#292: Pythonic identity (auth in Python ecosystem) Transcript
00:00 So you're excited about that next app you're about to build.
00:02 You can visualize the APIs with smooth scalability talking to the mobile apps.
00:07 You can see, finally, this time, you'll get deployment right, and it'll be pure continuous delivery out of GitHub with zero downtime.
00:14 What you're probably not dreaming about is writing yet another password reset form
00:18 and integrating the mail capabilities just to send those reset emails, or how you'll securely store user accounts the right way this time.
00:26 Don't worry, we got you covered.
00:29 Our guests, Christos Matskas and John Patrick Dandison, are here to cover a bunch of different libraries and techniques
00:35 we can use for adding identity to our Python applications.
00:38 This is Talk Python to Me, episode 292, recorded Friday, October 2nd, 2020.
00:58 Welcome to Talk Python to Me, a weekly podcast on Python, the language, the libraries, the ecosystem,
01:03 and the personalities.
01:04 This is your host, Michael Kennedy.
01:06 Follow me on Twitter, where I'm @mkennedy, and keep up with the show and listen to past
01:10 episodes at talkpython.fm, and follow the show on Twitter via @talkpython.
01:15 This episode is brought to you by Linode and Talk Python Training.
01:18 Please check out the offers during their segments.
01:21 It really helps support the show.
01:22 Here's an unexpected question for you.
01:25 Are you a C# or .NET developer getting into Python?
01:28 Do you work at a company that used to be a Microsoft shop, but is now finding their way over to the
01:34 Python space?
01:35 We built a Python course tailor-made for you and your team.
01:39 It's called Python for the .NET developer.
01:42 This 10-hour course takes all the features of C# and .NET that you think you couldn't
01:47 live without.
01:47 Entity Framework, lambda expressions, ASP.NET, and so on.
01:51 And it teaches you the Python equivalent for each and every one of those.
01:55 This is definitely the fastest and clearest path from C# to Python.
01:59 Learn more at talkpython.fm/.NET.
02:02 That's talkpython.fm/D-O-T-N-E-T.
02:06 Christos, John, welcome to Talk Python to Me.
02:09 It's nice to be here.
02:10 Thanks for having us.
02:10 Yeah, it's great to have you guys here.
02:12 We're going to talk about identity at all the different levels.
02:16 And I think that's something we really haven't covered that deeply on the show, not in a
02:20 standalone sense anyway.
02:22 And so I'm looking forward to covering these topics because we've got some interesting
02:26 and strong opinions about different things that we're going to cover.
02:29 And it's going to be a lot of fun.
02:30 I can tell already.
02:30 Hey, we're open.
02:32 We're open to all and every opinion here, right?
02:36 We just want to make sure that people are doing it safely and right if they're building
02:40 apps, right?
02:41 So that's our goal.
02:43 That's right.
02:43 Yeah.
02:44 So let's start with the beginning, with setting stage, just personally for you two.
02:50 Christos, I guess we'll start with you first.
02:51 How did you get into programming?
02:53 And then how do you find your way over to being interested in Python, at least as part of one
02:57 of the languages you write?
02:58 That is correct.
02:59 So it's funny because I was thinking back how I started with programming.
03:03 And I was saying yesterday that I actually want to be a hacker.
03:06 At some point in my life, the crossroads of what do I want to do?
03:09 I think it was the tender age of 20 or 21.
03:12 I was like, what do I want to do with my life?
03:14 I can choose anything I want.
03:15 I want to be a hacker.
03:16 So I was like, to be a hacker, you need to know how to write code.
03:19 So I was like, okay, I'll go and get a degree in coding.
03:21 So I did a software engineering degree.
03:23 And then I thought, you know what?
03:25 If you want to be a good hacker, you need to know about networking.
03:27 So I went and did a networking degree, understanding TCP stacks, OSI, and what have you.
03:34 And then I went back to programming because I fell in love with it initially.
03:37 I became a .NET fanboy from the early days because I did that in uni.
03:41 And then the market was ripe for that.
03:43 So I ended working with that stack for very long.
03:46 So since 2004, I've been writing code in .NET.
03:50 But over the years, I worked as a consultant.
03:52 So I got a chance to dabble with Python, Node, Java.
03:56 And that polyglot experience brought some interesting bits like, oh, I like this bit from Node.
04:00 I like this bit from Python.
04:01 .NET doesn't do everything.
04:03 Then .NET Core came around.
04:04 So I fell in love with .NET Core again and pulled me back into the .NET ecosystem.
04:09 And then I joined Microsoft in 2016, working as a consultant, helping customers.
04:14 And since March, I moved into the identity team where I work as a program manager for the developer advocacy team.
04:22 And this gives me the opportunity to actually go and play around with all the languages and see how we can integrate identity into these things securely and with scale.
04:31 And that's where we are today.
04:32 Yeah, it's super cool.
04:33 And I think one of the things that's really interesting, this whole evangelism side is you get to touch a bunch of different technologies and identity.
04:42 You get to talk about a bunch of different technologies.
04:44 This Node app wants to talk to that Python API back end.
04:48 Yeah.
04:49 So you really kind of got to embrace that full time, right?
04:53 And every platform and every language.
04:54 So we're not locked into a specific ecosystem.
04:57 We can speak to AWS developers.
04:58 We speak to Google developers.
05:00 We speak to DigitalOcean developers, as we mentioned before.
05:03 For us, it's about making sure that you have the right tools in your arsenal to write the code using the tools that you love and the languages that you love.
05:11 All right.
05:12 I can't let you get off this topic here of the origin story without asking you about Mr. Robot.
05:17 Oh, God.
05:18 I love it.
05:19 My background right now on my Windows terminal is Mr. Robot.
05:24 Oh, my gosh.
05:24 As is Mr. JP's, who's going to be talking in a second.
05:29 And the other background, because I have multiple terminals, the other one is Halt and Catch Fire, which is my second favorite TV show.
05:35 If you haven't watched it, it's a fantastic TV show.
05:37 Oh, yeah.
05:38 I would say Mr. Robot, if those of you who have not watched this, it gets a little weird in season two and season three.
05:43 But season one, this is, I would say, it's probably the absolute best dramatic representation of programming and software in a show.
05:53 It's not one of these fake things.
05:55 Like, you really feel like, I think there's a whole section where they're using PyCharm to write some Python code down.
06:00 Yeah.
06:00 And you're like, dude, that's legit code on the screen.
06:02 That's not like weird green text falling down or something, right?
06:06 Actually, it's super accurate.
06:08 And there are lots of people in the tech industry that love that show that spend time looking at the commands that they write to analyze whether it's a valid code or not.
06:16 Whereas other shows, I don't know.
06:17 I mean, the best one was NCIS, was it?
06:20 Where two people jump on the keyboard?
06:21 Yeah.
06:22 Was that the VBA one?
06:23 The VB one?
06:24 Yeah.
06:24 The very first one where they were like, oh, somebody is attacking us.
06:28 And the two people jump on the keyboard trying to type at the same time on the same keyboard.
06:31 Oh, that hurts.
06:34 That's not the pair program we were thinking of.
06:36 All right, John, how about you?
06:39 How did you get into programming, VBA?
06:41 So I started, I was always sort of into computers and building stuff when I was a kid.
06:45 And so I thought, oh, I'll go to college for something I want to do, which is music education.
06:49 So I wanted to be a band director.
06:50 So we see, which we see how well that worked out.
06:53 So I went to college and I took a bunch of programming classes.
06:56 And most of my programming classes were actually in Python when I was starting out before they moved into Java.
07:02 I'm super jealous.
07:03 They said I had to do it all in Lisp and Fortran.
07:06 What?
07:07 Oh, God.
07:08 Yeah, no thanks.
07:11 Yeah.
07:11 All right.
07:12 So yeah.
07:12 All right.
07:12 Python and then Java.
07:13 That makes sense.
07:14 I mean, I think honestly, studying a static language is super important, even if you don't necessarily embrace it.
07:19 But Java, C++, C#, you should know that stuff, even if you don't necessarily do it day to day.
07:24 Yeah.
07:24 Yeah.
07:25 And then while I was in college, I found a job on a help desk and one of their developers left and they said, hey, do you want to come help and take over?
07:31 And I said, I guess.
07:33 I have no idea what I'm doing, but I'll try.
07:35 And so my first project, for better or for worse, was an online banking app that was written in C#.
07:40 And I was like, are you guys sure you want me to build this?
07:43 I was like 20.
07:44 That's so interesting.
07:45 I remember the first time I wrote a credit card processing, I was paranoid.
07:50 I had a hard time being relaxed.
07:53 I'm like, what if I get it wrong?
07:54 What if I charge them $10,000 instead of $100?
07:58 Because I thought it took cents and it took dollars.
08:01 It was really nerve-wracking.
08:02 And that's a hard first project.
08:05 When it was me and one other guy, and he had a lot of – he was a 15-, 20-year guy.
08:08 But I would ask him questions and he was just like, yeah, no, it sounds fine.
08:12 I thought, you seem very relaxed about this whole thing.
08:15 And it was an app for high net worth individuals to go and manage their insurance accounts.
