SlideShare uma empresa Scribd logo

The Last Authentication System You Will Ever Write

Jason Austin
Jason Austin

Your users need to sign up, authenticate, retrieve their password, change their password, etc. Building your own system takes time and resources, so why not do what developers do best…abstract it away! Places like Twitter, Facebook, and Google have given developers the sweet gift of third-party authentication, allowing your users to use their existing credentials to access your application. Learn about the pros and cons of offloading authentication to these services and see how they work while exploring options using both OpenID and OAuth.

Tecnologia
1 de 35
Baixar para ler offline
The Last Authentication System You Will Ever Write Jason Austin - @jason_austin - jfaustin@gmail.com Thursday, May 26, 2011
A Quick Rundown • Authentication Basics • Pros/Cons of offloading • Authentication Mechanisms • Authentication Providers • Implementation Thursday, May 26, 2011
Authentication Basics Authentication != Authorization flickr - @digiart2001 Who you are vs. what rights you have Thursday, May 26, 2011
Setting Up An Auth System • Signup • Confirmation • Authenticate (Username / Password) • Password Retrieval / Reset • Password Change Thursday, May 26, 2011
Security Requirements • Secure Transactions • Salting/Hashing Passwords • Storing Passwords • Password Strength Requirements • Policies surrounding username selections Thursday, May 26, 2011
User Impact • Signup process • Name • Password (And Confirm) • Email Address • Yet another set of credentials Thursday, May 26, 2011
flickr - @sbisson Offloading Authentication Thursday, May 26, 2011
What is Offloading? • Authentication via third trusted party • User creates an account there (or likely already has one) • They manage passwords and usernames • Host application passes user to authentication provider • No passwords pass over your wire Thursday, May 26, 2011
Why Offload? • Dirty work is done for you • No Passwords. Ever. None. • No Username Selections • Implementation is quick and easy • Signup is fast Thursday, May 26, 2011
Effectiveness • Quick Conversion • Personal Information • Demographic Information Thursday, May 26, 2011
Downsides • Indentured to a provider • Require a third party for a critical aspect of your application Thursday, May 26, 2011
Who To Use? Thursday, May 26, 2011
Finding a Provider • Reliability • Support • Trust from users • Usage • Longevity Thursday, May 26, 2011
Make A Choice • Pick the right service for your audience • Choose multiple services Thursday, May 26, 2011
Getting Started Thursday, May 26, 2011
First Step • Getting to know the technologies • OpenID • OAuth Thursday, May 26, 2011
OpenID • One login, multiple sites • Decentralized • URI-based. EX: jfaustin.myopenid.com • Service provided by anyone Thursday, May 26, 2011
OpenID Workflow Thursday, May 26, 2011
OpenID • Hasn’t really caught on • Thought of as “geek speak” • Service providers include • Google • Yahoo • Many more... Thursday, May 26, 2011
OAuth • Open standard for access delegation • With authentication, provides ability for SSO • Valet key to the internet Thursday, May 26, 2011
OAuth Players • Service Provider (Server)- Has the information you want • Consumer (Client) - Wants the information from the Service Provider • User (Resource Owner) - Can grant access to the Consumer to acquire information about your account from the Service Provider Thursday, May 26, 2011
Thursday, May 26, 2011
OAuth • Technology behind authentication from • Facebook • Yahoo! • Twitter Thursday, May 26, 2011
Sign in with Twitter Thursday, May 26, 2011
Get Started • Register your app with Twitter • https://dev.twitter.com/apps/new • Add some UI to your app • Choose an OAuth lib to help Thursday, May 26, 2011
OAuth Libraries • oauth-php http://code.google.com/p/oauth-php/ • Zend_Oauth http://framework.zend.com/manual/en/ zend.oauth.introduction.html • OAuth PECL package http://pecl.php.net/package/oauth • CakePHP OAuth Package http://code.42dh.com/oauth/ Thursday, May 26, 2011
Files Needed index.php auth.php callback.php * Need a OAuth library. We’re going to use ZF Thursday, May 26, 2011
Logging In <?php // index.php if (isset($_SESSION['auth'])) { echo "Logged in"; echo "<br><br><pre>"; print_r($_SESSION['auth']); echo "</pre>"; echo "<a href='logout.php'>Logout</a>"; } else { echo "Not logged in"; echo "<br><br>"; echo "<a href='auth.php'>Sign in to twitter</a>"; } Thursday, May 26, 2011
Authentication <?php // auth.php if (isset($_SESSION['auth'])) { echo "already logged in"; die(); } $options = array( 'consumerKey' => 'asdfgawe23aewvserg43tg', 'consumerSecret' => 'asdf34visnerfg9j0ae49gj09srjg9ae', 'callbackUrl' => 'http://pintlabs.com/demo/callback.php', 'siteUrl' => 'http://twitter.com/oauth' ); require_once 'Zend/Oauth/Consumer.php'; $consumer = new Zend_Oauth_Consumer($options); $token = $consumer->getRequestToken(); $_SESSION['requestToken'] = serialize($token); $consumer->redirect(); Thursday, May 26, 2011
<?php Receive the Callback // callback.php if (!isset($_GET['oauth_token'])) { die("oauth_token not set"); } $response = array( 'oauth_token' => $_GET['oauth_token'], 'oauth_verifier' => $_GET['oauth_verifier'], ); // same options as auth.php $consumer = new Zend_Oauth_Consumer($options); $requestToken = unserialize($_SESSION['requestToken']); $accessToken = $consumer->getAccessToken($response, $requestToken); unset($_SESSION['requestToken']); parse_str($accessToken->getResponse()->getBody(), $params); $_SESSION['auth'] = $params; Thursday, May 26, 2011
Best Practices Thursday, May 26, 2011
A Few Things To Remember... • What if the external key changes? • Changed OpenID URL • Changed Twitter ID • Multiple accounts from the same user Thursday, May 26, 2011
Account Management • Have an internal application account id • Link external accounts to internal id • Allow management of external authentication sources by the user Thursday, May 26, 2011
Have A Backup Plan • Downtime • Removal of service • Change in service Thursday, May 26, 2011
Questions? Jason Austin - @jason_austin - jfaustin@gmail.com http://joind.in/3431 Code Available at http://github.com/jfaustin/tek11-twitter-auth Thursday, May 26, 2011

