Live ID, Open ID & OAuth - TheArchitect.co.uk

peruvianwageslave · Internet and Web Development

Feb 5, 2013


“a set of claims made by one digital subject about itself or another digital subject”

Good authentication is secure but unobtrusive

Bad UX leads to weak security

“Identity without borders”

http://openid.net/

A Web single-sign-on solution

Identity is not Trust!

(Diagram: OpenID flow between the end user w/ user agent, the identity provider (e.g. myopenid.com) and the relying party (e.g. yoursite.com))

1. Send identifier
2. Associate handle
3. Redirect over UA
4. Login
5. Redirect over UA
6. Check authentication (optional)
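The six steps above, played out in code. This is an added example, not material from the deck: a relying party (stand-in for yoursite.com) and an identity provider (stand-in for myopenid.com) run in one Python process. The endpoint `https://op.example/endpoint`, the return URL, the identifier `https://alice.op.example/` and the user store are constructed, and association handling is simplified (the RP always associates in step 2; a "stateless" RP simply keeps no key, so step 6, the optional `check_authentication` round trip to the OP, is exercised). The defender's checks are the point: the RP accepts only assertions addressed to its own `return_to`, insists that every field it acts on is under the signature, and refuses a replayed `response_nonce`.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

OP_ENDPOINT = "https://op.example/endpoint"     # constructed; stands in for e.g. myopenid.com
NS = "http://specs.openid.net/auth/2.0"
SIGNED = ["op_endpoint", "claimed_id", "identity", "return_to", "response_nonce", "assoc_handle"]

def sign_fields(fields, signed_names, mac_key):
    """OpenID 2.0 signature: base64(HMAC-SHA256) over the key-value form 'name:value\\n' of the signed fields."""
    kv = "".join(f"{n}:{fields['openid.' + n]}\n" for n in signed_names)
    return base64.b64encode(hmac.new(mac_key, kv.encode(), hashlib.sha256).digest()).decode()

def query_fields(url):
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}

class IdentityProvider:
    def __init__(self):
        self.associations = {}                              # assoc_handle -> MAC key
        self.users = {"alice": "correct horse battery"}     # constructed credential store

    def associate(self):                                    # step 2: associate handle
        handle, key = secrets.token_hex(8), secrets.token_bytes(32)
        self.associations[handle] = key
        return handle, key

    def login(self, redirect_url, username, password):     # step 4: login at the OP
        req = query_fields(redirect_url)
        if self.users.get(username) != password:
            return {"openid.ns": NS, "openid.mode": "cancel"}
        resp = {"openid.ns": NS, "openid.mode": "id_res", "openid.op_endpoint": OP_ENDPOINT,
                "openid.claimed_id": req["openid.claimed_id"], "openid.identity": req["openid.identity"],
                "openid.return_to": req["openid.return_to"], "openid.assoc_handle": req["openid.assoc_handle"],
                "openid.response_nonce": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()) + secrets.token_hex(4),
                "openid.signed": ",".join(SIGNED)}
        resp["openid.sig"] = sign_fields(resp, SIGNED, self.associations[req["openid.assoc_handle"]])
        return resp

    def check_authentication(self, fields):                 # step 6 (optional): direct verification
        key = self.associations.get(fields.get("openid.assoc_handle"))
        if key is None:
            return False
        expected = sign_fields(fields, fields["openid.signed"].split(","), key)
        return hmac.compare_digest(expected, fields.get("openid.sig", ""))

class RelyingParty:
    RETURN_TO = "https://yoursite.example/openid/return"   # constructed

    def __init__(self, op, keep_association=True):
        self.op, self.keep_association = op, keep_association
        self.mac_keys, self.seen_nonces = {}, set()

    def begin(self, claimed_id):                            # steps 1-3: identifier in, redirect over the UA out
        handle, key = self.op.associate()
        if self.keep_association:
            self.mac_keys[handle] = key                     # a stateless RP keeps nothing and relies on step 6
        return OP_ENDPOINT + "?" + urlencode({"openid.ns": NS, "openid.mode": "checkid_setup",
                                              "openid.claimed_id": claimed_id, "openid.identity": claimed_id,
                                              "openid.return_to": self.RETURN_TO, "openid.assoc_handle": handle})

    def finish(self, return_url):                           # step 5 arrives over the UA; step 6 verifies it
        f = query_fields(return_url)
        if f.get("openid.mode") != "id_res" or f.get("openid.return_to") != self.RETURN_TO:
            return None
        signed = f.get("openid.signed", "").split(",")
        if not set(SIGNED) <= set(signed) or any("openid." + n not in f for n in signed):
            return None                                     # every field acted on must be under the signature
        if f["openid.response_nonce"] in self.seen_nonces:
            return None                                     # replayed assertion
        key = self.mac_keys.get(f["openid.assoc_handle"])
        if key is not None:
            ok = hmac.compare_digest(sign_fields(f, signed, key), f.get("openid.sig", ""))
        else:
            ok = self.op.check_authentication(f)            # no stored key: ask the OP directly
        if not ok:
            return None
        self.seen_nonces.add(f["openid.response_nonce"])
        return f["openid.claimed_id"]                       # an authenticated identifier, nothing more

def run_flow(username, password, keep_association=True):
    """Steps 1-5 in-process; the caller performs step 6 with rp.finish(back)."""
    op = IdentityProvider()
    rp = RelyingParty(op, keep_association)
    redirect = rp.begin("https://alice.op.example/")                 # steps 1-3 (constructed identifier)
    assertion = op.login(redirect, username, password)               # step 4
    back = RelyingParty.RETURN_TO + "?" + urlencode(assertion)       # step 5: OP redirects the UA back
    return rp, back
```

What `finish` returns is exactly what the slide's "Identity is not Trust!" warns about: a verified claimed identifier says that the OP vouches for it, not that the person behind it deserves any privilege on yoursite.com.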

(Logos: OpenID.net, MyOpenID, OpenID Directory, ClickPass)

Identity Providers, Relying Parties, OpenID Directory

User experience is generally holding back widespread adoption

http://openid.spammer.com
http://oauth.net/

An application authorization protocol for user consent to data sharing

and many others…

(Diagram: OAuth flow between consumer and service provider)

1. Request Request Token
2. Grant Request Token
3. Direct User to Service Provider
4. Obtain User authorization
5. Direct user to consumer
6. Request Access Token
7. Grant Access Token
8. Access Protected Resources
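The eight boxes above are the OAuth 1.0 three-legged flow. The following is an added example, not code from the deck: consumer (stand-in for yoursite.com) and service provider run in one Python process, with the endpoint base `https://sp.example`, the callback URL and the consumer credentials `yoursite-key` / `yoursite-secret` all constructed. It shows what the boxes leave implicit: every request carries an HMAC-SHA1 signature over the signature base string, the provider keeps a (consumer, timestamp, nonce) cache so a captured request cannot be replayed, a request token is only exchanged after the user has authorized it and the 1.0a `oauth_verifier` comes back with it, and request tokens are single use.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, quote, urlencode, urlparse

def pct(s):
    # RFC 3986 percent-encoding as OAuth 1.0 requires: only A-Z a-z 0-9 - . _ ~ stay unencoded
    return quote(str(s), safe="~")

def signature_base_string(method, url, params):
    """METHOD & encoded base URL & encoded normalized parameters (sorted k=v pairs, minus the signature)."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items() if k != "oauth_signature")
    return "&".join([method.upper(), pct(url), pct("&".join(f"{k}={v}" for k, v in pairs))])

def hmac_sha1_signature(method, url, params, consumer_secret, token_secret=""):
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()   # token secret is empty until a token exists
    mac = hmac.new(key, signature_base_string(method, url, params).encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()

def consumer_sign(consumer_key, consumer_secret, method, url, token=None, token_secret="", **extra):
    """Consumer side: assemble the oauth_* parameters for one request and sign them."""
    p = {"oauth_consumer_key": consumer_key, "oauth_signature_method": "HMAC-SHA1",
         "oauth_timestamp": str(int(time.time())), "oauth_nonce": secrets.token_hex(8), **extra}
    if token:
        p["oauth_token"] = token
    p["oauth_signature"] = hmac_sha1_signature(method, url, p, consumer_secret, token_secret)
    return p

class ServiceProvider:
    BASE = "https://sp.example"                              # constructed endpoint base

    def __init__(self):
        self.consumers = {"yoursite-key": "yoursite-secret"}  # constructed consumer registration
        self.request_tokens, self.access_tokens = {}, {}
        self.seen = set()                                    # (consumer, timestamp, nonce) replay cache

    def _verify(self, method, url, params, token_secret=""):
        secret = self.consumers.get(params.get("oauth_consumer_key"))
        ts = int(params.get("oauth_timestamp", "0"))
        marker = (params.get("oauth_consumer_key"), ts, params.get("oauth_nonce"))
        if secret is None or abs(time.time() - ts) > 300 or marker in self.seen:
            return False                                     # unknown consumer, stale timestamp or replay
        expected = hmac_sha1_signature(method, url, params, secret, token_secret)
        if not hmac.compare_digest(expected, params.get("oauth_signature", "")):
            return False
        self.seen.add(marker)
        return True

    def request_token(self, params):                         # boxes 1-2: request / grant request token
        if not self._verify("POST", self.BASE + "/oauth/request_token", params):
            raise PermissionError("request token: bad signature")
        tok, sec = secrets.token_hex(8), secrets.token_hex(16)
        self.request_tokens[tok] = {"secret": sec, "callback": params["oauth_callback"], "user": None}
        return {"oauth_token": tok, "oauth_token_secret": sec, "oauth_callback_confirmed": "true"}

    def authorize(self, token, user):                        # boxes 3-5: user consents at the SP, is sent back
        rt = self.request_tokens[token]
        rt["user"], rt["verifier"] = user, secrets.token_hex(6)
        return rt["callback"] + "?" + urlencode({"oauth_token": token, "oauth_verifier": rt["verifier"]})

    def access_token(self, params):                          # boxes 6-7: request / grant access token
        rt = self.request_tokens.get(params.get("oauth_token"))
        if rt is None or rt["user"] is None or rt.get("verifier") != params.get("oauth_verifier"):
            raise PermissionError("access token: request token was never authorized")
        if not self._verify("POST", self.BASE + "/oauth/access_token", params, rt["secret"]):
            raise PermissionError("access token: bad signature")
        del self.request_tokens[params["oauth_token"]]       # request tokens are single use
        tok, sec = secrets.token_hex(8), secrets.token_hex(16)
        self.access_tokens[tok] = {"secret": sec, "user": rt["user"]}
        return {"oauth_token": tok, "oauth_token_secret": sec}

    def protected_resource(self, params):                    # box 8: access protected resources
        at = self.access_tokens.get(params.get("oauth_token"))
        if at is None or not self._verify("GET", self.BASE + "/me", params, at["secret"]):
            raise PermissionError("resource: denied")
        return {"user": at["user"]}

def rejects(call):
    """True when the service provider refuses the call; used to exercise the negative paths."""
    try:
        call()
        return False
    except PermissionError:
        return True

def run_flow(user="alice", consumer_secret="yoursite-secret"):
    sp, key, cb = ServiceProvider(), "yoursite-key", "https://yoursite.example/oauth/callback"
    rt = sp.request_token(consumer_sign(key, consumer_secret, "POST", sp.BASE + "/oauth/request_token",
                                        oauth_callback=cb))
    back = sp.authorize(rt["oauth_token"], user)             # user agent goes to the SP and comes back
    verifier = parse_qs(urlparse(back).query)["oauth_verifier"][0]
    at = sp.access_token(consumer_sign(key, consumer_secret, "POST", sp.BASE + "/oauth/access_token",
                                       rt["oauth_token"], rt["oauth_token_secret"], oauth_verifier=verifier))
    req = consumer_sign(key, consumer_secret, "GET", sp.BASE + "/me", at["oauth_token"], at["oauth_token_secret"])
    return sp, req, sp.protected_resource(req)
```

The consumer never sees the user's password at the service provider, which is the "user consent to data sharing" point of the slide; what it holds is a token scoped to one consumer, whose secret never travels on the wire after issuance.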

http://dev.live.com/liveid/
… the biggest authentication provider on the planet!

Principals

- User (WLID)
- Machine (Device ID)
- Machine on behalf of User (linked device)
- App (App ID)
- App on behalf of User (Delegation)

Types of WLIDs

- Passport Account, Hotmail account
- EASI (Email as Sign-In) account
- Managed namespaces
- Federated Accounts

(Diagram: Windows Live ID service, relying party (e.g. yoursite.com) and end user w/ user agent, eight numbered steps in two phases)

Granting consent phase

“Using Consent” Phase (user can be offline)

Live ID Client SDK
- Smart client applications

Relying Party Suite (RPS, aka Live ID Server SDK)
- Depth partners web site integration
- Runs on Windows Server OS

Web Authentication SDK (WebAuth)
- Breadth partners web site integration
- Open source samples in 6 languages: ASP.NET (C# & VB), Java, Perl, PHP, Ruby, Python

Delegated Authentication SDK (DelAuth)
- Third-party application providers access to Windows Live user’s data
- Open source samples in 6 languages: ASP.NET (C# & VB), Java, Perl, PHP, Ruby, Python

Windows Live Tools for Visual Studio
- Includes ASP.NET controls to simplify integration with Live ID / Windows Live: Contacts, IDLogin, IDLoginView, SilverlightStreamingMedia
Enabling the enterprise…

Step 1 (Partner Sign-in)

A user sends credentials to the federated partner identity provider. The federated partner’s Security Token Service (STS) generates an IP token and returns it to the user.

Step 2 (Windows Live ID Sign-in)

IP token is sent to Windows Live ID.

Windows Live ID STS converts the token from the federated partner to a Windows Live service token.

On the user’s first visit, the Windows Live ID service maps the federated user account to a Windows Live ID unique identifier (PUID) and shadow account.

Step 3 (Service Sign-in)

The issued service token is sent to the Windows Live service that the user originally wanted to access.

Trust relationship between organizations
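The three federation steps as a runnable model. This is an added example and not Microsoft's code or token format: the partner STS, the Live ID STS and a Live service are small Python classes, the realms `contoso.example`, `liveid.example` and `mail.live.example` are constructed, and the token is a made-up `base64url(JSON claims).HMAC-SHA256` string standing in for a signed WS-* token. The parts worth seeing are the trust relationship as a table of partner keys the Live ID STS will accept, the first-visit mapping of (partner, subject) to a PUID and shadow account, and the audience check that stops a token meant for one party being accepted by another.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

def issue_token(key, claims):
    """Constructed token format: base64url(JSON claims) '.' HMAC-SHA256 over it (stands in for a signed WS-* token)."""
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    return body + "." + hmac.new(key, body.encode(), hashlib.sha256).hexdigest()

def verify_token(key, token, audience, now=None):
    """Signature, audience and expiry check; returns the claims or None."""
    body, _, sig = token.rpartition(".")
    if not body or not hmac.compare_digest(hmac.new(key, body.encode(), hashlib.sha256).hexdigest(), sig):
        return None
    claims = json.loads(base64.urlsafe_b64decode(body))
    if claims.get("aud") != audience or claims.get("exp", 0) < (time.time() if now is None else now):
        return None
    return claims

class PartnerSTS:
    """Federated partner's Security Token Service (step 1): authenticates its own users, issues the IP token."""
    def __init__(self, realm, key=None):
        self.realm, self.key = realm, key or secrets.token_bytes(32)
        self.users = {"bob": "partner-password"}           # constructed partner directory

    def sign_in(self, username, password, audience):
        if self.users.get(username) != password:
            return None
        return issue_token(self.key, {"iss": self.realm, "sub": username, "aud": audience, "exp": time.time() + 300})

class LiveIdSTS:
    """Stand-in for the Windows Live ID STS (step 2): trusts partner keys, maps accounts to PUIDs, issues service tokens."""
    REALM = "liveid.example"                                # constructed

    def __init__(self):
        self.trusted = {}                                   # partner realm -> partner key (the trust relationship)
        self.shadow = {}                                    # (partner realm, subject) -> PUID of the shadow account
        self.service_key = secrets.token_bytes(32)          # shared with the Live services that verify our tokens

    def federate(self, realm, key):
        self.trusted[realm] = key

    def sign_in(self, ip_token, service):
        try:
            issuer = json.loads(base64.urlsafe_b64decode(ip_token.rpartition(".")[0])).get("iss")
        except (ValueError, TypeError, AttributeError):
            return None
        key = self.trusted.get(issuer)                      # issuer claim is untrusted until the signature checks out
        if key is None:
            return None                                     # no trust relationship with this organization
        claims = verify_token(key, ip_token, self.REALM)
        if claims is None:
            return None
        puid = self.shadow.setdefault((issuer, claims["sub"]), secrets.token_hex(8))   # first visit creates the shadow account
        return issue_token(self.service_key, {"iss": self.REALM, "puid": puid, "aud": service, "exp": time.time() + 300})

class LiveService:
    """A Windows Live service (step 3): accepts only service tokens issued for itself."""
    def __init__(self, name, sts):
        self.name, self.sts = name, sts

    def access(self, service_token):
        claims = verify_token(self.sts.service_key, service_token, self.name)
        return claims["puid"] if claims else None

def demo(username="bob", password="partner-password"):
    partner = PartnerSTS("contoso.example")                  # constructed federated partner
    live = LiveIdSTS()
    live.federate(partner.realm, partner.key)                # the trust relationship between organizations
    mail = LiveService("mail.live.example", live)            # constructed target service
    ip_token = partner.sign_in(username, password, LiveIdSTS.REALM)                    # step 1
    service_token = live.sign_in(ip_token, mail.name) if ip_token else None           # step 2
    return partner, live, mail, mail.access(service_token) if service_token else None  # step 3
```

The symmetric `service_key` shared between the STS and the services is a simplification for the example; the structure (issue, translate, consume, each hop checking signature and audience) is what carries over.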

Identity Provider (IP), Resource Provider or Relying Party (RP), WS-* standards

Authentication models: federation

Ease-of-use

Trust Provisioning

Service Provisioning

Account Management

Parental Controls

Good authentication, Ease-of-use, Identity without borders

Specs

Scale

http://Dev.Live.com/LiveId

http://LiveId