OAuth 2.0 & OpenID Connect 基礎 @ OpenID Meetup Fukuoka

Transcript

1. OAuth 2.0 & OpenID Connect جૅ Nov Matake

2. Nov Matake ⿣OpenID Foundation Japan ⿣ࣄ຿ہ௕ ⿣ΤόϯδΣϦετ ⿣຋༁ WG Ϧʔμʔ

   ⿣Rubyist ⿣YAuth.jp LLC ୅ද

3. OAuth 2.0 ͱ OpenID Connect ͲͪΒ΋ʮͳΜͪΌΒIDͰϩάΠϯʯ ͰΑ͘࢖ΘΕΔϓϩτίϧ

4. ͳΜͪΌΒIDͰϩάΠϯ ⿣Facebook ID ͰϩάΠϯ : OAuth 2.0 ⿣GitHub ID ͰϩάΠϯ

   : OAuth 2.0 ⿣Google ID ͰϩάΠϯ : OpenID Connect ⿣Yahoo! JAPAN ID ͰϩάΠϯ : OpenID Connect ⿣LINE ID ͰϩάΠϯ : OpenID Connect ⿣ࣗࣾ Web App ͷ ID Ͱࣗࣾ iOS/Android App ʹϩάΠϯ : OAuth 2.0 ⿣ࣗࣾ Web App ʹ͸ Google ID ͰϩάΠϯ : OpenID Connect + OAuth 2.0
5. None
6. None
7. None
8. None
9. None

10. Init Redirect Authenticate & Consent Redirect Get Tokens End-User MF

    Server FB Server Get FB UID via FB API Welcome back!

11. Init Redirect Authenticate & Consent Redirect Get Tokens End-User MF

    Server FB Server Get FB UID via FB API Welcome back!

12. Init Redirect Authenticate & Consent Redirect Get Tokens End-User MF

    Server FB Server Get FB UID via FB API Welcome back!

13. Init Redirect Authenticate & Consent Redirect Get Tokens End-User MF

    Server FB Server Get FB UID via FB API Welcome back!

14. Init Redirect Authenticate & Consent Redirect Get Tokens End-User MF

    Server FB Server Get FB UID via FB API Welcome back!

15. Init Redirect Authenticate & Consent Redirect Get Tokens End-User MF

    Server FB Server Get FB UID via FB API Welcome back!

16. Init Redirect Authenticate & Consent Redirect Get Tokens End-User MF

    Server FB Server Get FB UID via FB API Welcome back!
17. None

18. Init Redirect Authenticate & Consent Redirect Get Tokens End-User MF

    App MF Server Backend API Access Welcome back!

19. Init Redirect Authenticate & Consent Redirect Get Tokens End-User MF

    App MF Server Backend API Access Welcome back!

20. Init Redirect Authenticate & Consent Redirect Get Tokens End-User MF

    App MF Server Backend API Access Welcome back!

21. Init Redirect Authenticate & Consent Redirect Get Tokens End-User MF

    App MF Server Backend API Access Welcome back!

22. Init Redirect Authenticate & Consent Redirect Get Tokens End-User MF

    App MF Server Backend API Access Welcome back!

23. Init Redirect Authenticate & Consent Redirect Get Tokens End-User MF

    App MF Server Welcome back! Backend API Access

24. Init Redirect Authenticate & Consent Redirect Get Tokens End-User MF

    App MF Server Backend API Access Welcome back!

25. Init Redirect Authenticate & Consent Redirect Get Tokens End-User MF

    App MF Server Backend API Access Welcome back!
26. None

27. Init Redirect Authenticate & Consent Redirect Get Tokens Get FB

    UID via FB API End-User MF App FB Server Redirect Redirect Get Tokens Backend API Access Choose FB ID Welcome back! MF Server

28. Init Redirect Authenticate & Consent Redirect Get Tokens Get FB

    UID via FB API End-User MF App FB Server Redirect Redirect Get Tokens Backend API Access Choose FB ID Welcome back! MF Server

29. Init Redirect Authenticate & Consent Redirect Get Tokens Get FB

    UID via FB API End-User MF App FB Server Redirect Redirect Get Tokens Backend API Access Choose FB ID Welcome back! MF Server

30. Init Redirect Authenticate & Consent Redirect Get Tokens Get FB

    UID via FB API End-User MF App FB Server Redirect Redirect Get Tokens Backend API Access Choose FB ID Welcome back! MF Server

31. Init Redirect Authenticate & Consent Redirect Get Tokens Get FB

    UID via FB API End-User MF App FB Server Redirect Redirect Get Tokens Backend API Access Choose FB ID Welcome back! MF Server

32. Init Redirect Authenticate & Consent Redirect Get Tokens Get FB

    UID via FB API End-User MF App FB Server Redirect Redirect Get Tokens Backend API Access Choose FB ID Welcome back! MF Server

33. Init Redirect Authenticate & Consent Redirect Get Tokens Get FB

    UID via FB API End-User MF App FB Server Redirect Redirect Get Tokens Backend API Access Choose FB ID Welcome back! MF Server

34. