The Last Authentication System You Will Ever Write

Post on 28-Jan-2015


Your users need to sign up, authenticate, retrieve their password, change their password, etc. Building your own system takes time and resources, so why not do what developers do best…abstract it away! Places like Twitter, Facebook, and Google have given developers the sweet gift of third-party authentication, allowing your users to use their existing credentials to access your application. Learn about the pros and cons of offloading authentication to these services and see how they work while exploring options using both OpenID and OAuth.

Transcript of The Last Authentication System You Will Ever Write

The Last Authentication System You Will Ever Write

Jason Austin - @jason_austin - jfaustin@gmail.com

Thursday, May 26, 2011

A Quick Rundown

• Authentication Basics

• Pros/Cons of offloading

• Authentication Mechanisms

• Authentication Providers

• Implementation

Authentication Basics

flickr - @digiart2001

Authentication != Authorization

Who you are vs. what rights you have

Setting Up An Auth System

• Signup

• Confirmation

• Authenticate (Username / Password)

• Password Retrieval / Reset

• Password Change

Security Requirements

• Secure Transactions

• Salting/Hashing Passwords

• Storing Passwords

• Password Strength Requirements

• Policies surrounding username selections

User Impact

• Signup process

• Name

• Password (And Confirm)

• Email Address

• Yet another set of credentials

Offloading Authentication

flickr - @sbisson

What is Offloading?

• Authentication via a trusted third party

• User creates an account there (or likely already has one)

• The provider manages passwords and usernames

• Host application passes the user to the authentication provider

• No passwords pass over your wire

Why Offload?

• Dirty work is done for you

• No Passwords. Ever. None.

• No Username Selections

• Implementation is quick and easy

• Signup is fast

Effectiveness

• Quick Conversion

• Personal Information

• Demographic Information

Downsides

• Indentured to a provider

• Require a third party for a critical aspect of your application

Who To Use?

Finding a Provider

• Reliability

• Support

• Trust from users

• Usage

• Longevity

Make A Choice

• Pick the right service for your audience

• Choose multiple services

Getting Started

First Step

• Getting to know the technologies

• OpenID

• OAuth

OpenID

• One login, multiple sites

• Decentralized

• URI-based, e.g. jfaustin.myopenid.com

• Service provided by anyone

OpenID Workflow

OpenID

• Hasn’t really caught on

• Thought of as “geek speak”

• Service providers include

• Google

• Yahoo

• Many more...

OAuth

• Open standard for access delegation

• Combined with authentication, it enables single sign-on (SSO)

• Valet key to the internet

OAuth Players

• Service Provider (Server) - Has the information you want

• Consumer (Client) - Wants the information from the Service Provider

• User (Resource Owner) - Can grant the Consumer access to acquire information about the User's account from the Service Provider
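What makes the Consumer trustworthy to the Service Provider without any user password changing hands is request signing. The following is an added example, not code from the talk or its GitHub repo, showing the HMAC-SHA1 signing (RFC 5849) that Zend_Oauth_Consumer performs internally for the request-token leg; the consumer key and secret are constructed placeholders and the request-token URL is assumed to be the slides' siteUrl plus /request_token, which is what the Zend consumer appends.

```php
<?php
// Added example: OAuth 1.0a HMAC-SHA1 signing as a Consumer would do it.
// Constructed credentials; nothing here is the talk's real key material.

function oauthEncode(string $s): string {
    // RFC 3986 percent-encoding; rawurlencode leaves A-Za-z0-9 - . _ ~ alone
    return rawurlencode($s);
}

function oauthBaseString(string $method, string $url, array $params): string {
    // 1. Normalise parameters: encode key and value, sort by key then value
    $pairs = [];
    foreach ($params as $k => $v) {
        $pairs[] = [oauthEncode((string) $k), oauthEncode((string) $v)];
    }
    usort($pairs, fn($a, $b) => $a <=> $b);
    $normalized = implode('&', array_map(fn($p) => $p[0] . '=' . $p[1], $pairs));
    // 2. METHOD & encoded base URL & encoded normalised parameter string
    return strtoupper($method) . '&' . oauthEncode($url) . '&' . oauthEncode($normalized);
}

function oauthSign(string $method, string $url, array $params,
                   string $consumerSecret, string $tokenSecret = ''): string {
    // Signing key = consumer secret & token secret. The token secret is empty
    // on the very first leg, because no request token exists yet.
    $key = oauthEncode($consumerSecret) . '&' . oauthEncode($tokenSecret);
    $base = oauthBaseString($method, $url, $params);
    return base64_encode(hash_hmac('sha1', $base, $key, true));
}

// Constructed request-token leg, mirroring what auth.php asks Zend to do
$requestTokenUrl = 'http://twitter.com/oauth/request_token';  // siteUrl + /request_token (assumed)
$params = [
    'oauth_consumer_key'     => 'EXAMPLE_CONSUMER_KEY',       // placeholder
    'oauth_nonce'            => bin2hex(random_bytes(16)),   // unique per request
    'oauth_signature_method' => 'HMAC-SHA1',
    'oauth_timestamp'        => (string) time(),
    'oauth_version'          => '1.0',
    'oauth_callback'         => 'http://pintlabs.com/demo/callback.php',
];
$params['oauth_signature'] = oauthSign('POST', $requestTokenUrl, $params, 'EXAMPLE_CONSUMER_SECRET');

// The signed parameters travel in the Authorization header; the Service
// Provider recomputes the HMAC with the same secrets and rejects a mismatch,
// a replayed nonce, or a stale timestamp.
$header = 'OAuth ' . implode(', ', array_map(
    fn($k, $v) => oauthEncode($k) . '="' . oauthEncode($v) . '"',
    array_keys($params), $params));
echo $header, PHP_EOL;
```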

OAuth

• Technology behind authentication from

• Facebook

• Yahoo!

• Twitter

Sign in with Twitter

Get Started

• Register your app with Twitter

• https://dev.twitter.com/apps/new

• Add some UI to your app

• Choose an OAuth lib to help

Files Needed

• index.php

• auth.php

• callback.php

* Needs an OAuth library. We're going to use Zend Framework (ZF)

Logging In

<?php
// index.php
session_start();

if (isset($_SESSION['auth'])) {
    echo "Logged in";
    echo "<br><br><pre>";
    // Escape before echoing: screen_name etc. come from the provider, not from us
    echo htmlspecialchars(print_r($_SESSION['auth'], true));
    echo "</pre>";
    echo "<a href='logout.php'>Logout</a>";
} else {
    echo "Not logged in";
    echo "<br><br>";
    echo "<a href='auth.php'>Sign in to twitter</a>";
}

Authentication

<?php
// auth.php
session_start();

if (isset($_SESSION['auth'])) {
    echo "already logged in";
    die();
}

$options = array(
    'consumerKey'    => 'asdfgawe23aewvserg43tg',
    'consumerSecret' => 'asdf34visnerfg9j0ae49gj09srjg9ae',
    'callbackUrl'    => 'http://pintlabs.com/demo/callback.php',
    'siteUrl'        => 'http://twitter.com/oauth',
);

require_once 'Zend/Oauth/Consumer.php';
$consumer = new Zend_Oauth_Consumer($options);

// Leg 1: fetch a request token from Twitter (signed with the consumer secret)
$token = $consumer->getRequestToken();

// Keep the request token (and its secret) for callback.php, then send the
// user to Twitter to approve the application
$_SESSION['requestToken'] = serialize($token);
$consumer->redirect();

Receive the Callback

<?php
// callback.php
session_start();

if (!isset($_GET['oauth_token']) || !isset($_GET['oauth_verifier'])) {
    die("oauth_token or oauth_verifier not set");
}
if (!isset($_SESSION['requestToken'])) {
    die("no request token in session; start at auth.php");
}

$response = array(
    'oauth_token'    => $_GET['oauth_token'],
    'oauth_verifier' => $_GET['oauth_verifier'],
);

// same options as auth.php
$options = array(
    'consumerKey'    => 'asdfgawe23aewvserg43tg',
    'consumerSecret' => 'asdf34visnerfg9j0ae49gj09srjg9ae',
    'callbackUrl'    => 'http://pintlabs.com/demo/callback.php',
    'siteUrl'        => 'http://twitter.com/oauth',
);
require_once 'Zend/Oauth/Consumer.php';
$consumer = new Zend_Oauth_Consumer($options);

$requestToken = unserialize($_SESSION['requestToken']);

// Leg 3: exchange the request token plus verifier for an access token; the
// oauth_token Twitter sent back should match the stored request token
$accessToken = $consumer->getAccessToken($response, $requestToken);

unset($_SESSION['requestToken']);

// Twitter's token response also carries user_id and screen_name
parse_str($accessToken->getResponse()->getBody(), $params);

$_SESSION['auth'] = $params;

Best Practices

A Few Things To Remember...

• What if the external key changes?

• Changed OpenID URL

• Changed Twitter ID

• Multiple accounts from the same user

Account Management

• Have an internal application account id

• Link external accounts to internal id

• Allow management of external authentication sources by the user
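One way to apply the three points above, covering the changed external key and multiple-accounts cases from the previous slide, is to key every provider identity on its stable id (for Twitter the numeric user_id returned with the access token, not the screen_name) and map it to an internal account id. This is an added example, not code from the talk or its GitHub repo; it uses an in-memory SQLite database through PDO, and all names and ids are constructed.

```php
<?php
// Added example: internal account id with linked external identities.
// Constructed data; schema is illustrative, not the talk's.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, display_name TEXT)');
// One row per (provider, external id). The stable id is the key, never the
// screen name, so a renamed Twitter handle does not orphan the account.
$db->exec('CREATE TABLE external_identities (
    provider TEXT NOT NULL, external_id TEXT NOT NULL, screen_name TEXT,
    user_id INTEGER NOT NULL REFERENCES users(id),
    PRIMARY KEY (provider, external_id))');

/** Returns the internal user id for a provider login, creating or linking as needed. */
function resolveUser(PDO $db, string $provider, string $externalId,
                     string $screenName, ?int $loggedInUserId = null): int {
    $st = $db->prepare('SELECT user_id FROM external_identities WHERE provider = ? AND external_id = ?');
    $st->execute([$provider, $externalId]);
    $userId = $st->fetchColumn();
    if ($userId !== false) {
        // Known identity: refresh the mutable screen name, keep the existing link
        $db->prepare('UPDATE external_identities SET screen_name = ? WHERE provider = ? AND external_id = ?')
           ->execute([$screenName, $provider, $externalId]);
        return (int) $userId;
    }
    if ($loggedInUserId === null) {
        // First visit from this identity and nobody logged in: create the account
        $db->prepare('INSERT INTO users (display_name) VALUES (?)')->execute([$screenName]);
        $loggedInUserId = (int) $db->lastInsertId();
    }
    // Otherwise an already logged-in user is adding a second provider to their account
    $db->prepare('INSERT INTO external_identities (provider, external_id, screen_name, user_id)
                  VALUES (?, ?, ?, ?)')
       ->execute([$provider, $externalId, $screenName, $loggedInUserId]);
    return $loggedInUserId;
}

// Constructed walkthrough; $params is what callback.php's parse_str() produces
$params = ['user_id' => '12345', 'screen_name' => 'jason_austin'];
$uid = resolveUser($db, 'twitter', $params['user_id'], $params['screen_name']);
// Same Twitter id, changed handle: resolves to the existing account
$again = resolveUser($db, 'twitter', '12345', 'jason_renamed');
// Logged-in user links an OpenID URL as a second way to sign in
$linked = resolveUser($db, 'openid', 'jfaustin.myopenid.com', 'jfaustin', $uid);
echo "$uid $again $linked", PHP_EOL;
```

Removing a linked provider (the "allow management" point) is then a single DELETE on external_identities, provided the user keeps at least one other way to sign in.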

Have A Backup Plan

• Downtime

• Removal of service

• Change in service

Questions?

http://joind.in/3431

Jason Austin - @jason_austin - jfaustin@gmail.com

Code Available at http://github.com/jfaustin/tek11-twitter-auth
