OpenID Bootcamp: Introduction to OpenID concepts and hands-on creation/use

Bootcamp

Simon Willison David Recordon
simonwillison.net davidrecordon.com
simon@simonwillison.net drecordon@verisign.com

OSCON
July 24th, 2007

Who are We?
• David Recordon

• VeriSign Employee since
May of 2006

• OpenID Foundation Vice-
Chair

• Co-Author of various
OpenID speciﬁcations

• Past employee of
Six Apart, where OpenID
was created

Who are We?
• Simon Willison

• Ex-Yahoo!, now freelance

• “Europe’s ﬁrst OpenID
consultant”

• Co-creator of the Django
Web Framework

The Plan
• Basic concepts of OpenID
• Hands on - Creating and using an OpenID
• Adoption, history, and status
• Security concerns
• Break
• Security solutions
• Clever and creative hacks
• OpenID in code
• Q&A

OpenID is a
decentralised mechanism
for Single Sign On

“Someone else already
grabbed my username”

“My online proﬁle is
scattered across
dozens of sites”

http://swillison.livejournal.com/

http://openid.aol.com/simonwillison/

What can you do
with an OpenID?

You can use it for
authentication

“Who the heck are you?!”
Login?
Home | Main Schedule | Map | Mobile | About iCalico | Web 2.0 Expo

Search
Welcome to ExpoCal!
Go
Social calendaring for Web 2.0 Expo, April. 15-18, 2007. Build lists of interesting looking sessions, check out what your friends
are going to see, or tag surf your way to serependity.

My Schedule
By Day
You need to be logged in to keep a
SUNDAY, APRIL 15, MONDAY, APRIL 16, WEDNESDAY, APRIL 18,
TUESDAY, APRIL 17, 2007 list of talks and sessions you are
2007 2007 2007
interested in attending.
Popular Today Popular Today Popular Today Popular Today
quot;Building Social quot;Conference Welcomequot; Tim quot;Mobile 2.0quot; Ajit Jaokar Mike quot;Welcomequot; Tim O'Reilly login | sign up
Applicationsquot; Stowe Boyd O'Reilly McCue; Ilkka Raiskinen; quot;Jeff Weiner in Conversation
quot;High Performance quot;A Conversation with Jeff Paola Tonelli with John Battellequot; Jeff
Webpagesquot; Steve Bezosquot; Jeffrey P. Bezos quot;State of the Web 2.0: Weiner John B...
Souders Tenni Theurer quot;Built to Last or Built to Measuring the Participatory quot;Web 2.0 for the Enterprise: Is
quot;Ignitequot; Sell: Is There a Difference? Webquot; Bill Tancer It Soup Yet?quot; Dan Farber
quot; John Batt... quot;Eric Schmidt in Conversation Satish Dha...
Today: All with John Battellequot; Eric
Today: All Today: All
Schmidt John...

Today: All

Popular: Tags Popular: Speaker

Community Design and User Ajit Jaokar Bill Tancer Brian Mulloy Charlene
Ajax
Li Dan Farber David Knight Dirk-Willem van
Experience Keynotes Marketing
Gulik Dmitry Dimov Eric Schmidt Ilkka
and Community Strategy and
Raiskinen James Baty Jay Adelson Jay
Business Models Web 2.0
Bhatti Jeff Weiner Jeffrey P. Bezos Joe
Fundamentals Web 2.0 Services
John Battelle Kathy Sierra Kelly
Kraus
and Platforms Web Operations advertising
Goto Kerry Fleming Kevin Lynch Luke Sontag
business design digitalid django experience
Mike McCue
Mena Trott Paola Tonelli
flickr free google javascript marketing microformats
products and services Rich Skrenta Ross Mayfield Satish
openid php

Dharmaraj Subrah Iyar Tim O'Reilly
rails search skypejournal social syndication
all tags
yahoo everybody!
Random People
ChrisC1971 alexiskold atomsplitter billvision brady emccm
Everything! gervasio goodsboy gustav heinika hienhuynh hotwheel
http://jalanoly.pip.verisignlabs.com/
Find: all talks, the all speakers, all tags, or users. http://suleyman.pip.verisignlabs.com/ http://vishnu.myopenid.com/
jessie jggaines leeclw maisany markgoines nborwankar
pbuder philip ron_topright shameer shua slevine timknight
tomas wilsonminer

“prove it!”
Login?

