User Management with LastUser
2 likes1,040 views
Lastuser is an identity aggregation web service that simplifies user login by utilizing OpenID URLs and OAuth for delegated identity management. It allows applications to connect and manage user identities uniformly without the need for multiple password entries. The service is designed to streamline identity synchronization across various services and provides compatibility with multiple identity providers while addressing issues around URL reliability as user identifiers.
User Management with LastUser
- 1. User Management with LastUser Kiran Jonnalagadda, HasGeek PyCon India, Pune, September 2011 flickr.com/exfordy/128576390/
- 2. The What & The Why
- 3. LastUser is an identity aggregating web service LastUser Your App 1 Your App 2 Your App 3
- 4. A simple goal Login identifier that Login users can remember Relief from password Password management Submit No user registration. Just login and use
- 7. URLs in the browser: www.github.com
- 8. URLs in the browser: github.com
- 9. URLs in the browser: http://github.com/
- 10. URLs in the browser: https://github.com/
- 11. URLs as Identifiers 1. github.com 2. github.com/ 3. www.github.com 4. www.github.com/ 5. http://github.com 6. http://github.com/ 7. http://www.github.com 8. http://www.github.com/ 9. https://github.com 10. https://github.com/ 11. https://www.github.com 12. https://www.github.com/ Multiple strings; same final URL flickr.com/mynameisharsha/5157965638/
- 12. Contrast with email Addresses: kiran@hasgeek.in Change one character and it’s no longer valid. Users are conditioned to type them in exactly every time
- 13. URL Ambiguity: https://www.google.com/accounts/o8/id One OpenID URL for all Google accounts
- 14. URL Ambiguity: https://www.google.com/accounts/o8/id?id=AItOawnGAN1Swp5zAJn9UYCw0jivCRXg8qIe_9c https://www.google.com/accounts/o8/id?id=AItOawm3y2JBSnIo0ZdNwtIa487VpQXtpbXNmU4 Both are the same Google id, on different domains, using directed identity. If you move to a new domain, all your users’ ids change
- 15. URLs are not reliable identifiers for users
- 18. The delegated id model Your Application
- 19. The delegated id model Synchronizing identity across services? Your Application
- 20. Need a common identifier across services. It’s usually an email address
- 21. LastUser as abstraction layer LastUser — OAuth Server Your App 1 Your App 2 Your App 3
- 22. Multiple apps, all connected to one LastUser instance
- 23. 1. Login screen provider
- 24. Connecting identities Users sometimes login with a different service provider Accounts can be connected if there is a common id Twitter does not provide an email address GitHub provides only md5sum of email via Gravatar. Can be connected if email is already known
- 25. Supported id providers Twitter Google GitHub OpenID (but not delegation) Upcoming: LinkedIn, Facebook
- 26. OAuth: There is no single standard called OAuth. Every implementation is different
- 27. There is no up-to-date Python library for OAuth2. Every service provider has their own library. Contrast: Ruby has OmniAuth
- 28. LastUser implements OAuth 2.0 draft 16 (with gaps filled in)
- 29. OAuth 2.0 has two parts OAuth OAuth Authorization Resource Server Server 1. Request an OAuth Client 2. Use token to access token access resource
- 30. OAuth 2.0 has two parts OAuth 2.0 doesn’t specify how this OAuth OAuth bit works Authorization Resource Server Server LastUser does 1. Request an OAuth Client 2. Use token to access token access resource
- 31. 2. Resource providers (work in progress)
- 32. 3. Central access control
- 33. Pending work Seamless login UI and pure client-side JS login API Non-web login flow Authorization to resource server communication protocol Support for token types other than bearer tokens