
Sunday, June 28, 2009

Facebook, Intrigue, Betrayal, Murder

A working understanding of authentication and authorization protocols is key to making use of modern web APIs. But protocols like the three-party delegated authc/authz[1] typical of modern web services can be difficult to follow. Role-playing the protocol participants[2] is a fun way to make a very abstract process concrete, so I decided to write, produce and direct some geek theater at my recent Facebook Developer Garage Dallas presentation. When you get to the script pages, imagine Alice played by about the least feminine guy you've ever seen and you'll have the right atmosphere (you might need to click through and view the presentation full-sized to read the text on some pages).

I finished up with a quick review of some very traditional distributed programming topics. The questions "just how many test cases would you need to cover the possible states your program can be in?" and "what makes you think you can test these modules independently?" get people thinking along the right lines.

Oh. In the end Alice runs off with Bob and all of Dave's money, leaving him on the hook with the Mafia for four guns and several bribes. Such is life in the high-stakes world of distributed programming.

[1] Authc = authentication, or identifying a user; authz = authorization, or determining what services a user is allowed to make use of once they're identified. Authentication says who you are, authorization says what you can do. In the presentation I talk specifically about delegated authc/authz and ignore the more traditional single-process examples. People seem surprised to learn that OAuth, which is an authorization protocol, doesn't necessarily tell your application the user id of the user (although many implementations include that information along with the authorization tokens that are the primary purpose of the protocol). It doesn't help that the OAuth spec confuses the two.

[2] So, admittedly, the examples aren't usually acted out in front of an audience, but the role-playing does have a long and honored history. The script actually simplifies the real protocol considerably, but it should give the correct flavor: http://www.networkworld.com/news/2005/020705widernetaliceandbob.html
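Both sides of the three-party exchange the post describes, and the point in footnote [1] that an authorization token need not tell the application who the user is, as an added example that is not from the presentation, the script, or any real library. It is a toy model in Python, loosely patterned on a request-token/access-token exchange with HMAC-signed requests but simplified. The party names, the scope names ("read_wall", "identity"), the message formats, the consumer key "example-app", the user "alice" and her wall post are all constructed for the illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class Token:
    secret: str
    consumer: str
    scopes: frozenset
    user: Optional[str] = None      # set when the user approves; never sent to the consumer
    verifier: Optional[str] = None  # one-time code proving the approval step happened


def sign(message, consumer_secret, token_secret=""):
    # HMAC-SHA256 keyed with consumer secret plus token secret (empty before a token exists).
    key = f"{consumer_secret}&{token_secret}".encode()
    return hmac.new(key, message.encode(), hashlib.sha256).hexdigest()


class ServiceProvider:
    """Holds the user's data and decides what each token may do (Facebook's role in the script)."""

    def __init__(self):
        self.consumer_secrets, self.request_tokens, self.access_tokens = {}, {}, {}
        self.walls = {"alice": ["went to the geek theater"]}  # constructed sample data

    def _verify(self, consumer_key, message, signature, token_secret=""):
        secret = self.consumer_secrets.get(consumer_key)
        if secret is None or not hmac.compare_digest(sign(message, secret, token_secret), signature):
            raise PermissionError("bad signature or unknown consumer")

    def _issue(self, store, consumer_key, scopes, user=None):
        key = secrets.token_hex(8)
        store[key] = Token(secrets.token_hex(16), consumer_key, frozenset(scopes), user)
        return key, store[key].secret

    # Step 1: the consumer asks for a request token, signed with its own secret only.
    def request_token(self, consumer_key, scopes, signature):
        self._verify(consumer_key, f"request_token:{consumer_key}:{','.join(sorted(scopes))}", signature)
        return self._issue(self.request_tokens, consumer_key, scopes)

    # Step 2: the user, logged in at the provider in a browser, approves the request token.
    def user_approves(self, user, request_key):
        tok = self.request_tokens[request_key]
        tok.user, tok.verifier = user, secrets.token_hex(4)
        return tok.verifier

    # Step 3: the consumer trades the approved request token for an access token.
    def access_token(self, consumer_key, request_key, verifier, signature):
        tok = self.request_tokens.get(request_key)
        if tok is None or tok.consumer != consumer_key:
            raise PermissionError("unknown request token")
        self._verify(consumer_key, f"access_token:{request_key}:{verifier}", signature, tok.secret)
        if tok.user is None or not hmac.compare_digest(tok.verifier, verifier):
            raise PermissionError("request token was never approved by the user")
        del self.request_tokens[request_key]  # one exchange per request token
        return self._issue(self.access_tokens, consumer_key, tok.scopes, tok.user)  # no user id in the reply

    # Step 4: protected resources. Each call is an authorization decision: right consumer, valid
    # signature, action inside the token's scopes. The user's identity is just one more scoped resource.
    def resource(self, consumer_key, access_key, action, signature):
        tok = self.access_tokens.get(access_key)
        if tok is None or tok.consumer != consumer_key:
            raise PermissionError("unknown access token")
        self._verify(consumer_key, f"{action}:{access_key}", signature, tok.secret)
        if action not in tok.scopes:
            raise PermissionError(f"token not authorized for {action}")
        handlers = {"read_wall": lambda: list(self.walls[tok.user]), "identity": lambda: tok.user}
        return handlers[action]()


def run_flow(scopes, user_approves=True):
    """Consumer side of the whole exchange for user 'alice'; returns the provider's replies or its refusal."""
    provider = ServiceProvider()
    ckey, csecret = "example-app", secrets.token_hex(16)
    provider.consumer_secrets[ckey] = csecret  # stands in for out-of-band consumer registration
    want = ",".join(sorted(scopes))
    req_key, req_secret = provider.request_token(ckey, scopes, sign(f"request_token:{ckey}:{want}", csecret))
    # The user approves at the provider, out of the consumer's sight, and the browser carries the
    # verifier back. A consumer that never got an approval is left guessing it (here: "0000").
    verifier = provider.user_approves("alice", req_key) if user_approves else "0000"
    try:
        acc_key, acc_secret = provider.access_token(
            ckey, req_key, verifier, sign(f"access_token:{req_key}:{verifier}", csecret, req_secret))
    except PermissionError as e:
        return f"refused: {e}"

    def call(action):  # every API call is signed with consumer secret + access token secret
        try:
            return provider.resource(ckey, acc_key, action, sign(f"{action}:{acc_key}", csecret, acc_secret))
        except PermissionError as e:
            return f"refused: {e}"

    return {"wall": call("read_wall"), "identity": call("identity")}
```

Run `run_flow({"read_wall"})` and the consumer gets the wall posts but its request for the user's identity is refused: it is authorized to act for someone without being told for whom, which is the footnote's point. Add the "identity" scope and the same token also answers who the user is. Skipping the approval step (`user_approves=False`) is refused at the token exchange even though the consumer's signature is valid, because the provider checks the verifier that only the approving user's browser carried back.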

You should follow me on Twitter here.


Blogger KMB Associates said...

How do you get Twitter "responses" from your main "home" page...


2:11 PM  
