CIS13: Identity Tech Overview: Less Pain, More Gain
54
Developers Thursday, July 18, 13
-
Upload
cloudidsummit -
Category
Technology
-
view
309 -
download
0
description
Tim Bray, Developer Advocate, Google Identity is tricky, and the penalties for getting it wrong are severe. Good news: technologies are surfacing that reduce developer pain while improving user experience. This talk highlights those technologies and introduces a framework, starting from your unique combination of constraints, users and platforms, to help you figure out which technologies and policies will work for you.
Transcript of CIS13: Identity Tech Overview: Less Pain, More Gain
Developers
Thursday, July 18, 13
Developers
Thursday, July 18, 13
13
Thursday, July 18, 13
13
Scalable Internet Kindness
Tim Bray (tbray.org, google.com/+TimBray, @timbray)Developer Advocate
Thursday, July 18, 13
4
Demo: Tumblr
Thursday, July 18, 13
5
• The password must be at least 8 characters long.• The password must contain at least:◦ one alpha character [a-zA-Z];◦ one numeric character [0-9];◦ one special character from this set:
` ! @ $ % ^ & * ( ) - _ = + [ ] ; : ' " , < . > / ?• The password must not:◦ contain spaces;◦ begin with an exclamation [!] or a question mark [?];◦ contain your login ID.◦ Contain your registered email address
• The password cannot contain repeating character strings of 3 or more identical characters. E.g. “1111” or “aaa”
• The sequence of the first 3 characters cannot be in your login ID.• The first 8 characters cannot be the same as in your previous password.• Passwords are treated as case sensitive.
From the top Google match for “password rules”
Thursday, July 18, 13
6
Thursday, July 18, 13
7
Thursday, July 18, 13
8
Demo: AccountChooser
Thursday, July 18, 13
9
Thursday, July 18, 13
9
Thursday, July 18, 13
10
Thursday, July 18, 13
11
Brian Campbell’s slides from GlueCon, major deep-dive:
http://goo.gl/Sj1UF
Thursday, July 18, 13
12
Thursday, July 18, 13
13
“ya29.AHES6ZQjFP7Ih-1pKyG9vdUo F28p4peeieppieob5CPHAwq3FLnm”
An Access Token
Thursday, July 18, 13
14
GET /v1/people/me HTTP/1.1...Host: www.googleapis.comAuthorization: Bearer ya29.AHES6ZQjFP7Ih-1pKyG9vdUoF2...
How to use an Access Token
Thursday, July 18, 13
15
634> curl \ https://www.googleapis.com/oauth2/v1/tokeninfo?access_token=ya29.AHES6Z...{ "issued_to": "407408718192.apps.googleusercontent.com", "audience": "407408718192.apps.googleusercontent.com", "user_id": "107760670355981561507946", "scope": "https://www.googleapis.com/auth/plus.me", "expires_in": 3370, "access_type": "offline"}
How to peek into an Access Token
Thursday, July 18, 13
An Access Token
16
• Is opaque,
• short-lived, and
• signifies the right for a particular Google Account to access a particular scope.
• It is unencrypted, therefore
• it must be transmitted over TLS (https).
Thursday, July 18, 13
17
Thursday, July 18, 13
18
“1/z48pvqwy8wucZp2zqQxgC 2B3gZNoPRRq_mgrgdJcmi4”
A Refresh Token
Thursday, July 18, 13
19
POST /o/oauth2/token HTTP/1.1Host: accounts.google.comContent-Type: application/x-www-form-urlencoded...refresh_token=1/z48pvqwy8wucZp2...&client_id=424861364121.apps.googleusercontent.com&client_secret=****&grant_type=refresh_token
How to use a Refresh Token
Thursday, July 18, 13
A Refresh Token
20
• Is opaque,
• doesn’t expire until revoked, and
• signifies the right for a particular Google Account to access a particular scope.
• It includes a shared secret, and
• it is unencrypted, therefore
• it must be transmitted over TLS (https).
