A Common API & UI for Building Next Generation Identity Services

Post on 11-May-2015

DESCRIPTION

Presented by Jamie Nelson, VP of Engineering, ForgeRock and Jonathan Scudder, OpenAM Architect and ForgeRock Co-Founder at ForgeRock Open Identity Summit, June 2013

Transcript

Open Identity Summit

The Young and the RESTless

Jonathan Scudder, Jamie Nelson

Stack Architecture

Resource Oriented

RESTful

API

API: How we share data and functionality with developers and businesses

APIs have been around ‘forever’

Usage and significance has changed dramatically over recent years

Shift towards external developers and users

API vs SOA

Killer Argument

Why are we aligning our APIs?

Is REST a good enough argument by itself?

Don’t our current APIs do enough?

#1 Real Stack

#2 Boundary Blur

~ 70% of enterprises building private cloud

~ 40% of enterprises building public and hybrid cloud.

(Survey by IDC, September 2012)

Mobile Social Cloud Enterprise

#3 Integration Power

Create

Read

Update

Delete

Patch

Action

Query

Granular control, simple interface

Standard set of operations (CRUDPAQ), different inputs & outputs

Primarily JSON representation

Attractive non-functional tools and techniques with HTTP

ROA + REST + JSON

CREST example

/json/subrealm/users/?_action=create

$ curl --request POST \
  --header "iplanetDirectoryPro: AQIC5w..." \
  --header "Content-Type: application/json" \
  --data '{
    "name": "bjensen",
    "userpassword": "secret12",
    "mail": "bjensen@example.com"
  }' \
  https://openam.example.com:8443/openam/json/users/?_action=create

CREST response

{
  "name": "bjensen",
  "realm": "/",
  "uid": [
    "bjensen"
  ],
  "mail": [
    "bjensen@example.com"
  ],
  "userpassword": [
    "{SSHA}0pXpKLPRKCGY7g3YqZygJmKMW6IC2BLJimmlwg=="
  ],
  "dn": [
    "uid=bjensen,ou=people,dc=openam,dc=forgerock,dc=org"
  ],
  ...

API strategy - local

API strategy - stack

Problem

Too many different complicated UI Frameworks

Roots from Sun

Big company UI strategy churn

Developers learning new frameworks

Customers are locked in

Simple modifications overly complex

Leads to heavyweight API just for the UI

Complex Frameworks

Years to learn

Takes an expert to make changes

No consistency between API, CLI, over the wire

Complexity requires an abstraction layer

Isolates the UI from Command Line and other APIs

Scripting is impossible

ForgeRock User Interfaces

YUI/Click

Jato

JSF/Ice Faces

JSP Admin

Java Swing

Open Identity Stack UI Model

Single UI model for all products

Built on ForgeRock REST (CREST)

Common UIs for:

User management

Registration and Self Service

Login and Password Reset

Build on shared services for Authentication

ForgeRock UI Model

jQuery (Needs a little help)

Backbone.js + Require.js (Modular)

Handlebars.js (Templating)

Underscore.js (Utility library)

Less.js (CSS preprocessor)

Built on ForgeRock REST and Common Services

Caters to the web developers of today

Two different models for ForgeRock UIs

Admin and Configuration

Used primarily by Administrators

UI not typically customized

Configuration for product services

Dynamically rendered based on server JSON schema

REST APIs for custom applications

New services are rendered dynamically when added

Customers not expected to modify more than CSS

End User

Primarily seen by end users

Simple HTML Templates

Read in by JavaScript and embedded in the UI

Rendered with site wide styles/CSS

Simple syntax for embedding dynamic values

Separates business logic from display

Simple to modify without breaking the UI

Easy to patch and upgrade

POST: http://www.idp.com:8888/openam/json/auth/1/authenticate

QueryString Params:
username: tom
password: 11111111

Response:
{ "tokenId": "AQIC5wM2LY4Sfcx8hWM5VlE62DUQxqCcIr2TG …" }

Authentication

POST: http://www.idp.com:8888/openam/json/user/?_action=create

{ "userName":"tom","email":"tom.petty@forgerock.com","givenName":"Tom","familyName":"Petty","securityQuestion":"1","securityAnswer":"damn the torpedoes",…}

Response:
{ "dn":["uid=tom,ou=people,dc=openam,dc=forgerock,dc=org"]…}

Registration/Create

POST: http://www.idp.com:8888/openam/json/users/?_action=idFromSession

Header: "tokenId":"AQIC5wM2LY4Sfcx8hWM5VlE62DUQxqCcI …"

Response:
{"id":"tom", "realm":"/", "dn":"id=tom,ou=user,dc=openam,dc=forgerock,dc=org"}

Get UserID from Session

GET: http://www.idp.com:8888/openam/json/users/tom

Header: "tokenId":"AQIC5wM2LY4Sfcx8hWM5VlE62DUQxqCcI …"

Response:
{ "name":"tom", "realm":"/", "uid":["tom"], "mail":["tom.petty@forgerock.com"], "sn":["Petty"], "givenname":["Tom"] }

Get User Profile
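
The end-user flow on the preceding slides (authenticate, resolve the user ID from the session, read the profile) chained into one client, as an added example that is not from the original presentation. `fake_transport` and its token value are constructed stand-ins for the server, and sending the token in the `iplanetDirectoryPro` header on every call is an assumption taken from the earlier curl slide.

```python
from urllib.parse import urlencode, quote, urlsplit, parse_qs

BASE = "http://www.idp.com:8888/openam/json"  # base URL shown on the slides
TOKEN_HEADER = "iplanetDirectoryPro"          # from the curl slide; assumed for all calls
TOKEN = "AQIC5w-constructed-token"            # constructed sample value, not a real token

def fake_transport(method, url, headers):
    """Constructed stand-in for the server; replays the slides' sample responses."""
    if url.startswith(BASE + "/auth/1/authenticate"):
        q = parse_qs(urlsplit(url).query)
        if q.get("username") == ["tom"] and q.get("password") == ["11111111"]:
            return {"tokenId": TOKEN}
        raise PermissionError("bad credentials")
    # Every other endpoint requires the session token in the header.
    if headers.get(TOKEN_HEADER) != TOKEN:
        raise PermissionError("missing or invalid session token")
    if method == "POST" and url == BASE + "/users/?_action=idFromSession":
        return {"id": "tom", "realm": "/",
                "dn": "id=tom,ou=user,dc=openam,dc=forgerock,dc=org"}
    if method == "GET" and url == BASE + "/users/tom":
        return {"name": "tom", "realm": "/", "uid": ["tom"],
                "mail": ["tom.petty@forgerock.com"],
                "sn": ["Petty"], "givenname": ["Tom"]}
    raise LookupError(url)

def end_user_flow(username, password, send=fake_transport):
    """Run the three calls in order and return (user id, profile)."""
    # 1. Authenticate. The slide passes credentials as query-string
    #    parameters; query strings commonly end up in access logs.
    creds = urlencode({"username": username, "password": password})
    token = send("POST", BASE + "/auth/1/authenticate?" + creds, {})["tokenId"]
    session = {TOKEN_HEADER: token}
    # 2. Ask the server which user this session belongs to.
    who = send("POST", BASE + "/users/?_action=idFromSession", session)
    # 3. Read that user's profile; percent-encode the id so it cannot
    #    alter the request path.
    profile = send("GET", BASE + "/users/" + quote(who["id"], safe=""), session)
    return who["id"], profile

if __name__ == "__main__":
    print(end_user_flow("tom", "11111111"))
```
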

Extending End User Pages

<div class="column1">
  <div class="field">
    <label class="light">{{t "common.user.postalCode"}}</label>
    <input type="text" name="postalCode" />
    <div class="validation-message"></div>
  </div>
</div>

<div class="column2">
  <div class="field">
    <label class="light">{{t "common.user.city"}}</label>
    <input type="text" name="city" />
    <div class="validation-message"></div>
  </div>
</div>

Extending End User Pages

Single Shared Model

ForgeRock Services

ForgeRock REST

ForgeRock UI

Application Scripting

Q & A
