Developers Thursday, July 18, 13
CIS13: Identity Tech Overview: Less Pain, More Gain
Jan 15, 2015
Tim Bray, Developer Advocate, Google
Identity is tricky, and the penalties for getting it wrong are severe. Good news: technologies are surfacing that reduce developer pain while improving user experience. This talk highlights those technologies and introduces a framework, starting from your unique combination of constraints, users and platforms, to help you figure out which technologies and policies will work for you.
Identity is tricky, and the penalties for getting it wrong are severe. Good news: technologies are surfacing that reduce developer pain while improving user experience. This talk highlights those technologies and introduces a framework, starting from your unique combination of constraints, users and platforms, to help you figure out which technologies and policies will work for you.
Welcome message from author
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
Developers
Thursday, July 18, 13
Developers
Thursday, July 18, 13
13
Thursday, July 18, 13
13
Scalable Internet Kindness
Tim Bray (tbray.org, google.com/+TimBray, @timbray)Developer Advocate
Thursday, July 18, 13
4
Demo: Tumblr
Thursday, July 18, 13
5
• The password must be at least 8 characters long.• The password must contain at least:◦ one alpha character [a-zA-Z];◦ one numeric character [0-9];◦ one special character from this set:
` ! @ $ % ^ & * ( ) - _ = + [ ] ; : ' " , < . > / ?• The password must not:◦ contain spaces;◦ begin with an exclamation [!] or a question mark [?];◦ contain your login ID.◦ Contain your registered email address
• The password cannot contain repeating character strings of 3 or more identical characters. E.g. “1111” or “aaa”
• The sequence of the first 3 characters cannot be in your login ID.• The first 8 characters cannot be the same as in your previous password.• Passwords are treated as case sensitive.
From the top Google match for “password rules”
Thursday, July 18, 13
6
Thursday, July 18, 13
7
Thursday, July 18, 13
8
Demo: AccountChooser
Thursday, July 18, 13
9
Thursday, July 18, 13
9
Thursday, July 18, 13
10
Thursday, July 18, 13
11
Brian Campbell’s slides from GlueCon, major deep-dive:
http://goo.gl/Sj1UF
Thursday, July 18, 13
12
Thursday, July 18, 13
13
“ya29.AHES6ZQjFP7Ih-1pKyG9vdUo F28p4peeieppieob5CPHAwq3FLnm”
An Access Token
Thursday, July 18, 13
14
GET /v1/people/me HTTP/1.1...Host: www.googleapis.comAuthorization: Bearer ya29.AHES6ZQjFP7Ih-1pKyG9vdUoF2...
How to use an Access Token
Thursday, July 18, 13
15
634> curl \ https://www.googleapis.com/oauth2/v1/tokeninfo?access_token=ya29.AHES6Z...{ "issued_to": "407408718192.apps.googleusercontent.com", "audience": "407408718192.apps.googleusercontent.com", "user_id": "107760670355981561507946", "scope": "https://www.googleapis.com/auth/plus.me", "expires_in": 3370, "access_type": "offline"}
How to peek into an Access Token
Thursday, July 18, 13
An Access Token
16
• Is opaque,
• short-lived, and
• signifies the right for a particular Google Account to access a particular scope.
• It is unencrypted, therefore
• it must be transmitted over TLS (https).
Thursday, July 18, 13
17
Thursday, July 18, 13
18
“1/z48pvqwy8wucZp2zqQxgC 2B3gZNoPRRq_mgrgdJcmi4”
A Refresh Token
Thursday, July 18, 13
19
POST /o/oauth2/token HTTP/1.1Host: accounts.google.comContent-Type: application/x-www-form-urlencoded...refresh_token=1/z48pvqwy8wucZp2...&client_id=424861364121.apps.googleusercontent.com&client_secret=****&grant_type=refresh_token
How to use a Refresh Token
Thursday, July 18, 13
A Refresh Token
20
• Is opaque,
• doesn’t expire until revoked, and
• signifies the right for a particular Google Account to access a particular scope.
