Identity Management in Your Apps by Prosper Otemuyiwa & Segun Famisa

Who Are We? Prosper Otemuyiwa a.k.a unicodeveloper ● Technical Writer at Auth0 ● Blogger at goodheads.io ● Organizer of Lagos PHP & Laravel Meetups ● Self-Acclaimed Evangelist ● Fire Ambassador ● Open Sourcerer ● Google Developer Expert @unicodeveloper

Who Are We? Segun Famisa a.k.a Brimstone ● Software Engineer at Konga ● Blogger at segunfamisa.com ● Nigerian Jollof Rice Ambassador ● Open Sourcerer segunfamisa.com @segunfamisa

When it comes to Security and saving developers thousands of hours? @auth0 can’t keep calm, young Padawan! #DevCraftKE - @unicodeveloper You want to tweet? Here is a million dollar one!

● It is as simple as it sounds. Managing Identities - User Identities. ● Almost every application needs some form of process to manage user identities. ● Authentication ● Authorization What the Hell is Identity Management?

● You are doing something simple ● Highly experienced or part of a strong team - been building authentication for apps, services for years ● Small budget Why build Identity Management

Wait...what? Buy? Why buy Identity Management?

What If I told you that User Identity Management can really become so complex?

1. Do you have users who will authenticate with more than one Identity Provider? 2. Do you have multiple applications which will need to authenticate? Now do they use the same stack? 3. What analytics will you need for account creation and authentication events? 4. How will you flag and mitigate anomalies in user management and authentication events? Ask Yourself the Following Questions?

5. How can you stay on top of potential security vulnerabilities? 6. Can you/your team securely configure authentication infrastructure? On-premises and in private cloud instances? 7. What is your Multifactor Authentication Strategy? How will you integrate it across different clients? Ask Yourself the Following Questions?

8. How will you on-board new B2B Customers wanting SSO for your service? 9. Can you federate with partners who use Active Directory behind the firewall? 10. Have you thought about implementing brute-force protection and DDOS prevention? Identity systems are an attractive target for attacks. Ask Yourself the Following Questions?

11. Have you considered scalability, performance, and replication/availablity requirements for your user store? 12. How will you implement OpenID Connect across development stacks and clients? 13. How will you handle reports from the security community of vulnerabilities in your identity implement? Ask Yourself the Following Questions?

❖ Half a billion Yahoo accounts were leaked in large-scale data breach in 2014 ❖ Dropbox Data breach: 68 million user account details leaked ❖ LinkedIn Data breach: 117 million emails and passwords leaked in 2012 What about Security? Oh Major Key!

All just for User Identity? I AM NOT CRYING! When will I implement the core business logic?

Relax Buddy….Auth0 got your back!!

Auth0 offers the following for authentication... ● Lock Widget ● Passwordless ( SMS, Magic Link, Touch ID) ● Guardian ( Multi-Factor Authentication made easy) ● Supports over 30 social login providers ● Breached Password detection ● Anomaly detection ● Single Sign On More info here https://auth0.com/how-it-works

Before you decide to trust Auth0…... Check this out: ● We maintain over 100 open source projects including your favorites: passportjs, node-jsonwebtoken and express-jwt ● A team of highly experienced & world-class specialists including Jared( creator of passport), Eugene Kogan( Security expert, previously at the US Department of Defense) ● Auth0 is OpenID Certified, SOC Type II Certified and offers HIPAA BAA Compliance

@unicodeveloper JUST SHOW ME HOW TO SAVE TIME!!!!

Goals: ● Users should be able to sign in to the app to unlock a tasty plate of Ugali ● Users should be able to sign in with either username & password, facebook, google, or twitter ● User Analytics needed. Let’s Build an App: KE Food Quest

1. Sign up for an Auth0 account 2. Create a new app from your Dashboard Build an App: KE Food Quest (Web)

3. Click on the “Quickstart tab” Just after creating the app to get started with a boilerplate for any technology you want to use. - AngularJS - React - Vue - Aurelia - Ember - CycleJS ...many more! Build an App: KE Food Quest (Web)

Build an App: KE Food Quest (Web) 4. Replace your CLIENT_ID & DOMAIN with the real values from your dashboard. 5. Specify a callback URL & also “Allowed Origins”

Build an App: KE Food Quest (Web) 4. Replace your CLIENT_ID & DOMAIN with the real values from your dashboard. 5. Specify a callback URL & also “Allowed Origins”

No content

No content

No content

No content

● Grab all the data

● User Analytics

Build an App: KE Food Quest (Mobile) Requirements: 1. Android Studio 2. minSdkVersion 15 (Android 4.0.3) 3. Android emulator or device

Build an App: KE Food Quest (Mobile) 1. If you don’t have an existing client on the dashboard, create one.

Build an App: KE Food Quest (Mobile) 2. Add callback url for the app. Callback url for an Android client is: https:///android//callback

Build an App: KE Food Quest (Mobile) 3. Add auth0 dependency to your app’s build.gradle file

Build an App: KE Food Quest (Mobile) 4. Configure auth0 in your AndroidManifest.xml file i. Add auth0 LockActivity ii. Add auth0 WebAuthActivity

Build an App: KE Food Quest (Mobile) 4. Configure auth0 in your AndroidManifest.xml file i. Add auth0 LockActivity ii. Add auth0 WebAuthActivity

Build an App: KE Food Quest (Mobile) In the onCreate method, initialize the Lock class 5. Implement auth0 login using the Lock class. i. Setup Lock ii. Setup lock callback iii. Clean up the Lock class onDestroy (to prevent memory leakage) iv. Validate token

Build an App: KE Food Quest (Mobile) 5. Implement auth0 login using the Lock class. i. Setup Lock ii. Setup lock callback iii. Clean up the Lock class onDestroy (to prevent memory leakage) iv. Validate token

Build an App: KE Food Quest (Mobile) 5. Implement auth0 login using the Lock class. i. Setup Lock ii. Setup lock callback iii. Clean up the Lock class onDestroy (to prevent memory leakage) iv. Validate token

Build an App: KE Food Quest (Mobile) 5. Implement auth0 login using the Lock class. i. Setup Lock ii. Setup lock callback iii. Clean up the Lock class onDestroy (to prevent memory leakage) iv. Validate token

Build an App: KE Food Quest (Mobile) 6. Handle expired id tokens The refresh token doesn’t expire, so use it to request for a new IdToken Basically, create a delegation token with the refresh token A delegation token is a token that can be used to request for another resource

Build an App: KE Food Quest (Mobile) Login prompt Login UI Success! Find your ugali! Error getting new token

Build an App: KE Food Quest (Mobile) Want to see more code? Check out this demo project here: https://github.com/segunfamisa/auth0-demo-android

Success Stories “Getting identity management out of the way was, surprisingly, a really big deal, both to these proud institutions, and to the federal government. Ever since this project started, we’ve become the NIH’s shining example of how to share data among disparate institutions.” - David Bernick, Director of Technology, Harvard Medical School Department of Bioinformatics “Setting up our application to integrate with one partner and then having that partner act as a service hub for dozens of identity systems helps simplify work for our core development teams, while allowing our customer base to grow exponentially.” – Cris Concepcion, Engineering Manager at Safari Books Online “Thanks you for your help. We saw over 1.3 million registrations and our campaign got a social media sentiment score of over 95% positive, so it has been deemed a great success!!” — AKQA – Agency implementing the campaign for Marks and Spencer Companies that trust Auth0 - https://auth0.com/customers

Thanks DevCraft! Any Questions?