Identity and Data Access: OpenID & OAuth #io2011 #TechTalk @ryguyrg

Ryan Boyd @ryguyrg

Authentication – verification of the user
Authorization – someone has the right access 

OpenID – Authentication
– Identity Provider (IdP) 
– Relying Parties (RP)

Why do we care?
– Users can login to all sites using their existing accounts
– Faster you can skip signup 50 keystrokes and 3 mouse clicks
– Easier with OpenID sign in is handled via providers 0 key strokes and 2 mouse clicks
– Safer
– one Username/password
– password can be ultra-secure
– password is only provided to the IdP
– two-factor auth and other protections

Becoming an OpenID RP
OpenID is easy to implement, but not easy enough

Google Identity Toolkit
– JS UI widgets
– Client libraries
– code on Google servers
– Signup/login
– multiple IdP's 

Authenticating Users on Mobile Devices
Allow users to create a password example: Concur
Generate a mobile password
OpenID in native apps it's better to open a new browser to avoid issues with cookies

OAuth – getting authorized access
35+ APIs available at Google
What data can your app access?
Contacts, Calendar, Picasa, YouTube

Who owns the data?
Individual owns the resource
Company owns the resource

The Future
One protocol for all use cases for both authentication and authorization
Proposed as OpenID Connect 

Google ID toolkit
Googles Auth docs http://

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s