How PayPal uses Open Identity

Tim's talk during the Moosecon at the CeBIT 2013.

How PayPal uses Open Identity Presentation Transcript

  • 1. How PayPal uses Open Identity. Tim Messerschmidt, Developer Evangelist. Moosecon, March 2012, Hannover. @SeraAndroid
  • 2. Who am I? Tim Messerschmidt: Developer Evangelist, Startup Mentor, Author
  • 3. (image slide, no text)
  • 4. What is identity in the Web?
  • 5. (image slide, no text)
  • 6. (image slide, no text)
  • 7. PayPal Access
      – Active users: 123,000,000
      – Uses OpenID Connect
      – Interesting for commercial use cases: adds integrity to existing applications; clearly business- & merchant-oriented
      – Actively being worked on! Expect new kick-ass features soon
  • 8. (image slide, no text)
  • 9. (image slide, no text)
  • 10. (image slide, no text)
  • 11. (image slide, no text)
  • 12. Why OpenID Connect?
  • 13. Authorization vs. Authentication
  • 14. OAuth 1.0
  • 15. OAuth 2.0
  • 16. OAuth 2.0 & the Road to Hell. Eran Hammer: http://hueniverse.com/2012/07/oauth-2-0-and-the-road-to-hell/
  • 17. “OAuth 2.0 offers little to none code reusability”
  • 18. “What 2.0 offers is a blueprint for an authorization protocol”
  • 19. On the Deadness of OAuth 2. Tim Bray: http://www.tbray.org/ongoing/When/201x/2012/07/28/Oauth2-dead
  • 20. OAuth 2 is useful today
  • 21. “OAuth 2 may not be perfect, and may have been harmed by the Enterprise crap, but the core of Web functionality […] seems to have survived.”
  • 22. OpenID Connect
  • 23. (image slide, no text)
  • 24. (image slide, no text)
  • 25. Session management
      – Highly demanded feature: the service can be used to log in & log out
      – OAuth 2.0 requires users to revoke permission to “log out”
      – Token validation & refreshment
      – An optional feature
  • 26. Authorization Flow (Client / Server)
      1. Client: open the Authorization Endpoint URL
      2. Server: provide a login page
      3. Server: return the Authorization Token after a successful login
      4. Client: check callbacks for the Authorization Token
      5. Client: request a valid Access Token
      6. Server: check the Authorization Token & return the Access Token if it’s valid
      7. Client: retrieve the user’s resources
  • 27. An OAuth 2.0 implementation can be easily changed to OpenID Connect
  • 28. Why should I use this?
  • 29. People forget passwords… “45 % admit to leaving a website instead of re-setting their password or answering security questions” * Blue Inc. 2011
  • 30. People don’t like to register… Out of 657 surveyed users, 66 % think that social sign-in is a desirable alternative. * Blue Inc. 2011
  • 31. Verified profiles: Email – as it’s the user’s login; Address – ship my stuff here!; Name – makes sense, too… and much more information!
  • 32. 5 scopes to access the profile: 1. profile, 2. email, 3. address, 4. phone, 5. attributes
  • 33. Leverage an existing profile
  • 34. x.com/identity
  • 35. Help? Problems?
      – paypal.com/dts: Developer Technical Services, ticketing
      – StackOverflow.com: tag “PayPal”, actively being watched by Technical Service and Developer Evangelists like me
  • 36. Questions?
  • 37. Thanks! tmesserschmidt@paypal.com, @seraandroid / @paypaleurodev, slideshare.net/PayPalEUDevs