Search
Welcome to ExpoCal!
Go

My Schedule
By Day
2007 2007 2007
Schmidt John...

Today: All


Ajax
Kraus
Mike McCue
openid php

all tags
yahoo everybody!
Random People
tomas wilsonminer

“OK, you’re in!”
Login?

Search
Welcome to ExpoCal!
Go

My Schedule
By Day
2007 2007 2007
Schmidt John...

Today: All


Ajax
Kraus
Mike McCue
openid php

all tags
yahoo everybody!
Random People
tomas wilsonminer

So it’s a bit like
Microsoft Passport,
then?

But you don’t need to ask
Microsoft’s permission to
implement it

One organisation
doesn’t get to own
everyone’s credentials

And the standard isn’t
owned by any one
company or group

So I’m still giving
someone the keys
to my kingdom?

Yes, but it can be
someone you trust

If you have the ability to
run your own server
software, you can do it
for yourself

We'll show you how to
do that a little later on

So my users don’t
have to sign up for an
account?

An OpenID tells you
very little about a user

You don’t know
their e-mail address

You don’t know if they’re
a person or a spambot

Where do I get that
information from?

OpenID augments your
regular sign-up process;
it doesn't replace it

The simple registration
extension can help
users ﬁll out your
registration form

How can I tell if they’re
an evil spambot?

Same as usual: challenge
them with a CAPTCHA

botbouncer.com lets
you outsource your
CAPTCHAs

So how does OpenID
actually work?

“I’m simonwillison.myopenid.com”

Site fetches HTML,
discovers identity provider

Establishes shared secret
with identity provider
(Using Difﬁe-Hellman key exchange)

Redirects you to the
identity provider

If you’re logged in there,
you get redirected back

How does my identity
provider know who I am?

OpenID deliberately
doesn’t specify

username/password
is common

But providers can
use other methods if
they want to

Out of band
authentication via SMS,
e-mail or Jabber

The provider’s business
is authentication: they
can invest much more
effort than regular sites

It’s also possible for a
provider to just say
“yes” to every query

http://www.jkg.in/openid/
does this

Users can give away their
passwords today - this is
the OpenID equivalent

What if I decide I
hate my provider?

Delegate to a
provider you trust

This minimises lock in and
ensures easy portability

So everyone will end up
with one OpenID that
they use for everything?

(I have half a dozen
OpenIDs already)

People like maintaining
multiple online personas

professional
social
secret
...

OpenID makes it easier
to manage multiple
online personas

Three accounts is still
better than three dozen

Some providers let you
host multiple OpenIDs,
or create a new one for
every site you sign in to

Why is OpenID worth
implementing over all the
other identity standards?

Unix philosophy:
It solves one,
tiny problem

Many of the competing
standards are now on
board

Isn’t putting all my
eggs in one basket
a really bad idea?

Bad news: chances are
you already do

“I forgot my password”
means your e-mail
account is already an
SSO mechanism

OpenID just makes this
a bit more obvious

I can has lolcats!? BETA

Make your own lolcats! lol
Sign in with your OpenID:
OpenID: Sign in

http://icanhascheezburger.com/2007/05/16/i-has-a-backpack/

Fake edition
Your identity provider
Username and password, please!
Username:
Password:
Log in

An untrusted site
redirects you to your
trusted provider

PayPal
Yahoo! BBAuth
Google Auth
Google Checkout

We'll talk about some
potential solutions later

Doesn’t this outsource the
security of my users to
untrusted third parties?

... so do “forgotten
password” e-mails!

