
Authentication, registration, identity
The Authoritative Guide to OAuth 1.0 « hueniverse
OAuth is an open standard for authorization. It allows users to share their private resources (e.g. photos, videos, contact lists) stored on one site with another site without having to hand out their credentials, typically supplying username and password tokens instead. Each token grants access to a specific site (e.g., a video editing site) for specific resources (e.g., just videos from a specific album) and for a defined duration (e.g., the next 2 hours). This allows a user to grant a third party site access to their information stored with another service provider, without sharing their access permissions or the full extent of their data. OAuth began in November 2006 when Blaine Cook was developing the Twitter OpenID implementation. Meanwhile, Ma.gnolia needed a solution to allow its members with OpenIDs to authorize Dashboard Widgets to access their service.
OAuth - Wikipedia, the free encyclopedia
25th January 2012: Status update API on My Opera no longer available. This article is partially out of date: the status update API (see the "Get your My Opera status" section) on My Opera is no longer available. We will provide such functionality in a different way in the future — until then, watch this space.
Gentle introduction to OAuth - Dev.Opera
Twitter OAuth sign-in on your site with PHP - Tutorial - La Ferme du web
How to Authenticate Users With Twitter OAuth | Nettuts+
Beginning August 16th, Twitter will no longer support the basic authentication protocol for its platform. That means the only way to authenticate users will be through a Twitter application. In this tutorial, I’ll show you how to use Twitter as your one-click authentication system, just as we did with Facebook. Fill in the fields for your site accordingly, just be sure to select Browser in Application Type, and set the Callback URL to something like http://localhost.com/twitter_login.php (http://localhost/ won’t be accepted because it doesn’t have a domain name).
Creating a Twitter OAuth Application | Nettuts+
Introducing ‘Sign-in with Twitter’, OAuth-Style “Connect” « hueniverse
Yesterday Twitter released ‘Sign-in with Twitter’, the ability to use Twitter as a delegated sign-in provider for third-party websites. The cool thing about this new feature, which is part of their OAuth API beta, is that it is completely standard OAuth. No extensions, not secret sauce, and not another proprietary provider (yes, I’m looking at you Facebook). It is Open done right.
Security Assertion Markup Language - Wikipedia, the free encyclopedia
HMAC - Wikipedia, the free encyclopedia
In cryptography, HMAC (Hash-based Message Authentication Code) is a specific construction for calculating a message authentication code (MAC) involving a cryptographic hash function in combination with a secret key. As with any MAC, it may be used to simultaneously verify both the data integrity and the authenticity of a message. Any cryptographic hash function, such as MD5 or SHA-1, may be used in the calculation of an HMAC; the resulting MAC algorithm is termed HMAC-MD5 or HMAC-SHA1 accordingly. The cryptographic strength of the HMAC depends upon the cryptographic strength of the underlying hash function, the size of its hash output length in bits, and on the size and quality of the cryptographic key. An iterative hash function breaks up a message into blocks of a fixed size and iterates over them with a compression function. For example, MD5 and SHA-1 operate on 512-bit blocks.
Usability researcher Jakob Nielsen’s recent column advocates a fundamental change to password field design on the web. He believes that the time has come “to show most passwords in clear text as users type them,” abandoning the traditional approach that displays a series of asterisks or bullets in place of the actual password. Nielsen’s controversial proposal demonstrates the principle that most design decisions require trade-offs. User goals and business objectives do not always intersect. Security, usability, and aesthetic concerns often compete. We must set priorities and balance these interests to achieve the best results in each situation.
The Problem with Passwords - A List Apart Articles
“Lazy Registration” and the value of iterative research & design « Madgex Labs Blog
One of the things we concentrate on at Madgex is the use of iterative research and design to improve conversion rates on our platforms. We run a lot of usability interviews, make design changes, and track the conversion rates via analytics. The lazy registration system we introduced in version 3 of our platform last year is a great example of this. One of the biggest leakage points of any webapp is registration: users are forced to make a clear decision about whether they want to enter a long term relationship with your site.
David Recordon, one of the key architects of OpenID and other identity technologies that have emerged over the past five years, has envisioned a new direction for OpenID. His proposal, which was drafted with input from several people in the OpenID community, is called OpenID Connect. At the highest level, it essentially rebuilds OpenID on top of OAuth 2.0, combining the two popular open source systems for authenticating users and letting them share data with social websites and applications.
New 'OpenID Connect' Proposal Could Solve Many of the Social Web's Woes | Webmonkey| Wired.com
WebFinger is an updated take on the Name/Finger protocol using HTTP, XRD, and host-meta (instead of a direct TCP connection on port 79) to obtain information about user accounts. It works by defining a new account URI scheme and a protocol for resolving it into an extensible descriptor of the account and its owner. The account URI, using the newly proposed ‘acct’ scheme, is used to identify user accounts at a given host which are typically used for the purpose of resource management and establishing local identity (at the host). User accounts include a local identifier (username, screenname, or handle), and a host which can resolve and (usually) authenticate the local identifier. Account URIs are useful in most places HTTP URIs are accepted.
Introducing WebFinger « hueniverse
Centralized authentication, authorization, entitlements and federation services. OpenAM technology underpins many of the globe’s largest corporate and government agency security infrastructures. It's the market leader in open source Authentication, Authorization, Entitlement and Federation products.
OpenAM
Single Sign-On Technologies

