introduction to t-mobile id - meetupfiles.meetup.com/13678942/developer introduction to t-mobile id...
Agenda
• Background
• Why an identity project
• What is going on with identity in the industry
• T-Mobile ID
• Technical details
– Architecture
– Device agent call flows
• How to integrate
• Screen shots
Passwords Are Broken
• 6 out of 10 people re-use their passwords
• Consumer website study key findings:
– 55% still accept notoriously weak passwords such as “123456” or “password”
– 51% make no attempt to block entry after 10 incorrect password entries (including Amazon, Dell, Best Buy, Macy’s and Williams-Sonoma)
– 64% have highly questionable password practices
– 61% do not provide any advice on how to create a strong password during signup, and 93% do not provide an on-screen password strength assessment
– Only 10% scored above the threshold for good password policies
– 8 sites, including Toys “R” Us, J.Crew and 1-800-Flowers.com, send passwords in plain text via email
Mobile can deliver security
2nd Factor Authentication
• Something I know + Something I have + Something I am
A single account, a growing ecosystem
• Multi Screen Strategy: Tablets, PCs, TVs, Internet devices, Phones, Smart cars
• Multi Brand
• Multi Line
Login
• New “User account” (login with email)
• User consented access to their profile (“T-Mobile Connect”)
T-Mobile ID: Project and User Experience
IAM: Platform (Identity and Access Management)
Core Concepts and Features
• “User” not “Line”
– Login with email, username, phone number
– Stays with the user even if they cancel their phone line
– Register a phone line to a user
• User consents
– Exposure (profile, line, location, ...)
– Access: approve access to bill
• Services and access are specific, not open ended
– Applications have access only to the user present, for the data users have granted
– Core, Branded, Sponsored
• Any device, anywhere, for anyone
– Over the top integration
– Future connection to SIM authentication
• A TMUS account, not a My.T-Mobile account
– Applicable to multiple brands
– Integration across carriers
• Users can create their account from anywhere
– On device, in app, in store, on web, or from purchasing portal
– Users can help themselves (create, access, manage)
• Central authentication & authorization
– Built on standards, and easy to integrate
• Device Agent and libraries for developers
High Level Targeted Roadmap
• Alpha release (June): Login with phone number
• Beta release (Q3): Login with Email
• TBD: Login with Social; Client Pre-loads
• TBD: Mobile Connect; Cross carrier interop
• Initial Testing release; slow roll out of new services
• Various T-Mobile services over 2014: My.T-Mobile.com, MyAccount, On Device Apps
• Deeper penetration across 2015
T-Mobile ID
High level Design
[Architecture diagram: App and Browser on the external side; IAM with Auth, Token and Profile components; internal interfaces to Care LDAP and the Profile store, with refresh and validation between them; the Account.TMUS.net dashboard, shared by several APPs]
• User loads application
• User browser redirected to T-Mobile ID to authenticate with OAuth2 authentication parameters
• User interacts with authentication (Login, Consent, Create, Forgot, ...)
• Redirection back to application with Authentication Cookie & Authorization Code
• Application converts the authorization code to an access token by authenticating with pre-shared secrets
• Application uses the Access Token to retrieve profile elements
• Dashboard delivered as standalone service
• While users are encouraged to use my.T-Mobile.com they can use account.tmus.net as a standalone location to manage the User profile elements.
What data can I get?
User Profile
• First name
• Last name
• Email address
• Unique T-ID
• Username
• Account Creation date
• Last login…
T-Mobile Line Profile (list of)
• Phone number
• BAN
• Permissions
• Account type
• Account status
• Operator id
• Bill cycle
• Birthday
• Zipcode
Billable MSISDN
• Phone number
Entitlements
• Dynamic Biz rules
• Premium VM?
• Days left in trial?
Scopes: Subscriber Display
Consent text shown to the subscriber for each requested scope:
• “App” is using T-Mobile ID.
• “App” is asking to access your T-Mobile ID profile.
• “App” is asking to manage your T-Mobile ID profile.
• “App” is asking for your phone number which might be used for billing extra services.
• “App” is asking to access information about your T-Mobile account.
• “App” is asking for information about your T-Mobile services.
Applications not already approved must ask for access. 4 launch permissions:
• User profile (FN/LN/Username/email…)
• T-Mobile Line data (MSISDN, …..)
• Billable MSISDN (MSISDN only)
• Entitlements (dynamic biz rules)
T-Mobile Core Application
• Pre-approved
• Seamless
• Non-revocable
T-Mobile Sponsored Application
• Users must initially approve
T-Mobile Branded Application
• Pre-approved
• Revocable
Device Agent and Helper Library
• Standard Android service.
• Standard interfaces for clients to request tokens.
• “Sync” will be used for contact scraping and other future use cases.
Signatures
• OAuth 2.0 uses a client ID and client secret to authenticate the client, and then grants that specific client the access the user approved.
• Secrets are not secure within mobile devices (or within browsers).
Therefore:
• IAM Agent will calculate the client secret based on the application signature.
• IAM Server will ensure only the IAM Agent can perform authentication for mobile apps.
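The two "Therefore" bullets describe a design rather than an implementation, so the following is an added model of it, not T-Mobile's agent or server code. The slides state only that the agent derives the client secret from the application signature and that the server accepts mobile authentication only from the agent; the HMAC derivation over client ID and signing-certificate fingerprint, the key shared between agent and server, the package names and the fake certificate bytes are all assumptions made for illustration.

```python
"""Model of the "Signatures" design: a mobile app's client secret is derived by
the IAM Agent from the app's signing certificate, so no secret ships in the APK.

Added example, not T-Mobile's code. The HMAC derivation, AGENT_KEY and the
certificate bytes below are assumptions; the OS-reported signing certificate
is what binds a client ID to its publisher.
"""
import hashlib
import hmac

# Assumed: a key provisioned to the IAM Agent and known to the IAM Server, never
# handed to apps. Only a holder of this key can produce a valid secret, which is
# how "only the IAM Agent can perform authentication for mobile apps" is modelled.
AGENT_KEY = b"agent-server-shared-key-assumed"

# Constructed stand-ins for DER signing certificates (on a device, PackageManager
# reports the real ones for the calling package).
CERT_PUBLISHER = b"-- constructed cert: legitimate publisher --"
CERT_ATTACKER = b"-- constructed cert: repackaged build, attacker's key --"


def cert_fingerprint(cert_der: bytes) -> str:
    return hashlib.sha256(cert_der).hexdigest()


def derive_client_secret(client_id: str, fingerprint: str, agent_key: bytes = AGENT_KEY) -> str:
    """secret = HMAC-SHA256(agent_key, client_id || fingerprint); nothing here lives in the app."""
    return hmac.new(agent_key, f"{client_id}:{fingerprint}".encode(), hashlib.sha256).hexdigest()


class IAMServer:
    def __init__(self):
        self.registry = {}   # client_id -> signing-cert fingerprint recorded at onboarding

    def register(self, client_id: str, cert_der: bytes) -> None:
        """'Have your Client ID assigned, and public signature recorded.'"""
        self.registry[client_id] = cert_fingerprint(cert_der)

    def authenticate(self, client_id: str, presented_secret: str) -> bool:
        fingerprint = self.registry.get(client_id)
        if fingerprint is None:
            return False
        expected = derive_client_secret(client_id, fingerprint)
        return hmac.compare_digest(expected, presented_secret)


class IAMAgent:
    """The on-device service: it trusts the OS, not the app, for the caller's signature."""

    def __init__(self, server: IAMServer, installed: dict):
        self.server = server
        self.installed = installed   # package name -> signing cert as the OS reports it

    def request_token(self, calling_package: str, client_id: str) -> bool:
        cert = self.installed[calling_package]
        secret = derive_client_secret(client_id, cert_fingerprint(cert))
        return self.server.authenticate(client_id, secret)


def scenarios() -> dict:
    """Genuine app, repackaged app, and an app bypassing the agent, on constructed data."""
    server = IAMServer()
    server.register("app-1234", CERT_PUBLISHER)
    agent = IAMAgent(server, installed={
        "com.example.app": CERT_PUBLISHER,          # genuine build
        "com.example.app.repack": CERT_ATTACKER,    # same client_id, attacker's signing key
    })
    # An app that pulled client_id out of the APK and talks to the server directly
    # does not hold AGENT_KEY, so the best it can do is guess.
    forged = derive_client_secret("app-1234", cert_fingerprint(CERT_PUBLISHER), agent_key=b"guess")
    return {
        "genuine_via_agent": agent.request_token("com.example.app", "app-1234"),
        "repackaged_via_agent": agent.request_token("com.example.app.repack", "app-1234"),
        "direct_without_agent_key": server.authenticate("app-1234", forged),
    }
```

The property worth noticing is that a repackaged build fails even though it carries the same client ID, because the fingerprint the agent feeds into the derivation comes from the OS, not from the app. The scheme is only as strong as the agent's ability to keep its own key out of reach of ordinary apps; the roadmap's SIM authentication item is the natural way to replace a software-held agent key with a device-held credential.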
Integration Options & Best Practices
Integration Variations
• As an enabler you get to choose how your application integrates with T-Mobile ID
– Provide service, redirect to authentication only to validate what MSISDN a user has
– Provide no service until they bounce through authentication
Best practices
• Link to T-ID, not phone number
• Issue short-lived service tokens
• Re-authenticate when the user changes service
• Minimize your requested access
Sandwich
• First determine if the user is signed in with T-Mobile ID
– Display = none (soft authentication attempt)
• Honor the MSISDN insertion (if traffic is over the radio)
• Redirect to T-Mobile ID
– If MSISDN insertion fails, or the user requests to login as a different user
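The Sandwich decision and the best practices above, worked through as an added example (not from the deck or T-Mobile's libraries). The display=none spelling follows the slide; the X-MSISDN header name used for carrier insertion, the HMAC-signed service-token format, its 5-minute lifetime, the signing key and the client values are assumptions. How an app knows that a request arrived over the radio rather than Wi-Fi is left to the caller, which is why `over_radio` is a parameter.

```python
"""Sandwich pattern plus short-lived, T-ID-linked, per-service tokens.

Added example, not T-Mobile's code. Assumed: X-MSISDN header, token format,
TOKEN_TTL, SERVICE_KEY, client_id and redirect_uri.
"""
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import urlencode

AUTH_ENDPOINT = "https://auth.tmus.net/oauth2/v1/"   # from the "First Steps" slide
SERVICE_KEY = b"app-side-service-token-key-assumed"   # assumed, app's own key
TOKEN_TTL = 300                                       # assumed: five minutes


def auth_redirect(client_id: str, redirect_uri: str, soft: bool) -> str:
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "scope": "profile"}   # minimize requested access
    if soft:
        params["display"] = "none"   # soft attempt: no UI, fails fast if not signed in
    return AUTH_ENDPOINT + "?" + urlencode(params)


def next_step(session: dict, headers: dict, over_radio: bool,
              client_id: str = "app-1234", redirect_uri: str = "https://app.example/cb") -> tuple:
    """Sandwich: (1) soft auth, (2) MSISDN insertion only over the radio, (3) full redirect."""
    if session.get("tid"):
        return ("serve", session["tid"])
    if not session.get("soft_auth_tried"):
        session["soft_auth_tried"] = True
        return ("redirect", auth_redirect(client_id, redirect_uri, soft=True))
    # A client can set any header on a Wi-Fi path, so the inserted MSISDN is
    # honoured only when the request came over the carrier's radio network.
    if over_radio and headers.get("X-MSISDN") and not session.get("switch_user"):
        return ("serve_by_msisdn", headers["X-MSISDN"])
    return ("redirect", auth_redirect(client_id, redirect_uri, soft=False))


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def issue_service_token(tid: str, service: str, now=None) -> str:
    """Short-lived token keyed by T-ID (not MSISDN) and valid for one service only."""
    now = time.time() if now is None else now
    body = _b64(json.dumps({"tid": tid, "svc": service, "exp": int(now) + TOKEN_TTL}).encode())
    sig = _b64(hmac.new(SERVICE_KEY, body.encode(), hashlib.sha256).digest())
    return body + "." + sig


def verify_service_token(token: str, service: str, now=None):
    """Return the T-ID, or None if the token is forged, expired, or issued for a
    different service; None means: send the user back through T-Mobile ID."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".")
    except ValueError:
        return None
    good = _b64(hmac.new(SERVICE_KEY, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(good, sig):
        return None
    claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    if claims["exp"] <= now or claims["svc"] != service:
        return None
    return claims["tid"]
```

The token carries the T-ID so that a line cancellation or number change does not orphan the app's records, and it names the service so that moving to another service forces a fresh authentication instead of silently reusing the old grant.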
First Steps
For Web Developers
• Have your client ID and client secret assigned
• Confirm your redirect URL
• Configure your OAuth endpoints
– Auth: https://auth.tmus.net/oauth2/v1/
– Token: https://token.tmus.net/token/
– Profile: https://profile.tmus.net/userinfo/
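The web-developer steps above and the call flow on the High level Design slide (redirect with OAuth2 parameters, code returned, code exchanged for an access token with the pre-shared secret, token used against the profile endpoint) as one runnable walk-through. This is an added example, not code from the deck or from T-Mobile's helper libraries: the three endpoint URLs are the ones listed above, while the in-process FakeIAM that stands in for those endpoints, the client ID, secret and redirect URL, the scope name "profile" and the profile elements it is taken to cover are assumptions. The `state` parameter is standard OAuth2 protection for the callback and is not something the slides list.

```python
"""OAuth2 authorization-code flow against T-Mobile ID as the slides describe it.

Added example, not T-Mobile's code. Endpoint URLs are from the deck; FakeIAM,
client values and SCOPE_FIELDS are assumptions so the flow runs offline.
"""
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTH_ENDPOINT = "https://auth.tmus.net/oauth2/v1/"
TOKEN_ENDPOINT = "https://token.tmus.net/token/"        # called directly on FakeIAM below
PROFILE_ENDPOINT = "https://profile.tmus.net/userinfo/"  # instead of over HTTP

# Assumed: which "What data can I get?" elements a "profile" scope covers.
SCOPE_FIELDS = {"profile": ("first_name", "last_name", "email", "username", "tid")}


def _flat(query: str) -> dict:
    return {k: v[0] for k, v in parse_qs(query).items()}


class FakeIAM:
    """Stand-in for the auth, token and profile endpoints."""

    def __init__(self, clients: dict, users: dict):
        self.clients = clients   # client_id -> {"secret": ..., "redirect_uri": ...}
        self.users = users       # T-ID -> profile dict
        self.codes = {}          # one-time authorization codes
        self.tokens = {}         # access_token -> (T-ID, scopes)

    def authorize(self, query: str, tid: str) -> str:
        """User has logged in as `tid` and consented: mint a code, redirect back."""
        q = _flat(query)
        client = self.clients[q["client_id"]]
        if q["redirect_uri"] != client["redirect_uri"]:
            raise PermissionError("redirect_uri is not the one registered for this client")
        code = secrets.token_urlsafe(16)
        self.codes[code] = (q["client_id"], tid, q["scope"].split())
        return client["redirect_uri"] + "?" + urlencode({"code": code, "state": q["state"]})

    def token(self, client_id: str, client_secret: str, code: str, redirect_uri: str) -> dict:
        """Code-for-token exchange; the client authenticates with its pre-shared secret."""
        client = self.clients.get(client_id)
        if client is None or not hmac.compare_digest(client_secret, client["secret"]):
            raise PermissionError("client authentication failed")
        issued = self.codes.pop(code, None)   # single use: a replayed code is gone
        if issued is None or issued[0] != client_id or redirect_uri != client["redirect_uri"]:
            raise PermissionError("code unknown, replayed, or issued to another client")
        _, tid, scopes = issued
        access_token = secrets.token_urlsafe(24)
        self.tokens[access_token] = (tid, scopes)
        return {"access_token": access_token, "token_type": "Bearer", "expires_in": 3600}

    def userinfo(self, access_token: str) -> dict:
        """Return only the profile elements covered by the granted scopes."""
        tid, scopes = self.tokens[access_token]
        fields = {f for s in scopes for f in SCOPE_FIELDS.get(s, ())}
        return {k: v for k, v in self.users[tid].items() if k in fields}


class RelyingParty:
    """The web application integrating with T-Mobile ID."""

    def __init__(self, iam: FakeIAM, client_id: str, client_secret: str, redirect_uri: str):
        self.iam, self.client_id, self.client_secret = iam, client_id, client_secret
        self.redirect_uri = redirect_uri
        self.pending_states = set()   # would live in the server-side session

    def login_url(self, scope: str = "profile") -> str:
        state = secrets.token_urlsafe(16)   # binds the callback to a login this app started
        self.pending_states.add(state)
        params = {"response_type": "code", "client_id": self.client_id,
                  "redirect_uri": self.redirect_uri, "scope": scope, "state": state}
        return AUTH_ENDPOINT + "?" + urlencode(params)

    def callback(self, redirected_to: str) -> dict:
        q = _flat(urlparse(redirected_to).query)
        if q.get("state") not in self.pending_states:
            raise PermissionError("unknown state: callback not bound to a login we started")
        self.pending_states.discard(q["state"])
        tok = self.iam.token(self.client_id, self.client_secret, q["code"], self.redirect_uri)
        return self.iam.userinfo(tok["access_token"])


def run_flow() -> dict:
    """One login end to end on constructed data; returns the profile plus a replay check."""
    iam = FakeIAM(
        clients={"app-1234": {"secret": "pre-shared-secret", "redirect_uri": "https://app.example/cb"}},
        users={"tid-42": {"tid": "tid-42", "first_name": "Ada", "last_name": "Lovelace",
                          "email": "ada@example.com", "username": "ada", "zipcode": "98006"}},
    )
    rp = RelyingParty(iam, "app-1234", "pre-shared-secret", "https://app.example/cb")
    url = rp.login_url()                                       # browser sent to T-Mobile ID
    back = iam.authorize(urlparse(url).query, tid="tid-42")    # login/consent, redirect with code
    profile = rp.callback(back)                                # code -> access token -> profile
    try:
        rp.callback(back)                                      # replaying the callback must fail
        replay_rejected = False
    except PermissionError:
        replay_rejected = True
    return {"profile": profile, "replay_rejected": replay_rejected}
```

Two details carry the security of the flow: the secret is only ever sent server-to-server in the code exchange, which is why the deck reserves this variant for web applications and routes mobile apps through the agent, and the profile endpoint returns only the elements the granted scopes cover, which is what "minimize your requested access" buys you in practice.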
For App developers
• Confirm your public signature
• Have your Client ID assigned, and public signature recorded (or client name for iOS)
• Download your helper library (Android & iOS)
– Bitbucket.com/tmobile/TIDAHL
– Bitbucket.com/tmobile/TIDIHL
• Download an Agent (links within beta test group)
• Download the configurator, logger, and sandbox to help with your development (links within beta test group)
1. Join the Google+ beta testing group (and introduce yourself): T-Mobile ID Beta
2. Reach out to [email protected]
3. Accept the developer agreement
4. Schedule an integration discussion