Hang on, for everybody to get in. There'll be cookies if you stay. Come on. Right. Okay.
Let's get started. Hi, everyone. So that's not doing anything. That's really not doing anything.
Sometimes it works.
Yeah, well that's okay. I mean, you can just talk to this one slide maybe.
There, there a ah, okay. Okay. Thank you.
Okay, I'll, yeah, it's all good. Don't worry. It's fine.
Yeah, I need to unlock it with my face, I think. Is this one gonna be the same? Let's see.
Waiting for
Pass.
Ah, ah, ah, there we go. There we go. Awesome.
Good, good, good, good, good. Okay, great.
Okay, cool. So let's see, what are the things to talk about before we get started? The first thing to talk about is that I work for Ping Identity, Field CTO for EMEA. Don't ask me to explain what that means.
It's quite a complex story, but I'm actually doing this talk in my personal capacity, right? And I had to do that because otherwise I wouldn't get these slides past our marketing team. So Sabrina is the best and most passive of them, I would say permissive.
So, yeah. And again, it's probably a little bit weird for somebody who works for a company that makes most of our revenue from selling absolutely great products that implement OpenID Connect to be talking about challenges with using OpenID Connect, but bear with me.
And for those, if there is anybody in the room who was involved in, you know, building or writing or designing OpenID Connect, I don't know if there is anybody.
This is not to denigrate a wonderful tool. It's to talk about scenarios where it might not be the most appropriate tool to solve the particular problem.
I've been in IAM for way too long, whatever. So we all, but for me, customer experience is a really key thing, right? That's why I'm a lot more interested in CIAM, frankly, than I am in workforce IAM. And the thing about customer experience, of course, is that we're all customers every day in a million different ways. And I don't know if you will agree with me, I feel like I just get a bad experience wherever I go, right?
I mean, you know, digital transformation, digital experience, everybody talks about the great things that they're gonna do to make things better for their customers.
I'm not really seeing a lot of that happening in reality.
And I'm trying to work out why that should be the case. So let's talk then about, you know, what is this kind of first party context we're talking about, some of the issues.
So I'll start with a little story as to where did the session come from and where did I get the idea for this session? And actually it started in a nightclub in Berlin about this time last year. And of course, the nightclub had absolutely nothing to do with this presentation, but it did have a lot to do with the fact that I got completely drunk on the second last night of EIC and showed up the next day to do a panel presentation and wasn't really sure what I was gonna talk about.
So I stumbled upon this idea of having a little bit of a rant about just how bad customer experience tends to be. And so that kind of turned into this. So hopefully you'll forgive me for that.
But let's talk then about, okay, so what is first party? I'm sure everybody really knows what first party is, right? This is where the same organization owns not only the IDP infrastructure, but also the relying party infrastructure. And this obviously tends to be the case a lot of the time within CIAM, right?
You know, again, you've got a number of digital channels, digital properties that you're offering to your customers, and you're really just trying to stay on brand. You know, you're trying to give a consistent experience. You're trying to minimize friction.
I mean, this is what you want to do in CIAM, but here's probably the first, I mean, I don't even know if this is a controversial statement.
Actually, I checked the statement with Brian Campbell before I made it, right?
I said, look, my view is that OAuth in particular, and then OpenID Connect, which sits on top of it, was not really designed for a first party scenario. It's designed for the third party scenario. I mean, OAuth is essentially a protocol that we use for authorizing third party data access.
So, yeah, I mean, and again, I think that a lot of the advice that we tend to give is, yeah, OpenID Connect is a great standard. It's a very secure standard. It does a lot of great things for you. But you know, in this scenario where you're actually looking for a joined up experience, where you're actually looking for a single site, a single app that works together seamlessly, is this always the best option?
So let's talk about the UX killer, right? Let's talk about the concept of the full page redirect, right?
Or the click-a-button to log in, that mega friction sort of activity that we see. And again, I think that if you speak to the people who build these applications, right?
And again, you know, the people who are typically responsible for the applications, I mean, they're not an IAM team, right? They're a digital team. They're an e-commerce team.
They're the team that actually owns that interaction with the customer, wants to own that relationship with the customer. And so the first thing that you're saying to them is, hey, use my great product to keep your users secure. But the very first thing that you have to do is you have to break out of your app entirely and open a page on some other server and, you know, hope that you'll get back into your app at some point.
So it interferes with the app UX.
And I mean, again, pretty much everybody is using an SPA framework, single page application framework, to build apps because it creates a far more responsive design. You know, I don't think too many of the younger people out there today would know what to do with a traditional server rendered web application anymore.
They wouldn't be able to understand why it doesn't update itself all the time. And again, you know, there are more SPA frameworks, I guess JavaScript frameworks, that come out every year than you can possibly keep track of.
And very few of them, in my experience, play well or work well with this concept of redirecting away from the app and coming back to it, because they work on the assumption that you load the app once.
I mean, often the app itself is actually just stored on a CDN somewhere. The app is stored at the edge and the interaction is with APIs.
Now, here's the other thing, right? It's hard to share signals, state data, et cetera, between the IDP and the relying party during the flow. Right? Now we're all really battling with fraud. We're all battling with account takeovers.
We really want to get good signals about how these individuals are interacting with our digital properties. And that's happening on the app, right? That's happening on the page where you're selling your cookies or enabling people to view movies or whatever else. How do you share those signals in a way that is continuous, in a way that allows you to detect risk events, that allows you to detect changes of posture, when the piece that is enforcing it, the IDP piece that is enforcing it, is somewhere else?
And you have to kind of do these redirects backwards and forwards to get there and back.
And I think, you know, possibly the thing that is almost more important than any of this is that the digital experience teams generally prefer an approach where you're doing some form of embedded UI, right? Which again, is not a standard option, or it's not an option that's really available with OpenID Connect. The key thing about it, of course, is that it's very easy to say, oh, well those people are wrong, right?
They don't understand identity, they don't understand these great protocols that we've built. But those are the people who have the influence. Those are the people who are making the decisions as to what products they're going to use and what mechanisms they're going to use to implement those products. So let's talk about sessions.
This slide is a bad joke.
These people are having a different kind of session, right? Coordination again between the app and the IDP to enable a consistent and safe session experience is very, very hard to do, right?
I mean, at last count, I know that there are a couple of draft specs out there for session support with OpenID Connect. I know that there are also no fewer than three different specs for handling things like logout, right? And trying to figure out how on earth you actually just allow somebody to log out in a scenario where your session is actually held somewhere other than your application.
Again, we can go into more detail about this. Again, some of this, I guess, is kind of controversial.
So if anybody has any thoughts, let's keep them for the end. And feel free to tell me where I'm wrong.
But I hate this discussion with customers, to be honest. I really hate the discussion about, hey, how am I gonna do sessions?
How am I going to ensure that my app knows what's going on with my user? Because it's really, really hard to do, and it's becoming a lot harder to do with all of the third party cookie things that are coming into browsers. Another thing, and this is something I think that for retailers in particular becomes hugely important and hugely frustrating, right? Anonymous users matter, but OIDC doesn't really know or care about anonymous users, right?
So the way in which retailers and other sorts of companies that are in that, let's say, mass market, mass consumer space tend to think, right? And when you speak to, again, the digital people, the product people, the people that are actually interested in interacting with the customers, I mean, all they see is somebody starts interacting with my digital property and I just want a chance to get to know them, right? I want to start out with what they're doing right at the beginning.
I want to try and see if I can figure out what sort of products and services they're interested in. At some point, hopefully I'm gonna entice them to buy something or sign up for my service. And at that point I'm going to try to learn more information about them, right? But this whole concept of until you've logged in, you don't exist, right?
Until you've logged in, you're just noise on my site and I don't care about you.
And then the moment you log in, you've got this real, again, point of friction: log in with a password, log in or sign up. The concept of gradually bringing the customer along, gradually getting to know them through progressive profiling, through whatever else, starting from when they're anonymous all the way through, hopefully, to being a loyal customer.
Again, pretty hard to do with something like OpenID Connect. And that's the last time we'll talk about web browsers, right? 'Cause everybody hates web browsers. Let's just use our phone.
But again, I think that it's an interesting prediction that I'm going to be running out of time. I don't think I'm actually running out of time yet, but we'll see how we go.