• It includes a shared secret, and
• it is unencrypted, therefore
• it must be transmitted over TLS (https).
Thursday, July 18, 13
21
eyJhbGciOiJSUzI1NiIsImtpZCI6ImFkMmE1MGNiNzBjNWRhNzg5ZWUyNmQwNWI4ZjYyMWE5OWU4MTIwMmUifQ.eyJpc3MiOiJhY2NvdW50cy5nb29nbGUuY29tIiwiaWQiOiIxMDc2MDY3MDM1NTgxNjE1MDc5NDYiLCJzdWIiOiIxMDc2MDY3MDM1NTgxNjE1MDc5NDYiLCJjaWQiOiI0MDc0MDg3MTgxOTIuYXBwcy5nb29nbGV1c2VyY29udGVudC5jb20iLCJhenAiOiI0MDc0MDg3MTgxOTIuYXBwcy5nb29nbGV1c2VyY29udGVudC5jb20iLCJ0b2tlbl9oYXNoIjoiVzlhVEtEVmF6M1VKdkhHdTUzLWJ5dyIsImF0X2hhc2giOiJXOWFUS0RWYXozVUp2SEd1NTMtYnl3IiwiYXVkIjoiNDA3NDA4NzE4MTkyLmFwcHMuZ29vZ2xldXNlcmNvbnRlbnQuY29tIiwiaWF0IjoxMzY3NTMxODg2LCJleHAiOjEzNjc1MzU3ODZ9.vtELejHfCClmqR9QTmk-ZATjEQaE37jiizY8cWUwBJ8hpXtTkjD9kRs91vncm8BmF_ztT7I3Q64AqYN8kJCyi82icligeO6vJ_bO-LgSkJSv657m1agdLPhkB6zqGKkH8qT40xwdYTXOXB0EkNZiGQhYg_TJNDasTn9KKxba-DE
An ID TokenThursday, July 18, 13
21
eyJhbGciOiJSUzI1NiIsImtpZCI6ImFkMmE1MGNiNzBjNWRhNzg5ZWUyNmQwNWI4ZjYyMWE5OWU4MTIwMmUifQ.eyJpc3MiOiJhY2NvdW50cy5nb29nbGUuY29tIiwiaWQiOiIxMDc2MDY3MDM1NTgxNjE1MDc5NDYiLCJzdWIiOiIxMDc2MDY3MDM1NTgxNjE1MDc5NDYiLCJjaWQiOiI0MDc0MDg3MTgxOTIuYXBwcy5nb29nbGV1c2VyY29udGVudC5jb20iLCJhenAiOiI0MDc0MDg3MTgxOTIuYXBwcy5nb29nbGV1c2VyY29udGVudC5jb20iLCJ0b2tlbl9oYXNoIjoiVzlhVEtEVmF6M1VKdkhHdTUzLWJ5dyIsImF0X2hhc2giOiJXOWFUS0RWYXozVUp2SEd1NTMtYnl3IiwiYXVkIjoiNDA3NDA4NzE4MTkyLmFwcHMuZ29vZ2xldXNlcmNvbnRlbnQuY29tIiwiaWF0IjoxMzY3NTMxODg2LCJleHAiOjEzNjc1MzU3ODZ9.vtELejHfCClmqR9QTmk-ZATjEQaE37jiizY8cWUwBJ8hpXtTkjD9kRs91vncm8BmF_ztT7I3Q64AqYN8kJCyi82icligeO6vJ_bO-LgSkJSv657m1agdLPhkB6zqGKkH8qT40xwdYTXOXB0EkNZiGQhYg_TJNDasTn9KKxba-DE
An ID TokenThursday, July 18, 13
22
eyJhbGciOiJSUzI1NiIsImtpZCI6ImFkMmE1MGNiNzBjNWRhNzg5ZWUyNmQwNWI4ZjYyMWE5OWU4MTIwMmUifQ.eyJpc3MiOiJhY2NvdW50cy5nb29nbGUuY29tIiwiaWQiOiIxMDc2MDY3MDM1NTgxNjE1MDc5NDYiLCJzdWIiOiIxMDc2MDY3MDM1NTgxNjE1MDc5NDYiLCJjaWQiOiI0MDc0MDg3MTgxOTIuYXBwcy5nb29nbGV1c2VyY29udGVudC5jb20iLCJhenAiOiI0MDc0MDg3MTgxOTIuYXBwcy5nb29nbGV1c2VyY29udGVudC5jb20iLCJ0b2tlbl9oYXNoIjoiVzlhVEtEVmF6M1VKdkhHdTUzLWJ5dyIsImF0X2hhc2giOiJXOWFUS0RWYXozVUp2SEd1NTMtYnl3IiwiYXVkIjoiNDA3NDA4NzE4MTkyLmFwcHMuZ29vZ2xldXNlcmNvbnRlbnQuY29tIiwiaWF0IjoxMzY3NTMxODg2LCJleHAiOjEzNjc1MzU3ODZ9.vtELejHfCClmqR9QTmk-ZATjEQaE37jiizY8cWUwBJ8hpXtTkjD9kRs91vncm8BmF_ztT7I3Q64AqYN8kJCyi82icligeO6vJ_bO-LgSkJSv657m1agdLPhkB6zqGKkH8qT40xwdYTXOXB0EkNZiGQhYg_TJNDasTn9KKxba-DE
