Table of Contents
Web Logins after Persona
The following slides are available in this presentation:
Web Logins after Persona
How I solved logins on my small websites
Robert Kaiser,
"KaiRo" <kairo@kairo.at>
Mozilla Rep, Website developer & Project Manager
Mozilla Rep, Website developer & Project Manager
Slides: https://slides.kairo.at/fosdem2017/
- Created for Mozilla Developer Room at FOSDEM 2017 in Brussels.
- Written in HTML 5 with CSS 3 and JavaScript.
- Navigation via links on all slides, via access keys (e.g. "n"/Alt+Shift+N for "next") or back/forward arrow keys
- Contents
01-02/2017 Robert Kaiser.
What iswas Persona?
Login/Identity solution by Mozilla, 2011-2016
- Decentralized / Federated (with Fallback)
- Multiple identities
- Verified Email
- Potential for browser integration
- BrowserID protocol, easy to implement, server-side verification
- Permission-less
See blog post by François Marier (feeding.cloud.geek.nz)
Needs of a Small Website
- Easy to implement
- Trusted identification
- Avoid dealing with how to secure passwords
- No lock-in (identification via email?)
- Privacy (not telling every login attempt to a big company)
Local vs. External Login
- Local: Sounds easy to implement, complications in details
- Local: Can always be trusted
- Local: Need to secure passwords
- External: Potential for lock-in
- External: Potential privacy issues
- External: Implementation difficulty depends on API
External Alternatives
Mozilla PersonaFirefox Accounts- Facebook, Google, GitHub, ...
- Other OAuth2 providers
- OpenID Connect (OIDC) providers (based on OAuth2)
- Other/older providers/standards (OAuth1, ...)
- Intermediates, e.g. Auth0
Interlude: A Future Alternative
Portier is a new in-development alternative
- Email authentication
- Decentralized (fallback to passwordless email auth)
- Speaking OIDC to client and "Brokers"
- "Spiritual successor to Mozilla Persona"
- Still in development ("early beta"): portier.github.io
Self-Hosted "External"
- Full control over login stack
- Password security isolated from website code
- Management of multiple identities possible
- Privacy and trust are no issues
- When using standard API, possibility for being switched out later
- Still needing to secure properly
The PHP Authserver
- OAuth2 API (potential extension to OIDC later), using oauth2-server-php
- Password storage with password_hash (currently bcrypt) + nonce, auto-upgrade on login
- Relatively easy to install on "LAMP" (Linux with Apache + MySQL + PHP5/PHP7)
- Doctrine DBAL for DB abstraction, php-utility-classes for email and DOM document abstraction
- Skinnable to brand installation to fit operator
- My installation at auth.kairo.at scores A+ from Mozilla Observatory
Current Status
- Only Authorization Code flow supported right now, oauth2-server-php can do Client Credentials as well as OIDC, should not be too hard to add.
- Tested with Apache and MySQL for now, other web and DB servers should be possible easily.
- Rudimentary documentation exists in the main README.
- Languages supported are US English (default) and German, detected via Accept-Language sent by browser.
- Testing is done by running logins with KaiRo's websites (2 different client implementations).
- Special Thanks to Christoph Zauner for doing a review that didn't find any actual security issues (but some minor comments).
- Open Source at github.com/KaiRo-at/authserver, under MPL2 - released TODAY!
Help Needed
- Implementation of OIDC and perhaps Client Credentials flows.
- Setting up a test suite and infrastructure.
- Writing more complete documentation.
- More UI languages?
- More installations?
- Your ideas and pull requests!
