OpenID, OAuth and webservices
DESCRIPTION
This presentation was given at Web Directions South in 2008. It is a developers guide to building sites using OpenID, OAuth and webservices - no code, but enough to point you in the right direction.
TRANSCRIPT
OpenID, OAuth and Webservices
A developers guide
Web Directions 2008 - Myles Eftos
Our lives in digits
So many web apps - so many usernames, so many passwords
How do we access our data?
How can we do that safely?
How can we do it easily?
Meet Jim
Uses Twitter, Gmail, Digg, Newsgator, LinkedIn + many more
His housemate finds his username and password
Hilarity ensues
OpenID to the rescue!
There are consumers, and there are providers
Everyone gets a URL
Magic happens…
Step 1
User enters their OpenID URL
Step 2
Consumer discovers link tags for delegation
<link rel="openid.server" href="http://my.openid.server">
<link rel="openid.delegate" href="http://madpilot.openid.server">
Step 3
Consumer redirects to theProvider login screen
openid.mode = checkid_setup
openid.identity = http://myid.openid.com
openid.return_to = http://www.consumer.com?rp_nonce=[RANDOM]
openid.trust_root = http://www.consumer.com
Step 4
User enters credentials
Step 5
Provider redirects to Consumerwith return_url parameters
openid.mode = id_res
openid.return_to = http://www.consumer.com?rp_nonce=[RANDOM]
openid.identity = http://madpilot.openid.com
openid.signed = mode,identity,return_to
openid.assoc_handle = [some hash]
openid.sig = [Base64 encoded HMAC signature]
Step 6
Consumer POSTs back tovalidate what was returned
openid.mode = check_authentication
openid.signed = mode,identity,return_to
openid.assoc_handle = [same hash as before]
openid.sig = [same Base64 encoded HMAC signature as before]
openid.return_to = http://www.consumer.com?rp_nonce=[RANDOM]
openid.identity = http://madpilot.openid.com
Step 7
If the returned values look ok, the Provider returns is_valid:true
is_valid:true
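The seven steps above, worked through as an added Python example (this is not code from the talk): the Provider signs the id_res assertion with HMAC-SHA1 over the OpenID 1.1 key-value form of the signed fields, and the Consumer checks return_to against its own host, checks the rp_nonce it issued, and then posts the assertion back as check_authentication. The HTML page, the hostnames and the in-process Provider object that stands in for the HTTP round trips are all constructed for this example.

```python
import base64
import hashlib
import hmac
import re
import secrets
from urllib.parse import parse_qs, urlparse

# Constructed sample: the HTML served at the user's OpenID URL, carrying the
# two link tags from Step 2 (server plus delegate).
SAMPLE_HTML = (
    '<html><head><title>madpilot</title>'
    '<link rel="openid.server" href="http://my.openid.server">'
    '<link rel="openid.delegate" href="http://madpilot.openid.server">'
    '</head><body>hello</body></html>'
)
LINK_RE = re.compile(r'<link\s+rel="openid\.(server|delegate)"\s+href="([^"]+)"', re.I)
SIGNED_FIELDS = ["mode", "identity", "return_to"]


def discover(html):
    """Step 2: pull openid.server / openid.delegate out of the claimed URL's HTML.
    A regex covers the two tags above; a real consumer uses an HTML parser or Yadis."""
    found = {m.group(1).lower(): m.group(2) for m in LINK_RE.finditer(html)}
    if "server" not in found:
        raise ValueError("no openid.server link tag found")
    return found["server"], found.get("delegate")


def kv_form(fields, values):
    """OpenID 1.1 key-value form: one 'field:value\\n' line per signed field, in order."""
    return "".join(f"{f}:{values['openid.' + f]}\n" for f in fields)


def sign(mac_key, fields, values):
    """openid.sig: Base64 of HMAC-SHA1 over the key-value form, keyed by the association's MAC key."""
    mac = hmac.new(mac_key, kv_form(fields, values).encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()


class Provider:
    def __init__(self):
        self.assocs = {}  # assoc_handle -> MAC key kept for later check_authentication calls

    def id_res(self, identity, return_to):
        """Step 5: after the user logged in, sign the positive assertion."""
        handle = secrets.token_hex(8)
        self.assocs[handle] = secrets.token_bytes(20)
        resp = {"openid.mode": "id_res", "openid.identity": identity, "openid.return_to": return_to,
                "openid.signed": ",".join(SIGNED_FIELDS), "openid.assoc_handle": handle}
        resp["openid.sig"] = sign(self.assocs[handle], SIGNED_FIELDS, resp)
        return resp

    def check_authentication(self, post):
        """Steps 6-7: recompute the signature; it was made over mode=id_res, so that is substituted."""
        mac_key = self.assocs.get(post.get("openid.assoc_handle"))
        if mac_key is None:
            return {"is_valid": "false"}
        values = dict(post, **{"openid.mode": "id_res"})
        try:
            expected = sign(mac_key, post.get("openid.signed", "").split(","), values)
        except KeyError:  # a field is listed in openid.signed but missing from the post
            return {"is_valid": "false"}
        ok = hmac.compare_digest(expected, post.get("openid.sig", ""))
        return {"is_valid": "true" if ok else "false"}


class Consumer:
    def __init__(self, root, provider):
        self.root = root          # the trust_root, e.g. http://www.consumer.com
        self.provider = provider  # stands in for the POST of Step 6
        self.pending = set()      # rp_nonce values issued and not yet used

    def start(self, claimed_url, claimed_html):
        """Steps 1-3: discover, then build the checkid_setup redirect parameters."""
        server, delegate = discover(claimed_html)
        nonce = secrets.token_urlsafe(16)
        self.pending.add(nonce)
        return server, {"openid.mode": "checkid_setup",
                        "openid.identity": delegate or claimed_url,  # delegate URL when delegating
                        "openid.return_to": f"{self.root}?rp_nonce={nonce}",
                        "openid.trust_root": self.root}

    def finish(self, resp):
        """Steps 5-7: check return_to and the nonce, then have the Provider validate the signature."""
        rt = urlparse(resp.get("openid.return_to", ""))
        if f"{rt.scheme}://{rt.netloc}" != self.root:  # compare the host, not a string prefix
            return False
        nonce = parse_qs(rt.query).get("rp_nonce", [None])[0]
        if nonce not in self.pending:                 # replayed or never requested
            return False
        post = dict(resp, **{"openid.mode": "check_authentication"})
        if self.provider.check_authentication(post).get("is_valid") != "true":
            return False
        self.pending.discard(nonce)                   # each nonce is good for one use
        return True


def demo():
    """Run the dumb-mode flow once, then try a replay and a tampered assertion."""
    provider, consumer = Provider(), None
    consumer = Consumer("http://www.consumer.com", provider)
    server, params = consumer.start("http://madpilot.openid.com", SAMPLE_HTML)
    assertion = provider.id_res(params["openid.identity"], params["openid.return_to"])
    first, replay = consumer.finish(assertion), None
    replay = consumer.finish(assertion)
    _, params2 = consumer.start("http://madpilot.openid.com", SAMPLE_HTML)
    assertion2 = provider.id_res(params2["openid.identity"], params2["openid.return_to"])
    forged = consumer.finish(dict(assertion2, **{"openid.identity": "http://someone-else.example"}))
    return {"server": server, "first": first, "replay": replay, "forged": forged}
```

The two checks the slides do not spell out are the ones that matter most on the Consumer side: the rp_nonce is consumed after one successful use, so a captured assertion cannot be replayed, and return_to is compared on scheme and host rather than as a string prefix.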
And again with passion
Dumb mode has lots of redirects
Not-dumb mode asynchronously (AJAX) gets an immediate answer
If the user is logged in, the user can continue
If not, decide what to do (authenticate would be a good idea)
Simple Registration
SREG to its friends
Send your favourite parameters
Pull nickname, email, date of birth, gender, country, language, time zone
Consumer can request required and optional parameters
I want my data!
Data in the cloud is cool
Backups, hardware upgrades – someone else’s problem
Vendor lock-in is the suck
Web services are the awesome
REST vs SOAP
The world needs more religious wars
Both lie on HTTP
Both use XML*
Remote Procedure Pattern vs. Resource Pattern
* REST doesn’t really care…
SOAP: Why no one uses it
In theory it rocks.
Has a description language (WSDL)
It is verbose
Perhaps, something more Ideological?
REST: The web for computers
The web is based on resources
Type in a URL: GET that resource
Submit a form: POST to that resource
Forgotten verbs: PUT and DELETE
One end point to rule them all
OK, maybe two
/companies.xml GET Returns all companies
/companies.xml POST Creates a new company
/companies/1.xml GET Return the company with id=1
/companies/1.xml PUT Update the company with id=1
/companies/1.xml DELETE Delete the company with id=1
HTTP/1.1 101
HTTP does a lot of stuff
Status codes
200 OK!
201 Created
301 Moved Permanently
400 Bad Request
401 Authorization Required
403 Forbidden
404 Not Found
405 Not allowed
410 Gone
422 Invalid Entity
500 Server Error
503 Server Unavailable
Headers and modifiers
If-Modified-Since
If-Unmodified-Since
If-Match
If-None-Match
If-Range
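An added example (not from the talk) of the /companies.xml resource table and the conditional headers listed above: a small in-memory handler in Python that returns the status codes from the slides, answers a GET whose If-None-Match matches the current ETag with 304, and refuses a PUT or DELETE whose If-Match no longer matches with 412 Precondition Failed (the standard HTTP response, not one on the slides), which stops two clients silently overwriting each other's updates. The XML shape and the company names are constructed.

```python
import hashlib
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

ROUTE = re.compile(r"^/companies(?:/(\d+))?\.xml$")


class CompanyService:
    """In-memory /companies resource. handle() returns (status, headers, body)."""

    def __init__(self):
        self.companies = {}  # id -> name
        self.next_id = 1

    @staticmethod
    def render(cid, name):
        return f"<company><id>{cid}</id><name>{escape(name)}</name></company>"

    @staticmethod
    def etag(body):
        return '"' + hashlib.sha1(body.encode()).hexdigest() + '"'

    @staticmethod
    def parse_name(body):
        """Accept <company><name>..</name></company>; None means the entity is unprocessable."""
        try:
            name = ET.fromstring(body).findtext("name")
        except ET.ParseError:
            return None
        return name.strip() if name and name.strip() else None

    def handle(self, method, path, headers=None, body=""):
        headers = {k.lower(): v for k, v in (headers or {}).items()}
        m = ROUTE.match(path)
        if not m:
            return 404, {}, ""
        if m.group(1) is None:
            return self.collection(method, body)
        return self.member(method, int(m.group(1)), headers, body)

    def collection(self, method, body):
        if method == "GET":  # /companies.xml GET: all companies
            xml = "<companies>" + "".join(
                self.render(i, n) for i, n in sorted(self.companies.items())) + "</companies>"
            return 200, {"ETag": self.etag(xml)}, xml
        if method == "POST":  # /companies.xml POST: create
            name = self.parse_name(body)
            if name is None:
                return 422, {}, "<error>name is required</error>"
            cid, self.next_id = self.next_id, self.next_id + 1
            self.companies[cid] = name
            return 201, {"Location": f"/companies/{cid}.xml"}, self.render(cid, name)
        return 405, {"Allow": "GET, POST"}, ""

    def member(self, method, cid, headers, body):
        if cid not in self.companies:
            return 404, {}, ""
        current = self.render(cid, self.companies[cid])
        tag = self.etag(current)
        if method == "GET":
            if headers.get("if-none-match") == tag:
                return 304, {"ETag": tag}, ""  # the client's copy is still current
            return 200, {"ETag": tag}, current
        if method in ("PUT", "DELETE"):
            if "if-match" in headers and headers["if-match"] != tag:
                return 412, {"ETag": tag}, ""  # changed since the client read it; do not clobber
            if method == "DELETE":
                del self.companies[cid]
                return 200, {}, ""
            name = self.parse_name(body)
            if name is None:
                return 422, {}, "<error>name is required</error>"
            self.companies[cid] = name
            updated = self.render(cid, name)
            return 200, {"ETag": self.etag(updated)}, updated
        return 405, {"Allow": "GET, PUT, DELETE"}, ""
```

Names are escaped on the way out, so a name containing markup is data in the response rather than structure, and the ETag is derived from the rendered representation, so it changes exactly when a client's cached copy is stale.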
Communism doesn’t work
You don’t want any old person changing stuff
401 Authorization Required
Still needs a password though – a pure OpenID implementation is out
Anti-password pattern alert!
Check up on Jim
Signs up to a new Web 2.0 CRM
Offers to copy contacts from Gmail
Requires your Gmail username and password… Sounds phishy
Bloody OAuth it is…
OAuth is a machine authorisation protocol
Like a Valet Key
Give permission for a system to access your account
…or take away permission
Again, there are Providers and there are Consumers
Step 1
User wants to access their photos from another service
Step 2
Consumer sends a POST request to the request token URL at the Provider. It identifies itself using a shared secret key that was prepared earlier
Step 3
The Provider returns an unauthorised request token. The token is good for one use
Step 4
The consumer redirects the user to the Authorisation URL of the provider
Step 5
If the user hasn’t logged in to the Provider service, they do so now on the Provider
You could use OpenID for this bit
Step 6
The Provider asks the user if they really want to let the Consumer have the photos
Step 7
The Provider redirects the user back to the Consumer and lets the Consumer know that it can request an authorised token
Step 8
The Consumer requests an authorised token using the now authorised request token
Step 9
The Provider exchanges the request token for an access token. This token is
good for a pre-determined period of time (maybe forever)
Step 10
The Consumer can now access the data using its access token
Step 11
The Provider sends the data if the access token checks out
Look ma – no passwords!
User never enters their password on the Consumer
The Consumer actually has its own password (the token)
The token can be revoked, stopping access
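The signing behind Steps 10 and 11, and the revocation on the slide just above, as an added Python example that is not the talk's code: OAuth 1.0 HMAC-SHA1 request signatures, with a Consumer-side signer and a Provider that checks the consumer key, the access token, timestamp freshness, nonce reuse and the signature before it serves the photos. The photo URL and every key, token and secret below are constructed sample values.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, quote, urlsplit

PHOTOS_URL = "http://photos.example.net/photos"  # constructed sample endpoint


def pct(value):
    """OAuth 1.0 percent-encoding: only the RFC 3986 unreserved characters stay bare."""
    return quote(str(value), safe="-._~")


def base_string(method, url, params):
    """Signature base string: METHOD & encoded base URL & encoded, sorted, normalized parameters."""
    parts = urlsplit(url)
    base_url = f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path}"
    merged = dict(parse_qsl(parts.query, keep_blank_values=True))  # query params count too
    merged.update(params)
    pairs = sorted((pct(k), pct(v)) for k, v in merged.items() if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(base_url), pct(normalized)])


def sign(method, url, params, consumer_secret, token_secret=""):
    """HMAC-SHA1 keyed with consumer_secret&token_secret, Base64 encoded."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()


def sign_request(method, url, params, consumer_key, consumer_secret, token, token_secret,
                 timestamp=None, nonce=None):
    """Consumer side (Step 10): add the oauth_* parameters and the signature to a request."""
    signed = dict(params)
    signed.update({"oauth_consumer_key": consumer_key, "oauth_token": token,
                   "oauth_signature_method": "HMAC-SHA1",
                   "oauth_timestamp": str(timestamp if timestamp is not None else int(time.time())),
                   "oauth_nonce": nonce or secrets.token_hex(8), "oauth_version": "1.0"})
    signed["oauth_signature"] = sign(method, url, signed, consumer_secret, token_secret)
    return signed


class PhotoProvider:
    """Provider side (Step 11): the photos are only sent when the access token checks out."""
    WINDOW = 300  # seconds of clock skew tolerated on oauth_timestamp

    def __init__(self):
        self.consumers = {}  # consumer_key -> consumer_secret (the shared secret prepared in Step 2)
        self.tokens = {}     # access token -> (token_secret, consumer_key)
        self.seen = set()    # (consumer_key, timestamp, nonce) combinations already accepted

    def register_consumer(self, key, secret):
        self.consumers[key] = secret

    def issue_access_token(self, consumer_key, token=None, secret=None):
        """The outcome of Step 9; random values unless fixed ones are supplied."""
        token, secret = token or secrets.token_hex(8), secret or secrets.token_hex(8)
        self.tokens[token] = (secret, consumer_key)
        return token, secret

    def revoke(self, token):
        """The user takes permission away: the Consumer's 'password' stops working."""
        self.tokens.pop(token, None)

    def verify(self, method, url, params, now=None):
        now = time.time() if now is None else now
        consumer_key = params.get("oauth_consumer_key")
        consumer_secret = self.consumers.get(consumer_key)
        token = self.tokens.get(params.get("oauth_token"))
        if consumer_secret is None or token is None or token[1] != consumer_key:
            return False  # unknown consumer, unknown or revoked token, or token issued to someone else
        try:
            ts = int(params.get("oauth_timestamp", ""))
        except ValueError:
            return False
        if abs(now - ts) > self.WINDOW:
            return False  # too old (or from the future) to accept
        marker = (consumer_key, ts, params.get("oauth_nonce"))
        if marker in self.seen:
            return False  # replayed request
        expected = sign(method, url, params, consumer_secret, token[0])
        if not hmac.compare_digest(expected, params.get("oauth_signature", "")):
            return False  # parameters were altered after signing, or wrong secrets
        self.seen.add(marker)
        return True
```

Because the query string is folded into the base string, a request signed with the parameters in the URL and one signed with them passed separately produce the same signature, and changing any parameter after signing (say, asking for a different file) fails verification.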
The Dark Side: OpenID
Phishing
DNS Spoofing
Not an AUTHORISATION system
Consumer has to trust the Provider
Doesn’t really work without a browser
The Dark Side: REST
No standard! (Lather, rinse, repeat)
No description language – requires more legwork
The Dark Side: OAuth
Doesn’t work so well without a browser
More complex/higher overhead than username/password
Doesn’t work with cURL
Yadis with egg and cheese
Service discovery protocol
OpenID is the only open, distributed authentication system (Surprised?)
XML RDF based
Allows Providers and Consumers to negotiate protocols
Yadis with egg and cheese
<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service>
      <Type>http://lid.netmesh.org/sso/2.0</Type>
    </Service>
    <Service>
      <Type>http://lid.netmesh.org/sso/1.0</Type>
    </Service>
  </XRD>
</xrds:XRDS>
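An added example (not from the talk) of what a Consumer does with an XRDS document like the one above: parse it, honour the optional priority attribute on each Service, and pick the first service advertising a Type the Consumer supports. PAGE_XRDS repeats the document from the slide; PRIORITY_XRDS, its URIs and hostnames are constructed to show the ordering. The standard library ElementTree is used with the XRD namespace exactly as it is written in the document.

```python
import xml.etree.ElementTree as ET

XRDS_NS = "xri://$xrds"
XRD_NS = "xri://$xrd*($v*2.0)"
NO_PRIORITY = float("inf")  # services without a priority sort after all numbered ones

PAGE_XRDS = """<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service><Type>http://lid.netmesh.org/sso/2.0</Type></Service>
    <Service><Type>http://lid.netmesh.org/sso/1.0</Type></Service>
  </XRD>
</xrds:XRDS>"""

# Constructed sample with priorities and endpoint URIs (lower number wins).
PRIORITY_XRDS = """<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service priority="20"><Type>http://lid.netmesh.org/sso/1.0</Type><URI>http://example.test/lid1</URI></Service>
    <Service priority="10"><Type>http://lid.netmesh.org/sso/2.0</Type><URI>http://example.test/lid2</URI></Service>
    <Service><Type>http://example.test/legacy</Type></Service>
  </XRD>
</xrds:XRDS>"""


def parse_xrds(doc):
    """Return [(priority, [types], [uris])] sorted by priority, document order breaking ties."""
    try:
        root = ET.fromstring(doc)
    except ET.ParseError as exc:
        raise ValueError(f"not well-formed XML: {exc}") from None
    if root.tag != f"{{{XRDS_NS}}}XRDS":
        raise ValueError("root element is not xrds:XRDS")  # e.g. an HTML page came back instead
    services = []
    for xrd in root.findall(f"{{{XRD_NS}}}XRD"):
        for svc in xrd.findall(f"{{{XRD_NS}}}Service"):
            prio = svc.get("priority")
            priority = int(prio) if prio is not None and prio.isdigit() else NO_PRIORITY
            types = [t.text.strip() for t in svc.findall(f"{{{XRD_NS}}}Type") if t.text]
            uris = [u.text.strip() for u in svc.findall(f"{{{XRD_NS}}}URI") if u.text]
            services.append((priority, types, uris))
    services.sort(key=lambda s: s[0])  # sort() is stable, so ties keep document order
    return services


def select_service(doc, supported):
    """Pick the best-priority service that advertises a Type this consumer speaks, or None."""
    supported = set(supported)
    for _priority, types, uris in parse_xrds(doc):
        if supported.intersection(types):
            return types, uris
    return None
```

Rejecting anything whose root element is not xrds:XRDS matters in practice: discovery fetches a URL the user typed, so the Consumer should expect to receive arbitrary documents and must not treat them as a service list.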
You know what would be cool?
OpenID on your desktop
OpenID on your mobile
Webservice brokering system
File system integration
Your local libraries
OpenID: http://wiki.openid.net/Libraries
OAuth: http://oauth.net/code
In conclusion, Thank You
Question time starts… Now