08:21 So I guess there weren't like transactions necessarily happening, but you could reinvest your life insurance policy and stuff.
08:28 I mean, I was terrified every day I went to work.
08:32 And this guy, we hired a guy, a consultant to come in and help.
08:35 And my boss said, well, you're 20, so you're not going to get your own office.
08:39 And he's a consultant and he's not going to get his own office.
08:41 So you two are going to share an office.
08:44 And so I sat at a desk with a tower of Mountain Dew cans in between me and him.
08:47 And he would poke out once a day and he'd go up and write a concept on the board like, you need to go learn about interfaces in C#.
08:55 And I said, okay.
08:55 And I'd go figure it out and learn about them and come back a couple days later and say, okay.
09:00 But it was really interesting.
09:02 It was sort of a trial by fire.
09:03 And then I started working, you know, doing enterprise dev at different places.
09:06 And then I got really into Azure about 10 years ago and built an app with a friend.
09:11 I told Christos, I don't know if you can still call it a startup when it's nine years old, but I guess it's still a startup because it makes about as much money as a startup.
09:19 I was actually thinking about that just the other day.
09:21 I saw headlines like, when does a startup stop becoming a startup?
09:24 It's odd that that label, like it's applied to it.
09:26 I feel like people almost consider Facebook and these types of places a startup.
09:31 Like this is not a startup.
09:32 So let me just ask you, my theory is basically when you stop accepting VC money, it's not a startup.
09:40 And maybe it might not be a startup when, even when it's small, if it doesn't have like some of these attributes, like high growth, sort of user growth.
09:49 Over profit or profitability.
09:51 I feel like there's some sort of metric you can say, like this world makes these attributes make it a startup, not just a small business or a large business.
10:01 I don't know.
10:01 What do you think?
10:02 Yeah.
10:02 Well, by that definition, let's see, growth over profit, VC money.
10:08 So we've had none of those things.
10:09 Exactly.
10:11 But I think we called it, we used to call it a startup because it was only two of us and it was technology focused.
10:17 It was all about, it was actually, it was a proxy.
10:18 Yeah.
10:19 I think it qualifies.
10:20 Sorry for the diversion.
10:21 Keep going.
10:21 No, no, that's okay.
10:22 But I learned a whole lot.
10:23 I learned a whole lot because I was building software outside of work.
10:26 And it was, I think for me, when we had people start paying to use it, it was sort of like the light bulb went off of like, hey, maybe I should, like, maybe this is it.
10:34 Maybe I do have some talent here and I should do this more often.
10:36 Yeah.
10:37 It's kind of like an external validation, which was cool.
10:39 And started doing cloud consulting for people too.
10:43 So I worked for a consulting firm and we would go to customers that wanted to use Azure or were interested in it and say, hey, this is how you use it.
10:50 And these are ways to get started.
10:51 And here's how you design apps that are going to scale to one node or 5,000 nodes.
10:55 And a lot of patterns and how do you deal with consistency and data and that sort of thing in a cloud environment.
11:02 Of course, back then, it was the Wild West.
11:04 We had some customers using AWS.
11:06 We had some customers using Azure.
11:08 We had some customers that were calling Rackspace the cloud, which that's cool because back then they were about the only other thing out there.
11:14 And then I came to Microsoft and did pretty much the same thing, but focused on Azure.
11:18 And a few months ago, right around the same time Christos did, joined the identity team for helping developers understand identity.
11:25 I think because as a developer myself, I know that I didn't care about identity until I started using it and realized, oh, if I don't have to deal with this on my own, I'm sold.
11:34 I don't want to do this.
11:35 I'm sort of, this is what I want to do.
11:37 Yeah.
11:37 And then seeing how many projects got completely sidetracked and blocked and had so many issues with identity because, you know, we have a, we're sort of a funny saying that we hear people say around our division of, we need to talk to identity developers.
11:50 I was like, well, 1,500 identity developers in the world work for us because they care about identity and they want to build an identity system.
11:57 Most of our customers don't want to build an identity system.
12:01 They want to build an app and identity is the third checkbox in the list that they want to check off and get back to the other 200 tasks they have to do.
12:08 Yeah.
12:08 Well, it's one of those things that you have this idea, like, I really want to build this thing.
12:12 It will be amazing.
12:13 And nobody ever goes, and I want to have a super cool login or I want to have a really fantastic secure header exchange with my API.
12:22 Like, nobody wants that, but you can't release the thing without an account and identity and, or some sort of authentication.
12:30 Right.
12:31 And it's, it's also, you talked about being nervous around the banking stuff.
12:35 And so did I rightly so, but this is another one that will make you a little uncomfortable.
12:40 If you get it wrong.
12:41 Oh yeah.
12:42 You know, you could end up in the news in the wrong way.
12:44 You don't want that to happen.
12:45 Yeah.
12:45 We want you to be out of the news.
12:47 So we have lots of companies out there that make the news every week for this exact reason.
12:51 I think Troy Hunt, I don't know if you follow Troy Hunt, but he's a big security.
12:54 Yeah.
12:55 Troy Hunt has been on the show previously.
12:57 Nice.
12:57 Quite a while ago.
12:58 But yeah, Troy is fantastic.
13:00 He does
13:01 Have I Been Pwned.
13:02 And he's a really good, he has a bunch of good ideas around what it means to proper security as a developer.
13:07 Yeah.
13:08 Yeah.
13:08 But he's, Have I Been Pwned, right?
13:10 What, nearly 10 billion accounts have been compromised and made it to the news.
13:15 So we don't want our developers or their companies to make it to those news, right?
13:20 We want them to make the news for good reasons like growth or whatever.
13:22 But from a security perspective, it's very hard to get the authentication, right?
13:26 It's very hard to get authorization, right?
13:28 Especially if you're rolling it down yourself.
13:30 And I've done this in the past.
13:31 I am guilty of that.
13:32 And I can tell you I've built an awful system because I was learning as I was going and it was an internal app.
13:37 So no big deal there.
13:39 However, I just know how hard it is to do it yourself and do it right.
13:42 Especially in the era of the internet where there are so many challenges out there.
13:47 You put your app out on Azure or AWS, it becomes a public target whether you want it or not.
13:52 You say that.
13:53 But it's hard to appreciate how quick or how soon it becomes a target.
14:00 So for example, if I open up any of my web apps, the training website or the podcast or whatever,
14:06 and I just tail the log of like these are the requests coming straight into it.
14:10 It's less than a minute before I see somebody requesting like /admin, like /wp-admin, like login.php or some other random, like, well-known access point just constantly.
14:23 And the thing is not built in WordPress, but it doesn't matter.
14:26 They're just pounding on any open endpoint that they can find to just start hitting it.
14:31 So when you say that, it's, that's probably within the first minute, at least once it becomes a well-known
14:36 IP address that is a host.
14:38 Yeah.
14:38 There's a funny story that goes with that.
14:40 So, my website runs on Ghost, which is a lightweight kind of a platform for creating blogs.
14:46 And yeah, I was working on that.
14:48 And a friend of mine said, why are you deploying manually the files?
14:51 You should just put it on GitHub and then have a GitHub action that pushes it straight into Azure.
14:54 I'm like, oh, that's a great idea.
14:55 And I pushed my solution to Azure.
14:58 Now inside Ghost, there's a SendGrid section, which allows you to send emails if people subscribe or whatever.
15:04 And I forgot the live settings in that file.
15:07 So I pushed to GitHub.
15:08 I put in the public repo.
15:09 I go to sleep.
15:10 I get up the next morning.
15:11 I get an email from SendGrid saying you hit your, I can't remember.
15:15 I think it was two, 25,000 emails limit.
15:18 I was like, that's fantastic.
15:19 I went viral overnight.
15:20 That's brilliant.
15:21 And then I continue reading the emails.
15:23 Some of the reasons why this may happen is you disclose credentials, check your GitHub.
15:28 At that point the light bulb went on and thankfully I was still on the free tier.
15:32 So I didn't have to pay anything, but just the stupidity of me putting these things out there.
15:36 And developers do it all the time.
15:37 We see RSA keys on GitHub.
15:39 We see SSA keys for secrets or API, whatever.
15:43 We don't want developers to do that.
15:44 And it's a very easy mistake to do.
15:46 So there you go.
15:47 It's super easy.
15:48 And it is much like I spoke about, like within the first minute you publish your site, it's going to start getting hammered on.
15:55 Have you guys heard of shhgit?
15:57 No.
15:57 S-H-H-G-I-T?
16:00 No.
16:00 So this is shhgit.
16:02 I think it's a play on like, oh my goodness, git.
16:05 But also secrets git.
16:08 It's a thing.
16:09 I'll put it in the show notes or something.
16:10 But it finds committed secrets and sensitive files across GitHub, Gist, GitLab, and Bitbucket, or your local repositories in real time.
16:18 Wow.
16:19 And so there's like a continuous stream.
16:21 This thing, it hooks into...
16:23 The public API for these things?
16:25 It hooks into like the public API for like changes to public endpoints on GitHub, basically.
16:30 And it just, yeah, it's the real-time feed API.
16:33 And it just watches those.