Thursday, July 18, 13
21
eyJhbGciOiJSUzI1NiIsImtpZCI6ImFkMmE1MGNiNzBjNWRhNzg5ZWUyNmQwNWI4ZjYyMWE5OWU4MTIwMmUifQ.eyJpc3MiOiJhY2NvdW50cy5nb29nbGUuY29tIiwiaWQiOiIxMDc2MDY3MDM1NTgxNjE1MDc5NDYiLCJzdWIiOiIxMDc2MDY3MDM1NTgxNjE1MDc5NDYiLCJjaWQiOiI0MDc0MDg3MTgxOTIuYXBwcy5nb29nbGV1c2VyY29udGVudC5jb20iLCJhenAiOiI0MDc0MDg3MTgxOTIuYXBwcy5nb29nbGV1c2VyY29udGVudC5jb20iLCJ0b2tlbl9oYXNoIjoiVzlhVEtEVmF6M1VKdkhHdTUzLWJ5dyIsImF0X2hhc2giOiJXOWFUS0RWYXozVUp2SEd1NTMtYnl3IiwiYXVkIjoiNDA3NDA4NzE4MTkyLmFwcHMuZ29vZ2xldXNlcmNvbnRlbnQuY29tIiwiaWF0IjoxMzY3NTMxODg2LCJleHAiOjEzNjc1MzU3ODZ9.vtELejHfCClmqR9QTmk-ZATjEQaE37jiizY8cWUwBJ8hpXtTkjD9kRs91vncm8BmF_ztT7I3Q64AqYN8kJCyi82icligeO6vJ_bO-LgSkJSv657m1agdLPhkB6zqGKkH8qT40xwdYTXOXB0EkNZiGQhYg_TJNDasTn9KKxba-DE
An ID TokenThursday, July 18, 13
21
eyJhbGciOiJSUzI1NiIsImtpZCI6ImFkMmE1MGNiNzBjNWRhNzg5ZWUyNmQwNWI4ZjYyMWE5OWU4MTIwMmUifQ.eyJpc3MiOiJhY2NvdW50cy5nb29nbGUuY29tIiwiaWQiOiIxMDc2MDY3MDM1NTgxNjE1MDc5NDYiLCJzdWIiOiIxMDc2MDY3MDM1NTgxNjE1MDc5NDYiLCJjaWQiOiI0MDc0MDg3MTgxOTIuYXBwcy5nb29nbGV1c2VyY29udGVudC5jb20iLCJhenAiOiI0MDc0MDg3MTgxOTIuYXBwcy5nb29nbGV1c2VyY29udGVudC5jb20iLCJ0b2tlbl9oYXNoIjoiVzlhVEtEVmF6M1VKdkhHdTUzLWJ5dyIsImF0X2hhc2giOiJXOWFUS0RWYXozVUp2SEd1NTMtYnl3IiwiYXVkIjoiNDA3NDA4NzE4MTkyLmFwcHMuZ29vZ2xldXNlcmNvbnRlbnQuY29tIiwiaWF0IjoxMzY3NTMxODg2LCJleHAiOjEzNjc1MzU3ODZ9.vtELejHfCClmqR9QTmk-ZATjEQaE37jiizY8cWUwBJ8hpXtTkjD9kRs91vncm8BmF_ztT7I3Q64AqYN8kJCyi82icligeO6vJ_bO-LgSkJSv657m1agdLPhkB6zqGKkH8qT40xwdYTXOXB0EkNZiGQhYg_TJNDasTn9KKxba-DE
An ID TokenThursday, July 18, 13
22
eyJhbGciOiJSUzI1NiIsImtpZCI6ImFkMmE1MGNiNzBjNWRhNzg5ZWUyNmQwNWI4ZjYyMWE5OWU4MTIwMmUifQ.eyJpc3MiOiJhY2NvdW50cy5nb29nbGUuY29tIiwiaWQiOiIxMDc2MDY3MDM1NTgxNjE1MDc5NDYiLCJzdWIiOiIxMDc2MDY3MDM1NTgxNjE1MDc5NDYiLCJjaWQiOiI0MDc0MDg3MTgxOTIuYXBwcy5nb29nbGV1c2VyY29udGVudC5jb20iLCJhenAiOiI0MDc0MDg3MTgxOTIuYXBwcy5nb29nbGV1c2VyY29udGVudC5jb20iLCJ0b2tlbl9oYXNoIjoiVzlhVEtEVmF6M1VKdkhHdTUzLWJ5dyIsImF0X2hhc2giOiJXOWFUS0RWYXozVUp2SEd1NTMtYnl3IiwiYXVkIjoiNDA3NDA4NzE4MTkyLmFwcHMuZ29vZ2xldXNlcmNvbnRlbnQuY29tIiwiaWF0IjoxMzY3NTMxODg2LCJleHAiOjEzNjc1MzU3ODZ9.vtELejHfCClmqR9QTmk-ZATjEQaE37jiizY8cWUwBJ8hpXtTkjD9kRs91vncm8BmF_ztT7I3Q64AqYN8kJCyi82icligeO6vJ_bO-LgSkJSv657m1agdLPhkB6zqGKkH8qT40xwdYTXOXB0EkNZiGQhYg_TJNDasTn9KKxba-DE
