The Last Authentication System You Will Ever Write

Your users need to sign up, authenticate, retrieve their password, change their password, etc. Building your own system takes time and resources, so why not do what developers do best…abstract it away! Places like Twitter, Facebook, and Google have given developers the sweet gift of third-party authentication, allowing your users to use their existing credentials to access your application. Learn about the pros and cons of offloading authentication to these services and see how they work while exploring options using both OpenID and OAuth.

Published in: Technology


Transcript

  • 1. The Last Authentication System You Will Ever Write
    Jason Austin - @jason_austin - jfaustin@gmail.com
    Thursday, May 26, 2011
  • 2. A Quick Rundown
      • Authentication Basics
      • Pros/Cons of offloading
      • Authentication Mechanisms
      • Authentication Providers
      • Implementation
  • 3. Authentication Basics
      • Authentication != Authorization
      • Who you are vs. what rights you have
      (photo: flickr - @digiart2001)
  • 4. Setting Up An Auth System
      • Signup
      • Confirmation
      • Authenticate (Username / Password)
      • Password Retrieval / Reset
      • Password Change
  • 5. Security Requirements
      • Secure Transactions
      • Salting/Hashing Passwords
      • Storing Passwords
      • Password Strength Requirements
      • Policies surrounding username selections
  • 6. User Impact
      • Signup process
      • Name
      • Password (And Confirm)
      • Email Address
      • Yet another set of credentials
  • 7. Offloading Authentication
      (photo: flickr - @sbisson)
  • 8. What is Offloading?
      • Authentication via a trusted third party
      • User creates an account there (or likely already has one)
      • They manage passwords and usernames
      • Host application passes the user to the authentication provider
      • No passwords pass over your wire
  • 9. Why Offload?
      • Dirty work is done for you
      • No Passwords. Ever. None.
      • No Username Selections
      • Implementation is quick and easy
      • Signup is fast
  • 10. Effectiveness
      • Quick Conversion
      • Personal Information
      • Demographic Information
  • 11. Downsides
      • Indentured to a provider
      • Require a third party for a critical aspect of your application
  • 12. Who To Use?
  • 13. Finding a Provider
      • Reliability
      • Support
      • Trust from users
      • Usage
      • Longevity
  • 14. Make A Choice
      • Pick the right service for your audience
      • Choose multiple services
  • 15. Getting Started
  • 16. First Step
      • Getting to know the technologies
      • OpenID
      • OAuth
  • 17. OpenID
      • One login, multiple sites
      • Decentralized
      • URI-based. EX: jfaustin.myopenid.com
      • Service provided by anyone
  • 18. OpenID Workflow
  • 19. OpenID
      • Hasn’t really caught on
      • Thought of as “geek speak”
      • Service providers include
          • Google
          • Yahoo
          • Many more...
  • 20. OAuth
      • Open standard for access delegation
      • With authentication, provides the ability for SSO
      • Valet key to the internet
  • 21. OAuth Players
      • Service Provider (Server) - Has the information you want
      • Consumer (Client) - Wants the information from the Service Provider
      • User (Resource Owner) - Can grant access to the Consumer to acquire information about your account from the Service Provider
  • 22.
  • 23. OAuth
      • Technology behind authentication from
          • Facebook
          • Yahoo!
          • Twitter
  • 24. Sign in with Twitter
  • 25. Get Started
      • Register your app with Twitter
          • https://dev.twitter.com/apps/new
      • Add some UI to your app
      • Choose an OAuth lib to help
  • 26. OAuth Libraries
      • oauth-php http://code.google.com/p/oauth-php/
      • Zend_Oauth http://framework.zend.com/manual/en/zend.oauth.introduction.html
      • OAuth PECL package http://pecl.php.net/package/oauth
      • CakePHP OAuth Package http://code.42dh.com/oauth/
  • 27. Files Needed
      • index.php
      • auth.php
      • callback.php
      * Need an OAuth library. We’re going to use ZF
  • 28. Logging In
    <?php
    // index.php
    session_start(); // the session must be started before $_SESSION is read
    if (isset($_SESSION['auth'])) {
        echo "Logged in";
        echo "<br><br><pre>";
        print_r($_SESSION['auth']); // the access-token parameters saved by callback.php
        echo "</pre>";
        echo "<a href=logout.php>Logout</a>";
    } else {
        echo "Not logged in";
        echo "<br><br>";
        echo "<a href=auth.php>Sign in to twitter</a>";
    }
  • 29. Authentication
    <?php
    // auth.php
    session_start();
    if (isset($_SESSION['auth'])) {
        echo "already logged in";
        die();
    }
    $options = array(
        'consumerKey'    => 'asdfgawe23aewvserg43tg',
        'consumerSecret' => 'asdf34visnerfg9j0ae49gj09srjg9ae',
        'callbackUrl'    => 'http://pintlabs.com/demo/callback.php',
        'siteUrl'        => 'http://twitter.com/oauth',
    );
    require_once 'Zend/Oauth/Consumer.php';
    $consumer = new Zend_Oauth_Consumer($options);
    $token = $consumer->getRequestToken();         // step 1: unauthorized request token from Twitter
    $_SESSION['requestToken'] = serialize($token); // keep it; callback.php needs it to get the access token
    $consumer->redirect();                         // step 2: send the user to Twitter to authorize
  • 30. Receive the Callback
    <?php
    // callback.php
    session_start();
    if (!isset($_GET['oauth_token'], $_GET['oauth_verifier'])) {
        die("oauth_token or oauth_verifier not set");
    }
    $response = array(
        'oauth_token'    => $_GET['oauth_token'],
        'oauth_verifier' => $_GET['oauth_verifier'],
    );
    // $options: the same consumerKey/consumerSecret/callbackUrl/siteUrl array as in auth.php
    require_once 'Zend/Oauth/Consumer.php';
    $consumer = new Zend_Oauth_Consumer($options);
    $requestToken = unserialize($_SESSION['requestToken']);
    $accessToken = $consumer->getAccessToken($response, $requestToken); // step 3: exchange for access token
    unset($_SESSION['requestToken']);
    parse_str($accessToken->getResponse()->getBody(), $params); // oauth_token, oauth_token_secret, user_id, screen_name
    $_SESSION['auth'] = $params;
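The three-legged flow that auth.php and callback.php drive, simulated end to end with both sides' messages; this is an added example, not code from the slides or from the jfaustin/tek11-twitter-auth repo. The Provider class, the session dict and the callback URL are constructed stand-ins, request signing is left out (Zend_Oauth does it in the real flow), and the token-matching check in callback_php is an addition the slide code does not have.

```python
import secrets
from urllib.parse import urlencode, parse_qs

class Provider:
    """Stand-in for the service provider (constructed for this example, not Twitter)."""
    def __init__(self):
        self.request_tokens = {}  # request token -> {secret, callback, verifier, user}

    def request_token(self, consumer_key, callback):
        # Step 1: an unauthorized request token, bound to the consumer's callback URL
        tok, sec = secrets.token_hex(8), secrets.token_hex(8)
        self.request_tokens[tok] = {"secret": sec, "callback": callback, "verifier": None, "user": None}
        return urlencode({"oauth_token": tok, "oauth_token_secret": sec, "oauth_callback_confirmed": "true"})

    def authorize(self, token, user):
        # Step 2: the resource owner approves; the provider redirects back with a fresh verifier
        rec = self.request_tokens[token]
        rec["verifier"], rec["user"] = secrets.token_hex(8), user
        return rec["callback"] + "?" + urlencode({"oauth_token": token, "oauth_verifier": rec["verifier"]})

    def access_token(self, token, verifier):
        # Step 3: swap an authorized request token plus its verifier for an access token (single use)
        rec = self.request_tokens.pop(token, None)
        if rec is None or rec["verifier"] is None or not secrets.compare_digest(rec["verifier"], verifier):
            raise PermissionError("request token unknown, unauthorized, or verifier mismatch")
        return urlencode({"oauth_token": secrets.token_hex(8), "oauth_token_secret": secrets.token_hex(8),
                          "user_id": rec["user"], "screen_name": rec["user"]})

def auth_php(provider, session, callback_url):
    """Mirrors auth.php: fetch a request token, keep it in the session, redirect the user."""
    params = parse_qs(provider.request_token("consumer-key", callback_url))
    session["requestToken"] = params["oauth_token"][0]
    return session["requestToken"]  # the redirect to the provider carries this token

def callback_php(provider, session, redirect_url):
    """Mirrors callback.php plus a check the slide code lacks: the returned token must be this session's."""
    q = parse_qs(redirect_url.split("?", 1)[1])
    if q["oauth_token"][0] != session.get("requestToken"):
        raise PermissionError("callback oauth_token does not match this session's request token")
    body = provider.access_token(q["oauth_token"][0], q["oauth_verifier"][0])
    del session["requestToken"]
    session["auth"] = {k: v[0] for k, v in parse_qs(body).items()}  # like parse_str() in PHP
    return session["auth"]

def run_flow(user="jason_austin"):
    """The whole three-legged dance for one user; returns what index.php would print_r()."""
    provider, session = Provider(), {}
    token = auth_php(provider, session, "http://example.invalid/callback.php")
    redirect = provider.authorize(token, user)  # the user signs in at the provider and clicks Allow
    return callback_php(provider, session, redirect)
```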
  • 31. Best Practices
  • 32. A Few Things To Remember...
      • What if the external key changes?
          • Changed OpenID URL
          • Changed Twitter ID
      • Multiple accounts from the same user
  • 33. Account Management
      • Have an internal application account id
      • Link external accounts to the internal id
      • Allow management of external authentication sources by the user
  • 34. Have A Backup Plan
      • Downtime
      • Removal of service
      • Change in service
  • 35. Questions?
    Jason Austin - @jason_austin - jfaustin@gmail.com
    http://joind.in/3431
    Code Available at http://github.com/jfaustin/tek11-twitter-auth