APIdays Paris 2018 - Learning the OAuth Dance (Without Stepping on Anyone's T...
Your SlideShare is downloading.
×
Check these out next
Recommended
More Related Content
Similar to OAuth with OAuth.io : solving the OAuth Fragmentation for Identity Management on the Web (20)
Recently uploaded (20)
OAuth with OAuth.io : solving the OAuth Fragmentation for Identity Management on the Web
- 1. From authentication to identity management Mehdi Medjaoui
- 2. Mehdi Medjaoui @medjawi webshell.io oauth.io
- 3. Authentication
- 4. Bob
- 5. I want to upload my photos to access them from anywhere
- 6. Photo.service
- 7. Photo.service Hi Photo. service!
- 8. Photo.service Hi! Who is it?
- 9. Photo.service I’m Bob
- 10. Photo.service Prove it!
- 11. Photo.service Here’s my secret: ...
- 12. Photo.service Oh it’s you Bob!
- 13. Photo.service
- 14. Photo.service
- 15. Here’s my secret: ...
- 16. Here’s my password
- 17. Why passwords?
- 18. Identification
- 19. Authentication = Identification + Verification
- 20. To correctly verify someone, a secret must relate to: - what they know - what they have - what they are - what they can do
- 21. But why passwords???
- 22. In theory
- 23. Security vs Convenience
- 24. Photo.service
- 25. Photo.service Music.service
- 26. Photo.service Music.service
- 27. Photo.service Social.service Music.service Video.service Email.service
- 28. Photo.service Social.service Photo.service Social.service Photo.service Social.service Music.service Email.service Video.service Music.service Email.service Video.service Music.service Video.service Email.service
- 29. Got cloudy these days...
- 30. Multiplication of web services have made passwords - hard to remember if unique
- 31. Multiplication of web services have made passwords - hard to remember if unique - annoying to type all day if strong
- 32. password hell
- 33. Multiplication of web services have made passwords - hard to remember if unique - annoying to type all day if strong - weak if not unique
- 34. Passwords (even strong) do not scale with a growing number of services
- 35. Solution = Password manager ?
- 36. simple interface design
- 37. Single Sign-On
- 38. Single Sign-On Single sign-on (SSO) is a property of access control of multiple related, but independent software systems.
- 39. The promise of SSO: - UX with frictionless sign in and higher conversion - Reduced IT costs - Retrieving data with user’s consent but without annoying forms - Reduced password leak risks
- 40. - SAML - OpenID - Facebook connect - OAuth - Persona
- 41. IDP Identity provider Photo.service I’m Bob from IDP
- 42. Is it really Bob? Photo.service IDP Identity provider
- 43. IDP Identity provider Photo.service Prove to me you’re Bob!
- 44. IDP Identity provider Photo.service Here’s my session / password
- 45. IDP Identity provider Photo.service You’re good
- 46. He’s indeed Bob. Photo.service IDP Identity provider
- 47. Hi Bob! Gimme fotoz! Photo.service IDP Identity provider
- 48. Google myspace Yahoo Photo.service ? The user makes the choice
- 49. - Based on URLs for personal data http://google.com/profiles/me username.wordpress.com blogname.blogspot.com www.myspace.com/username
- 50. Authorization
- 51. I want to print my photos from photo. service with printer. service
- 52. The wrong way:
- 53. Photo.service has Resource Printer.service needs Resource Key to photo. service
- 54. Photo.service has Resource Printer.service needs Resource Hi, I want to print my photos.
- 55. Photo.service credentials? Printer.service needs Resource Photo.service has Resource
- 56. Photo.service has Resource Printer.service needs Resource Sure:
- 57. Hi I’m Bob & I have the key Printer.service needs Resource Photo.service has Resource
- 58. You’re indeed Bob. Printer.service needs Resource Photo.service has Resource
- 59. Please send me these photos Printer.service needs Resource Photo.service has Resource
- 60. Here you go Printer.service needs Resource Photo.service has Resource
- 61. I printed the photos. Printer.service needs Resource Photo.service has Resource
- 62. I’m gonna look at all of Bob’s photos! Rogue Printer. service needs Resource Photo.service has Resource
- 63. without his consent... Rogue Printer. service needs Resource Photo.service has Resource
- 64. Never give your password to other services
- 65. Authorization is the solution
- 66. 2008
- 67. Facebook has Resource some.service needs resource
- 68. Photo.service has Resource Printer.service needs Resource Key to photo. service
- 69. Photo.service has Resource Printer.service needs Resource Hi, I’m Bob.
