User Management with LastUser

LastUser is an identity-aggregating web service written in Python using the Flask framework. It provides an OAuth server that proxies for various popular identity providers.

  1. User Management with LastUser. Kiran Jonnalagadda, HasGeek. PyCon India, Pune, September 2011. (Photo: flickr.com/exfordy/128576390/)
  2. The What & The Why
  3. LastUser is an identity-aggregating web service. (Diagram: LastUser connected to Your App 1, Your App 2, Your App 3)
  4. A simple goal: a login identifier that users can remember; relief from password management; no user registration, just login and use. (Mock login form: Login, Password, Submit)
  5. OpenID: URLs as Identity
  6. OpenID in theory: http://jace.livejournal.com/
  7. URLs in the browser: www.github.com
  8. URLs in the browser: github.com
  9. URLs in the browser: http://github.com/
  10. URLs in the browser: https://github.com/
  11. URLs as Identifiers: (1) github.com (2) github.com/ (3) www.github.com (4) www.github.com/ (5) http://github.com (6) http://github.com/ (7) http://www.github.com (8) http://www.github.com/ (9) https://github.com (10) https://github.com/ (11) https://www.github.com (12) https://www.github.com/. Multiple strings; same final URL. (Photo: flickr.com/mynameisharsha/5157965638/)
  12. Contrast with email addresses: kiran@hasgeek.in. Change one character and it’s no longer valid. Users are conditioned to type them in exactly every time.
  13. URL Ambiguity: https://www.google.com/accounts/o8/id. One OpenID URL for all Google accounts.
  14. URL Ambiguity: https://www.google.com/accounts/o8/id?id=AItOawnGAN1Swp5zAJn9UYCw0jivCRXg8qIe_9c and https://www.google.com/accounts/o8/id?id=AItOawm3y2JBSnIo0ZdNwtIa487VpQXtpbXNmU4. Both are the same Google id, on different domains, using directed identity. If you move to a new domain, all your users’ ids change.
  15. URLs are not reliable identifiers for users.
  16. OpenID in practice
  17. OAuth: Delegated Identity
  18. The delegated id model. (Diagram: Your Application delegating login to identity providers)
  19. The delegated id model: synchronizing identity across services? (Diagram: Your Application)
  20. Need a common identifier across services. It’s usually an email address.
  21. LastUser as abstraction layer. (Diagram: LastUser as OAuth Server, connected to Your App 1, Your App 2, Your App 3)
  22. Multiple apps, all connected to one LastUser instance.
  23. 1. Login screen provider
  24. Connecting identities: users sometimes login with a different service provider. Accounts can be connected if there is a common id. Twitter does not provide an email address. GitHub provides only the md5sum of the email via Gravatar; it can be connected if the email is already known.
  25. Supported id providers: Twitter, Google, GitHub, OpenID (but not delegation). Upcoming: LinkedIn, Facebook.
  26. OAuth: There is no single standard called OAuth. Every implementation is different.
  27. There is no up-to-date Python library for OAuth2. Every service provider has their own library. Contrast: Ruby has OmniAuth.
  28. LastUser implements OAuth 2.0 draft 16 (with gaps filled in).
  29. OAuth 2.0 has two parts: the OAuth Authorization Server and the OAuth Resource Server. The OAuth Client (1) requests an access token from the authorization server, then (2) uses the token to access a resource on the resource server.
  30. OAuth 2.0 has two parts (same diagram). OAuth 2.0 doesn’t specify how the authorization server and the resource server talk to each other; LastUser does.
  31. 2. Resource providers (work in progress)
  32. 3. Central access control
  33. Pending work: seamless login UI and pure client-side JS login API; non-web login flow; authorization-to-resource-server communication protocol; support for token types other than bearer tokens.
  34. LastUser is BSD-licensed: https://github.com/hasgeek/lastuser
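Slides 7 to 15 argue that a URL is a poor user identifier because one identity has many spellings. The added example below (not LastUser code, not from the talk) applies the OpenID 2.0 normalization rules for HTTP(S) identifiers to the twelve spellings from slide 11 and shows how far normalization gets you: trivial variants fold together, but the http/https and www/non-www splits survive as four distinct identifiers, and nothing here helps with Google's directed identity on slide 14, where the URL itself differs per relying party. The list of variants is taken from the slide; the function names are this example's own.

```python
from urllib.parse import urlsplit, urlunsplit

# The twelve spellings listed on slide 11.
GITHUB_VARIANTS = [
    "github.com", "github.com/", "www.github.com", "www.github.com/",
    "http://github.com", "http://github.com/",
    "http://www.github.com", "http://www.github.com/",
    "https://github.com", "https://github.com/",
    "https://www.github.com", "https://www.github.com/",
]


def normalize_openid_url(raw):
    """Normalize a URL-form OpenID identifier as OpenID 2.0 describes for
    HTTP(S) identifiers: default to http://, lower-case scheme and host,
    drop a default port, use '/' for an empty path, drop the fragment.
    XRI identifiers (xri://, =name, @name) are outside this example."""
    s = raw.strip()
    if "://" not in s:
        s = "http://" + s
    parts = urlsplit(s)
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"not an HTTP(S) identifier: {raw!r}")
    host = parts.hostname.lower()          # hostname is already userinfo-free
    default_port = 80 if scheme == "http" else 443
    port = parts.port                      # raises ValueError on a bad port
    netloc = host if port in (None, default_port) else f"{host}:{port}"
    path = parts.path or "/"
    return urlunsplit((scheme, netloc, path, parts.query, ""))


def canonical_forms(identifiers):
    """Distinct identifiers that remain after normalization, sorted."""
    return sorted({normalize_openid_url(i) for i in identifiers})


def same_identifier(a, b):
    """True only when both spellings normalize to the same identifier."""
    return normalize_openid_url(a) == normalize_openid_url(b)


if __name__ == "__main__":
    for form in canonical_forms(GITHUB_VARIANTS):
        print(form)
```

Run as a script it prints four lines, one per surviving identifier. A relying party that stores the normalized string still ends up with four accounts for one person unless it deliberately treats scheme and `www` as equivalent, which the OpenID spec does not permit (they may be different claimed identifiers); that is the practical reason the talk moves on to email addresses and delegated identity.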
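Slide 24 describes connecting a GitHub login to an existing account when GitHub exposes only the Gravatar md5 of the user's email. The added example below (my illustration, not LastUser's implementation) indexes an app's verified emails by their Gravatar hash and looks a freshly authenticated provider profile up in that index. The `gravatar_id` profile field, the `KNOWN_ACCOUNTS` table and the email addresses are constructed for the example.

```python
import hashlib


def gravatar_hash(email):
    """Gravatar's rule: md5 of the email after trimming and lower-casing."""
    return hashlib.md5(email.strip().lower().encode("utf-8")).hexdigest()


# Constructed sample of an app's existing accounts: verified email -> user id.
# Only emails the app has already verified belong in this table; an unsalted
# md5 proves knowledge of an address, not control of it.
KNOWN_ACCOUNTS = {
    "alice@example.com": "user-1",
    "bob@example.org": "user-2",
}


def build_gravatar_index(accounts):
    """Gravatar hash -> user id, so a provider profile can be matched."""
    return {gravatar_hash(email): user_id for email, user_id in accounts.items()}


def link_by_gravatar(provider_profile, index):
    """Return the existing user id this provider profile can be connected
    to, or None. A profile with neither an email nor a hash (the Twitter
    case on slide 24) can never be connected this way."""
    h = provider_profile.get("gravatar_id")      # assumed GitHub-style field
    if h is None and provider_profile.get("email"):
        h = gravatar_hash(provider_profile["email"])  # providers that do give an email
    if h is None:
        return None
    return index.get(h.lower())


if __name__ == "__main__":
    index = build_gravatar_index(KNOWN_ACCOUNTS)
    github_profile = {"login": "alice", "gravatar_id": gravatar_hash("Alice@Example.com")}
    twitter_profile = {"screen_name": "bob"}
    print(link_by_gravatar(github_profile, index))   # user-1
    print(link_by_gravatar(twitter_profile, index))  # None
```

The match is only as trustworthy as the two facts it rests on: the app verified the email in `KNOWN_ACCOUNTS` itself, and the provider profile arrived through a completed OAuth login rather than a user-supplied form field. Given those, the hash is just a lookup key; it should never be accepted as proof of ownership on its own.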
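Slides 29 and 30 split OAuth 2.0 into an authorization server that issues tokens and a resource server that accepts them, and note that draft 16 left the link between the two unspecified. The added example below is not LastUser's protocol; it is a toy in-process version of that link, where the resource server asks the authorization server whether a presented bearer token is live and what scope it carries. Class names, the `profile:read` scope, the introspection call and the `now` clock parameter are all assumptions made for the example.

```python
import secrets
import time


class AuthorizationServer:
    """Issues opaque bearer tokens and answers 'is this token live?'."""

    def __init__(self, registered_clients):
        self.clients = set(registered_clients)
        self.tokens = {}  # token string -> record

    def issue_token(self, client_id, user_id, scope, ttl=3600, now=None):
        """Step 1 on slide 29: the client obtains an access token."""
        if client_id not in self.clients:
            raise PermissionError("unknown client")
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # unguessable; the token is the credential
        self.tokens[token] = {
            "client_id": client_id,
            "user_id": user_id,
            "scope": frozenset(scope),
            "expires_at": now + ttl,
        }
        return token

    def introspect(self, token, now=None):
        """The unspecified part on slide 30: what the resource server asks."""
        now = time.time() if now is None else now
        rec = self.tokens.get(token)
        if rec is None or rec["expires_at"] <= now:
            return {"active": False}
        return {"active": True, "user_id": rec["user_id"], "scope": rec["scope"]}

    def revoke(self, token):
        """Revocation takes effect on the next introspection, with no
        per-resource-server state to invalidate."""
        self.tokens.pop(token, None)


class ResourceServer:
    """Holds the protected resource; trusts only the authorization server."""

    def __init__(self, auth_server):
        self.auth = auth_server

    def get_profile(self, authorization_header, now=None):
        """Step 2 on slide 29: the client presents the token for a resource.
        Returns (status, body) in the shape of an HTTP response."""
        if not authorization_header or not authorization_header.startswith("Bearer "):
            return 401, {"error": "missing bearer token"}
        token = authorization_header[len("Bearer "):].strip()
        info = self.auth.introspect(token, now=now)
        if not info["active"]:
            return 401, {"error": "invalid_token"}
        if "profile:read" not in info["scope"]:
            return 403, {"error": "insufficient_scope"}
        return 200, {"user_id": info["user_id"]}


if __name__ == "__main__":
    auth = AuthorizationServer(["app1"])
    resource = ResourceServer(auth)
    token = auth.issue_token("app1", "u42", ["profile:read"], ttl=60)
    print(resource.get_profile("Bearer " + token))   # (200, {'user_id': 'u42'})
    auth.revoke(token)
    print(resource.get_profile("Bearer " + token))   # (401, {'error': 'invalid_token'})
```

Because the token is opaque, the resource server cannot check it locally; every request costs a round trip to the authorization server, which is the price of instant revocation and of keeping scope and expiry in one place. Self-contained token formats trade that round trip for the revocation problem, which is one reason slide 33 lists "token types other than bearer tokens" as pending work.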
