7

For example, I can log in to stackexchange websites by logging in to external websites such as OpenID, Yahoo, etc. How does this work? How do the websites (SE and Yahoo!, for example) communicate? How does Yahoo! know that it's really stackexchange? How does stackexchange know that I have successfully logged in to Yahoo! and it's really Yahoo!? Does stackexchange know if I log out of Yahoo! after I log in here?

Asked by Fitri (edited by AviD)

2 Answers

11

In your particular example, StackExchange uses OpenID. OpenID supports the idea of identity providers -- Yahoo is an Identity Provider, same as Google, MyOpenID, etc. To log in, StackExchange asks you which provider you want to use, and then redirects you to that provider's login page.

Once you authenticate against the provider, the provider redirects you back to StackExchange with a token. This token contains your identity information. This is generally called Claims Based Authentication, where a Claim is a piece of information about an identity, e.g. your name, and claims are bundled into a token.

Communication is done through HTTP 302 redirects and HTTP POSTs, all via the user's browser. Yahoo knows it's StackExchange because the Yahoo URL contains a parameter saying it's StackExchange. StackExchange knows the identity token is from Yahoo because it is signed by Yahoo.

See here: http://openid.net/get-an-openid/what-is-openid/

And here: http://openidexplained.com/

Steve
  • Since everything happens in the browser, how does the signed token get transferred from Yahoo to StackExchange? How does Yahoo! know if it's not someone else faking StackExchange? I guess in this system StackExchange does not know if the account in Yahoo! logged out, gets deleted, etc.? – Fitri Jun 17 '11 at 16:19
  • Faking StackExchange would require the attacker to take control of DNS, as Yahoo would POST to stackexchange.com. – Steve Jun 17 '11 at 16:46
  • "single logout" is indeed a difficult thing for single-sign-on schemes like openid, probably not implemented here, @fitri – nealmcb Jun 17 '11 at 23:19
  • To be honest, I'm still curious about the identity token. What is its form and how does it get transferred from the Yahoo! (or OpenID?) server to the StackExchange server? – Fitri Jun 19 '11 at 15:58
  • EDIT: I said Yahoo does a POST... I think I'm wrong, and it does a 302 redirect with the token in the query string. See here: http://openid.net/specs/openid-authentication-2_0.html#anchor2 – Steve Jun 20 '11 at 16:13
6

Regarding the identity token - it can take on several forms. In one particular case (which I know OpenID supports) the token is effectively a set of URL parameters. They provide a number of things, including:

  1. Uniquely identifying who you are (e.g. your OpenID/URL)
  2. A signature. This is a cryptographic hash, created from the identity information above and a pre-established secret known by only your OpenID provider and StackExchange.

If you change the identifying information, you break the signature and StackExchange will refuse to log you in. You also can't successfully re-create a signature from scratch, as you don't know the shared secret.

Another form of token, one which I'm more familiar with, is a long pseudo-random string. Your browser returns from the identity provider with this in the URL. Then the client site (e.g. StackExchange) checks the token directly against the identity provider; the provider looks in its list of recently issued tokens and, if it finds it, returns the client your uniquely identifying information.

Regarding logout / single-sign-out - no, StackExchange doesn't know if you log out of your OpenID service. Likewise, your OpenID provider isn't notified if you log out of StackExchange.

Some systems (Google mail/docs/calendar is a good example) instead use an approach that logs you out of the site/service you're using and your ID provider service. However, all other services are unaffected. For example:

  1. Sign in to Gmail
  2. Link to Google Docs (you won't have to sign in again)
  3. Sign out of Gmail (your Google Docs session will be unaffected)
  4. The next Google service you go to will insist you sign in again

John King
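Both answers describe the same mechanics: the provider redirects the browser back to the relying party with the assertion in the query string, the assertion carries the identity plus a signature over it, and the relying party either recomputes the signature with a pre-shared secret (an OpenID association) or hands the assertion back to the provider for direct verification (OpenID's check_authentication). The following is an added example, not code from StackExchange, Yahoo or the OpenID project; it models both sides in one process, following the OpenID 2.0 key-value signing layout with HMAC-SHA256. The endpoint URLs, the user identifier, the association handle and the nonce layout are made up for illustration, and the "browser" is just a string passed from one function to the other.

```python
"""OpenID 2.0-style positive assertion: signed at the provider, verified at the
relying party (RP).  Added illustration; all endpoints and identifiers are made up."""
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qsl, urlencode, urlsplit

RP_RETURN_TO = "https://stackexchange.example/openid/return"  # hypothetical RP endpoint
OP_ENDPOINT = "https://op.yahoo.example/openid"                # hypothetical provider endpoint

# Fields covered by the signature, in the order listed in openid.signed.
SIGNED_FIELDS = ("op_endpoint", "claimed_id", "identity", "return_to",
                 "response_nonce", "assoc_handle")


def kv_form(params, signed):
    """OpenID 2.0 key-value form: 'key:value\\n' per signed field, prefix dropped."""
    return "".join(f"{k}:{params['openid.' + k]}\n" for k in signed).encode()


def sign(mac_key, params, signed):
    """Base64(HMAC-SHA256(mac_key, key-value form)).  mac_key is the secret the
    provider and RP agreed on beforehand (the 'association')."""
    mac = hmac.new(mac_key, kv_form(params, signed), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()


class Provider:
    """The identity provider (Yahoo in the question)."""
    def __init__(self):
        self.associations = {}   # assoc_handle -> MAC key shared with the RP
        self.issued_nonces = set()

    def associate(self):
        handle = secrets.token_urlsafe(12)
        self.associations[handle] = secrets.token_bytes(32)
        return handle, self.associations[handle]

    def positive_assertion(self, handle, claimed_id, return_to):
        """The 302 Location the browser follows back to the RP after login."""
        nonce = "2011-06-17T16:19:00Z" + secrets.token_urlsafe(6)  # timestamp + random
        self.issued_nonces.add(nonce)
        p = {
            "openid.ns": "http://specs.openid.net/auth/2.0",
            "openid.mode": "id_res",
            "openid.op_endpoint": OP_ENDPOINT,
            "openid.claimed_id": claimed_id,
            "openid.identity": claimed_id,
            "openid.return_to": return_to,       # where the RP asked to be sent back
            "openid.response_nonce": nonce,
            "openid.assoc_handle": handle,
            "openid.signed": ",".join(SIGNED_FIELDS),
        }
        p["openid.sig"] = sign(self.associations[handle], p, SIGNED_FIELDS)
        return return_to + "?" + urlencode(p)

    def check_authentication(self, params):
        """Direct verification: the RP sends the assertion back and the provider
        confirms it.  A nonce is honoured once, so a replayed URL is rejected."""
        handle, nonce = params["openid.assoc_handle"], params["openid.response_nonce"]
        if handle not in self.associations or nonce not in self.issued_nonces:
            return False
        signed = params["openid.signed"].split(",")
        if not hmac.compare_digest(sign(self.associations[handle], params, signed),
                                   params["openid.sig"]):
            return False
        self.issued_nonces.discard(nonce)
        return True


def rp_verify(redirect_url, mac_key, seen_nonces):
    """RP side: parse the query string, check the assertion is addressed to us,
    reject replays, recompute the signature with the shared key."""
    p = dict(parse_qsl(urlsplit(redirect_url).query))
    if p.get("openid.mode") != "id_res" or p.get("openid.return_to") != RP_RETURN_TO:
        return None
    nonce = p["openid.response_nonce"]
    if nonce in seen_nonces:
        return None
    signed = p["openid.signed"].split(",")
    if not hmac.compare_digest(sign(mac_key, p, signed), p["openid.sig"]):
        return None
    seen_nonces.add(nonce)
    return p["openid.claimed_id"]


def demo():
    op = Provider()
    handle, mac_key = op.associate()          # shared secret set up before the login
    url = op.positive_assertion(handle, "https://me.yahoo.example/fitri", RP_RETURN_TO)
    seen = set()
    ok = rp_verify(url, mac_key, seen)        # first use: accepted
    replay = rp_verify(url, mac_key, seen)    # same URL again: rejected
    forged = url.replace("fitri", "admin")    # edit the identity: signature breaks
    tampered = rp_verify(forged, mac_key, set())
    params = dict(parse_qsl(urlsplit(url).query))
    direct = op.check_authentication(params)          # stateless RP asks the provider
    direct_replay = op.check_authentication(params)   # nonce already consumed
    return ok, replay, tampered, direct, direct_replay
```

Running demo() shows the three properties the answers describe: the assertion is accepted once, a second presentation of the same URL is refused by the nonce check, and changing the identity in the query string invalidates the signature because the attacker has neither the MAC key nor a way to forge the HMAC. In the real protocol a stateless RP would use a handle it never received a key for, so check_authentication is the only way for it to learn whether the signature is genuine.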