Open Identity How PayPal uses

March 2012, Hannover

Moosecon 1

Tim Messerschmidt Developer Evangelist

@SeraAndroid

2

Tim Messerschmdit

Developer Evangelist

Startup Mentor

Author

W!" #$ I?

3

4

W!"# $% $&'(#$#) $( #!' W'b?

5

6

7

•  active users: 123.000.000

•  Uses OpenID Connect

•  Interesting for commercial use cases – Adds integrity to existing applications

– Clearly business- & merchant-oriented

•  Actively being worked on! – Expect new kick-ass features soon

8

P#%P#& A''())

9 9

10 10

11

12

13

W!) O*'(ID C+((',#?

Authorization

v%. Authentication

14

OA-#! 1.0

15

OA-#! 2.0

16

OA-#! 2.0 & #!' R+"& #+ H'..

17 Eran Hammer: http://hueniverse.com/2012/07/oauth-2-0-and-the-road-to-hell/

“OAuth 2.0 offers little to none code

reusability”

18

“What 2.0 offers is a blueprint for an authorization

protocol” 19

O( #!' D'"&('%% +f OA-#! 2

20 Tim Bray: http://www.tbray.org/ongoing/When/201x/2012/07/28/Oauth2-dead

OAuth 2 is

useful today

21

“OAuth 2 may not be perfect, and may have been harmed by the Enterprise crap, but the

core of Web functionality […] seems to have survived.”

22

O*'(ID C+((',#

23

24

25

S())*"+ $#+#,($(+-

•  Highly demanded feature – Service can be used to login & logout

•  OAuth 2.0 requires users to revoke permission to “logout”

•  Token validation & refreshment

•  AN Optional feature

26

A.-!"r/#-*"+ F&"w

C!"#$% 1.  Open Authorization

Endpoint URL

4.  Check callbacks for Authorization Token

5.  Request a valid Access Token

7.  Retrieve user’s resources

S#rv#r 2.  Provide a login page 3.  Return the Authorization

Token after a successful login

6.  Check Authorization Token & return the Access Token if it’s valid

27

OA.-! 2.0 *$0&($(+-#-*"+ '#+ b( (#)*&% '!#+,(1 -"

O0(+ID C"++('- 28

W!) %!+-.& I -%' #!$%?

29

30

P("0&( f"r,(- 0#))w"r1)… “45 % admit to leaving a website instead of re-setting their password or answering security questions” * * B&.( I+'. 2011

31

P("0&( 1"+’- &*2( -" r(,*)-(r… Out of 657 surveyed users 66 % think that social sign-in is a desirable alternative. * * B&.( I+'. 2011

32

V(r*3(1 0r"3&() Email – as it’s the user’s login

Address – ship my stuff here!

Name – makes sense, too … #+1 $.'! $"r( *+f"r$#-*"+!

5 scopes to access the

profile:

1.  profile

2.  email

3.  address

4.  phone

5.  attributes

33

34

Leverage an existing

profile

x.com/identity

35

36

W!#-’) +4-?

H(&0? Pr"b&($)?

•  paypal.com/dts – Developer Technical Services

–  Ticketing

•  StackOverflow.com –  Tag “PayPal”

– Actively being watched by Technical Service and Developer Evangelists like me

37

Q&#'%"($'? 38

)*$+'! tmesserschmidt@paypal.com

@seraandroid / @paypaleurodev slideshare.net/PayPalEUDevs

39