The document discusses the challenges of authentication and identity management through passwords and the emergence of single sign-on (SSO) solutions to enhance user experience and security. It explores the evolution of OAuth protocols, highlighting the differences between OAuth 1.0 and 2.0, and the importance of identity providers in granting access to user resources without sharing credentials. The author emphasizes the need for better user experience and security in authorization processes, while noting the fragmentation and limitations within current OAuth implementations.

1. From authentication
to identity
management
Mehdi Medjaoui

2. Mehdi
Medjaoui
@medjawi
webshell.io
oauth.io

3. Authentication

5. Bob

6. I want to upload my
photos to access
them from anywhere

7. Photo.service

8. Photo.service
Hi Photo.
service!

9. Photo.service
Hi! Who is it?

10. Photo.service
I’m Bob

11. Photo.service
Prove it!

12. Photo.service
Here’s my
secret: ...

13. Photo.service
Oh it’s you
Bob!

14. Photo.service

15. Photo.service

16. Here’s my
secret: ...

17. Here’s my
password

18. Why passwords?

19. Identification

20. Authentication = Identification + Verification

21. To correctly verify someone,
a secret must relate to:
- what they know
- what they have
- what they are
- what they can do

22. But why passwords???

23. In theory

28. Security vs Convenience

29. Photo.service

30. Photo.service
Music.service

31. Photo.service
Music.service

32. Photo.service
Social.service
Music.service
Video.service
Email.service

33. Photo.service
Social.service
Photo.service
Social.service
Photo.service
Social.service
Music.service
Email.service
Video.service
Music.service
Email.service
Video.service
Music.service
Video.service
Email.service

34. Got cloudy these days...

36. Multiplication of web services have
made passwords
- hard to remember if unique

38. Multiplication of web services have
made passwords
- hard to remember if unique
- annoying to type all day if strong

40. password hell

41. Multiplication of web services have
made passwords
- hard to remember if unique
- annoying to type all day if strong
- weak if not unique

42. Passwords (even strong)
do not scale
with a growing number of services

43. Solution = Password manager ?

44. simple interface design

45. Single Sign-On

46. Single Sign-On
Single sign-on (SSO) is a property of
access control of multiple related,
but independent software systems.

47. The promise of SSO:
- UX with frictionless sign in and higher conversion
- Reduced IT costs
- Retrieving data with user’s consent but without annoying
forms
- Reduced password leak risks

48. - SAML
- OpenID
- Facebook connect
- OAuth
- Persona

50. IDP
Identity
provider
Photo.service
I’m Bob from
IDP

51. Is it really
Bob?
Photo.service
IDP
Identity
provider

52. IDP
Identity
provider
Photo.service
Prove to me
you’re Bob!

53. IDP
Identity
provider
Photo.service
Here’s my
session /
password

54. IDP
Identity
provider
Photo.service
You’re good

55. He’s indeed
Bob.
Photo.service
IDP
Identity
provider

56. Hi Bob!
Gimme fotoz!
Photo.service
IDP
Identity
provider

57. Google
myspace
Yahoo
Photo.service
?
The user
makes the
choice

58. -
Based on URLs for personal data
http://google.com/profiles/me
username.wordpress.com
blogname.blogspot.com
www.myspace.com/username

59. Authorization

60. I want to print my
photos from photo.
service with printer.
service

61. The wrong way:

62. Photo.service
has Resource
Printer.service
needs Resource
Key to photo.
service

63. Photo.service
has Resource
Printer.service
needs Resource
Hi, I want to
print my
photos.

64. Photo.service
credentials?
Printer.service
needs Resource
Photo.service
has Resource

65. Photo.service
has Resource
Printer.service
needs Resource
Sure:

66. Hi I’m Bob & I
have the key
Printer.service
needs Resource
Photo.service
has Resource

67. You’re indeed
Bob.
Printer.service
needs Resource
Photo.service
has Resource

68. Please send
me these
photos
Printer.service
needs Resource
Photo.service
has Resource

69. Here you go
Printer.service
needs Resource
Photo.service
has Resource

70. I printed the
photos.
Printer.service
needs Resource
Photo.service
has Resource

71. I’m gonna
look at all of
Bob’s photos!
Rogue Printer.
service
needs Resource
Photo.service
has Resource

72. without his
consent...
Rogue Printer.
service
needs Resource
Photo.service
has Resource

73. Never give your
password to
other services

74. Authorization is
the solution

75. 2008

76. Facebook
has Resource
some.service
needs
resource

78. Photo.service
has Resource
Printer.service
needs Resource
Key to photo.
service

79. Photo.service
has Resource
Printer.service
needs Resource
Hi, I’m Bob.

80. I have support
for Photo.
service, ...
Printer.service
needs Resource
Photo.service
has Resource

81. I have support
for Photo.
service, ...
Printer.service
needs Resource
Photo.service
has Resource
Note: choice of
supported resource
providers has also to
be made by printer.
service

