Ruby and OpenID
Brian Ellin
JanRain, Inc.
Slides and code: http://openidenabled.com/resources/pdx.rb/
What is OpenID?
- URL based identifier system
- Specifies how a user may prove that she owns a URL
- Decentralized
- User may choose an identity server, or run their own
- Open protocol
- Not a trust system. "Trust requires identity first"
History
- Originally developed by Brad Fitzpatrick of livejournal.com for cross-site commenting between LJ-based sites (Deadjournal, Greatestjournal, Livejournal)
- Brad implements OpenID on livejournal to get the ball rolling
- Protocol refined by the community and considered stable July 2005
- Other libraries and services that use OpenID emerge
Terminology
- OpenID URL
- Also called an identity URL, this is the URL owned by the end user or
provided by her identity server.
- End User
- The human who wants to prove their identity to another site.
- OpenID Consumer
- The website that wants to consume the end user's identity. This site
wants the user to prove that they actually own the provided OpenID url
through a conversation with their OpenID server. Also called a
relying party.
Terminology continued
- OpenID Server
- The URL the end user declares to have authority over their
identity. The consumer asks the server for cryptographic proof that
they own the OpenID URL provided.
- User Agent
- End user's web browser.
OpenID Design Goals
- Keep it simple: Complicated specs don't get adopted.
- Decentralized: Don't have to trust a central server or authority.
- Make it easier to log into several websites every day.
- Only required software for the end-user is a browser (no plugins!)
- Keep it open
OpenID Protocol Overview
- User submits Identity URL on a consumer site
- Consumer fetches the content of the provided identity URL and extracts the server information (the openid.server and openid.delegate link tags)
- Consumer creates an association with the server (or reuses an existing one). The shared secret is exchanged using Diffie-Hellman.
- Consumer sends an HTTP 302 redirect to the server, through the user agent, carrying the user's identity information.
- End user authenticates with the server and authorizes the consumer's use of their identity. May be skipped if the user is already logged into the server and has previously approved the consumer.
- Server redirects back to the consumer with a signed assertion; the consumer verifies the signature using the shared secret from the association.
Protocol Diagram
Dumb Mode
- "Dumb" consumer mode
- Lowers the bar for consumer sites
- Should only be used by consumers that cannot store state (no filesystem or SQL storage available)
- More server interactions required: with no shared secret on hand, the consumer must verify every assertion by asking the server directly (check_authentication)
- Slower
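The last step of the protocol overview and the dumb-mode fallback, as an added Ruby example (this is not code from the original slides or from the Ruby OpenID library): a consumer verifies the server's id_res response by recomputing the HMAC-SHA1 signature over the key-value form of the fields named in openid.signed, using the association's shared MAC key. The association store, the handle, the URLs and the server-side signing helper are constructed for the demo. When the handle is unknown the function reports that a direct check_authentication request to the server is required, which is what a dumb-mode consumer has to do on every login.

```ruby
require 'openssl'
require 'base64'

# Key-value form exactly as OpenID 1.x signs it: one "key:value\n" line per
# signed field, in the order given by openid.signed, "openid." prefix stripped.
def kv_form(params, signed_fields)
  signed_fields.map { |f| "#{f}:#{params["openid.#{f}"]}\n" }.join
end

# base64(HMAC-SHA1(mac_key, kv_form)); the same routine serves both sides.
def openid_sign(params, signed_fields, mac_key)
  Base64.strict_encode64(OpenSSL::HMAC.digest('sha1', mac_key, kv_form(params, signed_fields)))
end

# Constant-time comparison so a forged signature leaks nothing via timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Consumer side. `associations` is a hypothetical store mapping assoc_handle
# to the MAC key negotiated earlier via Diffie-Hellman.
def verify_assertion(params, associations, expected_return_to)
  return [:failure, 'not an id_res response'] unless params['openid.mode'] == 'id_res'
  mac_key = associations[params['openid.assoc_handle']]
  # No key for this handle: cannot verify locally, must ask the server
  # (openid.mode=check_authentication). Dumb mode is always in this branch.
  return [:check_authentication, params['openid.assoc_handle']] unless mac_key
  signed = params.fetch('openid.signed', '').split(',')
  missing = %w[identity return_to] - signed
  return [:failure, "unsigned fields: #{missing.join(',')}"] unless missing.empty?
  return [:failure, 'return_to mismatch'] unless params['openid.return_to'] == expected_return_to
  expected = openid_sign(params, signed, mac_key)
  return [:failure, 'bad signature'] unless secure_equal?(expected, params['openid.sig'].to_s)
  [:success, params['openid.identity']]
end

# Server side of the demo (constructed): sign a positive assertion.
def server_assertion(identity, return_to, assoc_handle, mac_key)
  params = {
    'openid.mode'         => 'id_res',
    'openid.identity'     => identity,
    'openid.return_to'    => return_to,
    'openid.assoc_handle' => assoc_handle,
    'openid.signed'       => 'mode,identity,return_to',
  }
  params['openid.sig'] = openid_sign(params, %w[mode identity return_to], mac_key)
  params
end

# Good response, a response with the identity swapped after signing, and a
# response carrying a handle the consumer never negotiated.
def demo
  mac_key   = OpenSSL::Random.random_bytes(20)
  handle    = '{HMAC-SHA1}{demo}'            # constructed handle
  assocs    = { handle => mac_key }
  return_to = 'http://consumer.example/openid/complete'
  good   = server_assertion('http://brian.myopenid.com/', return_to, handle, mac_key)
  forged = good.merge('openid.identity' => 'http://victim.example/')
  [verify_assertion(good, assocs, return_to),
   verify_assertion(forged, assocs, return_to),
   verify_assertion(good.merge('openid.assoc_handle' => 'unknown'), assocs, return_to)]
end

if __FILE__ == $0
  demo.each { |status, info| puts "#{status}: #{info}" }
end
```

Replay protection (a one-time nonce bound to return_to and accepted only once) is omitted here; a production consumer needs it, and it must also check that openid.identity is the identity it sent to the server in the redirect.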
Role of the OpenID Server
An OpenID server does several important things:
- Provides a page that the end user owns
- Has the ability to authenticate users
- Asserts that a user does or does not own the provided page based on their authentication
Also
- Authentication method is left up to the server, and is not defined by the OpenID protocol
- Most servers use password authentication over SSL, but any method is possible: biometrics, voice, etc.
Getting an OpenID
- MyOpenID.com - Free OpenID server by JanRain
- Livejournal.com acts as an OpenID server for its users
- Videntity.org - Free OpenID server written in PHP by Dan Libby
- Download Ruby OpenID and create your own :)
These sites provide you with a URL that you own. The HTML served at that URL contains the server discovery snippet:
<link rel="openid.server" href="http://example.com/server">
Delegation: Using your Own URL
You may use a URL that you own but that is not hosted by your OpenID server
- I use MyOpenID.com as my server and own http://brian.myopenid.com/
- I also own http://brianellin.com/, and would like to use it as my identity.
- I don't want to run my own server.
- I add the following to brianellin.com/index.html
<head>
<link rel="openid.server" href="http://www.myopenid.com/server">
<link rel="openid.delegate" href="http://brian.myopenid.com/">
</head>
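Discovery and delegation in code, as an added Ruby example that is not part of the original slides or of the Ruby OpenID library. It normalizes a typed identifier the way OpenID 1.x consumers do, reads the openid.server and openid.delegate link tags from the fetched page, and shows the binding a consumer must enforce afterwards: the identity the server asserts must equal the delegate URL before the claimed URL is treated as authenticated. The sample page is constructed from the snippet above; the function names are this example's own.

```ruby
require 'uri'

# Normalize what the user typed before fetching it: add a scheme if missing,
# make sure there is a path, and drop any fragment.
def normalize_url(s)
  s = s.strip
  s = "http://#{s}" unless s =~ %r{\A[a-z][a-z0-9+.-]*://}i
  u = URI.parse(s)
  u.path = '/' if u.path.empty?
  u.fragment = nil
  u.to_s
end

LINK_TAG = /<link\b[^>]*>/i

# Pull one attribute out of a <link> tag; tolerates either quoting style and
# any attribute order.
def link_attr(tag, name)
  m = tag.match(/\b#{name}\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>"']+))/i)
  m && (m[1] || m[2] || m[3])
end

# Discovery: given the claimed URL and the HTML fetched from it, find the
# server to talk to and the identity to send it. Only <head> is considered;
# the first matching tag wins.
def discover(claimed_url, html)
  head = html[%r{<head\b.*?</head>}im] || html
  found = {}
  head.scan(LINK_TAG) do |tag|
    rel, href = link_attr(tag, 'rel'), link_attr(tag, 'href')
    next unless rel && href
    rel.split(/\s+/).each { |r| found[r.downcase] ||= href }
  end
  return nil unless found['openid.server']
  {
    claimed_id: claimed_url,
    server_url: found['openid.server'],
    # With delegation the server only knows the delegate URL; without it the
    # claimed URL itself is sent to the server.
    server_id:  found['openid.delegate'] || claimed_url,
  }
end

# After the server redirects back: the asserted identity must equal the
# server_id from discovery, and only then is the claimed URL authenticated.
# This binding stops a page from delegating to an identity its server never
# vouched for and having the consumer accept the page's own URL anyway.
def authenticated_identity(disc, asserted_identity)
  asserted_identity == disc[:server_id] ? disc[:claimed_id] : nil
end

# Constructed sample page, matching the delegation setup on the slide.
DELEGATING_PAGE = <<~HTML
  <html><head>
  <link rel="openid.server" href="http://www.myopenid.com/server">
  <link rel="openid.delegate" href="http://brian.myopenid.com/">
  </head><body>My home page</body></html>
HTML

if __FILE__ == $0
  disc = discover(normalize_url('brianellin.com'), DELEGATING_PAGE)
  p disc
  p authenticated_identity(disc, 'http://brian.myopenid.com/')
end
```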
Existing OpenID Consumers
You may use your identity at the following sites:
- Livejournal.com - Blog community - Comment posting, friending
- Schtuff.com - Free wiki farm - Create/edit wikis
- openidenabled.com - Plone developer site - add content
- Movable Type/Typepad.com - Blog software - commenting
- Videntity.org - Social networking - add profile info, build relationships
- Pyblosxom - blogging software - commenting
- Lifewiki - Perl based wiki software - edit pages
- Your app?
SSO and Identity Centric Apps
- OpenID provides a mechanism for proving your identity, which can
mean different things to different people.
- Many of the applications on the previous slide are
identity-centric, meaning that your identity is used as an identifier
in the web app.
- OpenID is also useful in non-identity-centric applications as a
single sign-on (SSO) mechanism. We'll see an example of this in a
moment.
Ruby Library
- OpenID::Consumer - Interface to the consumer logic
- OpenID::Server - Interface to the server logic
- Abstracts the OpenID protocol internals into an easy to use API.
- Storage options - Filesystem, or Rails-based ActiveRecord store
- Fully functional WEBrick and rails based consumer and server examples
- OpenIDLoginGenerator - Clone of Rails' LoginGenerator. Consumer OpenID authentication without writing any code!
- LGPL
Writing a Consumer
Framework requirements:
- Ability to create and dispatch to a URL where OpenID server responses will be sent (rails makes this easy :)
- Ability to send HTTP 302 redirects
- A database, or write access to the filesystem for non-dumb mode consumers
OpenIDConsumer continued
complete_auth(token, params)
- Takes the token you stored after begin_auth
- params is a Hash-like object of the GET arguments to this request
- Returns a two-element array describing the authentication result: a status and status-specific data
- Only OpenID::SUCCESS means the identity has been verified; treat every other status as a failed login
Instiki Example
Instiki is a wiki written with Ruby on Rails, and comes with a
feature to password protect wiki webs. The approach it takes could be better:
- All users must share the same password!
- Security and scalability issues:
- Who has the password?
- Revocation?
Extending Instiki to use a whitelist of OpenID URLs:
- Replace the password with a list of OpenID URLs we trust
- No password to remember
- We know exactly who has access
- Revocation is easy
Instiki Demo
Running at http://openidenabled.com:2500/
Download the code at the URL below.
Building on the Identity Foundation
It is incremental!
Starting with an identity foundation like
OpenID, we can build a solid stack that will make web 2.0 really
useful:
- User mediated profile exchange
- Trust networks
- Secure messaging/mail
- Spam free social networks
- ...?
Further Reading
Learn more at:
- openid.net
OpenID Spec homepage.
- openidenabled.com
Ruby, Python, Perl, PHP, and C# OpenID libraries and docs.
- yadis.org
YADIS Discovery protocol
Thanks!
Questions, comments, ideas?
brian -at- janrain -dot- com