Kurt McKee

lessons learned in production

Hey there! This article was written in 2007.

It might not have aged well for any number of reasons, so keep that in mind when reading (or clicking outgoing links!).

Northwestern and OpenID

Posted 13 September 2007

Background

Just over a year ago I discovered a vulnerability in Northwestern University's centralized authentication system. It would have allowed an attacker to steal a person's username and password, if the attacker could get the victim to authenticate using a specially-crafted URL. I probed and saw other details about the system that raised my hackles.

Idea

Thinking back on the authentication system's design, I have realized that Northwestern could easily push forward into the 21st century by implementing the system using OpenID. All Northwestern users would then be able to authenticate anywhere on the internet (that is, anywhere that supports OpenID) using a Northwestern URL such as http://id.northwestern.edu/kurtmckee.

About OpenID

OpenID is an authentication system that doesn't require me to give a site my username and password in order to log in. Let's see how this works in practice. For this example, http://id.northwestern.edu/kurtmckee is my OpenID URL, the OpenID service is called IDea, and I'm wanting to authenticate at a brand new Northwestern service called Hostel.

  1. I visit Hostel and tell the site that my OpenID URL is http://id.northwestern.edu/kurtmckee. This is the only information that I provide to Hostel in order to log in!

  2. Hostel redirects me to id.northwestern.edu/kurtmckee and includes information that lets IDea know how to tell Hostel whether I've authenticated at IDea or not.

  3. I give IDea my username and password. If my username and password are correct, IDea redirects me back to Hostel and informs Hostel that I logged in correctly. Hostel then treats me as a logged in user.

About Northwestern University

Northwestern is a Big 10 school with thousands of users. Although OpenID does not deal with identity, Northwestern is in the unique position to link authentication with identity. Further, it has the ability to give its users the immediate benefit of an OpenID URL that can be used all over the internet.

I hope Northwestern takes the ball and runs with it; this would be an incredible step towards giving its users true value.