Open Identity - getting to know your users


This talk is about Open Identity and how to use it to build a great user experience. It also covers secure API communication, so that your service and your users are protected against attacks such as CSRF.

The difference between authentication and authorization is highlighted, and OAuth, OpenID Connect and related standards are explained.

Published in: Technology, Business

  1. OPEN IDENTITY ... getting to know your users (& cool stuff you can do with it). TIM MESSERSCHMIDT @SeraAndroid
  2. Developer Evangelist, PayPal
  3. What does PayPal do at JSConf.eu?
  4. Rebuild Developer Experience: developer.paypal.com
  5. What is identity?
  6. Do we always use the same identity?
  7. Should we always use the same identity?
  8. Authentication vs. Authorization
  9. Current standards
  10. Basic Authentication
  11. OAuth 1.0
  12. OAuth 1.0 flow (Consumer <-> Service Provider): Request Request Token -> Grant Request Token -> Direct User to Service -> Obtain Authorization -> Direct to Consumer -> Request Access Token -> Grant Access Token -> Access Resources
  13. OAuth 1.0a
  14. OAuth 2.0
  15. OAuth 2.0 flow (Consumer <-> Service Provider): Direct User to Service -> Obtain Authorization -> Direct to Consumer -> Request Access Token -> Grant Access Token -> Access Resources / Profile
  16. OAuth 2.0 and the Road to Hell: http://hueniverse.com/2012/07/oauth-2-0-and-the-road-to-hell/
  17. http://homakov.blogspot.de/2013/03/oauth1-oauth2-oauth.html
  18. Identification
  19. Name, Email, Date of Birth, Locale, Time Zone, Address, Gender, Language, Phone Number, Creation Date
  20. OpenID
  21. BrowserID / Persona
  22. How to combine both?
  23. OpenID with OAuth Hybrid Extension
  24. OpenID Connect
  25. Identity Providers: Social vs. Concrete
  26. Artificial barriers
  27. Yeah, nice.. but why? People forget passwords... 45% admit to leaving a website instead of resetting their password or answering security questions.* (* Blue Inc. 2011)
  28. Also they hate to register. Out of 657 surveyed users, 66% think that social sign-in is a desirable alternative.* (* Blue Inc. 2011)
  29. Where else should we use authentication?
  30. JSONP: Cross-domain Request (XDR)
  31. CORS: Cross-Origin Resource Sharing
  32. API communication (bearer token in the Authorization header; "MyAwesomeToken" is a placeholder):

      curl -v https://api.paypal.com/v1/payments/payment \
        -H 'Content-Type: application/json' \
        -H 'Authorization: Bearer MyAwesomeToken' \
        -d '{
          "intent": "sale",
          "payer": { "payment_method": "paypal" },
          "transactions": [{
            "amount": { "total": "7.47", "currency": "USD" }
          }]
        }'
  33. XMLHttpRequest

      Request:
      POST /cors HTTP/1.1
      Origin: http://api.bob.com
      Host: api.bob.com

      Response:
      Access-Control-Allow-Origin: http://api.bob.com
      Access-Control-Allow-Credentials: true
      Access-Control-Expose-Headers: FooBar
      Content-Type: text/html; charset=utf-8

      source: http://www.html5rocks.com/en/tutorials/cors/
  34. Wrap up: Difference between authentication and authorization. Identity does matter. Token based authentication for API communication.
  35. Questions? tmesserschmidt@paypal.com, @SeraAndroid, slideshare.com/paypal
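The OAuth 2.0 flow of slide 15 (Direct User to Service, Obtain Authorization, Direct to Consumer, Request Access Token, Grant Access Token), written out as an added example that is not part of the deck or of PayPal's code. Both sides are simulated in memory in Node.js; the client id, secret, redirect URI and host names are assumptions. The point the slides' CSRF remark hints at is the `state` parameter: the consumer stores a random value in the session before redirecting and refuses any callback whose `state` does not match, which is what stops an attacker from logging a victim into the attacker's account.

```javascript
// Added example: OAuth 2.0 authorization code flow with a session-bound state parameter.
// Everything is simulated in memory; client-id, secret, URLs and user names are made up.
const crypto = require('crypto');

const CLIENT_ID = 'consumer-app';                          // assumed client registration
const CLIENT_SECRET = 'consumer-secret';
const REDIRECT_URI = 'https://consumer.example/callback';

// ---- Service provider (authorization server), simulated ----
const provider = {
  clients: { [CLIENT_ID]: { secret: CLIENT_SECRET, redirectUri: REDIRECT_URI } },
  codes: new Map(),   // authorization code -> { clientId, redirectUri, user }
  tokens: new Map(),  // access token -> { user }

  // "Direct User to Service" + "Obtain Authorization": the user approves and the provider
  // redirects to the registered redirect_uri with a one-time code and the untouched state.
  authorize(authorizeUrl, user) {
    const u = new URL(authorizeUrl);
    const clientId = u.searchParams.get('client_id');
    const redirectUri = u.searchParams.get('redirect_uri');
    const client = this.clients[clientId];
    if (!client || client.redirectUri !== redirectUri) throw new Error('unknown client or redirect_uri mismatch');
    const code = crypto.randomBytes(16).toString('hex');
    this.codes.set(code, { clientId, redirectUri, user });
    const back = new URL(redirectUri);
    back.searchParams.set('code', code);
    const state = u.searchParams.get('state');
    if (state !== null) back.searchParams.set('state', state);
    return back.toString();
  },

  // "Request Access Token" / "Grant Access Token": the code is single-use and bound to the client.
  token({ clientId, clientSecret, code, redirectUri }) {
    const client = this.clients[clientId];
    const grant = this.codes.get(code);
    this.codes.delete(code);                               // replaying a code must fail
    if (!client || client.secret !== clientSecret) throw new Error('invalid client credentials');
    if (!grant || grant.clientId !== clientId || grant.redirectUri !== redirectUri) throw new Error('invalid code');
    const accessToken = crypto.randomBytes(24).toString('hex');
    this.tokens.set(accessToken, { user: grant.user });
    return { access_token: accessToken, token_type: 'Bearer', expires_in: 3600 };
  },
};

// ---- Consumer (the web app) ----
// Build the authorization URL and remember a fresh random state in the user's session.
function startLogin(session) {
  session.oauthState = crypto.randomBytes(16).toString('hex');
  const u = new URL('https://provider.example/authorize');
  u.searchParams.set('response_type', 'code');
  u.searchParams.set('client_id', CLIENT_ID);
  u.searchParams.set('redirect_uri', REDIRECT_URI);
  u.searchParams.set('scope', 'profile');
  u.searchParams.set('state', session.oauthState);
  return u.toString();
}

// "Direct to Consumer": accept a code only if its state matches this session, then exchange it.
function handleCallback(session, callbackUrl) {
  const u = new URL(callbackUrl);
  const state = u.searchParams.get('state');
  const expected = session.oauthState;
  delete session.oauthState;                               // state is single-use
  if (!expected || !state || expected.length !== state.length ||
      !crypto.timingSafeEqual(Buffer.from(expected), Buffer.from(state))) {
    throw new Error('state mismatch: callback not bound to this session (login CSRF)');
  }
  return provider.token({ clientId: CLIENT_ID, clientSecret: CLIENT_SECRET,
                          code: u.searchParams.get('code'), redirectUri: REDIRECT_URI });
}

// Run the complete exchange for one user and report what the consumer ends up holding.
function runFlow(user) {
  const session = {};
  const callbackUrl = provider.authorize(startLogin(session), user);
  const grant = handleCallback(session, callbackUrl);
  return { callbackUrl, grant, owner: provider.tokens.get(grant.access_token).user };
}
```

`runFlow('alice')` returns a bearer token that the provider maps back to alice. Feeding a callback URL produced for another session (the login-CSRF case) into `handleCallback` throws on the state check before any token request is made, and presenting the same code to `provider.token` twice fails the second time.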
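Slide 24 names OpenID Connect, which adds identification (the claims listed on slide 19) on top of OAuth 2.0 by returning a signed ID token. The consumer-side checks that token needs are shown here as an added example, not code from the deck or from any provider. To keep it runnable offline the token is signed with HS256 using the client secret (an option the spec allows); most providers sign with RS256 and publish the key via JWKS. Issuer, client id, secret, nonce and claim values are constructed.

```javascript
// Added example: minting and validating an OpenID Connect ID token (JWT).
// HS256 with the client secret keeps this self-contained; names and values are made up.
const crypto = require('crypto');

const ISSUER = 'https://provider.example';   // assumed issuer
const CLIENT_ID = 'consumer-app';            // assumed client id (expected audience)
const CLIENT_SECRET = 'consumer-secret';

const b64url = (s) => Buffer.from(s).toString('base64url');

// Provider side (simulated): sign header.payload with HMAC-SHA256.
function signIdToken(claims, secret) {
  const header = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const payload = b64url(JSON.stringify(claims));
  const sig = crypto.createHmac('sha256', secret).update(`${header}.${payload}`).digest('base64url');
  return `${header}.${payload}.${sig}`;
}

// Consumer side: check the signature first, then iss / aud / exp / nonce. Returns the claims
// only when every check passes; any failure throws so nothing is half-trusted.
function verifyIdToken(token, { issuer, clientId, secret, nonce, now = Math.floor(Date.now() / 1000) }) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [h, p, s] = parts;
  const header = JSON.parse(Buffer.from(h, 'base64url').toString('utf8'));
  if (header.alg !== 'HS256') throw new Error(`unexpected alg ${header.alg}`);  // pin it; never honour "none"
  const expected = crypto.createHmac('sha256', secret).update(`${h}.${p}`).digest();
  const given = Buffer.from(s, 'base64url');
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) throw new Error('bad signature');
  const claims = JSON.parse(Buffer.from(p, 'base64url').toString('utf8'));
  if (claims.iss !== issuer) throw new Error('wrong issuer');
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!aud.includes(clientId)) throw new Error('token not issued for this client');
  if (typeof claims.exp !== 'number' || now >= claims.exp) throw new Error('token expired');
  if (claims.nonce !== nonce) throw new Error('nonce mismatch (replayed ID token)');
  return claims;
}
```

The `nonce` plays the same role for the ID token that `state` plays for the redirect: the consumer generates it per login, sends it in the authorization request, and only accepts an ID token that carries it back. Pinning `alg` before verifying is what defeats the classic "alg: none" and key-confusion tricks against JWT libraries.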
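Slides 32 and 33 show the two halves of browser-to-API communication: the bearer token in the Authorization header and the CORS headers the API must answer with. The server side of both, as an added example and not code from the deck or from PayPal, is written below as a pure function over a plain request object so it runs with no server. The origin allowlist, the token store and the endpoint path are constructed; the one security decision to take away is that `Access-Control-Allow-Origin` is only ever set to an origin from the allowlist, because reflecting whatever `Origin` arrives while also sending `Access-Control-Allow-Credentials: true` lets every site on the web make credentialed calls.

```javascript
// Added example: CORS from an origin allowlist plus bearer-token checks for an API endpoint.
// Origins, tokens, path and payload format are constructed for the example.
const ALLOWED_ORIGINS = new Set(['https://app.consumer.example', 'http://api.bob.com']);
const TOKENS = new Map([['MyAwesomeToken', { user: 'alice', scopes: ['payments'] }]]);

// Echo the Origin only if it is allowlisted. Never reflect arbitrary origins together with
// Allow-Credentials: true; "*" is acceptable only for public, credential-free resources.
function corsHeaders(origin) {
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return { Vary: 'Origin' };
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    'Access-Control-Allow-Methods': 'GET, POST, OPTIONS',
    'Access-Control-Allow-Headers': 'Authorization, Content-Type',
    'Access-Control-Max-Age': '600',
    Vary: 'Origin',                                // caches must key on Origin
  };
}

// Pull the token out of "Authorization: Bearer <token>" (RFC 6750 token68 characters only).
function bearerToken(headers) {
  const m = /^Bearer ([A-Za-z0-9._~+/=-]+)$/i.exec(headers.authorization || '');
  return m ? m[1] : null;
}

// req = { method, path, headers (lower-case names), body }; returns { status, headers, body }.
function handleApiRequest(req) {
  const cors = corsHeaders(req.headers.origin);
  if (req.method === 'OPTIONS') return { status: 204, headers: cors, body: '' };   // preflight
  const principal = TOKENS.get(bearerToken(req.headers));
  if (!principal) return { status: 401, headers: { ...cors, 'WWW-Authenticate': 'Bearer' }, body: '' };
  if (req.method !== 'POST' || req.path !== '/v1/payments/payment') return { status: 404, headers: cors, body: '' };
  if (!principal.scopes.includes('payments')) return { status: 403, headers: cors, body: '' };
  let payment = null;
  try { payment = JSON.parse(req.body); } catch (e) { payment = null; }
  const totals = payment && payment.intent === 'sale' && Array.isArray(payment.transactions)
    ? payment.transactions.map((t) => Number(t && t.amount && t.amount.total))
    : [];
  if (totals.length === 0 || totals.some((n) => !Number.isFinite(n) || n <= 0)) {
    return { status: 400, headers: cors, body: JSON.stringify({ error: 'invalid payment' }) };
  }
  const total = totals.reduce((sum, n) => sum + n, 0);
  return { status: 201, headers: { ...cors, 'Content-Type': 'application/json' },
           body: JSON.stringify({ state: 'created', payer: principal.user, total: total.toFixed(2) }) };
}
```

A preflight from an allowlisted origin gets the allow headers back; one from any other origin gets none, so the browser blocks the real request. Any request without a valid bearer token is answered 401 with `WWW-Authenticate: Bearer` regardless of origin, which is what makes the token, not the cookie, the credential for API calls.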
