Robert Kaiser, "KaiRo" <kairo@kairo.at>
Mozilla Rep, Website developer & Project Manager

Login/Identity solution by Mozilla, 2011-2016

• Decentralized / Federated (with Fallback)
• Multiple identities
• Verified Email
• Potential for browser integration
• BrowserID protocol, easy to implement, server-side verification
• Permission-less

See blog post by François Marier (feeding.cloud.geek.nz)

• Easy to implement
• Trusted identification
• Avoid dealing with how to secure passwords
• No lock-in (identification via email?)
• Privacy (not telling every login attempt to a big company)

• Local: Sounds easy to implement, complications in details
• Local: Can always be trusted
• Local: Need to secure passwords
• External: Potential for lock-in
• External: Potential privacy issues
• External: Implementation difficulty depends on API

• Mozilla Persona
• Firefox Accounts
• Facebook, Google, GitHub, ...
• Other OAuth2 providers
• OpenID Connect (OIDC) providers (based on OAuth2)
• Other/older providers/standards (OAuth1, ...)
• Intermediates, e.g. Auth0

Portier is a new in-development alternative

• Email authentication
• Decentralized (fallback to passwordless email auth)
• Speaking OIDC to client and "Brokers"
• "Spiritual successor to Mozilla Persona"
• Still in development ("early beta"): portier.github.io

• Full control over login stack
• Password security isolated from website code
• Management of multiple identities possible
• Privacy and trust are no issues
• When using standard API, possibility for being switched out later
• Still needing to secure properly

• OAuth2 API (potential extension to OIDC later), using oauth2-server-php
• Password storage with password_hash (currently bcrypt) + nonce, auto-upgrade on login
• Relatively easy to install on "LAMP" (Linux with Apache + MySQL + PHP5/PHP7)
• Doctrine DBAL for DB abstraction, php-utility-classes for email and DOM document abstraction
• Skinnable to brand installation to fit operator
• My installation at auth.kairo.at scores A+ from Mozilla Observatory

• Only Authorization Code flow supported right now, oauth2-server-php can do Client Credentials as well as OIDC, should not be too hard to add.
• Tested with Apache and MySQL for now, other web and DB servers should be possible easily.
• Rudimentary documentation exists in the main README.
• Languages supported are US English (default) and German, detected via Accept-Language sent by browser.
• Testing is done by running logins with KaiRo's websites (2 different client implementations).
• Special Thanks to Christoph Zauner for doing a review that didn't find any actual security issues (but some minor comments).
• Open Source at github.com/KaiRo-at/authserver, under MPL2 - released TODAY!

• Implementation of OIDC and perhaps Client Credentials flows.
• Setting up a test suite and infrastructure.
• Writing more complete documentation.
• More UI languages?
• More installations?
• Your ideas and pull requests!