82. Photo.service
has Resource
Printer.service
needs Resource
Please use
Photo.service

83. Hi, I’m Printer.
service
Printer.service
needs Resource
Photo.service
has Resource

84. Prove it!
Printer.service
needs Resource
Photo.service
has Resource

85. Here’s my
client_secret
Printer.service
needs Resource
Photo.service
has Resource

86. You’re good.
Printer.service
needs Resource
Photo.service
has Resource

87. I need access to
Bob’s photos
Printer.service
needs Resource
Photo.service
has Resource

88. Photo.service
has Resource
Printer.service
needs Resource
Who are you?

89. Photo.service
has Resource
Printer.service
needs Resource
I’m Bob. Here’
s my key

90. Photo.service
has Resource
Printer.service
needs Resource
Do you allow
Pr.S. to access
your photos?

91. Photo.service
has Resource
Printer.service
needs Resource
Sure!

92. You now have
access to Bob’
s photos
Printer.service
needs Resource
Photo.service
has Resource

93. Send me the
holiday photos!
Printer.service
needs Resource
Photo.service
has Resource

94. Here you go!
Printer.service
needs Resource
Photo.service
has Resource

95. I printed the
photos.
Printer.service
needs Resource
Photo.service
has Resource

96. Photo.service
has Resource
Printer.service
needs Resource
Note: Printer.service
does not hold Bob’s
key to Photo.service

97. The PHOTO app chooses and
control what OAuth provider to
integrate, so the user cannot
choose the identity he wants

99. Based on API authorizations and
endpoints between applications

100. -

101. Single Sign-On
conclusion
- OpenID (URLs) is a group of companies that trust
each other to be an identity provider (IDP)
OpenID let the choice to the user of the IDP
- Facebook connect (Facebook Connect was the single
sign on of Facebook affiliate ecosystem)
- OAuth : the OAuth provider know the user AND the
application. The End user application choose the IDP
the end user can connect with.

102. OpenID
OAuth
SAML
Dates from
2005
2006
2001
Current version
OpenID 2.0
OAuth 2.0
SAML 2.0
API
Single sign-on
Single sign-on authorization
for enterprise
Main purpose for consumers
between
users
applications
Protocols used
XRDS, HTTP
JSON, HTTP
SAM, XML,
HTTP, SOAP

103. OAuth and the
Highway to Hell
OAuth 2.0 and the
Road to Hell
(Eran Hammer)

105. OAuth 1.0
(2007)
OAuth provides a method for clients to access server
resources on behalf of a resource owner (such as a
different client or an end- user). It also provides a
process for end-users to authorize third-party access to
their server resources without sharing their credentials
(typically, a username and password pair), using useragent redirections.
http://tools.ietf.org/html/rfc5849

106. Context :
- php 4
- no https
- Google involved
- not Open ID
OAuth 1.0
(2007)
Pain:
- Signatures
- Broken libraries
- Extensions
- Crappy specifications
From Eran Hammer #FuckOauth
OAuth 2.0 - Looking Back and Moving On

107. OAuth 1.0a
(one legged)
OAuthBible
#

108. OAuth 1.0a
(two legged)
OAuthBible
#

109. OAuth 1.0a
(three legged)
OAuthBible
#

110. OAuth 1.0a
(Echo)
OAuthBible
#

111. OAuth 1.0a
(xAuth)
OAuthBible
#

112. OAuth 2.0

113. Authentication and Signatures
- Stop cryptographic requirements of
signing requests with the client ID and
secret and replaces signatures with
requiring HTTPS for all
communications between browsers,
clients and the API.

114. User Experience and Alternative Authorization
Flows
OAuth 2 supports a better user experience for
native applications, and supports extending
the protocol to provide compatibility with
future device requirements.

115. Performance at Scale
- Many steps require state management and temporary
credentials, which require shared storage and are
difficult to synchronize across data centers.
- requires that the API server has access to the
application's ID and secret, which often breaks the
architecture of most large providers where the
authorization server and API servers are completely
separate.

116. - OAuth 2.0 (Two-legged)
Client credential
Resource user password
- OAuth 2.0 (Three-legged)
- OAuth 2.0 (Refresh token)
Scopes are often not implemented the good way,
following the specs.
Sometimes spaces are not set, names are different
from providers….
#OAuthBible

117. OAuth is fragmented.
OAuth is broken.

118. OAuth 2.0 is a
compromise.

119. -

120. Eran Hammer has quit the
OAuth 2.0 Board.
He is building Oz.

121. Solutions to Consume OAuth ?
- The IETF specs
- The OAuth Bible
- Open source libraries (omniauth
for ruby, requests or foauth for
python, passport for node.js…)
- Janrain, Dailycred
- OAuth.io

123. OAuth.io

124. Demo

125. OAuth.io

126. OAuth.io

127. Demo

128. oauthd
Open source version of
OAuth.io

129. The Glue of OAuth?
https://github.com/oauth-io/oauthd/blob/master/providers

130. OAuth Report
#SOCIAL LOGIN

135. The future?
Mozilla Persona (Browser ID)
Docker.io

137. Thank you!
Mehdi Medjaoui
@medjawi
webshell.io
oauth.io