But yeah, I think there's very little doubt that the modern organization, particularly organizations that are committed to digital transformation, are passionate about digital transformation, would have a mobile first, if not mobile only, strategy.
Well, I mean, hands up, who in the audience has heard something said about a digital wallet on a phone today? I mean, it would've been hard to avoid it, right? I know the rest of you have. Again, I think that we are really trying to move towards a model where the phone is the primary way of identifying yourself.
So that native mobile use case is really, really important.
I don't know if anybody has ever had this discussion.
Again, I was told by the marketing department specifically not to include this slide because it's apparently inappropriate, but I'm sure everybody will forgive me for that. But this is kind of the thing. And there's a variation of this discussion that I have pretty much every time, within a customer environment, we start speaking to the mobile team, right? 'Cause everybody's, oh yeah, cool, let's do the web login. Let's find out, are we redirecting, are we embedding, et cetera, et cetera.
Alright, let's talk about mobile. What are we gonna do? And we are like, well, there's this RFC called best current practices for native mobile, blah, blah, blah. And the first thing it tells you is, well, don't use native UX within your mobile app for logging in, right? Redirect to a browser. And I can always predict the way that that conversation is gonna go.
I mean, you might be speaking to some security people who are like, yeah, yeah, yeah, that's great. And then the moment you start to speak to the app development team, the DX team, they're like, what, are you insane? I'm not doing that. I'm not ruining my wonderful native experience to redirect to a browser.
Again, native UX is simply better in every way. That's possibly a controversial statement, but I'll die on that hill, if somebody wants to come up on top of it with me. The patterns in terms of how to actually use OpenID Connect, in terms of how to actually use that browser interface and pass all the various different bits and pieces, codes and PKCE verifiers and stuff like that, backwards and forwards, they're not particularly natural and they're pretty complicated.
Cookie sharing and support is inconsistent, right? So this tends to come into play when organizations are looking for things like single sign on between two different apps that they might own. Or even if it's a case of really just using a cookie to remember a user so that they don't have to explicitly log in each time.
And again, the advice and guidance seems to change all the time in terms of exactly what browser component you're meant to use on each platform, based on the fact that particularly the likes of Apple tend to change the way that their OS works with every revision. Google less so, but they do it as well.
And then again, all of the aforementioned changes around cookie visibility, cookie sharing, third party cookies, et cetera, really start to diminish the value, I would say, of relying on cookies for this sort of thing. And the other thing, I guess, or the thing that becomes really important, is in terms of leveraging native capabilities. Right now, the thing about a smartphone that makes it really great for security professionals like ourselves is that it actually gives you so many really useful signals, right?
I mean, there are a lot of ways to tell where the user is, to tell how they're interacting, to tell whether they're able to strongly authenticate, to tell maybe whether they swapped their SIM card, a whole bunch of stuff, right? The level of risk signals that you're able to get by being embedded natively into a mobile application is quite significant. And that's just one of the kind of native capabilities you want.
I mean, what about if you wanna do a native social login, right? So if you've logged in with your Gmail account on your Google phone, just click a button and log me straight in without having to redirect through seven or eight different browser windows and all of that sort of thing, right?
Again, lots of examples of where you want your, let's call it your identity experiences within the app, your login, your registration, all of the rest of it, to be a lot more closely integrated with native capabilities and native SDKs that you have within your app as well.
And you can't do that if you're redirecting off to a web browser, because of course you can't call those native SDKs.
So let's then talk about another thing, which again, I think starts to tie into the digital wallets discussion as well, but also follows on from the native discussion, is, I mean, how do we really do omnichannel, right? How do we really enable a brand, a customer organization, to present a single identity layer, a single seamless experience to their customers across all of the digital channels that they interact with, right?
And as we've seen up to this point, right? We get very stuck on trying to figure out, well, we've got web and we've got mobile, and how do we make those two things play together or work in a consistent way?
What about API clients, chatbots, AI assistants, ATMs, IVR, et cetera, et cetera, right?
And again, within OpenID Connect and OAuth, we've got client initiated backchannel authentication, CIBA; we've got the device, what is it officially called, the Device Authorization Grant. And I mean, again, these are good patterns, these are good extensions, but they don't cover all use cases.
