2023
users: identity, authentication, accounts
digital identity & providers
agenda
authentication in the modern age
user models and profiles
digital identity
digital identity
information used by a computer system to represent an external agent
the agent does not need to be a human
the representation is unique within the system
digital identity
examples
- username
- name and surname
- pesel, SSN
- email address / phone number
- serial number
- uuid
digital identity
identity management
- registration
- changes
- takeover
- delegation
but also
- theft
- regulations
digital identity
in 2023, IT's COMPLICATED
and
you don't want to do it yourself
identity provider
identity provider
An identity provider (IdP) is a system that creates, stores, and manages digital identities
identity provider
standards
- openid connect
- saml
providers
- google, microsoft, facebook, ...
- auth0, okta, ping, onelogin, ...
- roll your own
identity provider
proving you are you
agent needs to prove they have something secret
- password
- biometrics
- two-factor authentication
- one-time codes
secure tokens
header (base64url):
eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6Ik56UXpRelUwUlVaRU1qUkNSVGN4UlRFeE1rWTNORVZCTXpNeE5qQXpNa0pFUkVWR01qRkZNdyJ9
{ "alg":"RS256",
"typ":"JWT",
"kid":"..." }
payload (identity token, base64url):
eyJodHRwczovL3NpbHZhaXIuY29tL3BhcnRuZXJJZCI6InNpbHZhaXIiLCJlbWFpbCI6Im1pY2hhbC5sb3dhcy1yemVjaG9uZWtAc2lsdmFpci5jb20iLCJlbWFpbF92ZXJpZmllZCI6dHJ1ZSwiaXNzIjoiaHR0cHM6Ly9zaWx2YWlyLXByZXByb2Qtc2lsdmFpci5ldS5hdXRoMC5jb20vIiwiYXVkIjoiMG5MYXZzdEU5dnBiTUJDNkZGSFo0S3M0OGIyalgwMG4iLCJpYXQiOjE2NzgxMTI5ODQsImV4cCI6MTY3ODE0ODk4NCwic3ViIjoiYXV0aDB8NWIzZGI0ZTA4Yjk5ODMwNjUyMmJlMDg2In0
{ "https://silvair.com/partnerId":"silvair",
"email":"michal.lowas-rzechonek@silvair.com",
"email_verified":true,
"iss":"https://silvair-preprod-silvair.eu.auth0.com/",
"aud":"0nLavstE9vpbMBC6FFHZ4Ks48b2jX00n",
"iat":1678112984,
"exp":1678148984,
"sub":"auth0|5b3db4e08b998306522be086" }
signature (base64url):
EWLEYzqNzm2pz8p0tcV42dqqitYgorf8O1T7F5_POoLvUozj547eV_Lm7gAJV3uIzSGwe_gCvWQsWX4CHGNSKPIVSCQpr-LobeDgJYinmrJLKopwnzmcN_LUP1L4YUxq3WuQman9qgGTB8aQWdqR2iyaGLr9Eetdqxbxn8eKUQtKDsYoS6yql3IDMADvfuvbMULvnQNg0ghI__sCqUtrEbYB-gVHP-z5n7-3X3MIHKBKHxpRSzbrlhjm8HWoAegsuFI-GH-8c5sPT2zYUcUQO6qvzm7grH366cyS_xO1Ege3nXjQEyiFc7bbvyxoTIGQcY67ByDnjll6R5GkMjbLVQ
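The three segments of the token above, built and checked in Python, as an added example that is not part of the original slides. It signs with HS256 (a shared HMAC key) so it runs with the standard library alone; the slide's token is RS256, where the verifier fetches the provider's public key selected by the header's kid instead of holding a shared secret. The key, issuer, audience, kid and claim values below are constructed, and the claim checks (iss, aud, exp, iat) are the ones a relying party performs after the signature.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import time

# Constructed demo values (a real provider signs with RS256 and a key pair).
DEMO_KEY = b"demo-shared-secret-not-for-production"
DEMO_ISSUER = "https://idp.example/"
DEMO_AUDIENCE = "hotel-frontdesk-client-id"


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # JWT segments drop the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, key: bytes, kid: str = "demo-key-1") -> str:
    """header.payload.signature, each segment base64url without padding."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    segments = [b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
                b64url_encode(json.dumps(claims, separators=(",", ":")).encode())]
    signing_input = ".".join(segments).encode("ascii")
    signature = hmac.new(key, signing_input, hashlib.sha256).digest()
    return ".".join(segments + [b64url_encode(signature)])


def decode_unverified(token: str) -> tuple[dict, dict]:
    """Structure only: header and payload are plain base64url, readable by anyone who holds the token."""
    header_seg, payload_seg, _signature = token.split(".")
    return json.loads(b64url_decode(header_seg)), json.loads(b64url_decode(payload_seg))


def verify_hs256(token: str, key: bytes, issuer: str, audience: str, now: int | None = None) -> dict:
    """Return the claims if signature and standard claims check out; raise ValueError otherwise."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_seg, payload_seg, sig_seg = parts
    header = json.loads(b64url_decode(header_seg))
    # Pin the algorithm: the token must never choose how it is verified.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_seg}.{payload_seg}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_seg)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_seg))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    if claims.get("aud") != audience:
        raise ValueError("token not meant for us")
    if now >= claims.get("exp", 0):
        raise ValueError("expired")
    if claims.get("iat", 0) > now + 60:  # small allowance for clock skew
        raise ValueError("issued in the future")
    return claims


if __name__ == "__main__":
    claims = {"iss": DEMO_ISSUER, "aud": DEMO_AUDIENCE, "sub": "auth0|demo-subject",
              "email_verified": True, "iat": 1678112984, "exp": 1678148984}
    token = sign_hs256(claims, DEMO_KEY)
    print(token)
    print(decode_unverified(token))
    print(verify_hs256(token, DEMO_KEY, DEMO_ISSUER, DEMO_AUDIENCE, now=1678112990))
```

Decoding is not verification: anyone can read the payload, and the only thing that makes the claims trustworthy is a signature check against a key the verifier already trusts, followed by the issuer, audience and expiry checks.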
secure tokens
identity token
- issued by the provider
- valid for a long time
- contains agent's details
- meant to be cached on the server side
access token
- issued by us
- valid for a short time (but can be refreshed)
- contains just what we need
authentication flow
enter 2023
agents don't share all their info with us
agents want to authenticate with identity provider only
authentication flow
Hi, I have a reservation
good morning! I need to know who you are, and we trust these providers:
- the government
- google
- microsoft
which one would you prefer?
Let's go with microsoft
Very well, here's the URL!
authentication flow
<opens url on their phone>
<logs in ON THEIR PHONE>
<receives a one-time code>
alright, microsoft says that code is "122378457854378439"
this is handled by your web browser
authentication flow
<uses hotel's secret and one-time code to retrieve id token>
<verifies the signature>
welcome, mr. lowas-rzechonek!
here's your room key. it's valid for one day, please come by tomorrow to refresh it
<uses key to open the door>
authentication flow
key points
- agent can choose a provider
- provider shows who is asking and for what; privacy is a thing
- agent doesn't get their id token; we don't trust them to authenticate the receptionist
- agents receive only a short-lived access token
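The hotel dialogue as code, added here and not part of the original slides: the provider hands out a one-time code after the agent logs in on their own device, only the registered client can redeem it (once, with its secret), the id token stays on the hotel's side, and the agent gets an opaque, short-lived room key that the hotel can refresh or revoke. The id token is represented as a plain dict of claims (signature verification is left out of this example), and the client id, client secret, issuer and subject values are constructed.

```python
import secrets

# Constructed demo registration: the hotel is a client the provider knows, with its own secret.
CLIENT_ID = "hotel-frontdesk-client-id"
CLIENT_SECRET = "hotel-client-secret-demo"
DEMO_ISSUER = "https://idp.example/"


class IdentityProvider:
    """Issues a single-use, short-lived code bound to one client, and exchanges it for identity claims."""

    def __init__(self, clients: dict, code_ttl: int = 60):
        self.clients = clients      # client_id -> client_secret
        self.pending = {}           # code -> (client_id, subject, expires_at)
        self.code_ttl = code_ttl

    def login(self, subject: str, client_id: str, now: int) -> str:
        """The agent authenticated on their own device; return the code they carry to the hotel."""
        if client_id not in self.clients:
            raise ValueError("unknown client")
        code = secrets.token_urlsafe(16)
        self.pending[code] = (client_id, subject, now + self.code_ttl)
        return code

    def exchange(self, code: str, client_id: str, client_secret: str, now: int) -> dict:
        entry = self.pending.pop(code, None)   # pop: a code can never be redeemed twice
        if entry is None:
            raise ValueError("unknown or already used code")
        bound_client, subject, expires_at = entry
        if bound_client != client_id or not secrets.compare_digest(self.clients[client_id], client_secret):
            raise ValueError("code was not issued to this client")
        if now >= expires_at:
            raise ValueError("code expired")
        # Stands in for the signed id token; only the hotel ever sees it.
        return {"iss": DEMO_ISSUER, "aud": client_id, "sub": subject, "iat": now}


class Hotel:
    """Caches id tokens server-side and hands agents only an opaque, short-lived access token."""

    def __init__(self, idp: IdentityProvider, access_ttl: int = 86400):
        self.idp = idp
        self.identities = {}        # sub -> id token claims, kept on our side
        self.sessions = {}          # access token -> (sub, expires_at)
        self.access_ttl = access_ttl

    def check_in(self, code: str, now: int) -> str:
        id_token = self.idp.exchange(code, CLIENT_ID, CLIENT_SECRET, now)
        if id_token["aud"] != CLIENT_ID or id_token["iss"] != DEMO_ISSUER:
            raise ValueError("id token not meant for us")
        self.identities[id_token["sub"]] = id_token
        return self._issue(id_token["sub"], now)

    def _issue(self, sub: str, now: int) -> str:
        token = secrets.token_urlsafe(32)   # opaque: carries nothing, only looks up our record
        self.sessions[token] = (sub, now + self.access_ttl)
        return token

    def whoami(self, token: str, now: int):
        sub, expires_at = self.sessions.get(token, (None, 0))
        if sub is None or now >= expires_at:
            return None
        return sub

    def refresh(self, token: str, now: int) -> str:
        """Trade a still-valid key for a fresh one; the old key stops working immediately."""
        sub = self.whoami(token, now)
        if sub is None:
            raise ValueError("cannot refresh an invalid or expired token")
        del self.sessions[token]
        return self._issue(sub, now)

    def log_out(self, sub: str) -> None:
        """Because we issued the access tokens, we can revoke every one of them at will."""
        self.sessions = {t: s for t, s in self.sessions.items() if s[0] != sub}


if __name__ == "__main__":
    idp = IdentityProvider({CLIENT_ID: CLIENT_SECRET})
    hotel = Hotel(idp)
    code = idp.login("auth0|demo-guest", CLIENT_ID, now=1000)
    room_key = hotel.check_in(code, now=1005)
    print("checked in as", hotel.whoami(room_key, 1005))
    print("tomorrow:", hotel.whoami(room_key, 1005 + 86400))
```

The two secrets in play never reach the agent: the client secret stays between the hotel and the provider, and the id token stays in the hotel's cache. Revocation works because the hotel owns the session table, which is exactly what is lost when the id token itself is handed back to the agent.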
user profile
where to keep information on authenticated users?
identity provider is not a database
you can't just write stuff on agents' ID
user profile
user model
a data structure used to capture certain characteristics about an individual user
user profile
an instance of a user model tied to a specific user
colloquially known as "account"
user profile
examples
- company name
- preferred language
- have they accepted the terms?
- additional permissions
all of that needs to be stored in our system, tied to some identity
a single agent might have multiple profiles
what are we doing wrong?
we expect agents to show us their password
we give id tokens back to agents
we keep parts of the profile on the provider's side
problems
agents show their password
this is a post-it note on the monitor
very hard to add 2fa, biometrics, passkeys
we risk leaking the password (e.g. in logs)
problems
agents use id token
identity theft when someone impersonates us
we can't forcefully log them out
problems
user profile on the provider's side
vendor lock-in
performance issues
problems
questions?
Identity, authentication, authorization
By Michał Lowas-Rzechonek