Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Easy logins for JavaScript web applications

Francois Marier
October 08, 2013
Programming
4
950

Easy logins for JavaScript web applications

Handling user passwords safely is hard, but replacing passwords on the web in a reasonable way is even harder. Really, this should have been in the browser all along. In this talk you we will see how Persona attempts to solve this issue.

Francois Marier

October 08, 2013
Tweet

More Decks by Francois Marier

See All by Francois Marier
Security and Privacy settings for Firefox Power Users
fmarier
0
280
Getting Browsers to Improve the Security of Your Webapp
fmarier
0
260
Hardening Firefox for Privacy and Security
fmarier
0
980
Security and Privacy on the Web in 2016
fmarier
0
200
Privacy and Tracking Protection in Firefox
fmarier
0
270
Security and Privacy on the Web in 2015
fmarier
0
240
Security and Privacy on the Web in 2015
fmarier
0
180
Integrity protection for third-party JavaScript
fmarier
1
760
URL to HTML
fmarier
1
270

Other Decks in Programming

See All in Programming
Tuning GraphQL on Rails
pyama86
2
1k
Vue.js学習の振り返り
hiro_xre
2
130
Universal Linksの実装方法と陥りがちな罠
kaitokudou
1
220
GitHub Actionsのキャッシュと手を挙げることの大切さとそれに必要なこと
satoshi256kbyte
5
390
offers_20241022_imakiire.pdf
imakurusu
2
360
Importmapを使ったJavaScriptの 読み込みとブラウザアドオンの影響
swamp09
4
1.3k
Vaporモードを大規模サービスに最速導入して学びを共有する
kazukishimamoto
4
4.3k
VR HMDとしてのVision Pro+ゲーム開発について
yasei_no_otoko
0
100
Snowflake x dbtで作るセキュアでアジャイルなデータ基盤
tsoshiro
2
430
Streams APIとTCPフロー制御 / Web Streams API and TCP flow control
tasshi
1
300
プロジェクト新規参入者のリードタイム短縮の観点から見る、品質の高いコードとアーキテクチャを保つメリット
d_endo
1
1k
飲食業界向けマルチプロダクトを実現させる開発体制とリアルな現状
hiroya0601
1
400

Featured

See All Featured
Side Projects
sachag
452
42k
Building a Modern Day 
E-commerce SEO Strategy
aleyda
38
6.9k
The Art of Delivering Value - GDevCon NA Keynote
reverentgeek
7
150
jQuery: Nuts, Bolts and Bling
dougneiner
61
7.5k
Raft: Consensus for Rubyists
vanstee
136
6.6k
Fantastic passwords and where to find them - at NoRuKo
philnash
50
2.8k
Measuring & Analyzing Core Web Vitals
bluesmoon
1
41
GraphQLとの向き合い方2022年版
quramy
43
13k
Music & Morning Musume
bryan
46
6.1k
Responsive Adventures: Dirty Tricks From The Dark Corners of Front-End
smashingmag
250
21k
Code Review Best Practice
trishagee
64
17k
Speed Design
sergeychernyshev
24
570

Transcript

  1. François Marier – @fmarier Easy logins for JavaScript web applications

  2. None
  3. None
  4. None
  5. None
  6. None
  7. None
  8. None
  9. None
  10. None
  11. None

  12. problem #1: passwords are hard to secure

  13. bcrypt / scrypt / pbkdf2 per-user salt site secret password

    & lockout policies secure recovery

  14. bcrypt / scrypt / pbkdf2 per-user salt site secret password

    & lockout policies secure recovery

  15. bcrypt / scrypt / pbkdf2 per-user salt site secret password

    & lockout policies secure recovery

  16. bcrypt / scrypt / pbkdf2 per-user salt site secret password

    & lockout policies secure recovery

  17. bcrypt / scrypt / pbkdf2 per-user salt site secret password

    & lockout policies secure recovery

  18. bcrypt / scrypt / pbkdf2 per-user salt site secret password

    & lockout policies secure recovery 2013 2013 password password guidelines guidelines

