Slide 1

Identity Management in Your Apps by Prosper Otemuyiwa & Segun Famisa

Slide 2

Who Are We?

Prosper Otemuyiwa a.k.a. unicodeveloper
● Technical Writer at Auth0
● Blogger at goodheads.io
● Organizer of Lagos PHP & Laravel Meetups
● Self-Acclaimed Evangelist
● Fire Ambassador
● Open Sourcerer
● Google Developer Expert
@unicodeveloper

Slide 3

Who Are We?

Segun Famisa a.k.a. Brimstone
● Software Engineer at Konga
● Blogger at segunfamisa.com
● Nigerian Jollof Rice Ambassador
● Open Sourcerer
segunfamisa.com @segunfamisa

Slide 4

You want to tweet? Here is a million dollar one!

"When it comes to Security and saving developers thousands of hours? @auth0 can’t keep calm, young Padawan! #DevCraftKE" - @unicodeveloper

Slide 5

What the Hell is Identity Management?
● It is as simple as it sounds. Managing Identities - User Identities.
● Almost every application needs some form of process to manage user identities.
● Authentication
● Authorization

Slide 6

Why build Identity Management
● You are doing something simple
● Highly experienced or part of a strong team - been building authentication for apps and services for years
● Small budget

Slide 7

Wait...what? Buy? Why buy Identity Management?

Slide 8

What If I told you that User Identity Management can really become so complex?

Slide 9

Ask Yourself the Following Questions
1. Do you have users who will authenticate with more than one Identity Provider?
2. Do you have multiple applications which will need to authenticate? Now do they use the same stack?
3. What analytics will you need for account creation and authentication events?
4. How will you flag and mitigate anomalies in user management and authentication events?

Slide 10

Ask Yourself the Following Questions
5. How can you stay on top of potential security vulnerabilities?
6. Can you/your team securely configure authentication infrastructure? On-premises and in private cloud instances?
7. What is your Multifactor Authentication Strategy? How will you integrate it across different clients?

Slide 11

Ask Yourself the Following Questions
8. How will you on-board new B2B customers wanting SSO for your service?
9. Can you federate with partners who use Active Directory behind the firewall?
10. Have you thought about implementing brute-force protection and DDoS prevention? Identity systems are an attractive target for attacks.

Slide 12

Ask Yourself the Following Questions
11. Have you considered scalability, performance, and replication/availability requirements for your user store?
12. How will you implement OpenID Connect across development stacks and clients?
13. How will you handle reports from the security community of vulnerabilities in your identity implementation?

Slide 13

What about Security? Oh Major Key!
❖ Half a billion Yahoo accounts were leaked in a large-scale data breach in 2014
❖ Dropbox data breach: 68 million user account details leaked
❖ LinkedIn data breach: 117 million emails and passwords leaked in 2012

Slide 14

All just for User Identity? I AM NOT CRYING! When will I implement the core business logic?

Slide 15

Relax Buddy….Auth0 got your back!!

Slide 16

Auth0 offers the following for authentication...
● Lock Widget
● Passwordless (SMS, Magic Link, Touch ID)
● Guardian (Multi-Factor Authentication made easy)
● Supports over 30 social login providers
● Breached Password detection
● Anomaly detection
● Single Sign On
More info here: https://auth0.com/how-it-works

Slide 17

Before you decide to trust Auth0... check this out:
● We maintain over 100 open source projects including your favorites: passportjs, node-jsonwebtoken and express-jwt
● A team of highly experienced & world-class specialists including Jared (creator of Passport) and Eugene Kogan (security expert, previously at the US Department of Defense)
● Auth0 is OpenID Certified, SOC Type II Certified and offers HIPAA BAA Compliance

Slide 18

@unicodeveloper JUST SHOW ME HOW TO SAVE TIME!!!!

Slide 19

Let’s Build an App: KE Food Quest
Goals:
● Users should be able to sign in to the app to unlock a tasty plate of Ugali
● Users should be able to sign in with either username & password, Facebook, Google, or Twitter
● User analytics needed.

Slide 20

Build an App: KE Food Quest (Web)
1. Sign up for an Auth0 account
2. Create a new app from your Dashboard

Slide 21

Build an App: KE Food Quest (Web)
3. Click on the “Quickstart” tab just after creating the app to get started with a boilerplate for any technology you want to use:
- AngularJS
- React
- Vue
- Aurelia
- Ember
- CycleJS
...many more!

Slide 22

Build an App: KE Food Quest (Web)
4. Replace your CLIENT_ID & DOMAIN with the real values from your dashboard.
5. Specify a callback URL & also “Allowed Origins”
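The dashboard asks for a callback URL and "Allowed Origins" in step 5 because the authorization server must only send a login result back to locations the app owner registered. The following is an added example, not code from the talk or from Auth0's SDKs, showing the shape of that check: an exact match after normalization for callbacks, and a scheme + host + port match for origins. Every URL in it is constructed for illustration.

```javascript
// Added example, not code from the talk or from Auth0's SDKs. Step 5 registers a callback
// URL and "Allowed Origins" because the authorization server must only send the login result
// back to locations the app owner registered. This is what that check looks like: an exact
// match after normalization, never a prefix or substring match. All URLs are constructed.
const ALLOWED_CALLBACKS = [
  'https://kefoodquest.example/callback', // constructed production callback
  'http://localhost:3000/callback',       // constructed local development callback
];
const ALLOWED_ORIGINS = [
  'https://kefoodquest.example',
  'http://localhost:3000',
];

// Reduce a URL to scheme, host (with port), path and query. The fragment is dropped because a
// browser never sends it to the server. Returns null for anything that does not parse.
function normalizeCallback(url) {
  let u;
  try {
    u = new URL(url);
  } catch {
    return null;
  }
  return `${u.protocol}//${u.host}${u.pathname}${u.search}`;
}

// A redirect target is acceptable only if it equals a registered entry exactly. Looser rules
// (startsWith, includes, an unanchored regex) are what let a lookalike host such as
// "kefoodquest.example.evil.test" or a ".." path segment slip through.
function isAllowedCallback(candidate, allowlist = ALLOWED_CALLBACKS) {
  const norm = normalizeCallback(candidate);
  if (norm === null) return false;
  return allowlist.some((entry) => normalizeCallback(entry) === norm);
}

// "Allowed Origins" is the CORS-style list for the Lock widget's browser requests. An origin is
// scheme + host + port only, so anything carrying a path, query or fragment is rejected outright.
function isAllowedOrigin(candidate, allowlist = ALLOWED_ORIGINS) {
  let u;
  try {
    u = new URL(candidate);
  } catch {
    return false;
  }
  if (u.pathname !== '/' || u.search !== '' || u.hash !== '') return false;
  return allowlist.includes(u.origin);
}
```

The point of the exact match is that the registered list is the only thing standing between the login flow and a redirect to a location the app owner never approved, so the comparison must not be relaxed for convenience (trailing slashes, extra query parameters and lookalike hosts all fail on purpose).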

Slide 28

● Grab all the data

Slide 29

● User Analytics

Slide 30

Build an App: KE Food Quest (Mobile)
Requirements:
1. Android Studio
2. minSdkVersion 15 (Android 4.0.3)
3. Android emulator or device

Slide 31

Build an App: KE Food Quest (Mobile)
1. If you don’t have an existing client on the dashboard, create one.

Slide 32

Build an App: KE Food Quest (Mobile)
2. Add the callback URL for the app. The callback URL for an Android client is: https://{YOUR_AUTH0_DOMAIN}/android/{YOUR_APP_PACKAGE_NAME}/callback

Slide 33

Build an App: KE Food Quest (Mobile)
3. Add the auth0 dependency to your app’s build.gradle file

Slide 34

Build an App: KE Food Quest (Mobile)
4. Configure auth0 in your AndroidManifest.xml file
   i. Add the auth0 LockActivity
   ii. Add the auth0 WebAuthActivity

Slide 36

Build an App: KE Food Quest (Mobile)
5. Implement auth0 login using the Lock class.
   i. Set up Lock (in the onCreate method, initialize the Lock class)
   ii. Set up the Lock callback
   iii. Clean up the Lock class in onDestroy (to prevent memory leakage)
   iv. Validate token

Slide 40

Build an App: KE Food Quest (Mobile)
6. Handle expired id tokens
The refresh token doesn’t expire, so use it to request a new id token. Basically, create a delegation token with the refresh token. A delegation token is a token that can be used to request another resource.

Slide 41

Build an App: KE Food Quest (Mobile)
Screenshots: Login prompt; Login UI; Success! Find your ugali!; Error getting new token

Slide 42

Build an App: KE Food Quest (Mobile) Want to see more code? Check out this demo project here: https://github.com/segunfamisa/auth0-demo-android

Slide 43

Success Stories

“Getting identity management out of the way was, surprisingly, a really big deal, both to these proud institutions, and to the federal government. Ever since this project started, we’ve become the NIH’s shining example of how to share data among disparate institutions.” - David Bernick, Director of Technology, Harvard Medical School Department of Bioinformatics

“Setting up our application to integrate with one partner and then having that partner act as a service hub for dozens of identity systems helps simplify work for our core development teams, while allowing our customer base to grow exponentially.” – Cris Concepcion, Engineering Manager at Safari Books Online

“Thank you for your help. We saw over 1.3 million registrations and our campaign got a social media sentiment score of over 95% positive, so it has been deemed a great success!!” — AKQA – Agency implementing the campaign for Marks and Spencer

Companies that trust Auth0 - https://auth0.com/customers

Slide 44

Thanks DevCraft! Any Questions?