An ID TokenThursday, July 18, 13
23
eyJhbGciOiJSUzI1NiIsImtpZCI6ImFkMmE1MGNiNzBjNWRhNzg5ZWUyNmQwNWI4ZjYyMWE5OWU4MTIwMmUifQ.eyJpc3MiOiJhY2NvdW50cy5nb29nbGUuY29tIiwiaWQiOiIxMDc2MDY3MDM1NTgxNjE1MDc5NDYiLCJzdWIiOiIxMDc2MDY3MDM1NTgxNjE1MDc5NDYiLCJjaWQiOiI0MDc0MDg3MTgxOTIuYXBwcy5nb29nbGV1c2VyY29udGVudC5jb20iLCJhenAiOiI0MDc0MDg3MTgxOTIuYXBwcy5nb29nbGV1c2VyY29udGVudC5jb20iLCJ0b2tlbl9oYXNoIjoiVzlhVEtEVmF6M1VKdkhHdTUzLWJ5dyIsImF0X2hhc2giOiJXOWFUS0RWYXozVUp2SEd1NTMtYnl3IiwiYXVkIjoiNDA3NDA4NzE4MTkyLmFwcHMuZ29vZ2xldXNlcmNvbnRlbnQuY29tIiwiaWF0IjoxMzY3NTMxODg2LCJleHAiOjEzNjc1MzU3ODZ9.vtELejHfCClmqR9QTmk-ZATjEQaE37jiizY8cWUwBJ8hpXtTkjD9kRs91vncm8BmF_ztT7I3Q64AqYN8kJCyi82icligeO6vJ_bO-LgSkJSv657m1agdLPhkB6zqGKkH8qT40xwdYTXOXB0EkNZiGQhYg_TJNDasTn9KKxba-DE
{ "alg":"RS256", "kid":"ad2a50cb70c5da789ee26d05b8f621a99e81202e"}
base64
ID Token crypto stuffThursday, July 18, 13
24
www.googleapis.com/oauth2/v1/certsThursday, July 18, 13
25
rubygems.org/gems/google-id-token
Installationgem install google-id-token
Examplesvalidator = GoogleIDToken::Validator.newjwt = validator.check(token, required_audience, required_client_id)if jwt email = jwt['email']else report "Cannot validate: #{validator.problem}"end
Thursday, July 18, 13
26
{ "iss":"accounts.google.com", "sub":"107606703558161507946", "azp":"407408718192.apps.googleusercontent.com", "token_hash":"W9aTKDVaz3UJvHGu53-byw", "at_hash":"W9aTKDVaz3UJvHGu53-byw", "aud":"407408718192.apps.googleusercontent.com", "iat":1367531886, "exp":1367535786}
Inside an ID Token payload
.eyJpc3MiOiJhY2NvdW50cy5nb29nbGUuY29...
base64payload
Thursday, July 18, 13
An ID Token
27
• Is cryptographically signed by an issuer (“iss”),
• asserts that the user (“sub”) is authenticated by that issuer,
• is meant for a particular recipient (“aud”), and
• may have been issued to a particular authorized party (“azp”).
