CIS13: Identity Tech Overview: Less Pain, More Gain

Tim Bray, Developer Advocate, Google
Identity is tricky, and the penalties for getting it wrong are severe. Good news: technologies are surfacing that reduce developer pain while improving user experience. This talk highlights those technologies and introduces a framework, starting from your unique combination of constraints, users and platforms, to help you figure out which technologies and policies will work for you.

Transcript

  • 4. Scalable Internet Kindness. Tim Bray (tbray.org, google.com/+TimBray, @timbray), Developer Advocate. Thursday, July 18, 13
  • 5. Demo: Tumblr
  • 6. From the top Google match for “password rules”:
    ◦ The password must be at least 8 characters long.
    ◦ The password must contain at least: one alpha character [a-zA-Z]; one numeric character [0-9]; one special character from this set: ` ! @ $ % ^ & * ( ) - _ = + [ ] ; : ' " , < . > / ?
    ◦ The password must not: contain spaces; begin with an exclamation [!] or a question mark [?]; contain your login ID; contain your registered email address.
    ◦ The password cannot contain repeating character strings of 3 or more identical characters, e.g. “1111” or “aaa”.
    ◦ The sequence of the first 3 characters cannot be in your login ID.
    ◦ The first 8 characters cannot be the same as in your previous password.
    ◦ Passwords are treated as case sensitive.
  • 9. Demo: AccountChooser
  • 13. Brian Campbell’s slides from GlueCon, a major deep-dive: http://goo.gl/Sj1UF
  • 15. An Access Token: “ya29.AHES6ZQjFP7Ih-1pKyG9vdUoF28p4peeieppieob5CPHAwq3FLnm”
  • 16. How to use an Access Token:
        GET /v1/people/me HTTP/1.1
        ...
        Host: www.googleapis.com
        Authorization: Bearer ya29.AHES6ZQjFP7Ih-1pKyG9vdUoF2...
  • 17. How to peek into an Access Token:
        634> curl https://www.googleapis.com/oauth2/v1/tokeninfo?access_token=ya29.AHES6Z...
        {
          "issued_to": "407408718192.apps.googleusercontent.com",
          "audience": "407408718192.apps.googleusercontent.com",
          "user_id": "107760670355981561507946",
          "scope": "https://www.googleapis.com/auth/plus.me",
          "expires_in": 3370,
          "access_type": "offline"
        }
  • 18. An Access Token
    ◦ is opaque,
    ◦ short-lived, and
    ◦ signifies the right for a particular Google Account to access a particular scope.
    ◦ It is unencrypted, therefore
    ◦ it must be transmitted over TLS (https).
  • 20. A Refresh Token: “1/z48pvqwy8wucZp2zqQxgC2B3gZNoPRRq_mgrgdJcmi4”
  • 21. How to use a Refresh Token:
        POST /o/oauth2/token HTTP/1.1
        Host: accounts.google.com
        Content-Type: application/x-www-form-urlencoded
        ...
        refresh_token=1/z48pvqwy8wucZp2...&
        client_id=424861364121.apps.googleusercontent.com&
        client_secret=****&
        grant_type=refresh_token
  • 22. A Refresh Token
    ◦ is opaque,
    ◦ doesn’t expire until revoked, and
    ◦ signifies the right for a particular Google Account to access a particular scope.
    ◦ It includes a shared secret, and
    ◦ it is unencrypted, therefore
    ◦ it must be transmitted over TLS (https).
  • 23. An ID Token:
        eyJhbGciOiJSUzI1NiIsImtpZCI6ImFkMmE1MGNiNzBjNWRhNzg5ZWUyNmQwNWI4ZjYyMWE5OWU4MTIwMmUifQ.eyJpc3MiOiJhY2NvdW50cy5nb29nbGUuY29tIiwiaWQiOiIxMDc2MDY3MDM1NTgxNjE1MDc5NDYiLCJzdWIiOiIxMDc2MDY3MDM1NTgxNjE1MDc5NDYiLCJjaWQiOiI0MDc0MDg3MTgxOTIuYXBwcy5nb29nbGV1c2VyY29udGVudC5jb20iLCJhenAiOiI0MDc0MDg3MTgxOTIuYXBwcy5nb29nbGV1c2VyY29udGVudC5jb20iLCJ0b2tlbl9oYXNoIjoiVzlhVEtEVmF6M1VKdkhHdTUzLWJ5dyIsImF0X2hhc2giOiJXOWFUS0RWYXozVUp2SEd1NTMtYnl3IiwiYXVkIjoiNDA3NDA4NzE4MTkyLmFwcHMuZ29vZ2xldXNlcmNvbnRlbnQuY29tIiwiaWF0IjoxMzY3NTMxODg2LCJleHAiOjEzNjc1MzU3ODZ9.vtELejHfCClmqR9QTmk-ZATjEQaE37jiizY8cWUwBJ8hpXtTkjD9kRs91vncm8BmF_ztT7I3Q64AqYN8kJCyi82icligeO6vJ_bO-LgSkJSv657m1agdLPhkB6zqGKkH8qT40xwdYTXOXB0EkNZiGQhYg_TJNDasTn9KKxba-DE
  • 26. ID Token header (“crypto stuff”): the first base64url segment of the token above,
        eyJhbGciOiJSUzI1NiIsImtpZCI6ImFkMmE1MGNiNzBjNWRhNzg5ZWUyNmQwNWI4ZjYyMWE5OWU4MTIwMmUifQ
        decodes to
        { "alg":"RS256", "kid":"ad2a50cb70c5da789ee26d05b8f621a99e81202e" }
  • 27. www.googleapis.com/oauth2/v1/certs
  • 28. rubygems.org/gems/google-id-token
        Installation:
        gem install google-id-token
        Example:
        require 'google-id-token'

        validator = GoogleIDToken::Validator.new
        jwt = validator.check(token, required_audience, required_client_id)
        if jwt
          email = jwt['email']
        else
          # the slide wrote `report`, which is not a Ruby method; `warn` writes to stderr
          warn "Cannot validate: #{validator.problem}"
        end
  • 29. Inside an ID Token: the second base64url segment, .eyJpc3MiOiJhY2NvdW50cy5nb29nbGUuY29..., is the payload and decodes to
        {
          "iss":"accounts.google.com",
          "sub":"107606703558161507946",
          "azp":"407408718192.apps.googleusercontent.com",
          "token_hash":"W9aTKDVaz3UJvHGu53-byw",
          "at_hash":"W9aTKDVaz3UJvHGu53-byw",
          "aud":"407408718192.apps.googleusercontent.com",
          "iat":1367531886,
          "exp":1367535786
        }
  • 30. An ID Token
    ◦ is cryptographically signed by an issuer (“iss”),
    ◦ asserts that the user (“sub”) is authenticated by that issuer,
    ◦ is meant for a particular recipient (“aud”), and
    ◦ may have been issued to a particular authorized party (“azp”).
    ◦ It is unencrypted, therefore
    ◦ it must be transmitted over TLS (https).
    ◦ They are incredibly useful! (see tbray.org/ongoing/When/201x/2013/04/04/ID-Tokens)
  • 34. (Authz/authn demo)
  • 35.
        <body>
          <div id="gConnect">
            <button class="g-signin"
                    data-scope="https://www.googleapis.com/auth/plus.login"
                    data-requestvisibleactions="http://schemas.google.com/AddActivity"
                    data-clientId="{{ CLIENT_ID }}"
                    data-accesstype="offline"
                    data-callback="onSignInCallback"
                    data-theme="dark"
                    data-cookiepolicy="single_host_origin">
            </button>
          </div>
        </body>
  • 36.
        get '/people' do
          # Check for stored credentials in the current user's session.
          if !session[:token]
            halt 401, 'User not connected.'
          end
          # Authorize the client and construct a Google+ service.
          $client.authorization.update_token!(session[:token].to_hash)
          plus = $client.discovered_api('plus', 'v1')
          # Get the list of people as JSON and return it.
          response = $client.execute!(plus.people.list,
                                      :collection => 'visible',
                                      :userId => 'me').body
          content_type :json
          response
        end
  • 37. Cross-client Identity
  • 40. Developer API console: your “Project” holds a Web Client ID, an Android app 1 Client ID, a JavaScript app Client ID and an Android app 2 Client ID. Auth one, auth ‘em all.
  • 42. developers.google.com/accounts/docs/CrossClientAuth
  • 43. Cross-client Identity:
    ◦ Shared sign-in with ID Tokens
    ◦ Shared Access-Token grant
    ◦ Mobile app gets offline Web-app access
  • 50. Your client app talks to your server back-end over HTTPS: “Who am I talking to?”
  • 51. developers.google.com/accounts/cookbook/
  • 52. Cookbook “Platforms” page:
    ◦ Android app on a compatible device with Google Play services.
    ◦ A native compiled app on a personal computer or mobile device.
    ◦ Android app without Google Play services (for example, a Kindle). This is effectively equivalent to the Native-app scenario.
    ◦ iOS app.
    ◦ Browser-based Web app.
    ◦ Hybrid mobile/web, where components need to share identity.
    ◦ Chrome app/extension.
    ◦ Server-side app.
    ◦ Low-capability device (keyboard-challenged).
  • 54. <Thank You!> tbray.org/ google.com/+TimBray @timbray
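Slides 17 and 18 show what the tokeninfo endpoint returns for an opaque access token, but not what a relying party should do with that response before trusting the token. The following is an added example, not code from the talk or from Google's libraries: `check_tokeninfo`, its reason strings and the sample bodies are constructed here (claim names and values copied from slide 17). The check that matters most is the audience: a token that is perfectly valid for some other application must not be accepted by yours.

```ruby
require 'json'

# Decide whether a bearer token may be accepted, given the JSON body that the
# tokeninfo endpoint returned for it. Returns [true, nil] on success or
# [false, reason] on failure. (Constructed helper; not part of the talk.)
def check_tokeninfo(body, expected_client_id, required_scope)
  info = JSON.parse(body)
  # A bad or revoked token comes back as an error object rather than claims.
  return [false, "tokeninfo reported: #{info['error']}"] if info.key?('error')
  # The audience must be *our* client ID. Without this check, a token that was
  # issued to a different application could be presented to this one and be
  # accepted as proof of the user's identity (a token-substitution problem).
  unless info['audience'] == expected_client_id
    return [false, "audience #{info['audience'].inspect} is not ours"]
  end
  # Scopes are space-separated; every scope we rely on must actually be granted.
  granted = info['scope'].to_s.split(' ')
  unless granted.include?(required_scope)
    return [false, "required scope #{required_scope} not granted"]
  end
  return [false, 'token already expired'] unless info['expires_in'].to_i > 0
  return [false, 'no user_id in response'] if info['user_id'].to_s.empty?
  [true, nil]
rescue JSON::ParserError
  [false, 'tokeninfo response is not JSON']
end

# Constructed sample responses; the first mirrors the slide's output.
GOOD_TOKENINFO = <<~BODY
  {
    "issued_to": "407408718192.apps.googleusercontent.com",
    "audience": "407408718192.apps.googleusercontent.com",
    "user_id": "107760670355981561507946",
    "scope": "https://www.googleapis.com/auth/plus.me",
    "expires_in": 3370,
    "access_type": "offline"
  }
BODY
FOREIGN_AUDIENCE = GOOD_TOKENINFO.sub('"audience": "407408718192', '"audience": "999999999999')
EXPIRED_TOKENINFO = GOOD_TOKENINFO.sub('"expires_in": 3370', '"expires_in": 0')
ERROR_BODY = '{ "error": "invalid_token" }'

if __FILE__ == $PROGRAM_NAME
  [GOOD_TOKENINFO, FOREIGN_AUDIENCE, EXPIRED_TOKENINFO, ERROR_BODY].each do |body|
    ok, reason = check_tokeninfo(body, '407408718192.apps.googleusercontent.com',
                                 'https://www.googleapis.com/auth/plus.me')
    puts ok ? 'accept' : "reject: #{reason}"
  end
end
```

The function only decides about the token; the HTTP call to tokeninfo itself (shown on slide 17) is deliberately kept outside it so the decision logic can be tested offline.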
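Slides 23 through 30 describe an ID token as a signed JWT whose header names the key (“kid”) and whose payload carries iss, sub, aud, azp, iat and exp, and slide 28 shows the google-id-token gem's check/problem interface. The following is an added example, not the gem's code and not code from the talk: it mints a token with the claim shape from slide 29 under a constructed RSA key (standing in for the keys served at www.googleapis.com/oauth2/v1/certs) and then validates it the way a relying party should. `validate_id_token`, `mint_id_token`, `sample_claims`, the base64url helpers, the 60-second clock-skew allowance and all reason strings are assumptions made here; the trusted issuer and audience values are the ones on the slides.

```ruby
require 'openssl'
require 'json'

# base64url without padding (JWS), built on pack/unpack so no extra gem is needed.
def b64url_encode(bytes)
  [bytes].pack('m0').tr('+/', '-_').delete('=')
end

def b64url_decode(str)
  s = str.tr('-_', '+/')
  s += '=' * ((4 - s.length % 4) % 4)
  s.unpack1('m0')   # raises ArgumentError on malformed input
end

# Constructed stand-in for the issuer's key pair. A real validator fetches the
# public keys from www.googleapis.com/oauth2/v1/certs and picks one by "kid".
ISSUER_KEY = OpenSSL::PKey::RSA.new(2048)
CERTS = { 'constructed-kid-1' => ISSUER_KEY.public_key }.freeze

# Mint an RS256-signed token with the slide's claim shape (used only to
# produce input for the validator; alg: 'none' exists to exercise rejection).
def mint_id_token(claims, kid: 'constructed-kid-1', key: ISSUER_KEY, alg: 'RS256')
  header = { 'alg' => alg, 'kid' => kid }
  input = "#{b64url_encode(JSON.generate(header))}.#{b64url_encode(JSON.generate(claims))}"
  sig = alg == 'none' ? '' : key.sign(OpenSSL::Digest.new('SHA256'), input)
  "#{input}.#{b64url_encode(sig)}"
end

# Validate an ID token for this relying party. Returns [claims, nil] when the
# token is good and [nil, problem] otherwise, mirroring the gem's check/problem
# split. Order matters: decide which key and algorithm *we* accept, verify the
# signature, and only then trust the claims enough to check who issued the
# token, who it is for, and whether it is inside its validity window.
def validate_id_token(token, required_audience, certs: CERTS, now: Time.now.to_i,
                      trusted_issuers: ['accounts.google.com'], allowed_azp: nil, skew: 60)
  parts = token.to_s.split('.', -1)
  return [nil, 'token must have three dot-separated segments'] unless parts.length == 3
  header_b64, payload_b64, sig_b64 = parts
  begin
    header = JSON.parse(b64url_decode(header_b64))
    claims = JSON.parse(b64url_decode(payload_b64))
    sig    = b64url_decode(sig_b64)
  rescue JSON::ParserError, ArgumentError
    return [nil, 'header or payload is not base64url-encoded JSON']
  end
  return [nil, 'header and payload must be JSON objects'] unless header.is_a?(Hash) && claims.is_a?(Hash)
  # Pin the algorithm; the token must never get to choose it ("none" included).
  return [nil, "unsupported alg #{header['alg'].inspect}"] unless header['alg'] == 'RS256'
  key = certs[header['kid']]
  return [nil, "unknown kid #{header['kid'].inspect}"] unless key
  # The signature covers exactly the two encoded segments as transmitted.
  verified = begin
    key.verify(OpenSSL::Digest.new('SHA256'), sig, "#{header_b64}.#{payload_b64}")
  rescue OpenSSL::PKey::PKeyError
    false
  end
  return [nil, 'signature does not verify'] unless verified
  return [nil, "untrusted issuer #{claims['iss'].inspect}"] unless trusted_issuers.include?(claims['iss'])
  # "aud" must be *this* client; a token minted for another app is not ours to accept.
  return [nil, 'audience mismatch'] unless claims['aud'] == required_audience
  if allowed_azp && claims.key?('azp') && !allowed_azp.include?(claims['azp'])
    return [nil, 'authorized party not allowed']
  end
  return [nil, 'missing or malformed exp'] unless claims['exp'].is_a?(Integer)
  return [nil, 'token expired'] unless claims['exp'] > now
  return [nil, 'token issued in the future'] if claims['iat'].is_a?(Integer) && claims['iat'] > now + skew
  return [nil, 'missing sub'] if claims['sub'].to_s.empty?
  [claims, nil]
end

# Constructed claims mirroring slide 29's payload, with times relative to `now`.
def sample_claims(now)
  { 'iss' => 'accounts.google.com',
    'sub' => '107606703558161507946',
    'azp' => '407408718192.apps.googleusercontent.com',
    'aud' => '407408718192.apps.googleusercontent.com',
    'iat' => now, 'exp' => now + 3900 }
end

if __FILE__ == $PROGRAM_NAME
  now = Time.now.to_i
  claims, problem = validate_id_token(mint_id_token(sample_claims(now)),
                                      '407408718192.apps.googleusercontent.com', now: now)
  puts problem ? "Cannot validate: #{problem}" : "authenticated sub=#{claims['sub']}"
end
```

Two design points carry over to any real deployment: the accepted algorithm and key set are fixed by the validator, never read from the token, and the audience is compared against the one client ID this server expects, which is the same check slide 28's `required_audience` parameter expresses.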