This talk is about the story of password and identity management on the web.
It make an overview about passwod handling, single sign-on solution, OAuth and the future of it for the web, thanks Mozilla Persona and Docker.io Linux Containers.
It also present OAuth.io , a solution to solve framgementation.
46. Single Sign-On
Single sign-on (SSO) is a property of
access control of multiple related,
but independent software systems.
47. The promise of SSO:
- UX with frictionless sign in and higher conversion
- Reduced IT costs
- Retrieving data with user’s consent but without annoying
forms
- Reduced password leak risks
80. I have support
for Photo.
service, ...
Printer.service
needs Resource
Photo.service
has Resource
81. I have support
for Photo.
service, ...
Printer.service
needs Resource
Photo.service
has Resource
Note: choice of
supported resource
providers has also to
be made by printer.
service
101. Single Sign-On
conclusion
- OpenID (URLs) is a group of companies that trust
each other to be an identity provider (IDP)
OpenID let the choice to the user of the IDP
- Facebook connect (Facebook Connect was the single
sign on of Facebook affiliate ecosystem)
- OAuth : the OAuth provider know the user AND the
application. The End user application choose the IDP
the end user can connect with.
102. OpenID
OAuth
SAML
Dates from
2005
2006
2001
Current version
OpenID 2.0
OAuth 2.0
SAML 2.0
API
Single sign-on
Single sign-on authorization
for enterprise
Main purpose for consumers
between
users
applications
Protocols used
XRDS, HTTP
JSON, HTTP
SAM, XML,
HTTP, SOAP
105. OAuth 1.0
(2007)
OAuth provides a method for clients to access server
resources on behalf of a resource owner (such as a
different client or an end- user). It also provides a
process for end-users to authorize third-party access to
their server resources without sharing their credentials
(typically, a username and password pair), using useragent redirections.
http://tools.ietf.org/html/rfc5849
106. Context :
- php 4
- no https
- Google involved
- not Open ID
OAuth 1.0
(2007)
Pain:
- Signatures
- Broken libraries
- Extensions
- Crappy specifications
From Eran Hammer #FuckOauth
OAuth 2.0 - Looking Back and Moving On
113. Authentication and Signatures
- Stop cryptographic requirements of
signing requests with the client ID and
secret and replaces signatures with
requiring HTTPS for all
communications between browsers,
clients and the API.
114. User Experience and Alternative Authorization
Flows
OAuth 2 supports a better user experience for
native applications, and supports extending
the protocol to provide compatibility with
future device requirements.
115. Performance at Scale
- Many steps require state management and temporary
credentials, which require shared storage and are
difficult to synchronize across data centers.
- requires that the API server has access to the
application's ID and secret, which often breaks the
architecture of most large providers where the
authorization server and API servers are completely
separate.
116. - OAuth 2.0 (Two-legged)
Client credential
Resource user password
- OAuth 2.0 (Three-legged)
- OAuth 2.0 (Refresh token)
Scopes are often not implemented the good way,
following the specs.
Sometimes spaces are not set, names are different
from providers….
#OAuthBible
120. Eran Hammer has quit the
OAuth 2.0 Board.
He is building Oz.
121. Solutions to Consume OAuth ?
- The IETF specs
- The OAuth Bible
- Open source libraries (omniauth
for ruby, requests or foauth for
python, passport for node.js…)
- Janrain, Dailycred
- OAuth.io