How PayPal uses Open Identity

Tim's talk during the Moosecon at the CeBIT 2013.

  1. How PayPal uses Open Identity. Tim Messerschmidt, Developer Evangelist (@SeraAndroid). Moosecon, March 2012, Hannover
  2. Who am I? Tim Messerschmidt: Developer Evangelist, Startup Mentor, Author
  3. (slide without text)
  4. What is identity in the Web?
  5. (slide without text)
  6. (slide without text)
  7. PayPal Access
     - Active users: 123.000.000
     - Uses OpenID Connect
     - Interesting for commercial use cases: adds integrity to existing applications; clearly business- & merchant-oriented
     - Actively being worked on! Expect new kick-ass features soon
  8. (slide without text)
  9. (slide without text)
  10. (slide without text)
  11. (slide without text)
  12. Why OpenID Connect?
  13. Authorization vs. Authentication
  14. OAuth 1.0
  15. OAuth 2.0
  16. OAuth 2.0 & the Road to Hell. Eran Hammer: http://hueniverse.com/2012/07/oauth-2-0-and-the-road-to-hell/
  17. “OAuth 2.0 offers little to none code reusability”
  18. “What 2.0 offers is a blueprint for an authorization protocol”
  19. On the Deadness of OAuth 2. Tim Bray: http://www.tbray.org/ongoing/When/201x/2012/07/28/Oauth2-dead
  20. OAuth 2 is useful today
  21. “OAuth 2 may not be perfect, and may have been harmed by the Enterprise crap, but the core of Web functionality […] seems to have survived.”
  22. OpenID Connect
  23. (slide without text)
  24. (slide without text)
  25. Session management
     - Highly demanded feature: the service can be used to login & logout
     - OAuth 2.0 requires users to revoke permission to “logout”
     - Token validation & refreshment
     - An optional feature
  26. Authorization Flow (Client / Server)
     1. Client: open the Authorization Endpoint URL
     2. Server: provide a login page
     3. Server: return the Authorization Token after a successful login
     4. Client: check callbacks for the Authorization Token
     5. Client: request a valid Access Token
     6. Server: check the Authorization Token & return the Access Token if it’s valid
     7. Client: retrieve the user’s resources
  27. An OAuth 2.0 implementation can be easily changed to OpenID Connect
  28. Why should I use this?
  29. People forget passwords… “45 % admit to leaving a website instead of re-setting their password or answering security questions” (Blue Inc. 2011)
  30. People don’t like to register… Out of 657 surveyed users 66 % think that social sign-in is a desirable alternative. (Blue Inc. 2011)
  31. Verified profiles: Email (as it’s the user’s login), Address (ship my stuff here!), Name (makes sense, too)… and much more information!
  32. 5 scopes to access the profile: 1. profile, 2. email, 3. address, 4. phone, 5. attributes
  33. Leverage an existing profile
  34. x.com/identity
  35. Help? Problems?
     - paypal.com/dts: Developer Technical Services, Ticketing
     - StackOverflow.com: tag “PayPal”, actively being watched by Technical Service and Developer Evangelists like me
  36. Questions?
  37. Thanks! tmesserschmidt@paypal.com, @seraandroid / @paypaleurodev, slideshare.net/PayPalEUDevs
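The seven-step Authorization Flow from slide 26, walked through with both the client (relying party) and the server (identity provider) simulated in one process; this is an added example written for this page, not PayPal Access code, and the client registration, the account "alice" and the host names are constructed. The scope string uses the five scopes from slide 32 plus "openid", which OpenID Connect requires.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

SCOPE = "openid profile email address phone"  # the deck's scopes, plus "openid" as OpenID Connect requires
CLIENT_ID, CLIENT_SECRET, REDIRECT_URI = "demo-app", "demo-secret", "https://app.example/callback"  # constructed

class AuthServer:                       # identity-provider side: steps 2, 3, 6 and the resource of step 7
    def __init__(self):
        self.codes, self.tokens = {}, {}
        self.users = {"alice": {"name": "Alice", "email": "alice@example.test"}}  # constructed account
    def login(self, user, client_id, redirect_uri, scope, state):
        # Steps 2-3: after a successful login, redirect back with a one-time code and the caller's state.
        code = secrets.token_urlsafe(16)
        self.codes[code] = (user, client_id, redirect_uri, scope)
        return redirect_uri + "?" + urlencode({"code": code, "state": state})
    def token(self, code, client_id, client_secret, redirect_uri):
        # Step 6: the code must exist, be bound to this client and redirect URI, and is consumed on use.
        entry = self.codes.pop(code, None)
        if entry is None or entry[1:3] != (client_id, redirect_uri) or client_secret != CLIENT_SECRET:
            return None
        token = secrets.token_urlsafe(24)
        self.tokens[token] = entry
        return {"access_token": token, "token_type": "Bearer", "scope": entry[3]}
    def userinfo(self, access_token):
        # Step 7: the user's resources are released only for a token this server issued.
        entry = self.tokens.get(access_token)
        return None if entry is None else dict(self.users[entry[0]], sub=entry[0])

class Client:                           # relying-party side: steps 1, 4 and 5
    def __init__(self, server):
        self.server, self.state = server, None
    def authorize_url(self):
        # Step 1: build the authorization endpoint URL; 'state' ties the later callback to this request.
        self.state = secrets.token_urlsafe(16)
        return "https://idp.example/authorize?" + urlencode({"response_type": "code", "client_id": CLIENT_ID,
                                                            "redirect_uri": REDIRECT_URI, "scope": SCOPE, "state": self.state})
    def callback(self, url):
        # Step 4: reject a callback whose state is missing or not ours; step 5: exchange the code for a token.
        q = parse_qs(urlparse(url).query)
        if self.state is None or q.get("state", [None])[0] != self.state:
            return None
        self.state = None                                   # state is single-use, like the code
        return self.server.token(q["code"][0], CLIENT_ID, CLIENT_SECRET, REDIRECT_URI)

def run_flow():
    """Drive all seven steps once and return every piece so each can be inspected."""
    server = AuthServer(); client = Client(server)
    q = parse_qs(urlparse(client.authorize_url()).query)    # the browser lands on the authorization endpoint
    cb = server.login("alice", q["client_id"][0], q["redirect_uri"][0], q["scope"][0], q["state"][0])
    tok = client.callback(cb)
    return {"server": server, "client": client, "callback": cb, "token": tok,
            "profile": server.userinfo(tok["access_token"]) if tok else None}
```

The checks that make the flow safe to build on are the ones a real relying party must keep: the state comparison in step 4 and the server consuming each code once in step 6, so a replayed or foreign callback yields no token.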