PayPal Access GDG DevFest
2 likes1,193 views
The document outlines PayPal Access, a service introduced in 2011 that allows users to log in using their existing PayPal credentials, leveraging OAuth 2.0 and OpenID Connect for authentication. It highlights the advantages of using social sign-ins, user verification, and the implementation process, along with relevant technical details. Additionally, it provides resources for developers and links to further information on integrating PayPal Access into applications.
![“OAuth 2 may not be
perfect, and may have been
harmed by the Enterprise
crap, but the core of Web
functionality […] seems to
have survived.”
30](https://image.slidesharecdn.com/devfest-121014041416-phpapp02/85/PayPal-Access-GDG-DevFest-30-320.jpg)
PayPal Access GDG DevFest
- 1. IDENTIFY YOURSELF WITH ACCESS Tim Messerschmidt Developer Evangelist GDG DEVFEST 2012 developer.PayPal 1 November 2012, Karlsruhe (via Hangout) @SeraAndroid
- 2. Who am I? 2
- 3. Agenda • What is PayPal Access? • How does it work? • Why should I use this? • How to implement that? 3
- 4. Slides goo.gl/u3Rix SlideShare: PayPalEuDevs 4
- 5. WHAT IS ACCESS? 5
- 6. Can be used to login with your existing PayPal credentials 6
- 7. Figure: Q3 2012 active users 7
- 8. Leverage existing technology to push your own service(s) 8
- 9. Based on OAuth 2.0 or OpenID Connect 9
- 10. Not related to payments 10
- 11. Free to use 11
- 12. Introduced in 2011 12
- 13. Additional features coming soon! 13
- 14. Registration of apps: devportal.x.com 14
- 15. 15
- 16. HOW DOES IT LOOK LIKE? 16
- 17. 17
- 18. 18
- 19. 19
- 20. HOW DOES IT WORK? 20 20
- 21. OAuth? OpenID? OpenID Connect? 21
- 22. OAuth 1.0 22
- 23. OAuth 2.0 23
- 24. OPINIONS ON OAUTH 2 24
- 25. OAuth 2.0 & the Road to Hell Eran Hammer: http://hueniverse.com/2012/07/oauth-2-0-and-the-road-to-hell/ 25
- 26. “OAuth 2.0 offers little to none code re-usability” 26
- 27. “What 2.0 offers is a blueprint for an authorization protocol” 27
- 28. On the Deadness of OAuth 2 Tim Bray: http://www.tbray.org/ongoing/When/201x/2012/07/28/Oauth2-dead 28
- 29. “OAuth 2 is useful today.” 29
- 30. “OAuth 2 may not be perfect, and may have been harmed by the Enterprise crap, but the core of Web functionality […] seems to have survived.” 30
- 31. OpenID Connect 31
- 32. 5 scopes 1. profile 2. email for access 3. address to the 4. phone profile: 5. attributes 32
- 33. THE DIFFERENCE 33
- 34. OAuth 2.0 implementation can be easily changed to OpenID Connect Jonathan LeBlanc: https://www.x.com/developers/community/blogs/ jcleblanc/migrating-paypal-access-integration-oauth-2-openid-connect 34
- 35. WHY SHOULD I USE THIS? 35
- 36. People forget passwords… “45 % admit to leaving a website instead of re-setting their password or answering security questions” * * Blue Inc. 2011 36
- 37. People don’t like to register… Out of 657 surveyed users 66 % think that social sign-in is a desirable alternative. * * Blue Inc. 2011 37
- 38. THE VALUE 38
- 39. Leverage an existing profile 39
- 40. Verified user accounts 40
- 41. THE FLOW & SOME CODE 41
- 42. Authorization Flow Client Server 1. Open Authorization 2. Provide login page Endpoint URL 3. Return Authorization 4. Check callbacks for Token after Authorization Token successful login 5. Request a valid 6. Check Authorization Access Token Token & return 7. Retrieve user’s Access Token if valid resources 42
- 43. Your components (OAuth 2) Server endpoints: Client details: 43
- 44. Load the Authorization URL in a WebView and… 44
- 45. … start checking the URLs your WebView is loading 45
- 46. Retrieve the Access Token 46
- 47. THE REPLY { "access_token": "something not so long", "token_type": "Bearer", "refresh_token": ”something not so long", "expires_in": 900, "id_token": "something very long" } 47
- 48. REFRESHING A TOKEN Do a POST including the Refresh Token to this endpoint: https://www.paypal.com/ webapps/auth/protocol/ openidconnect/v1/tokenservice 48
- 49. REFRESHING A TOKEN Change the Grant Type: grant_type=refresh_token Add the profile’s scope scope=profile 49
- 50. VALIDATION Do a POST including the Access Token to this endpoint: https://www.paypal.com/ webapps/auth/protocol/ openidconnect/v1/checkid 50
- 51. VALIDATION Provide the id_token value you got when receiving the Access Token access_token=myToken 51
- 52. LOGGING OUT THE USER Do a POST including the Access Token to this endpoint: https://www.paypal.com/ webapps/auth/protocol/ openidconnect/v1/endsession 52
- 53. LOGGING OUT THE USER Furthermore you have to add the following parameters to the POST: redirect_url=myFancyUrl.com logout=true 53
- 54. FURTHER INFORMATION 54
- 55. Useful links • goo.gl/y9HKO – Migrating PayPal Access to from OAuth 2 to OpenID Connect (Jonathan LeBlanc) • goo.gl/1wjRV – Sample project which has some helper classes that enable easy integration Access into your Android app – Apache V2 55
- 56. Official developer resources • x.com/identity – PayPal Access Developer Guide • x.com/mobile – PayPal payment products • Mobile Payments Library (native) • Mobile Express Checkout (web) 56
- 57. Help!!?! Problems? • paypal.com/dts – Developer Technical Services – Ticketing • x.com/developers/paypal/forums – PayPal Developer Forums 57
- 58. INNOVATION 58
- 59. QR Code adoption between different countries 59
- 60. % of Smartphone Audience 20 18 16 14 12 10 8 6 4 2 0 Germany France UK Italy Spain * comScore MobiLens July 2012 60
- 61. Adoption of QR Codes 70% of 30.000.000 surveyed German households recognize QR Codes and know how to use them * * Nielsen 2011 61
- 62. Available" for " Android" & iOS 62
- 63. TL;DR PayPal Access enhances applications by adding a verified user-base 63
- 64. QUESTIONS? 64
- 65. THANKS! tmesserschmidt@paypal.com @seraandroid / @paypaleurodev +tim messerschmidt slideshare.net/PayPalEuDev 65
Editor's Notes
- #22: Final draft got introduced in April ’07Clunky to implement on client-sideIETF
- #23: Current draft considered as stableFocus on performance & scalabilityDifferent authorization scenarios
- #31: Current draft considered as stableFocus on performance & scalabilityDifferent authorization scenarios
- #32: Good news:Choosing the technique isnot that important
- #33: OAuth: Grant access to resourcesOpenID Connect: Grant access to more specialized resources & session management
- #34: Good news:Choosing the technique isnot that important
- #36: OAuth: Grant access to resourcesOpenID Connect: Grant access to more specialized resources
- #37: OAuth: Grant access to resourcesOpenID Connect: Grant access to more specialized resources
- #40: Real valueMore serious for some usecases