Web Service Authentication using OpenID

I'm going to be developing a REST-ful Web Service for a new public website. The idea behind the web service is to have 3rd parties develop fully functional UIs for the business logic.

For security reasons, I'd like to avoid users having to give their passwords for our service to the 3rd party applications. (Perhaps this shouldn't be a big concern?) Instead, I'm looking to implement some sort of login system on our site that provides an auth token to the 3rd party app but keeps the actual password out of their hands.

This made me think that OpenID might be a potential solution here. It seems to me that it should work: the actual password is handled by the OpenID provider and so it doesn't rest with the 3rd party app. I think that the trouble would probably lie with the various passthroughs, but that should be manageable.

However, there's a surprising lack of Googleable info on this, so I'd like SO's opinion. Has anyone implemented a similar system before? Is it even possible? Is it worth the trouble?

Craig Walker asked Dec 22 '08 18:12

2 Answers

I agree completely that what you want is OAuth; I say that having worked on both OAuth and OpenID systems. I've also been in your boat a few times, having to develop a REST web service API.

For really good ideas on OAuth, and why it is what you want, see these attached articles:

These are a must read; there are four parts, read them all: http://hueniverse.com/oauth/guide/

The RFC; read it after reading the above, as it can be a little daunting for most: http://oauth.net/core/1.0

And then finally maybe some code. I have a couple of projects hosted that are using Java/Groovy to do OAuth. One is a plain old OAuth client, the other is a client for specific interactions with NetFlix. http://www.blueleftistconstructor.com/projects/

If you are relatively inexperienced with REST (you haven't built a full-scale web API yet) I would recommend that you buy (or, better, get your boss to) "RESTful Web Services" by Richardson & Ruby. It is an O'Reilly book. I can say that it is one of their better books to debut in the past few years.

It might also help to look at some RESTful OAuth based APIs. The NetFlix API is a perfect example: http://developer.netflix.com/docs

Good luck and happy coding!

Rob Ottaway answered Oct 30 '22 20:10
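As an added illustration of the OAuth 1.0 signing that the guide and spec linked in this answer describe (example code written for this page, not taken from those links or the projects above): the third-party UI signs each API call with HMAC-SHA1 using its consumer secret plus the token secret issued for the user, and the service recomputes the signature, checks the timestamp window and rejects nonce reuse. The user's password never reaches the third party. The credential values, the URL and the user "alice" are constructed for the example; `verify_request` returns the user the token was issued to, or `None` when the request is rejected.

```python
import base64, hashlib, hmac
from urllib.parse import quote

# Constructed sample credentials (assumed, not real keys); the user's password never appears
CONSUMER_KEY, CONSUMER_SECRET = "third-party-ui", "cs-secret"
ACCESS_TOKEN, TOKEN_SECRET = "user-token-abc", "ts-secret"

def pct(value):  # RFC 3986 percent-encoding as OAuth 1.0 requires (unreserved chars kept)
    return quote(str(value), safe="-._~")

def signature_base_string(method, url, params):
    # METHOD & encoded(URL) & encoded(sorted "k=v" pairs joined by "&")
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    return "&".join([method.upper(), pct(url), pct("&".join(f"{k}={v}" for k, v in pairs))])

def sign(method, url, params, consumer_secret, token_secret):
    # HMAC-SHA1 over the base string, keyed by "consumer_secret&token_secret"
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, signature_base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def build_request(method, url, query, nonce, timestamp):
    # Client side: add the oauth_* parameters, then sign everything except the signature itself
    params = dict(query, oauth_consumer_key=CONSUMER_KEY, oauth_token=ACCESS_TOKEN, oauth_nonce=nonce,
                  oauth_signature_method="HMAC-SHA1", oauth_timestamp=str(timestamp), oauth_version="1.0")
    params["oauth_signature"] = sign(method, url, params, CONSUMER_SECRET, TOKEN_SECRET)
    return params

# Server side: look up both secrets by key, recompute the signature, reject replays
CONSUMERS = {CONSUMER_KEY: CONSUMER_SECRET}
TOKENS = {ACCESS_TOKEN: (TOKEN_SECRET, "alice")}  # token -> (secret, user it was issued to)
_seen_nonces = set()  # in production, bounded to the timestamp window

def verify_request(method, url, params, now, window=300):
    p = dict(params)
    sig = p.pop("oauth_signature", None)
    consumer_secret = CONSUMERS.get(p.get("oauth_consumer_key"))
    token = TOKENS.get(p.get("oauth_token"))
    if sig is None or consumer_secret is None or token is None:
        return None
    ts = p.get("oauth_timestamp", "")
    if not ts.isdigit() or abs(now - int(ts)) > window:
        return None  # stale or malformed timestamp
    replay_key = (p["oauth_consumer_key"], ts, p.get("oauth_nonce"))
    if replay_key in _seen_nonces:
        return None  # same nonce seen again inside the window: replayed request
    if not hmac.compare_digest(sign(method, url, p, consumer_secret, token[0]), sig):
        return None  # signature mismatch: tampered parameters or wrong secrets
    _seen_nonces.add(replay_key)
    return token[1]
```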


So far, I've found 1 worthwhile link:

http://markmail.org/message/utf7js473zqv45hv

This conversation mentions something called "OpenID Exchange" which is right up my alley... but the included link is broken and there's not much solid information on Google for it.

Looks like OAuth might be the ticket: http://oauth.net/

Craig Walker answered Oct 30 '22 19:10