The Last Authentication System You Will Ever Write

Transcript
Page 1: The Last Authentication System You Will Ever Write

The Last Authentication System You Will Ever Write

Jason Austin - @jason_austin - [email protected]

Thursday, May 26, 2011

Page 2: The Last Authentication System You Will Ever Write

A Quick Rundown

• Authentication Basics

• Pros/Cons of offloading

• Authentication Mechanisms

• Authentication Providers

• Implementation


Page 3: The Last Authentication System You Will Ever Write

Authentication Basics

flickr - @digiart2001

Authentication != Authorization

Who you are vs. what rights you have


Page 4: The Last Authentication System You Will Ever Write

Setting Up An Auth System

• Signup

• Confirmation

• Authenticate (Username / Password)

• Password Retrieval / Reset

• Password Change


Page 5: The Last Authentication System You Will Ever Write

Security Requirements

• Secure Transactions

• Salting/Hashing Passwords

• Storing Passwords

• Password Strength Requirements

• Policies surrounding username selections


Page 6: The Last Authentication System You Will Ever Write

User Impact

• Signup process

• Name

• Password (And Confirm)

• Email Address

• Yet another set of credentials


Page 7: The Last Authentication System You Will Ever Write

Offloading Authentication

flickr - @sbisson


Page 8: The Last Authentication System You Will Ever Write

What is Offloading?

• Authentication via a trusted third party

• User creates an account there (or likely already has one)

• They manage passwords and usernames

• Host application passes user to authentication provider

• No passwords pass over your wire


Page 9: The Last Authentication System You Will Ever Write

Why Offload?

• Dirty work is done for you

• No Passwords. Ever. None.

• No Username Selections

• Implementation is quick and easy

• Signup is fast


Page 10: The Last Authentication System You Will Ever Write

Effectiveness

• Quick Conversion

• Personal Information

• Demographic Information


Page 11: The Last Authentication System You Will Ever Write

Downsides

• Indentured to a provider

• Require a third party for a critical aspect of your application


Page 12: The Last Authentication System You Will Ever Write

Who To Use?


Page 13: The Last Authentication System You Will Ever Write

Finding a Provider

• Reliability

• Support

• Trust from users

• Usage

• Longevity


Page 14: The Last Authentication System You Will Ever Write

Make A Choice

• Pick the right service for your audience

• Choose multiple services


Page 15: The Last Authentication System You Will Ever Write

Getting Started

Page 16: The Last Authentication System You Will Ever Write

First Step

• Getting to know the technologies

• OpenID

• OAuth


Page 17: The Last Authentication System You Will Ever Write

OpenID

• One login, multiple sites

• Decentralized

• URI-based, e.g. jfaustin.myopenid.com

• Service provided by anyone


Page 18: The Last Authentication System You Will Ever Write

OpenID Workflow


Page 19: The Last Authentication System You Will Ever Write

OpenID

• Hasn’t really caught on

• Thought of as “geek speak”

• Service providers include

• Google

• Yahoo

• Many more...


Page 20: The Last Authentication System You Will Ever Write

OAuth

• Open standard for access delegation

• Combined with authentication, it provides the ability to do SSO

• Valet key to the internet


Page 21: The Last Authentication System You Will Ever Write

OAuth Players

• Service Provider (Server) - Has the information you want

• Consumer (Client) - Wants the information from the Service Provider

• User (Resource Owner) - Can grant the Consumer access to acquire information about their account from the Service Provider


Page 22: The Last Authentication System You Will Ever Write


Page 23: The Last Authentication System You Will Ever Write

OAuth

• Technology behind authentication from

• Facebook

• Yahoo!

• Twitter


Page 24: The Last Authentication System You Will Ever Write

Sign in with Twitter


Page 25: The Last Authentication System You Will Ever Write

Get Started

• Register your app with Twitter

• https://dev.twitter.com/apps/new

• Add some UI to your app

• Choose an OAuth lib to help


Page 27: The Last Authentication System You Will Ever Write

Files Needed

index.php, auth.php, callback.php

* Needs an OAuth library. We're going to use ZF (Zend Framework)


Page 28: The Last Authentication System You Will Ever Write

<?php
// index.php
session_start(); // needed before $_SESSION can be read

if (isset($_SESSION['auth'])) {
    echo "Logged in";
    echo "<br><br><pre>";
    // the auth data came from the provider, so escape it before echoing into HTML
    echo htmlspecialchars(print_r($_SESSION['auth'], true));
    echo "</pre>";
    echo "<a href='logout.php'>Logout</a>";
} else {
    echo "Not logged in";
    echo "<br><br>";
    echo "<a href='auth.php'>Sign in to twitter</a>";
}

Logging In


Page 29: The Last Authentication System You Will Ever Write

<?php
// auth.php
session_start(); // needed before $_SESSION can be used

if (isset($_SESSION['auth'])) {
    echo "already logged in";
    die();
}

$options = array(
    'consumerKey'    => 'asdfgawe23aewvserg43tg',
    'consumerSecret' => 'asdf34visnerfg9j0ae49gj09srjg9ae',
    'callbackUrl'    => 'http://pintlabs.com/demo/callback.php',
    'siteUrl'        => 'http://twitter.com/oauth',
);

require_once 'Zend/Oauth/Consumer.php';
$consumer = new Zend_Oauth_Consumer($options);

// Step 1: obtain an unauthorized request token from Twitter
$token = $consumer->getRequestToken();

// Keep the request token (with its secret) for callback.php,
// then send the user to Twitter to authorize the app
$_SESSION['requestToken'] = serialize($token);
$consumer->redirect();

Authentication


Page 30: The Last Authentication System You Will Ever Write

<?php
// callback.php
session_start(); // needed before $_SESSION can be used

// Twitter (OAuth 1.0a) sends both oauth_token and oauth_verifier back
if (!isset($_GET['oauth_token'], $_GET['oauth_verifier'])) {
    die("oauth_token or oauth_verifier not set");
}
if (!isset($_SESSION['requestToken'])) {
    die("no pending request token");
}

$response = array(
    'oauth_token'    => $_GET['oauth_token'],
    'oauth_verifier' => $_GET['oauth_verifier'],
);

require_once 'Zend/Oauth/Consumer.php';
// same options as auth.php
$consumer = new Zend_Oauth_Consumer($options);

$requestToken = unserialize($_SESSION['requestToken']);

// Exchange the verified request token for an access token
$accessToken = $consumer->getAccessToken($response, $requestToken);

unset($_SESSION['requestToken']);

// Twitter answers form-encoded: oauth_token, oauth_token_secret, user_id, screen_name
parse_str($accessToken->getResponse()->getBody(), $params);

$_SESSION['auth'] = $params;

Receive the Callback
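What Zend_Oauth_Consumer does underneath getRequestToken() and getAccessToken(), as an added example that is not part of the talk's code: it builds the RFC 5849 signature base string and the HMAC-SHA1 signature for each request, and the provider recomputes the same value to check it. The request and secrets below are the published example from OAuth Core 1.0 Appendix A, not Twitter credentials; the function names are this example's own.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote, urlsplit

def percent_encode(value):
    # RFC 5849 3.6: only A-Z a-z 0-9 - . _ ~ stay unencoded, so "/" becomes %2F
    return quote(str(value), safe="-._~")

def normalize_url(url):
    # RFC 5849 3.4.1.2: lowercase scheme and host, drop default port, query and fragment
    p = urlsplit(url)
    scheme, host, port = p.scheme.lower(), p.hostname.lower(), p.port
    default = (scheme == "http" and port == 80) or (scheme == "https" and port == 443)
    netloc = host if port is None or default else "%s:%d" % (host, port)
    return "%s://%s%s" % (scheme, netloc, p.path or "/")

def signature_base_string(method, url, params):
    # RFC 5849 3.4.1: METHOD & enc(base URL) & enc(sorted "k=v" pairs of encoded params)
    pairs = sorted((percent_encode(k), percent_encode(v))
                   for k, v in params.items() if k != "oauth_signature")
    normalized = "&".join("%s=%s" % kv for kv in pairs)
    return "&".join([method.upper(), percent_encode(normalize_url(url)),
                     percent_encode(normalized)])

def hmac_sha1_sign(base_string, consumer_secret, token_secret=""):
    # Key is enc(consumer secret) & enc(token secret); the latter is empty for the request-token step
    key = ("%s&%s" % (percent_encode(consumer_secret), percent_encode(token_secret))).encode()
    mac = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()

def verify_hmac_sha1(method, url, params, consumer_secret, token_secret=""):
    # Provider side: recompute from the received parameters and compare in constant time
    expected = hmac_sha1_sign(signature_base_string(method, url, params),
                              consumer_secret, token_secret)
    return hmac.compare_digest(expected, params.get("oauth_signature", ""))

# Published example request from OAuth Core 1.0 Appendix A (not Twitter credentials):
# a consumer that already holds an access token fetches a photo on the user's behalf.
EXAMPLE_URL = "http://photos.example.net/photos"
EXAMPLE_PARAMS = {
    "file": "vacation.jpg", "size": "original",
    "oauth_consumer_key": "dpf43f3p2l4k3l03", "oauth_token": "nnch734d00sl2jdk",
    "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": "1191242096",
    "oauth_nonce": "kllo9940pd9333jh", "oauth_version": "1.0",
}
CONSUMER_SECRET, TOKEN_SECRET = "kd94hf93k423kf44", "pfkkdhi9sl3r4s00"
```

The provider also has to reject replays (reused nonce and timestamp) and only accept the signature once the token and verifier match what it issued; signing alone is what keeps the consumer secret off the wire.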


Page 31: The Last Authentication System You Will Ever Write

Best Practices

Page 32: The Last Authentication System You Will Ever Write

A Few Things To Remember...

• What if the external key changes?

• Changed OpenID URL

• Changed Twitter ID

• Multiple accounts from the same user


Page 33: The Last Authentication System You Will Ever Write

Account Management

• Have an internal application account id

• Link external accounts to internal id

• Allow management of external authentication sources by the user
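One way to keep the internal account separate from its external identities, covering both the "what if the external key changes" and "account management" slides, as an added example (Python with sqlite3, not the talk's PHP code): each provider's stable identifier (for Twitter, the numeric user_id returned with the access token, not the screen_name a user can change) is linked to an internal id, one account can hold several links, and the last link cannot be removed. The table names and the AccountStore class are this example's own assumptions.

```python
import sqlite3

SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, display_name TEXT NOT NULL);
CREATE TABLE external_identities (
    provider    TEXT NOT NULL,   -- 'twitter', 'openid', ...
    external_id TEXT NOT NULL,   -- provider's stable key (Twitter user_id, not screen_name)
    user_id     INTEGER NOT NULL REFERENCES users(id),
    PRIMARY KEY (provider, external_id));  -- one external identity, one internal account
"""

class AccountStore:
    def __init__(self):
        self.db = sqlite3.connect(":memory:")  # constructed in-memory store
        self.db.executescript(SCHEMA)

    def find_user(self, provider, external_id):
        row = self.db.execute("SELECT user_id FROM external_identities WHERE provider = ? "
                              "AND external_id = ?", (provider, external_id)).fetchone()
        return row[0] if row else None

    def identities(self, user_id):
        return self.db.execute("SELECT provider, external_id FROM external_identities "
                               "WHERE user_id = ? ORDER BY 1, 2", (user_id,)).fetchall()

    def link(self, user_id, provider, external_id):
        # False when that external identity is already linked to some account
        try:
            self.db.execute("INSERT INTO external_identities VALUES (?, ?, ?)",
                            (provider, external_id, user_id))
        except sqlite3.IntegrityError:
            return False
        self.db.commit()
        return True

    def unlink(self, user_id, provider, external_id):
        # Refuse to strand the account: keep at least one way to log in
        if len(self.identities(user_id)) <= 1:
            raise ValueError("cannot remove the last login method")
        self.db.execute("DELETE FROM external_identities WHERE user_id = ? AND provider = ? "
                        "AND external_id = ?", (user_id, provider, external_id))
        self.db.commit()

    def login_or_signup(self, provider, external_id, display_name):
        # Called from the OAuth callback; returns (internal user id, created_now)
        user_id = self.find_user(provider, external_id)
        if user_id is not None:
            return user_id, False
        cur = self.db.execute("INSERT INTO users (display_name) VALUES (?)", (display_name,))
        self.link(cur.lastrowid, provider, external_id)
        return cur.lastrowid, True
```

Linking a second provider should only happen from an already authenticated session, so the callback knows which internal id to attach the new identity to.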


Page 34: The Last Authentication System You Will Ever Write

Have A Backup Plan

• Downtime

• Removal of service

• Change in service


Page 35: The Last Authentication System You Will Ever Write

Questions?

http://joind.in/3431

Jason Austin - @jason_austin - [email protected]

Code Available at http://github.com/jfaustin/tek11-twitter-auth
