Google Identity Toolkit
Gbolahan Alli @purple_heart_me
Google Developer Group, Ibadan September 7, 2015
Developers shouldn’t need to be security experts.
The hack that makes Internet Identity possible
The Hack
Logging into a website using your email address.
Proving you were the owner of that email address by having the site send you an SMTP message with a hyperlink back to the site which contained a long code.
Email addresses have downsides as identifiers.
❏ Users change email addresses over time
❏ The same email address is sometimes assigned to different people at different time periods
Solution ?
Almost every website still maintains its own “local ID” system just as user accounts did before the 90s.
A plus ?
The local IDs are then mapped to and from a user’s email address.
Remember !!!
We are still talking identity here
Which face are you presenting to the world?
Some websites, such as government websites for taxes and social services, try to get closer to mapping to an actual person.
Human -> Emails -> Local IDs -> Passwords
In short:
● The security of the Internet as a whole is now equivalent to the security level of websites with the worst security
● Unless you work for a firm with hundreds of dedicated security personnel, there generally is no reason for your site to require that users are authenticated with passwords.
September 7, 2015
The year 2008?
A Solution ?
We need to understand that:
● Each person tends to access the Internet with multiple devices, and about the only thing in common is that they have a browser, and not necessarily a fancy modern browser, especially on mobile devices.
● Each device may be used by multiple people, who have multiple emails.
● People need a (mostly) consistent experience for logging into a website, no matter what device they are using.
● You can’t show a different initial login experience on your site to different people, because before they log in, you don’t know who they are. This also means you can’t do % experiments for that initial experience.
● People are lazy
People are lazy but they are willing to invest in a longer task one-time to make their lives easier in the future.
Who are Identity Providers ?
The Identity Toolkit
from
The Identity Toolkit
A set of libraries that integrate with the Google Identity Toolkit API. Available for:
● Web
● Android
● iOS
Pre-built widgets for Android, iOS, and JavaScript
The benefits
The Approach
The Approach ( cont’d )
Image courtesy: Adam Dawes, Google https://goo.gl/TPLOeD
Benefits
● Device flows
● Streamlined federation flows
● Risk challenges
● Simplified UX for users
The Identity Toolkit
● Google, Facebook, Yahoo, AOL, Microsoft and Paypal
● Just verify a JWT and issue a session cookie
● Same process for all IDPs, same format JWT for all IDPs

```json
{
  "iss": "https://identitytoolkit.google.com",
  "user_id": 123,
  "aud": "6332423432073.apps.googleusercontent.com",
  "provider_id": "facebook.com",
  "exp": 1407089191,
  "iat": 1405879591,
  "email": "[email protected]"
}
```
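What "just verify a JWT and issue a session cookie" involves on the server, as an added example that is not from the slides or from Google's libraries. It assumes an RS256-signed token and that the issuer's public key has already been obtained; `signToken`, `verifyToken`, the locally generated key pair and the `user@example.com` address are constructed for the demonstration.

```javascript
const crypto = require("crypto");

const ISSUER = "https://identitytoolkit.google.com";          // "iss" from the slide
const AUDIENCE = "6332423432073.apps.googleusercontent.com";  // "aud" from the slide
const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");

// Hypothetical helper: sign a constructed token so the verifier has input offline.
function signToken(claims, privateKey, header = { alg: "RS256", typ: "JWT" }) {
  const input = `${b64url(header)}.${b64url(claims)}`;
  const sig = crypto.sign("RSA-SHA256", Buffer.from(input), privateKey);
  return `${input}.${sig.toString("base64url")}`;
}

// Returns { ok: true, session } or { ok: false, reason }.
function verifyToken(token, publicKey, nowSec) {
  const parts = String(token).split(".");
  if (parts.length !== 3) return { ok: false, reason: "malformed" };
  let header, claims;
  try {
    header = JSON.parse(Buffer.from(parts[0], "base64url").toString("utf8"));
    claims = JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
  } catch {
    return { ok: false, reason: "malformed" };
  }
  if (!header || !claims) return { ok: false, reason: "malformed" };
  // Pin the algorithm: the token must not be able to choose "none" or an HMAC variant.
  if (header.alg !== "RS256") return { ok: false, reason: "bad alg" };
  const signed = Buffer.from(`${parts[0]}.${parts[1]}`);
  const valid = crypto.verify("RSA-SHA256", signed, publicKey, Buffer.from(parts[2], "base64url"));
  if (!valid) return { ok: false, reason: "bad signature" };
  if (claims.iss !== ISSUER) return { ok: false, reason: "bad iss" };
  if (claims.aud !== AUDIENCE) return { ok: false, reason: "bad aud" };
  if (typeof claims.exp !== "number" || nowSec >= claims.exp) {
    return { ok: false, reason: "expired" };
  }
  // Key the session on the stable user_id; the email is an attribute that can change.
  return { ok: true,
    session: { localId: String(claims.user_id), provider: claims.provider_id, email: claims.email } };
}

// Constructed sample: key pair generated here, claim values copied from the slide.
const { publicKey, privateKey } = crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
const SAMPLE_CLAIMS = { iss: ISSUER, user_id: 123, aud: AUDIENCE, provider_id: "facebook.com",
  exp: 1407089191, iat: 1405879591, email: "user@example.com" };
const SAMPLE_TOKEN = signToken(SAMPLE_CLAIMS, privateKey);
```

The returned `session` object is what the site would place behind its own session cookie; the checks are the same whichever IDP appears in `provider_id`.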
Hacks!!! Hacks!!

```sh
# Show the existing public key, if there is one
cat ~/.ssh/id_rsa.pub
# Generate a new 4096-bit RSA key pair, labelled with your email address
ssh-keygen -t rsa -b 4096 -C "[email protected]"
# Start the SSH agent for this shell session
eval "$(ssh-agent -s)"
# Load the private key into the agent
ssh-add ~/.ssh/id_rsa
```
Next Steps
Fetch the GDG Ibadan identity toolkit client repo -> http://bitbucket.org/gdgibadan
Merge with your local repo
Go to https://console.developers.google.com
Documentation: https://developers.google.com/identity/toolkit/