• It is unencrypted, therefore
• it must be transmitted over TLS (https).
• They are incredibly useful! (see tbray.org/ongoing/When/201x/2013/04/04/ID-Tokens)
Thursday, July 18, 13
28
Thursday, July 18, 13
28
Thursday, July 18, 13
28
Thursday, July 18, 13
29
(Authz/authn demo)
Thursday, July 18, 13
30
<body> <div id="gConnect"> <button class="g-signin" data-scope="https://www.googleapis.com/auth/plus.login" data-requestvisibleactions="http://schemas.google.com/AddActivity" data-clientId="{{ CLIENT_ID }}" data-accesstype="offline" data-callback="onSignInCallback" data-theme="dark" data-cookiepolicy="single_host_origin"> </button>
Thursday, July 18, 13
31
get '/people' do # Check for stored credentials in the current user's session. if !session[:token] halt 401, 'User not connected.' end
# Authorize the client and construct a Google+ service. $client.authorization.update_token!(session[:token].to_hash) plus = $client.discovered_api('plus', 'v1')
# Get the list of people as JSON and return it. response = $client.execute!(plus.people.list, :collection => 'visible', :userId => 'me').body content_type :json responseend
Thursday, July 18, 13
32
Cross-clientIdentity
Thursday, July 18, 13
32
Cross-clientIdentity
Thursday, July 18, 13
Developer API console
33
Your “Project”
Web Client ID
Android app 1
Client ID
JavaScript appClient ID
Android app 2
Client ID
Thursday, July 18, 13
Developer API console
33
Your “Project”
Web Client ID
Android app 1
Client ID
JavaScript appClient ID
Android app 2
Client ID
Auth one, auth ‘em allThursday, July 18, 13
Developer API console
33
Your “Project”
Web Client ID
Android app 1
Client ID
JavaScript appClient ID
Android app 2
Client ID
Auth one, auth ‘em allThursday, July 18, 13
34
developers.google.com/accounts/docs/CrossClientAuth
Thursday, July 18, 13
35
Shared sign-in with ID Tokens
Shared Access-Token
grant
Mobile app gets offline Web-app
access
Cross-clientIdentity
Thursday, July 18, 13
35
Shared sign-in with ID Tokens
Shared Access-Token
grant
Mobile app gets offline Web-app
access
Cross-clientIdentity
Thursday, July 18, 13
35
Shared sign-in with ID Tokens
Shared Access-Token
grant
Mobile app gets offline Web-app
access
Cross-clientIdentity
Thursday, July 18, 13
35
Shared sign-in with ID Tokens
Shared Access-Token
grant
Mobile app gets offline Web-app
access
Cross-clientIdentity
Thursday, July 18, 13
36
Your client app
Thursday, July 18, 13
36
Your client app
Your server back-end
Thursday, July 18, 13
36
Your client app
Your server back-end
HTTPS
Thursday, July 18, 13
36
Your client app
Your server back-end
HTTPS
“Who am I talking to?”
Thursday, July 18, 13
37
developers.google.com/accounts/cookbook/Thursday, July 18, 13
38
Cookbook “Platforms” page
• Android app on a compatible device with Google Play services.
• A native compiled app on a personal computer or mobile device.
• Android app without Google Play services (for example, a Kindle). This is effictively equivalent to the Native-app scenario.
• iOS app.
• Browser-based Web app.
• Hybrid mobile/web, where components need to share identity.
• Chrome app/extension.
• Server-side app.
• Low-capability device (keyboard-challenged).
14
Thursday, July 18, 13
Thursday, July 18, 13
<Thank You!>
tbray.org/google.com/+TimBray@timbray
Thursday, July 18, 13