If e-mail is secure
enough for your user’s
authentication, so is
OpenID

Password e-mails are
essentially SSO with a
bad user experience

What are the privacy
implications?

Cross correlation of
accounts

Don’t publish a user’s
OpenID without making
it clear that you’re going
to do that

Allow users to opt-out
of sharing their OpenID

The online equivalent of a
credit reporting agency?

This could be built today
by sites conspiring to
share e-mail addresses

IANAL, but legal
protections against this
already exist

“Directed identity” in
OpenID 2.0 makes it
easy to use a different
OpenID for every site

Sun,VeriSign and JanRain
have both announced
“patent covenants”

They won’t smack you
down with their patents
for using OpenID 1.1

They will smack down
anyone else who asserts
their own patents against
OpenID

The OpenID
Foundation is working
on an IPR Policy

AOL - provider, full
consumer very soon

Microsoft: Bill Gates
expressed their interest
at the RSA conference

(mainly as good PR
for CardSpace?)

Sun: Patent Covenant,
33,000 employees

...etc
we'll talk about this more
later

Creating an OpenID
pip.VeriSignLabs.com MyOpenID.com

ClaimID.com FreeYourID.com

http://openid.net/wiki/index.php/OpenIDServers

and you may already have one

Using Your OpenID
Basecamp.com
Plaxo.com
Blinksale.com
Toodledo.com
Wikispaces.com

WikiTravel.com
Ma.gnolia.com
Jyte.com
HighRiseHQ.com
WetPaint.com
http://intertwingly.net/blog/2007/01/03/OpenID-for-non-SuperUsers

6
0
0
~12 million OpenIDs

2 OpenID 1.1 - Estimated from various services

~120 million OpenIDs
(including every AOL user)

OpenID 1.1 - Estimated from various services

6
Total Relying Parties

0
(aka places you can login with OpenID)

0 y
nt
ou
/B
p i
Sx
4,500

2
3,375

2,250

1,125

0
'05

ct

ov

ec

'06

b

ar

r

ay

e

ly

g
Ap

Au
n
Fe

Ju
O

M

M
D
N

Ju
p

Jan
Se

OpenID 1.1 - As viewed by MyOpenID.com

Total Relying Parties (aka places you can login with OpenID)

po
L
AO
y

Ex
nt
ou

0
&

2.
/B

T
SF

eb
p

M

W
i
Sx
4,500

3,375

2,250

1,125

0
'05

ct

ov

ec

'06

b

ar

r

ay

e

ly

g

p

ct

ov

ec

'07

b

ar

r

ay

e

22
Ap

Ap
Au
n

n
Fe

Se

Fe
Ju
O

O
M

M
M

M
D

D
N

Ju

N

Ju

ly
p

Jan

Jan

Ju
Se

OpenID 1.1 - As viewed by MyOpenID.com

History 2005 & 2006
Created by Brad Fitzpatrick (Summer 2005)
Yadis Discovery protocol (Jan 2006)
VeriSign launches OpenID Provider (May)
Convergence with i-names (July)
Convergence with Sxip (Aug.)
$50,000 USD Developer Bounty (Aug.)
Technorati adopts OpenID (Oct.)
Tutorials by Simon Willison (Dec.)

History Q1 2007
Mozilla announces intent to support OpenID in FireFox 3 (Jan.)
Microsoft support expressed by Bill Gates and Craig Mundie at
RSA Conference keynote (Feb.)
AOL add OpenID to every one of their ~60M accounts (Feb.)
Symantec announces upcoming OpenID products (Feb.)
Digg and NetVibes announce OpenID support (Feb.)
Wordpress.com and 37Signals adopt OpenID (March)
USA Today publishes OpenID article on the Money section
front-page (March)

History Q2 2007
Plone 3.0 ships with OpenID support (May)
Sun Microsystems adopts OpenID in enterprise product and
provides employees with OpenID (May)
livedoor adds OpenID support (May)
OpenID wins Next Web Award (June)
Leo Laporte and Steve Gibson discuss OpenID (June)
OpenID wins CNET Webware 100 award (June)
Atlassian (makers of enterprise wiki software) supports OpenID (June)
Drupal 6 ships with OpenID support (June)

The purpose of the OpenID Foundation is to
foster and promote the development and
adoption of OpenID as a framework for
user-centric identity on the Internet.

