the last authentication system you will ever write
DESCRIPTION
Your users need to sign up, authenticate, retrieve their password, change their password, etc. Building your own system takes time and resources, so why not do what developers do best…abstract it away! Places like Twitter, Facebook, and Google have given developers the sweet gift of third-party authentication, allowing your users to use their existing credentials to access your application. Learn about the pros and cons of offloading authentication to these services and see how they work while exploring options using both OpenID and OAuth.
TRANSCRIPT
The Last Authentication System You Will Ever Write
Jason Austin - @jason_austin - [email protected]
Thursday, May 26, 2011
A Quick Rundown
• Authentication Basics
• Pros/Cons of offloading
• Authentication Mechanisms
• Authentication Providers
• Implementation
Authentication Basics
flickr - @digiart2001
Authentication != Authorization
Who you are vs. what rights you have
Setting Up An Auth System
• Signup
• Confirmation
• Authenticate (Username / Password)
• Password Retrieval / Reset
• Password Change
Security Requirements
• Secure Transactions
• Salting/Hashing Passwords
• Storing Passwords
• Password Strength Requirements
• Policies surrounding username selections
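The salting/hashing and storage items on this slide are what you have to get right yourself if you do not offload. As an added illustration (not code from the talk or its repository), here is that part done with PHP's password_hash(), available from PHP 5.5, which draws a random per-password salt and stores it inside the bcrypt hash; the user store, username and password are constructed sample values.

```php
<?php
// Added example, not from the talk: salted password hashing and verification
// with password_hash()/password_verify() (PHP 5.5+). $store stands in for
// the users table; the sample user below is constructed.

// Store only the output of password_hash(); the salt is embedded in it.
function registerUser(array &$store, $username, $password) {
    if (isset($store[$username])) {
        return false; // username policy: no duplicates
    }
    $store[$username] = password_hash($password, PASSWORD_DEFAULT);
    return true;
}

// Check a login attempt against the stored hash.
function authenticate(array &$store, $username, $password) {
    if (!isset($store[$username])) {
        // Verify against a dummy bcrypt string so an unknown username costs
        // about the same time as a known one (no user enumeration by timing).
        password_verify($password, '$2y$10$' . str_repeat('a', 53));
        return false;
    }
    if (!password_verify($password, $store[$username])) {
        return false;
    }
    // Transparently upgrade the stored hash when the default cost or
    // algorithm has moved on since the user last logged in.
    if (password_needs_rehash($store[$username], PASSWORD_DEFAULT)) {
        $store[$username] = password_hash($password, PASSWORD_DEFAULT);
    }
    return true;
}

$users = array();
registerUser($users, 'alice', 'correct horse battery staple');
var_dump(authenticate($users, 'alice', 'correct horse battery staple'));
var_dump(authenticate($users, 'alice', 'wrong password'));
var_dump(authenticate($users, 'mallory', 'anything'));
```

Note that only the hash ever reaches storage and that the check is delegated to password_verify(), which does the comparison for you; the rehash step is what lets you raise the work factor later without forcing a reset.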
User Impact
• Signup process
• Name
• Password (And Confirm)
• Email Address
• Yet another set of credentials
Offloading Authentication
flickr - @sbisson
What is Offloading?
• Authentication via third trusted party
• User creates an account there (or likely already has one)
• They manage passwords and usernames
• Host application passes user to authentication provider
• No passwords pass over your wire
Why Offload?
• Dirty work is done for you
• No Passwords. Ever. None.
• No Username Selections
• Implementation is quick and easy
• Signup is fast
Effectiveness
• Quick Conversion
• Personal Information
• Demographic Information
Downsides
• Indentured to a provider
• Require a third party for a critical aspect of your application
Who To Use?
Finding a Provider
• Reliability
• Support
• Trust from users
• Usage
• Longevity
Make A Choice
• Pick the right service for your audience
• Choose multiple services
Getting Started
First Step
• Getting to know the technologies
• OpenID
• OAuth
OpenID
• One login, multiple sites
• Decentralized
• URI-based, e.g. jfaustin.myopenid.com
• Service provided by anyone
OpenID Workflow
OpenID
• Hasn’t really caught on
• Thought of as “geek speak”
• Service providers include
• Yahoo
• Many more...
OAuth
• Open standard for access delegation
• With authentication, provides ability for SSO
• Valet key to the internet
OAuth Players
• Service Provider (Server)- Has the information you want
• Consumer (Client) - Wants the information from the Service Provider
• User (Resource Owner) - Can grant the Consumer access to information about their account held by the Service Provider
OAuth
• Technology behind authentication from
• Yahoo!
Sign in with Twitter
Get Started
• Register your app with Twitter
• https://dev.twitter.com/apps/new
• Add some UI to your app
• Choose an OAuth lib to help
OAuth Libraries
• oauth-php - http://code.google.com/p/oauth-php/
• Zend_Oauth - http://framework.zend.com/manual/en/zend.oauth.introduction.html
• OAuth PECL package - http://pecl.php.net/package/oauth
• CakePHP OAuth Package - http://code.42dh.com/oauth/
Files Needed
• index.php
• auth.php
• callback.php
* Need an OAuth library. We’re going to use ZF (Zend Framework)
<?php
// index.php
session_start(); // needed before $_SESSION can be read

if (isset($_SESSION['auth'])) {
    echo "Logged in";
    echo "<br><br><pre>";
    print_r($_SESSION['auth']); // demo only: this dumps the access token and its secret to the page
    echo "</pre>";
    echo "<a href='logout.php'>Logout</a>";
} else {
    echo "Not logged in";
    echo "<br><br>";
    echo "<a href='auth.php'>Sign in to twitter</a>";
}
Logging In
<?php
// auth.php
session_start(); // needed before $_SESSION can be used

if (isset($_SESSION['auth'])) {
    echo "already logged in";
    die();
}

// Consumer key/secret come from the app registration at dev.twitter.com
$options = array(
    'consumerKey'    => 'asdfgawe23aewvserg43tg',
    'consumerSecret' => 'asdf34visnerfg9j0ae49gj09srjg9ae',
    'callbackUrl'    => 'http://pintlabs.com/demo/callback.php',
    'siteUrl'        => 'http://twitter.com/oauth',
);

require_once 'Zend/Oauth/Consumer.php';
$consumer = new Zend_Oauth_Consumer($options);

// Step 1: obtain an unauthorised request token from Twitter
$token = $consumer->getRequestToken();

// Keep the request token for callback.php, then send the user to Twitter to authorise
$_SESSION['requestToken'] = serialize($token);
$consumer->redirect();
Authentication
<?php
// callback.php
session_start(); // needed before $_SESSION can be used

if (!isset($_GET['oauth_token'])) {
    die("oauth_token not set");
}

// Twitter sends the user back with the request token and a verifier
$response = array(
    'oauth_token'    => $_GET['oauth_token'],
    'oauth_verifier' => $_GET['oauth_verifier'],
);

// same options as auth.php
$options = array(
    'consumerKey'    => 'asdfgawe23aewvserg43tg',
    'consumerSecret' => 'asdf34visnerfg9j0ae49gj09srjg9ae',
    'callbackUrl'    => 'http://pintlabs.com/demo/callback.php',
    'siteUrl'        => 'http://twitter.com/oauth',
);

require_once 'Zend/Oauth/Consumer.php';
$consumer = new Zend_Oauth_Consumer($options);

// Step 2: exchange the request token + verifier for an access token
$requestToken = unserialize($_SESSION['requestToken']);
$accessToken = $consumer->getAccessToken($response, $requestToken);
unset($_SESSION['requestToken']);

// Twitter's response body is form-encoded (oauth_token, oauth_token_secret, user_id, screen_name)
parse_str($accessToken->getResponse()->getBody(), $params);
$_SESSION['auth'] = $params;
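The three files above let Zend_Oauth do the signing, so the OAuth 1.0a mechanics from the "OAuth Players" slides never show. As an added example (not code from the talk or its GitHub repository), here is what the Consumer does with the access token saved in $_SESSION['auth'] when it later calls the Service Provider, and how the Provider checks that call: the signature base string, the HMAC-SHA1 signature, and a constant-time verification. The consumer key/secret, token/secret, URL, nonce and timestamp are constructed sample values, and the function names are this example's own.

```php
<?php
// Added example, not from the talk: OAuth 1.0a HMAC-SHA1 request signing
// (consumer side) and verification (provider side). All credentials, the
// URL, nonce and timestamp are constructed sample values.

// RFC 3986 percent-encoding as OAuth 1.0a requires. rawurlencode() already
// leaves '~' alone on PHP >= 5.3; the replace keeps older versions in line.
function oauthEncode($value) {
    return str_replace('%7E', '~', rawurlencode($value));
}

// Signature base string: METHOD & encode(url) & encode(sorted "k=v" pairs)
function oauthBaseString($method, $url, array $params) {
    $encoded = array();
    foreach ($params as $k => $v) {
        $encoded[oauthEncode($k)] = oauthEncode($v);
    }
    ksort($encoded, SORT_STRING);
    $pairs = array();
    foreach ($encoded as $k => $v) {
        $pairs[] = $k . '=' . $v;
    }
    return strtoupper($method) . '&' . oauthEncode($url) . '&' . oauthEncode(implode('&', $pairs));
}

// HMAC-SHA1 over the base string, keyed by encode(consumerSecret)&encode(tokenSecret)
function oauthSignature($method, $url, array $params, $consumerSecret, $tokenSecret) {
    $key = oauthEncode($consumerSecret) . '&' . oauthEncode($tokenSecret);
    return base64_encode(hash_hmac('sha1', oauthBaseString($method, $url, $params), $key, true));
}

// Consumer side: add the oauth_* protocol parameters and sign the request.
// $cred holds the consumer key/secret from $options and the token/secret
// that callback.php stored in $_SESSION['auth'].
function signRequest($method, $url, array $queryParams, array $cred, $nonce, $timestamp) {
    $params = $queryParams + array(
        'oauth_consumer_key'     => $cred['consumerKey'],
        'oauth_token'            => $cred['token'],
        'oauth_signature_method' => 'HMAC-SHA1',
        'oauth_timestamp'        => $timestamp,
        'oauth_nonce'            => $nonce,
        'oauth_version'          => '1.0',
    );
    $params['oauth_signature'] = oauthSignature($method, $url, $params, $cred['consumerSecret'], $cred['tokenSecret']);
    return $params;
}

// Provider side: recompute the signature from the received parameters and
// compare in constant time (hash_equals(), PHP 5.6+). A real provider also
// rejects reused nonces and stale timestamps to stop replay.
function verifyRequest($method, $url, array $params, $consumerSecret, $tokenSecret) {
    if (!isset($params['oauth_signature'])) {
        return false;
    }
    $presented = $params['oauth_signature'];
    unset($params['oauth_signature']);
    $expected = oauthSignature($method, $url, $params, $consumerSecret, $tokenSecret);
    return hash_equals($expected, $presented);
}

// Constructed credentials and endpoint for the demonstration
$cred = array(
    'consumerKey'    => 'example-consumer-key',
    'consumerSecret' => 'example-consumer-secret',
    'token'          => 'example-access-token',
    'tokenSecret'    => 'example-access-token-secret',
);
$url = 'https://api.example.com/account/verify';
$signed = signRequest('GET', $url, array('include_entities' => 'true'), $cred, 'nonce123', '1306425600');

// The provider accepts the request exactly as signed...
var_dump(verifyRequest('GET', $url, $signed, $cred['consumerSecret'], $cred['tokenSecret']));

// ...and rejects it once any signed parameter has been altered in transit
$tampered = $signed;
$tampered['oauth_timestamp'] = '1306425601';
var_dump(verifyRequest('GET', $url, $tampered, $cred['consumerSecret'], $cred['tokenSecret']));
```

The point to take from this is the slide's "no passwords pass over your wire": the token secret never leaves the Consumer either, because only the HMAC computed from it is sent, and the Provider can recompute it from its own copy of the secrets. Note that the `$queryParams + array(...)` union keeps the caller's values on key collision, which is why the oauth_* parameters are placed second.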
Receive the Callback
Best Practices
A Few Things To Remember...
• What if the external key changes?
• Changed OpenID URL
• Changed Twitter ID
• Multiple accounts from the same user
Account Management
• Have an internal application account id
• Link external accounts to internal id
• Allow management of external authentication sources by the user
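The three points on this slide, together with the "changed Twitter ID" and "multiple accounts" cases from the previous one, come down to one table layout: an internal account id, and a separate table mapping (provider, external id) pairs onto it. As an added example (not code from the talk or its repository), here is that layout with PDO and an in-memory SQLite database. The schema, provider names and identifiers are constructed for the example; the one fact it relies on is that Twitter's access-token response carries a numeric user_id alongside the screen_name, so the numeric id is the stable key and a renamed screen name still maps to the same internal account.

```php
<?php
// Added example, not from the talk: internal account ids with linked
// external identities, using PDO + SQLite in memory. Schema, provider
// names and identifiers are constructed for the example.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    display_name TEXT NOT NULL)');
// One row per external identity; a user may have several.
$db->exec('CREATE TABLE external_identities (
    provider    TEXT NOT NULL,
    external_id TEXT NOT NULL,
    user_id     INTEGER NOT NULL REFERENCES users(id),
    PRIMARY KEY (provider, external_id))');

// Internal id for a (provider, external_id) pair, or null if unknown
function findUser(PDO $db, $provider, $externalId) {
    $stmt = $db->prepare('SELECT user_id FROM external_identities WHERE provider = ? AND external_id = ?');
    $stmt->execute(array($provider, $externalId));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ? (int) $row['user_id'] : null;
}

// Attach a further external identity to an existing internal account
function linkIdentity(PDO $db, $userId, $provider, $externalId) {
    $stmt = $db->prepare('INSERT INTO external_identities (provider, external_id, user_id) VALUES (?, ?, ?)');
    $stmt->execute(array($provider, $externalId, $userId));
}

// Let the user drop an identity, but never the last one (they would be locked out)
function unlinkIdentity(PDO $db, $userId, $provider, $externalId) {
    $count = $db->prepare('SELECT COUNT(*) FROM external_identities WHERE user_id = ?');
    $count->execute(array($userId));
    if ((int) $count->fetchColumn() <= 1) {
        return false;
    }
    $stmt = $db->prepare('DELETE FROM external_identities WHERE user_id = ? AND provider = ? AND external_id = ?');
    $stmt->execute(array($userId, $provider, $externalId));
    return true;
}

// After a successful OAuth callback: reuse the internal account if this
// external identity is known, otherwise create one and link it.
function loginOrSignup(PDO $db, $provider, $externalId, $displayName) {
    $userId = findUser($db, $provider, $externalId);
    if ($userId !== null) {
        return $userId;
    }
    $db->beginTransaction();
    $db->prepare('INSERT INTO users (display_name) VALUES (?)')->execute(array($displayName));
    $userId = (int) $db->lastInsertId();
    linkIdentity($db, $userId, $provider, $externalId);
    $db->commit();
    return $userId;
}

// First Twitter sign-in creates the internal account; the key is the numeric
// user_id from the access-token response, not the screen name.
$id = loginOrSignup($db, 'twitter', '12345678', 'jfaustin');
// The same person later links an OpenID URL to that account
linkIdentity($db, $id, 'openid', 'http://jfaustin.myopenid.com/');
// Either identity resolves to the same internal id
var_dump(findUser($db, 'openid', 'http://jfaustin.myopenid.com/') === $id);
// A changed screen name does not create a second account
var_dump(loginOrSignup($db, 'twitter', '12345678', 'renamed_handle') === $id);
// Removing the only remaining identity is refused
unlinkIdentity($db, $id, 'openid', 'http://jfaustin.myopenid.com/');
var_dump(unlinkIdentity($db, $id, 'twitter', '12345678'));
```

Everything in your application references users.id; the external identities are interchangeable credentials for reaching it, which is what makes the "have a backup plan" slide workable: if one provider goes away, the user links another and keeps their account.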
Have A Backup Plan
• Downtime
• Removal of service
• Change in service
Questions?
http://joind.in/3431
Jason Austin - @jason_austin - [email protected]
Code Available at http://github.com/jfaustin/tek11-twitter-auth