OAuth with OAuth.io : solving the OAuth Fragmentation for Identity Management on the Web
This talk is about the story of passwords and identity management on the web.
It gives an overview of password handling, single sign-on solutions, OAuth and its future on the web, thanks to Mozilla Persona and Docker.io Linux containers.
It also presents OAuth.io, a solution to solve fragmentation.

Published in: Technology
  1. From authentication to identity management (Mehdi Medjaoui)
  2. Mehdi Medjaoui, @medjawi, webshell.io, oauth.io
  3. Authentication
  4. Bob
  5. Bob: I want to upload my photos to access them from anywhere.
  6. Photo.service
  7. Bob to Photo.service: Hi Photo.service!
  8. Photo.service: Hi! Who is it?
  9. Bob: I'm Bob.
  10. Photo.service: Prove it!
  11. Bob: Here's my secret: ...
  12. Photo.service: Oh, it's you, Bob!
  13. Photo.service
  14. Photo.service
  15. Here's my secret: ...
  16. Here's my password.
  17. Why passwords?
  18. Identification
  19. Authentication = Identification + Verification
  20. To correctly verify someone, a secret must relate to:
      - what they know
      - what they have
      - what they are
      - what they can do
  21. But why passwords???
  22. In theory
  23. Security vs Convenience
  24. Photo.service
  25. Photo.service, Music.service
  26. Photo.service, Music.service
  27. Photo.service, Social.service, Music.service, Video.service, Email.service
  28. Photo.service, Social.service, Music.service, Video.service, Email.service, ... (the same services repeated until they fill the slide)
  29. Got cloudy these days...
  30. Multiplication of web services has made passwords:
      - hard to remember if unique
  31. Multiplication of web services has made passwords:
      - hard to remember if unique
      - annoying to type all day if strong
  32. password hell
  33. Multiplication of web services has made passwords:
      - hard to remember if unique
      - annoying to type all day if strong
      - weak if not unique
  34. Passwords (even strong) do not scale with a growing number of services.
  35. Solution = Password manager?
  36. simple interface design
  37. Single Sign-On
  38. Single Sign-On. Single sign-on (SSO) is a property of access control of multiple related, but independent software systems.
  39. The promise of SSO:
      - UX with frictionless sign-in and higher conversion
      - Reduced IT costs
      - Retrieving data with the user's consent but without annoying forms
      - Reduced password leak risks
  40. - SAML
      - OpenID
      - Facebook Connect
      - OAuth
      - Persona
  41. (IDP = Identity provider.) Bob to Photo.service: I'm Bob from IDP.
  42. Photo.service to IDP: Is it really Bob?
  43. IDP to Bob: Prove to me you're Bob!
  44. Bob to IDP: Here's my session / password.
  45. IDP to Bob: You're good.
  46. IDP to Photo.service: He's indeed Bob.
  47. Hi Bob! Gimme fotoz! (Bob, Photo.service, IDP)
  48. Google, myspace, Yahoo ... Photo.service? The user makes the choice.
  49. Based on URLs for personal data:
      http://google.com/profiles/me
      username.wordpress.com
      blogname.blogspot.com
      www.myspace.com/username
  50. Authorization
  51. Bob: I want to print my photos from photo.service with printer.service.
  52. The wrong way:
  53. Photo.service has the resource; Printer.service needs the resource; Bob holds the key to photo.service.
  54. Bob to Printer.service: Hi, I want to print my photos.
  55. Printer.service to Bob: Photo.service credentials?
  56. Bob: Sure:
  57. Printer.service to Photo.service: Hi, I'm Bob & I have the key.
  58. Photo.service to Printer.service: You're indeed Bob.
  59. Printer.service to Photo.service: Please send me these photos.
  60. Photo.service to Printer.service: Here you go.
  61. Printer.service to Bob: I printed the photos.
  62. Rogue Printer.service: I'm gonna look at all of Bob's photos!
  63. Rogue Printer.service: ... without his consent...
  64. Never give your password to other services.
  65. Authorization is the solution.
  66. 2008
  67. Facebook has the resource; some.service needs the resource.
  68. Photo.service has the resource; Printer.service needs the resource; Bob holds the key to photo.service.
  69. Bob to Printer.service: Hi, I'm Bob.
  70. Printer.service to Bob: I have support for Photo.service, ...
  71. Printer.service to Bob: I have support for Photo.service, ... (Note: the choice of supported resource providers also has to be made by printer.service.)
  72. Bob to Printer.service: Please use Photo.service.
  73. Printer.service to Photo.service: Hi, I'm Printer.service.
  74. Photo.service to Printer.service: Prove it!
  75. Printer.service to Photo.service: Here's my client_secret.
  76. Photo.service to Printer.service: You're good.
  77. Printer.service to Photo.service: I need access to Bob's photos.
  78. Photo.service to Bob: Who are you?
  79. Bob to Photo.service: I'm Bob. Here's my key.
  80. Photo.service to Bob: Do you allow Pr.S. to access your photos?
  81. Bob to Photo.service: Sure!
  82. Photo.service to Printer.service: You now have access to Bob's photos.
  83. Printer.service to Photo.service: Send me the holiday photos!
  84. Photo.service to Printer.service: Here you go!
  85. Printer.service to Bob: I printed the photos.
  86. Note: Printer.service does not hold Bob's key to Photo.service.
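The three-legged exchange of slides 68 to 86, as an added Python model that is not part of the deck or of OAuth.io's code: Photo.service acts as both authorization server and resource server, Printer.service is a registered client, and every name, secret and album here is constructed for the illustration. The scope is a space-separated string as in RFC 6749, the detail slide 104 says providers get inconsistent.

```python
import hmac
import secrets
import time
from hashlib import sha256

def _h(password):  # toy password hash for the model; a real service uses argon2 or scrypt
    return sha256(password.encode()).hexdigest()

class PhotoService:  # Photo.service: keeps Bob's credential and photos, issues codes and tokens
    def __init__(self, clients, users):
        self.clients = clients                        # client_id -> client_secret (slide 75)
        self.users = {u: _h(p) for u, p in users.items()}
        self.codes, self.tokens = {}, {}              # code -> grant, access token -> grant
        self.photos = {"bob": {"holiday": ["beach.jpg", "hike.jpg"], "private": ["id_scan.jpg"]}}

    def authorize(self, client_id, user, password, scope, consent):
        # Slides 78-81: Bob proves who he is to Photo.service itself, then consents.
        if client_id not in self.clients or not consent:
            raise PermissionError("unknown client or user refused")
        if not hmac.compare_digest(self.users.get(user, ""), _h(password)):
            raise PermissionError("bad user credentials")
        code = secrets.token_urlsafe(16)              # short-lived and single-use
        self.codes[code] = (user, client_id, set(scope.split()), time.time() + 60)
        return code

    def token(self, client_id, client_secret, code):
        # Slides 73-76 and 82: the client proves it is Printer.service, then trades the code.
        if not hmac.compare_digest(self.clients.get(client_id, ""), client_secret):
            raise PermissionError("client authentication failed")
        user, bound_client, scopes, expiry = self.codes.pop(code, (None, None, set(), 0))
        if bound_client != client_id or time.time() > expiry:
            raise PermissionError("invalid, expired or already used code")
        access_token = secrets.token_urlsafe(24)
        self.tokens[access_token] = (user, client_id, scopes)
        return access_token

    def get_photos(self, access_token, album):
        # Slides 83-84: the resource endpoint checks token and scope, never a password.
        if access_token not in self.tokens:
            raise PermissionError("invalid token")
        user, _, scopes = self.tokens[access_token]
        if f"photos:{album}" not in scopes:
            raise PermissionError("album not in granted scope")
        return list(self.photos[user][album])

def run_flow():
    # Walk the deck's happy path, then try three things the token must not allow.
    photo = PhotoService({"printer.service": "printer-client-secret"}, {"bob": "bob-password"})
    code = photo.authorize("printer.service", "bob", "bob-password", "photos:holiday", consent=True)
    token = photo.token("printer.service", "printer-client-secret", code)
    printed = photo.get_photos(token, "holiday")
    blocked = []
    for attempt in (lambda: photo.get_photos(token, "private"),                              # outside consented scope
                    lambda: photo.token("printer.service", "printer-client-secret", code),  # code replay
                    lambda: photo.token("printer.service", "guessed-secret", code)):        # wrong client_secret
        try:
            attempt()
        except PermissionError as err:
            blocked.append(str(err))
    return printed, blocked   # slide 86: Printer.service never saw "bob-password"
```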
  87. The PHOTO app chooses and controls which OAuth provider to integrate, so the user cannot choose the identity he wants.
  88. Based on API authorizations and endpoints between applications
  89. -
  90. Single Sign-On conclusion
      - OpenID (URLs) is a group of companies that trust each other to be an identity provider (IDP). OpenID leaves the choice of IDP to the user.
      - Facebook Connect was the single sign-on of the Facebook affiliate ecosystem.
      - OAuth: the OAuth provider knows the user AND the application. The end-user application chooses the IDP the end user can connect with.
  91. OpenID, OAuth and SAML compared:
                       OpenID           OAuth                    SAML
      Dates from       2005             2006                     2001
      Current version  OpenID 2.0       OAuth 2.0                SAML 2.0
      Main purpose     Single sign-on   API authorization        Single sign-on
                       for consumers    between users'           for enterprise
                                        applications
      Protocols used   XRDS, HTTP       JSON, HTTP               SAML, XML, HTTP, SOAP
  92. OAuth and the Highway to Hell / OAuth 2.0 and the Road to Hell (Eran Hammer)
  93. OAuth 1.0 (2007). "OAuth provides a method for clients to access server resources on behalf of a resource owner (such as a different client or an end-user). It also provides a process for end-users to authorize third-party access to their server resources without sharing their credentials (typically, a username and password pair), using user-agent redirections." http://tools.ietf.org/html/rfc5849
  94. OAuth 1.0 (2007). Context:
      - php 4
      - no https
      - Google involved
      - not OpenID
      Pain:
      - Signatures
      - Broken libraries
      - Extensions
      - Crappy specifications
      From Eran Hammer, #FuckOauth, "OAuth 2.0 - Looking Back and Moving On"
  95. OAuth 1.0a (one-legged). OAuthBible
  96. OAuth 1.0a (two-legged). OAuthBible
  97. OAuth 1.0a (three-legged). OAuthBible
  98. OAuth 1.0a (Echo). OAuthBible
  99. OAuth 1.0a (xAuth). OAuthBible
  100. OAuth 2.0
  101. Authentication and Signatures
      - Stops requiring requests to be cryptographically signed with the client ID and secret, and replaces signatures with mandatory HTTPS for all communications between browsers, clients and the API.
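Added example, not from the deck: the RFC 5849 (OAuth 1.0a) HMAC-SHA1 request signing that slide 94 lists under "Pain" and slide 101 says OAuth 2.0 replaces with HTTPS. It takes the request of RFC 5849 section 3.4.1.1 as input; the two secrets used in roundtrip() are constructed, not the RFC's.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit

def pct(value):
    """RFC 5849 section 3.6 encoding: only A-Z a-z 0-9 - . _ ~ stay bare, hex digits uppercase."""
    return quote(str(value), safe="-._~")

def base_string(method, url, oauth_params, body=""):
    """Section 3.4.1: METHOD & encoded base URI & encoded normalized parameter string."""
    parts = urlsplit(url)
    scheme, host = parts.scheme.lower(), parts.hostname.lower()
    if parts.port and (scheme, parts.port) not in (("http", 80), ("https", 443)):
        host = f"{host}:{parts.port}"                 # default ports are dropped, others kept
    base_uri = f"{scheme}://{host}{parts.path}"
    # 3.4.1.3: query string + oauth_* parameters + form body, minus realm and oauth_signature
    params = parse_qsl(parts.query, keep_blank_values=True)
    params += [(k, v) for k, v in oauth_params.items() if k not in ("realm", "oauth_signature")]
    params += parse_qsl(body, keep_blank_values=True)
    # encode each name and value, THEN sort by name and value, then join: the step libraries got wrong most
    normalized = "&".join(f"{k}={v}" for k, v in sorted((pct(k), pct(v)) for k, v in params))
    return "&".join([method.upper(), pct(base_uri), pct(normalized)])

def sign(method, url, oauth_params, consumer_secret, token_secret="", body=""):
    """Section 3.4.2: HMAC-SHA1 over the base string, keyed with 'consumer_secret&token_secret'."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, url, oauth_params, body).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def verify(method, url, oauth_params, consumer_secret, token_secret="", body=""):
    """Server side: recompute and compare in constant time (nonce/timestamp replay checks are separate)."""
    expected = sign(method, url, oauth_params, consumer_secret, token_secret, body)
    return hmac.compare_digest(expected, oauth_params.get("oauth_signature", ""))

# The request of RFC 5849 section 3.4.1.1: query parameters, a form body and a token, all at once.
RFC_URL = "http://example.com/request?b5=%3D%253D&a3=a&c%40=&a2=r%20b"
RFC_BODY = "c2&a3=2+q"
RFC_PARAMS = {"oauth_consumer_key": "9djdj82h48djs9d2", "oauth_token": "kkk9d7dh3k39sjv7",
              "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": "137131201",
              "oauth_nonce": "7d8f3e4a"}

def rfc_example_base_string():
    return base_string("POST", RFC_URL, RFC_PARAMS, RFC_BODY)

def roundtrip(consumer_secret="constructed-consumer-secret", token_secret="constructed-token-secret"):
    """Client signs (secrets are constructed, not the RFC's), server verifies, then one tampered byte."""
    signed = dict(RFC_PARAMS, oauth_signature=sign("POST", RFC_URL, RFC_PARAMS, consumer_secret, token_secret, RFC_BODY))
    ok = verify("POST", RFC_URL, signed, consumer_secret, token_secret, RFC_BODY)
    tampered = verify("POST", RFC_URL.replace("a3=a", "a3=b"), signed, consumer_secret, token_secret, RFC_BODY)
    return ok, tampered
```

The base string produced for the RFC request matches the one printed in section 3.4.1.1 of RFC 5849, which is the easiest way to check an OAuth 1.0a library before blaming the provider.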
  102. User Experience and Alternative Authorization Flows. OAuth 2 supports a better user experience for native applications, and supports extending the protocol to provide compatibility with future device requirements.
  103. Performance at Scale
      - Many steps require state management and temporary credentials, which require shared storage and are difficult to synchronize across data centers.
      - Requires that the API server has access to the application's ID and secret, which often breaks the architecture of most large providers, where the authorization server and API servers are completely separate.
  104. - OAuth 2.0 (Two-legged): client credentials, resource owner password
      - OAuth 2.0 (Three-legged)
      - OAuth 2.0 (Refresh token)
      Scopes are often not implemented the way the spec describes: sometimes the separating spaces are missing, and scope names differ from provider to provider. #OAuthBible
  105. OAuth is fragmented. OAuth is broken.
  106. OAuth 2.0 is a compromise.
  107. -
  108. Eran Hammer has quit the OAuth 2.0 board. He is building Oz.
  109. Solutions to consume OAuth?
      - The IETF specs
      - The OAuth Bible
      - Open source libraries (omniauth for Ruby, requests or foauth for Python, passport for node.js…)
      - Janrain, Dailycred
      - OAuth.io
  110. OAuth.io
  111. Demo
  112. OAuth.io
  113. OAuth.io
  114. Demo
  115. oauthd: open source version of OAuth.io
  116. The Glue of OAuth? https://github.com/oauth-io/oauthd/blob/master/providers
  117. OAuth Report #SOCIAL LOGIN
  118. The future? Mozilla Persona (BrowserID), Docker.io
  119. Thank you! Mehdi Medjaoui, @medjawi, webshell.io, oauth.io