Founding board
Scott Kveton David Recordon
Chair Vice-Chair
scott@kveton.com drecordon@verisign.com

Dick Hardt Martin Atkins
Treasurer Secretary
dick@sxip.com mart@degeneration.co.uk

Johannes Ernst Drummond Reed
jernst@netmesh.us drummond.reed@cordance.net

Bill Washburn
Artur Bergman
Executive Director
sky@crucially.net
bill@oidf.org

Current efforts
Develop an IPR policy and process for OpenID
speciﬁcations to keep OpenID free and patent
unencumbered
Develop a trademark policy that supports the
extended OpenID community
Develop core messaging for OpenID and
websites oriented toward developers, users,
and other potential adopters
Coordinate World-wide joint marketing and
evangelism

OpenID Auth 2.0

• Implementors draft published earlier this
year
• Already seen multiple implementations in
PHP, Java, Perl, and Python
• Concerns raised from service providers the
size of AOL, LiveDoor,Yahoo! around
identifier recycling
• Still really close to a final specification

Protocol Security

• DNS Security
• Man in the Middle Attacks
• Eavesdropping Attacks
• MAC Key Weakness
• Replay Attacks
Don't Panic

Phishing

An untrusted site redirects you to
your trusted provider

Not just a problem for OpenID, but
also for PayPal, Google Auth and
Checkout, Yahoo! BBAuth, AOL
OpenAuth

Passwords Can be Stolen

• Browsers have poor support for other
means
• Users normally ignore browser chrome
• What extent are they willing to go?
• quot;Gang Kidnaps Gamer to Get Password
Using Fake Orkut Datequot;

Trust
quot;Trust ﬁrst requires identityquot; - Brad Fitzpatrick

OpenID does not tell you if a user is
good, bad, or even human

• What if I've never seen the user before?
• What if I know nothing about the OpenID
Provider?

Decoupled Authentication

• What if the user didn't authenticate at all?
• How do I know if they met my policies?
• I need strong authentication!
• The user must authenticate within the past
ﬁve minutes!

Protocol security
• Use SSL correctly throughout the protocol
• Protects against man-in-the-middle,
eavesdropping attacks, and DNS attacks
• Generate strong MAC keys and re-negotiate
as needed
• Used to verify data integrity and
authenticity of OpenID responses
• Verify NONCEs
• Protects against replay attacks

Trust
quot;Trust ﬁrst requires identityquot; - Brad Fitzpatrick

• Challenge them via a CAPTCHA or email
veriﬁcation
• Even a distributed CAPTCHA
• Use whitelists and blacklists
• Ask someone else whom you trust

Decoupled authentication
• OpenID Provider Authentication Policy
Extension, draft published June 2006
• Relying Parties can ask for authentication
policies such as quot;phishing resistantquot; or
quot;multi-factorquot;
• Providers can respond with policies the user
complied with, time since they
authenticated, and strength of the credential
(s) used per NIST guidelines
• Still has the question of quot;trustquot;

Whitelisting Providers
• OpenID doesn't dictate that a RP accept
every OpenID
• Certainly most do
• Might make sense for a bank to whitelist
• Others sites by whitelisting will only hurt
themselves by cutting down the number of
users who can sign in
• With Yadis Discovery, a user can list multiple
providers and a RP can choose which to use

Vidoop
(changes the metaphor by removing passwords)

Microsoft CardSpace
(anti-phishing authentication built into the OS)