16:35 And anytime it sees something come in, it just grabs like the secret keys and the auth keys for...
16:41 I'm looking at it.
16:42 ...Azure, AWS, GitHub.
16:43 It's super disturbing.
16:46 So, yeah, I mean, it's not like, oh, whoops, I have...
16:49 Somebody found my repo and this happened.
16:51 Like, no, it's like a live stream that was probably captured from that.
16:56 And so it's not good.
16:58 Well, I think the way we look at it is like security sort of starts with the identity.
17:02 If you can't secure the identity, then your app sort of...
17:04 Your app can never be secure, right?
17:06 If you can't reliably know who people are and what they can do, so...
17:09 Yeah.
17:09 And it's worth throwing out.
17:10 Like, you could end up on Have I Been Pwned.
17:11 Very likely.
17:12 Not because necessarily identity directly, but SQL injection, other badness.
17:17 But nonetheless, identity is the first gateway.
17:20 So let's talk about identity.
17:22 You know, when I hear about people talk about security, they say the three A's.
17:26 And identity, even though it doesn't have an A in the word, maybe is part of that.
17:31 We've got a fourth A, but I guess we'll start with the first three, right?
17:37 All right.
17:37 Tell me about the fourth A, because I only know where the three is.
17:39 So I'm excited to hear.
17:40 I'm going to learn something today.
17:41 So we have authentication, right?
17:44 So we need to know who the user is.
17:46 So when we authenticate somebody, we say, hey, we know user ABC, John, is the John that we're
17:52 expecting from a trusted provider or with certain properties.
17:56 We can authenticate them correctly and in a way that we can trust.
18:00 Right.
18:01 The second big one is authorization.
18:03 So authorization is all about, now that I know who John is, what can this person do in the app?
18:09 What type of data can they?
18:11 Right.
18:12 Are they an admin?
18:12 Can they create invoices?
18:14 Can they view them?
18:15 Are they just allowed to like, I don't know, something else?
18:18 And what can they view?
18:19 What can they do?
18:20 What kind of actions can they take on that data?
18:22 But then we get into auditing.
18:24 So you know what's been happening.
18:26 And that's the third A.
18:27 So logging, be it identity system logging, your app logging, all of those logs and correlating
18:33 them together so that you can either be alerted when something sideways is going on or so you
18:38 at least know what's happened historically when you're investigating an incident or something
18:42 like that.
18:43 The fourth one is access control, which is actually enforcing control to what people have access
18:49 to.
18:50 And usually that falls to your app, but lots of different identity systems, third
18:55 party identity systems have ways to enforce that access control themselves too.
18:58 Right.
18:59 You hear like exchange of claims, things like that potentially, right?
19:02 Yep.
19:03 Like the identity provider says you have this, that you claim this right or something, even
19:07 though it's not necessarily built in your app, your app kind of trusts it.
19:09 Right.
19:09 And that's the whole point is a way for an app to say, I'm going to let somebody else handle
19:14 the authentication bit for me and maybe even the authorization bit.
19:18 I'm going to let them do it and send you back to me with this package of data, some package.
19:24 It could be a set of claims.
19:25 It could be a JWT and claims in the JWT, but it could be something else completely opaque
19:31 and arbitrary.
19:31 It doesn't really matter how it's done or what the package looks like.
19:35 What matters is that when you get it back as the developer, you can validate that it's
19:39 true and that it's real.
19:40 And it came from where you expected it to come from.
19:42 This portion of Talk Python to me is sponsored by Linode.
19:47 Simplify your infrastructure and cut your cloud bills in half with Linode's Linux virtual machines.
19:52 Develop, deploy, and scale your modern applications faster and easier.
19:56 Whether you're developing a personal project or managing large workloads, you deserve simple,
20:01 affordable, and accessible cloud computing solutions.
20:03 As listeners of Talk Python to me, you'll get a $100 free credit.
20:07 You can find all the details at talkpython.fm/Linode.
20:11 Linode has data centers around the world with the same simple and consistent pricing regardless
20:16 of location.
20:17 Just choose the data center that's nearest to your users.
20:20 You'll also receive 24-7, 365 human support with no tiers or handoffs regardless of your plan
20:26 size.
20:27 You can choose shared and dedicated compute instances, or you can use your $100 in credit
20:32 on S3 compatible object storage, managed Kubernetes clusters, and more.
20:37 If it runs on Linux, it runs on Linode.
20:40 Visit talkpython.fm/Linode or click the link in your show notes, then click that create
20:45 free account button to get started.
20:49 I'm starting to feel like these identity providers, they're almost like one of the first microservices.
20:54 Yeah, for sure.
20:55 They're like a separate place you go, but then your app sort of talks to them and so on, kind
21:00 of before microservices were cool, before they were not cool again.
21:03 But pretty interesting.
21:07 So the four A's, access control there on the end, and the first A, I feel like that's
21:11 identity, right?
21:12 Who are you?
21:12 Yeah.
21:13 How do you prove to me you are who you say you are?
21:16 Well, a complete system, like a complete identity provider will give you all four A's because
21:21 just authentication is slightly incomplete.
21:23 But yeah, you're right.
21:24 I mean, when we talk about identity, maybe we refer to who you are to start with.
21:28 Right.
21:29 So that's a good question, right?
21:30 Like, what does identity mean when you maybe are talking about like, well, what does our app
21:34 need?
21:35 What mechanism should we choose to provide identity, right?
21:39 Like that, you got to be talking about the same thing so that you have to decide on the
21:44 same trade-offs.
21:44 I think that's worthwhile.
21:45 True.
21:46 So let's start at the beginning.
21:48 Like, let's say mostly the beginning, I care about the first A and I just want something
21:53 simple.
21:53 So I'm just going to create a username password field.
21:55 Like, this is still the most common way, I think, that logins happen on the internet.
22:00 Oh, yeah.
22:01 Yeah.
22:01 There's a lot of people saying that the usernames and passwords are going away in different ways.
22:05 I know.
22:05 I think even Microsoft is working on something.
22:07 You've got YubiKeys.
22:08 Like, YubiKeys scare the daylights out of me.
22:11 Like, I love the idea of the YubiKey.
22:12 But what if I lose it?
22:14 It's like a password vault, but I can't get it back.
22:18 I know there's probably some mechanism where I can, I don't know, get it back.
22:22 But there's other things other than passwords.
22:24 But let's talk about username and password just for a minute.
22:26 Because I feel like a lot of people are going to start there.
22:28 Yeah.
22:28 They're going to say, well, we're going to need users.
22:30 So let's have them have a password.
22:32 We're going to put up a dialogue or some kind of page that says, log in or create an account.
22:37 Did you forget your account here?
22:38 Enter your email address and we'll send you one.
22:41 And that almost always has to be the very second feature.
22:45 The very next feature you implement is, how do you reset your password?
22:49 Because it's incredible how frequently people forget their passwords.
22:53 Have you spoken to my wife?
22:55 Because she drives me crazy.
22:57 We have a password manager for the house.
22:59 We use Bitwarden these days.
23:01 And there are lots of different tools out there.
23:03 Okay.
23:03 But for the last 10 years, I'm trying to instill in her that she should not be using the same password everywhere.
23:08 Yes.
23:08 And when she doesn't do that, she doesn't record what password she uses.
23:12 So she always resets the passwords when she needs to go somewhere.
23:15 The problem is that not every site is optimized to respond real time.
23:19 So you might say, I forgot my password.
23:20 And then you don't receive an email for two hours or two days.
23:23 So you can't use that site until you get the recent password email.
23:26 So I'm trying to say to her, like, please don't do that.
23:29 Just use our password manager.
23:30 So lately, thank God, lately, in the last six months, she started using Bitwarden.
23:34 Yeah.
23:34 And then I checked her Bitwarden account.
23:36 And I saw that most of the passwords were very small variations of the same password.
23:40 Like, there's a way to automatically generate very long passwords.
23:43 Yes, I know.
23:44 Not the long passwords that John is using, because I think he's like 90 characters long.
23:48 But for me, 24 characters randomized through a tool is great.
23:53 Sorry.
23:53 Yeah.
23:53 Let's go back to resetting passwords.
23:55 Well, I think what you're talking about is super interesting.
23:57 A lot of people say that username and password are kind of broken and they're not going to work
24:01 for the reason that you kind of just laid out with your wife.
24:03 On the other hand, if you use something, so I use one password.
24:06 We're a one password family over here.
24:08 But people talk about the challenge of logging in.
24:11 And I'm going to get to the developer side of this quick.
24:13 But I just want to riff on this because it drives me crazy.
24:15 Like, oh, this username and password, I can't use it.
24:17 What I want is some kind of bio-authentication.
24:19 I want a YubiKey or something like that.
24:20 And to me, my experience of logging into a website is I go to the website.
24:25 I hit command backspace.
24:26 That auto fills it.
24:28 Either it auto fills it or it'll say you have to log in.
24:30 So I put my finger on the fingerprint reader on my Mac and then it auto fills it.
24:35 So to me, my login is there's stuff that happens in the middle.
24:38 That's usually like a 30 or 40 character thing that exchange with the site.
24:42 But to me, it's I put my finger on my Mac and then I log into the site.
24:45 Yeah.
24:46 So that's an interesting thing, I think.
24:48 Yeah.
24:48 The user experience and security are sort of in direct conflict with each other, right?
24:53 They often are.
24:55 So when it's a miserable experience to add MFA, for example, like multi-factor to your phone
25:02 or YubiKey or whatever, when that's a miserable experience, nobody uses it.
25:06 So like my parents literally have a physical book that they've written their passwords
25:10 in.
25:11 So in some ways, it's kind of, yeah, somebody's got to break into their house to get it.
25:14 It's so interesting because people say you should never write down your password.
25:17 Like the last thing I'm worried about is someone physically seeing my written password.
25:21 And so, yeah, exactly.
25:23 Like I am so paranoid of a virus or something getting into my computer or sniffing network
25:29 traffic.
25:29 Like the notebook actually seems pretty safe as long as you're not reusing the password.
25:34 Yeah.
25:34 To be honest.
25:35 But they still reuse the password.
25:37 And then like.
25:38 Yes, that's the problem.
25:39 Netflix.
25:40 And not to call Netflix out specifically, but I encountered this a lot.
25:43 I've got like some crazy password that LastPass generated.
25:48 Apparently, we all use different password managers.
25:50 I have some crazy password.
25:51 Sorry, we can still get along.
25:52 It'd be like a fight like from Anchorman or whatever.
25:55 But I've got this, you know, 900 character password or something silly.
26:00 And I went to a hotel and it's like, hey, use your Netflix account in the hotel.
26:04 I was like, oh, that'd be fun.
26:05 And then I hit the login button and it says, oh, type in your password.
26:08 I'm like, no, I'm not going to type it in.
26:10 Probably with the remote control.
26:12 With the remote control.
26:13 Right.
26:14 So I immediately pulled the plug on that and said, well, I guess I'm just going to the
26:18 bar or something instead.
26:19 And but that experience is the same even when you're at home on your own TV.
26:23 And so people end up shortening their passwords to something they can remember, something that's
26:27 easy to type in on a remote control, which is why you see most of those services moving
26:31 to a web based thing where you go to a specific website, type in a short code.
26:35 And the one time code is what connects your account to your TV.
26:39 Yeah, that's a nice system.
26:40 Yeah.
26:40 Because then all of those other things like, oh, you're we don't know who you are.
26:44 You should use your multi-factor or you were going to send you a text message to make sure
26:48 it's you.
26:48 All that can happen on your phone and it doesn't have to be implemented for the device.
26:52 Right.
26:53 And then your phone already knows who you are.
26:54 You're already logged in.
26:56 So on the developer side of this username and password, I think the username and password
26:59 story is pretty straightforward.
27:00 And I don't know it's necessarily to be discounted because for a lot of simple things, it kind
27:05 of it does make sense as opposed to a Facebook login.
27:08 But it's not it shouldn't be discounted.
27:10 But the challenge there is that it is not just the username and password that you need to store
27:15 somewhere and then bring back and validate that when the user inputs the username and password,
27:20 it's the correct one.
27:21 It's all the other things that happen around that.
27:23 So for example, password reset, how do I do my password reset?
27:26 So as a developer, now you have to implement it.
27:28 Yeah.
27:28 Adding MFA.
27:29 I'm not joking.
27:30 It literally gets used like the first 10 minutes you launch an app.
27:33 Yeah.
27:33 Right.
27:34 Exactly.
27:35 You're just gone here.
27:37 It's never existed before.
27:38 Why are you resetting your password?
27:39 But no, it happens.
27:40 Yeah.
27:41 That one.
27:43 And then it's the MFA if you want to do that.
27:46 And if you want to add a notification, so you have to integrate SendGrid or whatever tools
27:50 you want to use.
27:51 Yeah.
27:51 So it shouldn't be discounted, especially if you're writing a simple app.
27:54 But at the same time, like I tried when I went back in 2007, I was implementing that solution
27:59 I mentioned before.
28:00 I had to implement incremental backoff for if you enter your password too many times and
28:05 then you're not the right one, then you have as a developer to manually roll that aim.
28:10 Now, how do you do it efficiently and how do you protect your app from...
28:14 In fact, I was listening to Troy's podcast back then.
28:17 I was like, oh, yeah, he's got some blog post that explains how to do it and why you should
28:20 be doing it.
28:20 Right.
28:21 Let's go and do that.
28:22 But if I hadn't heard Troy saying that, then my website would be vulnerable to or prone to a
28:29 password spray attack or a brute force attack.
28:30 Yeah.
28:31 So...
28:31 Yeah, for sure.
28:32 Absolutely.
28:32 You can do it, but it just requires a lot of steps beyond just a simple username password
28:38 implementation.
28:38 Yeah.
28:39 So I think we're going to move off of this one and to the next level.
28:41 But before we do, I just...
28:44 I would feel remiss if I didn't talk about passlib in the Python space.
28:47 Passlib is so incredibly awesome.
28:50 Because another thing that you got to talk about is how do I store that password?
28:55 It had better not be in a VARCHAR 16, the length of my password and just going straight
29:01 in there, right?
29:01 It had better be at least hashed.
29:04 Yeah.
29:05 And not with MD5, but with a complex hash like bcrypt or a SHA512 or something like that.
29:11 Then you probably need to mix in salt, which is instead of just hashing the text, you also
29:15 hash like a random other bit of text.
29:18 So you can't do rainbow lookups on it, rainbow tables.
29:21 And then you need that to be computationally expensive for guessing, just like you were
29:25 talking about, right?
29:26 So passlib is awesome because it does all those things, but then it also folds the hash back.
29:31 So when you say hash this, it doesn't do it once.
29:33 It creates the salt, it hashes it.
29:35 And then it does it by default 150,000 times, takes the output, feeds it back in, takes the
29:40 output next time, iterates it 150,000 times.
29:42 That's the answer.
29:43 So it's computationally expensive to guess if you ever have, which is beautiful, I think.
29:49 So if you're going to go down it, consider if not using passlib, the ideas encapsulated
29:55 in it as a really good idea.
29:57 Yeah.
29:57 I mean, the net of that, and probably the theme you'll hear over and over from us today is
30:02 don't write that library yourself.
30:04 Yes.
30:05 Don't write your own passlib.
30:08 Let people who understand the cryptography behind making it computationally expensive, let
30:13 them do it because there are a whole lot more eyeballs and a whole lot more sort of skill
30:18 sets involved in getting those libraries out the door than anyone.
30:22 We shouldn't expect a developer who's building an app to necessarily be super, super deep on
30:28 what's the best hashing algorithm for me to use for a password or God forbid, try to implement
30:34 it on their own because it's just, there's too much risk for bugs.
30:37 And in fact, so many of the breaches that we see, they end up pointing back to some homegrown
30:43 system that was either completely built from the ground up to be sort of rolled on their
30:47 own or was maybe used a library here or there, but ultimately had some sort of critical flaw
30:53 in the path of hashing passwords.
30:55 Right.
30:56 It may start with one of these, well, I don't trust that third party library to do
30:59 our encryption.
31:00 That's exactly how it starts.
31:03 That's always how it starts.
31:04 It's the same with the frameworks, right?
31:05 I don't trust the .NET framework.
31:07 I'm going to roll out my own framework on top of .NET just to prove you guys.
31:10 Yeah.
31:11 Yeah, exactly.
31:12 Yeah, exactly.
31:13 For sure.
31:14 There are one silence just to finish on this one.
31:16 I don't mind people building their own stuff, like their own username and passwords using
31:21 existing libraries, but it does require some basic knowledge of certain things.
31:26 Like today you can walk into a room of developers and ask them to explain the difference between
31:30 encryption and hashing and half of them will get it wrong.
31:32 Yeah.
31:33 Because I've been in companies where they say we have secure passwords, we're encrypting
31:36 them.
31:36 And like, no, no, that is not secure.
31:39 And let me explain why.
31:41 So yes, do it if you want to play with that, but just make sure you know that the terminology
31:45 and what you need to do.
31:47 Yeah.
31:47 That's always an option.
31:48 A huge red flag for me is when I go to a site.
31:51 Yes.
31:51 And it says it has an upper bound on the length of the password.
31:54 Yes.
31:55 The password has to be less than 16K.
31:57 It's like, wait, wait, wait, wait, wait.
31:58 Because when you hash it, it's always the same size.
32:02 It doesn't matter how big the input is.
32:03 Exactly.
32:04 Yep.
32:04 So you must be mapping that text to something where it directly relates to the size of it.
32:09 This is disturbing to me.
32:11 Yeah.
32:11 What's worse?
32:12 It's when it's the company you pay your mortgage to every month.
32:14 Oh.
32:15 Yep.
32:15 Oh, my bank has like a 12 character limit.
32:18 I'm like, what is going on?
32:20 Mine's the same way.
32:21 This is insane to me.
32:22 It needs to be between eight and 12 characters.
32:24 It's like eight and 12.
32:25 Way to reduce the attack space considerably for the person guessing passwords.
32:29 Jeez.
32:30 Exactly.
32:31 Why don't you just tell them my social security number?
32:34 All right.
32:34 All right.
32:35 So I want to talk about some of the other stuff where you sort of delegate or transfer some of this identity, maybe to a federated identity or some sort of social authentication or just a central identity service that you have at your company that then powers your other apps.
32:52 And there's a bunch of different pieces in here.
32:55 And I have no idea where to fit them together, honestly.
32:57 We have OAuth.
32:58 And there's OAuth 1.
33:00 And then that became sort of outdated.
33:02 So there's OAuth 2.
33:03 And then we have OpenID Connect.
33:05 What's the relationship?
33:06 All these things.
33:06 Like, where do these fit into the world?
33:08 You guys tell me about this.
33:09 Tell us all about this.
33:10 So OAuth 1 was the first attempt at a way for two systems that don't have any sort of inherent trust between them to talk to each other and have a little bit of trust.
33:22 And it was all centered around a user.
33:24 And so a user would say, hey, I want to give app ABC access to my data that's in app 123.
33:31 Very much like on your cell phone when your cell phone pops up and says, hey, this app wants access to your contacts.
33:37 Do you want to allow this to happen?
33:38 Right.
33:39 It's a very similar sort of mechanism.
33:41 And then OAuth 1.
33:42 But over the internet instead of like on the phone.
33:44 That's right.
33:45 But yeah.
33:46 And OAuth 1 was sort of quickly invalidated.
33:48 And then we had 490 or some ridiculous number of drafts of OAuth 2.
33:53 And then we finally got to OAuth 2.
33:54 But the thing about OAuth 2 is that it's purely an authorization framework.
33:58 It's all about giving app 123 access to app ABC's data.
34:03 It has nothing to do with the user, actually.
34:05 So you're not doing any authentication there.
34:07 The system is authenticating the user because it needs to know to whom you're giving access to your data.
34:13 But the application itself that you're using, say, the mobile app on your phone, doesn't actually know who you are in OAuth or OAuth 2.
34:21 It can access your data and it can infer a lot of things about you.
34:25 But the identity system is not actually telling you who they are.
34:28 So OpenID Connect is sort of a superset of OAuth 2.
34:32 And so OpenID Connect gives an application that extra token that says, hey, this is user ABC and this is their first name, last name, email address, you know, whatever properties that you want to send over.
34:43 And it's specifically intended for authentication to happen.
34:47 Okay.
34:47 Yeah.
34:48 Very cool.
34:48 What are some of the use cases, like concrete examples maybe that you see out in the world of these?
34:53 So we'll start with OpenID Connect because that's, in some ways, it's the more simple one.
34:58 It's the more basic one.
34:59 Yeah.
34:59 OpenID Connect is used for signing a user in to a web app, to a mobile app, whatever.
35:03 So let's say I've got a, let's say, let's say I'm going to my office mailbox in Office 365.
35:09 We might as well use a real example.
35:11 At least a few people have those mailboxes.
35:13 So we'll use one of those.
35:14 And so when you go to, when you try to go to Office 365 and sign in, it asks you for your username and password and you type those in.
35:20 And then those go off to what we have, which is Azure AD, some sort of centralized directory service.
35:26 That centralized.
35:28 This is super common in large enterprises.
35:30 They've got an active directory that like owns the definition of identity for like the whole company and everything somehow has to talk to it.
35:37 Yep.
35:37 Or same with your Gmail, right?
35:39 Let's use Google and let's use Gmail because that's probably, that's going to remove the confusion of organizational stuff for the moment.
35:45 So I'm just a guy with a Gmail account and I go to sign in.
35:49 Gmail itself is not actually doing any authentication because Gmail is one of 5 billion apps that, that Google has.
35:57 That they haven't deprecated yet.
35:59 So yeah, maybe next year.
36:01 There's a great Twitter account called what is Google killed or whatever.
36:05 I don't remember exactly what it was.
36:06 It started after reader.
36:08 I think reader was the, that was the tipping point for a lot of people.
36:10 Anyway.
36:11 So when I go to Gmail and I type in my username and password, it's the same experience every time.
36:16 I see that same classic Gmail or Google sign in window in the middle of the screen.
36:20 And I type in my username and type in my password.
36:22 And it's like accounts.google.com I think is the actual website.
36:26 And accounts.google.com plus this long URL that comes after it.
36:31 The part of that path of the URL is what has all the bits of data that the Google authentication system understands to know you're trying to go to Gmail.
36:40 So when I go and type in my username and password, the Google account system is the thing that checks my username and password.
36:46 It also checks the request and says, oh, you're trying to go to Gmail.
36:49 So I'm going to send you back to Gmail.
36:52 I'm going to redirect you to mail.google.com, for example.
36:55 And I'm going to have a specific chunk of information that I send along with you.
36:59 And usually it's in the form of an ID token, ID underscore token.
37:03 Okay.
37:03 And inside that ID token is a bunch of data for the application.
37:08 So in this case, Gmail to go look at and say, oh, okay, I know who this user is.
37:13 So I'm going to go look at my application database and pull back email and pull back tags and that sort of thing.
37:19 And so that's OpenID Connect.
37:20 And that's purely for getting signed into an application.
37:22 So now we're signed in.
37:23 So Gmail knows who I am and they can start showing me my email.
37:26 Right.
37:27 There's probably not really many rules around what you're allowed to do.
37:30 Like Gmail users just do this.
37:32 Right.
37:32 All right.
37:33 They read their email.
37:34 They send email.
37:34 But just what data do you have access to?
37:37 Not can you administer Gmail for other users and stuff like that?
37:41 Like that's not a thing.
37:42 Right.
37:42 Better not be a thing.
37:43 Well, and so sort of as a part of that, though, is that there may be an administrative interface in Google.
37:49 You may have access to somebody else's mailbox.
37:51 You may have access to something, some extra functionality.
37:54 Yeah.
37:54 And like the business version of Google, their apps, Google apps.
37:58 Yeah.
37:58 So once you're signed in, Gmail itself, the Gmail app doesn't know my username and password for Google.
38:06 It doesn't.
38:06 I never gave it to Gmail directly.
38:08 I give it to the Google account system and the Google account system authenticates me and checks my password and maybe prompts my phone or whatever.
38:16 And then it sends back this blob of data to Gmail.
38:19 And because Gmail trusts the Google account system, it can validate that, oh, the Google account system actually wrote this, actually wrote this token because it's got their signature on it and make sure that it's valid.
38:31 And then let me into my email.
38:33 That validation process is fairly standard for most things, for most JWTs, for example.
38:39 See, I can't talk about Google with a Google phone sitting next to me because it thinks I'm talking to it.
38:44 Here's some things I found for you.
38:46 Let me check that on the web.
38:47 Sorry, I can't do that right now.
38:50 That's probably the most common response.
38:51 But the thing about it, though, is that Gmail system has to validate that the token came from the Google account system.
38:59 And typically we do that in the JWT world where you get a JWT, a JSON web token.
39:04 Typically, those are signed.
39:06 So there's a cryptographic signature that sits at the end of that.
39:09 And the identity system, the Google account system, for example, publishes enough data for Gmail to go and check that key and make sure that it was signed actually by the Google account system to say, yeah, we know that this came from the Google account system, so we can trust it.
39:24 All right.
39:24 That way, you know, it's not being faked or man in the middle sort of thing.
39:29 But then you already trust that service and then you can verify everything you got from it was not tampered with.
39:34 That's right.
39:35 Cool.
39:35 All right.
39:36 Let's go next to federated identity.
39:37 So what you've talked about so far is one app doesn't want to do the identity management itself because how painful would it be to log into your Google calendar with a separate account to your Google Docs with a separate account?
39:51 Right.
39:52 You just want to have a Google account and then log into these things.
39:54 But a lot of times there might be some app that is calling, say, an API, and then that API wants to call another API carrying forward that same identity or something along those lines.
40:06 Right.
40:06 I want you to be able to log into that system, which then allows you to log into effectively delegate that identity to an external system.
40:12 I'm like, I don't know if this actually works, but I want to log into my corporate account, which then allows me to log into my business Dropbox account by just virtue of being on the network.
40:22 Right.
40:23 Or I want to be able to log into my corporate account and then take Talk Python courses by just passing that identity along through federated identity.
40:30 Right.
40:30 Yeah.
40:31 Correct.
40:32 Well, the key is you're never passing the identity along.
40:35 And logically we are, but technically you never are.
40:39 So let's go back to Google for a second, to Gmail.
40:41 Okay.
40:42 So your Gmail has the option to connect to your Outlook and pull your Outlook email into Gmail.
40:47 So when the Gmail front end, when the app that you're using needs to connect to that service, that service is going to require some kind of authorization from the user.
40:57 For the user to say, yeah, I want the Gmail app to be able to go and talk to, or to be able to read my email.
41:03 In order to do that, when we're calling the effectively the Outlook.com API, for lack of a better term, we need the user to go and approve that request and say, yeah, I want to do that.
41:13 Which is typically called consent.
41:15 And so when a user consents, they get the window that says, hey, would you like to allow app 123 to access your data in this service?
41:22 In this case, would you like Gmail to be able to access Outlook?
41:25 When you click allow or yes, that's okay.
41:28 That's when a new token is issued.
41:31 So you as a developer of the Gmail application, you go and talk to the identity system for the other party.
41:38 So in our case, Azure AD and Outlook.com and say, hey, please give me a token for user 123.
41:45 And so if the user has gone through and authenticated correctly, that first API, the Gmail API, if we want to call it that, goes through a round, sort of a back and forth, with the other authentication system and says, hey, this is what the user provided.
42:00 Please give me a token for this next service.
42:02 And so each step in that service is typically called a sort of a that's a more of a traditional OAuth.
42:08 But each one of those steps needs to have its own token to talk to those downstream services.
42:14 Because if I tried to reuse a token for a different service, in most cases, most properly built OAuth services and APIs will reject that token and say, no, I didn't issue this token for you.
42:26 I issued it for this upstream service that you're trying to call.
42:29 Right.
42:29 OK.
42:30 And what kind of systems can you use to set up that the federated identity?
42:35 I know Azure has some federated identity thing like what that and what else?
42:39 There's Azure AD, of course, we offer.
42:42 There are others like Okta and Auth0 that are all sort of identity as a service.
42:46 So those are service providers who are offering a full holistic SaaS type thing, software as a service where.
42:53 Yeah, I'm on the fence about Auth0.
42:55 It looks interesting to me, but the pricing model looks like it could get out of control pretty quick for a lot of scenarios.
43:01 But it looks nice.
43:02 Every time I've looked at it, I've always been curious to the pricing, but I can't say too much because we work for competitors.
43:08 I don't want to say anything about it.
43:10 Yeah, you don't have to say anything.
43:11 But it's like you pay a little bit like the mail list companies like MailChimp and Drip and ConvertKit, all those things.
43:21 You're like, this should be pretty affordable.
43:22 And then all of a sudden you're like, why am I paying $400 a month just to have emails?
43:26 Yeah.
43:26 Maybe I should switch.
43:27 Oh, that one's $500.
43:28 So once you kind of get into these realms, I don't know.
43:30 I mean, I can't say exactly what it is, but it sort of felt to me like that.
43:34 Yeah.
43:35 Yeah.
43:35 Anyway, sorry, it's a bit of a diversion, but.
43:37 No, it's okay.
43:38 A lot of it depends on what the key is for pricing.
43:40 Like the way that we bill is for certain features, the way that other providers bill might be for certain like number of users or number of applications.
43:50 There are all sorts of different metrics that the different providers bill on.
43:53 And it just kind of depends on what you're doing as to which one of those metrics makes the most sense.
43:57 Yeah.
43:58 Yeah.
43:58 And just to like set the context for people, I didn't want to be fair to Auth0, but also let people know.
44:02 So I just looked at their pricing.
44:04 They're up to a thousand users, which is not a lot.
44:07 Like if I, you know, like Talk Python Training is way more than a thousand users, $23 a month.
44:12 But just 5,000 active users is $1,000 a month for identity.
44:16 Oh, that is a lot.
44:18 Like if it's, yeah, if it's over 7,000, like you got to get in touch.
44:21 So anyway, that's a high burden to carry on top of like your other expenses and trying to run a business when you're starting out or whatnot.
44:29 So anyway.
44:30 Yeah.
44:30 That's what I thought when I was thinking of that.
44:32 I guess in fairness, I should say that our consumer identity product, which is called Azure AD B2C, your first 50,000 monthly active users are free.
44:40 Yeah.
44:40 So you can start using that immediately.
44:42 And once you have 50,000 monthly active users, maybe you've got a good problem anyway.
44:47 And spending, you know.
44:48 Yeah, exactly.
44:49 Spending a couple of bucks on an identity system won't be a big deal.
44:52 Yeah, for sure.
44:52 And one of the things about these systems is that the convenience that you get of not you having to manage the deployment, the maintenance and the scalability of the system.
45:01 So whichever identity provider you go to, depending on your choices, hopefully you'll come with us.
45:06 But, you know, that's not a prerequisite.
45:07 I would rather have a developer say, you know, we're going with X provider because we want to do right rather than us having to go and put out fires because they did their own thing.
45:16 But whatever you do, there's always this kind of a trade-off where I don't have to roll it out myself.
45:22 And I know that these companies are dedicated to doing that.
45:25 And you get to pay a little bit more to get that convenience out.
45:29 So security is always this kind of a trade-off where do I pay for it?
45:33 And there's no 100% security.
45:34 So as close to 100% you get, that's great.
45:37 Yeah.
45:37 And it's with everything.
45:38 I think where the really interesting value comes in is the integration between other identity providers, right?
45:45 Like you can kind of do username, password yourself all you want and it's okay.
45:48 But like once you're like, well, we're going to talk to this system and then we want to integrate with their identity.
45:52 Like all of a sudden it explodes in complexity.
45:54 And we were talking about, you kind of got to do a little work to do your own username, password stuff.
45:58 You should never try to do this.
46:02 Like the cryptographic exchanges and stuff in the back and forth.
46:05 It just, it's insane.
46:06 Some of this.
46:07 So like, you don't want to mess with this, right?
46:09 Yeah.
46:09 Not by hand.
46:10 I had a customer I worked with a while back and they had a really old legacy app that was ColdFusion 10 and couldn't be moved past ColdFusion 10.
46:19 Impressive.
46:20 Yeah.
46:21 I was impressed it was still running, but they still had a server that would run that.
46:24 But the thing is, ColdFusion 10 went out of support before OpenID Connect became a standard.
46:30 So there are no libraries for OpenID Connect.
46:32 So we helped them write one.
46:34 And it's not for the faint of heart.
46:37 I mean, there's a ton of signing and cryptographic signatures that happen, both signing the tickets themselves and then reading them to make sure they're okay.
46:45 And it's certainly not something I'd want to do on a regular basis.
46:48 It's a high stress, high stress job, built writing identity code.
46:51 Yeah.
46:52 It's super frustrating to debug that stuff, too.
46:54 It's like, we don't validate the certificates.
46:57 Like, oh my gosh, why?
46:58 What is going on?
46:59 Anyway, like, I don't want to bring back pain.
47:01 So I'll go to a separate therapy session for this.
47:05 We should offer separate therapy sessions as a service.
47:09 Yes, you should.
47:10 For identity developers.
47:12 All right.
47:12 So let's make this concrete for everyone out there and doing Python programming.
47:17 There's a host of libraries that are available for you.
47:21 You could just pip install them and then go integrate them into your apps.
47:25 Not necessarily for the username password story.
47:28 Like, that's built into Django.
47:30 I talked about passlib and, like, integrating that's pretty easy.
47:33 But, you know, things like OAuth, OAuth2, and OpenID Connect and whatnot.
47:37 So one of my favorite places, when I have no idea what I'm doing in a corner of Python,
47:41 is to go to awesome-python.com.
47:44 And those are not all of the libraries in an area.
47:48 But those are libraries that have gotten submitted a certain number of times.
47:51 And once they cross a threshold, they're, like, popular enough to be in there.
47:54 There's my understanding how that place works.
47:56 So anyway, it's, like, kind of the popular recommended libraries.
47:59 And they have an authentication section.
48:00 So they've got an OAuth and a JWT section in here.
48:05 So let's just talk about some of the ones that you might use.
48:08 I mean, let's start with the Microsoft one, because you guys have an interesting B2C and Azure AD library for Python, right?
48:14 Yeah, that's correct.
48:16 I mean, for us, if you are going to use our identity system, then there are two choices.
48:21 And because we're built on top of open standards, we give you choices in how you interact with our system.
48:27 Now, if you are fairly new to our identity system and you haven't done any authentication before,
48:32 then we do give you MSAL for Python or MSAL for whatever ecosystem you want, right?
48:36 So it's not just Python, which follows the same standards that you should be following
48:40 and comes out of the box.
48:41 It comes with samples and everything else.
48:43 However, since we are abiding to open standards, there's a number of other auth libraries out there.
48:49 And as long as they're OpenID compliant and OAuth compliant, then you can use your own thing.
48:54 So you can bring your own libraries or you can use our libraries.
48:56 We just want to make it easy to get off the ground and implement the solutions.
49:01 So MSAL is the recommended for us if you're coming to Microsoft as a fresh greenfield project.
49:07 But there's a list of other ones like Authlib, Django, Auth.
49:11 There's a whole list, right, of other solutions there.
49:15 Yeah.
49:15 Yeah.
49:16 So there's a couple for Django.
49:17 I feel like Django has the biggest advantage here.
49:20 There's a lot of ones that are just like plug-in middleware type of things.
49:24 Whereas if you're in Flask or Pyramid or something else, you kind of a lot of times you're like,
49:28 all right, well, how do I take this random library and integrate it?
49:30 So we've got Django-Oauth, which has the moniker JustWorks for authentication in Django,
49:38 which is nice.
49:38 Nice.
49:39 It has all the authentication, right?
49:40 There's Django OAuth toolkit.
49:43 And it says it'll help you provide out-of-the-box endpoints, data logic,
49:48 to add OAuth2 capabilities to your Django projects.
49:51 I think both, maybe both ends actually as a provider as well, which is pretty cool.
49:56 You've got one that looks really flexible called OAuth Lib.
49:59 And this one's nice because it's a generic OAuth library, not just for, say, Django.
50:03 But the problem with the generic ones is you kind of got to understand, like there's the six chains.
50:08 There's like these five callbacks.
50:10 You've got a hook or whatever, which is a pain.
50:11 Yeah.
50:12 You don't want that.
50:13 You want just like, I do this and then I get the user.
50:16 So what they did is there's a bunch of people who have built wrappers for common frameworks.
50:20 So there's a Django OAuth toolkit, which wraps that.
50:24 There's the Flask OAuth and Flask Dance, which wrap this one.
50:29 There's Pyramid-OAuth Lib, which wraps it for Pyramid and Bottle.
50:32 And it says if you have another library like Sanic or whatever, some other random web framework,
50:37 and you want to add that, you could write a thin wrapper around OAuth Lib and then add that
50:42 to your framework.
50:43 So that's pretty cool.
50:43 Yeah, I think our library, we tried to balance sort of the Pythonic idioms so that it makes
50:50 sense if you're looking at it, if you're familiar with Python, that when you come to the library,
50:53 it makes sense how you use it, how you import it, how you integrate with it.
50:56 But our focus has been really strong on know how to use the library and not necessarily having
51:02 to be a super deep protocol nerd to understand how to use it.
51:07 So most of the API surface where our library is fairly, it's fairly light.
51:12 It's sign in user, get token quietly and get token by prompting the user.
51:18 There really aren't that many protocol details that are leaked out of there.
51:22 That's good.
51:22 Because, yeah, we want it to be as close to a just work kind of a scenario as we can.
51:28 And when you've got OpenID 7 and OAuth 9, you can just keep the same API.
51:33 Exactly.
51:33 Well, a great example.
51:35 So for a long time, there's been something called the implicit flow in OAuth.
51:39 And the implicit flow was the least secure flow of all of the ways you can use OAuth.
51:44 And there's a new thing, authorization code with PKCE, you hear called Pixie a lot, where
51:50 you don't need to worry about what the flow itself actually does.
51:53 It obviates the need to use the implicit flow.
51:57 So in apps where you have to use implicit today, you can use this Pixie-based flow tomorrow.
52:01 And we updated our libraries to use that.
52:06 And we were working on a JavaScript app the other day, and we upgraded the package.
52:10 Nothing else changed.
52:11 Then we started using Pixie, and we didn't have to change a line of code, which was awesome.
52:15 We just upgraded the package.
52:16 So yeah, that's super cool.
52:18 Yeah, nice.
52:18 So our maintainers do what they can to keep the API surface as generic and consistent as
52:24 possible in the sense that it's very focused on what do you need to do rather than how does
52:30 it need to be done?
52:30 Right.
52:31 Okay.
52:32 Yeah, that sounds great.
52:33 So one other place I want to give, one other library-ish, I guess library framework, I want
52:37 to give a shout out to in this space is FastAPI.
52:41 So for me, FastAPI is the hot new API framework in Python these days, right?
52:48 It's got fantastic support for async and await.
52:51 It's got really cool support by taking Pydantic data exchange models with validation and automatically
52:57 binding like a JSON post over to it.
52:59 But it also comes with OAuth 2 scopes directly built in.
53:03 So it lets you work with more fine-grained permissions and do many of the big integrations
53:09 with providers like Facebook and GitHub, Microsoft, they call it explicitly.
53:13 So yeah, so that's kind of built into the API there, which is pretty cool.
53:17 That's cool.
53:18 Yeah.
53:19 And I think because we're standards-backed, if a library is implementing OIDC, OpenID Connect,
53:24 or OAuth 2 to spec, they should work with our system and any other system really without
53:29 having to make any changes.
53:30 It all just comes down to configuration.
53:31 And it's also worth noting too that an API developer, someone who's building an API, their
53:37 concerns are going to be a little bit different than someone who's building, say, a web app that
53:41 consumes that API.
53:42 Because an API, I don't necessarily need to log into an API.
53:47 I need to validate a token that's coming in from some other client, a web client or a
53:52 mobile client or whatever.
53:52 And so the things that I'm concerned about more are, can I validate that this is a real
53:57 token?
53:57 And then what does the token allow this user to do?
54:00 Which is just a different set of concerns than say, I'm building a front-end web app and
54:05 I need to let a user sign in and then determine what they need to do and call APIs.
54:09 Yeah.
54:10 Because one of those, you're just receiving something you need to check.
54:12 And the other thing, you need to handle the actual acquisition of one of those tokens.
54:16 Right.
54:16 Which can get tricky.
54:17 Like that provider over there said their email address was this.
54:20 So I'm going to assume that I can identify them by that.
54:23 But is that really their email?
54:24 Because they could have lied to that place.
54:26 There's a lot of interesting stuff there.
54:28 So I think this gives us a pretty good range of the world in this identity space and some
54:34 of the libraries we can use.
54:35 But I definitely want to have a short conversation, especially with you, Christos, because we went
54:42 off on this before we hit record about depending on basically social media for your identity
54:49 in other places.
54:51 Right.
54:51 So that's, I want to go, like you go to places, you can create an account with a username or password,
54:56 or you can use Facebook, or you can use Twitter, or you can use Google, or you can use Microsoft
55:02 or whatever.
55:03 How does that make you feel?
55:04 You like it?
55:05 You're a fan?
55:06 I am partial to it, as we were discussing before.
55:09 I think it's a great convenience.
55:11 If you are creating a consumer app, you want your consumers to be able to log in.
55:15 So let's say your Walmart or whichever account, you want people to come into your shop and buy
55:21 with great convenience.
55:22 And I know a lot of people just don't use the right tools.
55:24 So they don't want to go and create a username and passwords for every single website.
55:27 However, yeah.
55:29 All right.
55:29 They have these thoughts like, oh, if I'm going to create an account here, how can I trust this
55:34 random thing on the internet to not like get hacked or lose my password?
55:37 Exactly.
55:38 To me, I don't feel that way because it's a 40 character randomly generated thing.
55:43 True.
55:43 If it gets lost, whatever, right?
55:45 But anyway, yeah, carry on.
55:46 Yeah.
55:46 But you're right.
55:47 I mean, I tend to avoid using my social media accounts for logging in.
55:51 First, because I don't remember which one I use where.
55:53 And that means that if I go to a site I haven't used in a year, like, did I use Google or did
55:59 I use Facebook?
56:00 And every time you actually go back and use a different social media account, it creates
56:04 a new account for you.
56:05 So you might log in with a new account and suddenly like, where's my basket?
56:09 Where are my orders from last year?
56:11 And what have you?
56:12 So it's a little bit confusing.
56:13 Right.
56:13 So a year ago you went in there and you said, ah, I feel like Twitter is the one I want to
56:17 use.
56:17 Yeah.
56:17 Right.
56:17 So you said Twitter.
56:18 And you created an account and it knows your Twitter.
56:20 And then you go back here and you're like, gosh, I could log in with Twitter, Facebook,
56:23 GitHub with all this.
56:25 Probably I chose Facebook and that is a totally different account.
56:28 It's as if you used a different username and password and you're like, well, what is this?
56:33 Right.
56:33 There's no, it drives me crazy.
56:35 There's no real record of that unless you hunt through like your authorized apps and your different
56:39 social media platforms to find it.
56:41 Correct.
56:42 So I can see the convenience there.
56:44 And I know that some people like to sign in everywhere with their Facebook account and they only have
56:48 that one.
56:48 But at the same time, it creates a bit of a lock in.
56:50 So if I decide to delete my Facebook account for whatever reason, if I decide to stop using
56:54 Google from now on, then that means everywhere I sign in with my Google account is now not accessible
56:59 anymore.
56:59 So I have to go and create a brand new identity for me.
57:02 So to people that like to use them, I would just say approach them with caution, but they're
57:06 more secure, right?
57:07 So you don't have to create a username and password all the time.
57:09 They do bring that access token to the app.
57:11 They do that secure exchange that we talked about earlier on.
57:14 So Facebook now is a trusted provider for my identity into the new system, which reduces
57:19 the amount of passwords.
57:20 But if you use the right tools, like a password manager out there, then I don't think that
57:23 should be an issue.
57:24 So I agree.
57:26 The danger is like, you're not going to have your password dumped on Have I Been Pwned and
57:31 like Hastebin and other random places.
57:34 If it gets hacked, if you use say face, let's just pick Facebook login, use Facebook.
57:39 But if you authorize 50 different websites with Facebook and your Facebook account gets
57:43 hacked.
57:43 Yes.
57:44 All of a sudden, like you've got a list of these are all the apps that you also can use
57:48 if you break into this one, right?
57:50 So there's like this, there's a bigger wall.
57:52 But if you scale it, there's a larger pile of goodies for the hackers to get ahold of on
57:57 the far side of it.
57:58 I tend to fall on the side of I might use a social login, but I usually create a username
58:03 and password either first if the site supports it or after I've done a social login.
58:08 Because that way, like I deleted my Facebook account the other day and then I had to create
58:13 it again, which was really made me sad.
58:15 But like, but me and my old account is totally gone.
58:19 And so anything that I had authorized there would be gone.
58:21 And Facebook's also a little bit of different of an identity provider because there are a
58:25 lot of apps that are a little bit malicious because you get a lot of data on Facebook.
58:28 And so for a while, it was sort of the wild west of, oh, you can sign in with your Facebook
58:32 account.
58:33 And then I'm also going to pull your friends list and your photos and all these extra things.
58:37 Yes, exactly.
58:38 So, you know, it's our privacy policies.
58:42 We work with this.
58:43 Oh, God, in the UK, but there's like some analytics.
58:47 Yeah, I don't know.
58:48 I mean, I forgot the name of the cup, but the whole one that around the DNC and not the DNC
58:52 hack, but like, oh, yeah, Cambridge, the one that happened like around there.
58:56 Yeah.
58:56 Cambridge Analytica.
58:57 Yes, Cambridge Analytics.
58:59 Yes.
58:59 Yeah, we just we don't share much.
59:01 We just share a little data with them and it's going to be fine.
59:03 Just a little.
59:03 So, yeah, I mean, I tend to fall on the side of because the big risk with passwords is if
59:09 you use the same one over and over again or a variant and somebody gets it from site A,
59:13 now they've just unlocked 40 other sites for you.
59:15 But so a password manager with super random accounts kind of removes that.
59:19 So if I get a notification that my password is on.
59:22 Yes.
59:23 On Troy Hunt's site.
59:25 Well, at least I know that password, you know, the blast radius of that password leaking
59:28 was just to that one site because I didn't use it anywhere else.
59:32 And that's sort of the key.
59:33 So, yeah.
59:33 And you just go change in one place and it's fine.
59:36 Like what I usually it's those huge random ones are probably good enough, even though space.
59:41 So I don't know.
59:42 I'm with you.
59:43 There's a site that I use periodically and it literally does not allow me to create a
59:47 username or password.
59:47 I can only log in with Facebook.
59:49 Oh, yeah, that hurts.
59:50 Wow.
59:51 Sounds like it's time to not use that site anymore.
59:53 And it keeps logging me out.
59:55 And I had been taking the policy that I'm not going to be logged into Facebook on my main
59:59 browser.
59:59 If I want to do Facebook, that's an incognito window to Facebook.
01:00:02 And then I close that down.
01:00:04 Right.
01:00:04 Yeah.
01:00:04 Good idea.
01:00:05 But now I've got to stay logged in if I go.
01:00:06 I mean, I got to keep logging in and out of Facebook just to go do that thing.
01:00:09 But it has these like knock on effects of, well, now like every Facebook pixel and the
01:00:14 Internet is now turned on for me to the extent that my ad blockers are not stopping that.
01:00:19 Right.
01:00:19 It's like an arms race.
01:00:21 But it's it frustrates me if that's the only option out there.
01:00:26 Yeah, for sure.
01:00:27 Yeah.
01:00:27 All right.
01:00:27 Well, just leave it there, I suppose.
01:00:29 I think we're getting definitely long in time here, but been really fun to talk about identity
01:00:34 and the broader sense with you guys.
01:00:36 Absolutely.
01:00:36 And it's been a blast being here and talk about identity and how to keep you off the
01:00:40 news.
01:00:41 Yeah.
01:00:41 All right.
01:00:42 Before we get here, if you're going to write some code, I'll just, since there's two, I'll
01:00:44 just ask the one, although who knows, it might be the same answer.
01:00:47 We'll see.
01:00:48 If you're going to write some code, some Python code, what editor do you use?
01:00:51 I would probably go with VS Code.
01:00:53 Okay.
01:00:54 Because I am more comfortable with that.
01:00:56 I haven't really used bytes or mats and I haven't really done a lot of Python production
01:00:59 work to say that.
01:01:01 So that will be the convenient one.
01:01:03 However, we are working with JetBrains these days to actually improve the Azure experience
01:01:08 inside PyTorch and PyCharm.
01:01:10 Yeah.
01:01:11 Yeah.
01:01:11 PyCharm.
01:01:12 Yeah.
01:01:12 Awesome.
01:01:12 Really?
01:01:13 I didn't know that.
01:01:13 That's cool.
01:01:13 Yeah.
01:01:14 So we want to bring it in to everyone.
01:01:16 Yeah.
01:01:16 So use the tools that work best for you.
01:01:19 Yeah, absolutely.
01:01:19 John, how about you?
01:01:20 Do Jupyter notebooks count?
01:01:22 Yeah.
01:01:22 Yeah.
01:01:23 They absolutely count.
01:01:23 Sure.
01:01:24 In the browser.
01:01:24 Yeah.
01:01:25 No, I mean, most of what I've used Python for in the past, probably past 12 months has been
01:01:30 like work in Spark doing like data processing and stream processing, which I kind of love
01:01:35 it for that because it's so much easier than Scala.
01:01:38 And I tried to do Scala once and I was really quite miserable.
01:01:42 And then I was like, I'll just do this in Python.
01:01:44 And then a lot of it too, I do use VS Code a lot.
01:01:47 And for more sort of like application stuff for doing like Azure automation stuff, like if I want to automate some resources and things like that in Azure or use like AWS Lambda for application stuff, I tend to fall to VS Code.
01:01:59 Excellent.
01:02:00 All right.
01:02:00 Well, that's definitely a popular answer these days.
01:02:02 All right.
01:02:03 Final call to action.
01:02:03 People are interested in identity.
01:02:05 They want to up their game and their app or maybe they're creating a new app.
01:02:08 They want to try something different, like federated identity or something.
01:02:11 What do you say to them?
01:02:12 Do it and come hang out with us on Twitch, come and write some code with us and tell us what you want to see.
01:02:17 Tell us what kind of scenarios you're in that you want to see.
01:02:20 Yeah, we haven't talked about that.
01:02:21 Just really quickly, you guys have a Twitch programming live stream.
01:02:24 You want to tell folks about that real quick?
01:02:26 We'll put the link in the show notes.
01:02:27 Sure.
01:02:28 It's every Tuesday and Thursday at 7 a.m. Pacific, 10 a.m. Eastern.
01:02:32 And usually Tuesdays, we build something.
01:02:34 Right now, we're working on a multi-episode project of building what we're calling the Thrasman, which is the Azure Resource Thrasher, which will be fun.
01:02:42 And we take questions from the chat and from the community all the time.
01:02:46 And then Thursdays, we do community hour where we show off a cool project that somebody in the community has been working on.
01:02:52 Or we have a guest come on from Microsoft or outside and share with the world what they're working on or something really cool or a big announcement.
01:02:59 And yeah, it's a lot of fun.
01:03:00 Yeah, cool.
01:03:01 I hear you have some Python topics maybe coming up potentially.
01:03:04 We do.
01:03:05 When are you going to come on the show?
01:03:06 Come build something with us.
01:03:07 Oh, yeah.
01:03:07 Oh, yeah.
01:03:08 October 20th.
01:03:10 Nice.
01:03:11 It's already done.
01:03:12 Agreed.
01:03:13 And we're cooking.
01:03:13 So we'll make sure that we promote that and let people know that you're coming to the show to build some awesome authentication stuff with us.
01:03:19 Yeah, that'd be sweet.
01:03:20 Yeah, it sounds good.
01:03:21 We'll do some Flask plus OpenID Connect or something like that.
01:03:24 Yes.
01:03:25 Awesome.
01:03:25 All right, guys.
01:03:26 Thank you for being on the show.
01:03:27 It's been a lot of fun.
01:03:28 Thanks for having us.
01:03:29 Thank you for having us.
01:03:30 Yeah, Yvette.
01:03:31 Talk to you later.
01:03:31 This has been another episode of Talk Python to Me.
01:03:35 Our guests in this episode were Christos Matskas and John Patrick Dendison.
01:03:39 And it's been brought to you by us over at Talk Python Training in Linode.
01:03:44 Simplify your infrastructure and cut your cloud bills in half with Linode's Linux virtual machines.
01:03:48 Develop, deploy, and scale your modern applications faster and easier.
01:03:51 Visit talkpython.fm/linode and click the Create Free Account button to get started.
01:03:57 Want to level up your Python?
01:03:58 If you're just getting started, try my Python Jumpstart by Building 10 Apps course.
01:04:03 Or if you're looking for something more advanced, check out our new Async course that digs into
01:04:08 all the different types of async programming you can do in Python.
01:04:11 And of course, if you're interested in more than one of these, be sure to check out our
01:04:15 Everything Bundle.
01:04:16 It's like a subscription that never expires.
01:04:18 Be sure to subscribe to the show.
01:04:20 Open your favorite podcatcher and search for Python.
01:04:22 We should be right at the top.
01:04:23 You can also find the iTunes feed at /itunes, the Google Play feed at /play,
01:04:28 and the direct RSS feed at /rss on talkpython.fm.
01:04:32 This is your host, Michael Kennedy.
01:04:34 Thanks so much for listening.
01:04:36 I really appreciate it.
01:04:37 Now get out there and write some Python code.
01:04:39 I'll see you next time.
01:04:59 Thank you.