And again, they're not really understood that well by development teams who are outside of this special domain of being identity experts. So then let's talk about that, right? Let's talk about these developers, because again, there are a lot more front end channel developers out there in the world than there are identity experts, right?
And yeah, we've gotta find a way to meet these people where they are, engage with them in terms they understand, and ultimately make their lives easier, right? Because if we make their lives more difficult, you know what they're gonna do, right? They're just gonna roll their own within their apps. And that's the exact problem that we've been trying to get away from for the last 20 or 30 years.
So again, this is not a direct quote. It might be a direct quote, right?
But certainly it picks up on a theme that I've heard; it picks up on hours and hours and hours that I've spent on calls and in rooms with application developers on a customer site, where all they wanna do is just use a product. They just wanna use a standard protocol. They just wanna use something that they don't have to build and maintain to be able to log users into their application. And then they're getting PKCE'd, you know, and they're getting auth code flowed, and then they're getting, oh, can we use resource owner password?
No, you can't, because reasons. Oh, can we do this? Can we do that? Where's the simple API I can use to authenticate a user?
Oh, you can't use that, right? Again, a lot of confusion.
I mean, you'll know why I have this man's picture up, right? I mean, remembering Vittorio very fondly. Vittorio actually was part of the panel that I mentioned at the start of the talk.
I mean, to me, the legacy that Vittorio left on this industry is the fact that he was the developer's advocate, right? Vittorio was always the guy for whom that developer experience, that developer view of things, was front and center. So I couldn't think of a better person to put up there.
Of course, the marketing department was, who the hell is that guy? It's like, no, there's a reason.
But let's talk then about some of the concerns that developers raise. Oh, crap, I'm running out of time. Availability of good quality libraries, right?
I mean, we always talk about, oh yeah, yeah, yeah, just implement OpenID Connect.
Because the relying party side of it is easy. There are not enough good quality libraries. Nobody understands scopes at all, right?
I'm sure scopes exist for a reason within OpenID Connect and OAuth 2, but I'm just gonna be honest, nobody out there in the world who needs to use them knows what the hell they're for. And again, secure handling and storage of tokens, really, really hard to do. Inconsistent advice, I would say.
So let's wrap it up. Again, apologies for being a little bit over time here, but a couple of challenges, and this is a session where, again, I'm not presenting you a product from Ping, right? So I'm not even gonna pretend to be presenting any answers here. This is really just about challenges. And the challenges for me are this: listen more than we speak, learn more than we teach, right?
There's a whole world out there, a whole world of people who frankly don't know and don't care about identity. And there's actually nothing wrong with that, right?
Let's understand their perspective before diving straight into a solution. Let's make sure that we have the right people in the room, okay? And when I say the room, I mean like these conferences, right? Let's make sure that we are finding ways to get non-identity people to understand the value of what we do and the value of what it gives to them. And I think maybe the most important thing, and possibly the most controversial thing as well: let's favor pragmatic collaboration over identity-ism, right?
I personally hate that term, and I think it's time that we, as the identity people, get over ourselves a little bit and realize we're not really that special. And the only value we offer is the value that our customers and their business teams take from identity. And that was it. Thank you very much. A little bit late.
Thank you, Rob. And I think this was a very interesting presentation. I myself would have a ton of things to discuss with you because, for instance, I don't believe that the wallet should be only the smartphone.
Oh, total nonsense. Ooh, total nonsense. Good. To my understanding, we need it everywhere, everywhere. Ubiquitous. That's my perspective. Because for instance, if you want to apply for a l sample from the opening keynote, you will do it from your, not from your smartphone. Yeah. And so no no's
Good point. Yeah.
And I think there are quite a number of things we probably can't discuss, but unfortunately we don't have the time. So thank you for the insights. I also have my thoughts about scopes. By the way, I'm always advocating for dynamic scopes that come up from the developer but that are read in dynamically, which would make much more sense. So a lot of things we could improve in areas. So I think you gave us a lot of, at least you gave me a lot of, food for thought with some of the probably willingly provocative statements, which makes sense, most of them.
So I really enjoyed it very much. Awesome. Thank you very much.
Yes, thank you, Martin. Raise your hands again for Rob.
Thank you everyone. Thanks so much.