Embed Size (px)
DESCRIPTION
This talk is about Open Identity and using it to create an amazing user experience. Also it handles topics like secure API communication to protect your service and users from different kind of attacks like CSRF. The difference between Authentication and Authorization are being highlighted and OAuth, OpenID Connect etc. get explained.
Citation preview
OPEN IDENTITY … ge$ng to know your users
TIM MESSERSCHMIDT @SeraAndroid
& cool stuff you can do with it
Developer Evangelist PayPal
What does PayPal do at JSConf.eu?
Rebuild Developer Experience: developer.paypal.com
What is idenEty?
Do we always use the same idenHty?
Should we always use the same idenHty?
AuthenHcaHon vs. AuthorizaHon
Current standards
Basic AuthenHcaHon
OAuth 1.0
Request Request Token
Grant Request Token
Direct User to Service Obtain AuthorizaEon
Direct to Consumer Request Access Token
Grant Access Token
Access Resources
Consumer Service Provider
OAuth 1.0a
OAuth 2.0
Direct User to Service Obtain AuthorizaEon
Request Access Token
Greant Access Token
Direct to Consumer Access Resources / Profile
Consumer Service Provider
OAuth 2.0 and the Road to Hell hPp://hueniverse.com/2012/07/oauth-‐2-‐0-‐and-‐the-‐road-‐to-‐hell/
hPp://homakov.blogspot.de/2013/03/oauth1-‐oauth2-‐oauth.html
IdenEficaEon
Name
Date of Birth
Locale Time Zone
Address
Gender
Language
Phone Number
CreaHon Date
OpenID
BrowserID Persona
How to combine both?
OpenID with OAuth Hybrid Extension
OpenID Connect
IdenHty Providers Social vs. Concrete
ArEficial barriers
Yeah, nice.. but why?
People forget passwords… 45% admit to leaving a website instead of re-‐se$ng their password or answering security quesEons * * Blue Inc. 2011
Also they hate to register
Out of 657 surveyed users 66% think that social sign-‐in is a desirable alternaEve. * * Blue Inc. 2011
Where else should we use authenHcaHon?
JSONP Cross-‐domain Request (XDR)
CORS Cross-‐Origin Request Sharing
API communicaHon curl -‐v hPps://api.paypal.com/v1/payments/payment \ -‐H 'Content-‐Type:applicaEon/json' \ -‐H 'AuthorizaHon:Bearer MyAwesomeToken' \ -‐d '{
"intent":"sale", "payer":{
"payment_method":"paypal" },
"transacEons":[{ "amount":{ "total":"7.47", "currency":"USD"
}, }]
}‘
XMLH\pRequest Request: POST /cors HTTP/1.1 Origin: hPp://api.bob.com Host: api.bob.com Response: Access-‐Control-‐Allow-‐Origin: hPp://api.bob.com Access-‐Control-‐Allow-‐CredenEals: true Access-‐Control-‐Expose-‐Headers: FooBar Content-‐Type: text/html; charset=un-‐8 source: hPp://www.html5rocks.com/en/tutorials/cors/
Wrap up Difference between authen.ca.on and authoriza.on IdenHty does ma\er Token based authenHcaHon for API communicaHon
QuesHons? [email protected] @SeraAndroid slideshare.com/paypal
