How PayPal uses Open Identity
Transcript of How PayPal uses Open Identity
How PayPal uses Open Identity
March 2012, Hannover
Tim Messerschmidt, Developer Evangelist (@SeraAndroid)

Who am I?
• Tim Messerschmidt
• Developer Evangelist
• Startup Mentor
• Author
W!"# $% $&'(#$#) $( #!' W'b?
4
5
6
PayPal Access
• Active users: 123.000.000
• Uses OpenID Connect
• Interesting for commercial use cases
  – Adds integrity to existing applications
  – Clearly business- & merchant-oriented
• Actively being worked on!
  – Expect new kick-ass features soon
Why OpenID Connect?
Authorization vs. Authentication
OAuth 1.0
OAuth 2.0
OA-#! 2.0 & #!' R+"& #+ H'..
16 Eran Hammer: http://hueniverse.com/2012/07/oauth-2-0-and-the-road-to-hell/
“OAuth 2.0 offers little to none code
reusability”
17
“What 2.0 offers is a blueprint for an authorization
protocol” 18
O( #!' D'"&('%% +f OA-#! 2
19 Tim Bray: http://www.tbray.org/ongoing/When/201x/2012/07/28/Oauth2-dead
OAuth 2 is
useful today
20
“OAuth 2 may not be perfect, and may have been harmed by the Enterprise crap, but the
core of Web functionality […] seems to have survived.”
21
OpenID Connect
Session management
• Highly demanded feature
  – Service can be used to login & logout
• OAuth 2.0 requires users to revoke permission to “logout”
• Token validation & refresh
• An optional feature
Authorization Flow
1. Client: Open Authorization Endpoint URL
2. Server: Provide a login page
3. Server: Return the Authorization Token after a successful login
4. Client: Check callbacks for Authorization Token
5. Client: Request a valid Access Token
6. Server: Check Authorization Token & return the Access Token if it’s valid
7. Client: Retrieve user’s resources
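The client side of the seven-step flow on this slide, as an added Python example (not code from the slides or from PayPal): the endpoint URLs are placeholders, the parameter names follow the standard OAuth 2.0 authorization-code grant, the scopes are the ones the deck lists later (profile, email, address), and a `state` check is added so that a callback is only accepted for the session that started the request.

```python
# Added example: client side of the authorization-code flow shown on the slide.
# Endpoint URLs are placeholders (assumptions), not PayPal Access's real endpoints.
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

AUTHORIZE_URL = "https://identity.example/authorize"  # placeholder
TOKEN_URL = "https://identity.example/token"          # placeholder


def new_state():
    """Random, unguessable value the client keeps in the user's session (step 1)."""
    return secrets.token_urlsafe(16)


def build_authorization_url(client_id, redirect_uri, scopes, state):
    """Step 1: the URL the browser is sent to; scopes use the deck's profile/email/... names."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,
    }
    return AUTHORIZE_URL + "?" + urlencode(params)


def extract_authorization_code(callback_url, expected_state):
    """Step 4: read the callback (steps 2-3 happen at the server) and return the
    authorization code, refusing a callback whose state does not match our session."""
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:
        raise ValueError("authorization denied: " + query["error"][0])
    returned_state = query.get("state", [""])[0]
    if not secrets.compare_digest(returned_state, expected_state):
        raise ValueError("state mismatch: callback does not belong to this session")
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("callback carries no authorization code")
    return code


def build_token_request(code, client_id, client_secret, redirect_uri):
    """Step 5: form body POSTed to TOKEN_URL; the server performs step 6 and answers
    with the access token, which step 7 then presents to the resource endpoints."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,  # must equal the one used in step 1
        "client_id": client_id,
        "client_secret": client_secret,
    }
```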
OAuth 2.0 implementation can be easily changed to OpenID Connect
Why should I use this?
People forget passwords… “45% admit to leaving a website instead of resetting their password or answering security questions” * Blue Inc. 2011
People don’t like to register… Out of 657 surveyed users 66% think that social sign-in is a desirable alternative. * Blue Inc. 2011
Verified profiles
• Email – as it’s the user’s login
• Address – ship my stuff here!
• Name – makes sense, too
… and much more information!
5 scopes to access the profile:
1. profile
2. email
3. address
4. phone
5. attributes
Leverage an existing profile: x.com/identity
Help? Problems?
• paypal.com/dts – Developer Technical Services
  – Ticketing
• StackOverflow.com – Tag “PayPal”
  – Actively being watched by Technical Service and Developer Evangelists like me
Questions?