Monday, October 17, 2011

OAuth vs. OpenID Connect ?

OpenID Connet 1.0 Spec is finally released (actually it was release back in Aug). Its release was accompanied by two predictable categories of questions/sentiments, one not very well informed and the other one a legitimate question:

-        OpenID is dead
-        OpenID Connect is really OAuth so why do we need a new protocol?

Granted, this is normally coming from software engineers and social application programmer community and not from identity community, but I feel they are significant enough to be addressed, especially at the time that more and more entities contemplating to become identity providers and they need to decide which protocol they should implement.
First, on the demise of “OpenId”:  It is true that the earlier versions of Open ID (version 1 and version 2) are, for all intent and purposes, depreciated and will not gain a whole lot of traction. But the general idea of “Open” standards for communicating between RPs and IDPs that enables users to provision fewer accounts and have a portable identity while still maintaining control over their privacy and data is alive and well and actually is even more vital than before.
Second, on relationship between OAuth and OpenID Connect, OAuth is a general protocol for authorizing an agent to access a resource on behalf of resource’s owner. OAuth does not assume any particular knowledge about the resource itself. What does this mean? Let’s go back to the canonical OAuth use case of a user who would like to authorize a printing services to access her photos from a Photo service provider. Now imagine that the photo service is slightly sophisticated and recognizes a few properties associated with photos e.g. resolution, size, whether they are shots with no humans, and if there shots with humans, who appears in the photos – basically let’s assume the resource served by SP has more semantics that simple “access”.
Now imagine that the user wants to grant access to only JPEG photos of himself and not a full access to all photos. How would the IDP encode this semantics in the authorization request and response? How would the SP know that they should only provide access to a subset of images?
To be sure, this is doable using OAuth, but the implementer has to add additional parameters to request and response or possibly constraint the input values of some other parameters.
A protocol that is built this way to access a specialized resource, would be a photo access protocol built on top of OAuth.
In essence this is exactly what OpenID Connect it: It is a protocol built on top of OAuth that supports features that are often desired and used when the resources being delegated is “identity” and attribute about an identity.
To illustrate the point, here are what we, at eBay, had to do for an internal authentication protocol on top of OAuth:
      Force Authentication: adding parameters to authorization request to force users to authenticate no matter what the authentication state with IDP is
-        Authorization Behavior: adding parameters to authorization request to indicate to IDPs whether it should display the consent page and how to display the login page (overlay, full page)  
-        Standard Claim Set: Defining the default set of attributes returned by IDP
-        Requested Attributes: adding mechanism to allow RPs to ask for additional attributes, and annotating them to indicate whether explicit user consent is required.
-        Authentication Context: adding a fragment to response to communicated authentication context (single v.s multi-factor, PIN vs. Password, number of retires etc.)
-        Protection: adding parameters to indicate how access tokens should be protected (encryption, signature and order of operations)
-        Token Validation end point: adding an endpoint to introspect access tokens on demand.

These are all features and facets that OpenID Connect enables in a standard and interoperable fashion. In absence of a standard such as OpenID Connect though, any RPs integrating with our IDP had to implement basically a proprietary protocol, be it on top of OAuth.
The point is that if you want to operate an IDP and you want to use just OAuth, you have to add a few things to OAuth, depend on the depth of your requirements, to make it work for “Identity” resource. This is exactly what Facebook did with FB Connect – and they also did a good job of wrapping it with JavaScript plug-ins. The goal of OpenID Connect is to use OAuth as the basic access authorization protocol and add identity specific features to it so that it becomes a standard “identity protocol” that can enable seamless interoperability. 

Wednesday, October 12, 2011

PayPal Access & Commercial Identity

Today eBay Inc. announced an identity and attribute provider product called PayPal Access. Some described as a "Facebook Connect for Commerce", others described it as an easy registration tool for mobile site. Today at the X,Commerce Innovate Conference someone suggested to me that this is the first step for eBay Inc. to offer full cloud based user management for e-commerce sites and merchants. You can also see the official press release from eBay Inc. here.

Most of the press and coverage today focused on "Consumer Identity" - or more accurately Consumer Commercial Identity - and the benefit of PayPal Access for consumers and online merchants visited by those consumer. Consumer identity is indeed one facet of "Commercial identity" - but there is another side to commercial identity, a less understood - and arguably less sexy - side and that is Merchant Identity. What do I mean by this? Let's look at a scenario:

Merchants themselves are consumers of so many online and offline services (think of it as B2B services) - a company that sells on eBay - or any other online channel - has an eBay account, an account with a shipping company (FedEx), a Facebook account, perhaps another account with a email marketing service, bank account etc. Clearly merchants suffer from the same "account and password hell" that consumers do - but this hell is a lot deeper and hotter for merchants, consider these facts

- Most merchants have employees/contractors who create these accounts on behalf of the merchant,
- A lot of these employees (for smaller merchants) are part time or temps
- Employee turn over is high

Here in addition to the usual forgetting one's password - which for merchant leads to loss of productivity and money - sometimes the person who created the account simply leaves - if you are lucky and s/he good terms, you end up having to chase the employee and restore your access, if not, you are exposed to unauthorized access by the employee or down right "account take over".

