The Last Authentication System You Will Ever Write

The Last Authentication System You Will Ever Write Jason Austin - @jason_austin - jfaustin@gmail.comThursday, May 26, 2011

A Quick Rundown • Authentication Basics • Pros/Cons of ofﬂoading • Authentication Mechanisms • Authentication Providers • ImplementationThursday, May 26, 2011

Authentication Basics Authentication != Authorization ﬂickr - @digiart2001 Who you are vs. what rights you haveThursday, May 26, 2011

Setting Up An Auth System • Signup • Conﬁrmation • Authenticate (Username / Password) • Password Retrieval / Reset • Password ChangeThursday, May 26, 2011

Security Requirements • Secure Transactions • Salting/Hashing Passwords • Storing Passwords • Password Strength Requirements • Policies surrounding username selectionsThursday, May 26, 2011

User Impact • Signup process • Name • Password (And Conﬁrm) • Email Address • Yet another set of credentialsThursday, May 26, 2011

ﬂickr - @sbisson Ofﬂoading AuthenticationThursday, May 26, 2011

What is Ofﬂoading? • Authentication via third trusted party • User creates an account there (or likely already has one) • They manage passwords and usernames • Host application passes user to authentication provider • No passwords pass over your wireThursday, May 26, 2011

Why Ofﬂoad? • Dirty work is done for you • No Passwords. Ever. None. • No Username Selections • Implementation is quick and easy • Signup is fastThursday, May 26, 2011

Effectiveness • Quick Conversion • Personal Information • Demographic InformationThursday, May 26, 2011

Downsides • Indentured to a provider • Require a third party for a critical aspect of your applicationThursday, May 26, 2011

Who To Use?Thursday, May 26, 2011

Finding a Provider • Reliability • Support • Trust from users • Usage • LongevityThursday, May 26, 2011

Make A Choice • Pick the right service for your audience • Choose multiple servicesThursday, May 26, 2011

Getting StartedThursday, May 26, 2011

First Step • Getting to know the technologies • OpenID • OAuthThursday, May 26, 2011

OpenID • One login, multiple sites • Decentralized • URI-based. EX: jfaustin.myopenid.com • Service provided by anyoneThursday, May 26, 2011

OpenID WorkﬂowThursday, May 26, 2011

OpenID • Hasn’t really caught on • Thought of as “geek speak” • Service providers include • Google • Yahoo • Many more...Thursday, May 26, 2011

OAuth • Open standard for access delegation • With authentication, provides ability for SSO • Valet key to the internetThursday, May 26, 2011

OAuth Players • Service Provider (Server)- Has the information you want • Consumer (Client) - Wants the information from the Service Provider • User (Resource Owner) - Can grant access to the Consumer to acquire information about your account from the Service ProviderThursday, May 26, 2011

Thursday, May 26, 2011

OAuth • Technology behind authentication from • Facebook • Yahoo! • TwitterThursday, May 26, 2011

Sign in with TwitterThursday, May 26, 2011

Get Started • Register your app with Twitter • https://dev.twitter.com/apps/new • Add some UI to your app • Choose an OAuth lib to helpThursday, May 26, 2011

OAuth Libraries • oauth-php http://code.google.com/p/oauth-php/ • Zend_Oauth http://framework.zend.com/manual/en/ zend.oauth.introduction.html • OAuth PECL package http://pecl.php.net/package/oauth • CakePHP OAuth Package http://code.42dh.com/oauth/Thursday, May 26, 2011

Files Needed index.php auth.php callback.php * Need a OAuth library. We’re going to use ZFThursday, May 26, 2011

Logging In <?php // index.php if (isset($_SESSION[auth])) { echo "Logged in"; echo "<br><br><pre>"; print_r($_SESSION[auth]); echo "</pre>"; echo "<a href=logout.php>Logout</a>"; } else { echo "Not logged in"; echo "<br><br>"; echo "<a href=auth.php>Sign in to twitter</a>"; }Thursday, May 26, 2011

Authentication <?php // auth.php if (isset($_SESSION[auth])) { echo "already logged in"; die(); } $options = array( consumerKey => asdfgawe23aewvserg43tg, consumerSecret => asdf34visnerfg9j0ae49gj09srjg9ae, callbackUrl => http://pintlabs.com/demo/callback.php, siteUrl => http://twitter.com/oauth ); require_once Zend/Oauth/Consumer.php; $consumer = new Zend_Oauth_Consumer($options); $token = $consumer->getRequestToken(); $_SESSION[requestToken] = serialize($token); $consumer->redirect();Thursday, May 26, 2011

<?php Receive the Callback // callback.php if (!isset($_GET[oauth_token])) { die("oauth_token not set"); } $response = array( oauth_token => $_GET[oauth_token], oauth_verifier => $_GET[oauth_verifier], ); // same options as auth.php $consumer = new Zend_Oauth_Consumer($options); $requestToken = unserialize($_SESSION[requestToken]); $accessToken = $consumer->getAccessToken($response, $requestToken); unset($_SESSION[requestToken]); parse_str($accessToken->getResponse()->getBody(), $params); $_SESSION[auth] = $params;Thursday, May 26, 2011

Best PracticesThursday, May 26, 2011

A Few Things To Remember... • What if the external key changes? • Changed OpenID URL • Changed Twitter ID • Multiple accounts from the same userThursday, May 26, 2011

Account Management • Have an internal application account id • Link external accounts to internal id • Allow management of external authentication sources by the userThursday, May 26, 2011

Have A Backup Plan • Downtime • Removal of service • Change in serviceThursday, May 26, 2011

Questions? Jason Austin - @jason_austin - jfaustin@gmail.com http://joind.in/3431 Code Available at http://github.com/jfaustin/tek11-twitter-authThursday, May 26, 2011

http://www.jasonawesome.com	1011
http://www.techgig.com	28
http://feeds.feedburner.com	9
http://webcache.googleusercontent.com	1
http://html2canvas.hertzen.com	1
http://translate.googleusercontent.com	1
http://www.google.com	1
http://seoautomated.com	1

The Last Authentication System You Will Ever Write

by Jason Austin

Accessibility

Categories

Upload Details

Usage Rights

8 Embeds 1,053

Statistics

The Last Authentication System You Will Ever Write Presentation Transcript