- 70. I have support for Photo. service, ... Printer.service needs Resource Photo.service has Resource
- 71. I have support for Photo. service, ... Printer.service needs Resource Photo.service has Resource Note: choice of supported resource providers has also to be made by printer. service
- 72. Photo.service has Resource Printer.service needs Resource Please use Photo.service
- 73. Hi, I’m Printer. service Printer.service needs Resource Photo.service has Resource
- 74. Prove it! Printer.service needs Resource Photo.service has Resource
- 75. Here’s my client_secret Printer.service needs Resource Photo.service has Resource
- 76. You’re good. Printer.service needs Resource Photo.service has Resource
- 77. I need access to Bob’s photos Printer.service needs Resource Photo.service has Resource
- 78. Photo.service has Resource Printer.service needs Resource Who are you?
- 79. Photo.service has Resource Printer.service needs Resource I’m Bob. Here’ s my key
- 80. Photo.service has Resource Printer.service needs Resource Do you allow Pr.S. to access your photos?
- 81. Photo.service has Resource Printer.service needs Resource Sure!
- 82. You now have access to Bob’ s photos Printer.service needs Resource Photo.service has Resource
- 83. Send me the holiday photos! Printer.service needs Resource Photo.service has Resource
- 84. Here you go! Printer.service needs Resource Photo.service has Resource
- 85. I printed the photos. Printer.service needs Resource Photo.service has Resource
- 86. Photo.service has Resource Printer.service needs Resource Note: Printer.service does not hold Bob’s key to Photo.service
- 87. The PHOTO app chooses and control what OAuth provider to integrate, so the user cannot choose the identity he wants
- 88. Based on API authorizations and endpoints between applications
- 89. -
- 90. Single Sign-On conclusion - OpenID (URLs) is a group of companies that trust each other to be an identity provider (IDP) OpenID let the choice to the user of the IDP - Facebook connect (Facebook Connect was the single sign on of Facebook affiliate ecosystem) - OAuth : the OAuth provider know the user AND the application. The End user application choose the IDP the end user can connect with.
- 91. OpenID OAuth SAML Dates from 2005 2006 2001 Current version OpenID 2.0 OAuth 2.0 SAML 2.0 API Single sign-on Single sign-on authorization for enterprise Main purpose for consumers between users applications Protocols used XRDS, HTTP JSON, HTTP SAM, XML, HTTP, SOAP
- 92. OAuth and the Highway to Hell OAuth 2.0 and the Road to Hell (Eran Hammer)
- 93. OAuth 1.0 (2007) OAuth provides a method for clients to access server resources on behalf of a resource owner (such as a different client or an end- user). It also provides a process for end-users to authorize third-party access to their server resources without sharing their credentials (typically, a username and password pair), using useragent redirections. http://tools.ietf.org/html/rfc5849
- 94. Context : - php 4 - no https - Google involved - not Open ID OAuth 1.0 (2007) Pain: - Signatures - Broken libraries - Extensions - Crappy specifications From Eran Hammer #FuckOauth OAuth 2.0 - Looking Back and Moving On
- 95. OAuth 1.0a (one legged) OAuthBible #
- 96. OAuth 1.0a (two legged) OAuthBible #
- 97. OAuth 1.0a (three legged) OAuthBible #
- 98. OAuth 1.0a (Echo) OAuthBible #
- 99. OAuth 1.0a (xAuth) OAuthBible #
- 100. OAuth 2.0
- 101. Authentication and Signatures - Stop cryptographic requirements of signing requests with the client ID and secret and replaces signatures with requiring HTTPS for all communications between browsers, clients and the API.
- 102. User Experience and Alternative Authorization Flows OAuth 2 supports a better user experience for native applications, and supports extending the protocol to provide compatibility with future device requirements.
- 103. Performance at Scale - Many steps require state management and temporary credentials, which require shared storage and are difficult to synchronize across data centers. - requires that the API server has access to the application's ID and secret, which often breaks the architecture of most large providers where the authorization server and API servers are completely separate.
- 104. - OAuth 2.0 (Two-legged) Client credential Resource user password - OAuth 2.0 (Three-legged) - OAuth 2.0 (Refresh token) Scopes are often not implemented the good way, following the specs. Sometimes spaces are not set, names are different from providers…. #OAuthBible
- 105. OAuth is fragmented. OAuth is broken.
- 106. OAuth 2.0 is a compromise.
- 107. -
- 108. Eran Hammer has quit the OAuth 2.0 Board. He is building Oz.
- 109. Solutions to Consume OAuth ? - The IETF specs - The OAuth Bible - Open source libraries (omniauth for ruby, requests or foauth for python, passport for node.js…) - Janrain, Dailycred - OAuth.io
- 110. OAuth.io
- 111. Demo
- 112. OAuth.io
- 113. OAuth.io
- 114. Demo
- 115. oauthd Open source version of OAuth.io
- 116. The Glue of OAuth? https://github.com/oauth-io/oauthd/blob/master/providers
- 117. OAuth Report #SOCIAL LOGIN
- 118. The future? Mozilla Persona (Browser ID) Docker.io
- 119. Thank you! Mehdi Medjaoui @medjawi webshell.io oauth.io