VeriSign's OpenID SeatBelt
(an OpenID convenience and security add-on for Firefox)

works with

SeatBelt
• Provide contextual information
• Am I currently logged in and if so as whom?
• Is it safe to login?
• Remove phishing opportunities
• Login when my browser opens
• Take me to my Provider if I'm not logged in
• Protect against common attacks
• Validate SSL certiﬁcates when interacting with
my Provider

the best solutions will
be in the browser

Mozilla has said FireFox 3
will include some sort of
OpenID integration

IE Team has posted a job
ad mentioning quot;OpenIDquot;
quot;Does the idea of redeﬁning the role of the Internet browser appeal to
you? Do the terms HTTP, RSS, Microformats, and OpenID, excite you? If
so, then this just might be the opportunity for you.quot;

Simpliﬁed account creation
• The classic OpenID use-case: allow users to
create a regular account on your system tied
to their OpenID
• Use Simple Registration to pre-ﬁll the signup
form
• Let users associate one or more OpenIDs
with an existing account

Lightweight accounts

• Sometimes you just need persistent cookies
• Personalisation
• Preference saving
• Anything where users can’t spam you
• http://oscon07.icalico.org/ is a nice example

Simpliﬁed OpenID login

• Millions of people have OpenIDs but don’t
know what OpenID is
• Offer them a sign-in form speciﬁc to their
provider
• Construct the OpenID behind the scenes

Internal SSO
• Restrict your internal applications to only
accept corporate assigned OpenIDs
• Requires an internal OpenID server
• Wikis, bug trackers, blog engines...
• Applications need to be able to whitelist
OpenIDs that match a certain pattern
• http://(w+).internal.example.com/

Portable contact lists
• Re-adding your friends on every social
network completely sucks
• The Facebook platform shows the
importance of being able to build even trivial
applications on top of an existing network
• An OpenID is globally unique; it’s the ideal
hook for building a reusable friend list

Contact list options
• FOAF
• RDF format, exported by LiveJournal
• Currently adding a new “openid” ﬁeld
• XFN
• Microformat for listing relationships
• Can be embedded directly in HTML

http://daveman692.livejournal.com/data/foaf

...
<foaf:knows>
<foaf:Person>
<foaf:nick>bradfitz</foaf:nick>
<foaf:member_name>Brad Fitzpatrick</foaf:member_name>
<foaf:tagLine></foaf:tagLine>
<foaf:image>http://userpic.livejournal.com/21628/1</foaf:image>
<rdfs:seeAlso rdf:resource=quot;http://bradfitz.livejournal.com/data/foafquot; />
<foaf:weblog rdf:resource=quot;http://bradfitz.livejournal.com/quot;/>
</foaf:Person>
</foaf:knows>
...

http://gmpg.org/xfn/intro

<ul>
<li><a href=quot;http://jane-blog.example.org/quot; rel=quot;date metquot;>Jane</a></li>
<li><a href=quot;http://dave-blog.example.org/quot; rel=quot;friend metquot;>Dave</a></li>
<li><a href=quot;http://darryl-blog.example.org/quot; rel=quot;friend metquot;>Darryl</a></li>
</ul>

Pre-approved accounts

• Collaboration apps (private wikis, multi-
author blogs, Google Docs etc) often let you
“invite” new members to your project
• With OpenID, you can pre-approve their
ability to log in without needing to create
them a username and password

Social whitelists
• A potential mechanism for tackling blog
comment spam
• Create a list of OpenIDs that can skip your
spam ﬁlter
• Share that list with your friends
• Allow people on their lists to skip your
spam ﬁlters as well
• http://simonwillison.net/2007/Jan/22/whitelisting/

