2007 Web2Expo Implementing OpenID

The document discusses OpenID, a decentralized protocol that allows users to log in to multiple websites using a single digital identity and their existing account, without needing to create new passwords. It provides examples of how OpenID works by describing the basic terminology of OpenID providers and relying parties, and how users can enable OpenID on their own URLs or with their own servers. The document also addresses some common concerns and questions about OpenID adoption.

Uploaded by jamesyu

Implementing OpenID

David Recordon (drecordon@verisign.com)
Brian Ellin (brian@janrain.com)

Web 2.0 Expo, April 15-18, 2007

brief intro...and then into the code
What is OpenID?
Single sign-on for the web
Simple and light-weight
(not going to replace your atm pin)

Easy to use and deploy


Open development process
Decentralized
(no single point of failure)

Free!
Proves You Control a URI

www.davidrecordon.com brianellin.com
the common things we hear
"Been there, done that"
Centralized: great for the enterprise
...but do you really trust them?
With OpenID, you get to choose who manages your identity.
(you can even change your mind later)
"This is a geek's toy,
nobody will ever have
an OpenID!"
~90 million OpenIDs
(including every AOL user)

OpenID 1.1 - Estimated from various services


"Nobody will ever use this!"
Total Relying Parties (aka places you can use this stuff)
[Chart: count of OpenID 1.1 relying parties, y-axis 0 to 2,500 (ticks at 625, 1,250, 1,875), x-axis monthly from Sept '05 through April '07, annotated with milestones such as IIW, AOL and SXSW]
OpenID 1.1 - As viewed by MyOpenID.com
"So that's great there
are so many blogs, but
what about something
real?"
"What's the big deal?"
OpenID is another
important building
block.
"Why should we add
OpenID to our feature
list?"
Simon Willison - FOWA 02/07

TechCrunch and other blogs link to dozens of new startups each week...readers aren't going to make new accounts for every single one

Creates ability to email a friend saying, "I've added you as an author to the blog I set up for our band"

Site-specific hacks..."Login with your AOL OpenID and we'll send you updates over AIM"

If you're not managing passwords, you don't need to build as complex user management systems

How does it work?
(protocol and flow)
Basic Terminology

OpenID Provider (OP) - Site that makes assertions about an OpenID
Relying Party (RP) - Site that wants to verify ownership of an OpenID

DEMO: Using OpenID

DEMO: OpenID Enabling Your Own URL

DEMO: Creating an OpenID with your own server

/*
* *************************************************************************** *
* CONFIGURATION
* *************************************************************************** *
* You must change these values:
* auth_username = login name
* auth_password = md5(username:realm:password)
*
* Default username = 'test', password = 'test', realm = 'phpMyID'
*/

#$profile = array(
# 'auth_username' => 'test',
# 'auth_password' => '37fa04faebe5249023ed1f6cc867329b'
#);

/*
* Optional - Simple Registration Extension:
*
* If you would like to add any of the following optional registration
* parameters to your login profile, simply uncomment the line, and enter the
* correct values.
*
* Details on the exact allowed values for these parameters can be found at:
* http://openid.net/specs/openid-simple-registration-extension-1_0.html
*/

#$sreg = array (
# 'nickname' => 'Joe',
# 'email' => 'joe@example.com',
# 'fullname' => 'Joe Example',
# 'dob' => '1970-10-31',
# 'gender' => 'M',
# 'postcode' => '22000',
# 'country' => 'US',
# 'language' => 'en',
# 'timezone' => 'America/New_York'
#);
Hash My Password
/*
* *************************************************************************** *
* CONFIGURATION
* *************************************************************************** *
* You must change these values:
* auth_username = login name
* auth_password = md5(username:realm:password)
*
* Default username = 'test', password = 'test', realm = 'phpMyID'
*/

$profile = array(
'auth_username' => 'david',
'auth_password' => 'e0fee9a99fa2fe004bbd70b972a03aa1'
);

/*
* Optional - Simple Registration Extension:
*
* If you would like to add any of the following optional registration
* parameters to your login profile, simply uncomment the line, and enter the
* correct values.
*
* Details on the exact allowed values for these parameters can be found at:
* http://openid.net/specs/openid-simple-registration-extension-1_0.html
*/

#$sreg = array (
# 'nickname' => 'Joe',
# 'email' => 'joe@example.com',
# 'fullname' => 'Joe Example',
# 'dob' => '1970-10-31',
# 'gender' => 'M',
# 'postcode' => '22000',
# 'country' => 'US',
# 'language' => 'en',
# 'timezone' => 'America/New_York'
#);
Configure Profile Data
$profile = array(
'auth_username' => 'david',
'auth_password' => 'e0fee9a99fa2fe004bbd70b972a03aa1'
);

/*
* Optional - Simple Registration Extension:
*
* If you would like to add any of the following optional registration
* parameters to your login profile, simply uncomment the line, and enter the
* correct values.
*
* Details on the exact allowed values for these parameters can be found at:
* http://openid.net/specs/openid-simple-registration-extension-1_0.html
*/

$sreg = array (
'nickname' => 'daveman692',
'email' => 'recordond@gmail.com',
'fullname' => 'David Recordon',
'dob' => '1986-09-04',
'gender' => 'M',
'postcode' => '941458',
'country' => 'US',
'language' => 'en',
'timezone' => 'America/Los_Angeles'
);
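The "Hash My Password" step above asks for md5(username:realm:password), which is the HA1 value from HTTP Digest authentication. The following is an added example (not phpMyID's own code, which is PHP) showing how that value is generated for the config file and how a provider checks a login against it. The realm 'phpMyID' is the default named in the config comment; the username and password used in the usage line are constructed for the demo.

```ruby
require 'digest/md5'

# Added example, not phpMyID's code. phpMyID stores
# auth_password = md5("username:realm:password"), the HA1 value of HTTP
# Digest authentication, so the same formula is needed both to produce the
# config value and to check a submitted password against it.
PHPMYID_DEFAULT_REALM = 'phpMyID' # default realm named in the phpMyID config comment

def phpmyid_auth_password(username, password, realm = PHPMYID_DEFAULT_REALM)
  Digest::MD5.hexdigest("#{username}:#{realm}:#{password}")
end

# Compare two hex digests without stopping at the first differing byte,
# so the comparison time does not reveal how much of the hash matched.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# What the provider does at login: recompute HA1 from the submitted
# credentials and compare it with the stored auth_password.
def phpmyid_login_valid?(stored_hash, username, password, realm = PHPMYID_DEFAULT_REALM)
  constant_time_equal?(phpmyid_auth_password(username, password, realm), stored_hash.downcase)
end

if __FILE__ == $PROGRAM_NAME
  # 'correct horse' is a constructed demo password, not anyone's real one.
  hash = phpmyid_auth_password('david', 'correct horse')
  puts "$profile = array('auth_username' => 'david', 'auth_password' => '#{hash}');"
end
```

Two things follow from the formula: the only "salt" is the fixed realm, so anyone who obtains the config file can test password guesses offline at MD5 speed, and two phpMyID installs with the same username, realm and password hold identical hashes. A long passphrase and a config file that the web server does not serve as plain text are the practical mitigations.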
Upload
Configure Delegation
(source of www.davidrecordon.com)
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>David Recordon</title>
<style>
div {
text-align: center;
color: #C0C0C0;
}
img {
border: 0px;
}
a {
color: #C0C0C0;
}
</style>

<link rel="openid.server" href="http://www.davidrecordon.com/myid.php" />


<link rel="openid.delegate" href="http://www.davidrecordon.com/myid.php" />
</head>
Done!
Time to configure and upload phpMyID:

<5 minutes
http://siege.org/projects/phpMyID/
DEMO: OpenID Enabling ExpoCal

http://cal.web2expo.com/

Existing users: Sign in and click the "add OpenID" link at the top right

New users: Click "login" and sign in with your OpenID, skipping the signup process :)
Tools Used

iCalicio by Kellan Elliot-McCrea and Evan Henshaw-Plath
Ruby and Rails
gem install ruby-openid
ExpoCal User Model
Stores login name and hashed password
We need to add an optional OpenID column

class AddOpenId < ActiveRecord::Migration
  def self.up
    add_column :users, :openid, :string
    add_index :users, [:openid], :name => :users_openid_index
  end

  def self.down
    remove_column :users, :openid
  end
end
Using the OpenID Library

def consumer
  store_dir = Pathname.new(RAILS_ROOT).join('db').join('openid-store')
  store = OpenID::FilesystemStore.new(store_dir)
  return OpenID::Consumer.new(session, store)
end

FilesystemStore saves OpenID transaction state (associations and nonces)

OpenID::Consumer handles the protocol details
Add OpenID UI

<h2>Or, login with OpenID</h2>
<%= start_form_tag(:controller=>'account', :action => 'openid_start') %>
<p><label for="openid_identifier">OpenID</label><br/>
<%= text_field_tag 'openid_identifier' %></p>
<%= submit_tag 'OpenID Login' %>
<%= end_form_tag %>

The rendered field is <input name="openid_identifier" />

Handle Login Form Submit

def openid_start
  openid_request = consumer.begin(params[:openid_identifier])

  case openid_request.status
  when OpenID::SUCCESS
    return_to = url_for(:action => 'openid_finish')
    trust_root = url_for(:controller => '')
    server_redirect_url = openid_request.redirect_url(trust_root, return_to)
    redirect_to(server_redirect_url)

  when OpenID::FAILURE
    flash[:notice] = "Could not find your OpenID server."
    redirect_back_or_default(:controller => '/account', :action => 'index')

  end
end

Redirect to OpenID Provider
1. Discover
2. Associate
3. Redirect
(we'll handle the server response at the return_to URL)
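Step 1, discovery, is what consumer.begin does with the identifier the user typed: it normalizes it to a URL, fetches that page, and reads the openid.server and openid.delegate links shown in the "Configure Delegation" slide. The block below is an added example of that step (not ruby-openid's code); the HTML is a constructed copy of the two <link> tags from www.davidrecordon.com as shown on the slides, and the helper names are the example's own.

```ruby
require 'uri'

# Constructed sample: the <head> of www.davidrecordon.com as shown on the
# slides, trimmed to the title and the two OpenID <link> tags.
SAMPLE_HTML = <<~HTML
  <html xmlns="http://www.w3.org/1999/xhtml">
  <head>
  <title>David Recordon</title>
  <link rel="openid.server" href="http://www.davidrecordon.com/myid.php" />
  <link rel="openid.delegate" href="http://www.davidrecordon.com/myid.php" />
  </head>
  <body></body>
  </html>
HTML

# Turn what the user typed into a URL identifier (OpenID 1.1 rules): add a
# scheme if missing, give a bare host a trailing slash, drop any fragment.
def normalize_identifier(raw)
  s = raw.strip
  s = "http://#{s}" unless s =~ %r{\A[a-z][a-z0-9+.-]*://}i
  uri = URI.parse(s)
  uri.path = '/' if uri.path.empty?
  uri.fragment = nil
  uri.to_s
end

# Collect <link rel="openid.*" href="..."> from the <head>, whatever the
# attribute order; the rel attribute may list several space-separated values.
def discover_openid_links(html)
  head = html[%r{<head\b.*?</head>}mi] || ''
  links = {}
  head.scan(/<link\b[^>]*>/i) do |tag|
    rel  = tag[/\brel\s*=\s*["']([^"']*)["']/i, 1]
    href = tag[/\bhref\s*=\s*["']([^"']*)["']/i, 1]
    next unless rel && href
    rel.split.each { |r| links[r.downcase] = href if r =~ /\Aopenid\./i }
  end
  links
end

# The result the consumer keeps for the rest of the flow. claimed_id is what
# the user typed and what the RP should store; delegate is the identity sent
# to the provider (it falls back to the claimed id when no delegate is set).
# Returns nil when the page carries no openid.server link.
def discover(html, typed_identifier)
  links = discover_openid_links(html)
  return nil unless links['openid.server']
  claimed = normalize_identifier(typed_identifier)
  { claimed_id: claimed,
    server:     links['openid.server'],
    delegate:   links['openid.delegate'] || claimed }
end
```

The RP fetches the claimed URL itself rather than accepting a provider URL from the browser, so the page the user controls decides which server is asked; the fetch should therefore have a timeout and a redirect limit, and the user record should be keyed on claimed_id, not on the delegate, which the user can repoint at a different provider later.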
Handle Server Response

def openid_finish
  openid_response = consumer.complete(params)

  case openid_response.status
  when OpenID::SUCCESS
    openid = openid_response.identity_url
    @user = User.find_by_openid(openid)

    unless @user
      @user = User.create(:openid => openid, :login => openid)
    end
    self.current_user = @user
    flash[:notice] = "Welcome #{@user.openid}"

  when OpenID::FAILURE
    flash[:notice] = 'Verification failed.'
  end

  redirect_back_or_default(:controller => 'talk', :action => 'list')
end
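consumer.complete(params) returns OpenID::SUCCESS only after it has verified the provider's signed assertion. The block below is an added example (not ruby-openid's code) of the check being made on an OpenID 1.1 positive assertion: the provider signs the fields named in openid.signed, in that order, as "key:value\n" lines with HMAC-SHA1 under the association's MAC key, and Base64-encodes the result into openid.sig. The MAC key, association handle and response fields here are constructed for the demo.

```ruby
require 'openssl'
require 'base64'

# Added example, not ruby-openid's code: verification of an OpenID 1.1
# positive assertion (openid.mode=id_res) by the relying party.

# The key-value form that gets signed: one "key:value\n" line per field
# named in openid.signed, in the order given there.
def openid_kv_form(params, signed_fields)
  signed_fields.map { |k| "#{k}:#{params["openid.#{k}"]}\n" }.join
end

def openid_signature(mac_key, params)
  signed = params.fetch('openid.signed').split(',')
  Base64.strict_encode64(OpenSSL::HMAC.digest('sha1', mac_key, openid_kv_form(params, signed)))
end

# Compare signatures without stopping at the first differing byte.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# The RP's side: accept only a positive assertion, insist that the fields
# it acts on (identity, return_to) are covered by the signature, check the
# return_to is its own endpoint, then verify the MAC.
def openid_response_valid?(mac_key, params, expected_return_to)
  return false unless params['openid.mode'] == 'id_res'
  signed = (params['openid.signed'] || '').split(',')
  return false unless (%w[identity return_to] - signed).empty?
  return false unless params['openid.return_to'] == expected_return_to
  constant_time_equal?(openid_signature(mac_key, params), params['openid.sig'].to_s)
end

# Constructed MAC key; a real one is agreed in the associate step and kept
# in the consumer's store under the association handle.
SAMPLE_MAC_KEY = ('k' * 20).b

# Constructed positive assertion, built the way the provider would build it.
def sample_assertion(mac_key = SAMPLE_MAC_KEY)
  params = {
    'openid.mode'         => 'id_res',
    'openid.identity'     => 'http://www.davidrecordon.com/myid.php',
    'openid.return_to'    => 'http://cal.web2expo.com/account/openid_finish',
    'openid.assoc_handle' => 'constructed-handle',
    'openid.signed'       => 'mode,identity,return_to'
  }
  params.merge('openid.sig' => openid_signature(mac_key, params))
end
```

ruby-openid additionally checks the nonce against its store so a captured assertion cannot be replayed, and maps the signed identity back to the claimed identifier when delegation is in use, which is why openid_finish keys the User row on identity_url rather than on anything the browser posted unsigned.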
Done!
Time to implement OpenID in iCalico:

45 minutes
http://cal.web2expo.com/
"So this all looks great,
but what are the
downsides?"
Kitten Overload!
More kittens!
FAKE: More kittens!
FAKE: Identity theft! :'(

Simon Willison - FOWA 02/07

You could just remove passwords
Client Side Certs
Microsoft CardSpace

(UI for certs)


Vidoop

(changing the metaphor)


...but passwords are still
widely used
VeriSign's OpenID Seatbelt
(demoing today)
OpenID is great for innovation!
(authentication method is up to the provider and user)
"I don't want just one
identity...I mean I don't
want my boss to know
I'm a furry!"
Well you don't wear your
furry suit to work do you?
So use multiple OpenIDs!
(you already do this with email addresses today)
Go code!
(and join the conversation at OpenID.net)
Thanks!
(and don't forget to grab a CD)

David Recordon (drecordon@verisign.com)
Brian Ellin (brian@janrain.com)