You might say, what is the difference between this and consumer identity, these employee are consumers to and technically there is no difference. But look closer. Merchant use cases are fundamentally different. In consumer identity use cases, a consumer is a principle and gives consent on his/her own behalf to a agent (another site or application), the IDP itself recognizes the consumer is the principle and allows her (and ONLY her) to change or revoke this access. In Merchant cases, what appear to be the consumer is really not a principle binded to the merchant identity but an employee. In this case IDP must recognize this "hierarchical relationship" and allow and "admin" employee of merchant to monitor and manage the life cycle of tokens (and identities) of employees.

In the use case above, merchant X would not reveal its primary eBay user name and password to any employee, the would provision an account for each employee. Employee then logs into eBay using her own account - and via PayPalAccess - All the while PayPal Access monitors and manage all the tokens issued to all employees of merchant X. Should an employee leave or changes function, the token can be revoked by merchant X admin regardless of employee's decision.

If this sounds familiar to LDAP or ActiveDirectory, b/c it really serves the same function: Enterprise Identity, in this case enterprise is really a merchant. This is not unexpected in the world where enterprise identity, consumer identity (a.k.a social identity) are converging - and there is a need for a cloud based enterprise user management.

Please note that this is NOT an annoucement (or leak) for PayPal Access Cloud-Base user directory. IT IS NOT, REALLY. I just wanted to point out the there is two sides to commercial identity, a sexy side (consumer) and a side that can make you money (merchants).

In the next post, I will write a bit about Consumer Commercial Identity and how it may be different that social identity.

Saturday, October 8, 2011

Magician vs. Engineer

Steve Jobs, the man, died a few days ago. Steve Jobs the symbol and the icon in all likelihood lives on for a long time. In this status he is joined perhaps only by one other man: Bill Gates (whether people agree or disagree with his business tactics, feel that MSFT produced low quality or hard to use software... no one can deny the fact that he was one of the first few who realized that software would be the key to pervasive computing, co-founded the first real software company and put software engineering as a profession on the map).

That is why I was so excited to watch them being interviewed on the same stage and at the same time @ D5 in 2007. When the news of Steve Jobs passing came out, I went back and watched it again and this time I found it simply fascinating - the session is about 1.5 hours, an hour the interview and 30 minutes Q&A.

It is long, but it is well worth the time.

After about 4.5 years, and with hindsight, it is so amazing to see Steve Jobs explaining his vision about "Post-PC" era and superiority of native applications, merits of integration of hardware and software, and in general, what we can only now recognize as a general description of  iPad. (with the notable absence of any reference to App Store)

Interestingly, Bill Gates, in response to what he sees as post PC era, talks, spot on, about tablet computing, significance of touch and the "convergence device".  Keep in mind that MSFT had been doing basic research in this field for a long time.

In my view, both men shared the same over all knowledge of trends and technologies in 2007, both knew that a device that is basically touch enabled and connected will dominate the future. Then why Apple was able to come up with iPad and MSFT ended up with a few tablet from bunch of manufacturers that only a few ever saw live in action, let alone use.

Amazingly, Bill Gates answers this question himself - in what I think is the most interesting exchange of the interview: a member of audience (a woman @ about 1:22 into the video) asks both Jobs and Gates "...What did you learn about running your own business that you wished you had thought of sooner or first by watching the other guy". Bill Gates volunteers an answer first and says:

"...he (Steve) has an intuitive taste for product and people, we sat in Mac product reviews and question would come up that I would view it as engineering question b/c that is how my mind works and I'd see Steve make a decision based on a sense of people and product that is even hard for me to explain, the way he does things are just different and I think it is magical and in that case WOW" (he never mentions what that case was)

There, ladies and gentlemen, you have it! This is why MSFT and Bill Gates, as great as he is, with all the knowledge of trends, technologies could never quiet come up with that "convergence device". They (or any one else) did not have that magical "intuitive taste for product and technology". As Bill Gates said it, it is even hard for him to explain let alone replicate that intuition.

A lot of things have been said and written about Steve Jobs greatness, but none captures and express the essence of what Jobs did better than the description given by the only other icon of modern computing Bill Gates: intuition vs.solution , soul vs. mechanics, empathy vs. sympathy ..Magic vs. Engineering.