Authentication: How do I choose?
Les Vogel
google.com/+LesVogel
twitter: lesv
Agenda
Definitions & Considerations
Roll your own
Google Choices
Definitions
Authentication (AuthN) – Verifying identity.
Authorization (AuthZ) – What an authenticated user is allowed to do.
Credentials – A document or certificate proving a person's identity or qualifications.
Confidentiality – No one but the intended parties gains access.
Data Integrity – Prevent tampering.
PII – Personally identifiable information: any data that could potentially identify a specific individual.
Definitions: Encryption
HMAC – Hash-based Message Authentication Code: a keyed hash used to verify the authenticity and integrity of a message.
Salt – Random data used as an additional input to a one-way function that hashes a password or passphrase. A fresh salt per password defends against attacking a whole list of password hashes with one dictionary run and against pre-computed rainbow tables.
Some Considerations
Platforms
• Computer
• Web
• Android
• iOS
• Device (IoT)
What do I need?
Auth Providers
• Own
• 3rd party Identity Providers
• Federated Login
• Anonymous
User information
• Email address
• Name
• Location
• Other PII
• Access to user-owned data
Other
• Must they login?
• Multi-factor auth
• Password Change / Recovery
Agenda
Definitions & Considerations
Roll your own
Google Choices
What are we trying to do?
What can go wrong?
Encryption
• No encryption
• Everyone has the same key
• No salt
• Broken algorithms
Software Engineering
• Long-lasting tokens
• Not acting on all errors
• Not checking time (expiry)
User / Social
• Collect too much PII
• Lost passwords
• Lost accounts
• Changed email
Roll your own Auth (Tips)
• DON'T – Roll your own.
• SCrypt (password, salt, N, r, p, dkLen) – Key Derivation Function with an adjustable cost model
  • Memory-hard algorithm – expensive to brute force
  • N – CPU / memory cost; must be a power of 2 with N < 2^(16*r)
  • r – block size; p – parallelization
  • Salt needs to come from a good random source, one per password
  • IETF draft-josefsson-scrypt-kdf-03 (since published as RFC 7914)
  • N = 2^20, r = 8, p = 1 (was good in 2009 – that was the figure for file encryption; 2^14 was the 2009 figure for interactive logins, so measure on your own hardware)
• JSON Web Tokens (jwt.io) are a useful format for tokens
  • base64url(header).base64url(payload).base64url(hmac(header.payload, secret))
  • RFC 7519
  • Always verify – the signature, and that the alg is the one you expect (reject "none")
  • Include an expires time (exp) in the payload & check it.
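The scrypt advice above, as an added example written for this page (not code from the talk): password storage with Python's standard-library hashlib.scrypt. The record format scrypt$N$r$p$salt$dk, the function names and the parameter defaults are this example's own choices; the N < 2^(16*r) check is the RFC 7914 constraint quoted on the slide.

```python
import hashlib
import hmac
import os

# Example defaults (this example's choice). N must be a power of two with
# N < 2^(16*r) (RFC 7914). N=2^14, r=8, p=1 is the 2009 interactive-login
# figure and needs 128*N*r = 16 MiB, under the 32 MiB hashlib.scrypt allows by
# default; the slide's N=2^20 would need 1 GiB per hash.
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
DKLEN = 32      # derived-key length in bytes
SALT_LEN = 16   # 128-bit salt, fresh per password


def check_scrypt_params(n, r, p):
    """Reject parameter sets scrypt itself rejects, or that are pointless."""
    if n < 2 or (n & (n - 1)) != 0:
        raise ValueError("N must be a power of two greater than 1")
    if r < 1 or p < 1:
        raise ValueError("r and p must be >= 1")
    if n >= 2 ** (16 * r):
        raise ValueError("N must be < 2^(16*r)")


def hash_password(password, salt=None, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P):
    """Return a self-describing record: scrypt$N$r$p$salt_hex$dk_hex.
    Storing the parameters lets you raise the cost later without a reset."""
    check_scrypt_params(n, r, p)
    if salt is None:
        # The salt must come from a CSPRNG. A fixed salt, or none, makes equal
        # passwords hash equal, so one dictionary run cracks every account.
        salt = os.urandom(SALT_LEN)
    dk = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=r, p=p, dklen=DKLEN)
    return "scrypt$%d$%d$%d$%s$%s" % (n, r, p, salt.hex(), dk.hex())


def verify_password(password, stored):
    """Recompute with the stored parameters and compare in constant time.
    Any malformed or unsupported record fails closed."""
    try:
        scheme, n, r, p, salt_hex, dk_hex = stored.split("$")
        if scheme != "scrypt":
            return False
        n, r, p = int(n), int(r), int(p)
        check_scrypt_params(n, r, p)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(dk_hex)
        dk = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=r, p=p,
                            dklen=len(expected))
    except ValueError:
        return False
    return hmac.compare_digest(dk, expected)
```

hmac.compare_digest is used for the final comparison so a wrong guess takes the same time whichever byte differs; the record carries N, r and p so old hashes keep verifying after the defaults are raised.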
Roll your own Auth (Tips)
• Use access tokens and refresh tokens.
• Pass them in HTTP headers, not in URLs – we use:
  Authorization: Bearer 1/fFBGRNJru1FQd44AzqT3Zg
  (keep this stuff out of log files)
• You may wish to send the token via parallel channels (for example a header in addition to a cookie) to help prevent CSRF / XSRF and similar attacks.
• Be paranoid.
• DON'T DO THIS – Really!
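The JWT tips on the previous slide and the bearer-token advice above, as one added example written for this page (not the talk's code): minting an HS256 token with an exp claim, verifying it with the algorithm pinned server-side, and pulling it out of the Authorization header. TokenError, the function names, the secret and the claims are this example's own; only the standard library is used.

```python
import base64
import hashlib
import hmac
import json
import time


class TokenError(Exception):
    """Raised for any token that must not be trusted."""


def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims, secret, ttl_seconds, now=None):
    """Issue header.payload.signature; the HMAC covers the two base64url parts."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = dict(claims, iat=now, exp=now + ttl_seconds)  # short-lived
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode("utf-8"))
                     + "." + b64url_encode(json.dumps(payload, separators=(",", ":")).encode("utf-8")))
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_token(token, secret, now=None):
    """Return the claims only if alg is the expected one, the HMAC matches,
    and exp lies in the future. Anything else raises TokenError."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
        signing_input = (header_b64 + "." + payload_b64).encode("ascii")
    except (ValueError, UnicodeError):
        raise TokenError("undecodable token")
    # Pin the algorithm on the server; never let the token choose it
    # ("none", or a public key being reused as an HMAC secret).
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise TokenError("bad signature")
    try:
        payload = json.loads(b64url_decode(payload_b64))
    except (ValueError, UnicodeError):
        raise TokenError("undecodable payload")
    exp = payload.get("exp") if isinstance(payload, dict) else None
    if not isinstance(exp, int) or now >= exp:
        raise TokenError("missing exp or token expired")
    return payload


def bearer_token(headers):
    """Take the token from 'Authorization: Bearer <token>'; URLs are never consulted."""
    value = headers.get("Authorization", "")
    scheme, _, token = value.partition(" ")
    token = token.strip()
    if scheme != "Bearer" or not token:
        raise TokenError("missing bearer token")
    return token
```

Signature and algorithm are checked before the payload is even parsed, so an unsigned or "alg":"none" token never reaches claim handling; the now parameter exists only so expiry can be tested deterministically.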
Agenda
Definitions & Considerations
Roll your own
Google Choices
Google Offerings – comparison grid of offerings against capabilities (the individual marks are not recoverable from the extracted slide; the slides that follow describe each offering)
Offerings (rows): Google Sign-In; Google Identity Toolkit; OAuth 2.0; Google Apps Domain-Wide; Firebase; SmartLock for Passwords
Capabilities (columns): iOS; Web; Server to Server; Google Scopes; Scales well, very large volume; Delegation of Authority; Authenticate w/ frontend code only; Cross device authentication
Definitions: OAuth 2.0
Authorization Code – Short-lived code issued by the Authorization Server once the Resource Owner has consented ("it's ok if you use my resource"); the client exchanges it at the token endpoint for tokens.
Access Token – Short-lived token presented to a service (Google API, your own).
Refresh Token – Longer-lived token exchanged with the Authorization Server for a new Access Token (and, with providers that rotate refresh tokens, a new Refresh Token). Treat it as a long-lived credential and keep it server-side.
Service Accounts – For server-to-server interaction; these accounts belong to an application rather than a user.
2 Legged OAuth (2LO) – Server-to-server authentication, typically used for app-level access / data. The client itself holds trusted secrets.
3 Legged OAuth (3LO) – The client (user) talks to both a Consumer App and an Authorization Server, typically so the Consumer App can act on the user's behalf when accessing resources.
OpenID Connect – OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0 protocol. It allows Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server, as well as to obtain basic profile information about the End-User in an interoperable and REST-like manner.
2 Party and 3 Party Auth
2 Party Auth (2LO): App -> Google: "I'm that app."
3 Party Auth (3LO): User -> Google: "I'm this user. Let that app use this part of my data." App -> Google: "I'm that app."
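The 3LO exchange above, as an added example written for this page (not Google's or the talk's code): the client side of the OAuth 2.0 authorization-code flow in Python, with a state value that ties the callback to the browser session so a forged or replayed callback is rejected (the CSRF concern from the tips slides). The endpoint URLs are Google's public ones; client_id, client_secret, redirect_uri, the session dict and the function names are placeholders. The code builds and checks the messages but makes no network call.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Google's public OAuth 2.0 endpoints.
AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
TOKEN_ENDPOINT = "https://oauth2.googleapis.com/token"


class AuthFlowError(Exception):
    pass


def begin_auth(session, client_id, redirect_uri, scopes):
    """Leg 1: URL the browser is sent to so the Resource Owner can consent.
    A random, single-use state is stored in the user's session."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,
        "access_type": "offline",  # Google-specific: also issue a refresh token
    }
    return AUTH_ENDPOINT + "?" + urlencode(params)


def handle_callback(session, callback_url):
    """Leg 2: the Authorization Server redirects back with ?code=...&state=...
    Return the authorization code only if state matches the one we issued."""
    qs = parse_qs(urlparse(callback_url).query)
    expected = session.pop("oauth_state", None)       # single use
    got = qs.get("state", [None])[0]
    if expected is None or got is None or not hmac.compare_digest(
            expected.encode("utf-8"), got.encode("utf-8")):
        raise AuthFlowError("state mismatch: forged or replayed callback")
    if "error" in qs:
        raise AuthFlowError("authorization denied: " + qs["error"][0])
    code = qs.get("code", [None])[0]
    if not code:
        raise AuthFlowError("no authorization code in callback")
    return code


def token_request(code, client_id, client_secret, redirect_uri):
    """Leg 3: form body the server POSTs to TOKEN_ENDPOINT to swap the code
    for an access token (and refresh token). The secret stays server-side."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "client_id": client_id,
        "client_secret": client_secret,
        "redirect_uri": redirect_uri,
    }


def refresh_request(refresh_token, client_id, client_secret):
    """Later: body POSTed to TOKEN_ENDPOINT to get a fresh access token."""
    return {
        "grant_type": "refresh_token",
        "refresh_token": refresh_token,
        "client_id": client_id,
        "client_secret": client_secret,
    }
```

Because the state is popped from the session on first use, delivering the same callback twice fails even with the right value, and a callback that arrives before begin_auth ran (no state in the session) fails too.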
OAuth 2.0 and OpenID Connect
• Web applications
• Server-to-server applications
• Use Google APIs from web applications that do not let users sign in with their Google accounts.
• Use Google APIs in applications that are installed on devices such as computers and mobile devices that are not based on Android or iOS.
• Use Google APIs from applications that use service accounts to access the applications' own data, rather than users' data.
• OAuth 2.0 – authorization
• Cross Client Identity
Google Sign-In
• Well established, many users
• Easy to use – very small amount of code
  • Android
  • iOS
  • Web
• Gives access to Google resources
• OpenID Connect style tokens
Google Identity Toolkit
• Google turnkey Identity as a Service (IDaaS)
• Robust and secure
• Easy to use and set up for what you get
• Federated login
  • Google, PayPal, Facebook, Microsoft, AOL, Yahoo
• Password-based authentication, using one API
• Import your existing credential database
• Login flow
• Sign-up flow
• Scales well
Google Apps Domain-wide Delegation of Authority
• Gives enterprise Google Apps accounts the ability to grant third-party applications domain-wide access to their users' data.
• Supports domain administrators managing user accounts.
• If you are using App Engine to access Google Apps or Google for Work APIs, you can create a service account with domain-wide delegation of authority; domain administrators can then grant that application domain-wide access to its users' data.
• Uses service accounts to allow apps to access user data.
Firebase Auth
• Easy to use / easy to get started
• Social login – Facebook, Twitter, GitHub, Google
• User management: email & password
• Authenticates with just frontend code
Default Auth (Application Default Credentials)
Credentials are looked for in this order:
• GOOGLE_APPLICATION_CREDENTIALS environment variable with the path to a JSON key file
• gcloud auth – hidden file written by the gcloud SDK
  • Windows – %APPDATA%/gcloud/application_default_credentials.json
  • Others – $HOME/.config/gcloud/application_default_credentials.json
• GAE – AccessToken from the App Engine runtime
• GCE – fetches credentials from the metadata server
Typically it's just:
GoogleCredential.getApplicationDefault()
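The lookup order above, as an added example written for this page (not the Google client library's code): a Python function that reports which Application Default Credentials source would be used. locate_adc, gcloud_adc_path and their injectable parameters are this example's own names; the paths are the ones on the slide and the GCE token URL is the standard metadata-server endpoint. Here a GOOGLE_APPLICATION_CREDENTIALS path that does not exist is treated as a configuration error rather than falling through, so a mistyped variable is caught early instead of silently running as a different identity.

```python
import os
import sys

ADC_FILENAME = "application_default_credentials.json"
# Standard GCE metadata-server URL for the attached service account's token.
GCE_TOKEN_URL = ("http://metadata.google.internal/computeMetadata/v1/"
                 "instance/service-accounts/default/token")


def gcloud_adc_path(environ, platform):
    """Well-known location of the file written by the gcloud SDK."""
    if platform.startswith("win"):
        base = environ.get("APPDATA")
        return os.path.join(base, "gcloud", ADC_FILENAME) if base else None
    home = environ.get("HOME")
    return os.path.join(home, ".config", "gcloud", ADC_FILENAME) if home else None


def locate_adc(environ=None, platform=None, exists=os.path.isfile,
               on_gae=False, on_gce=False):
    """Return (source, location) for the credentials ADC would pick, or None.
    environ, platform, exists, on_gae and on_gce can be injected so the
    lookup runs offline; the defaults use the real process environment."""
    environ = os.environ if environ is None else environ
    platform = sys.platform if platform is None else platform

    # 1. Explicit key file. It beats a gcloud login, which is the usual
    #    surprise when code runs as the "wrong" identity.
    key_path = environ.get("GOOGLE_APPLICATION_CREDENTIALS")
    if key_path:
        if not exists(key_path):
            raise FileNotFoundError(
                "GOOGLE_APPLICATION_CREDENTIALS points to a missing file: " + key_path)
        return ("GOOGLE_APPLICATION_CREDENTIALS", key_path)

    # 2. gcloud SDK well-known file (a user credential, not a service account).
    path = gcloud_adc_path(environ, platform)
    if path and exists(path):
        return ("gcloud", path)

    # 3. App Engine: the runtime issues access tokens for the app identity.
    if on_gae:
        return ("gae", "App Engine app identity")

    # 4. Compute Engine: the metadata server issues tokens for the attached
    #    service account; no key file ever touches disk.
    if on_gce:
        return ("gce", GCE_TOKEN_URL)

    return None
```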
cloud.google.com Images by Connie Zhou