the last authentication system you will ever write
DESCRIPTION
Your users need to sign up, authenticate, retrieve their password, change their password, etc. Building your own system takes time and resources, so why not do what developers do best…abstract it away! Places like Twitter, Facebook, and Google have given developers the sweet gift of third-party authentication, allowing your users to use their existing credentials to access your application. Learn about the pros and cons of offloading authentication to these services and see how they work while exploring options using both OpenID and OAuth.
TRANSCRIPT
The Last Authentication System You Will Ever Write
Jason Austin - @jason_austin - [email protected]
Thursday, May 26, 2011
A Quick Rundown
• Authentication Basics
• Pros/Cons of offloading
• Authentication Mechanisms
• Authentication Providers
• Implementation
Authentication Basics
flickr - @digiart2001
Authentication != Authorization
Who you are vs. what rights you have
Setting Up An Auth System
• Signup
• Confirmation
• Authenticate (Username / Password)
• Password Retrieval / Reset
• Password Change
Security Requirements
• Secure Transactions
• Salting/Hashing Passwords
• Storing Passwords
• Password Strength Requirements
• Policies surrounding username selections
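The three requirements about passwords and usernames, as an added PHP example (this is not code from the talk; it uses the standard password_hash()/password_verify() API, PHP 7.1 or later, and the policy limits, the reserved-name list and the sample credentials are assumptions made for the example):

```php
<?php
// Added example: "Salting/Hashing Passwords", "Storing Passwords", "Password
// Strength Requirements" and "Policies surrounding username selections" as
// working code. Limits and reserved names below are assumptions.

declare(strict_types=1);

const HASH_OPTIONS = ['cost' => 12]; // assumed bcrypt work factor; raise as hardware allows

// Hash for storage. password_hash() draws a random per-user salt and embeds
// salt, algorithm and cost in the returned string, so the users table stores
// only this string and never the plaintext.
function hashPassword(string $plain): string
{
    return password_hash($plain, PASSWORD_DEFAULT, HASH_OPTIONS);
}

// Verify a login attempt. password_verify() reads salt and cost back out of
// the stored hash and compares in constant time.
function checkPassword(string $plain, string $storedHash): bool
{
    return password_verify($plain, $storedHash);
}

// After a successful login, upgrade hashes made with an older algorithm or a
// lower cost. Returns the new hash to persist, or null when the stored one is
// already current.
function rehashIfNeeded(string $plain, string $storedHash): ?string
{
    if (password_needs_rehash($storedHash, PASSWORD_DEFAULT, HASH_OPTIONS)) {
        return hashPassword($plain);
    }
    return null;
}

// Password strength policy. Returns the list of violations (empty = accepted).
function passwordPolicyViolations(string $plain, string $username): array
{
    $problems = [];
    if (strlen($plain) < 12) {
        $problems[] = 'at least 12 bytes';
    }
    if (strlen($plain) > 72) {
        $problems[] = 'at most 72 bytes (bcrypt silently ignores anything beyond)';
    }
    if (stripos($plain, $username) !== false) {
        $problems[] = 'must not contain the username';
    }
    return $problems;
}

// Username policy: a restricted character set (so names cannot break URLs or
// carry markup) and a reserved-name list (so nobody registers "admin").
function usernamePolicyViolations(string $username): array
{
    $problems = [];
    if (!preg_match('/^[a-z0-9_]{3,20}$/', $username)) {
        $problems[] = '3-20 lowercase letters, digits or underscores';
    }
    if (in_array($username, ['admin', 'root', 'support', 'api'], true)) {
        $problems[] = 'reserved name';
    }
    return $problems;
}

// Constructed walk-through: sign-up, then a later login with a rehash check.
$username  = 'jfaustin';
$candidate = 'correct horse battery staple';

$violations = array_merge(usernamePolicyViolations($username), passwordPolicyViolations($candidate, $username));
if ($violations !== []) {
    echo 'rejected: ', implode('; ', $violations), PHP_EOL;
    exit(1);
}

$stored = hashPassword($candidate); // the only password-derived value that is persisted
var_dump(checkPassword('wrong password', $stored));
var_dump(checkPassword($candidate, $stored));
var_dump(rehashIfNeeded($candidate, $stored) === null);
```

The first var_dump is false, the second true, and the third true because the hash was just made with the current cost. The "Secure Transactions" bullet is the one thing this file cannot show: the plaintext still travels from the browser to this code, so the form and the POST it submits must be served over TLS.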
User Impact
• Signup process
• Name
• Password (And Confirm)
• Email Address
• Yet another set of credentials
Offloading Authentication
flickr - @sbisson
What is Offloading?
• Authentication via a trusted third party
• User creates an account there (or likely already has one)
• They manage passwords and usernames
• Host application passes user to authentication provider
• No passwords pass over your wire
Why Offload?
• Dirty work is done for you
• No Passwords. Ever. None.
• No Username Selections
• Implementation is quick and easy
• Signup is fast
Effectiveness
• Quick Conversion
• Personal Information
• Demographic Information
Downsides
• Indentured to a provider
• Require a third party for a critical aspect of your application
Who To Use?
Finding a Provider
• Reliability
• Support
• Trust from users
• Usage
• Longevity
Make A Choice
• Pick the right service for your audience
• Choose multiple services
Getting Started
First Step
• Getting to know the technologies
• OpenID
• OAuth
OpenID
• One login, multiple sites
• Decentralized
• URI-based. EX: jfaustin.myopenid.com
• Service provided by anyone
OpenID Workflow
OpenID
• Hasn’t really caught on
• Thought of as “geek speak”
• Service providers include
• Yahoo
• Many more...
OAuth
• Open standard for access delegation
• With authentication, provides ability for SSO
• Valet key to the internet
OAuth Players
• Service Provider (Server) - Has the information you want
• Consumer (Client) - Wants the information from the Service Provider
• User (Resource Owner) - Can grant access to the Consumer to acquire information about your account from the Service Provider
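What the Consumer actually does when it talks to the Service Provider is sign each request. The following is an added example written for this page, not code from the talk or from any of the OAuth libraries it mentions: the OAuth 1.0a HMAC-SHA1 signing step, applied to the two token requests of the flow. It needs PHP 7.0 or later; the consumer key and secret, the request token, the verifier and the callback URL are constructed placeholders, and the endpoint paths are taken relative to the siteUrl the talk's auth.php uses.

```php
<?php
// Added example: the HMAC-SHA1 signature an OAuth 1.0a Consumer computes on
// every request to the Service Provider. All key and token values are
// constructed placeholders, not real credentials.

declare(strict_types=1);

// OAuth 1.0a requires RFC 3986 percent-encoding; rawurlencode() does exactly
// that (it leaves "~" unencoded from PHP 5.3 on).
function oauthEncode(string $value): string
{
    return rawurlencode($value);
}

// Signature base string: METHOD & encoded URL & encoded(normalized params).
// Parameters (query, form body and the oauth_* values, but never
// oauth_signature itself) are encoded first, then sorted by key and value,
// then joined with "&".
function oauthBaseString(string $method, string $url, array $params): string
{
    $pairs = [];
    foreach ($params as $key => $value) {
        $pairs[] = [oauthEncode((string) $key), oauthEncode((string) $value)];
    }
    usort($pairs, function (array $a, array $b): int {
        return strcmp($a[0], $b[0]) ?: strcmp($a[1], $b[1]);
    });
    $normalized = implode('&', array_map(function (array $p): string {
        return $p[0] . '=' . $p[1];
    }, $pairs));
    return strtoupper($method) . '&' . oauthEncode($url) . '&' . oauthEncode($normalized);
}

// The HMAC key is "consumerSecret&tokenSecret". The secrets never leave the
// Consumer; only the signature travels, which is what lets the talk say
// "no passwords pass over your wire".
function oauthSignature(string $method, string $url, array $params, string $consumerSecret, string $tokenSecret = ''): string
{
    $key = oauthEncode($consumerSecret) . '&' . oauthEncode($tokenSecret);
    return base64_encode(hash_hmac('sha1', oauthBaseString($method, $url, $params), $key, true));
}

// The Authorization header the Consumer sends with the signed request.
function oauthAuthorizationHeader(array $oauthParams, string $signature): string
{
    $oauthParams['oauth_signature'] = $signature;
    ksort($oauthParams);
    $parts = [];
    foreach ($oauthParams as $k => $v) {
        $parts[] = oauthEncode($k) . '="' . oauthEncode($v) . '"';
    }
    return 'OAuth ' . implode(', ', $parts);
}

$consumerKey    = 'example-consumer-key';    // constructed placeholder
$consumerSecret = 'example-consumer-secret'; // constructed placeholder
$siteUrl        = 'http://twitter.com/oauth'; // the talk's siteUrl; Zend appends the endpoint names

// Step 1: request token. No token secret exists yet, so the HMAC key ends in "&".
// oauth_nonce and oauth_timestamp make each signature single-use, which is what
// lets the Service Provider reject a replayed request.
$requestTokenParams = [
    'oauth_callback'         => 'http://example.test/callback.php', // assumed callback URL
    'oauth_consumer_key'     => $consumerKey,
    'oauth_nonce'            => bin2hex(random_bytes(16)),
    'oauth_signature_method' => 'HMAC-SHA1',
    'oauth_timestamp'        => (string) time(),
    'oauth_version'          => '1.0',
];
$sig = oauthSignature('POST', $siteUrl . '/request_token', $requestTokenParams, $consumerSecret);
echo oauthAuthorizationHeader($requestTokenParams, $sig), PHP_EOL;

// Step 3: access token. The request token's secret joins the key, and the
// oauth_verifier that arrived on the callback proves the user authorized it.
$accessTokenParams = [
    'oauth_consumer_key'     => $consumerKey,
    'oauth_nonce'            => bin2hex(random_bytes(16)),
    'oauth_signature_method' => 'HMAC-SHA1',
    'oauth_timestamp'        => (string) time(),
    'oauth_token'            => 'example-request-token', // constructed placeholder
    'oauth_verifier'         => 'example-verifier',      // constructed placeholder
    'oauth_version'          => '1.0',
];
$sig = oauthSignature('POST', $siteUrl . '/access_token', $accessTokenParams, $consumerSecret, 'example-request-token-secret');
echo oauthAuthorizationHeader($accessTokenParams, $sig), PHP_EOL;
```

The sort is done on the encoded key and value separately rather than on joined "key=value" strings, because a "-" or "." in a key sorts before "=" and would otherwise put parameters in the wrong order and produce a signature the Service Provider rejects. This is the part a library hides from you, and also the part that is most often got subtly wrong when written by hand.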
OAuth
• Technology behind authentication from
• Yahoo!
Sign in with Twitter
Get Started
• Register your app with Twitter
• https://dev.twitter.com/apps/new
• Add some UI to your app
• Choose an OAuth lib to help
OAuth Libraries
• oauth-php - http://code.google.com/p/oauth-php/
• Zend_Oauth - http://framework.zend.com/manual/en/zend.oauth.introduction.html
• OAuth PECL package - http://pecl.php.net/package/oauth
• CakePHP OAuth Package - http://code.42dh.com/oauth/
Files Needed
index.php, auth.php, callback.php
* Need an OAuth library. We’re going to use ZF (Zend Framework)
Logging In

```php
<?php
// index.php
session_start(); // every file in the demo reads $_SESSION, so the session must be started first

if (isset($_SESSION['auth'])) {
    echo "Logged in";
    echo "<br><br><pre>";
    // Demo output only: this array holds the access token and its secret as well
    // as values supplied by Twitter, so it is escaped here and would not be shown at all in a real app.
    echo htmlspecialchars(print_r($_SESSION['auth'], true));
    echo "</pre>";
    echo "<a href='logout.php'>Logout</a>";
} else {
    echo "Not logged in";
    echo "<br><br>";
    echo "<a href='auth.php'>Sign in to twitter</a>";
}
```
Authentication

```php
<?php
// auth.php
session_start();

if (isset($_SESSION['auth'])) {
    echo "already logged in";
    die();
}

$options = array(
    'consumerKey'    => 'asdfgawe23aewvserg43tg',              // placeholder values from the slides;
    'consumerSecret' => 'asdf34visnerfg9j0ae49gj09srjg9ae',    // use the key and secret Twitter issued for your app
    'callbackUrl'    => 'http://pintlabs.com/demo/callback.php',
    'siteUrl'        => 'http://twitter.com/oauth',
);

require_once 'Zend/Oauth/Consumer.php'; // Zend Framework 1 must be on the include_path
$consumer = new Zend_Oauth_Consumer($options);

// Step 1 of the three-legged flow: obtain a request token, signed with the consumer secret only
$token = $consumer->getRequestToken();

// Keep the request token (and its secret) server-side; callback.php needs it to swap for an access token
$_SESSION['requestToken'] = serialize($token);

// Step 2: send the user to Twitter to authorize the request token
$consumer->redirect();
```
Receive the Callback

```php
<?php
// callback.php
session_start();

if (!isset($_GET['oauth_token'], $_GET['oauth_verifier'])) {
    die("oauth_token not set");
}
if (!isset($_SESSION['requestToken'])) {
    die("no pending request token"); // the callback only makes sense after auth.php ran in this session
}

$response = array(
    'oauth_token'    => $_GET['oauth_token'],
    'oauth_verifier' => $_GET['oauth_verifier'],
);

// same options as auth.php (repeated so this file runs on its own)
$options = array(
    'consumerKey'    => 'asdfgawe23aewvserg43tg',
    'consumerSecret' => 'asdf34visnerfg9j0ae49gj09srjg9ae',
    'callbackUrl'    => 'http://pintlabs.com/demo/callback.php',
    'siteUrl'        => 'http://twitter.com/oauth',
);

require_once 'Zend/Oauth/Consumer.php';
require_once 'Zend/Oauth/Token/Request.php'; // so unserialize() can rebuild the stored token object
$consumer = new Zend_Oauth_Consumer($options);

$requestToken = unserialize($_SESSION['requestToken']);

// Step 3: exchange the authorized request token plus verifier for an access token.
// Zend_Oauth_Consumer throws if the oauth_token that came back does not match the stored request token.
$accessToken = $consumer->getAccessToken($response, $requestToken);
unset($_SESSION['requestToken']); // the request token is single-use

// Twitter answers with oauth_token, oauth_token_secret, user_id and screen_name
parse_str($accessToken->getResponse()->getBody(), $params);

session_regenerate_id(true); // fresh session id on login, so a pre-login session id cannot be reused
$_SESSION['auth'] = $params;
```
Best Practices
A Few Things To Remember...
• What if the external key changes?
• Changed OpenID URL
• Changed Twitter ID
• Multiple accounts from the same user
Account Management
• Have an internal application account id
• Link external accounts to internal id
• Allow management of external authentication sources by the user
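The three Account Management bullets, together with the "Changed OpenID URL", "Changed Twitter ID" and "Multiple accounts" questions from the previous slide, as an added example (not code from the talk or from the GitHub repository it links; PDO with an in-memory SQLite database, PHP 7.1 or later, and the table layout and sample data are constructed for this example). It reads "Changed Twitter ID" as a changed screen name and relies on the fact that Twitter's access-token response carries a stable numeric user_id next to the screen_name, which is why the external key stored is the user_id.

```php
<?php
// Added example: an internal account id with linked external identities.
// Every external login (Twitter user_id, OpenID claimed URL, ...) is one row
// pointing at an internal user. Schema and data are constructed.

declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('PRAGMA foreign_keys = ON');
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY AUTOINCREMENT, display_name TEXT NOT NULL)');
$pdo->exec('CREATE TABLE external_identities (
    provider    TEXT    NOT NULL,
    external_id TEXT    NOT NULL,
    user_id     INTEGER NOT NULL REFERENCES users(id),
    label       TEXT    NOT NULL,
    PRIMARY KEY (provider, external_id))');

// Login path: map (provider, external id) to an internal user, creating the
// user on first sight. Returns the internal id the session should hold.
function loginWithExternalIdentity(PDO $pdo, string $provider, string $externalId, string $label): int
{
    $find = $pdo->prepare('SELECT user_id FROM external_identities WHERE provider = ? AND external_id = ?');
    $find->execute([$provider, $externalId]);
    $userId = $find->fetchColumn();
    if ($userId !== false) {
        // Known identity: only refresh the human-readable label (e.g. a new screen name)
        $pdo->prepare('UPDATE external_identities SET label = ? WHERE provider = ? AND external_id = ?')
            ->execute([$label, $provider, $externalId]);
        return (int) $userId;
    }
    $pdo->prepare('INSERT INTO users (display_name) VALUES (?)')->execute([$label]);
    $userId = (int) $pdo->lastInsertId();
    linkExternalIdentity($pdo, $userId, $provider, $externalId, $label);
    return $userId;
}

// Settings path: a logged-in user attaches another provider (this is also how
// a changed OpenID URL is handled: link the new one, then drop the old one).
// The primary key rejects an identity already bound to some account, so two
// internal users can never share one external login.
function linkExternalIdentity(PDO $pdo, int $userId, string $provider, string $externalId, string $label): void
{
    $pdo->prepare('INSERT INTO external_identities (provider, external_id, user_id, label) VALUES (?, ?, ?, ?)')
        ->execute([$provider, $externalId, $userId, $label]);
}

// Settings path: detach a provider, but never the last one, or the user is
// locked out of their own account. Returns whether a row was removed.
function unlinkExternalIdentity(PDO $pdo, int $userId, string $provider, string $externalId): bool
{
    $count = $pdo->prepare('SELECT COUNT(*) FROM external_identities WHERE user_id = ?');
    $count->execute([$userId]);
    if ((int) $count->fetchColumn() <= 1) {
        return false;
    }
    $del = $pdo->prepare('DELETE FROM external_identities WHERE user_id = ? AND provider = ? AND external_id = ?');
    $del->execute([$userId, $provider, $externalId]);
    return $del->rowCount() === 1;
}

// Constructed walk-through. $params has the shape callback.php leaves in
// $_SESSION['auth'] after parse_str() on the access-token response.
$params = ['oauth_token' => 'x', 'oauth_token_secret' => 'y', 'user_id' => '12345', 'screen_name' => 'jason_austin'];
$uid = loginWithExternalIdentity($pdo, 'twitter', $params['user_id'], '@' . $params['screen_name']);

// Same person after renaming on Twitter: same user_id, so the same internal account
$again = loginWithExternalIdentity($pdo, 'twitter', '12345', '@jfaustin');

// Logged in, the user adds an OpenID as a second way in; the claimed identifier is the key
linkExternalIdentity($pdo, $uid, 'openid', 'http://jfaustin.myopenid.com/', 'myOpenID');

// Removing one of two identities works; removing the last one is refused
$removedOpenId  = unlinkExternalIdentity($pdo, $uid, 'openid', 'http://jfaustin.myopenid.com/');
$removedTwitter = unlinkExternalIdentity($pdo, $uid, 'twitter', '12345');

printf("uid=%d sameAccount=%s removedOpenId=%s removedTwitter=%s\n",
    $uid, var_export($uid === $again, true), var_export($removedOpenId, true), var_export($removedTwitter, true));
```

Keying on the provider's stable identifier rather than on a display name is what makes the "external key changes" question go away for Twitter; for OpenID the claimed URL is the identifier, so a changed URL is handled the way the link/unlink functions show. The refusal to unlink the last identity is the smallest form of the next slide's backup plan.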
Have A Backup Plan
• Downtime
• Removal of service
• Change in service
Questions?
http://joind.in/3431
Jason Austin - @jason_austin - [email protected]
Code Available at http://github.com/jfaustin/tek11-twitter-auth