The Last Authentication System You Will Ever Write
Jason Austin - @jason_austin - [email protected]
Thursday, May 26, 2011
A Quick Rundown
• Authentication Basics
• Pros/Cons of offloading
• Authentication Mechanisms
• Authentication Providers
• Implementation
Authentication Basics
flickr - @digiart2001
Authentication != Authorization
Who you are vs. what rights you have
Setting Up An Auth System
• Signup
• Confirmation
• Authenticate (Username / Password)
• Password Retrieval / Reset
• Password Change
Security Requirements
• Secure Transactions
• Salting/Hashing Passwords
• Storing Passwords
• Password Strength Requirements
• Policies surrounding username selections
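Added example, not from the talk: the salting/hashing and storing items on this list, done the way a PHP application that does not offload authentication would have to do them. It uses PHP's password_hash()/password_verify() (PHP 5.5 and later, so newer than the 2011 code in this deck); the cost value and the demo password are assumptions.

```php
<?php
// Added example (not from the talk): password salting/hashing/storage for an
// application that keeps its own credentials. password_hash() generates a
// per-user random salt and embeds it in the returned string, so the column
// that stores the result is all you keep; the plaintext is never stored.

// Work factor. Assumption for this demo; raise it as hardware gets faster.
const PASSWORD_COST = 12;

function hashPassword(string $plaintext): string
{
    // bcrypt silently truncates input at 72 bytes; reject longer passwords
    // explicitly rather than accepting an unverified prefix.
    if (strlen($plaintext) > 72) {
        throw new InvalidArgumentException('password too long for bcrypt');
    }
    return password_hash($plaintext, PASSWORD_BCRYPT, ['cost' => PASSWORD_COST]);
}

// Verifies in constant time. When the stored hash was made with an older
// cost (or algorithm), also returns a fresh hash the caller should persist,
// so the database upgrades itself as users log in.
function verifyPassword(string $plaintext, string $storedHash): array
{
    $ok = password_verify($plaintext, $storedHash);
    $rehash = null;
    if ($ok && password_needs_rehash($storedHash, PASSWORD_BCRYPT, ['cost' => PASSWORD_COST])) {
        $rehash = hashPassword($plaintext);
    }
    return ['ok' => $ok, 'rehash' => $rehash];
}

// Constructed walk-through: signup stores the hash, login verifies it.
$stored = hashPassword('correct horse battery staple');   // demo password, assumption
var_dump(verifyPassword('correct horse battery staple', $stored)['ok']);
var_dump(verifyPassword('Tr0ub4dor&3', $stored)['ok']);
```

Everything on the slide list beyond this (TLS for the transaction, strength rules, username policy, reset flows) is still yours to build and maintain; that is the cost the talk is arguing you can offload.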
User Impact
• Signup process
• Name
• Password (And Confirm)
• Email Address
• Yet another set of credentials
Offloading Authentication
flickr - @sbisson
What is Offloading?
• Authentication via a trusted third party
• User creates an account there (or likely already has one)
• They manage passwords and usernames
• Host application passes user to authentication provider
• No passwords pass over your wire
Why Offload?
• Dirty work is done for you
• No Passwords. Ever. None.
• No Username Selections
• Implementation is quick and easy
• Signup is fast
Effectiveness
• Quick Conversion
• Personal Information
• Demographic Information
Downsides
• Indentured to a provider
• Require a third party for a critical aspect of your application
Who To Use?
Finding a Provider
• Reliability
• Support
• Trust from users
• Usage
• Longevity
Make A Choice
• Pick the right service for your audience
• Choose multiple services
Getting Started
First Step
• Getting to know the technologies
• OpenID
• OAuth
OpenID
• One login, multiple sites
• Decentralized
• URI-based. EX: jfaustin.myopenid.com
• Service provided by anyone
OpenID Workflow
OpenID
• Hasn’t really caught on
• Thought of as “geek speak”
• Service providers include
• Yahoo
• Many more...
OAuth
• Open standard for access delegation
• Paired with an authentication step at the provider, it gives you SSO
• Valet key to the internet
OAuth Players
• Service Provider (Server) - has the information you want
• Consumer (Client) - wants the information from the Service Provider
• User (Resource Owner) - can grant the Consumer access to information about their account at the Service Provider
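Added example, not from the talk and not Zend Framework code: what an OAuth 1.0a consumer such as Zend_Oauth_Consumer does on every signed request, including the getRequestToken() and getAccessToken() calls used later in this deck. The consumer never transmits its consumer secret or the token secret; it sends an HMAC-SHA1 over a canonical signature base string, keyed with both secrets, and the Service Provider recomputes it. The self-test checks against the vector published in OAuth Core 1.0, Appendix A; the keys and tokens in it are the spec's, not real credentials.

```php
<?php
// Added example (not from the talk): OAuth 1.0a HMAC-SHA1 request signing,
// the mechanism underneath "the valet key to the internet". The user's
// Twitter password is never involved; the Consumer proves it holds the
// consumer secret and the token secret without ever sending either one.

// OAuth requires RFC 3986 percent-encoding. rawurlencode() matches on current
// PHP; the str_replace only matters for old versions that encoded "~".
function oauthEncode(string $s): string
{
    return str_replace('%7E', '~', rawurlencode($s));
}

// Signature base string: METHOD & base-URL & normalised parameters, where the
// parameters (oauth_* AND the query string) are encoded, sorted, and joined.
function oauthBaseString(string $method, string $url, array $params): string
{
    $pairs = [];
    foreach ($params as $k => $v) {
        $pairs[] = [oauthEncode((string)$k), oauthEncode((string)$v)];
    }
    usort($pairs, function (array $a, array $b): int {
        return $a[0] === $b[0] ? strcmp($a[1], $b[1]) : strcmp($a[0], $b[0]);
    });
    $normalised = implode('&', array_map(function (array $p): string {
        return $p[0] . '=' . $p[1];
    }, $pairs));
    return strtoupper($method) . '&' . oauthEncode($url) . '&' . oauthEncode($normalised);
}

// Signing key is consumerSecret "&" tokenSecret. For the very first call
// (getting a request token) there is no token yet, so tokenSecret is empty.
function oauthHmacSha1Signature(string $baseString, string $consumerSecret, string $tokenSecret = ''): string
{
    $key = oauthEncode($consumerSecret) . '&' . oauthEncode($tokenSecret);
    return base64_encode(hash_hmac('sha1', $baseString, $key, true));
}

// Check against the OAuth Core 1.0 Appendix A test vector (spec credentials,
// not real ones). A provider verifying a request does exactly this recompute.
function oauthSelfTest(): bool
{
    $params = [
        'oauth_consumer_key'     => 'dpf43f3p2l4k3l03',
        'oauth_token'            => 'nnch734d00sl2jdk',
        'oauth_signature_method' => 'HMAC-SHA1',
        'oauth_timestamp'        => '1191242096',
        'oauth_nonce'            => 'kllo9940pd9333jh',
        'oauth_version'          => '1.0',
        'file'                   => 'vacation.jpg',   // query parameters are signed too
        'size'                   => 'original',
    ];
    $base = oauthBaseString('GET', 'http://photos.example.net/photos', $params);
    $sig  = oauthHmacSha1Signature($base, 'kd94hf93k423kf44', 'pfkkdhi9sl3r4s00');
    // Compare in constant time, as a provider should when checking a signature.
    return hash_equals('tR3+Ty81lMeYAr/Fid0kMTYa/WM=', $sig);
}

var_dump(oauthSelfTest());
```

The timestamp and nonce are part of what is signed, which is what lets the Service Provider reject replayed requests; a library handles all of this for you, which is why the next slides pick one rather than hand-rolling it.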
OAuth
• Technology behind authentication from
• Yahoo!
Sign in with Twitter
Get Started
• Register your app with Twitter
• https://dev.twitter.com/apps/new
• Add some UI to your app
• Choose an OAuth lib to help
OAuth Libraries
• oauth-php: http://code.google.com/p/oauth-php/
• Zend_Oauth: http://framework.zend.com/manual/en/zend.oauth.introduction.html
• OAuth PECL package: http://pecl.php.net/package/oauth
• CakePHP OAuth Package: http://code.42dh.com/oauth/
Files Needed
• index.php
• auth.php
• callback.php
* Needs an OAuth library. We're going to use ZF (Zend_Oauth).
Logging In

```php
<?php
// index.php
session_start();

if (isset($_SESSION['auth'])) {
    echo "Logged in";
    echo "<br><br><pre>";
    // Demo only: this array holds oauth_token_secret as well as user_id and
    // screen_name, so don't render it in a real application. It is escaped
    // here because screen_name is user-chosen text going into HTML.
    echo htmlspecialchars(print_r($_SESSION['auth'], true), ENT_QUOTES, 'UTF-8');
    echo "</pre>";
    echo "<a href='logout.php'>Logout</a>";
} else {
    echo "Not logged in";
    echo "<br><br>";
    echo "<a href='auth.php'>Sign in to twitter</a>";
}
```
Authentication

```php
<?php
// auth.php
session_start();

if (isset($_SESSION['auth'])) {
    echo "already logged in";
    die();
}

$options = array(
    // Placeholder credentials from the slides. Real ones come from
    // https://dev.twitter.com/apps/new and belong in config, not in source.
    'consumerKey'    => 'asdfgawe23aewvserg43tg',
    'consumerSecret' => 'asdf34visnerfg9j0ae49gj09srjg9ae',
    // Must match the callback registered with Twitter. Serve it over https
    // in production so oauth_token/oauth_verifier aren't sent in the clear.
    'callbackUrl'    => 'http://pintlabs.com/demo/callback.php',
    'siteUrl'        => 'http://twitter.com/oauth',
);

require_once 'Zend/Oauth/Consumer.php';
$consumer = new Zend_Oauth_Consumer($options);

// Step 1: fetch a temporary request token (request signed with the consumer secret).
$token = $consumer->getRequestToken();

// Keep the request token and its secret server-side for callback.php,
// then send the user to Twitter's authorize page (step 2).
$_SESSION['requestToken'] = serialize($token);
$consumer->redirect();
```
Receive the Callback

```php
<?php
// callback.php
session_start();

if (!isset($_GET['oauth_token'], $_GET['oauth_verifier'])) {
    die("oauth_token or oauth_verifier not set");
}
if (!isset($_SESSION['requestToken'])) {
    // No pending login in this session: the callback did not originate from auth.php.
    die("no pending request token");
}

$response = array(
    'oauth_token'    => $_GET['oauth_token'],
    'oauth_verifier' => $_GET['oauth_verifier'],
);

// same options as auth.php
$options = array(
    'consumerKey'    => 'asdfgawe23aewvserg43tg',
    'consumerSecret' => 'asdf34visnerfg9j0ae49gj09srjg9ae',
    'callbackUrl'    => 'http://pintlabs.com/demo/callback.php',
    'siteUrl'        => 'http://twitter.com/oauth',
);
require_once 'Zend/Oauth/Consumer.php';
$consumer = new Zend_Oauth_Consumer($options);

$requestToken = unserialize($_SESSION['requestToken']);

// Step 3: exchange request token + verifier for an access token.
// Zend_Oauth_Consumer checks that the oauth_token in the callback matches
// the request token stored in this session and throws Zend_Oauth_Exception
// otherwise, which ties the callback to the browser that started the login.
try {
    $accessToken = $consumer->getAccessToken($response, $requestToken);
} catch (Zend_Oauth_Exception $e) {
    unset($_SESSION['requestToken']);
    die("OAuth token exchange failed");
}
unset($_SESSION['requestToken']);

// Twitter returns a form-encoded body: oauth_token, oauth_token_secret,
// user_id, screen_name.
parse_str($accessToken->getResponse()->getBody(), $params);

// Privilege level changes here, so issue a fresh session id; a session id
// planted before login (fixation) must not become an authenticated one.
session_regenerate_id(true);
$_SESSION['auth'] = $params;
header('Location: index.php');
```
Best Practices
A Few Things To Remember...
• What if the external key changes?
• Changed OpenID URL
• Changed Twitter ID
• Multiple accounts from the same user
Account Management
• Have an internal application account id
• Link external accounts to internal id
• Allow management of external authentication sources by the user
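Added example, not from the talk: the internal-id/linked-identities pattern from this slide and the previous one, as PHP with PDO on an in-memory SQLite database so it runs stand-alone. The schema, function names and the sample Twitter user_id are assumptions; the fact it relies on is that Twitter's access-token response carries a numeric user_id that does not change when the screen_name does, and that an OpenID claimed identifier is a URL the user might later change.

```php
<?php
// Added example (not from the talk): one internal account id, many linked
// external identities. Schema and names are assumptions for the demo.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Internal account: the only id the rest of the application ever refers to.
$db->exec('CREATE TABLE users (
    id           INTEGER PRIMARY KEY AUTOINCREMENT,
    display_name TEXT NOT NULL
)');
// One row per external identity. Key on the provider\'s STABLE identifier
// (Twitter user_id, the OpenID claimed identifier), never on a changeable
// handle such as screen_name; keep the handle only as a label.
$db->exec('CREATE TABLE identities (
    provider    TEXT NOT NULL,
    external_id TEXT NOT NULL,
    user_id     INTEGER NOT NULL REFERENCES users(id),
    label       TEXT,
    PRIMARY KEY (provider, external_id)
)');

// Called from the OAuth/OpenID callback after the provider has vouched for the
// identity. Returns the internal user id: creates an account on first login,
// or links the identity to $currentUserId when a logged-in user adds a provider.
function loginWithExternalIdentity(PDO $db, string $provider, string $externalId,
                                   string $label, ?int $currentUserId = null): int
{
    $db->beginTransaction();
    try {
        $stmt = $db->prepare('SELECT user_id FROM identities WHERE provider = ? AND external_id = ?');
        $stmt->execute([$provider, $externalId]);
        $existing = $stmt->fetchColumn();

        if ($existing !== false) {
            if ($currentUserId !== null && (int)$existing !== $currentUserId) {
                // Identity already belongs to another account. Never merge
                // silently: that would let one login take over another account.
                throw new RuntimeException('identity already linked to a different account');
            }
            // Refresh the changeable label; the key stays the same.
            $db->prepare('UPDATE identities SET label = ? WHERE provider = ? AND external_id = ?')
               ->execute([$label, $provider, $externalId]);
            $userId = (int)$existing;
        } else {
            if ($currentUserId === null) {
                $db->prepare('INSERT INTO users (display_name) VALUES (?)')->execute([$label]);
                $currentUserId = (int)$db->lastInsertId();
            }
            $db->prepare('INSERT INTO identities (provider, external_id, user_id, label) VALUES (?, ?, ?, ?)')
               ->execute([$provider, $externalId, $currentUserId, $label]);
            $userId = $currentUserId;
        }
        $db->commit();
        return $userId;
    } catch (Throwable $e) {
        $db->rollBack();
        throw $e;
    }
}

// Let the user remove a provider, but never the last one: with no password on
// file, removing the only identity would lock them out for good.
function unlinkIdentity(PDO $db, int $userId, string $provider, string $externalId): void
{
    $count = $db->prepare('SELECT COUNT(*) FROM identities WHERE user_id = ?');
    $count->execute([$userId]);
    if ((int)$count->fetchColumn() <= 1) {
        throw new RuntimeException('cannot remove the only login method');
    }
    $db->prepare('DELETE FROM identities WHERE user_id = ? AND provider = ? AND external_id = ?')
       ->execute([$userId, $provider, $externalId]);
}

// Constructed walk-through (ids and handles are made up): first Twitter login
// creates the account; a later login after a screen_name change still resolves
// to the same account because the key is user_id; the user then links an OpenID.
$uid     = loginWithExternalIdentity($db, 'twitter', '12345', 'example_user');
$sameUid = loginWithExternalIdentity($db, 'twitter', '12345', 'example_user_renamed');
$linked  = loginWithExternalIdentity($db, 'openid', 'http://jfaustin.myopenid.com/', 'jfaustin.myopenid.com', $uid);
var_dump($uid === $sameUid && $sameUid === $linked);
```

With two identities on file the user can drop either provider and still log in, which is also the per-account half of the backup plan on the next slide.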
Have A Backup Plan
• Downtime
• Removal of service
• Change in service
Questions?
http://joind.in/3431
Jason Austin - @jason_austin - [email protected]
Code Available at http://github.com/jfaustin/tek11-twitter-auth