Tuesday, August 28, 2012

The need for both #OpenID and #OAuth

Many words have been used on the merits of OpenID and OAuth. There are many misconceptions, and many of those have everything to do with perspective. In order to get a better understanding, I asked on the Wikitech mailing list for a use case for OAuth. The answer I received helps.
OpenID is an identity management system. It allows users to authenticate to one site using another site as their identity. A use case for this is, for example, using your Facebook account to log in to Wikipedia. This may be useful, as it would allow users to more easily register for Wikipedia.
OAuth is a third-party authentication and authorization system that allows outside applications to do stuff on behalf of a user. The reason for this is because currently toolserver applications, etc. authenticate to Wikipedia using a plaintext username and password, which is extremely insecure for a number of reasons I will not elaborate on here.
When you read the answer, there are some observations to make. The most obvious is: how do you assure that the software that is to use OAuth will be secure? Given the power of many Toolserver tools, how do you make sure that only trusted people make use of the Toolserver functionality?

Enter OpenID: it does provide identity management. OpenID is able to provide more information than just "this is indeed the indicated identity" as part of the "OpenID Attribute Exchange". When the Wikimedia Foundation implements OpenID as a service, it will be possible to identify the users that have a "bot flag" on the user profile.

As it is, the Toolserver tools are not necessarily secure. With OAuth it will become even less secure to run the software because it will be the software itself that includes the authorisation to run, never mind its configuration, never mind how it is used or by whom. When OpenID authenticates users, it becomes possible to ensure that only people with a bot flag can run Toolserver software on the production Wikimedia projects.

To make the use of the Toolserver tools secure, it is necessary to complement OAuth with OpenID. OAuth in isolation will make the Toolserver tools easier to use, but it does not make them more secure to run.
Thanks,
      GerardM

2 comments:

Ryan Lane said...

This will be my last comment on this subject with you:

This is simply incorrect.

It's nice that you are so enthusiastic about technology, but you are spreading misinformation that borders on FUD.

GerardM said...

Why is it incorrect? Given your reaction it is inconvenient.
Thanks,
Gerard