Group syndication

• A combination of social whitelisting and pre-
approved accounts
• Syndicate groups as a list of OpenIDs
• www.jyte.com does this
• Tell another application that “anyone who is
a member of that group can sign in”

jyte.com/api/group/djangonauts/roster
http://www.jacobian.org/
http://groovymother.com/
http://rodbegbie.sxipper.com/
http://cygnus.myopenid.com/
http://www.b-tree.org/
http://root.b-tree.org/
http://jlam.idproxy.net/
http://claimid.com/jlam
http://openid.aol.com/jlameudaemon
http://jlam.vox.com/
http://jlam.livejournal.com/
http://adamh.openid.pl/
http://robhudson.myopenid.com/
http://recombiant.com/public/yadis.xrdf
http://bradpitcher.livejournal.com/
http://kristate.myopenid.com/
http://michele.campeotto.net/
http://mderk.livejournal.com/
http://meangrape.myopenid.com/
http://telenieko.com/
http://eas.myopenid.com/
http://geekfun.livejournal.com/
http://www.pauladamsmith.com/
http://teknico.myopenid.com/
http://adamendicott.com/
http://simonwillison.net/
http://azuer88.myopenid.com/
http://lightlan.myopenid.com/

Provider-speciﬁc services
• OpenIDs from different providers can tell
you different things about a user
• An AOL OpenID “proves” their IM details
• A LiveJournal OpenID lets you discover
their RSS, FOAF and LJ Jabber account
• A last.fm OpenID could indicate their
taste in music
• Another reason to allow multiple OpenIDs
to be associated with a single account

Identity projection
• A related concept
• OpenID lets you project your identity from
one service to another
• If you can prove to site X that you are a
user of site Y, what new things can you build?
• Lots of opportunities for interesting
mashups here

Build a decentralised
reputation network
• eBay users build up a trusted reputation over
time
• Imagine if reputation could be tied to an
OpenID, and aggregated by crawlers
• This wouldn’t punish the bad guys (who would
just get a new OpenID), but it would reward
the good guys
• Jyte lets you vote on claims about OpenIDs

Being a consumer
and a provider
• Not as crazy as you might think
• Letting users sign in with OpenID is a no-
brainer
• Providing OpenID as a way of proving
ownership of a proﬁle page is also useful
• You could even automatically delegate to the
OpenID that they used to sign in

Proxies for proprietary
authentication APIs
• Google,Yahoo! and Facebook all provide
proprietary authentication APIs
• If they're supporting an authentication API,
why don't they just support OpenID?
• You can set yourself up as a proxy between
their protocol and OpenID

associate
• Back-channel between RP and Provider
• Used to establish a shared secret used for
message signing
• HMAC style key calculated with SHA1 or
SHA256
• Can use Difﬁe-Hellman or be in the clear if
using SSL

checkid_setup

• Front-channel via browser redirects
• Send the user to their Provider with an
OpenID request
• Provider authenticates and prompts user
• Responds with a quot;yesquot; or quot;cancelquot;

checkid_immediate
• Front-channel via browser redirects
• Send the user to their Provider with an
OpenID request
• Provider immediately responds with a quot;yesquot;
or quot;noquot;
• Good for AJAX type setups or quot;single
logoutquot;

check_authentication

• Back-channel between RP and Provider
• Used to verify a signature if there was not an
existing association
• Also used to verify a signature if the
Provider told the RP to invalidate the
existing association

As a drawing

http://leancode.com http://www.windley.com

Creating an OpenID with
your own server

* *************************************************************************** *
* CONFIGURATION
* *************************************************************************** *
* You must change these values:
* auth_username = login name
* auth_password = md5(username:realm:password)
*
* Default username = 'test', password = 'test', realm = 'phpMyID'
*/

#$profile = array(
# 'auth_username' => 'test',
# 'auth_password' => '37fa04faebe5249023ed1f6cc867329b'
#);

/*
* Optional - Simple Registration Extension:
*
* If you would like to add any of the following optional registration
* parameters to your login profile, simply uncomment the line, and enter the
* correct values.
*
* Details on the exact allowed values for these paramters can be found at:
* http://openid.net/specs/openid-simple-registration-extension-1_0.html
*/

