Updated March 13th 2017
Learn more about the authentication process behind PixelPin
What is Federation?
What is Federation?
Federation is a system where you trust somebody else to provide some of your services.
Specifically for PixelPin (and Google, Facebook, etc.) it means trusting someone else to authenticate your users.
You would do this because either you don't want the responsibility of maintaining and protecting your own users' data or perhaps you are a new organisation and your users trust someone else more than you with their information. Alternatively, by using a provider that is already widely used, you are making it as easy as possible for new users to join your site without filling out another registration form.
PixelPin adds another reason to use federation for authentication and that is a revolutionary simple, yet secure, login experience that your users will enjoy and easily remember.
OpenID Connect is a layer on top of OAuth2 that provides additional security, attestation and conformance of the data that is returned from providers, making it possible to have a single piece of code supporting multiple providers.
PixelPin also supports an optional OpenID Connect facility called Discovery, which puts a document at a well known endpoint for a plugin to use for auto-configuration of endpoints.
OAuth2 is one of the most common ways of using federation for authorization.
Most of the famous providers such as Google and Facebook use OAuth2 for their single-sign-on systems.
It is a specification that describes how the client (you) and the server (PixelPin) communicate with each other in a way that is secure from various potential hacks such as hijacking a legitimate account to use for bad reasons, replaying a request again to try and re-gain access to user data or modifying what PixelPin is asked to do in the request to gain more access than you are supposed to.
PixelPin already supports OAuth2 so in order for you to use it, your web site also needs to be compatible.
OAuth is the forerunner to OAuth2 and although they are designed for the same thing, the two are not compatible.
OAuth2 is highly recommended over the original OAuth because it is simpler, requires less calls to the server (i.e. it is faster) and is supposedly more secure. Most of the large identity providers have migrated to OAuth2.
The easiest way for your web site to be PixelPin compatible is to use a plugin, most of which are open source and freely available.
The only time you might not be able to do this is when your site is written from scratch and not based on a web framework or content management system (such as WordPress, Drupal, Yii, .Net, etc).
PixelPin currently provides a plugin that is compatible with Microsoft .Net and another which is based on HybridAuth for use in PHP.
If you are using .Net, you can simply install a Microsoft OpenID Connect plugin from NuGet and fill in the details.
If you are using PHP, visit HybridAuth and find the instructions for your specific content management system. If your PHP site is not based on a framework, your easiest way to integrate with OAuth2 is to download the HybridAuth code and use this directly.
In order for your site to be allowed to connect to PixelPin, you need a PixelPin developer account.
The really important piece of information is the Redirect URI (the 'URL' that PixelPin returns to after a user logs in). This must match your request for security reasons, otherwise you will see an error when you attempt to logon with PixelPin.