Empowering your business

Authentication Protocol : OpenID, OpenID 2.0 and OpenID Connect

Starting with my very first blog post, I remember the words “Your Creation Creates You”, said by Sir Rajesh Patkar, is absolutely so true. Our creation shapes our soul, enlightens our mind and encourages our heart to take challenges and conquer the universe, here its the ‘THE PROGRAMMING UNIVERSE’ for me.

Not discussing much about this, I start with “Authentication Funda”. Throughout my various blog posts, metaphors like house, door, etc…stuff will be helping me out to understand the concepts better.

This time its “Bob” metaphor, my savior. Say a Hi, “Hi Bob, help me out dude to authenticate”.

Authentication Definition : In simple means, it says “Who you are?”. Hey Bob, please help me with an example.

Bob : How do you enter your house which is locked?

Me : Oh, come on, its obviously using my key, whats the big deal?

Bob : That’s it, this key is the way to open your lock i.e. authenticate you to enter the room.

Me : Oh wow, this is such a simple and great example. But, its programming platform Bob, can you give another example related to web.

Bob : Sure. When you visit a website, say “www.example.com”, it might ask you to “Sign Up” to use their features. This is exactly like when you buy a new house and you register your papers to mark your identity. Then, the house is yours. After sign up, you can “Login” the website for its services. This is again same like opening the door of your house using the key given to you. Difference is just that, on website, you login using “Username/Email” and “Password”, which is more or less like a key to your door.

Me : Hey, that’s great. Thanks Bob.

This Example helped you to understand the basic meaning of authentication. Now, I will be discussing on authentication protocol OpenID. Don’t worry, its as simple as it appears.

Me : Bob, whats a protocol?

Bob : Its a set of rules (standards) to govern or function a data exchange between computer networks.

Me : Bob, please make it easy.

Bob : OK. When you make a tea, what methods do you follow?

Me : I pour some water in a tea pan, boil it, then put some tea leaves, some milk, and a teaspoon of sugar, tea is ready.

Bob : This is it. The steps you followed to prepare tea can be said as a set of rules or methods for preparing tea. Protocols define the way you want to achieve things, in IT terminology, its to achieve data exchange safely.

Me : OK. Then whats OpenID and why this protocol came into existence?

OpenID Technology

  • OpenID is the first generation of OpenID technology.
  • OpenID 2.0 is 2nd generation.
  • OpenID Connect is latest 3rd in its series.

A way of identifying yourself no matter which website you visit.

Me : Sounds interesting, can you explain it in detail?

Bob : Sure, Bob to the rescue. During 90’s, web evolved as a platform where many people started going to different websites, register themselves and use their services. But, soon it became difficult for people to deal with usernames and passwords. Please consider the following interactions, you will understand it well.

Bob is asked to login to enter the website.pic1

Bob provides password and gets logged in.pic2

Me : OK. so whats new in this.

Bob : Hold on one second, don’t hurry. See this.

Bob wants to login to another website but authentication fails.

pic3

Me : But why?

Bob : Username provided by me was ‘Bob’, but actually I had registered on this website with username ‘Boban’. I forgot the username. This is just the case with 2 different websites. Imagine, how difficult it will be to remember passwords and usernames for ‘n’ number of websites.

Two difficulties faced in above scenario :

  • Convenience : Its difficult or inconvenient to remember passwords and/or usernames.
  • Security : Most of the websites might not be fully secure. Thus, creating danger signal for users to navigate through different websites.

Me : Hmmm, it means there is no way to deal with this?

Bob : Don’t worry, this is where OpenID comes into role. Here is the mechanism of OpenID.

old

Me : Bob, what the hell is this?

Bob : Take its easy, this is simple mechanism of how OpenID works. It has two main terminologies associated with it

IDP : Stands for Identity Provider. RP : Relying Party Me : I am not getting anything.

Bob : Let us consider above scenario with example

Example : Consider that Bob wants to login to one website say, “www.example.com”. In above scenario, “www.example.com” is the “Relying Party”. The name itself suggest that is is relying (depending) on someone for something. Now, “Identity Provider” is suppose another website say, “www.myopenid.com”. Bob has already obtained an account in “www.myopenid.com”. This is a provider that provides OpenID URL that can be used to login to any desired website you want (provided that the website supports OpenID).

Now following steps are performed

Step 1 : Bob goes to www.example.com. This website supports OpenID, thus, this is a Relying Party. Bob Sends its OpenID URL to www.example.com. OpenID URL is a unique identifier which can look something like this “bobjoseph202.myopenid.com” (Provided by the IDP when account is created with IDP).

Step 2 : When RP gets this OpenID URL, it investigates it with the IDP. In this case, it is www.myopenid.com.

Step 3 : Now, the page is redirected to the IDP provider’s page. IDP provider now checks whether the query form RP is correct or not. It does this by asking the username and password form Bob (Remember, its important that Bob must initially create an account with www.myopenid.com with username and password, which is actually now being asked by IDP). Bob provides the username and password. If authentication is valid, then IDP asks Bob as to which information to be shared with RP and which should be kept hidden.

Step 4 : Bob allows IDP to share only his email id.