  19. passwords are hard to secure they are a liability

  20. ALTER TABLE user DROP COLUMN password;

  21. problem #2: passwords are hard to remember

  22. pick an easy password

  23. pick an easy password use it everywhere

  24. passwords are hard to remember they need to be reset

  25. None

  26. control email account control all accounts =

  27. None

  28. “People want a little dating before marriage.” Eric Vishria –

    Rockmelt
  29. None

  30. decentralised

  31. myid.com/u/francois

  32. None
  33. None

  34. privacy ®

  35. existing login systems are not good enough

  36. ideal web-wide identity system

  37. ideal web-wide identity system

  38. ideal web-wide identity system

  39. ideal web-wide identity system

  40. what if it were a standard part of the web

    browser?
  41. None

  42. how does it work?

  43. [email protected]

  44. [email protected]

  45. getting a proof of email ownership

  46. authenticate?

  47. authenticate? public key

  48. authenticate? public key signed public key

  49. you have a signed statement from your provider that you

    own your email address
  50. None

  51. logging into a 3rd party site

  52. Valid for: 2 minutes wikipedia.org assertion

  53. Valid for: 2 minutes wikipedia.org check audience assertion

  54. Valid for: 2 minutes wikipedia.org check audience check expiry assertion

  55. Valid for: 2 minutes wikipedia.org check audience check expiry check

    signature assertion

  56. assertion Valid for: 2 minutes wikipedia.org public key

  57. assertion Valid for: 2 minutes wikipedia.org

  58. assertion session cookie

  59. demo #1: http://www.voo.st/ http://www.debuggex.com [email protected]

  60. Persona is already a decentralised system

  61. decentralisation is the answer, but it's not a product adoption

    strategy

  62. we can't wait for all domains to adopt Persona

  63. we can't wait for all domains to adopt Persona solution:

    a temporary centralised fallback

  64. demo #2: http://sloblog.io/ [email protected]

  65. Persona already works with all email domains

  66. identity bridging

  67. demo #3: http://www.reasonwell.com/ [email protected]

  68. None
  69. None
  70. None

  71. Persona supports all modern browsers >= 8

  72. Persona is decentralised, simple and cross-browser

  73. it's simple for users, but is it also simple for

    developers?
  74. None

  75. <script src=”https://login.persona.org/include.js”> </script> </body></html>

  76. navigator.id.watch({ loggedInEmail: “[email protected]”, onlogin: function (assertion) { $.post('/login', {assertion: assertion},

    function (data) { // do something } ); }, onlogout: function () { window.location = '/logout'; } });

  77. navigator.id.watch({ loggedInUser: “[email protected]”, onlogin: function (assertion) { $.post('/login', {assertion: assertion},

    function (data) { // do something } ); }, onlogout: function () { window.location = '/logout'; } });

  78. navigator.id.watch({ loggedInUser: null, onlogin: function (assertion) { $.post('/login', {assertion: assertion},

    function (data) { // do something } ); }, onlogout: function () { window.location = '/logout'; } });

  79. navigator.id.watch({ loggedInUser: null, onlogin: function (assertion) { $.post('/login', {assertion: assertion},

    function (data) { // do something } ); }, onlogout: function () { window.location = '/logout'; } });

  80. navigator.id.watch({ loggedInUser: null, onlogin: function (assertion) { $.post('/login', {assertion: assertion},

    function (data) { window.location = '/'; } ); }, onlogout: function () { window.location = '/logout'; } });
  81. None

  82. navigator.id.request()

  83. None
  84. None
  85. None

  86. navigator.id.watch({ loggedInUser: null, onlogin: function (assertion) { $.post('/login', {assertion: assertion},

    function (data) { window.location = '/'; } ); }, onlogout: function () { window.location = '/logout'; } });