#$sreg = array (
# 'nickname' => 'Joe',
# 'email' => 'joe@example.com',
# 'fullname' => 'Joe Example',
# 'dob' => '1970-10-31',
# 'gender' => 'M',
# 'postcode' => '22000',
# 'country' => 'US',
# 'language' => 'en',
# 'timezone' => 'America/New_York'
#);

* *************************************************************************** *
* CONFIGURATION
* *************************************************************************** *
* You must change these values:
* auth_username = login name
* auth_password = md5(username:realm:password)
*
* Default username = 'test', password = 'test', realm = 'phpMyID'
*/

$profile = array(
'auth_username' => 'david',
'auth_password' => 'e0fee9a99fa2fe004bbd70b972a03aa1'
);

/*
*
* correct values.
*
*/

#$sreg = array (
# 'nickname' => 'Joe',
# 'email' => 'joe@example.com',
# 'fullname' => 'Joe Example',
# 'dob' => '1970-10-31',
# 'gender' => 'M',
# 'postcode' => '22000',
# 'country' => 'US',
# 'language' => 'en',
# 'timezone' => 'America/New_York'
#);

Conﬁgure Proﬁle Data
$profile = array(
'auth_username' => 'david',
'auth_password' => 'e0fee9a99fa2fe004bbd70b972a03aa1'
);

/*
*
* correct values.
*
*/

$sreg = array (
'nickname' => 'daveman692',
'email' => 'recordond@gmail.com',
'fullname' => 'David Recordon',
'dob' => '1986-09-04',
'gender' => 'M',
'postcode' => '941458',
'country' => 'US',
'language' => 'en',
'timezone' => 'America/Los_Angeles'
);

Conﬁgure Delegation
(source of www.davidrecordon.com)

<html xmlns=quot;http://www.w3.org/1999/xhtmlquot;>
<head>
<title>David Recordon</title>
<style>
div {
text-align: center;
color: #C0C0C0;
}
img {
border: 0px;
}
a {
color: #C0C0C0;
}
</style>

<link rel=quot;openid.serverquot; href=quot;http://www.davidrecordon.com/myid.phpquot; />
<link rel=quot;openid.delegatequot; href=quot;http://www.davidrecordon.com/myid.phpquot; />
</head>

Done!
Time to conﬁgure and upload phpMyID:

~5 Min

http://siege.org/projects/phpMyID/

OpenID enabling iCalico
http://oscon.icalico.org/

Existing users: Sign in and click the the quot;add
OpenIDquot; link at the top right

New users: Click quot;loginquot; and sign in with your
OpenID, skipping the signup process :)

Thanks Brian Ellin of JanRain

Tools Used

• iCalicio by Kellan Elliot-McCrea and Evan
Henshaw-Plath
• Ruby and Rails
• gem install ruby-openid

iCalico User Model
• Stores login name and hashed password
• We need to add an optional OpenID column

1 class AddOpenId < ActiveRecord::Migration
2 def self.up
3 add_column :users, :openid, :string
4 add_index :users, [:openid], :name => :users_openid_index
5 end
6
7 def self.down
8 remove_column :users, :openid
9 end
10 end

Now for the best practice
• Should allow multiple OpenIDs...though is slightly more
complex
1 class AddOpenId < ActiveRecord::Migration
2 def self.up
3 create_table :openids do |t|
4 t.column :identifier, :string
5 t.column :user_id, :int
6 end
7 end
8
9 def self.down
10 drop_table :openids
11 end
12 end

1 class User < ActiveRecord::Base
2 has_many :openids
3 end

Using the OpenID Library

1 def consumer
2 store_dir = Pathname.new(RAILS_ROOT).join('db').join('openid-store')
3 store = OpenID::FilesystemStore.new(store_dir)
4 return OpenID::Consumer.new(session, store)
5 end

• FilesystemStore saved OpenID transaction state
• OpenID::Consumer handles the protocol details

Add OpenID UI

1 <h2>Or, login with OpenID</h2>
2 <%= start_form_tag(:controller=>'account', :action => 'openid_start') %>
3 <p><label for=quot;openid_identifierquot;>OpenID</label><br/>
4 <%= text_field_tag 'openid_identifier' %></p>
5 <%= submit_tag 'OpenID Login' %>
6 <%= end_form_tag %>

