hybrid auth: openid + oauth

Post on 08-May-2015


DESCRIPTION

>>> This is a draft

TRANSCRIPT

Hybrid Auth: OAuth + OpenID

Erik Eldridge

Engineer/Evangelist

Yahoo! Developer Network

Overview

• What, Why, and How of Hybrid Authentication

• Sample code

• Summary

• Resources

What is Hybrid Auth?

• Using OpenID for authentication and OAuth to authorize data access

• Similar to Facebook's Connect, but based on open standards

Why should we use it?

• Easy
  – Single flow for end-users

• Portable
  – Open source libraries
  – Any service can be an OpenID "Provider"
  – Transferable skill-set and technologies

How do we get started?

• Setup

• Implementation

• Sample

Setup requirements

• Visit developer.yahoo.com/dashboard

• Register an OAuth application

• Download Yahoo! Social SDK from github.com/yahoo

• Download OpenID-Enabled library from openidenabled.com

Generalized implementation

• Define a log in/out mechanism for your site

• If user is not logged in, initialize authentication via OpenID with Simple Registration

• In OpenID callback, check if OAuth access token for user is stored

• If access token does not exist, exchange request token for access token and store access token

• Log in user using local mechanism and begin fetching data using OAuth
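
The callback step of the flow above, sketched in PHP as an added example (not code from the slides, the Yahoo! Social SDK or the OpenID-Enabled library). `TokenStore`, `ArrayTokenStore`, `completeHybridLogin` and the `$exchange` callable are hypothetical names; `$assertionVerified`, `$openid` and `$requestToken` are assumed to come from your OpenID library's handling of the response.

```php
<?php
// Added example: hypothetical helper for the OpenID callback (return_to) step.
// $store and $exchange are assumptions standing in for your token storage and
// for the OAuth library call that swaps a request token for an access token.

interface TokenStore {
    public function get(string $openid): ?array;
    public function put(string $openid, array $accessToken): void;
}

final class ArrayTokenStore implements TokenStore {
    private array $rows = [];
    public function get(string $openid): ?array { return $this->rows[$openid] ?? null; }
    public function put(string $openid, array $accessToken): void { $this->rows[$openid] = $accessToken; }
}

function completeHybridLogin(bool $assertionVerified, string $openid, ?string $requestToken,
                             TokenStore $store, callable $exchange, array &$session): array {
    // Never act on an unverified OpenID response: identity and token both come from it.
    if (!$assertionVerified || $openid === '') {
        throw new RuntimeException('OpenID assertion not verified');
    }
    $token = $store->get($openid);
    if ($token === null) {
        if ($requestToken === null || $requestToken === '') {
            throw new RuntimeException('No stored access token and no request token to exchange');
        }
        $token = $exchange($requestToken);  // request token -> access token
        $store->put($openid, $token);       // keyed by the verified identifier only
    }
    // Local login; real code would also call session_regenerate_id(true) here.
    $session = ['user' => $openid];
    return $token;
}

// Constructed sample run: first login exchanges, second login reuses the stored token.
$calls = 0;
$exchange = function (string $rt) use (&$calls): array {
    $calls++;
    return ['key' => 'access-for-' . $rt, 'secret' => 'constructed-secret'];
};
$store = new ArrayTokenStore();
$session = [];
$id = 'https://openid.example/constructed-user';  // constructed identifier
completeHybridLogin(true, $id, 'rt-1', $store, $exchange, $session);
completeHybridLogin(true, $id, null, $store, $exchange, $session);
echo "exchanges performed: $calls\n";
```

Keying the stored access token on the verified identifier, and refusing to continue when verification fails, keeps one user's token from being attached to another user's local session.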

Example

• service
  – index.html
  – openid/
    • index.php
    • return_to.php
    • php-openid-2.1.3/
  – oauth/
    • index.php
    • yahoo-social-php-sdk/

Service/index.html, top

Service/index.html, middle

Service/index.html, bottom

Service/openid/index.php, top

Service/openid/index.php, bottom

Service/openid/return_to.php, top

Service/openid/return_to.php, middle

Service/openid/return_to.php, bottom

Service/oauth/index.php

Summary

• What?
  – Combination of OpenID authentication and OAuth authorization

• Why?
  – Convenient for the end-user: single auth flow

• How?
  – Yahoo! Social SDK + OpenID-Enabled OpenID library (with a pinch of YUI and YQL)

Resources

• developer.yahoo.com/openid

• developer.yahoo.com/oauth

• example.erikeldridge.com/{example code}

• Find me on Twitter: @erikeldridge
