Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

OpenID authentication and API access

OpenID authentication is inherently browser based. If I wanted to allow an OpenID user to authenticate against an API for use in alternative clients, is there an accepted best practice for that?

So if a user tried to log in with their OpenID into an iPhone app, for instance, how would that work? The only thing I can think of generating an API token of some sort for them and get the user to manually enter it somewhere. This approach is not user friendly.

This is the way sites like Basecamp work, but it still seems clunky to me.

like image 215
Alex Wayne Avatar asked Feb 13 '09 01:02

Alex Wayne


People also ask

What's the difference between OpenID and OAuth in web API?

Simply put, OpenID is used for authentication while OAuth is used for authorization. OpenID was created for federated authentication, meaning that it lets a third-party application authenticate users for you using accounts that you already have.

What is OIDC and API?

OIDC provides a flexible framework for identity providers to validate and assert user identities for Single Sign-On (SSO) to web, mobile, and API workloads.

Is OpenID authentication or authorization?

OIDC was developed by the OpenID Foundation, which includes companies like Google and Microsoft. While OAuth 2.0 is an authorization protocol, OIDC is an identity authentication protocol and may be used to verify the identity of a user to a client service, also called Relying Party.


4 Answers

The problem you're seeing is not unique to OpenID. Any password-less authentication scheme can have this problem. OAuth (http://oauth.net/) is a solution that is an open standard that is quickly gaining traction on a lot of web sites. It is totally independent of how the user authenticates, so their OpenID Provider does not need to support or even be aware that your site (the "service provider" in OAuth terms) is using OAuth. Your API client can be web based or even a local application!

The process would be something like this:

Roles:

  • the user: someone who has an account with your web site.
  • service provider: your web site, which has a programmatic API that requires some credential to access.
  • consumer: the client, whether web or local application, that needs access to the service provider's API.

Flow:

  1. The user is at the consumer. He indicates he wants to access data at the service provider.
  2. The user is either redirected (if the consumer is a web site) or a browser is popped up (if the consumer is a local app) and the user sees the service provider web site.
  3. The user is either already logged into the Service Provider via a persistent cookie, or the user must first log into the Service Provider however that is done (OpenID in your case).
  4. The Service Provider then asks the user: "Consumer (some consumer) wants access to your data (or our API, or whatever). Do you want to authorize this? (yes/no)
  5. User confirms, and the browser window closes or is redirected back to the Consumer site.
  6. Via some OAuth protocol magic, the consumer now has a secret credential that it can use to access your API and access whatever user-private information you just authorized.

Obviously I can't include the whole OAuth spec here, but you can see hopefully from the above that this should solve your problem. OAuth libraries exist to make adding support for it easy.

If you happen to be using ASP.NET, I suggest http://dotnetopenid.googlecode.com/ as it recently added OAuth support (v3.0 beta 1).

like image 136
Andrew Arnott Avatar answered Oct 03 '22 08:10

Andrew Arnott


Neither OpenID nor OAuth define how a user authenticates. They define how the consumer directs the user agent to the authentication provider, how the user agent is directed back, and how the consumer can verify the identity that the user authenticated as.

The actual method used to authenticate is out of band for both schemes.

There are differences between OpenID and OAuth, but both require that the consumer use HTTP redirects and callback URLs. They're both browser based. If your app speaks HTTP, it can do either. However, a main point is that the user is only entering credentials into a trusted app.

like image 24
Karl Anderson Avatar answered Sep 30 '22 08:09

Karl Anderson


What you want is not possible with OpenID. OpenID is based on the premise that you (the iPhone app) only want to know about your users that their OpenID-provider trusts them. They never authenticate themselves to you.

Good OpenID-providers in fact even prevent that you mediate the authentication process (as this would expose users to a possible attack - by you!): they demand that users login with them directly and refuse login-by-referral.

like image 2
yungchin Avatar answered Sep 29 '22 08:09

yungchin


See: this related question

The problem is that the openid spec has no standard provision for authentication with the provider, so the provider can elect that authentication happens via a phone call or whatever.

Hopefully more providers embrace OAuth. Alternatively you could hand code the authentication for a few of the bigger sites.

like image 1
Sam Saffron Avatar answered Sep 30 '22 08:09

Sam Saffron