<input name=quot;openid_identiferquot; />

Handle Login Form Submit
1 def openid_start
2 openid_request = consumer.begin(params[:openid_identifier])
3
4 case openid_request.status
5 when OpenID::SUCCESS
6 return_to = url_for(:action => 'openid_finish')
7 trust_root = url_for(:controller => '')
8 server_redirect_url = openid_request.redirect_url(trust_root, return_to)
9 redirect_to(server_redirect_url)
10
11 when OpenID::FAILURE
12 flash[:notice] = quot;Could not find your OpenID server.quot;
13 redirect_back_or_default(:controller => '/account', :action => 'index')
14
15 end
16 end

1. Discover
2. Associate
3. Redirect
(we’ll handle the server response at the return_to URL)

Handle Server Response
1 def openid_finish
2 openid_response = consumer.complete(params)
3
4 case openid_response.status
5 when OpenID::SUCCESS
6 openid = openid_response.identity_url
7 @user = User.find_by_openid(openid)
8
9 unless @user
10 @user = User.create(:openid => openid, :login => openid)
11 end
12 self.current_user = @user
13 flash[:notice] = quot;Welcome #{@user.openid}quot;
14
15 when OpenID::FAILURE
16 flash[:notice] = 'Verification failed.'
17 end
18
19 redirect_back_or_default(:controller => 'talk', :action => 'list')
20 end

Done!
Time to implement OpenID in iCalico:
45 minutes

http://oscon.icalico.org/

django-openid

• http://code.google.com/p/django-openid
• Convenient wrapper around JanRain library
• Currently provides tools for consuming
OpenID

def index(request):
if request.openid:
# User is signed in with OpenID
...
else:
# User is not signed in
return HttpResponseRedirect('/openidlogin/')

request.openid = most recently signed in OpenID
request.openids = ALL signed in OpenIDs

Additional features

• Simple registration support
• request.openid.sreg['email']
• Coming soon...
• Tie in with django.contrib.auth.User
• Easy creation of an OpenID provider

Best practices for
OpenID relying parties

• OpenID extends rather than replaces your
existing user accounts system

• Two key steps:
• Allow existing users to associate one or
more OpenIDs with their account

• Allow new users to sign up using an
OpenID to jump-start the process

Existing accounts
• Provide an interface for adding and removing
OpenIDs from an account
• Don’t let users associate an OpenID without
ﬁrst authenticating it
• Don’t let users delete the last OpenID
associated with their account without having
a password set (or they’ll lock themselves
out)

New accounts
• Use Simple Registration, if available, to pre-fill fields
in your registration form

• Not all providers support Simple Registration

• Don’t assume that e-mail addresses etc from
Simple Registration are accurate - you may still
want to send a verification e-mail

• Don’t assume the user is a human being - challenge
with a CAPTCHA or use botbouncer.com

Simple Registration
• nickname • postcode
• email • country
• fullname • language
• dob • timezone
• gender
Some providers (or users) may provide just a
subset of this information

Thanks!
http://openid.net/
http://planet.openid.net/

Simon Willison David Recordon
simonwillison.net davidrecordon.com
simon@simonwillison.net drecordon@verisign.com

OSCON
July 24th, 2007

OpenID Bootcamp: Introduction to OpenID concepts and hands-on creation/use

Recommended

Recommended

More Related Content

What's hot

What's hot (6)

Viewers also liked

Viewers also liked (20)

Similar to OpenID Bootcamp: Introduction to OpenID concepts and hands-on creation/use

Similar to OpenID Bootcamp: Introduction to OpenID concepts and hands-on creation/use (20)

More from David Recordon

More from David Recordon (14)

Recently uploaded

Recently uploaded (20)

OpenID Bootcamp: Introduction to OpenID concepts and hands-on creation/use