Recomendados

Securing Your API
Securing Your APISecuring Your API
Securing Your APIJason Austin
 
Introduction to Elasticsearch
Introduction to ElasticsearchIntroduction to Elasticsearch
Introduction to ElasticsearchJason Austin
 
Service Oriented Architecture
Service Oriented ArchitectureService Oriented Architecture
Service Oriented ArchitectureJason Austin
 
Design patterns
Design patternsDesign patterns
Design patternsJason Austin
 
How Beer Made Me A Better Developer
How Beer Made Me A Better DeveloperHow Beer Made Me A Better Developer
How Beer Made Me A Better DeveloperJason Austin
 
Preparing Traditional Media for a Mobile World
Preparing Traditional Media for a Mobile WorldPreparing Traditional Media for a Mobile World
Preparing Traditional Media for a Mobile WorldJason Austin
 
Object Oriented PHP5
Object Oriented PHP5Object Oriented PHP5
Object Oriented PHP5Jason Austin
 
UNC CAUSE - Going Mobile On Campus
UNC CAUSE - Going Mobile On CampusUNC CAUSE - Going Mobile On Campus
UNC CAUSE - Going Mobile On CampusJason Austin
 

Recomendados

Securing Your API
Securing Your APISecuring Your API
Securing Your APIJason Austin
 
Introduction to Elasticsearch
Introduction to ElasticsearchIntroduction to Elasticsearch
Introduction to ElasticsearchJason Austin
 
Service Oriented Architecture
Service Oriented ArchitectureService Oriented Architecture
Service Oriented ArchitectureJason Austin
 
Design patterns
Design patternsDesign patterns
Design patternsJason Austin
 
How Beer Made Me A Better Developer
How Beer Made Me A Better DeveloperHow Beer Made Me A Better Developer
How Beer Made Me A Better DeveloperJason Austin
 
Preparing Traditional Media for a Mobile World
Preparing Traditional Media for a Mobile WorldPreparing Traditional Media for a Mobile World
Preparing Traditional Media for a Mobile WorldJason Austin
 
Object Oriented PHP5
Object Oriented PHP5Object Oriented PHP5
Object Oriented PHP5Jason Austin
 
UNC CAUSE - Going Mobile On Campus
UNC CAUSE - Going Mobile On CampusUNC CAUSE - Going Mobile On Campus
UNC CAUSE - Going Mobile On CampusJason Austin
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostZilliz
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfRankYa
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxnull - The Open Security Community
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by Hubspot2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by HubspotMarius Sescu
 
