LastUser is a identity aggregating web service written in Python using the Flask framework. It provides an OAuth server that proxies for various popular identity providers.
User Management with LastUser
Kiran Jonnalagadda, HasGeek
PyCon India, Pune, September 2011
The What & The Why
LastUser is an identity aggregating web service
(Diagram: LastUser in the middle, with Your App 1, Your App 2 and Your App 3 connected to it)
A simple goal
(Mock login form: Login, Password, Submit)
Login identifier that users can remember
Relief from password management
No user registration. Just login and use
OpenID: URLs as Identity
OpenID in theory:
http://jace.livejournal.com/

URLs in the browser: github.com
URLs in the browser: www.github.com
URLs in the browser: http://github.com/
URLs in the browser: https://github.com/

URLs as Identifiers
1. github.com
2. github.com/
3. www.github.com
4. www.github.com/
5. http://github.com
6. http://github.com/
7. http://www.github.com
8. http://www.github.com/
9. https://github.com
10. https://github.com/
11. https://www.github.com
12. https://www.github.com/
Multiple strings; same final URL
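The OpenID 2.0 spec does prescribe a normalisation step (section 7.2, plus RFC 3986 section 6) before an identifier is used. The example below, added here and not code from LastUser or from the talk, runs that normalisation over the twelve spellings above. They collapse to four identifiers, not one: a normaliser cannot know that www.github.com and github.com, or http and https, are the same site without fetching them, which is exactly why the same person can end up with several OpenID identities.

```python
"""OpenID 2.0 identifier normalisation (spec section 7.2, RFC 3986 section 6).

Added example, not LastUser's code. It applies the normalisation the OpenID spec
prescribes to the twelve spellings on the slide and shows they collapse to four
identifiers, not one: a normaliser cannot know that www and bare hosts, or http
and https, are the same site without fetching them.
"""
from urllib.parse import urlsplit, urlunsplit

# The twelve spellings from the slide.
SLIDE_VARIANTS = [
    "github.com", "github.com/", "www.github.com", "www.github.com/",
    "http://github.com", "http://github.com/",
    "http://www.github.com", "http://www.github.com/",
    "https://github.com", "https://github.com/",
    "https://www.github.com", "https://www.github.com/",
]


def normalize_openid_identifier(identifier):
    """Return the normalised form of a user-typed OpenID identifier.

    OpenID Authentication 2.0, section 7.2: strip whitespace and an "xri://"
    prefix; identifiers starting with =, @, +, $ or ! are XRIs and are returned
    unchanged; anything else is a URL, which gets "http://" if it has no scheme
    and is then normalised per RFC 3986 section 6 (lower-case scheme and host,
    drop a default port, empty path becomes "/", fragment removed).
    """
    ident = identifier.strip()
    if ident.startswith("xri://"):
        ident = ident[len("xri://"):]
    if ident and ident[0] in "=@+$!":
        return ident  # XRI: no URL normalisation applies
    if "://" not in ident:
        ident = "http://" + ident
    parts = urlsplit(ident)
    scheme = parts.scheme.lower()
    netloc = parts.netloc.lower()
    if (scheme, parts.port) in (("http", 80), ("https", 443)):
        netloc = parts.hostname  # already lower-cased; default port dropped
    path = parts.path or "/"
    return urlunsplit((scheme, netloc, path, parts.query, ""))


def distinct_identifiers(variants):
    """Normalise every spelling and return the sorted set of what survives."""
    return sorted({normalize_openid_identifier(v) for v in variants})
```

Run `distinct_identifiers(SLIDE_VARIANTS)` and four identifiers come back: http and https, each with and without www. Anything beyond that (following redirects, trusting that the two hosts are one site) is a fetch and a policy decision, not normalisation.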
Contrast with email addresses: [email protected]
Change one character and it’s no longer valid. Users are conditioned to type them in exactly, every time
URL Ambiguity: https://www.google.com/accounts/o8/id
One OpenID URL for all Google accounts (directed identity)
URL Ambiguity:
https://www.google.com/accounts/o8/id?id=AItOawnGAN1Swp5zAJn9UYCw0jivCRXg8qIe_9c
https://www.google.com/accounts/o8/id?id=AItOawm3y2JBSnIo0ZdNwtIa487VpQXtpbXNmU4
Both are the same Google id, on different domains, using directed identity. The identifier is tied to the OpenID realm your site presents, so if you move to a new domain, all your users’ ids change
URLs are not reliable identifiers for users
OpenID in practice
OAuth: Delegated Identity
The delegated id model
(Diagram: Your Application hands login off to an identity provider and gets the user back)
Synchronizing identity across services?
Need a common identifier across services. It’s usually an email address
LastUser as abstraction layer
(Diagram: LastUser, the OAuth Server, with Your App 1, Your App 2 and Your App 3 connected to it)
Multiple apps, all connected to one LastUser instance
1. Login screen provider
Connecting identities
Users sometimes login with a different service provider
Accounts can be connected if there is a common id
Twitter does not provide an email address
GitHub provides only the md5sum of the email address (the Gravatar id). Can be connected if the email is already known
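The Gravatar id only confirms an address the service already holds; it never reveals a new one. The example below, added here and not LastUser's code, shows the matching step: a GitHub login arrives with a gravatar_id, and an existing account is found by hashing the emails already on file. The Account shape and the two sample accounts are assumptions constructed for the demo.

```python
"""Connecting a GitHub login to an existing account via its Gravatar hash.

Added example, not LastUser's code. GitHub's API exposes gravatar_id, the md5
of the user's email, rather than the email itself; the hash can confirm an
email the service already holds but never reveals a new one. The Account
shape below is assumed, and the sample accounts are constructed for the demo.
"""
import hashlib
from dataclasses import dataclass, field


@dataclass
class Account:
    userid: str
    emails: set = field(default_factory=set)
    external_ids: dict = field(default_factory=dict)  # provider -> id at that provider


def gravatar_hash(email):
    """Gravatar's identifier: md5 of the trimmed, lower-cased address."""
    return hashlib.md5(email.strip().lower().encode("utf-8")).hexdigest()


def find_by_gravatar(accounts, gravatar_id):
    """Account owning an email whose Gravatar hash equals gravatar_id, else None."""
    wanted = gravatar_id.strip().lower()
    for account in accounts:
        if any(gravatar_hash(e) == wanted for e in account.emails):
            return account
    return None


def propose_github_link(accounts, github_login, gravatar_id):
    """Decide where a fresh GitHub login belongs. Returns (account, status).

    status is "linked" when an account already carries this GitHub login,
    "proposed" when only the Gravatar hash matches a known email, else None.
    The hash is computed from whatever address the GitHub user put on their
    profile; unless the provider has verified that address, a match is a hint,
    not proof of ownership, so the caller must have the existing account's
    owner confirm (for instance by logging in with the old provider) before
    the link is made.
    """
    for account in accounts:
        if account.external_ids.get("github") == github_login:
            return account, "linked"
    account = find_by_gravatar(accounts, gravatar_id)
    if account is not None:
        return account, "proposed"
    return None, None


# Constructed sample data: two accounts, one already linked to GitHub.
SAMPLE_ACCOUNTS = [
    Account("u1", {"Jace@Example.com"}, {"twitter": "12345"}),
    Account("u2", {"harsha@example.org"}, {"github": "mynameisharsha"}),
]
```

Note the ordering in propose_github_link: an account already holding this GitHub login wins outright, and the Gravatar match is only ever a proposal. Treating the hash as proof would let anyone who can put a victim's address on a GitHub profile attach themselves to the victim's account.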
Supported id providers
GitHub
OpenID (but not delegation)
Upcoming: LinkedIn, Facebook
OAuth: There is no single standard called OAuth. Every implementation is different
There is no up-to-date Python library for OAuth2. Every service provider has their own library. Contrast: Ruby has OmniAuth
LastUser implements OAuth 2.0 draft 16 (with gaps filled in)
OAuth 2.0 has two parts
(Diagram: OAuth Authorization Server, OAuth Resource Server, OAuth Client)
OAuth Client, step 1: request an access token from the Authorization Server
OAuth Client, step 2: use the token to access a resource on the Resource Server
OAuth 2.0 doesn’t specify how the Authorization Server and the Resource Server talk to each other, i.e. how a Resource Server checks the token it is handed
LastUser does
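The two halves, and the gap between them, in running code. This is an added example and not LastUser's implementation: a toy authorization server issues a bearer token through the authorization-code grant, and a toy resource server then has to decide whether to honour it. The resource-server-to-authorization-server link is the part OAuth 2.0 leaves open; the design used here (the resource server asks the authorization server over a shared secret, the introspection shape RFC 7662 later standardised) is an assumption for the demo, not LastUser's protocol. Client ids, secrets and URLs are made up.

```python
"""OAuth 2.0's two halves end to end on one machine (added example, not LastUser's code).
A toy authorization server issues a bearer token via the authorization-code grant; a toy
resource server then checks that token by asking the authorization server over a shared
secret. That link is what OAuth 2.0 leaves unspecified; the design here is assumed
(introspection-style, the shape RFC 7662 later standardised), not LastUser's protocol."""
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlsplit


class OAuthError(Exception):
    pass


class AuthorizationServer:
    CODE_TTL = 60       # seconds a one-time authorization code stays valid
    TOKEN_TTL = 3600    # seconds a bearer token stays valid

    def __init__(self, clock=time.time):
        self.clock = clock
        self.clients = {}           # client_id -> (secret, registered redirect_uri)
        self.codes = {}             # code -> (client_id, redirect_uri, userid, scope, expiry)
        self.tokens = {}            # access_token -> (userid, scope, expiry)
        self.resource_servers = {}  # name -> shared secret

    def authorize(self, client_id, redirect_uri, scope, state, userid):
        """Step 1a: the user has consented; send them back with a one-time code."""
        if client_id not in self.clients:
            raise OAuthError("unknown client")
        if redirect_uri != self.clients[client_id][1]:
            raise OAuthError("redirect_uri mismatch")  # stops code theft via a lookalike URL
        code = secrets.token_urlsafe(24)
        self.codes[code] = (client_id, redirect_uri, userid, scope, self.clock() + self.CODE_TTL)
        return f"{redirect_uri}?code={code}&state={state}"

    def token(self, client_id, secret, code, redirect_uri):
        """Step 1b: the client authenticates and swaps the code for a bearer token."""
        registered, _ = self.clients.get(client_id, (None, None))
        if registered is None or not hmac.compare_digest(registered, secret):
            raise OAuthError("invalid client")
        entry = self.codes.pop(code, None)  # pop: a code can be redeemed once only
        if entry is None:
            raise OAuthError("invalid code")
        c_id, c_redirect, userid, scope, expiry = entry
        if c_id != client_id or c_redirect != redirect_uri or expiry < self.clock():
            raise OAuthError("invalid code")
        token = secrets.token_urlsafe(32)
        self.tokens[token] = (userid, scope, self.clock() + self.TOKEN_TTL)
        return {"access_token": token, "token_type": "bearer", "expires_in": self.TOKEN_TTL}

    def introspect(self, rs_name, rs_secret, token):
        """The part OAuth 2.0 leaves open: a resource server asks about a token."""
        expected = self.resource_servers.get(rs_name)
        if expected is None or not hmac.compare_digest(expected, rs_secret):
            raise OAuthError("unknown resource server")
        entry = self.tokens.get(token)
        if entry is None or entry[2] < self.clock():
            return {"active": False}
        return {"active": True, "userid": entry[0], "scope": entry[1]}


class ResourceServer:
    def __init__(self, name, shared_secret, auth_server):
        self.name, self.secret, self.auth_server = name, shared_secret, auth_server

    def handle(self, authorization_header, required_scope):
        """Step 2: a request arrives carrying 'Authorization: Bearer <token>'."""
        parts = authorization_header.split(" ", 1)
        if len(parts) != 2 or parts[0].lower() != "bearer":
            return 401, None
        info = self.auth_server.introspect(self.name, self.secret, parts[1])
        if not info["active"]:
            return 401, None
        if required_scope not in info["scope"].split():
            return 403, None
        return 200, {"userid": info["userid"]}


def code_from_redirect(location):
    query = parse_qs(urlsplit(location).query)
    return query["code"][0], query["state"][0]


def rejected(fn, *args):
    """True if the call is refused with an OAuthError (shows the negative cases)."""
    try:
        fn(*args)
    except OAuthError:
        return True
    return False


def run_flow(clock=time.time):
    """Client side of the dance; returns (auth server, resource server, header, verdict)."""
    auth = AuthorizationServer(clock)
    auth.clients["app1"] = ("app1-secret", "https://app1.example/callback")
    auth.resource_servers["rs1"] = "rs1-shared-secret"
    rs = ResourceServer("rs1", "rs1-shared-secret", auth)
    state = secrets.token_urlsafe(8)  # binds the callback to this login attempt (CSRF)
    location = auth.authorize("app1", "https://app1.example/callback", "profile email", state, "u1")
    code, echoed_state = code_from_redirect(location)
    if echoed_state != state:         # a callback we did not start: drop it
        raise OAuthError("state mismatch")
    grant = auth.token("app1", "app1-secret", code, "https://app1.example/callback")
    header = f"Bearer {grant['access_token']}"
    return auth, rs, header, rs.handle(header, "profile")
```

Everything up to the bearer token comes from the OAuth 2.0 draft: exact redirect_uri matching, a single-use code with a short lifetime, client authentication at the token endpoint and a state value the client checks on return. The introspect call is the unspecified bit; whatever a deployment puts there (a shared-secret query as here, a signed token the resource server can verify on its own, or a shared database), it must enforce expiry and not trust the caller's identity without authenticating it.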
2. Resource providers (work in progress)
3. Central access control
Pending work
Seamless login UI and pure client-side JS login API
Non-web login flow
Authorization to resource server communication protocol
Support for token types other than bearer tokens
LastUser is BSD-licensed
https://github.com/hasgeek/lastuser