
Identity Management in Your Apps

Segun Famisa
September 30, 2016

Joint workshop with Prosper (https://twitter.com/unicodeveloper) on "Identity Management in your app using auth0" at DevCraft 2016 conference in Nairobi, Kenya. (http://dev-craft.co.ke )

Demo Web app: https://github.com/unicodeveloper/devcraft-demo
Demo Android app: https://github.com/segunfamisa/auth0-demo-android


Transcript

  1. Who Are We? Prosper Otemuyiwa a.k.a. unicodeveloper • Technical Writer at Auth0 • Blogger at goodheads.io • Organizer of Lagos PHP & Laravel Meetups • Self-Acclaimed Evangelist • Fire Ambassador • Open Sourcerer • Google Developer Expert @unicodeveloper
  2. Who Are We? Segun Famisa a.k.a. Brimstone • Software Engineer at Konga • Blogger at segunfamisa.com • Nigerian Jollof Rice Ambassador • Open Sourcerer segunfamisa.com @segunfamisa
  3. You want to tweet? Here is a million dollar one! "When it comes to Security and saving developers thousands of hours? @auth0 can’t keep calm, young Padawan! #DevCraftKE" - @unicodeveloper
  4. What the Hell is Identity Management? • It is as simple as it sounds: managing identities - user identities. • Almost every application needs some form of process to manage user identities. • Authentication • Authorization
  5. Why build Identity Management yourself? • You are doing something simple • Highly experienced or part of a strong team - been building authentication for apps and services for years • Small budget
  6. Ask Yourself the Following Questions: 1. Do you have users who will authenticate with more than one Identity Provider? 2. Do you have multiple applications which will need to authenticate? Do they use the same stack? 3. What analytics will you need for account creation and authentication events? 4. How will you flag and mitigate anomalies in user management and authentication events?
  7. Ask Yourself the Following Questions: 5. How can you stay on top of potential security vulnerabilities? 6. Can you/your team securely configure authentication infrastructure, on-premises and in private cloud instances? 7. What is your Multifactor Authentication strategy? How will you integrate it across different clients?
  8. Ask Yourself the Following Questions: 8. How will you on-board new B2B customers wanting SSO for your service? 9. Can you federate with partners who use Active Directory behind the firewall? 10. Have you thought about implementing brute-force protection and DDoS prevention? Identity systems are an attractive target for attacks.
  9. Ask Yourself the Following Questions: 11. Have you considered scalability, performance, and replication/availability requirements for your user store? 12. How will you implement OpenID Connect across development stacks and clients? 13. How will you handle reports from the security community of vulnerabilities in your identity implementation?
  10. What about Security? Oh, Major Key! ❖ Half a billion Yahoo accounts were leaked in a large-scale data breach in 2014 ❖ Dropbox data breach: 68 million user account details leaked ❖ LinkedIn data breach: 117 million emails and passwords leaked in 2012
  11. All just for User Identity? I AM NOT CRYING! When will I implement the core business logic?
  12. Auth0 offers the following for authentication... • Lock Widget • Passwordless (SMS, Magic Link, Touch ID) • Guardian (Multi-Factor Authentication made easy) • Supports over 30 social login providers • Breached Password detection • Anomaly detection • Single Sign On. More info here: https://auth0.com/how-it-works
  13. Before you decide to trust Auth0... check this out: • We maintain over 100 open source projects including your favorites: passportjs, node-jsonwebtoken and express-jwt • A team of highly experienced & world-class specialists including Jared (creator of passport) and Eugene Kogan (security expert, previously at the US Department of Defense) • Auth0 is OpenID Certified, SOC Type II Certified and offers HIPAA BAA Compliance
  14. Let’s Build an App: KE Food Quest. Goals: • Users should be able to sign in to the app to unlock a tasty plate of Ugali • Users should be able to sign in with either username & password, Facebook, Google, or Twitter • User analytics needed.
  15. Build an App: KE Food Quest (Web) 1. Sign up for an Auth0 account 2. Create a new app from your Dashboard
  16. Build an App: KE Food Quest (Web) 3. Click on the “Quickstart” tab just after creating the app to get started with a boilerplate for any technology you want to use: AngularJS, React, Vue, Aurelia, Ember, CycleJS ...many more!
  17-18. Build an App: KE Food Quest (Web) 4. Replace your CLIENT_ID & DOMAIN with the real values from your dashboard. 5. Specify a callback URL & also “Allowed Origins”
  19. Build an App: KE Food Quest (Mobile) Requirements: 1. Android Studio 2. minSdkVersion 15 (Android 4.0.3) 3. Android emulator or device
  20. Build an App: KE Food Quest (Mobile) 1. If you don’t have an existing client on the dashboard, create one.
  21. Build an App: KE Food Quest (Mobile) 2. Add the callback URL for the app. The callback URL for an Android client is: https://<your-auth0-domain>/android/<your-package-name>/callback
  22. Build an App: KE Food Quest (Mobile) 3. Add the auth0 dependency to your app’s build.gradle file
  23-24. Build an App: KE Food Quest (Mobile) 4. Configure auth0 in your AndroidManifest.xml file: i. Add the auth0 LockActivity ii. Add the auth0 WebAuthActivity
  25-28. Build an App: KE Food Quest (Mobile) 5. Implement auth0 login using the Lock class. In the onCreate method, initialize the Lock class. i. Setup Lock ii. Setup the Lock callback iii. Clean up the Lock class in onDestroy (to prevent memory leakage) iv. Validate token
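Steps i-iv of slides 25-28 in one Activity, as an added example (not the deck's slides or the demo project's code). It assumes the Lock.Android 2.x API of the time (Lock.newBuilder, AuthenticationCallback, lock.onDestroy) and uses placeholder CLIENT_ID/DOMAIN values; verify the method names against the Lock version you depend on.

```java
import android.app.Activity;
import android.os.Bundle;
import android.util.Base64;
import com.auth0.android.Auth0;
import com.auth0.android.lock.AuthenticationCallback;
import com.auth0.android.lock.Lock;
import com.auth0.android.lock.LockCallback;
import com.auth0.android.lock.utils.LockException;
import com.auth0.android.result.Credentials;
import org.json.JSONObject;

public class LoginActivity extends Activity {
    private Lock lock;
    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        // i. Setup Lock. Placeholders: take CLIENT_ID and DOMAIN from your dashboard.
        Auth0 auth0 = new Auth0("YOUR_CLIENT_ID", "YOUR_DOMAIN.auth0.com");
        lock = Lock.newBuilder(auth0, callback).build(this);
        startActivity(lock.newIntent(this));
    }
    // ii. Lock callback: Lock returns id, access and refresh tokens on success.
    private final LockCallback callback = new AuthenticationCallback() {
        @Override
        public void onAuthentication(Credentials credentials) {
            // iv. Validate token: a stale or malformed id token is a failed login.
            if (!isIdTokenUnexpired(credentials.getIdToken())) return;
            // keep credentials.getRefreshToken() in app-private storage for step 6
        }
        @Override public void onCanceled() { /* user dismissed the Lock UI */ }
        @Override public void onError(LockException error) { /* show a generic error */ }
    };
    // iii. Clean up in onDestroy so Lock's receivers do not leak the Activity.
    @Override protected void onDestroy() { super.onDestroy(); lock.onDestroy(this); }

    // Decode the JWT payload and compare 'exp' with the device clock. This catches
    // expiry only; signature verification belongs on your backend, not the client.
    static boolean isIdTokenUnexpired(String idToken) {
        try {
            String[] parts = idToken.split("\\.");
            if (parts.length != 3) return false;
            byte[] payload = Base64.decode(parts[1], Base64.URL_SAFE | Base64.NO_WRAP);
            long exp = new JSONObject(new String(payload, "UTF-8")).getLong("exp");
            return exp > System.currentTimeMillis() / 1000;
        } catch (Exception e) {
            return false;
        }
    }
}
```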
  29. Build an App: KE Food Quest (Mobile) 6. Handle expired id tokens. The refresh token doesn’t expire, so use it to request a new IdToken. Basically, create a delegation token with the refresh token. A delegation token is a token that can be used to request another resource.
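Step 6 as an added example (not from the deck or the demo project): the stored refresh token is exchanged for a new id token through a delegation request, and a failed delegation sends the user back to the login prompt instead of reusing a dead token. It assumes the auth0.android 1.x AuthenticationAPIClient.delegationWithRefreshToken call of the time and the preference keys shown; check both against your library version.

```java
import android.content.Context;
import android.content.SharedPreferences;
import com.auth0.android.Auth0;
import com.auth0.android.authentication.AuthenticationAPIClient;
import com.auth0.android.authentication.AuthenticationException;
import com.auth0.android.callback.BaseCallback;
import com.auth0.android.result.Delegation;

public class IdTokenRefresher {
    public interface Listener {
        void onNewIdToken(String idToken);
        void onLoginRequired();
    }
    // assumed preference names, not from the demo project
    private static final String PREFS = "auth0_tokens", KEY_REFRESH = "refresh_token";
    private final SharedPreferences prefs;
    private final AuthenticationAPIClient client;

    public IdTokenRefresher(Context ctx, Auth0 auth0) {
        // MODE_PRIVATE: the refresh token never expires, so keep it app-private only.
        prefs = ctx.getSharedPreferences(PREFS, Context.MODE_PRIVATE);
        client = new AuthenticationAPIClient(auth0);
    }

    public void saveRefreshToken(String refreshToken) {
        prefs.edit().putString(KEY_REFRESH, refreshToken).apply();
    }

    // Step 6: the id token was rejected as expired, so ask for a delegation token
    // with the stored refresh token instead of showing the login prompt again.
    public void refreshIdToken(final Listener listener) {
        String refreshToken = prefs.getString(KEY_REFRESH, null);
        if (refreshToken == null) { listener.onLoginRequired(); return; }
        client.delegationWithRefreshToken(refreshToken)
              .start(new BaseCallback<Delegation, AuthenticationException>() {
                  @Override public void onSuccess(Delegation delegation) {
                      listener.onNewIdToken(delegation.getIdToken());
                  }
                  @Override public void onFailure(AuthenticationException error) {
                      // e.g. the refresh token was revoked: drop it and re-authenticate
                      prefs.edit().remove(KEY_REFRESH).apply();
                      listener.onLoginRequired();
                  }
              });
    }
}
```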
  30. Build an App: KE Food Quest (Mobile) [screenshots: Login prompt, Login UI, "Success! Find your ugali!", "Error getting new token"]
  31. Build an App: KE Food Quest (Mobile) Want to see more code? Check out this demo project here: https://github.com/segunfamisa/auth0-demo-android
  32. Success Stories “Getting identity management out of the way was, surprisingly, a really big deal, both to these proud institutions, and to the federal government. Ever since this project started, we’ve become the NIH’s shining example of how to share data among disparate institutions.” - David Bernick, Director of Technology, Harvard Medical School Department of Bioinformatics “Setting up our application to integrate with one partner and then having that partner act as a service hub for dozens of identity systems helps simplify work for our core development teams, while allowing our customer base to grow exponentially.” – Cris Concepcion, Engineering Manager at Safari Books Online “Thank you for your help. We saw over 1.3 million registrations and our campaign got a social media sentiment score of over 95% positive, so it has been deemed a great success!!” — AKQA – Agency implementing the campaign for Marks and Spencer. Companies that trust Auth0: https://auth0.com/customers