How PayPal uses Open Identity

Post on 08-May-2015


Tim's talk during the Moosecon at the CeBIT 2013.

Transcript of How PayPal uses Open Identity

How PayPal uses Open Identity

March 2012, Hannover


Tim Messerschmidt Developer Evangelist

@SeraAndroid


Tim Messerschmidt

Developer Evangelist

Startup Mentor

Author

Who am I?


What is identity in the Web?


•  Active users: 123.000.000
•  Uses OpenID Connect
•  Interesting for commercial use cases
  –  Adds integrity to existing applications
  –  Clearly business- & merchant-oriented
•  Actively being worked on!
  –  Expect new kick-ass features soon


PayPal Access


Why OpenID Connect?

Authorization vs. Authentication


OAuth 1.0


OAuth 2.0


OAuth 2.0 & the Road to Hell

Eran Hammer: http://hueniverse.com/2012/07/oauth-2-0-and-the-road-to-hell/

“OAuth 2.0 offers little to none code reusability”


“What 2.0 offers is a blueprint for an authorization protocol”

On the Deadness of OAuth 2

Tim Bray: http://www.tbray.org/ongoing/When/201x/2012/07/28/Oauth2-dead

OAuth 2 is useful today


“OAuth 2 may not be perfect, and may have been harmed by the Enterprise crap, but the core of Web functionality […] seems to have survived.”


OpenID Connect


Session management

•  Highly demanded feature
  –  Service can be used to login & logout
•  OAuth 2.0 requires users to revoke permission to “logout”
•  Token validation & refreshment
•  An optional feature


Authorization Flow

1.  Client: Open Authorization Endpoint URL
2.  Server: Provide a login page
3.  Server: Return the Authorization Token after a successful login
4.  Client: Check callbacks for Authorization Token
5.  Client: Request a valid Access Token
6.  Server: Check Authorization Token & return the Access Token if it’s valid
7.  Client: Retrieve user’s resources
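The seven-step flow above, as an added example that is not part of the talk: a Python simulation in which client and authorization server are plain in-memory objects, so the whole exchange runs offline. Endpoint names, client ids and the user record are made up; step 6 is spelled out as the checks (single use, expiry, binding to the client and redirect URI) that stop a leaked or replayed authorization token from being turned into an access token.

```python
# Added example, not the talk's code: simulated 7-step flow; all names made up.
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

CODE_LIFETIME_S = 60  # authorization codes are meant to be short-lived

def callback_params(url):
    # Step 4 helper: extract code and state from the redirect back to the client.
    q = parse_qs(urlparse(url).query)
    return q.get("code", [None])[0], q.get("state", [None])[0]

class AuthorizationServer:
    def __init__(self):
        self.codes = {}   # code -> (client_id, redirect_uri, user, issued_at)
        self.tokens = {}  # access_token -> user

    def login_and_authorize(self, client_id, redirect_uri, state, user):
        # Steps 2-3: after login, bind a one-time code to this client and
        # redirect URI, then redirect back with the code and the caller's state.
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, redirect_uri, user, time.time())
        return redirect_uri + "?" + urlencode({"code": code, "state": state})

    def token(self, code, client_id, redirect_uri):
        # Step 6: code must exist, be unused and unexpired, and be presented by
        # the client and redirect URI it was issued for; otherwise no token.
        entry = self.codes.pop(code, None)  # pop makes every code single-use
        if entry is None:
            return None
        bound_client, bound_redirect, user, issued_at = entry
        if (bound_client, bound_redirect) != (client_id, redirect_uri):
            return None
        if time.time() - issued_at > CODE_LIFETIME_S:
            return None
        access_token = secrets.token_urlsafe(24)
        self.tokens[access_token] = user
        return access_token

def run_flow(server, client_id, redirect_uri, user):
    # Steps 1, 4, 5 and 7 as the client (relying party) performs them.
    state = secrets.token_urlsafe(8)  # step 1: state ties the callback to us
    callback = server.login_and_authorize(client_id, redirect_uri, state, user)
    code, returned_state = callback_params(callback)  # step 4
    if returned_state != state:
        return None  # callback does not belong to a request this client made
    token = server.token(code, client_id, redirect_uri)  # step 5
    # Step 7: the user's resources come back only for a live access token.
    return server.tokens.get(token) if token else None
```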


OAuth 2.0 implementation can be easily changed to OpenID Connect

Why should I use this?


People forget passwords…

“45 % admit to leaving a website instead of re-setting their password or answering security questions” (Blue Inc. 2011)


People don’t like to register…

Out of 657 surveyed users 66 % think that social sign-in is a desirable alternative. (Blue Inc. 2011)


Verified profiles

Email – as it’s the user’s login
Address – ship my stuff here!
Name – makes sense, too
… and much more information!

5 scopes to access the profile:

1.  profile
2.  email
3.  address
4.  phone
5.  attributes


Leverage an existing profile: x.com/identity


Help? Problems?

•  paypal.com/dts – Developer Technical Services
  –  Ticketing
•  StackOverflow.com – Tag “PayPal”
  –  Actively being watched by Technical Service and Developer Evangelists like me


Questions?

tmesserschmidt@paypal.com

@seraandroid / @paypaleurodev slideshare.net/PayPalEUDevs
