MOBILE SSO
ARE WE THERE YET?
BRIAN CAMPBELL
@__b_c
Copyright © 2015 Brian Campbell. All rights reserved. 2
Formalities, Introductions, etc.
• I work @ Ping
• You might know me as ‘that guy’ with the camera
• Slides will be available
– at http://www.slideshare.net/briandavidcampbell
– & at https://twitter.com/__b_c
• 2 underscores +
• b +
• 1 underscore +
• c
Yeah, that guy
My ‘Safe Harbor’ Slide
• Disclaimers
– Views or opinions presented herein are solely my own and do not necessarily represent those of my employer
– Wholly unqualified to talk about mobile
– Primarily do server side development
– And not even very much of that anymore
• So, um… WTF?
– I know a few people involved with CIS
– And I do use a mobile phone…
Though not very well
But Sometimes…
An outsider’s perspective can help see where things just aren’t quite right
Premise: Single Sign-On just isn’t quite right on mobile
(as demonstrated by a semi-contrived little story about me and my phone)
I’m very busy and important
As you can see by my opulent travel budget.
So, while I am one of those luddites who still prefers a real computer for work, sometimes I have to use my phone…
Just trying to join a meeting while out on the road.
Please excuse any intermittent time travel. I had some technical difficulties with something called “focus” and had to reshoot a few images.
There’s my meeting!
(This happened on first use a long time ago)
• Behind the Scenes
– Web Single Sign-On
– OAuth 2.0 (ish)
Web Single Sign-On in one Slide
• Typically
– SAML 2.0
– OpenID Connect
• But also
– SAML 1.1/1.0
– OpenID 2.0
– WS-Federation
• And maybe
– Facebook Connect/Login
– Whatever Twitter does
– Various non-standard approaches
(Diagram: Web Single Sign-On (SSO) between an Identity Provider (IDP) and a Service Provider (SP).)
OAuth 2.0 in one slide
• client: An application obtaining authorization and making protected resource requests.
– Native app on mobile device
• resource server (RS): A server capable of accepting and responding to protected resource requests (typically APIs).
• authorization server (AS): A server capable of issuing tokens after successfully authenticating the resource owner and obtaining authorization.
A few other OAuth terms
• Access token (AT) – Presented by the client when accessing protected resources at the RS
• Refresh token (RT) – Allows clients to obtain a fresh access token without re-obtaining authorization
• Scope – A permission (or set of permissions) defined by the AS/RS
• Authorization endpoint – used by the client to obtain authorization from the resource owner via user-agent redirection
• Token endpoint – used for direct client-to-AS communication
• Authorization Code – One-time code issued by an AS to be exchanged for an AT.
(Diagram: Client, Resource Server, Authorization Server.)
Web SSO + OAuth = Mobile SSO
(Diagram: on the Device, the Native App launches the System Browser (1) to the Home Service’s Authorization Endpoint; the browser is redirected to the Enterprise or Social Identity Provider and back (2); the callback returns control to the Native App (3); the app talks directly to the Token Endpoint (4) and then calls the protected API (5).)
(1) Request Authorization
• When the user first needs to access some protected resource (not logged in), the app launches the system browser with an authorization request
• ‘IDP Discovery’ can be done in the native application
(Diagram: step 1, the Native App launches the System Browser to the Authorization Endpoint.)
https://as.example.com/as/authz.oauth2?client_id=org.example.myapp&response_type=code&scope=update_status&idp=pingidentity.com&code_challenge=7gEsCAcCLtCTbDl2fml2z
A quick note about Apple…
(1a) PKCE
https://as.example.com/as/authz.oauth2?client_id=org.example.myapp&response_type=code&scope=update_status&idp=pingidentity.com&code_challenge=7gEsCAcCLtCTbDl2fml2z
• Proof Key for Code Exchange by OAuth Public Clients (PKCE)
– Binds the code exchange to the authorization request
– (RFC in waiting) https://tools.ietf.org/html/draft-ietf-oauth-spop
(2) Authenticate and Approve
• Redirect to IDP for SSO & Service Provider is the SP
(Diagram: step 2, the System Browser is redirected from the Authorization Endpoint to the Enterprise or Social Identity Provider and back.)
• User approves the requested access
– (don’t skip this)
(3) Handle Callback
• Authorization server returns control to the app using HTTP redirection and includes an authorization code
– URI with a custom scheme registered to the app
• Reversed domain name as redirect_uri scheme
– Resistant to accidental collisions
– Proof of domain ownership provides better recourse against malicious collisions
(Diagram: step 3, the System Browser follows the redirect back to the Native App.)
HTTP/1.1 302 Found
Location: org.example.myapp://oauth.cb?code=n0esc3NRze7LTCu7iYzS6a5acc3f0ogp4
(4) Trade Code for Token(s)
(Diagram: step 4, the Native App talks directly to the Token Endpoint.)
token endpoint request
POST /as/token.oauth2 HTTP/1.1
Host: as.example.com
Content-Type: application/x-www-form-urlencoded;charset=UTF-8
client_id=org.example.myapp&
grant_type=authorization_code&
code=n0esc3NRze7LTCu7iYzS6a5acc3f0ogp4&
code_verifier=7gEsCAcCLtCTbDl2fml2z
(4a) PKCE Again
POST /as/token.oauth2 HTTP/1.1
Host: as.example.com
Content-Type: application/x-www-form-urlencoded;charset=UTF-8
client_id=org.example.myapp&
grant_type=authorization_code&
code=n0esc3NRze7LTCu7iYzS6a5acc3f0ogp4&
code_verifier=7gEsCAcCLtCTbDl2fml2z
token endpoint request
(4b) Trade Code for Token(s)
(Diagram: step 4, the Native App talks directly to the Token Endpoint.)
token endpoint request
POST /as/token.oauth2 HTTP/1.1
Host: as.example.com
Content-Type: application/x-www-form-urlencoded;charset=UTF-8
client_id=org.example.myapp&
grant_type=authorization_code&
code=n0esc3NRze7LTCu7iYzS6a5acc3f0ogp4&
code_verifier=7gEsCAcCLtCTbDl2fml2z
token endpoint response
HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
{
"token_type":"Bearer",
"expires_in":3600,
"access_token":"PeRTSD9RltacecQriuFfsxV41",
"refresh_token":"uyAVrtaccLZ2qPzI8rQ5ltckCdGJsz8XE58esc"
}
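The PKCE-bound code flow of steps (1), (3), (4) and (4a) as an added, runnable simulation; this is example code written for this page, not Ping’s or the slides’ own code. It plays both the native app and the authorization server in one process, using the slides’ hostnames and client id as constructed values; the draft cited in (1a) was later published as RFC 7636, and the S256 challenge method and the `redirect_uri`/`code_challenge_method` parameters come from that specification rather than from the slides, which show the plain method.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed values mirroring the slides; the hostnames and identifiers are illustrative.
AS_AUTHZ = "https://as.example.com/as/authz.oauth2"
CLIENT_ID = "org.example.myapp"
CALLBACK = "org.example.myapp://oauth.cb"  # reversed-domain custom scheme from step (3)

def b64url(raw: bytes) -> str:
    """Base64url without padding, the encoding PKCE uses for verifier and challenge."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def make_challenge(verifier: str, method: str) -> str:
    """'plain' echoes the verifier (what the slides show); S256 sends its SHA-256 instead."""
    if method == "plain":
        return verifier
    if method == "S256":
        return b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    raise ValueError("unsupported code_challenge_method")

class NativeApp:
    """Client side: step (1) request, step (3) callback parsing, step (4) token request."""

    def __init__(self, method: str = "S256"):
        self.method = method
        self.verifier = b64url(secrets.token_bytes(32))  # fresh 43-char verifier per request

    def authorization_url(self, scope: str = "update_status", idp: str = "pingidentity.com") -> str:
        params = {"client_id": CLIENT_ID, "response_type": "code", "scope": scope, "idp": idp,
                  "redirect_uri": CALLBACK, "code_challenge_method": self.method,
                  "code_challenge": make_challenge(self.verifier, self.method)}
        return AS_AUTHZ + "?" + urlencode(params)

    def parse_callback(self, location: str) -> str:
        """Accept only our registered custom-scheme URI and pull the one-time code out of it."""
        if not location.startswith(CALLBACK + "?"):
            raise ValueError("callback arrived on an unexpected URI")
        codes = parse_qs(urlsplit(location).query).get("code", [])
        if len(codes) != 1:
            raise ValueError("callback did not carry exactly one code")
        return codes[0]

    def token_request(self, code: str) -> dict:
        """Form body for the token endpoint; the verifier proves we made the step (1) request."""
        return {"client_id": CLIENT_ID, "grant_type": "authorization_code",
                "code": code, "code_verifier": self.verifier}

class AuthorizationServer:
    """AS side: stores the challenge with the code, then checks the verifier in step (4)."""

    def __init__(self):
        self.clients = {CLIENT_ID: CALLBACK}  # registered client -> registered redirect URI
        self.pending = {}  # code -> (client_id, code_challenge, method)

    def authorize(self, request_url: str) -> str:
        """Stands in for step (2): the user does web SSO and approves; returns the 302 Location."""
        q = {k: v[0] for k, v in parse_qs(urlsplit(request_url).query).items()}
        if q.get("response_type") != "code" or q.get("client_id") not in self.clients:
            raise ValueError("invalid authorization request")
        if q.get("redirect_uri") != self.clients[q["client_id"]]:
            raise ValueError("redirect_uri does not match the registered custom scheme")
        method = q.get("code_challenge_method", "plain")
        if "code_challenge" not in q or method not in ("plain", "S256"):
            raise ValueError("public client must send a usable PKCE challenge")
        code = b64url(secrets.token_bytes(24))
        self.pending[code] = (q["client_id"], q["code_challenge"], method)
        return q["redirect_uri"] + "?" + urlencode({"code": code})

    def token(self, form: dict) -> dict:
        """Token endpoint: the code is single-use and must arrive with the matching verifier."""
        entry = self.pending.pop(form.get("code", ""), None)
        if entry is None or form.get("grant_type") != "authorization_code":
            return {"error": "invalid_grant"}
        client_id, challenge, method = entry
        expected = make_challenge(form.get("code_verifier", ""), method)
        if form.get("client_id") != client_id or not hmac.compare_digest(
                expected.encode("utf-8"), challenge.encode("utf-8")):
            return {"error": "invalid_grant"}  # one generic error: no hint about which check failed
        return {"token_type": "Bearer", "expires_in": 3600,
                "access_token": b64url(secrets.token_bytes(18)),
                "refresh_token": b64url(secrets.token_bytes(27))}

def run_flow(method: str = "S256", wrong_verifier: bool = False, replay: bool = False) -> dict:
    """Drive steps (1)-(4) end to end; the flags show how the AS treats a code presented
    without the matching verifier, or presented a second time."""
    app, az = NativeApp(method), AuthorizationServer()
    code = app.parse_callback(az.authorize(app.authorization_url()))
    form = app.token_request(code)
    if wrong_verifier:
        form["code_verifier"] = b64url(secrets.token_bytes(32))
    first = az.token(form)
    return az.token(form) if replay else first
```

The same `invalid_grant` answer for a wrong verifier, a wrong client id and a replayed code is deliberate: the code alone, which is all that another app registered on the same custom scheme could ever see, is worth nothing without the verifier that never left the originating app.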
(5) Use Access Token
Authenticate/authorize calls to the protected APIs by including the AT in the HTTP Authorization header
(Diagram: step 5, the Native App calls the protected API with the access token.)
POST /api/update-status HTTP/1.1
Host: rs.example.org
Authorization: Bearer PeRTSD9RltacecQriuFfsxV41
Content-Type: application/json
{"status" : "almost done with this presentation"}
Rinse and Repeat
• If all goes well, HTTP/1.1 200 OK
• And if not, HTTP 401
• Use the refresh token to get a new access token
• And if that doesn’t work or you don’t have a refresh token, initiate the authorization request flow again
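The client-side handling behind steps (5) and “Rinse and Repeat” as an added example, not code from the slides: one API call with the bearer token, a single refresh on 401, and a hand-off back to the browser flow when the refresh token is missing or rejected. The `FakeBackend`, its token-rotation behaviour and the `call_protected` helper are constructed for this page; the token strings and the API URL are the slides’ sample values.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

RS_URL = "https://rs.example.org/api/update-status"  # the API called in step (5)

@dataclass(frozen=True)
class Tokens:
    access_token: str
    refresh_token: Optional[str] = None

class NeedsAuthorization(Exception):
    """The app has to launch the system browser and run the authorization request again."""

# The two collaborators the client needs; both are injected so the logic runs offline.
Http = Callable[[str, str, Dict[str, str], Optional[str]], Tuple[int, str]]
Refresh = Callable[[str], Optional[Tokens]]

def call_protected(http: Http, refresh: Refresh, tokens: Tokens, method: str, url: str,
                   body: Optional[str] = None) -> Tuple[int, str, Tokens]:
    """Call the API with the AT; on 401 refresh exactly once, otherwise hand back to the browser flow."""
    headers = {"Authorization": "Bearer " + tokens.access_token, "Content-Type": "application/json"}
    status, payload = http(method, url, headers, body)
    if status != 401:
        return status, payload, tokens
    if tokens.refresh_token is None:
        raise NeedsAuthorization("access token rejected and no refresh token on hand")
    fresh = refresh(tokens.refresh_token)
    if fresh is None:
        raise NeedsAuthorization("refresh token rejected; initiate the authorization request flow again")
    headers["Authorization"] = "Bearer " + fresh.access_token
    status, payload = http(method, url, headers, body)
    if status == 401:  # a brand-new AT was refused: do not loop, go back to the user
        raise NeedsAuthorization("freshly issued access token rejected")
    return status, payload, fresh

class FakeBackend:
    """Constructed stand-in for the RS and the AS token endpoint, seeded with the slides' tokens."""

    def __init__(self):
        self.live_access = {"PeRTSD9RltacecQriuFfsxV41"}
        self.live_refresh = {"uyAVrtaccLZ2qPzI8rQ5ltckCdGJsz8XE58esc"}
        self.issued = 0

    def expire_access_tokens(self):
        self.live_access.clear()  # expires_in ran out

    def revoke_refresh_tokens(self):
        self.live_refresh.clear()  # e.g. the user revoked the app's grant at the AS

    def http(self, method, url, headers, body):
        auth = headers.get("Authorization", "")
        token = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
        if url != RS_URL or token not in self.live_access:
            return 401, ""
        return 200, '{"ok":true}'

    def refresh(self, refresh_token):
        if refresh_token not in self.live_refresh:
            return None
        self.issued += 1
        new_at, new_rt = f"at-{self.issued}", f"rt-{self.issued}"
        self.live_refresh.discard(refresh_token)  # rotation: the presented RT is now spent
        self.live_refresh.add(new_rt)
        self.live_access.add(new_at)
        return Tokens(new_at, new_rt)

def scenario(expired: bool, revoked: bool, have_refresh: bool = True) -> str:
    """One API call against the fake backend; reports how the client ended up."""
    be = FakeBackend()
    tokens = Tokens("PeRTSD9RltacecQriuFfsxV41",
                    "uyAVrtaccLZ2qPzI8rQ5ltckCdGJsz8XE58esc" if have_refresh else None)
    if expired:
        be.expire_access_tokens()
    if revoked:
        be.revoke_refresh_tokens()
    try:
        _, _, used = call_protected(be.http, be.refresh, tokens, "POST", RS_URL,
                                    '{"status": "almost done with this presentation"}')
    except NeedsAuthorization:
        return "reauthorize"
    return "ok" if used is tokens else "ok-after-refresh"
```

The caller must persist the `Tokens` object that comes back, since a refresh may rotate the refresh token and the old one is then spent.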
Some Folks Like to …
(Diagram: the Mobile SSO flow from before, steps 1–5, with the System Browser on the Device.)
… Use a Web-View
(Diagram: the same flow, steps 1–5, but with a Web-View inside the Native App in place of the System Browser.)
but…
The Web-View Anti-Pattern
• Usability Issues
– No shared context (cookie)
– Requires sign-in once per app even when web SSO is possible
• Security Issues
– The web-view typically isn’t sandboxed from the invoking app, so credentials and authentication cookies can be stolen
– Requires/encourages users to enter credentials without the address bar and the associated visual cues of site authenticity (HTTPS)
• Missing Features
– Some web-views are unable to access client certificates
– Generally unable to use password managers, etc.
What about OpenID Connect?
• A simple[sic] single sign-on and identity layer on top of OAuth 2.0
• Adds an ID Token (JWT) for user authentication to the client
• And a bunch of other stuff
What about OpenID Connect?
• Great for the web SSO part
• Can be layered on the OAuth part
(Diagram: the same Mobile SSO flow, steps 1–5.)
What about NAPPS?
• Intended to be a profile of OpenID Connect to enable an SSO model for native applications installed on mobile devices
• A Token Agent as the shared context
NAAPS NAPPS is Great!
• It’s just not real (yet, anyway)
(Image callouts: “this one”, “um, no”, “eventually”)
Don’t Sleep on NAPPS?
• But not totally incompatible with the approach discussed herein
– (latest thinking, anyway)
And really, who couldn’t use more NAPPS?
Near Term Recommendations
• Use OAuth 2.0 + PKCE
– & maybe OpenID Connect
• Use Web SSO
• Prompt for user consent (every time)
• Use the System Browser
• Use a reversed Internet domain name in the custom scheme for the callback URI
Love witchcraft +27768521739 Binding love spell in Sandy Springs, GA |psychic...Love witchcraft +27768521739 Binding love spell in Sandy Springs, GA |psychic...
Love witchcraft +27768521739 Binding love spell in Sandy Springs, GA |psychic...
 
AI & Machine Learning Presentation Template
AI & Machine Learning Presentation TemplateAI & Machine Learning Presentation Template
AI & Machine Learning Presentation Template
 
WSO2CON 2024 - How to Run a Security Program
WSO2CON 2024 - How to Run a Security ProgramWSO2CON 2024 - How to Run a Security Program
WSO2CON 2024 - How to Run a Security Program
 
What Goes Wrong with Language Definitions and How to Improve the Situation
What Goes Wrong with Language Definitions and How to Improve the SituationWhat Goes Wrong with Language Definitions and How to Improve the Situation
What Goes Wrong with Language Definitions and How to Improve the Situation
 
%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisa%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisa
 
%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...
%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...
%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...
 
WSO2CON 2024 - WSO2's Digital Transformation Journey with Choreo: A Platforml...
WSO2CON 2024 - WSO2's Digital Transformation Journey with Choreo: A Platforml...WSO2CON 2024 - WSO2's Digital Transformation Journey with Choreo: A Platforml...
WSO2CON 2024 - WSO2's Digital Transformation Journey with Choreo: A Platforml...
 
WSO2CON 2024 - Navigating API Complexity: REST, GraphQL, gRPC, Websocket, Web...
WSO2CON 2024 - Navigating API Complexity: REST, GraphQL, gRPC, Websocket, Web...WSO2CON 2024 - Navigating API Complexity: REST, GraphQL, gRPC, Websocket, Web...
WSO2CON 2024 - Navigating API Complexity: REST, GraphQL, gRPC, Websocket, Web...
 
%in Benoni+277-882-255-28 abortion pills for sale in Benoni
%in Benoni+277-882-255-28 abortion pills for sale in Benoni%in Benoni+277-882-255-28 abortion pills for sale in Benoni
%in Benoni+277-882-255-28 abortion pills for sale in Benoni
 
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
 
WSO2CON 2024 - Freedom First—Unleashing Developer Potential with Open Source
WSO2CON 2024 - Freedom First—Unleashing Developer Potential with Open SourceWSO2CON 2024 - Freedom First—Unleashing Developer Potential with Open Source
WSO2CON 2024 - Freedom First—Unleashing Developer Potential with Open Source
 
WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...
WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...
WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...
 
Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024
Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024
Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024
 
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
 

Mobile SSO: are we there yet?

  • 1. MOBILE SSO ARE WE THERE YET? BRIAN CAMPBELL @__b_c
  • 2. Copyright © 2015 Brian Campbell. All rights reserved. 2 Formalities, Introductions, etc.
    • I work @ Ping
    • You might know me as ‘that guy’ with the camera
    • Slides will be available
      – at http://www.slideshare.net/briandavidcampbell
      – & at https://twitter.com/__b_c
        • 2 underscores + b + 1 underscore + c
  • 3. Yeah, that guy
  • 4. Formalities, Introductions, etc.
    • I work @ Ping
    • You might know me as ‘that guy’ with the camera
    • Slides will be available
      – at http://www.slideshare.net/briandavidcampbell
      – & at https://twitter.com/__b_c
        • 2 underscores + b + 1 underscore + c
  • 5. My ‘Safe Harbor’ Slide
    • Disclaimers
      – Views or opinions presented herein are solely my own and do not necessarily represent those of my employer
      – Wholly unqualified to talk about mobile
      – Primarily do server side development
      – And not even very much of that anymore
    • So, um… WTF?
      – I know a few people involved with CIS
      – And I do use a mobile phone…
  • 6. Though not very well
  • 7. But Sometimes… An outsider’s perspective can help see where things just aren’t quite right
  • 8. Premise: Single Sign-On just isn’t quite right on mobile (as demonstrated by a semi-contrived little story about me and my phone)
  • 9. I’m very busy and important. As you can see by my opulent travel budget.
  • 10. So, while I am one of those luddites who still prefers a real computer for work, sometimes I have to use my phone…
  • 11. Just trying to join a meeting while out on the road.
  • 26. Please excuse any intermittent time travel. I had some technical difficulties with something called “focus” and had to reshoot a few images.
  • 29. There’s my meeting!
  • 31. (This happened on first use a long time ago)
  • 47. Behind the Scenes
    – Web Single Sign-On
    – OAuth 2.0 (ish)
  • 48. Web Single Sign-On in one Slide
    • Typically
      – SAML 2.0
      – OpenID Connect
    • But also
      – SAML 1.1/1.0
      – OpenID 2.0
      – WS-Federation
    • And maybe
      – Facebook Connect/Login
      – Whatever Twitter does
      – Various non-standard approaches
    [diagram: Identity Provider (IDP) – Web Single Sign-On (SSO) – Service Provider (SP)]
  • 49. OAuth 2.0 in one slide
    • client: An application obtaining authorization and making protected resource requests.
      – Native app on mobile device
    • resource server (RS): A server capable of accepting and responding to protected resource requests (typically APIs).
    • authorization server (AS): A server capable of issuing tokens after successfully authenticating the resource owner and obtaining authorization.
    A few other OAuth terms
    • Access token (AT) – Presented by the client when accessing protected resources at the RS
    • Refresh token (RT) – Allows clients to obtain a fresh access token without re-obtaining authorization
    • Scope – A permission (or set of permissions) defined by the AS/RS
    • Authorization endpoint – used by the client to obtain authorization from the resource owner via user-agent redirection
    • Token endpoint – used for direct client to AS communication
    • Authorization Code – One-time code issued by an AS to be exchanged for an AT.
    [diagram: Client – Resource Server – Authorization Server]
  • 50. Web SSO + OAuth = Mobile SSO
    [diagram: Device (Native App, System Browser) – Home Service (Authorization Endpoint, Token Endpoint) – Enterprise or Social Identity Provider, steps 1–5]
  • 51. (1) Request Authorization
    • When the user first needs to access some protected resource (not logged in), the app launches the system browser with an authorization request
    • ‘IDP Discovery’ can be done in the native application
      https://as.example.com/as/authz.oauth2?client_id=org.example.myapp&response_type=code&scope=update_status&idp=pingidentity.com&code_challenge=7gEsCAcCLtCTbDl2fml2z
    [diagram: Mobile SSO components, step 1 highlighted]
    A quick note about Apple…
  • 52. (1a) PKCE
      https://as.example.com/as/authz.oauth2?client_id=org.example.myapp&response_type=code&scope=update_status&idp=pingidentity.com&code_challenge=7gEsCAcCLtCTbDl2fml2z
    • Proof Key for Code Exchange by OAuth Public Clients (PKCE)
      – Binds the code exchange to the authorization request
      – (RFC in waiting) https://tools.ietf.org/html/draft-ietf-oauth-spop
  • 53. (2) Authenticate and Approve
    • Redirect to IDP for SSO & Service Provider is the SP
    • User approves the requested access
      – (don’t skip this)
    [diagram: Mobile SSO components, step 2 highlighted]
  • 54. (3) Handle Callback
    • Authorization server returns control to the app using HTTP redirection and includes an authorization code
      – URI with a custom scheme registered to the app
    • Reversed domain name as redirect_uri scheme
      – Resistant to accidental collisions
      – Proof of domain ownership provides better recourse against malicious collisions
      HTTP/1.1 302 Found
      Location: org.example.myapp://oauth.cb?code=n0esc3NRze7LTCu7iYzS6a5acc3f0ogp4
    [diagram: Mobile SSO components, step 3 highlighted]
  • 55. (4) Trade Code for Token(s)
    token endpoint request:
      POST /as/token.oauth2 HTTP/1.1
      Host: as.example.com
      Content-Type: application/x-www-form-urlencoded;charset=UTF-8

      client_id=org.example.myapp&
      grant_type=authorization_code&
      code=n0esc3NRze7LTCu7iYzS6a5acc3f0ogp4&
      code_verifier=7gEsCAcCLtCTbDl2fml2z
    [diagram: Mobile SSO components, step 4 highlighted]
  • 56. (4a) PKCE Again
    The same token endpoint request as on slide 55, with the PKCE code_verifier in focus:
      code_verifier=7gEsCAcCLtCTbDl2fml2z
  • 57. (4b) Trade Code for Token(s)
    token endpoint request: as on slide 55
    token endpoint response:
      HTTP/1.1 200 OK
      Content-Type: application/json;charset=UTF-8
      Cache-Control: no-store

      {
        "token_type":"Bearer",
        "expires_in":3600,
        "access_token":"PeRTSD9RltacecQriuFfsxV41",
        "refresh_token":"uyAVrtaccLZ2qPzI8rQ5ltckCdGJsz8XE58esc"
      }
    [diagram: Mobile SSO components, step 4 highlighted]
  • 58. (5) Use Access Token
    • Authenticate/authorize calls to the protected APIs by including the AT in the HTTP Authorization header
      POST /api/update-status HTTP/1.1
      Host: rs.example.org
      Authorization: Bearer PeRTSD9RltacecQriuFfsxV41
      Content-Type: application/json

      {"status" : "almost done with this presentation"}
    [diagram: Mobile SSO components, step 5 highlighted]
  • 59. Rinse and Repeat
    • If all goes well: HTTP/1.1 200 OK
    • And if not: HTTP 401
    • Use the refresh token to get a new access token
    • And if that doesn’t work or you don’t have a refresh token, initiate the authorization request flow again
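The five steps above, as an added example that is not code from the slides: the native-app side generates the PKCE verifier, builds the authorization request with the deck's client_id and reversed-domain callback scheme, and checks the callback; a constructed in-memory stand-in for the authorization server binds each one-time code to its challenge and refuses a wrong verifier, a replayed code, or a different client_id. It uses the S256 challenge method from RFC 7636 (the spop draft the slides cite) rather than the plain method the slide URL shows; the AuthorizationServer class and its behaviour are assumptions for the demo, not any product's API.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Identifiers taken from the slides; everything else here is constructed for the demo.
AS_AUTHZ = "https://as.example.com/as/authz.oauth2"
CLIENT_ID = "org.example.myapp"
REDIRECT_URI = "org.example.myapp://oauth.cb"   # reversed-domain custom scheme


def b64url(raw: bytes) -> str:
    """Base64url without padding, as RFC 7636 specifies."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_verifier() -> str:
    """32 random bytes encode to a 43-character verifier, the RFC 7636 minimum."""
    return b64url(secrets.token_bytes(32))


def s256_challenge(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authz_request(verifier: str, scope="update_status", idp="pingidentity.com") -> str:
    """Step 1: the URL the app hands to the system browser. Uses S256 rather than
    the slides' plain method, where the challenge simply equals the verifier."""
    params = {"client_id": CLIENT_ID, "response_type": "code", "scope": scope,
              "idp": idp, "redirect_uri": REDIRECT_URI,
              "code_challenge": s256_challenge(verifier), "code_challenge_method": "S256"}
    return AS_AUTHZ + "?" + urlencode(params)


def parse_callback(location: str) -> str:
    """Step 3: the app receives the 302 Location; accept only its registered scheme."""
    u = urlsplit(location)
    if u.scheme != CLIENT_ID or u.netloc != "oauth.cb":
        raise ValueError("callback is not on the registered custom scheme")
    return parse_qs(u.query)["code"][0]


class AuthorizationServer:
    """Constructed in-memory stand-in for as.example.com: binds each one-time code
    to the challenge it was issued against and checks the verifier at the token endpoint."""

    def __init__(self):
        self._codes = {}

    def issue_code(self, authz_url: str) -> str:
        """Steps 2-3: after login and consent, produce the callback Location."""
        q = parse_qs(urlsplit(authz_url).query)
        code = b64url(secrets.token_bytes(24))
        self._codes[code] = (q["client_id"][0], q["code_challenge"][0])
        return f"{REDIRECT_URI}?code={code}"

    def token(self, form: dict):
        """Step 4: token endpoint; returns the token response, or None on any failure."""
        entry = self._codes.pop(form.get("code"), None)   # codes are single use
        if entry is None or entry[0] != form.get("client_id"):
            return None
        if not hmac.compare_digest(entry[1], s256_challenge(form.get("code_verifier", ""))):
            return None                                     # PKCE proof failed
        return {"token_type": "Bearer", "expires_in": 3600,
                "access_token": b64url(secrets.token_bytes(18)),
                "refresh_token": b64url(secrets.token_bytes(24))}
```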
  • 60. Some Folks Like to …
    [diagram: Mobile SSO components with the system browser, steps 1–5]
  • 61. … Use a Web-View
    [diagram: the same flow with a Web-View inside the native app in place of the system browser] but…
  • 62. The Web-View Anti-Pattern
    • Usability Issues
      – No shared context (cookie)
      – Requires sign-in once per app even when web SSO is possible
    • Security Issues
      – Web-view typically isn’t sandboxed from the invoking app, so credentials and authentication cookies can be stolen
      – Requires/encourages users to enter credentials without the address bar and associated visual cues of site authenticity (HTTPS)
    • Missing Features
      – Some web-views are unable to access client certificates
      – Generally unable to use password managers, etc.
  • 63. What about OpenID Connect?
    • A simple[sic] single sign-on and identity layer on top of OAuth 2.0
    • Adds an ID Token (JWT) for user authentication to the client
    • And a bunch of other stuff
  • 64. What about OpenID Connect?
    • Great for the web SSO part
    • Can be layered on the OAuth part
    [diagram: Mobile SSO components, steps 1–5]
  • 65. What about NAPPS?
    • Intended to be a profile of OpenID Connect to enable an SSO model for native applications installed on mobile devices
    • A Token Agent as the shared context
  • 66. NAPPS is Great!
    • It’s just not real (yet, anyway)
    [slide callouts: “NAAPS” – “this one um, no”; “eventually”]
  • 67. Don’t Sleep on NAPPS?
    • But not totally incompatible with the approach discussed herein
      – (latest thinking, anyway)
  • 68. And really, who couldn’t use more NAPPS?
  • 69. Near Term Recommendations
    • Use OAuth 2.0 + PKCE
      – & maybe OpenID Connect
    • Use Web SSO
    • Prompt for user consent (every time)
    • Use the System Browser
    • Use a reversed Internet domain name in the custom scheme for the callback URI
  • 70. MOBILE SSO ARE WE THERE YET? BRIAN CAMPBELL @__b_c