Step 5 : IDP replies RP confirming that it is Bob.

Step 6 : RP allows Bob to access its logged in features.

Thus, authentication is achieved easily and efficiently.

Me : Wow, its just mind blowing. Can you tell me the list of OpenID IDPs?

Bob: Sure, some of them are as follows

  1. StackExchange : https://openid.stackexchange.com
  2. Google (deprecated and will shut down in April, 2015, will make use of OpenID Connect)
  3. Yahoo : https://me.yahoo.com
  4. Flickr
  5. AOL
  6. Blogspot : https://www.blogspot.com/
  7. WordPress
  8. MyOpenID : (Is no more active now, slated to be shut down February, 2014) etc..

Me : Great. So, this means that now, we need not worry for creating accounts at ‘n’ websites.

Bob : Yep, but somethings fishy about OpenID first version.

Me : What do you mean?

Bob : As this OpenID makes use of simple architecture, it has some pitfalls as follows

Use of OpenID URL can be problematic for the user to remember Even after providing the URL to RP, we explicitly need to provide username and password to IDP again As its a first version developed in 2005, Its architecture has some security loopholes Me : Then, whats the solution? Is everything over then?

Bob : Nope, its just the beginning (as Shahrukh said “Picture abhi baaki hai mere dost”. Ignore this line if you don’t know who is Shahrukh).

Me : Aaahaa, whats it? Tell me. I am eager to hear it.

Bob : Its OpenID 2.0

OpenID 2.0

OpenID 2.0 offered excellent security. The authentication scheme plays nicely with “AJAX”-style setups. This means an end user can prove their Identity to a Relying Party without having to leave their current Web page. It also relied upon XML Me : Shit. Whats AJAX and XML? Are they making OpenID easy to function?

Bob : Of course. OpenID 2.0 has the same basic mechanism as I shown in the earlier scenarios, infact all the series of OpenID technology follows more or less, the same mechanism. The difference here is that OpenID 2.0 is more efficient than OpenID. AJAX is the art of exchanging data with a server, and updating parts of a web page – without reloading the whole page whereas XML is a software- and hardware-independent tool for carrying information.

Me : Does it require us to remember the OpenID URL? Something like that?

Bob : Nope. Username and Password will do.

Me : Cool. Then I will go with OpenID 2.0.

Bob : Sorry to interrupt you again, but OpenID itself has some disadvantages because of which OpenID Connect came into existence.

Me : Oh! So, Whats the disadvantages of OpenID 2.0 and whats OpenID Connect?

Bob: Here is it

OpenID 2.0 has following pitfalls

RP could only be web pages, not mobile apps or native applications (Same in case of OpenID) Its XML data structure also makes it little difficult to take care of. Me : Hmmmm.

OpenID Connect

OpenID Connects’ goal is to be much more developer-friendly This new authentication standard is layered on top of OAuth 2.0 so that all the technology that sites already use to connect to other sites’ APIs can also be reused for authentication. OpenID Connect uses standard JSON Web Token (JWT) data structures when signatures are required. Me : Wait a second. Now this seems much bigger than anything before.

Bob : Yup. It is. See this diagram, you will understand everything

Picture1

Bob : Features of OpenID Connect

Firstly, its JSON based. JSON is a syntax for storing and exchanging data. JSON is an easier-to-use alternative to XML. Secondly, its REST friendly. REST is an architecture style for designing networked applications. Thirdly, if we create simple OpenID, then its simply the case of copying the given code and pasting it in the development area we want (OpenID Connect is made keeping the developers in mind). Fourthly, it also supports Mobiles and Apps. Also, it makes use of ID token which is actually JSON. Me : Interesting. But whats the code at the right side in above diagram?

Bob : O! Don’t worry about that. We will come to it later in coming blogs. For now, just remember that Contributors to OpenID Connect include

AOL, Deutsche Telekom, Facebook, (However has its own Face Book Connect mechanism) Google, Microsoft, Mitre Corporation, mixi, Nomura Research Institute, Orange, PayPal, Ping Identity, Salesforce, Yahoo! Japan, among other individuals and organizations. Me : Hey, I forgot to ask one thing. Whats OAuth 2.0 ? What role does it play?

Bob : See this

OpenID Connect = OAuth 2.0 + OpenID 2.0

This means that OpenID Connect is a layer above OAuth 2.0. OAuth 2.0 is an open standard that allows authorization to the server’s resources on behalf of resource owner.

Me : But whats the difference between authentication and authorization?

Bob : In short, Authentication means “Who you are” and Authorization means “What are you authorized to do or say allowed to do, once you are authenticated”

Me : OK. Now I am getting the whole scenario. So, I need to develop my OpenID and I even want to become IDP. So, how to implement it?

Bob : Take a chill bro. You have just learned about OpenID. Implementation of the same will be discussed very soon in the coming blogs.

So, that was a brief idea about the OpenID Technology for Authentication. Thanks Bob for clearing out the things so easily.

I hope you like the post. Please do comment. Till then, me and Bob signing off.

Subscribe

Stay updated with our newsletter, we occasionally do write about technology, open source and best practices.
Don't worry, we will never share your details and won't spam you either.