Identity Management in Your Apps

Segun Famisa
September 30, 2016

Joint workshop with Prosper (https://twitter.com/unicodeveloper) on "Identity Management in your app using Auth0" at the DevCraft 2016 conference in Nairobi, Kenya (http://dev-craft.co.ke).

Demo Web app: https://github.com/unicodeveloper/devcraft-demo
Demo Android app: https://github.com/segunfamisa/auth0-demo-android


Transcript

  1. Identity Management in Your Apps
    by
    Prosper Otemuyiwa & Segun Famisa

  2. Who Are We?
    Prosper Otemuyiwa a.k.a unicodeveloper
    ● Technical Writer at Auth0
    ● Blogger at goodheads.io
    ● Organizer of Lagos PHP & Laravel Meetups
    ● Self-Acclaimed Evangelist
    ● Fire Ambassador
    ● Open Sourcerer
    ● Google Developer Expert
    @unicodeveloper

  3. Who Are We?
    Segun Famisa a.k.a Brimstone
    ● Software Engineer at Konga
    ● Blogger at segunfamisa.com
    ● Nigerian Jollof Rice Ambassador
    ● Open Sourcerer
    segunfamisa.com
    @segunfamisa

  4. When it comes to Security and saving
    developers thousands of hours? @auth0
    can’t keep calm, young Padawan!
    #DevCraftKE - @unicodeveloper
    You want to tweet? Here is a million dollar one!

  5. What the Hell is Identity Management?
    ● It is as simple as it sounds: managing identities, specifically user identities.
    ● Almost every application needs some process to manage user identities.
    ● Authentication
    ● Authorization

  6. Why build Identity Management?
    ● You are doing something simple
    ● You are highly experienced, or part of a strong team that has been building authentication for apps and services for years
    ● Small budget

  7. Why buy Identity Management?
    Wait...what? Buy?

  8. What If I told you that User Identity Management can
    really become so complex?

  9. Ask Yourself the Following Questions
    1. Do you have users who will authenticate with more than one Identity Provider?
    2. Do you have multiple applications which will need to authenticate? Do they use the same stack?
    3. What analytics will you need for account creation and authentication events?
    4. How will you flag and mitigate anomalies in user management and authentication events?

  10. Ask Yourself the Following Questions
    5. How can you stay on top of potential security vulnerabilities?
    6. Can you/your team securely configure authentication infrastructure? On-premises and in private cloud instances?
    7. What is your Multifactor Authentication strategy? How will you integrate it across different clients?

  11. Ask Yourself the Following Questions
    8. How will you on-board new B2B customers wanting SSO for your service?
    9. Can you federate with partners who use Active Directory behind the firewall?
    10. Have you thought about implementing brute-force protection and DDoS prevention? Identity systems are an attractive target for attacks.

  12. Ask Yourself the Following Questions
    11. Have you considered scalability, performance, and replication/availability requirements for your user store?
    12. How will you implement OpenID Connect across development stacks and clients?
    13. How will you handle reports from the security community of vulnerabilities in your identity implementation?

  13. What about Security? Oh Major Key!
    ❖ Half a billion Yahoo accounts were leaked in a large-scale data breach in 2014
    ❖ Dropbox data breach: 68 million user account details leaked
    ❖ LinkedIn data breach: 117 million emails and passwords leaked in 2012

  14. All just for User Identity? I AM NOT CRYING!
    When will I implement the core business logic?

  15. Relax Buddy….Auth0 got your back!!

  16. Auth0 offers the following for authentication...
    ● Lock Widget
    ● Passwordless ( SMS, Magic Link, Touch ID)
    ● Guardian ( Multi-Factor Authentication made easy)
    ● Supports over 30 social login providers
    ● Breached Password detection
    ● Anomaly detection
    ● Single Sign On
    More info here https://auth0.com/how-it-works

  17. Before you decide to trust Auth0...
    Check this out:
    ● We maintain over 100 open source projects, including your favorites: passportjs, node-jsonwebtoken and express-jwt
    ● A team of highly experienced & world-class specialists, including Jared (creator of Passport) and Eugene Kogan (security expert, previously at the US Department of Defense)
    ● Auth0 is OpenID Certified, SOC Type II Certified and offers HIPAA BAA Compliance

  18. @unicodeveloper
    JUST SHOW ME HOW TO
    SAVE TIME!!!!

  19. Let’s Build an App: KE Food Quest
    Goals:
    ● Users should be able to sign in to the app to unlock a tasty plate of Ugali
    ● Users should be able to sign in with either username & password, Facebook, Google, or Twitter
    ● User analytics needed.

  20. 1. Sign up for an Auth0 account
    2. Create a new app from your
    Dashboard
    Build an App: KE Food Quest (Web)

  21. Build an App: KE Food Quest (Web)
    3. Click on the “Quickstart” tab just after creating the app to get started with a boilerplate for any technology you want to use:
    - AngularJS
    - React
    - Vue
    - Aurelia
    - Ember
    - CycleJS
    ...many more!

  22. Build an App: KE Food Quest (Web)
    4. Replace your CLIENT_ID & DOMAIN with the real values from your dashboard.
    5. Specify a callback URL & also “Allowed Origins”

  28. ● Grab all the data

  29. ● User Analytics

  30. Build an App: KE Food Quest (Mobile)
    Requirements:
    1. Android Studio
    2. minSdkVersion 15 (Android 4.0.3)
    3. Android emulator or device

  31. Build an App: KE Food Quest (Mobile)
    1. If you don’t have an existing client on the dashboard, create one.

  32. Build an App: KE Food Quest (Mobile)
    2. Add the callback URL for the app. The callback URL for an Android client is:
    https://{YOUR_AUTH0_DOMAIN}/android/{YOUR_APP_PACKAGE_NAME}/callback

  33. Build an App: KE Food Quest (Mobile)
    3. Add the auth0 dependency to your app’s build.gradle file

  34. Build an App: KE Food Quest (Mobile)
    4. Configure auth0 in your AndroidManifest.xml file
    i. Add the auth0 LockActivity
    ii. Add the auth0 WebAuthActivity

  36. Build an App: KE Food Quest (Mobile)
    5. Implement auth0 login using the Lock class. In the onCreate method, initialize the Lock class.
    i. Set up Lock
    ii. Set up the Lock callback
    iii. Clean up the Lock class in onDestroy (to prevent memory leaks)
    iv. Validate the token

  40. Build an App: KE Food Quest (Mobile)
    6. Handle expired id tokens
    The refresh token doesn’t expire, so use it to request a new id token.
    Basically, create a delegation token with the refresh token.
    A delegation token is a token that can be used to request another resource.
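Steps 5.iv (validate the token) and 6 (handle expired id tokens) are the two places where the app, not Auth0, has to get the security decision right. The following is an added example written for this transcript, not code from the demo Android project or from the Auth0 SDK: a small stand-alone validator for an id token, plus the decision of whether a stored token is still usable, should be refreshed, or should be thrown away. It assumes HS256 id tokens signed with the client secret (the default for Auth0 clients at the time of the talk); the domain, client id, secret, user id and timestamps are all constructed sample values, and `mint_id_token` exists only to produce test input the way the tenant would. Python is used so the checks run anywhere; on Android the same checks are what the JWT library you rely on must perform.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample tenant values for this example (not a real Auth0 tenant).
DOMAIN = "ke-food-quest.example.auth0.com"
CLIENT_ID = "demo-client-id"
CLIENT_SECRET = b"demo-client-secret-constructed-for-this-example"
ISSUER = "https://" + DOMAIN + "/"   # Auth0 issues id tokens with a trailing slash on iss


class TokenError(Exception):
    """Raised when an id token fails one of the checks in validate_id_token."""


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(sub: str, issued_at: int, lifetime: int, secret: bytes = CLIENT_SECRET) -> str:
    """Build an HS256 id token the way the tenant would (constructed sample, used as test input)."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": ISSUER, "sub": sub, "aud": CLIENT_ID,
               "iat": issued_at, "exp": issued_at + lifetime}
    signing_input = (_b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url_encode(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def validate_id_token(token: str, now: int, leeway: int = 30, secret: bytes = CLIENT_SECRET) -> dict:
    """Check structure, algorithm, signature, issuer, audience and expiry; return the claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
    except ValueError:
        raise TokenError("malformed")
    # Pin the algorithm to what this client expects. The header is untrusted input, so it
    # must never be allowed to pick "none" or switch the verification scheme.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    expected = hmac.new(secret, (header_b64 + "." + payload_b64).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise TokenError("bad signature")
    # Only read the payload after the signature has been verified.
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER:
        raise TokenError("wrong issuer")
    if claims.get("aud") != CLIENT_ID:
        raise TokenError("wrong audience")
    if not isinstance(claims.get("exp"), int) or now > claims["exp"] + leeway:
        raise TokenError("expired")
    return claims


def session_state(token: str, now: int) -> str:
    """What the app should do with a stored id token: 'ok', 'refresh' or 'login'."""
    try:
        validate_id_token(token, now)
        return "ok"
    except TokenError as err:
        if str(err) == "expired":
            return "refresh"   # genuine but expired: exchange the refresh token for a new id token
        return "login"         # tampered, foreign or malformed: discard it and re-authenticate


if __name__ == "__main__":
    t0 = 1475193600  # 2016-09-30T00:00:00Z, the day of the workshop (constructed timestamp)
    token = mint_id_token("auth0|demo-user", t0, 3600)
    for label, when in (("fresh", t0 + 60), ("expired", t0 + 3600 + 60)):
        print(label, session_state(token, when))
```

The refresh path is only taken when the token is genuine and merely expired; a token that fails the signature, issuer or audience check is not refreshed, since nothing about it can be trusted, and the user is sent back through the login flow instead. The small `leeway` absorbs clock skew between the device and the tenant without keeping a long-expired token alive.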

  41. Build an App: KE Food Quest (Mobile)
    (Screenshots: Login prompt; Login UI; “Success! Find your ugali!”; “Error getting new token”)

  42. Build an App: KE Food Quest (Mobile)
    Want to see more code?
    Check out this demo project here:
    https://github.com/segunfamisa/auth0-demo-android

  43. Success Stories
    “Getting identity management out of the way was, surprisingly, a really big deal, both
    to these proud institutions, and to the federal government. Ever since this project
    started, we’ve become the NIH’s shining example of how to share data among
    disparate institutions.” - David Bernick, Director of Technology, Harvard Medical School
    Department of Bioinformatics
    “Setting up our application to integrate with one partner and then having that
    partner act as a service hub for dozens of identity systems helps simplify work
    for our core development teams, while allowing our customer base to grow
    exponentially.” – Cris Concepcion, Engineering Manager at Safari Books Online
    “Thank you for your help. We saw over 1.3 million registrations and our campaign
    got a social media sentiment score of over 95% positive, so it has been deemed a
    great success!!” — AKQA – Agency implementing the campaign for Marks and Spencer
    Companies that trust Auth0 - https://auth0.com/customers

  44. Thanks DevCraft!
    Any Questions?