An ID TokenThursday, July 18, 13
23
eyJhbGciOiJSUzI1NiIsImtpZCI6ImFkMmE1MGNiNzBjNWRhNzg5ZWUyNmQwNWI4ZjYyMWE5OWU4MTIwMmUifQ.eyJpc3MiOiJhY2NvdW50cy5nb29nbGUuY29tIiwiaWQiOiIxMDc2MDY3MDM1NTgxNjE1MDc5NDYiLCJzdWIiOiIxMDc2MDY3MDM1NTgxNjE1MDc5NDYiLCJjaWQiOiI0MDc0MDg3MTgxOTIuYXBwcy5nb29nbGV1c2VyY29udGVudC5jb20iLCJhenAiOiI0MDc0MDg3MTgxOTIuYXBwcy5nb29nbGV1c2VyY29udGVudC5jb20iLCJ0b2tlbl9oYXNoIjoiVzlhVEtEVmF6M1VKdkhHdTUzLWJ5dyIsImF0X2hhc2giOiJXOWFUS0RWYXozVUp2SEd1NTMtYnl3IiwiYXVkIjoiNDA3NDA4NzE4MTkyLmFwcHMuZ29vZ2xldXNlcmNvbnRlbnQuY29tIiwiaWF0IjoxMzY3NTMxODg2LCJleHAiOjEzNjc1MzU3ODZ9.vtELejHfCClmqR9QTmk-ZATjEQaE37jiizY8cWUwBJ8hpXtTkjD9kRs91vncm8BmF_ztT7I3Q64AqYN8kJCyi82icligeO6vJ_bO-LgSkJSv657m1agdLPhkB6zqGKkH8qT40xwdYTXOXB0EkNZiGQhYg_TJNDasTn9KKxba-DE
{ "alg":"RS256", "kid":"ad2a50cb70c5da789ee26d05b8f621a99e81202e"}
base64
ID Token crypto stuffThursday, July 18, 13
24
www.googleapis.com/oauth2/v1/certsThursday, July 18, 13
25
rubygems.org/gems/google-id-token
Installationgem install google-id-token
Examplesvalidator = GoogleIDToken::Validator.newjwt = validator.check(token, required_audience, required_client_id)if jwt email = jwt['email']else report "Cannot validate: #{validator.problem}"end
Thursday, July 18, 13
26
{ "iss":"accounts.google.com", "sub":"107606703558161507946", "azp":"407408718192.apps.googleusercontent.com", "token_hash":"W9aTKDVaz3UJvHGu53-byw", "at_hash":"W9aTKDVaz3UJvHGu53-byw", "aud":"407408718192.apps.googleusercontent.com", "iat":1367531886, "exp":1367535786}
Inside an ID Token payload
.eyJpc3MiOiJhY2NvdW50cy5nb29nbGUuY29...
base64payload
Thursday, July 18, 13
An ID Token
27
• Is cryptographically signed by an issuer (“iss”),
• asserts that the user (“sub”) is authenticated by that issuer,
• is meant for a particular recipient (“aud”), and
• may have been issued to a particular authorized party (“azp”).
• It is unencrypted, therefore
• it must be transmitted over TLS (https).
• They are incredibly useful! (see tbray.org/ongoing/When/201x/2013/04/04/ID-Tokens)
Thursday, July 18, 13
28
Thursday, July 18, 13
28
Thursday, July 18, 13
28
Thursday, July 18, 13
29
(Authz/authn demo)
Thursday, July 18, 13
30
<body> <div id="gConnect"> <button class="g-signin" data-scope="https://www.googleapis.com/auth/plus.login" data-requestvisibleactions="http://schemas.google.com/AddActivity" data-clientId="{{ CLIENT_ID }}" data-accesstype="offline" data-callback="onSignInCallback" data-theme="dark" data-cookiepolicy="single_host_origin"> </button>
Thursday, July 18, 13
31
get '/people' do # Check for stored credentials in the current user's session. if !session[:token] halt 401, 'User not connected.' end
# Authorize the client and construct a Google+ service. $client.authorization.update_token!(session[:token].to_hash) plus = $client.discovered_api('plus', 'v1')
# Get the list of people as JSON and return it. response = $client.execute!(plus.people.list, :collection => 'visible', :userId => 'me').body content_type :json responseend
Thursday, July 18, 13
32
Cross-clientIdentity
Thursday, July 18, 13
32
Cross-clientIdentity
Thursday, July 18, 13
Developer API console
33
Your “Project”
Web Client ID
Android app 1
Client ID
JavaScript appClient ID
Android app 2
Client ID
Thursday, July 18, 13
Developer API console
33
Your “Project”
Web Client ID
Android app 1
Client ID
JavaScript appClient ID
Android app 2
Client ID
Auth one, auth ‘em allThursday, July 18, 13
Developer API console
33
Your “Project”
Web Client ID
Android app 1
Client ID
JavaScript appClient ID
Android app 2
Client ID
Auth one, auth ‘em allThursday, July 18, 13
34
developers.google.com/accounts/docs/CrossClientAuth
Thursday, July 18, 13
35
Shared sign-in with ID Tokens
Shared Access-Token
grant
Mobile app gets offline Web-app
access
Cross-clientIdentity
Thursday, July 18, 13
35
Shared sign-in with ID Tokens
Shared Access-Token
grant
Mobile app gets offline Web-app
access
Cross-clientIdentity
Thursday, July 18, 13
35
Shared sign-in with ID Tokens
Shared Access-Token
grant
Mobile app gets offline Web-app
access
Cross-clientIdentity
Thursday, July 18, 13
35
Shared sign-in with ID Tokens
Shared Access-Token
grant
Mobile app gets offline Web-app
access
Cross-clientIdentity
Thursday, July 18, 13
36
Your client app
Thursday, July 18, 13
36
Your client app
Your server back-end
Thursday, July 18, 13
36
Your client app
Your server back-end
HTTPS
Thursday, July 18, 13
36
Your client app
Your server back-end
HTTPS
“Who am I talking to?”
Thursday, July 18, 13
37
developers.google.com/accounts/cookbook/Thursday, July 18, 13
38
Cookbook “Platforms” page
• Android app on a compatible device with Google Play services.
• A native compiled app on a personal computer or mobile device.
• Android app without Google Play services (for example, a Kindle). This is effictively equivalent to the Native-app scenario.
• iOS app.
• Browser-based Web app.
• Hybrid mobile/web, where components need to share identity.
• Chrome app/extension.
• Server-side app.
• Low-capability device (keyboard-challenged).
14
Thursday, July 18, 13
Thursday, July 18, 13
<Thank You!>
tbray.org/google.com/+TimBray@timbray
Thursday, July 18, 13
Related Documents
