Authentication made Easy

NCDevCon
2012

Billy Cravens
About me
Billy Cravens
ColdFusion since 4.0 (1999)
Houston CFUG manager
Former DFWCFUG board member
Other languages: PHP, .NET; node.js ninja in training
Remember the Wrox book?
About me

Supporter of Cystic Fibrosis (research)
    www.CureCF.com
Twitter: @bdcravens
Web:
    www.billycravens.com
    billy.io
Traditional authentication
session check per request
CFLogin
OS-based
    IIS
         Windows authentication, using IIS management console
    Apache
         Configure in .htaccess file
Pain points of traditional / Advantages of federated login

Registration and conversion rates
    (statistic here would be nice!)
Established user profiles
Customer care and password recovery costs
Social web
    Facebook: 845 million users
    Twitter: 300 million users
    Google: 350 million Gmail users
    LinkedIn: 135 million users
Disadvantages of federated login

User experience
Uncontrolled downtime
Trust and perception
Federated identity/single sign on


Origins
   Liberty Alliance whitepaper
   Microsoft Passport
OpenID
OAuth
OpenId


Services using
The workflow
Open source CF libraries
OpenId
Services using
    Google

    Yahoo

    WordPress

    Flickr

    Other services

    Roll your own
OpenId
The workflow
   OpenID URL
   Authentication
   Permission request
   Shared secret
   Returns profile info and unique ID (URI)
OpenId


Open source CF libraries
    http://www.yakhnov.info/go/projects/openid/
    others on RiaForge
OAuth

Services using
open source CF libraries
the workflow
oAuth 1.0 / 2.0
Disadvantages
OAuth

Services using
    Twitter (originated here)
    Facebook (oAuth 2.0)
    LinkedIn
Authentication Using Twitter, Google, Facebook, And More
oAuth 2.0 Workflow
   Send user to authentication URI
   User logs in and grants permissions
   Send token to your callback URI
   Verify token
   API calls using token
Development

Google
Facebook
Twitter
Others
integrating into legacy systems
Google


Show me the code
Facebook


Show me the code
Twitter


Show me the code
Integrate into existing security


Authenticate your user
Authenticate with service
Capture user ID field of service, save to database

Editor's Notes

  4. Session check: briefly show /session code (no more than 1 minute)
     CFLogin: briefly show /cflogin code (no more than 1 minute)
     OS options: don’t show examples
  6. Trust and perception:
     * people's unwillingness to grant *your* application access to their Twitter/FB/Google data.
     * Although most of these allow a level of access that is only used for auth, many users will not understand that and so may be hesitant to allow access.
     * you are placing trust in another authority, which is also an issue.
     * privacy issues: access to your website as data to mine
  7. TODO: short blurb about Liberty Alliance. Discuss role in standard, merger into Kantara Initiative
     MS Passport: proprietary solution, some early adoption, Starbucks.com;
     began process of migrating Windows Live ID to OpenID, but never moved past CTP
  9. only one we’re interested in is Google
     in this presentation we’re only going to look at
  10. TODO: a workflow diagram would be good
  11. TODO: a workflow diagram would be good
  13. not going to look at LinkedIn