Persona and Shiro for identity and authorization


Tim Niblett

Oct 16, 2012, 4:52:18 PM10/16/12
to google-a...@googlegroups.com
There is a demo at http://personashiro.appspot.com showing how to set up Mozilla's Persona for identity and Apache Shiro for authorization. There is a small demo here which shows how to set things up.  The aim is to be as simple to program as the built-in user service but to provide more authorization features.

Persona isn't quite ready for prime time yet, but it looks interesting.  It seems (in principle) to be more secure than using OAuth for identification, for what that's worth.

Jon Stevens

Oct 16, 2012, 9:04:56 PM10/16/12
to google-a...@googlegroups.com
I'm curious, what makes you think that Persona isn't ready for prime time? We've been using it for Voost and while I admit, it isn't 100% perfect (what is?), it definitely works great in a production environment.

jon

Tim Niblett

Oct 17, 2012, 4:32:08 AM10/17/12
to google-a...@googlegroups.com
Jon,

We're talking about identity, which is pretty catastrophic if it's wrong, so I'm operating with an abundance of caution.

I love the idea of Persona, but don't know much about it, so please fill me in if you have answers to my questions/concerns.

---

Persona has only just gone into beta, and is under active development.  I know Google has stretched our ideas of using Beta software in production, but still...
 
Persona is distributed, but there aren't any (major) IdPs signed up yet.  What happens if no-one signs up? Do I have to worry about the service just stopping in a couple of years?

I use 2-factor authentication on my Google account.  How will this work?

In my tests Persona can be pretty slow.  What are Mozilla doing about provisioning, load spikes, etc?

I've had some issues with the popup being suppressed sometimes on iOS.  Don't know why, but it's a no-no if users can't log in. Also, it's easy to spoof the popup, as it has a weird address in the address bar anyway.

During my (very limited) testing I used 2 Google Accounts.  Could easily be 2 users of the one machine.  When a session expired I'd log in to account A with a password, and after logging off and in again account B was available _without_ a password which I didn't like.  Not that this is any worse than other providers, we've had nasty incidents with Google login cookies.

If you use Facebook as identity provider (or Google to a lesser extent) you get told about failed login attempts and other stats to help protect your account.  Does/will Persona offer such facilities?  Will the IdPs be able to?

Tim

Jeff Schnitzer

Oct 17, 2012, 11:48:48 AM10/17/12
to google-a...@googlegroups.com
On Wed, Oct 17, 2012 at 1:32 AM, Tim Niblett <t...@timniblett.net> wrote:
> Jon,
>
> We're talking about identity, which is pretty catastrophic if it's wrong, so
> I'm operating with an abundance of caution.
>
> I love the idea of Persona, but don't know much about it, so please fill me
> in if you have answers to my questions/concerns.

I'm the other half of Voost - answers inline:

> Persona has only just gone into beta, and is under active development. I
> know Google has stretched our ideas of using Beta software in production,
> but still...

There are really two "halves" of Persona - the user-facing login
system, and the primary IdP system. The primary IdP system just went
live, but the user-facing login system has been live with Mozilla's
secondary (email verification) IdP for over a year. We've been using
it most of that time. It's solid.

> Persona is distributed, but there aren't any (major) IdPs signed up yet.
> What happens if no-one signs up? Do I have to worry about the service just
> stopping in a couple of years?

Even if no primary IdPs sign up, the secondary (email verification)
backup IdP is a better experience than almost every username/password
system in existence. So even the worst case scenario is still pretty
good. However, Mozilla is working on a proxy IdP called "BigTent"
which will leverage the OpenID mechanisms of Gmail, Yahoo, and
Hotmail. So those users will still get a seamless experience, even if
the three never officially become primary IdPs for Persona. That
covers something like 90% of all users.

What happens if Persona goes away? Persona logins are keyed by email
address. Removing Persona from your system is fairly trivial - add a
conventional email/pw/forgot login form, assign random passwords to
all your users, and give them a note letting them know of the change.

> I use 2-factor authentication on my Google account. How will this work?

If Google adds primary IdP support, they control the login process.
Even if they don't, BigTent will run the user through the standard
openid Google auth process. Currently (with the backup IdP) it
requires an email roundtrip. So 2-factor auth is accounted for.

> In my tests Persona can be pretty slow. What are Mozilla doing about
> provisioning, load spikes, etc?

I suspect the slow part ("We're sorry, this is taking a loooong time")
is the public key cryptography being run in javascript on the client.
They're balancing the need for sufficiently strong encryption with the
need for something that runs fast enough in javascript on crappy
hardware. After the first login to a new site I don't find this to be
an issue. Also: The protocol is designed to be implemented natively
in the browser, so the javascript shim is just a bootstrapping tool.
When browser support becomes ubiquitous (Firefox support is coming
soon) speed will not be an issue.

FWIW, there is much talk of performance on the identity-dev mailing
list. If you have questions, it's a good place to ask. I know they
have significant server capacity and have put a lot of thought into
reliability and operational processes.

> I've had some issues with the popup being suppressed sometimes on iOS.
> Don't know why, but it's a no-no if users can't log in. Also, it's easy to
> spoof the popup, as it has a weird address in the address bar anyway.

If you see issues on iOS, please report them as bugs. I have not
heard reports from iOS users about not being able to log in, and we
have many such users.

I also don't know what you mean about the weird address. The popup
address in the URL bar is https://login.persona.org/sign_in.

> During my (very limited) testing I used 2 Google Accounts. Could easily be
> 2 users of the one machine. When a session expired I'd log in to account A
> with a password, and after logging off and in again account B was available
> _without_ a password which I didn't like. Not that this is any worse than
> other providers, we've had nasty incidents with Google login cookies.

Persona is fairly particular about "Is this a shared machine?"
Inherent in the distributed nature is the fact that the primary IdP is
not consulted every time a user logs in; this would leak information
to the primary IdP. Right now when you use Facebook auth on a site,
Facebook knows that you logged into that site. This is a major
privacy issue that Persona addresses.

> If you use Facebook as identity provider (or Google to a lesser extent) you
> get told about failed login attempts and other stats to help protect your
> account. Does/will Persona offer such facilities? Will the IdPs be able to?

I believe you are confusing the IdP with the account owner. Facebook
notifies the _account owner_ about failed logins, but not the relying
party. There's no reason why primary IdPs could not continue to
notify account owners of hack attempts - although you won't know what
specific site is being attacked, because primary IdPs don't get that
information (an information leak). But it's pretty irrelevant - if
your email password is being attacked, the solution is to make sure
your email password is strong.

Jeff
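
As an added example (not code from this thread, and not Mozilla's Persona implementation), here is a toy model in Python of the flow Jeff describes above: logins are keyed by an email address, the IdP is consulted once to certify the user's key, and the relying party then verifies each login offline against the IdP's published public key, so the IdP never learns which site was visited. The keys are tiny textbook RSA built from trial-division primes, an assumption made so the block runs on the standard library alone; they stand in for real signatures and are not secure. The domain example.com, the address alice@example.com, the origins https://rp.example and https://other.example, and the timestamps are constructed values.

```python
"""Toy Persona/BrowserID flow: provision once at the IdP, verify offline at the RP.

Constructed example.  Keys are tiny textbook RSA (no padding) so it runs on the
standard library; they are stand-ins, not real cryptography."""
import hashlib
import json
from math import gcd


def _next_prime(n):
    # Trial division is fine for the ~1e6 range this toy uses.
    while True:
        if n > 1 and all(n % k for k in range(2, int(n ** 0.5) + 1)):
            return n
        n += 1


def toy_keypair(seed, e=65537):
    """Deterministic toy RSA key from a seed: returns (public, private)."""
    p = _next_prime(seed)
    q = _next_prime(p + 1)
    while gcd(e, (p - 1) * (q - 1)) != 1:
        q = _next_prime(q + 1)
    n, phi = p * q, (p - 1) * (q - 1)
    return {"e": e, "n": n}, {"d": pow(e, -1, phi), "n": n}


def _digest(payload, n):
    data = json.dumps(payload, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(payload, priv):
    return pow(_digest(payload, priv["n"]), priv["d"], priv["n"])


def verify_sig(payload, sig, pub):
    return pow(sig, pub["e"], pub["n"]) == _digest(payload, pub["n"])


# --- IdP (primary IdP for example.com): contacted ONCE to provision a certificate.
def idp_issue_certificate(idp_priv, email, user_pub, now, ttl=24 * 3600):
    """After authenticating the user (not modelled), the IdP certifies that
    `email` belongs to the holder of `user_pub`.  No RP is involved here."""
    cert = {"iss": "example.com", "exp": now + ttl,
            "principal": {"email": email}, "public-key": user_pub}
    return {"payload": cert, "sig": sign(cert, idp_priv)}


# --- Browser: mints a short-lived assertion bound to one RP origin.
def browser_make_assertion(user_priv, cert, audience, now, ttl=120):
    assertion = {"aud": audience, "exp": now + ttl}
    return {"cert": cert,
            "assertion": {"payload": assertion, "sig": sign(assertion, user_priv)}}


# --- Relying party: verifies using only the IdP's cached public key.
def rp_verify(backed, my_origin, idp_keys, now):
    cert, assertion = backed["cert"], backed["assertion"]
    email = cert["payload"]["principal"]["email"]
    domain = email.rsplit("@", 1)[1]
    if cert["payload"]["iss"] != domain or domain not in idp_keys:
        raise ValueError("certificate issuer does not own the email domain")
    if not verify_sig(cert["payload"], cert["sig"], idp_keys[domain]):
        raise ValueError("bad certificate signature")
    if cert["payload"]["exp"] <= now:
        raise ValueError("certificate expired")
    if not verify_sig(assertion["payload"], assertion["sig"], cert["payload"]["public-key"]):
        raise ValueError("bad assertion signature")
    if assertion["payload"]["aud"] != my_origin:
        raise ValueError("assertion was issued for a different audience")
    if assertion["payload"]["exp"] <= now:
        raise ValueError("assertion expired")
    return email


def demo(now=1_350_500_000):
    idp_pub, idp_priv = toy_keypair(1_000_000)
    user_pub, user_priv = toy_keypair(2_000_000)
    # Stand-in for the key the IdP publishes at /.well-known/browserid; RPs cache it.
    idp_keys = {"example.com": idp_pub}
    cert = idp_issue_certificate(idp_priv, "alice@example.com", user_pub, now)
    results = {}
    good = browser_make_assertion(user_priv, cert, "https://rp.example", now)
    results["valid"] = rp_verify(good, "https://rp.example", idp_keys, now)
    # An assertion minted for another site fails the audience check when replayed here.
    other = browser_make_assertion(user_priv, cert, "https://other.example", now)
    try:
        rp_verify(other, "https://rp.example", idp_keys, now)
        results["wrong_audience"] = "accepted"
    except ValueError as err:
        results["wrong_audience"] = str(err)
    # A stale assertion is rejected even though the certificate is still valid.
    try:
        rp_verify(good, "https://rp.example", idp_keys, now + 3600)
        results["expired"] = "accepted"
    except ValueError as err:
        results["expired"] = str(err)
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The audience check is what ties an assertion to the site the user actually logged in to, so a certificate obtained once can be reused for many sites without any of those logins going back to the IdP, and an assertion captured from one site is useless at another. The short assertion lifetime limits replay within the same site.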

alex

Oct 17, 2012, 1:07:20 PM10/17/12
to google-a...@googlegroups.com
That very fact of the email requirement is one of the reasons I don't
like Persona and will probably never employ it as a login/authz
mechanism. Far from every website/app/service really needs my email
address.

Probably the only good point is the "no information leak". On the
other hand, I don't want my email address to be "leaked" every time I
sign up. Personally, I'd prefer my provider to know where I'm signing
in then being forced to give up my email, because I kinda trust my
provider more than a new site I'm signing up to.

If Persona goes away, a fallback to a random password actually seems
pretty ridiculous living almost in 2013. I haven't registered with a
new password for about a year now. A registration/signup form with a
password field makes me go away.

It's a good thing OAuth 2.0 has finally become an RFC, actually two.

-- alex

Jeff Schnitzer

Oct 17, 2012, 2:55:44 PM10/17/12
to google-a...@googlegroups.com
You can want whatever you want as a user, but 99% of websites
(including mine) require an email address. Most users don't
understand "identity" as anything other than an email address.

What else are you proposing to use as an identity? An arbitrary
screen name? A URL? We have decades of experience showing why these
are horrible ids. Whether you like it or not, email address is the
*only* widely adopted, widely understood, distributed identity
mechanism available.

OAuth does not address identity or authentication.

Jeff

alex

Oct 17, 2012, 3:51:05 PM10/17/12
to google-a...@googlegroups.com
I'm not currently proposing anything but it's an interesting conversation.

It's true many sites require email but I, as a user, at least would
like to have a choice and not be forced to.

It is also true though that an average user "hosts" their emails
somewhere like Google, Yahoo!, Windows Live, whatever. Not only that,
they also use their emails under the TOS of those providers. That's,
for one, a reason why I don't believe email is the answer, but I do
favor the fact that Persona exists because I think it might bring some
new ideas in the future.

I remember seeing lots of t-shirts with Twitter @handles. I recall
people going crazy when Facebook started introducing vanity URLs. I
also remember everybody sticking QR codes on every corner at some
point. Those are just a couple examples of identities probably as good
as your du...@gmail.com ID. Identity is a huge and interesting topic,
but not for this forum.

BTW, authentication is one of the things OAuth kinda does address.
Check out the RFCs, I'm sure you'll find lots of interesting info.

Tim Niblett

Oct 17, 2012, 8:10:46 PM10/17/12
to google-a...@googlegroups.com, je...@infohazard.org
Jeff,

Thanks for the thoughtful reply.   I take your point about putting
questions/bugs to the right place. Couple of questions if you have time.

You say that OAuth isn't about identity.  But this is a pig with
lipstick. Google and Facebook _are_ using it for identity. So are you
on Voost.

My question about 2-factor was about the UI.  Is this expected to
happen in the popup, or will users get directed to a Google URL?  With
OAuth the UI is in Google's control.  I don't understand what happens
with Persona.

The weird address is that _an_ address not belonging to the site
you're logging in to is shown anyway.  Perhaps 1 user in 100 will look and
say "**** I'm being spoofed, that's not the correct Persona
URL." Another confusing (potentially) issue is that with Mozilla as the
IdP I can use an arbitrary password with a GMail address (which I
am). Probably most people give the "real" password.

I don't understand your comment about Persona being particular about a
shared machine.  My point was that it's not particular from what I've seen.  Do
you mean it's a bug?  Or that sharing a browser from the same (host pc)
account means it's my fault for being dumb?

What I should have said about hack attempts is another UI issue.  What
does the IdP do if it wants to tell the user in the browser that
they've had too many login attempts for example? Also will Mozilla alert people 
to suspicious activity on their account by Email when they act as IdP?
As I said at the beginning I like Persona.  I think I'd be happy with
it for a non-particularly-secure app. Certainly happier than Google
OAuth which seems lax with cookies (I could have got it wrong but
it seems not to cancel cookies when you revoke a token).  Perhaps
I should amend my initial comment to "I haven't been able to determine
to my satisfaction whether Persona is ready for prime time".

As a matter of interest what split do you get on Voost between
Facebook and Persona logins?  I'd guess perhaps 85/15?

Jeff Schnitzer

Oct 18, 2012, 8:08:24 PM10/18/12
to google-a...@googlegroups.com
On Wed, Oct 17, 2012 at 3:51 PM, alex <al...@cloudware.it> wrote:
> I'm not currently proposing anything but it's an interesting conversation.
>
> It's true many sites require email but I, as a user, at least would
> like to have a choice and not be forced to.

I get that, but I posit that:

* You the user aren't the one who gets to make that decision. You
can decide that you don't want to log into the site because it asks
for an email address, but you are in a *very* tiny minority. Websites
want email addresses, and 99.9% of users are comfortable giving it.

* Users don't understand identity as something other than email
address. There are only two other contending identities - Facebook
and Twitter (and Twitter is pretty much geeks-only, so that leaves
Facebook). Google isn't included - if you talk to nontechnical users,
they don't quite grok the idea of a Google account yet. "You mean
gmail? I don't use gmail."

> It is also true though that an average user "hosts" their emails
> somewhere like Google, Yahoo!, Windows Live, whatever. Not only that,
> they also use their emails under the TOS of those providers. That's,
> for one, a reason why I don't believe email is the answer, but I do
> favor the fact that Persona exists because I think it might bring some
> new ideas in the future.

In a broader sense, Persona is not really about email. It's an
arbitrary identity system defined by user@domain. It just happens to
overlap with email, which is critical because nontechnical users don't
understand the difference - they just know that user@domain is "me".
But user@domain does not need to be routable. You can set up your own
IdP for you@yourhost.

If you control your domain name, you control your identity. If you
use @gmail.com, Google controls your identity. But at least it's
distributed - if you don't like Google, go with Yahoo or MSN or anyone
else. You can't say the same about Facebook or Twitter identities.

> I remember seeing lots of t-shirts with Twitter @handles. I recall
> people going crazy when Facebook started introducing vanity URLs. I
> also remember everybody sticking QR codes on every corner at some
> point. Those are just a couple examples of identities probably as good
> as your du...@gmail.com ID. Identity is a huge and interesting topic,
> but not for this forum.

Twitter and Facebook identities are not distributed, and completely at
the mercy of Facebook's and Twitter's TOS. This alone makes them
*vastly* less desirable than user@domain. QR codes aren't an
identity, just a possible representation of an identity (a url? an
email address?). And OpenID tried using URLs as identifiers - oh boy
was that a disaster. Users don't understand "I am a URL".

For better or worse, it keeps coming back to email.

> BTW, authentication is one of the things OAuth kinda does address.
> Check out the RFCs, I'm sure you'll find lots of interesting info.

Even if OAuth provides authentication, where does the _identity_ come
from? If I'm not mistaken, at best it offers the horrible
NASCAR-style UX we get with OpenID today - "pick your auth provider,
Gmail/AOL/Yahoo/etc".

Jeff

Jeff Schnitzer

Oct 18, 2012, 9:45:35 PM10/18/12
to google-a...@googlegroups.com
On Wed, Oct 17, 2012 at 8:10 PM, Tim Niblett <t...@timniblett.net> wrote:
> Jeff,
>
> Thanks for the thoughtful reply. I take your point about putting
> questions/bugs to the right place. Couple of questions if you have time.
>
> You say that OAuth isn't about identity. But this is a pig with
> lipstick. Google and Facebook _are_ using it for identity. So are you
> on Voost.

It is important to distinguish between the authentication protocol and
its notion of identity. Persona is a protocol which uses email
address as an identity. OpenID is a protocol which uses a URL as an
identity. Facebook uses OAuth but your Facebook account
(specifically, your facebook id) is the identity.

Email address (Persona) and URL (OpenID) are both distributed
identities, which is far better for weaving the fabric of the internet
than the siloed and rigidly controlled identities like Facebook and
Twitter. OpenID came out of the blog community, where it made sense
that the URL to your blog is "you"; however, this confuses and
bewilders the vast majority of the world.

> My question about 2-factor was about the UI. Is this expected to
> happen in the popup, or will users get directed to a Google URL? With
> OAuth the UI is in Google's control. I don't understand what happens
> with Persona.

I don't know what will happen with BigTent; that's still under
development. Hopefully it will have the same UX as if Google was a
primary IdP. You can try it yourself using http://eyedee.me (an IdP)
and http://123done.org (or, for that matter, Voost).

> The weird address is that _an_ address not belonging to the site
> you're logging in to is shown anyway. Perhaps 1 user in 100 will look and
> say "**** I'm being spoofed, that's not the correct Persona
> URL." Another confusing (potentially) issue is that with Mozilla as the
> IdP I can use an arbitrary password with a GMail address (which I
> am). Probably most people give the "real" password.

If you're entering in your password for the Persona secondary IdP,
then yes, you will type your password in when the URL bar says
login.persona.org. Is that confusing? Not particularly. But if your
primary IdP is Google or Yahoo or whatnot, then the url bar will say
google.com or yahoo.com or whatnot. The secondary IdP is just a
bootstrapping process, and when BigTent is in place, few will see even
that.

At any rate, having persona.org in the url bar is not any more
confusing than any other kind of federated login system - there will
always be something else in the URL bar. If you're making the
argument that all websites should maintain their own separate password
databases and web forms... well, it's pretty clear why that has been
failing us, but if you want to open that debate, I'm game :)

> I don't understand your comment about Persona being particular about a
> shared machine. My point was that it's not particular from what I've seen.
> Do
> you mean it's a bug? Or that sharing a browser from the same (host pc)
> account means it's my fault for being dumb?

Maybe I'm misunderstanding you. If you choose to have a browser
"remember me" on a website, you're going to be in potential trouble if
someone else sits down at your workstation. I'm not sure what is new
about Persona here.

> What I should have said about hack attempts is another UI issue. What
> does the IdP do if it wants to tell the user in the browser that
> they've had too many login attempts for example?

Exactly what they do now. If you try to log in too many times to
federated Google Auth, it'll lock you out. This has nothing to do
with Persona, which doesn't specify the UX of identity providers.
Take a look at http://eyedee.me/, it can be that simple. Persona just
defines the federation logic so that you can log in to other sites
_after_ you have authenticated at an IdP.

> Also will Mozilla alert
> people
> to suspicious activity on their account by Email when they act as IdP?

I doubt it, but you could always request the feature. Keep in mind
that the Mozilla secondary identity provider is just a bootstrapping
tool and will hopefully disappear some day. If I set up an IdP at
infohazard.org, I can stop worrying about it entirely.

> As I said at the beginning I like Persona. I think I'd be happy with
> it for a non-particularly-secure app. Certainly happier than Google
> OAuth which seems lax with cookies (I could have got it wrong but
> it seems not to cancel cookies when you revoke a token). Perhaps
> I should amend my initial comment to "I haven't been able to determine
> to my satisfaction whether Persona is ready for prime time".

I think anywhere you would consider Facebook authentication is a
pretty good place to consider Persona authentication. I wouldn't
expect to see banks using it anytime soon, but banks are always a
decade behind the technology curve so that is not surprising.

I don't think Persona in principle opens up any new avenues of attack.
Sure, right now there is the secondary auth system, but that will
disappear at some point along with the javascript shim (Persona is
being built into browsers). Email is already the "master key" for
pretty much every website that takes username/password thanks to
password recovery. So why wouldn't you consider Persona secure?
Other than it's relatively new... it could have bugs, sure.

> As a matter of interest what split do you get on Voost between
> Facebook and Persona logins? I'd guess perhaps 85/15?

Our audience is about 50-50. That's before hordes of lookie-loos came
to check out Persona - we're linked from Mozilla's announcement (we
don't mind, but it definitely slants the statistics). Our audience
tends to be an older crowd, many of whom either do not have or
actively do not like Facebook. If you're hitting primarily college
kids, the numbers will likely be different. If you're hitting geeks,
I would expect a lot more Persona.

Jeff

Tim Niblett

Oct 22, 2012, 5:56:02 AM10/22/12
to google-a...@googlegroups.com
Jeff,

Thanks again for all the info.

I tried eyedee.me.  I can log in and out on the site but with Persona I get an infinite loop -- just keeps asking you to login.  I could see how the UI works though, which is encouraging.  I created a Github issue for it. 

Your 50/50 split is interesting.  Perhaps shows that people are _not_ happy with the lack of privacy on Facebook.


Tim