X-Git-Url: https://git-public.kairo.at/?a=blobdiff_plain;f=fosdem2017%2Findex.html;h=8530779c3b6742e7f4603005cbcb81452e30d4d0;hb=8efb85cb5301668530aa336f1e661c13018b01e4;hp=a07ff06c1bc06c5ec0b205b2512d1c9ec17212a9;hpb=df2f979f67e5137fe546d1927dc3c1cc061b0f44;p=slides.git
diff --git a/fosdem2017/index.html b/fosdem2017/index.html
index a07ff06..8530779 100755
--- a/fosdem2017/index.html
+++ b/fosdem2017/index.html
@@ -42,16 +42,16 @@
Robert Kaiser,
"KaiRo" <kairo@kairo.at>
-
Mozilla Rep
+
Mozilla Rep, Website developer & Project Manager
-What iswas Persona?
+What iswas Persona?
-
Login/Identity solution by Mozilla, 2011-2016
+
+
Login/Identity solution by Mozilla, 2011-2016
- Decentralized / Federated (with Fallback)
- Multiple identities
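Review bot: the title lines `-What iswas Persona?` / `+What iswas Persona?` show no textual difference, so whatever changed here lives in markup this plain diff does not show; please confirm the rendered heading actually distinguishes "is" from "was" (strike-through or a separator), because as plain text "iswas" reads as a typo, and the plain text is what screen readers and slide exports will pick up.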
@@ -80,7 +81,7 @@
- Permission-less
See
-blog post by François Marier
+blog post by François Marier (feeding.cloud.geek.nz)
@@ -88,12 +89,13 @@ blog post by François Marier
Needs of a Small Website
+
- - Easy to implement
- - Trusted identification
- - Avoid dealing with how to secure passwords
- - No lock-in (identification via email?)
- - Privacy (not telling every login attempt to a big company)
+ - Easy to implement
+ - Trusted identification
+ - Avoid dealing with how to secure passwords
+ - No lock-in (identification via email?)
+ - Privacy (not telling every login attempt to a big company)
@@ -102,12 +104,13 @@ blog post by François Marier
Local vs. External Login
+
- - Local: Need to secure passwords
- - Local: Sounds easy to implement, complications in details
+ - Local: Sounds easy to implement, complications in details
- Local: Can always be trusted
- - External: Potential for lock-in
- - External: Potential privacy issues
+ - Local: Need to secure passwords
+ - External: Potential for lock-in
+ - External: Potential privacy issues
- External: Implementation difficulty depends on API
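Review bot: the reorder puts `Local: Can always be trusted` directly before `Local: Need to secure passwords`, and read together the two bullets undercut each other. If "trusted" means that the site alone controls the identification and no third party is involved, say that ("Local: No third party to trust"); otherwise the slide can be read as claiming a local login is safe by default, which the next bullet denies.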
@@ -117,12 +120,13 @@ blog post by François Marier
External Alternatives
+
Mozilla Persona
Firefox Accounts
- - Facebook, Google, GitHub
- - Other OAuth2 providers
- - OpenID Connect (OIDC) providers (based on OAuth2)
+ - Facebook, Google, GitHub, ...
+ - Other OAuth2 providers
+ - OpenID Connect (OIDC) providers (based on OAuth2)
- Other/older providers/standards (OAuth1, ...)
- Intermediates, e.g. Auth0
@@ -133,13 +137,14 @@ blog post by François Marier
Interlude: A Future Alternative
-
Portier is a new in-development alternative
+
+
Portier is a new in-development alternative
- Email authentication
- Decentralized (fallback to passwordless email auth)
- Speaking OIDC to client and "Brokers"
- "Spiritual successor to Mozilla Persona"
- - Still in development ("early beta")
+ - Still in development ("early beta"): portier.github.io
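Review bot: adding `portier.github.io` to the "early beta" bullet is helpful, but the bullet `Decentralized (fallback to passwordless email auth)` deserves one qualifying word, since the fallback means that for users without a broker the login is only as strong as access to their mailbox; a short "(security then rests on the user's email account)" would keep the comparison with the other options honest.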
@@ -148,12 +153,13 @@ blog post by François Marier
Self-Hosted "External"
+
- - Full control over login stack
+ - Full control over login stack
- Password security isolated from website code
- Management of multiple identities possible
- - Privacy and trust are no issues
- - When using standard API, possibility for being switched out later
+ - Privacy and trust are no issues
+ - When using standard API, possibility for being switched out later
- Still needing to secure properly
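Review bot: `Privacy and trust are no issues` sits in tension with `Still needing to secure properly` in the same list; the self-hosted setup removes the third-party concern, not the need to trust the server itself. Suggest "No third-party privacy or trust issues" so the slide does not read as claiming the self-hosted authserver requires no trust at all.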
@@ -163,10 +169,11 @@ blog post by François Marier
The PHP Authserver
+
- - OAuth2 API (potential extension to OIDC later), using oauth2-server-php
- - Password storage with password_hash (currently bcrypt) + nonce, auto-upgrade on login
- - Relatively easy to install on Linux with Apache + PHP5/PHP7 + MySQL (Other DBs should be easy to support)
+ - OAuth2 API (potential extension to OIDC later), using oauth2-server-php
+ - Password storage with password_hash (currently bcrypt) + nonce, auto-upgrade on login
+ - Relatively easy to install on "LAMP" (Linux with Apache + MySQL + PHP5/PHP7)
- Doctrine DBAL for DB abstraction,
php-utility-classes for email and DOM document abstraction
- Skinnable to brand installation to fit operator
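Review bot: `Password storage with password_hash (currently bcrypt) + nonce` is ambiguous and should be spelled out: PHP's password_hash already generates and stores a per-password salt, so if the "nonce" is a server-side secret mixed in before hashing (a pepper), say so and note that it must live outside the database; if it only means the salt, it is redundant with what password_hash does. Separately, rewording the install bullet to "LAMP" drops the `(Other DBs should be easy to support)` remark; that claim now rests only on the Doctrine DBAL bullet, which may be intended, but worth a conscious decision.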
@@ -177,16 +184,17 @@ blog post by François Marier
Current Status
+
+
- - Only Authorization Code flow supported right now, oauth2-server-php can do Client Credentials as well as OIDC, should not be too hard to add.
- - Tested with Apache and MySQL for now, other web and DB servers should be possible easily.
- - Rudimentary documentation exists in the main README.
+ - Only Authorization Code flow supported right now, oauth2-server-php can do Client Credentials as well as OIDC, should not be too hard to add.
+ - Tested with Apache and MySQL for now, other web and DB servers should be possible easily.
+ - Rudimentary documentation exists in the main README.
- Languages supported are US English (default) and German, detected via Accept-Language sent by browser.
- Testing is done by running logins with KaiRo's websites (2 different client implementations).
+ - Special Thanks to Christoph Zauner for doing a review that didn't find any actual security issues (but some minor comments).
- Open Source at github.com/KaiRo-at/authserver, under MPL2 - released TODAY!
-
-
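Review bot: the added credit `review that didn't find any actual security issues (but some minor comments)` is stronger than the slide can back up without scope: state what was reviewed (code review of which components, at which revision, or a black-box test of a deployment) and roughly when, otherwise "no actual security issues" reads as an unbounded assurance for an authorization server that, per the bullets above, still has no test suite and only the Authorization Code flow implemented.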
@@ -194,25 +202,25 @@ blog post by François Marier
Help Needed
+
- - Implementation of OIDC and perhaps Client Credentials flows.
- - Setting up a test suite and infrastructure.
- - Writing more complete documentation.
- - More languages?
+ - Implementation of OIDC and perhaps Client Credentials flows.
+ - Setting up a test suite and infrastructure.
+ - Writing more complete documentation.
+ - More UI languages?
- More installations?
- - Your ideas and pull requests!
+ - Your ideas and pull requests!
-
-
Questions?
-
-
+
+
Questions?
+
+
+
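Review bot: `Setting up a test suite and infrastructure` is listed after `Implementation of OIDC and perhaps Client Credentials flows`; for an authorization server, tests covering the existing Authorization Code flow (redirect URI validation, code single-use, state handling) are the safer first ask, since each added flow widens the surface that the `Testing is done by running logins with KaiRo's websites` approach cannot exercise. Consider moving the test-suite bullet to the top of the list.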