Easy Testing on Ruby OpenID Consumer Implementations by Roman Gonzalez. Tuesday 24 March 2009


Presentation Highlights

• What is OpenID?

• URLs as our identity credentials

• OpenID Terminology

• The OpenID authentication process explained

• How to implement RPs in Ruby


• Testing OpenID RPs

• Demo (Rails, Merb)

• Q&A


What is OpenID?

• A protocol that promotes the use of a single digital identity (Single Sign On)

• Decentralized

• Simple and light-weight (no high security stuff)

• Built upon Web technologies (HTTP, DNS)


URLs are our credentials

• Most people already have a URL to represent their identity (Facebook, Twitter)

• They are globally unique and ubiquitous


OpenID Terminology

• Actors

  • Identifier (URL of the user)

  • User-Agent (normally a Web Browser)

  • Relying Party (RP)

  • OpenID Provider (OP)


• Direct Messages

  • HTTP POST requests from RPs to OPs

  • Used for interchange of public keys


• Indirect Messages

  • HTTP Redirects from RPs to OPs and back

  • Used for the authentication process


OpenID Authentication Step 1. Discovery


HTTP GET


OpenID Authentication Step 2. Association


HTTP POST

Exchange of public keys


OpenID Authentication Step 3. Give credentials to OP


OpenID Authentication Step 4. Choose which info to give to the RP


OpenID Authentication Step 5. You are _authenticated_
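
An added example (not from the slides, ROTS or the ruby-openid gem) of what the association in Step 2 buys the RP in Step 5: the Diffie-Hellman exchange yields a shared MAC key, and the RP uses it to check the signature on the OP's redirect. It goes beyond the slides by following the OpenID 2.0 DH-SHA256 / HMAC-SHA256 scheme; the function names are hypothetical and the DH group is a toy one constructed for the example. A test that stubs the gem never runs this check.

```ruby
require 'openssl'
require 'base64'
require 'securerandom'

# Toy group constructed for this example; real associations use the
# 1024-bit default modulus from the OpenID 2.0 specification.
DH_P = 2**255 - 19
DH_G = 2

# btwoc: minimal big-endian two's-complement bytes of a non-negative integer.
def btwoc(n)
  hex = n.to_s(16)
  hex = "0#{hex}" if hex.length.odd?
  bytes = [hex].pack('H*')
  bytes.getbyte(0) >= 0x80 ? "\x00".b + bytes : bytes
end

def xor(a, b)
  a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack('C*')
end

# SHA-256 of the DH shared secret; both sides derive the same mask.
def dh_mask(their_public, my_secret)
  OpenSSL::Digest.new('SHA256').digest(btwoc(their_public.pow(my_secret, DH_P)))
end

# OP side of the direct "associate" response (DH-SHA256 session).
def op_associate(rp_public, mac_key)
  xb = SecureRandom.random_number(DH_P - 2) + 1
  { dh_server_public: DH_G.pow(xb, DH_P), enc_mac_key: xor(dh_mask(rp_public, xb), mac_key) }
end

# RP side: unmask the MAC key using its own DH secret.
def rp_recover_mac_key(resp, xa)
  xor(dh_mask(resp[:dh_server_public], xa), resp[:enc_mac_key])
end

# HMAC-SHA256 over the key-value form of the fields listed in "signed".
def sign(fields, mac_key)
  kv = fields['signed'].split(',').map { |k| "#{k}:#{fields[k]}\n" }.join
  Base64.strict_encode64(OpenSSL::HMAC.digest(OpenSSL::Digest.new('SHA256'), mac_key, kv))
end

# RP check on the indirect response; signatures compared in constant time.
def rp_verify(fields, mac_key)
  a = sign(fields, mac_key).bytes
  b = fields['sig'].to_s.bytes
  a.size == b.size && a.zip(b).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end
```

Altering any signed field after the OP has signed the response, for example `claimed_id`, makes `rp_verify` return false.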


Implementing OpenID RPs in Ruby

• Ruby on Rails: open_id_authentication by rails at http://github.com

• Merb: hassox’s merb-auth gem, using the OpenID strategy

• Rack: Using the auth/openid Rack app included in the gem


Testing OpenID RPs

• How do we test it?

  • First naive approach: mocking/stubbing the ruby-openid gem

• Why is it so hard to test?

  • Multiple types of communication between the RP and the OP

  • The existing OPs need human interaction


Introducing ROTS (Ruby OpenID Test Server)

• It provides an “easy” interface for automated testing

• It uses an OP test server (provided in the gem) and a test API


DEMO


Final Thoughts

• ROTS is _not_ a silver bullet

• OpenID is not perfect, and it is not trying to be


Resources

• http://openidexplained.com

• http://github.com/rails/open_id_auth

• http://github.com/roman/rots

• http://test-id.net


Q&A


Thanks... Contact Me

Follow: http://twitter/romanandreg

Read: http://blog.romanandreg.com