  87. eyJhbGciOiJEUzEyOCJ9.eyJwdWJsaWMta2V5Ijp7ImFsZ29yaXRobSI6IkRTIiwieSI6ImNhZDg2ZDg yNWU0MjBkMGI4Njk5MjM4ZDM5ZTFjYjIyOGMyMTk1NWFiMzcwOTQ1YzExNzBhMzM4NjcyNDM0ZDJmNGY xZDg5ZjFkZjMzNmU1ZjZjZjk2YjhiOTlmMjgyNmFjNTYxZmI1YWMyYTc4ZjNhMzBkNGYxNTVhYjc3ZGE xYmY3MWU4ZGMzNjQ0MmU2NjQ3MmE5Mjg0N2I2YjFlNDRkMTJlM2IwMjVjOWZmNTFmNDdhMWE5ZWYyMGZ hOTVjMTcxZjBkMTYzNGE4ZTY4YTk5NWU3ZjFjY2FiYTJlOTRjYTI3ODE1ZWVkMTcxYjY1YTJmZGQzNTE 1NjY3OTI0ZjUiLCJwIjoiZmY2MDA0ODNkYjZhYmZjNWI0NWVhYjc4NTk0YjM1MzNkNTUwZDlmMWJmMmE 5OTJhN2E4ZGFhNmRjMzRmODA0NWFkNGU2ZTBjNDI5ZDMzNGVlZWFhZWZkN2UyM2Q0ODEwYmUwMGU0Y2M xNDkyY2JhMzI1YmE4MWZmMmQ1YTViMzA1YThkMTdlYjNiZjRhMDZhMzQ5ZDM5MmUwMGQzMjk3NDRhNTE 3OTM4MDM0NGU4MmExOGM0NzkzMzQzOGY4OTFlMjJhZWVmODEyZDY5YzhmNzVlMzI2Y2I3MGVhMDAwYzN mNzc2ZGZkYmQ2MDQ2MzhjMmVmNzE3ZmMyNmQwMmUxNyIsInEiOiJlMjFlMDRmOTExZDFlZDc5OTEwMDh

    lY2FhYjNiZjc3NTk4NDMwOWMzIiwiZyI6ImM1MmE0YTBmZjNiN2U2MWZkZjE4NjdjZTg0MTM4MzY5YTY xNTRmNGFmYTkyOTY2ZTNjODI3ZTI1Y2ZhNmNmNTA4YjkwZTVkZTQxOWUxMzM3ZTA3YTJlOWUyYTNjZDV kZWE3MDRkMTc1ZjhlYmY2YWYzOTdkNjllMTEwYjk2YWZiMTdjN2EwMzI1OTMyOWU0ODI5YjBkMDNiYmM 3ODk2YjE1YjRhZGU1M2UxMzA4NThjYzM0ZDk2MjY5YWE4OTA0MWY0MDkxMzZjNzI0MmEzODg5NWM5ZDV iY2NhZDRmMzg5YWYxZDdhNGJkMTM5OGJkMDcyZGZmYTg5NjIzMzM5N2EifSwicHJpbmNpcGFsIjp7ImV tYWlsIjoiZm9vQG1vY2tteWlkLmNvbSJ9LCJpYXQiOjEzNzY1MzY0NjM1MTgsImV4cCI6MTM3NjU0MDA 2MzUxOCwiaXNzIjoibW9ja215aWQuY29tIn0.IeUR0_3ayAZkdNSXjF4aaCwSHnHa4X1lzrjX-qkNcPI bXx1hmQQPwg~eyJhbGciOiJEUzEyOCJ9.eyJleHAiOjEzNzY1MzY3MDc2MzUsImF1ZCI6Imh0dHA6Ly9 sb2NhbGhvc3QifQ.NJ8H1qZcWXbXfPJSdgB_mORHQ442ZkY0XYfdQsZZsIjooG7k7qWyVw

  88. navigator.id.watch({ loggedInUser: null, onlogin: function (assertion) { $.post('/login', {assertion: assertion},

    function (data) { window.location = '/home'; } ); }, onlogout: function () { window.location = '/logout'; } });

  89. npm install browserid-verify

  90. const verify = require('browserid-verify')(); verify(assertion, 'http://123done.org', function(err, email, response) {

    if (err) { return console.log(err); } if (email) { session.user = response.email; } else { delete session.user; } });

  91. { status: “okay”, audience: “http://123done.org”, expires: 1344849682560, email: “[email protected]”, issuer:

    “login.persona.org” }

  92. const verify = require('browserid-verify')(); verify(assertion, 'http://123done.org', function(err, email, response) {

    if (err) { return console.log(err); } if (email) { session.user = response.email; } else { delete session.user; } });