Everything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPTEverything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPTExpeed Software
 

Mais conteúdo relacionado

Último

From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostZilliz
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfRankYa
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 

Último (20)

From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 

Destaque

2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by Hubspot2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by HubspotMarius Sescu
 
Everything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPTEverything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPTExpeed Software
 
Product Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage EngineeringsProduct Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage EngineeringsPixeldarts
 
How Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental HealthHow Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental HealthThinkNow
 
AI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdfAI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdfmarketingartwork
 
PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024Neil Kimberley
 
Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)contently
 
How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024Albert Qian
 
Social Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie InsightsSocial Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie InsightsKurio // The Social Media Age(ncy)
 
Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024Search Engine Journal
 
5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summarySpeakerHub
 
ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd Clark Boyd
 
Getting into the tech field. what next
Getting into the tech field. what next Getting into the tech field. what next
Getting into the tech field. what next Tessa Mero
 
Google's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search IntentGoogle's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search IntentLily Ray
 
Time Management & Productivity - Best Practices
Time Management & Productivity - Best PracticesTime Management & Productivity - Best Practices
Time Management & Productivity - Best PracticesVit Horky
 
The six step guide to practical project management
The six step guide to practical project managementThe six step guide to practical project management
The six step guide to practical project managementMindGenius
 
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...RachelPearson36
 

Destaque (20)

2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by Hubspot2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by Hubspot
 
Everything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPTEverything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPT
 
Product Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage EngineeringsProduct Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage Engineerings
 
How Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental HealthHow Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental Health
 
AI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdfAI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdf
 
Skeleton Culture Code
Skeleton Culture CodeSkeleton Culture Code
Skeleton Culture Code
 
PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024
 
Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)
 
How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024
 
Social Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie InsightsSocial Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie Insights
 
Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024
 
5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary
 
ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd
 
Getting into the tech field. what next
Getting into the tech field. what next Getting into the tech field. what next
Getting into the tech field. what next
 
Google's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search IntentGoogle's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search Intent
 
How to have difficult conversations
How to have difficult conversations How to have difficult conversations
How to have difficult conversations
 
Introduction to Data Science
Introduction to Data ScienceIntroduction to Data Science
Introduction to Data Science
 
Time Management & Productivity - Best Practices
Time Management & Productivity - Best PracticesTime Management & Productivity - Best Practices
Time Management & Productivity - Best Practices
 
The six step guide to practical project management
The six step guide to practical project managementThe six step guide to practical project management
The six step guide to practical project management
 
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
 

The Last Authentication System You Will Ever Write

  • 1. The Last Authentication System You Will Ever Write Jason Austin - @jason_austin - jfaustin@gmail.com Thursday, May 26, 2011
  • 2. A Quick Rundown • Authentication Basics • Pros/Cons of offloading • Authentication Mechanisms • Authentication Providers • Implementation Thursday, May 26, 2011
  • 3. Authentication Basics Authentication != Authorization flickr - @digiart2001 Who you are vs. what rights you have Thursday, May 26, 2011
  • 4. Setting Up An Auth System • Signup • Confirmation • Authenticate (Username / Password) • Password Retrieval / Reset • Password Change Thursday, May 26, 2011
  • 5. Security Requirements • Secure Transactions • Salting/Hashing Passwords • Storing Passwords • Password Strength Requirements • Policies surrounding username selections Thursday, May 26, 2011
  • 6. User Impact • Signup process • Name • Password (And Confirm) • Email Address • Yet another set of credentials Thursday, May 26, 2011
  • 7. flickr - @sbisson Offloading Authentication Thursday, May 26, 2011
  • 8. What is Offloading? • Authentication via third trusted party • User creates an account there (or likely already has one) • They manage passwords and usernames • Host application passes user to authentication provider • No passwords pass over your wire Thursday, May 26, 2011
  • 9. Why Offload? • Dirty work is done for you • No Passwords. Ever. None. • No Username Selections • Implementation is quick and easy • Signup is fast Thursday, May 26, 2011
  • 10. Effectiveness • Quick Conversion • Personal Information • Demographic Information Thursday, May 26, 2011
  • 11. Downsides • Indentured to a provider • Require a third party for a critical aspect of your application Thursday, May 26, 2011
  • 12. Who To Use? Thursday, May 26, 2011
  • 13. Finding a Provider • Reliability • Support • Trust from users • Usage • Longevity Thursday, May 26, 2011
  • 14. Make A Choice • Pick the right service for your audience • Choose multiple services Thursday, May 26, 2011
  • 16. First Step • Getting to know the technologies • OpenID • OAuth Thursday, May 26, 2011
  • 17. OpenID • One login, multiple sites • Decentralized • URI-based. EX: jfaustin.myopenid.com • Service provided by anyone Thursday, May 26, 2011
  • 19. OpenID • Hasn’t really caught on • Thought of as “geek speak” • Service providers include • Google • Yahoo • Many more... Thursday, May 26, 2011
  • 20. OAuth • Open standard for access delegation • With authentication, provides ability for SSO • Valet key to the internet Thursday, May 26, 2011
  • 21. OAuth Players • Service Provider (Server)- Has the information you want • Consumer (Client) - Wants the information from the Service Provider • User (Resource Owner) - Can grant access to the Consumer to acquire information about your account from the Service Provider Thursday, May 26, 2011
  • 23. OAuth • Technology behind authentication from • Facebook • Yahoo! • Twitter Thursday, May 26, 2011
  • 24. Sign in with Twitter Thursday, May 26, 2011
  • 25. Get Started • Register your app with Twitter • https://dev.twitter.com/apps/new • Add some UI to your app • Choose an OAuth lib to help Thursday, May 26, 2011
  • 26. OAuth Libraries • oauth-php http://code.google.com/p/oauth-php/ • Zend_Oauth http://framework.zend.com/manual/en/ zend.oauth.introduction.html • OAuth PECL package http://pecl.php.net/package/oauth • CakePHP OAuth Package http://code.42dh.com/oauth/ Thursday, May 26, 2011
  • 27. Files Needed index.php auth.php callback.php * Need a OAuth library. We’re going to use ZF Thursday, May 26, 2011
  • 28. Logging In <?php // index.php if (isset($_SESSION['auth'])) { echo "Logged in"; echo "<br><br><pre>"; print_r($_SESSION['auth']); echo "</pre>"; echo "<a href='logout.php'>Logout</a>"; } else { echo "Not logged in"; echo "<br><br>"; echo "<a href='auth.php'>Sign in to twitter</a>"; } Thursday, May 26, 2011
  • 29. Authentication <?php // auth.php if (isset($_SESSION['auth'])) { echo "already logged in"; die(); } $options = array( 'consumerKey' => 'asdfgawe23aewvserg43tg', 'consumerSecret' => 'asdf34visnerfg9j0ae49gj09srjg9ae', 'callbackUrl' => 'http://pintlabs.com/demo/callback.php', 'siteUrl' => 'http://twitter.com/oauth' ); require_once 'Zend/Oauth/Consumer.php'; $consumer = new Zend_Oauth_Consumer($options); $token = $consumer->getRequestToken(); $_SESSION['requestToken'] = serialize($token); $consumer->redirect(); Thursday, May 26, 2011
  • 30. <?php Receive the Callback // callback.php if (!isset($_GET['oauth_token'])) { die("oauth_token not set"); } $response = array( 'oauth_token' => $_GET['oauth_token'], 'oauth_verifier' => $_GET['oauth_verifier'], ); // same options as auth.php $consumer = new Zend_Oauth_Consumer($options); $requestToken = unserialize($_SESSION['requestToken']); $accessToken = $consumer->getAccessToken($response, $requestToken); unset($_SESSION['requestToken']); parse_str($accessToken->getResponse()->getBody(), $params); $_SESSION['auth'] = $params; Thursday, May 26, 2011
  • 32. A Few Things To Remember... • What if the external key changes? • Changed OpenID URL • Changed Twitter ID • Multiple accounts from the same user Thursday, May 26, 2011
  • 33. Account Management • Have an internal application account id • Link external accounts to internal id • Allow management of external authentication sources by the user Thursday, May 26, 2011
  • 34. Have A Backup Plan • Downtime • Removal of service • Change in service Thursday, May 26, 2011
  • 35. Questions? Jason Austin - @jason_austin - jfaustin@gmail.com http://joind.in/3431 Code Available at http://github.com/jfaustin/tek11-twitter-auth Thursday, May 26, 2011