How PayPal uses Open Identity

Tim's talk during the Moosecon at the CeBIT 2013.

Transcript

  • 1. How PayPal uses Open Identity. Tim Messerschmidt, Developer Evangelist. Moosecon, March 2012, Hannover. @SeraAndroid
  • 2. Who am I? Tim Messerschmidt: Developer Evangelist, Startup Mentor, Author
  • 4. What is identity in the Web?
  • 7. PayPal Access
    • Active users: 123.000.000
    • Uses OpenID Connect
    • Interesting for commercial use cases
      – Adds integrity to existing applications
      – Clearly business- & merchant-oriented
    • Actively being worked on!
      – Expect new kick-ass features soon
  • 12. Why OpenID Connect?
  • 13. Authorization vs. Authentication
  • 14. OAuth 1.0
  • 15. OAuth 2.0
  • 16. OAuth 2.0 & the Road to Hell. Eran Hammer: http://hueniverse.com/2012/07/oauth-2-0-and-the-road-to-hell/
  • 17. “OAuth 2.0 offers little to none code reusability”
  • 18. “What 2.0 offers is a blueprint for an authorization protocol”
  • 19. On the Deadness of OAuth 2. Tim Bray: http://www.tbray.org/ongoing/When/201x/2012/07/28/Oauth2-dead
  • 20. OAuth 2 is useful today
  • 21. “OAuth 2 may not be perfect, and may have been harmed by the Enterprise crap, but the core of Web functionality […] seems to have survived.”
  • 22. OpenID Connect
  • 25. Session management
    • Highly demanded feature
      – Service can be used to login & logout
    • OAuth 2.0 requires users to revoke permission to “logout”
    • Token validation & refreshment
    • An optional feature
  • 26. Authorization Flow (client and server columns of the slide, in step order)
    1. Client: Open Authorization Endpoint URL
    2. Server: Provide a login page
    3. Server: Return the Authorization Token after a successful login
    4. Client: Check callbacks for Authorization Token
    5. Client: Request a valid Access Token
    6. Server: Check Authorization Token & return the Access Token if it’s valid
    7. Client: Retrieve user’s resources
  • 27. OAuth 2.0 implementation can be easily changed to OpenID Connect
  • 28. Why should I use this?
  • 29. People forget passwords… “45 % admit to leaving a website instead of re-setting their password or answering security questions” * Blue Inc. 2011
  • 30. People don’t like to register… Out of 657 surveyed users 66 % think that social sign-in is a desirable alternative. * Blue Inc. 2011
  • 31. Verified profiles
    • Email – as it’s the user’s login
    • Address – ship my stuff here!
    • Name – makes sense, too
    • … and much more information!
  • 32. 5 scopes to access the profile:
    1. profile
    2. email
    3. address
    4. phone
    5. attributes
  • 33. Leverage an existing profile
  • 34. x.com/identity
  • 35. Help? Problems?
    • paypal.com/dts
      – Developer Technical Services
      – Ticketing
    • StackOverflow.com
      – Tag “PayPal”
      – Actively being watched by Technical Service and Developer Evangelists like me
  • 36. Questions?
  • 37. Thanks! tmesserschmidt@paypal.com, @seraandroid / @paypaleurodev, slideshare.net/PayPalEUDevs
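The authorization flow on slide 26, worked through as an added example that is not PayPal's code and not part of the deck: an in-memory simulation of both the client and the authorization-server side of the OAuth 2.0 authorization-code exchange (what the slide calls the "Authorization Token" is the authorization code), including the checks a relying party must not skip: the `state` round-trip on the callback and single-use, short-lived codes bound to the client and redirect URI. The client id, secret and redirect URI are constructed placeholders.

```python
import secrets
import time
from urllib.parse import urlencode, urlparse, parse_qs
CLIENT_ID, CLIENT_SECRET, REDIRECT_URI = "demo-client", "demo-secret", "https://client.example/cb"

class AuthorizationServer:
    """Provider side: a constructed stand-in, not PayPal's implementation."""
    def __init__(self):
        self.clients = {CLIENT_ID: (CLIENT_SECRET, REDIRECT_URI)}
        self.codes = {}  # code -> (client_id, redirect_uri, issued_at)

    def authorize(self, client_id, redirect_uri, state, user_logged_in):
        """Steps 2-3: show the login page; on success redirect back with a code."""
        if self.clients.get(client_id, (None, None))[1] != redirect_uri:
            raise ValueError("unknown client or redirect_uri mismatch")
        if not user_logged_in:
            return None  # the login page would be rendered here
        code = secrets.token_urlsafe(24)
        self.codes[code] = (client_id, redirect_uri, time.time())
        return f"{redirect_uri}?{urlencode({'code': code, 'state': state})}"

    def token(self, client_id, client_secret, code, redirect_uri):
        """Step 6: check the code and return an access token only if it is valid."""
        if self.clients.get(client_id, (None, None))[0] != client_secret:
            raise PermissionError("bad client credentials")
        entry = self.codes.pop(code, None)  # pop makes every code single-use
        if entry is None or entry[:2] != (client_id, redirect_uri):
            raise PermissionError("invalid, reused or foreign code")
        if time.time() - entry[2] > 60:
            raise PermissionError("code expired")
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}

class Client:
    """Relying-party side: the client column of the slide."""
    def __init__(self, server):
        self.server, self.pending_states = server, set()

    def start_login(self):
        """Step 1: open the authorization endpoint with a fresh state value."""
        state = secrets.token_urlsafe(16)
        self.pending_states.add(state)
        return state

    def handle_callback(self, callback_url):
        """Steps 4-5: verify the callback's state, then swap the code for a token."""
        qs = parse_qs(urlparse(callback_url).query)
        if qs.get("state", [None])[0] not in self.pending_states:
            raise PermissionError("state mismatch: possible CSRF or replay")
        self.pending_states.discard(qs["state"][0])
        return self.server.token(CLIENT_ID, CLIENT_SECRET, qs["code"][0], REDIRECT_URI)
```

Step 7 (fetching the user's resources with the returned bearer token) is left out; a replayed callback fails on the consumed `state`, and a replayed code fails on the server because `pop` removed it.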