  93. { status: “failed”, reason: “assertion has expired” }

  94. const verify = require('browserid-verify')(); verify(assertion, 'http://123done.org', function(err, email, response) {

    if (err) { return console.log(err); } if (email) { session.user = response.email; } else { delete session.user; } });
  95. None
  96. None

  97. navigator.id.logout()

  98. navigator.id.watch({ loggedInUser: null, onlogin: function (assertion) { $.post('/login', {assertion: assertion},

    function (data) { window.location = '/home'; } ); }, onlogout: function () { window.location = '/logout'; } });
  99. None

  100. 1. load javascript library

  101. 1. load javascript library 2. setup login & logout callbacks

  102. 1. load javascript library 2. setup login & logout callbacks

    3. add login and logout buttons

  103. 1. load javascript library 2. setup login & logout callbacks

    3. add login and logout buttons 4. verify proof of ownership

  104. 1. load javascript library 2. setup login & logout callbacks

    3. add login and logout buttons 4. verify proof of ownership no API key needed

  105. you can add support for Persona in four easy steps

  106. Meteor express connect Jungles

  107. one simple request

  108. None

  109. building a new site: default to Persona

  110. working on an existing site/app: add support for Persona

  111. before

  112. after

  113. after navigator.id.request()

  114. None

  115. ALTER TABLE user DROP COLUMN password;

  116. To learn more about Persona: https://login.persona.org/ http://identity.mozilla.com/ https://developer.mozilla.org/docs/Persona/Why_Persona https://developer.mozilla.org/docs/Persona/Quick_Setup https://github.com/mozilla/browserid-cookbook

    https://developer.mozilla.org/docs/Persona/Libraries_and_plugins http://123done.org/ https://wiki.mozilla.org/Identity#Get_Involved @fmarier http://fmarier.org

  117. identity provider API https://eyedee.me/.well-known/browserid: { "public-key": { "algorithm":"RS", "n":"8606...", "e":"65537"

    }, "authentication": "/browserid/sign_in.html", "provisioning": "/browserid/provision.html" }

  118. https://eyedee.me/.well-known/browserid: { "public-key": { "algorithm":"RS", "n":"8606...", "e":"65537" }, "authentication": "/browserid/sign_in.html",

    "provisioning": "/browserid/provision.html" } identity provider API

  119. https://eyedee.me/.well-known/browserid: { "public-key": { "algorithm":"RS", "n":"8606...", "e":"65537" }, "authentication": "/browserid/sign_in.html",

    "provisioning": "/browserid/provision.html" } identity provider API

  120. https://eyedee.me/.well-known/browserid: { "public-key": { "algorithm":"RS", "n":"8606...", "e":"65537" }, "authentication": "/browserid/sign_in.html",

    "provisioning": "/browserid/provision.html" } identity provider API

  121. https://eyedee.me/.well-known/browserid: { "public-key": { "algorithm":"RS", "n":"8606...", "e":"65537" }, "authentication": "/browserid/sign_in.html",

    "provisioning": "/browserid/provision.html" } identity provider API

  122. identity provider API 1. check for your /.well-known/browserid 2. try

    the provisioning endpoint 3. show the authentication page 4. call the provisioning endpoint again

  123. identity provider API 1. check for your /.well-known/browserid 2. try

    the provisioning endpoint 3. show the authentication page 4. call the provisioning endpoint again

  124. identity provider API 1. check for your /.well-known/browserid 2. try

    the provisioning endpoint 3. show the authentication page 4. call the provisioning endpoint again

  125. identity provider API 1. check for your /.well-known/browserid 2. try

    the provisioning endpoint 3. show the authentication page 4. call the provisioning endpoint again

  126. © 2013 François Marier <[email protected]> This work is licensed under

    a Creative Commons Attribution-ShareAlike 3.0 New Zealand License. Top 500 passwords: http://xato.net/passwords/more-top-worst-passwords/ Parchment: https://secure.flickr.com/photos/27613359@N03/6750396225/ Restaurant dinner: https://secure.flickr.com/photos/yourdon/3977084094/ Stop sign: https://secure.flickr.com/photos/artbystevejohnson/6673406227/ Photo credits: