CIS13: Identity Tech Overview: Less Pain, More Gain
•
0 j'aime•909 vues
Tim Bray, Developer Advocate, Google Identity is tricky, and the penalties for getting it wrong are severe. Good news: technologies are surfacing that reduce developer pain while improving user experience. This talk highlights those technologies and introduces a framework, starting from your unique combination of constraints, users and platforms, to help you figure out which technologies and policies will work for you.
Recommandé
Contenu connexe
En vedette
En vedette (19)
Similaire à CIS13: Identity Tech Overview: Less Pain, More Gain
Similaire à CIS13: Identity Tech Overview: Less Pain, More Gain (20)
Plus de CloudIDSummit
Plus de CloudIDSummit (20)
Dernier
Dernier (20)
CIS13: Identity Tech Overview: Less Pain, More Gain
- 3. 13 Thursday, July 18, 13
- 4. 13 Scalable Internet Kindness Tim Bray (tbray.org, google.com/+TimBray, @timbray) Developer Advocate Thursday, July 18, 13
- 5. 4 Demo: Tumblr Thursday, July 18, 13
- 6. 5 • The password must be at least 8 characters long. • The password must contain at least: ◦ one alpha character [a-zA-Z]; ◦ one numeric character [0-9]; ◦ one special character from this set: ` ! @ $ % ^ & * ( ) - _ = + [ ] ; : ' " , < . > / ? • The password must not: ◦ contain spaces; ◦ begin with an exclamation [!] or a question mark [?]; ◦ contain your login ID. ◦ Contain your registered email address • The password cannot contain repeating character strings of 3 or more identical characters. E.g. “1111” or “aaa” • The sequence of the first 3 characters cannot be in your login ID. • The first 8 characters cannot be the same as in your previous password. • Passwords are treated as case sensitive. From the top Google match for “password rules” Thursday, July 18, 13
- 7. 6 Thursday, July 18, 13
- 8. 7 Thursday, July 18, 13
- 9. 8 Demo: AccountChooser Thursday, July 18, 13
- 10. 9 Thursday, July 18, 13
- 11. 9 Thursday, July 18, 13
- 12. 10 Thursday, July 18, 13
- 13. 11 Brian Campbell’s slides from GlueCon, major deep-dive: http://goo.gl/Sj1UF Thursday, July 18, 13
- 14. 12 Thursday, July 18, 13
- 15. 13 “ya29.AHES6ZQjFP7Ih-1pKyG9vdUo F28p4peeieppieob5CPHAwq3FLnm” An Access Token Thursday, July 18, 13
- 16. 14 GET /v1/people/me HTTP/1.1 ... Host: www.googleapis.com Authorization: Bearer ya29.AHES6ZQjFP7Ih-1pKyG9vdUoF2... How to use an Access Token Thursday, July 18, 13
- 17. 15 634> curl https://www.googleapis.com/oauth2/v1/tokeninfo?access_token=ya29.AHES6Z... { "issued_to": "407408718192.apps.googleusercontent.com", "audience": "407408718192.apps.googleusercontent.com", "user_id": "107760670355981561507946", "scope": "https://www.googleapis.com/auth/plus.me", "expires_in": 3370, "access_type": "offline" } How to peek into an Access Token Thursday, July 18, 13
- 18. An Access Token 16 • Is opaque, • short-lived, and • signifies the right for a particular Google Account to access a particular scope. • It is unencrypted, therefore • it must be transmitted over TLS (https). Thursday, July 18, 13
- 19. 17 Thursday, July 18, 13
- 21. 19 POST /o/oauth2/token HTTP/1.1 Host: accounts.google.com Content-Type: application/x-www-form-urlencoded ... refresh_token=1/z48pvqwy8wucZp2...& client_id=424861364121.apps.googleusercontent.com& client_secret=****& grant_type=refresh_token How to use a Refresh Token Thursday, July 18, 13
- 22. A Refresh Token 20 • Is opaque, • doesn’t expire until revoked, and • signifies the right for a particular Google Account to access a particular scope. • It includes a shared secret, and • it is unencrypted, therefore • it must be transmitted over TLS (https). Thursday, July 18, 13
- 28. 25 rubygems.org/gems/google-id-token Installation gem install google-id-token Examples validator = GoogleIDToken::Validator.new jwt = validator.check(token, required_audience, required_client_id) if jwt email = jwt['email'] else report "Cannot validate: #{validator.problem}" end Thursday, July 18, 13
- 29. 26 { "iss":"accounts.google.com", "sub":"107606703558161507946", "azp":"407408718192.apps.googleusercontent.com", "token_hash":"W9aTKDVaz3UJvHGu53-byw", "at_hash":"W9aTKDVaz3UJvHGu53-byw", "aud":"407408718192.apps.googleusercontent.com", "iat":1367531886, "exp":1367535786 } Inside an ID Token payload .eyJpc3MiOiJhY2NvdW50cy5nb29nbGUuY29... base64 payload Thursday, July 18, 13
- 30. An ID Token 27 • Is cryptographically signed by an issuer (“iss”), • asserts that the user (“sub”) is authenticated by that issuer, • is meant for a particular recipient (“aud”), and • may have been issued to a particular authorized party (“azp”). • It is unencrypted, therefore • it must be transmitted over TLS (https). • They are incredibly useful! (see tbray.org/ongoing/When/201x/2013/04/04/ID-Tokens) Thursday, July 18, 13
- 31. 28 Thursday, July 18, 13
- 32. 28 Thursday, July 18, 13
- 33. 28 Thursday, July 18, 13
- 34. 29 (Authz/authn demo) Thursday, July 18, 13
- 35. 30 <body> <div id="gConnect"> <button class="g-signin" data-scope="https://www.googleapis.com/auth/plus.login" data-requestvisibleactions="http://schemas.google.com/AddActivity" data-clientId="{{ CLIENT_ID }}" data-accesstype="offline" data-callback="onSignInCallback" data-theme="dark" data-cookiepolicy="single_host_origin"> </button> Thursday, July 18, 13
- 36. 31 get '/people' do # Check for stored credentials in the current user's session. if !session[:token] halt 401, 'User not connected.' end # Authorize the client and construct a Google+ service. $client.authorization.update_token!(session[:token].to_hash) plus = $client.discovered_api('plus', 'v1') # Get the list of people as JSON and return it. response = $client.execute!(plus.people.list, :collection => 'visible', :userId => 'me').body content_type :json response end Thursday, July 18, 13
- 39. Developer API console 33 Your “Project” Web Client ID Android app 1 Client ID JavaScript app Client ID Android app 2 Client ID Thursday, July 18, 13
- 40. Developer API console 33 Your “Project” Web Client ID Android app 1 Client ID JavaScript app Client ID Android app 2 Client ID Auth one, auth ‘em all Thursday, July 18, 13
- 41. Developer API console 33 Your “Project” Web Client ID Android app 1 Client ID JavaScript app Client ID Android app 2 Client ID Auth one, auth ‘em all Thursday, July 18, 13
- 43. 35 Shared sign-in with ID Tokens Shared Access-Token grant Mobile app gets offline Web-app access Cross-client Identity Thursday, July 18, 13
- 44. 35 Shared sign-in with ID Tokens Shared Access-Token grant Mobile app gets offline Web-app access Cross-client Identity Thursday, July 18, 13
- 45. 35 Shared sign-in with ID Tokens Shared Access-Token grant Mobile app gets offline Web-app access Cross-client Identity Thursday, July 18, 13
- 46. 35 Shared sign-in with ID Tokens Shared Access-Token grant Mobile app gets offline Web-app access Cross-client Identity Thursday, July 18, 13
- 47. 36 Your client app Thursday, July 18, 13
- 48. 36 Your client app Your server back-end Thursday, July 18, 13
- 49. 36 Your client app Your server back-end HTTPS Thursday, July 18, 13
- 50. 36 Your client app Your server back-end HTTPS “Who am I talking to?” Thursday, July 18, 13
- 52. 38 Cookbook “Platforms” page • Android app on a compatible device with Google Play services. • A native compiled app on a personal computer or mobile device. • Android app without Google Play services (for example, a Kindle). This is effictively equivalent to the Native-app scenario. • iOS app. • Browser-based Web app. • Hybrid mobile/web, where components need to share identity. • Chrome app/extension. • Server-side app. • Low-capability device (keyboard-challenged). 14 Thursday, July 18, 13
- 53. Thursday, July 18, 13