LastUser is a identity aggregating web service written in Python using the Flask framework. It provides an OAuth server that proxies for various popular identity providers.

1. User Management with LastUser
Kiran Jonnalagadda, HasGeek
PyCon India, Pune, September 2011
flickr.com/exfordy/128576390/

2. The What & The Why

3. LastUser is an identity
aggregating web service
LastUser
Your App 1 Your App 2 Your App 3

4. A simple goal
Login identifier that
Login
users can remember
Relief from password
Password
management
Submit
No user registration.
Just login and use

5. OpenID:
URLs as Identity

6. OpenID in theory:
http://jace.livejournal.com/

7. URLs in the browser:
www.github.com

8. URLs in the browser:
github.com

9. URLs in the browser:
http://github.com/

10. URLs in the browser:
https://github.com/

11. URLs as Identifiers
1. github.com
2. github.com/
3. www.github.com
4. www.github.com/
5. http://github.com
6. http://github.com/
7. http://www.github.com
8. http://www.github.com/
9. https://github.com
10. https://github.com/
11. https://www.github.com
12. https://www.github.com/
Multiple strings; same final URL
flickr.com/mynameisharsha/5157965638/

12. Contrast with email Addresses:
kiran@hasgeek.in
Change one character and it’s no longer
valid. Users are conditioned to type them
in exactly every time

13. URL Ambiguity:
https://www.google.com/accounts/o8/id
One OpenID URL for all Google accounts

14. URL Ambiguity:
https://www.google.com/accounts/o8/id?id=AItOawnGAN1Swp5zAJn9UYCw0jivCRXg8qIe_9c
https://www.google.com/accounts/o8/id?id=AItOawm3y2JBSnIo0ZdNwtIa487VpQXtpbXNmU4
Both are the same Google id, on different domains,
using directed identity. If you move to a new domain,
all your users’ ids change

15. URLs are not reliable
identifiers for users

16. OpenID in practice

17. OAuth:
Delegated Identity

18. The delegated id model
Your Application

19. The delegated id model
Synchronizing identity across services?
Your Application

20. Need a common identifier
across services. It’s usually
an email address

21. LastUser as abstraction layer
LastUser — OAuth Server
Your App 1 Your App 2 Your App 3

22. Multiple apps,
all connected to
one LastUser
instance

23. 1. Login screen provider

24. Connecting identities
Users sometimes login with
a different service provider
Accounts can be connected
if there is a common id
Twitter does not provide an
email address
GitHub provides only
md5sum of email via
Gravatar. Can be connected
if email is already known

25. Supported id providers
Twitter
Google
GitHub
OpenID (but not delegation)
Upcoming: LinkedIn, Facebook

26. OAuth: There is no single
standard called OAuth. Every
implementation is different

27. There is no up-to-date Python
library for OAuth2. Every service
provider has their own library.
Contrast: Ruby has OmniAuth

28. LastUser implements
OAuth 2.0 draft 16
(with gaps filled in)

29. OAuth 2.0 has two parts
OAuth OAuth
Authorization Resource
Server Server
1. Request an OAuth Client 2. Use token to
access token access resource

30. OAuth 2.0 has two parts
OAuth 2.0 doesn’t
specify how this
OAuth OAuth
bit works
Authorization Resource
Server Server
LastUser does
1. Request an OAuth Client 2. Use token to
access token access resource

31. 2. Resource providers
(work in progress)

32. 3. Central access control

33. Pending work
Seamless login UI and pure client-side JS login API
Non-web login flow
Authorization to resource server communication protocol
Support for token types other than bearer tokens

34. LastUser is BSD-licensed
https://github.com/hasgeek/lastuser