#standards


yahoodevelopers:

By George Fletcher and Lovlesh Chhabra

When Yahoo and AOL came together a year ago as a part of the new Verizon subsidiary Oath,  we took on the challenge of unifying their identity platforms based on current identity standards. Identity standards have been a critical part of the Internet ecosystem over the last 20+ years. From single-sign-on and identity federation with SAML; to the newer identity protocols including OpenID Connect, OAuth2, JOSE, and SCIM (to name a few); to the explorations of “self-sovereign identity” based on distributed ledger technologies; standards have played a key role in providing a secure identity layer for the Internet.

As we navigated this journey, we ran across a number of different use cases where there was either no standard or no best practice available for our varied and complicated needs. Instead of creating entirely new standards to solve our problems, we found it more productive to use existing standards in new ways.

One such use case arose when we realized that we needed to migrate the identity stored in mobile apps from the legacy identity provider to the new Oath identity platform. For most browser (mobile or desktop) use cases, this doesn’t present a huge problem; some DNS magic and HTTP redirects and the user will sign in at the correct endpoint. Also it’s expected for users accessing services via their browser to have to sign in now and then.

However, for mobile applications it’s a completely different story. The normal user pattern for mobile apps is for the user to sign in (via OpenID Connect or OAuth2) and for the app to then be issued long-lived tokens (well, the refresh token is long lived) and the user never has to sign in again on the device (entering a password on the device is NOT a good experience for the user).

So the issue is, how do we allow the mobile app to move from one identity provider to another without the user having to re-enter their credentials? The solution came from researching what standards currently exist that might address this use case (see figure “Standards Landscape” below) and finding the OAuth 2.0 Token Exchange draft specification (https://tools.ietf.org/html/draft-ietf-oauth-token-exchange-13).

[Figure: Standards Landscape]

The Token Exchange draft allows for a given token to be exchanged for new tokens in a different domain. This could be used to manage the “audience” of a token that needs to be passed among a set of microservices to accomplish a task on behalf of the user, as an example. For the use case at hand, we created a specific implementation of the Token Exchange specification (a profile) to allow the refresh token from the originating Identity Provider (IDP) to be exchanged for new tokens from the consolidated IDP. By profiling this draft standard we were able to create a much better user experience for our consumers and do so without inventing proprietary mechanisms.

During this identity technical consolidation we also had to address how to support sharing signed-in users across mobile applications written by the same company (technically, signed with the same vendor signing key). Specifically, how can a signed-in user to Yahoo Mail not have to re-sign in when they start using the Yahoo Sports app? The current best practice for this is captured in OAuth 2.0 for Native Apps (RFC 8252). However, the flow described by this specification requires that the mobile device system browser hold the user’s authenticated sessions. This has some drawbacks such as users clearing their cookies, or using private browsing mode, or even worse, requiring the IDPs to support multiple users signed in at the same time (not something most IDPs support).

While RFC 8252 provides a mechanism for single-sign-on (SSO) across mobile apps provided by any vendor, we wanted a better solution for apps provided by Oath. So we looked at how we could enable mobile apps signed by the vendor to share the signed-in state in a more “back channel” way. One important fact is that mobile apps cryptographically signed by the same vendor can securely share data via the device keychain on iOS and Account Manager on Android.

Using this as a starting point we defined a new OAuth2 scope, device_sso, whose purpose is to require the Authorization Server (AS) to return a unique “secret” assigned to that specific device. The precedent for using a scope to define specification behaviour is OpenID Connect itself, which defines the “openid” scope as the trigger for the OpenID Provider (an OAuth2 AS) to implement the OpenID Connect specification. The device_secret is returned to a mobile app when the OAuth2 code is exchanged for tokens and then stored by the mobile app in the device keychain along with the id_token identifying the user who signed in.

At this point, a second mobile app signed by the same vendor can look in the keychain and find the id_token, ask the user if they want to use that identity with the new app, and then use a profile of the token exchange spec to obtain tokens for the second mobile app based on the id_token and the device_secret. The full sequence of steps looks like this:

[Figure: sequence of steps for the device_sso flow]

As a result of our identity consolidation work over the past year, we derived a set of principles identity architects should find useful for addressing use cases that don’t have a known specification or best practice. Moreover, these are applicable in many contexts outside of identity standards:

  1. Spend time researching the existing set of standards and draft standards. As the diagram shows, there are a lot of standards out there already, so understanding them is critical.
  2. Don’t invent something new if you can just profile or combine already existing specifications.
  3. Make sure you understand the spirit and intent of the existing specifications.
  4. For those cases where an extension is required, make sure to extend the specification based on its spirit and intent.
  5. Ask the community for clarity regarding any existing specification or draft.
  6. Contribute back to the community via blog posts, best practice documents, or a new specification.

As we learned during the consolidation of our Yahoo and AOL identity platforms, and as demonstrated in our examples, there is no need to resort to proprietary solutions for use cases that at first look do not appear to have a standards-based solution. Instead, it’s much better to follow these principles, avoid the NIH (not-invented-here) syndrome, and invest the time to build solutions on standards.
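The device_sso flow described in the post above, sketched from the Authorization Server's side as an added example (not part of the original post and not Oath's code). The post does not give the profile's wire format, so the mapping of id_token to `subject_token` and device_secret to `actor_token`, the `ds_hash` claim, the placeholder device-secret token type URI, and the HMAC-signed stand-in for a real id_token are all assumptions.

```python
import base64, hashlib, hmac, json, secrets

# Identifiers from the Token Exchange spec; DEVICE_SECRET_TYPE is a made-up
# placeholder URI, since the post does not give the profile's wire format.
GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
ID_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:id_token"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"
DEVICE_SECRET_TYPE = "urn:example:params:oauth:token-type:device-secret"

AS_KEY = secrets.token_bytes(32)  # constructed signing key for the toy AS
DEVICES = {}                      # sha256(device_secret) -> {"sub", "revoked"}

def b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def mac(body):
    return b64(hmac.new(AS_KEY, body.encode(), hashlib.sha256).digest())

def sign(claims):
    """Toy HMAC-signed id_token (assumed stand-in for a real signed JWT)."""
    body = b64(json.dumps(claims, sort_keys=True).encode())
    return body + "." + mac(body)

def verify(token):
    body, _, tag = token.partition(".")
    if not hmac.compare_digest(tag.encode(), mac(body).encode()):
        raise ValueError("invalid_grant: bad id_token signature")
    return json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))

def ds_digest(device_secret):
    return hashlib.sha256(device_secret.encode()).hexdigest()

def code_exchange(sub, client_id, scope):
    """First app: authorization code -> tokens (code validation omitted)."""
    resp = {"access_token": secrets.token_urlsafe(16)}
    claims = {"sub": sub, "aud": client_id}
    if "device_sso" in scope.split():  # the scope triggers the extra behaviour
        resp["device_secret"] = secrets.token_urlsafe(32)
        claims["ds_hash"] = ds_digest(resp["device_secret"])  # binds id_token to device
        DEVICES[claims["ds_hash"]] = {"sub": sub, "revoked": False}
    resp["id_token"] = sign(claims)
    return resp

def token_exchange(form, vendor_clients):
    """Second app: id_token + device_secret -> tokens, no credentials typed."""
    if form.get("grant_type") != GRANT:
        raise ValueError("unsupported_grant_type")
    if form.get("client_id") not in vendor_clients:
        raise ValueError("invalid_client")
    if (form.get("subject_token_type") != ID_TOKEN_TYPE
            or form.get("actor_token_type") != DEVICE_SECRET_TYPE):
        raise ValueError("invalid_request")
    claims = verify(form.get("subject_token", ""))
    digest = ds_digest(form.get("actor_token", ""))
    device = DEVICES.get(digest)
    if device is None or device["revoked"]:
        raise ValueError("invalid_grant: unknown or revoked device_secret")
    if claims.get("ds_hash") != digest or claims.get("sub") != device["sub"]:
        raise ValueError("invalid_grant: id_token not bound to this device")
    new_id = sign({"sub": claims["sub"], "aud": form["client_id"], "ds_hash": digest})
    return {"access_token": secrets.token_urlsafe(16), "token_type": "Bearer",
            "issued_token_type": ACCESS_TOKEN_TYPE, "id_token": new_id}
```

The server keeps only a hash of the device_secret, so marking that record revoked ends SSO for every app on the device without touching the keychain.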

(HYPER-)INVISIBILITY : The Asian Non-Model for Affection

I’m always confused when I watch Asian music videos - by which I mean K-pop and J-pop, primarily… and the degree to which the videos feel so sexualized. As someone who grew up watching old Asian (Chinese) dramas like 還珠格格 (which recently had its remake), it’s strange to know that some of the new Korean dramas are… well, R-rated. While I think most of us (though that’s probably not as true as I believe) struggle or feel loath to envision others in the throes of passion, the depiction is fairly common in American cinema, something that has made me uncomfortable because it is so absent in Chinese cinema. For example, in 上错花轿嫁对郎*, a show that came out in 2001 and is focused around the idea of marriage, I don’t remember any scenes that show kissing, period. There are probably a few, but not many in a 20 1-hour episode show. Rather, intimacy and affection is shown in long embraces. “Intimate” scenes feature the couple lying down on a bed together, fully clothed.

What’s more remarkable is that this is a step forward even for the culture. Of my parents’ generation, nobody holds hands in public. No one leans into each other or sits touching each other. Even of the couples I know in America, there is a distinct lack of public affection between Asian couples and American couples. Of my peers, if they display a lot of physical intimacy, often it is coupled with an open embrace of another culture - in short, it is not classically considered a part of the culture we “grew up in” which is usually our parents’ culture. Parents who are more traditional, especially the Chinese parents I know, don’t have a sex talk, generally don’t approve of dating in high school, but might be confused why you’re not in a committed relationship by the time you enter grad school.

Contemporary culture of Korean and Japanese dramas are dramatically different. And I’m not quite sure why. It is possible that the government is trying to control the population of China by not encouraging more romantic media to be created. The general disparity between the classes may also be because of the distinction between Asian cultures and their portrayal of love and romance on the big screen (particularly given the middle-class nature of such entertainment). But even so relative to American movies, the classic tropes are very different. American women are often either bold/brash and then “subdued” or humanized by love (see “The Proposal”, “Groundhog Day”, “Juno”, etc.) or sensitive/caring ones who win over the “playboy”/“bad boy” (see “A Walk to Remember”, “Beastly”/“Beauty & the Beast”). In Chinese drama, which, of the ones I’ve watched, are often historical, there is the “cultured, demure, perfect girl” who earns love through her faithfulness, and the “uncultured, ‘masculine’, poor girl” who is softened by love. The class element is often a part of the character trope and also often plays a part in the male characterization as well.

All this to say, the normalized presentation of love is pretty… chaste? Traditional? At least by American standards. But it goes beyond couples. Growing up, families didn’t hug (unless it was after crying) or kiss or even say “I love you.” Parents don’t ask about your day, they ask about your homework, about your success. But that is “love” is caring about how successful you are, which I thought was the strangest thing, and didn’t really consider love at all. There was a shift when I finally told my parents “I love you” - and I often still do it in English because it feels weird to do it in Chinese. It just feels… awkward and embarrassing. My younger sister and I are super affectionate, but we do it in English as well. It’s just really weird, because it seems illogical.

I’m also listening to “I Knew I Loved You (Before I Met You)” right now and I would say that I don’t think the disparity exists as much in terms of love songs… but I’m not sure if that’s just because I haven’t listened to as many Chinese love songs, or if it’s because it’s not as prevalent in the media.

*for those of you who are curious what a more “traditional” Chinese drama looks like, you can actually watch some English subtitled videos like the ones above. (it starts with episode 6, unfortunately, but it gives you a sense of what a lot of the ones I’ve watched are like)

#culture    #asian american    #chinese    #chinese drama    #affection    #standards    #behavior    #sociology    #socy 62    #dartmouth    #class blog    #college    #dartmouth college    

moonwaningcrescent:

If you ask yourself “Would Gomez Addams treat me this way?” And the answer is no, move tf on from that situation.

My original Daddy crush.

“We need to start judging people by what they do, not what they look like”.

Quote from Meaghan Ramsey in her TED Talk “Why thinking you’re ugly is bad for you”.

Catholic Girl Problem #49: Being constantly told your standards for a pure, Catholic husband are too high and you’ll never find a guy like that.
(credit to lovethatquietsallmyfears)



Do you measure up big boy?

“This king,” said Mort, as a forest zipped beneath them, “is he good or bad?”

I NEVER CONCERN MYSELF WITH SUCH THINGS, said Death. HE’S NO WORSE THAN ANY OTHER KING, I IMAGINE.

“Does he have people put to death?” said Mort, and remembering who he was talking to added, “Saving y'honor’s presence, of course.”

SOMETIMES. THERE ARE SOME THINGS YOU HAVE TO DO, WHEN YOU’RE A KING.

Terry Pratchett, Mort

Like many people with no actual morals, Lord Downey did have standards, and Teatime repelled him.

Terry Pratchett, Hogfather

Open Access (free to read) articles:

Jeitun and the transition to agriculture in Central Asia
http://bit.ly/12o9Lsp

Patterns in Stone: Mobility and the Distribution of Locally Important Lithic Material
http://bit.ly/1abUEKo

From anarchy to good practice: the evolution of standards in archaeological computing
http://bit.ly/1FYqTbf

Reference Notes to Plan and Views of Ancient Remains on the Summit of the Laws, Forfarshire.
http://bit.ly/YTOw0V

Learn more about Open Access and Archaeology at: http://bit.ly/YHuyFK

This is an unfair and completely skewed standard, it’s hard to believe this is so completely overlooked.

Infographic made by Libby Green at action-against-animal-testing.tumblr.com

Follow for similar posts and more information about animal testing.



I like how both of us are misfits who doesn’t need to conform on other people’s standard of love.

Mae, misfits

A friend of mine from work recently passed that invisible line after a divorce that says, “You are now back in circulation.” She resisted the idea, but the problem is she’s very attractive. Men keep asking her out. She’s the veritable forty-something head cheerleader in a world of football players and gawking admirers. She says she’s not ready to do something that really ought to be confined to teenagers. “It’s too time consuming to sort out the unsuitable candidates,” she whined. She’s got a point. At our age we’re busy with careers and children. We can’t waste time with potential relationships that are doomed to go nowhere. Although I’m not in circulation and hope I never will be, I’m a big believer in helping out the needy, so I offered to develop a dating questionnaire that would weed out the ones who had no hope of ever being the guy who flips the burgers at her next backyard cook-out.

            Because my friend and I are both English teachers, I thought that requiring an essay would be appropriate. “Why I Want to Date You” would have to earn at least a C on a standard college level grading rubric in order for the candidate to move to the next phase. I wanted to declare that more than three comma errors would automatically knock the candidate out of the running, but my friend thought we should go easy on the punctuation. Go figure.

            After the usual questions about where do you work and where do you live, the first question is one that is so obvious it should go without asking, but it’s shocking how many men seem to forget the answer to this one:  Are you married? Then I moved to what I thought were more ordinary questions like:  What are your hobbies? Do you have any pets? What types of chemicals do you keep in your garage? I figure most guys who are not wanted by any law enforcement organizations could easily get through these questions. 

Oh, and that was the next question:  Are you wanted by any law enforcement organizations? Followed by:  Have you committed any felonies (that includes the ones you didn’t get caught doing)? If so, were you wearing any women’s garments at the time?  If so, were those garments visible? 

Have you ever made an illegal left turn? Eaten grapes straight out of the bin in the produce aisle? If so, did you give the cashier an extra quarter to cover the cost when you checked out? Does anyone in your family operate a meth lab? Are you straight? Have you lived with your mother at any point since the age of thirty? 

How high is the grass in your yard? (That’s supposed to be actual lawn grass, not the other kind.  If they indicate the latter, then they’re referred back to the question about crimes.)

Do you have anything in your sock drawer besides socks? Could you allow your preacher to look in your sock drawer without embarrassment? Do you have a preacher?  Did he get his license from the back of a confessional magazine? 

Do small children from the end of your street call you daddy and you can’t remember why? Do you know how to turn on a washing machine? When was the last time you did? How many pieces of petrified fruit are underneath your sofa? Do any of your videos or DVD’s have the words sassy, kinky, or Asian mamas in the title? Or Asian sassy boys?  (If they say yes to this one, they’re instructed to go back to the earlier question about being straight.) 

            There are a few more questions, but you get the point. I showed this to my friend and she read it with alternating nods and confused looks. “So, how many yes’s are supposed to eliminate a man from the process?” 

            “It’s really up to you.” I said. “I would have knocked him out at the comma thing, but I suppose there are some women who’ll let any old riff raff sneak by.”

            She gave me a dirty look as if I’d insulted her standards, which of course I had.  “Oh, there’s one final assignment,” I said. “He has to write the names of all of his past sexual partners on this.” I handed her a white plastic bottle cap about the size of my eyeball. “If he can’t get them to fit then I’d call that a red flag.” She spun it on her index finger. “Clever,” she said. I think she was genuinely impressed at last.

            I pointed at the cap. “And don’t let any of them cheat by trying to put initials,” I said. Boy, the things I do to look out for my friends. 

When I lived in America I was a regular on Spindale public radio in North Carolina. These essays are from my collection that aired on WNCW.

Cathy Adams was recently nominated for a Pushcart Prize. Her first novel, This Is What It Smells Like, was published by New Libri Press, Washington. Her short stories have been published in Utne, A River and Sound Review, Upstreet, Portland Review, Steel Toe Review, and Cha: An Asian Literary Journal, among others. She earned her MFA in Creative Writing from Pacific Lutheran University’s Rainier Writing Workshop and now lives and writes in Xinzheng, China, with her husband, photographer, JJ Jackson.

Being Unique

This happened a while ago, but it shows how people view me in life sometimes. I went to Taco Bell to pick up something to eat and the minute I walked in this group of guys in the back started pointing at me, laughing, snickering and calling me a freak of nature for the way I looked. But the woman who served me my food pulled me off to the side and told me that I was beautiful and unique and to not let assholes dictate me and label me for something I’m not. Sometimes people are shit, but sometimes there are those willing to stand up and support you even when people push you down. That woman at Taco Bell made my whole day, and I appreciate her for standing up for me. When you look as unique as me there will always be people to put you down, but the joke’s on them, because the way I look makes me happy, it makes me feel beautiful and handsome and attractive. And isn’t that what life’s about, trying to find your own personal happiness? Sometimes I find it difficult to even leave the house, because those asshole people exist everywhere. I can’t even remember going out in public once in the last few years without someone putting me down and laughing at me. But I know there are also good people to stand up for me. So fuck society’s version of what attractive should be, I’m attractive in my own way, and I’m not going to let a few narrow minded people treat me like shit for it.

I admit myself being a victim of standards. Everyone who ever heard “You are not good enough”, please know - I love you.



deeperthanskin:

Alessia Cara’s “Scars To Your Beautiful” highlights the importance of self love and acceptance. In the video it stars a diverse group of people expressing their struggles and how they learned to embrace their beauty. This song is a power anthem. No one is to determine who you are. Do what makes you happy and remember that everyone is beautiful. At the end of the video she made a very heartfelt statement, she stated “Often times, the world both directly and indirectly tells us that we shouldn’t be happy with ourselves if we don’t fit certain beauty standards. Scar to your beautiful is a reminder that beauty isn’t only one look, shape, size, or color. It isn’t even always tangible. It comes in an endless amount of forms and we need to recognize that”.

In my opinion it isn’t the individual’s fault for having insecurities about their body image. Society falls short of accepting diversity and tends to shame people for individualism. Lip fillers, butt lifts, anti-aging laser treatments, botox, etc., have become a cultural norm and people forget that natural beauty still exists. A person shouldn’t have to conform to beauty standards to feel whole nor should they feel pressured to become a product of their environment.

Source: AlessiaCaraVEVO. “Alessia Cara - Scars To Your Beautiful.” YouTube. YouTube, 11 July 2016. Web. 06 Dec. 2016. <https://www.youtube.com/watch?v=MWASeaYuHZo>.

I’ll make my daughter watch kdramas so that she could know the true meaning of relationships and love and have high standards

Being impressed by scraps of text that he wrote and hated months ago, the grad student questions whether desperation is lowering his standards.
