.js#xfbml=1"></script>
<fb:like href="http://www.tschofenig.priv.at/wp/" show_faces="true" width="450" font="arial"></fb:like>
A Privacy Problem?
• When you load a page that contains the ‘like’ button, the iFrame actually loads the code from the Facebook webpage.
• Allows Facebook to know where you are browsing even if you do not click the button.
– Uses existing cookie; it works because you are, via the iFrame, literally “browsing” to Facebook.
• In case you click on it you automatically add information to your profile. This, however, requires you to log in.
– Different authorization model than “normal” Facebook applications (unless you are logged in already)
– Revoking permissions also works differently than with “normal” FB apps.
• Getting the incentives right:
– Facebook gets to see what users are doing on the Web.
– Companies are excited about deploying Web technologies and they get “rewards” if their product is “liked”.
– Users are happy that they can share with their friends what they like.
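Added example, not part of the original slides: a small audit that lists the elements in a page which make the visitor's browser contact the plugin provider on page load, and which page URL each one names. The sample page is constructed from the two embed snippets shown earlier; the function and class names are hypothetical.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

# Domains taken from the two embed snippets on the slides.
PLUGIN_DOMAINS = ("facebook.com", "facebook.net")

# Constructed sample page: both 'like' button variants plus a same-site frame.
SAMPLE_PAGE = """
<h1>My blog</h1>
<iframe src="/comments/frame.html"></iframe>
<iframe src="http://www.facebook.com/plugins/like.php?href=http://www.tschofenig.priv.at/wp/"
        scrolling="no" frameborder="0"></iframe>
<script src="http://connect.facebook.net/en_US/all.js#xfbml=1"></script>
<fb:like href="http://www.tschofenig.priv.at/wp/" show_faces="true"></fb:like>
"""

def is_plugin_host(host):
    """True when host is one of the plugin domains or a subdomain of one."""
    return bool(host) and any(host == d or host.endswith("." + d) for d in PLUGIN_DOMAINS)

class EmbedAudit(HTMLParser):
    """Collects elements that make the browser contact the plugin provider."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in ("iframe", "script"):
            url = urlsplit(attrs.get("src") or "")
            if is_plugin_host(url.hostname):
                # like.php receives the visited page in its href parameter
                page = parse_qs(url.query).get("href", [None])[0]
                self.findings.append((tag, url.hostname, page))
        elif tag == "fb:like":
            # XFBML tag: rendered by the SDK script, href names the page
            self.findings.append((tag, None, attrs.get("href")))

def audit(html):
    """Return (tag, contacted host, page URL named) for each plugin embed."""
    parser = EmbedAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

if __name__ == "__main__":
    for tag, host, page in audit(SAMPLE_PAGE):
        print(f"<{tag}> host={host} page={page}")
```

The iframe and script entries are the ones that trigger a request as soon as the page is viewed, which is the behaviour the slide describes.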
Outsourcing Identity Management
• Task:
– I want to allow users to log on using their Facebook credentials.
– I want this to be integrated into my existing environment. I am using a Wordpress blogging/content management system.
– I don’t want to write code.
Facebook Application Needed
• In many cases you cannot just deploy OAuth between two sides without going through a registration step.
• Consequence: Using OAuth on two random web sites does not work (today)
• Not a technology limitation but a deployment choice!
• Next, we need to go through the Facebook registration pages to obtain application credentials.
• Facebook also requires additional information from “application developer”, such as mobile phone number and credit card information.
Obtaining the client id & key
Moving to the “Client”: A Wordpress Widget on my Webpage
Configuring the placement of the Login Page
Added Facebook Login
The NASCAR Problem
• To simplify user interactions websites put the logos of identity providers on their page.
• More identity providers → more logos
• More logos → users get confused
• Website providers only put the top IdPs on their page → ossification
Login: Authentication and Authorization
• Login button re-directs to Facebook (if not yet logged in already)
• Then, there is an authorization step (see above).
Separate FB Application
• Instead of using an existing plug-in you can also write your own Web page.
• Example code available in a number of programming languages.
• My example uses PHP and retrieves user information (next slide)
PHP Example Code (shortened)
<?php
require 'facebook.php'; // Facebook PHP SDK; the path is an assumption

// create application instance
$facebook = new Facebook(array(
  'appId'  => '104366359641119',
  'secret' => 'afa0f33f69f78fb8d3875c252b45ffad',
  'cookie' => true,
));

// fetch session
$session = $facebook->getSession();

if ($session != null) {
  // session state exists
  try {
    $uid = $facebook->getUser();
    $me = $facebook->api('/me');
    $logoutUrl = $facebook->getLogoutUrl();
  } catch (FacebookApiException $e) {
    error_log($e);
  }
} else {
  $loginUrl = $facebook->getLoginUrl();
}

// fetch public data
$naitik = $facebook->api('/naitik');
?>
<?php if (!$session): ?>
<a href="<?php echo $loginUrl; ?>">
  <img src="http://static.ak.fbcdn.net/rsrc.php/zB6N8/hash/4li2k73z.gif">
</a>
<?php endif; ?>
<?php print_r($session); ?>
Asking for more data
Extended Permissions
• OAuth allows applications to indicate their permissions via a scope attribute.
• Content of scope attribute is not defined but rather left application specific.
• Facebook provides examples for such extended permissions to access data beyond basic information:
– Examples: “email”, “user_photos”
• Details can be obtained from:
– http://developers.facebook.com/docs/authentication/permissions/
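Added example, not from the original slides: how the scope value travels in the authorization request, and how a reviewer can compare the requested permissions with what a feature actually needs. The endpoint, client id and redirect URI are placeholders, and accepting both comma and space separators is an assumption of this sketch; "email" and "user_photos" are the permission names from the slide.

```python
import re
from urllib.parse import urlencode, urlsplit, parse_qs

# Placeholder endpoint: an assumption for this example, not a real service.
AUTHZ_ENDPOINT = "https://idp.example/oauth/authorize"

def authorization_url(client_id, redirect_uri, scopes):
    """Build the redirect that sends the user to the authorization step."""
    query = urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": ",".join(scopes),
    })
    return AUTHZ_ENDPOINT + "?" + query

def requested_scopes(url):
    """Extract the permission names carried in an authorization URL."""
    raw = parse_qs(urlsplit(url).query).get("scope", [""])[0]
    # Scope content is application specific; accept comma or space separators.
    return {s for s in re.split(r"[,\s]+", raw) if s}

def review(url, needed):
    """Compare what the request asks for with what the feature needs."""
    asked = requested_scopes(url)
    needed = set(needed)
    return {
        "requested": sorted(asked),
        "excess": sorted(asked - needed),    # asked for but not needed
        "missing": sorted(needed - asked),   # needed but not asked for
    }

if __name__ == "__main__":
    # Constructed request: a login widget that only needs the e-mail address
    # but also asks for the user's photos.
    url = authorization_url("CLIENT_ID_PLACEHOLDER",
                            "https://blog.example/callback",
                            ["email", "user_photos"])
    print(url)
    print(review(url, needed=["email"]))
```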
Viewing Access Rights
FB’s Privacy Dashboard: Access Log
OAuth 2.0 and Identity Management
• http://tools.ietf.org/html/draft-hansen-privacy-terminology says
– An identity is any subset of attribute values of an individual person which sufficiently identifies this individual person within any set of persons. So usually there is no such thing as "the identity", but several of them.
– An identity of an individual person may comprise many partial identities of which each represents the person in a specific context or role.
– Identity management means managing various partial identities of an individual person, i.e., administration of identity attributes including the development and choice of the partial identity and pseudonym to be (re-)used in a specific context or role.
OAuth 2.0 and Identity Management, cont.
• OAuth 2.0 does not mandate
– a specific user identifier format,
– any authentication mechanism,
– a specific credential type,
– specific type of data to be stored at the resource server,
– management features for creating, modifying, and deleting data
OAuth 2.0 and Identity Management, cont.
• Facebook, deploying OAuth 2.0, defines
– a specific user identifier format (for logon),
– Password-based authentication using a browser interface,
– Data to be stored,
– management features for creating, modifying, and deleting data (and access permissions) using a Web browser.
• OAuth provides the functionality of OpenID but in a different style. OpenID’s initial design did not envision any relationship between the relying party and the identity provider. In practice, this turned out to be a no-go.
• From a standardization point of view, OAuth and OpenID started at different places.
– For example, OpenID has standardized APIs for exchange of data while OAuth does not have such APIs. See http://openid.net/specs/openid-attribute-exchange-1_0.html and http://www.axschema.org/types/
– Next slide shows the OAuth standardization status.
Standardization Status of the OAuth Framework
[Figure: OAuth framework diagram. Entities: User, User Agent, Resource Consumer, Authorization Server, Resource Server. Labelled parts: OAuth Profiles, Token Request, Access Request (incl. Token), Authorization Request, User Interface, Token Format and Content, Authz Server Interaction, Data Exchange, Authentication, Request Security. Legend: red box = currently covered by OAuth WG.]
Summary
• Open Web Authentication (OAuth) is developed in the IETF OAuth working group:
– http://datatracker.ietf.org/wg/oauth/
• Code available (see http://oauth.net/code/) and deployment going fine.
• Working group is trying hard to finish OAuth 2.0: http://tools.ietf.org/html/draft-ietf-oauth-v2
• Security and privacy turn out to be challenging.
– Largely a deployment challenge!
– See http://zachholman.com/2011/01/oauth_will_murder_your_children/
• WG rechartering process ongoing to standardize other parts of the OAuth framework.