CIS13: So, You Want to Be a Relying Party: Federated Login with Google Identity Toolkit and Google+...

Post on 01-Sep-2014


Adam Dawes, Product Manager, Google; Jonathan Beri, Developer Advocate, Google. There's never been a better time to become a relying party, and Google offers two tools to help developers do just that. Google Identity Toolkit makes it easy for a site to outsource its authentication system (including password login) and become a relying party to the most popular identity providers. Google+ Sign-In can create more engaging experiences in your app and drive more usage across devices.

Transcript of CIS13: So, You Want to Be a Relying Party: Federated Login with Google Identity Toolkit and Google+...

Google Confidential and Proprietary

So you want to be a Relying Party: Google Identity Toolkit v3

Adam Dawes, July 9, 2013

http://goo.gl/8pA1v

Google Identity Toolkit

● Challenges to getting out of the password business

● GITKit v3 Overview and UX walkthrough

● GITKit v3 Deployment

● What's coming

Challenge #1: I don't know how to get rid of my password db

Challenge #2: I need a complete solution for both passwords and IDPs

Challenge #3: I don't know how to 'slow roll' conversion to IDP sign-in

Challenge #4: I'm afraid NASCAR UX will confuse users

GITKit v3 Key Features

● Migrate passwords to hosted authentication service

● Single integration point for multiple email IDPs and passwords

● Fine-grained controls for password to IDP conversion

● Streamlined login and new account UX without NASCAR

● Account management widgets

● Detection of security events in multi-session scenarios

GITKit provides a complete auth solution across passwords and multiple IDPs

[Architecture diagram; labels recovered from the slide: GITKit; Auth Engine; Password Store; Legacy passwords; Login; GITKit APIs; GITKit ID Token]

GITKit v3 UX Walkthrough: Password Login

Account Chooser

● Addresses the NASCAR problem by initiating login with an “account hint”

● Privacy-preserving HTML5 app with all accounts stored locally

GITKit v3 UX Walkthrough: Password Sign Up

GITKit v3 UX Walkthrough: Password to IDP Account Conversion

Incrementally roll out IDP support to password users

Configure and roll out usage of selected IDPs

GITKit v3 UX Walkthrough: IDP Sign Up

[Flow diagram; numbered components recovered from the slide, with the lettered step arrows (2Ai-2Aiv, 3A-3D, 5A, 5B) omitted:
1) Sign-in button
2) Account Chooser
3) Password Entry / Sign-up widgets
4) IDP Auth
5) GITKit Service (Auth Engine, password db)
6) Post-login account chip]

GITKit v3 UX Walkthrough: Account Management Widget

GITKit Deployment - Overview

1. Register at the Google Developer Console

2. Modify your session management

3. Provide 4 endpoints: Callback, Home, Signout, and Lost-password
   a. Home and Sign-out are easy.
   b. Callback is just a one-line branch to GITKit handler code.
   c. Lost-password is hard.

4. Customize the GITKit UI

5. Migrate your users and accounts

GITKit Session Management - Basic

● You have to retrieve & validate the GITKit cookie; easy with a JWT library.

● When your session is invalid, check the GITKit cookie and if it's valid, load up a new session from it.

● If you notice it's a new user, use GITKit APIs to retrieve whatever information GITKit has on that user.

GITKit Session Management - Advanced

You can use GITKit to check if a multiply-logged-in user has changed their password in another session.

1. Maintain a global per-user last-password-change timestamp.

2. Whenever the GITKit cookie changes, retrieve last-password-change and update the timestamp. Also, extract and remember the timestamp of the cookie itself.

3. For each transaction, check the GITKit cookie timestamp against the last-password-change timestamp. If it’s earlier, end the session, delete the GITKit cookie, and force re-authorization.
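The basic and advanced session-management slides above, as an added example that is not part of this deck or of the GITKit libraries: a relying party validates the ID-token cookie as a JWT (signature, algorithm, audience, expiry), bootstraps its own session from it, and then rejects any cookie minted before the user's last password change, clearing the cookie so the user has to re-authenticate. Everything here is constructed so it runs offline: the HS256 shared secret stands in for Google's RS256 signature (a real RP verifies the GITKit token against Google's published public keys), and the audience string, user id, e-mail and timestamps are hypothetical.

```python
"""Relying-party session checks for a GITKit-style ID-token cookie (added example)."""
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed stand-ins so the example runs offline. A real GITKit ID token is
# RS256-signed by Google and must be verified against Google's public keys.
SHARED_SECRET = b"constructed-demo-secret-not-for-production"
EXPECTED_AUDIENCE = "example-rp-client-id"  # hypothetical relying-party client id


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict) -> str:
    """Build a compact HS256 JWS that stands in for the GITKit cookie value."""
    header = _b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    body = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SHARED_SECRET, f"{header}.{body}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def validate_token(token: str, now: int) -> Optional[dict]:
    """Return the claims only if alg, signature, audience, expiry and required fields check out."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, body_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
        claims = json.loads(_b64url_decode(body_b64))
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":  # pin alg; never accept "none"
        return None
    expected = hmac.new(SHARED_SECRET, f"{header_b64}.{body_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):  # constant-time comparison
        return None
    if not isinstance(claims, dict) or claims.get("aud") != EXPECTED_AUDIENCE:
        return None
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    if not isinstance(claims.get("iat"), int) or "sub" not in claims:
        return None
    return claims


# Per-user records standing in for the RP's own database. last_password_change
# is the global per-user timestamp from step 1 of the advanced slide.
USERS = {}


def record_password_change(uid: str, when: int) -> None:
    """Step 1/2: keep the per-user last-password-change timestamp current."""
    USERS.setdefault(uid, {"last_password_change": 0, "email": None})["last_password_change"] = when


def load_session(cookie_token: str, now: int) -> dict:
    """Called when the RP's own session is missing or invalid; decides from the GITKit cookie."""
    claims = validate_token(cookie_token, now)
    if claims is None:
        return {"status": "reject", "session": None, "clear_cookie": True}
    uid = claims["sub"]
    record = USERS.get(uid)
    if record is None:
        # New user: in production the RP would fetch the profile through the GITKit
        # APIs; here a stub record is created from the token's claims.
        record = {"last_password_change": 0, "email": claims.get("email")}
        USERS[uid] = record
    # Step 3: a cookie issued before the last password change is a stale login
    # from another session, so end it and force re-authentication.
    if claims["iat"] < record["last_password_change"]:
        return {"status": "stale_password", "session": None, "clear_cookie": True}
    session = {"uid": uid, "email": record["email"], "cookie_iat": claims["iat"]}
    return {"status": "ok", "session": session, "clear_cookie": False}


def demo() -> dict:
    """Walk one user through login, a password change elsewhere, and a tampered cookie."""
    now = 1_373_328_000  # constructed: 2013-07-09
    token = mint_token({"sub": "user-42", "email": "alice@example.com",
                        "aud": EXPECTED_AUDIENCE, "iat": now - 600, "exp": now + 3600})
    first = load_session(token, now)                 # fresh cookie, no change recorded
    record_password_change("user-42", now - 60)      # password changed in another session
    second = load_session(token, now)                # same cookie is now older than the change
    tampered = token[:-3] + ("BBB" if token.endswith("AAA") else "AAA")
    third = load_session(tampered, now)              # altered signature
    return {"first": first["status"], "second": second["status"], "third": third["status"]}


if __name__ == "__main__":
    print(demo())
```

The algorithm pin and the constant-time signature comparison are what a JWT library does for you; the part the library cannot do is the `iat` versus `last_password_change` comparison, which is the RP's own state and is the whole point of the advanced slide.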

Advanced Topics - Lost Password Handling

GITKit provides a CAPTCHA-protected password-change module. But it requires significant work from you.

1. Register a “Service Account” for your app in the Developer Console.

2. When you get the lost-password notification, use the Service-Account flow to get an offline-access token for GITKit.

3. Use the token to retrieve a one-time code.

4. Email a special callback URL including the code to the user; when they click it, the flow will complete.

What's coming for GITKit

● Non-email IDPs starting with Google+ Sign-in

● Support for IDPs that offer additional scopes and web widgets that use them

● Native library support for Android and iOS including interoperability with libraries from other IDPs

Questions?

Thanks!

Documentation: Google Search 'Google Identity Toolkit'

Demo: favcolor.net/gat

Trusted Tester Sign-up: goo.gl/U3w3f

This deck: goo.gl/8pA1v