User Management with LastUser

Transcript

1. User Management with LastUser Kiran Jonnalagadda, HasGeek PyCon India, Pune,

   September 2011 flickr.com/exfordy/128576390/

2. The What & The Why

3. LastUser is an identity aggregating web service LastUser Your App

   1 Your App 2 Your App 3

4. A simple goal Login Password Submit Login identifier that users

   can remember Relief from password management No user registration. Just login and use

5. OpenID: URLs as Identity

6. OpenID in theory: http://jace.livejournal.com/

7. github.com www. URLs in the browser:

8. github.com URLs in the browser:

9. github.com/ http:// URLs in the browser:

10. github.com/ https:// URLs in the browser:

11. URLs as Identifiers 1. github.com 2. github.com/ 3. www.github.com 4.

    www.github.com/ 5. http://github.com 6. http://github.com/ 7. http://www.github.com 8. http://www.github.com/ 9. https://github.com 10. https://github.com/ 11. https://www.github.com 12. https://www.github.com/ Multiple strings; same final URL flickr.com/mynameisharsha/5157965638/

12. Contrast with email Addresses: [email protected] Change one character and it’s

    no longer valid. Users are conditioned to type them in exactly every time

13. URL Ambiguity: https://www.google.com/accounts/o8/id One OpenID URL for all Google accounts

14. URL Ambiguity: https://www.google.com/accounts/o8/id?id=AItOawnGAN1Swp5zAJn9UYCw0jivCRXg8qIe_9c https://www.google.com/accounts/o8/id?id=AItOawm3y2JBSnIo0ZdNwtIa487VpQXtpbXNmU4 Both are the same Google id,

    on different domains, using directed identity. If you move to a new domain, all your users’ ids change

15. URLs are not reliable identifiers for users

16. OpenID in practice

17. OAuth: Delegated Identity

18. The delegated id model Your Application

19. The delegated id model Your Application Synchronizing identity across services?

20. Need a common identifier across services. It’s usually an email

    address

21. LastUser as abstraction layer LastUser — OAuth Server Your App

    1 Your App 2 Your App 3

22. Multiple apps, all connected to one LastUser instance

23. 1. Login screen provider

24. Connecting identities Users sometimes login with a different service provider

    Accounts can be connected if there is a common id Twitter does not provide an email address GitHub provides only md5sum of email via Gravatar. Can be connected if email is already known

25. Supported id providers Twitter Google GitHub OpenID (but not delegation)

    Upcoming: LinkedIn, Facebook

26. OAuth: There is no single standard called OAuth. Every implementation

    is different

27. There is no up-to-date Python library for OAuth2. Every service

    provider has their own library. Contrast: Ruby has OmniAuth

28. LastUser implements OAuth 2.0 draft 16 (with gaps filled in)

29. OAuth 2.0 has two parts OAuth Authorization Server OAuth Resource

    Server OAuth Client 1. Request an access token 2. Use token to access resource

30. OAuth 2.0 has two parts OAuth Authorization Server OAuth Resource

    Server OAuth Client 1. Request an access token 2. Use token to access resource OAuth 2.0 doesn’t specify how this bit works LastUser does

31. 2. Resource providers (work in progress)

32. 3. Central access control

33. Pending work Seamless login UI and pure client-side JS login

    API Non-web login flow Authorization to resource server communication protocol Support for token types other than bearer tokens

34. LastUser is BSD-licensed https://github.com/hasgeek/lastuser