OAuth with OAuth.io : solving the OAuth Fragmentation for Identity Management on the Web
10 likes5,511 views
The document discusses the challenges of authentication and identity management through passwords and the emergence of single sign-on (SSO) solutions to enhance user experience and security. It explores the evolution of OAuth protocols, highlighting the differences between OAuth 1.0 and 2.0, and the importance of identity providers in granting access to user resources without sharing credentials. The author emphasizes the need for better user experience and security in authorization processes, while noting the fragmentation and limitations within current OAuth implementations.
OAuth with OAuth.io : solving the OAuth Fragmentation for Identity Management on the Web
- 1. From authentication to identity management Mehdi Medjaoui
- 5. Bob
- 6. I want to upload my photos to access them from anywhere
- 9. Photo.service Hi! Who is it?
- 14. Photo.service
- 15. Photo.service
- 18. Why passwords?
- 19. Identification
- 20. Authentication = Identification + Verification
- 21. To correctly verify someone, a secret must relate to: - what they know - what they have - what they are - what they can do
- 23. In theory
- 29. Photo.service
- 34. Got cloudy these days...
- 36. Multiplication of web services have made passwords - hard to remember if unique
- 38. Multiplication of web services have made passwords - hard to remember if unique - annoying to type all day if strong
- 40. password hell
- 41. Multiplication of web services have made passwords - hard to remember if unique - annoying to type all day if strong - weak if not unique
- 42. Passwords (even strong) do not scale with a growing number of services
- 43. Solution = Password manager ?
- 45. Single Sign-On
- 46. Single Sign-On Single sign-on (SSO) is a property of access control of multiple related, but independent software systems.
- 47. The promise of SSO: - UX with frictionless sign in and higher conversion - Reduced IT costs - Retrieving data with user’s consent but without annoying forms - Reduced password leak risks
- 48. - SAML - OpenID - Facebook connect - OAuth - Persona
- 58. - Based on URLs for personal data http://google.com/profiles/me username.wordpress.com blogname.blogspot.com www.myspace.com/username
- 59. Authorization
- 60. I want to print my photos from photo. service with printer. service
- 61. The wrong way:
- 62. Photo.service has Resource Printer.service needs Resource Key to photo. service
- 63. Photo.service has Resource Printer.service needs Resource Hi, I want to print my photos.
- 66. Hi I’m Bob & I have the key Printer.service needs Resource Photo.service has Resource
- 68. Please send me these photos Printer.service needs Resource Photo.service has Resource
- 69. Here you go Printer.service needs Resource Photo.service has Resource
- 70. I printed the photos. Printer.service needs Resource Photo.service has Resource
- 71. I’m gonna look at all of Bob’s photos! Rogue Printer. service needs Resource Photo.service has Resource
- 72. without his consent... Rogue Printer. service needs Resource Photo.service has Resource
- 73. Never give your password to other services
- 75. 2008
- 78. Photo.service has Resource Printer.service needs Resource Key to photo. service
- 80. I have support for Photo. service, ... Printer.service needs Resource Photo.service has Resource
- 81. I have support for Photo. service, ... Printer.service needs Resource Photo.service has Resource Note: choice of supported resource providers has also to be made by printer. service
- 82. Photo.service has Resource Printer.service needs Resource Please use Photo.service
- 83. Hi, I’m Printer. service Printer.service needs Resource Photo.service has Resource
- 87. I need access to Bob’s photos Printer.service needs Resource Photo.service has Resource
- 89. Photo.service has Resource Printer.service needs Resource I’m Bob. Here’ s my key
- 90. Photo.service has Resource Printer.service needs Resource Do you allow Pr.S. to access your photos?
- 92. You now have access to Bob’ s photos Printer.service needs Resource Photo.service has Resource
- 93. Send me the holiday photos! Printer.service needs Resource Photo.service has Resource
- 94. Here you go! Printer.service needs Resource Photo.service has Resource
- 95. I printed the photos. Printer.service needs Resource Photo.service has Resource
- 96. Photo.service has Resource Printer.service needs Resource Note: Printer.service does not hold Bob’s key to Photo.service
- 97. The PHOTO app chooses and control what OAuth provider to integrate, so the user cannot choose the identity he wants
- 99. Based on API authorizations and endpoints between applications
- 100. -
- 101. Single Sign-On conclusion - OpenID (URLs) is a group of companies that trust each other to be an identity provider (IDP) OpenID let the choice to the user of the IDP - Facebook connect (Facebook Connect was the single sign on of Facebook affiliate ecosystem) - OAuth : the OAuth provider know the user AND the application. The End user application choose the IDP the end user can connect with.
- 102. OpenID OAuth SAML Dates from 2005 2006 2001 Current version OpenID 2.0 OAuth 2.0 SAML 2.0 API Single sign-on Single sign-on authorization for enterprise Main purpose for consumers between users applications Protocols used XRDS, HTTP JSON, HTTP SAM, XML, HTTP, SOAP
- 103. OAuth and the Highway to Hell OAuth 2.0 and the Road to Hell (Eran Hammer)
- 105. OAuth 1.0 (2007) OAuth provides a method for clients to access server resources on behalf of a resource owner (such as a different client or an end- user). It also provides a process for end-users to authorize third-party access to their server resources without sharing their credentials (typically, a username and password pair), using useragent redirections. http://tools.ietf.org/html/rfc5849
- 106. Context : - php 4 - no https - Google involved - not Open ID OAuth 1.0 (2007) Pain: - Signatures - Broken libraries - Extensions - Crappy specifications From Eran Hammer #FuckOauth OAuth 2.0 - Looking Back and Moving On
- 112. OAuth 2.0
- 113. Authentication and Signatures - Stop cryptographic requirements of signing requests with the client ID and secret and replaces signatures with requiring HTTPS for all communications between browsers, clients and the API.
- 114. User Experience and Alternative Authorization Flows OAuth 2 supports a better user experience for native applications, and supports extending the protocol to provide compatibility with future device requirements.
- 115. Performance at Scale - Many steps require state management and temporary credentials, which require shared storage and are difficult to synchronize across data centers. - requires that the API server has access to the application's ID and secret, which often breaks the architecture of most large providers where the authorization server and API servers are completely separate.
- 116. - OAuth 2.0 (Two-legged) Client credential Resource user password - OAuth 2.0 (Three-legged) - OAuth 2.0 (Refresh token) Scopes are often not implemented the good way, following the specs. Sometimes spaces are not set, names are different from providers…. #OAuthBible
- 117. OAuth is fragmented. OAuth is broken.
- 118. OAuth 2.0 is a compromise.
- 119. -
- 120. Eran Hammer has quit the OAuth 2.0 Board. He is building Oz.
- 121. Solutions to Consume OAuth ? - The IETF specs - The OAuth Bible - Open source libraries (omniauth for ruby, requests or foauth for python, passport for node.js…) - Janrain, Dailycred - OAuth.io
- 123. OAuth.io
- 124. Demo
- 125. OAuth.io
- 126. OAuth.io
- 127. Demo
- 128. oauthd Open source version of OAuth.io
- 129. The Glue of OAuth? https://github.com/oauth-io/oauthd/blob/master/providers
- 135. The future? Mozilla Persona (Browser ID) Docker.io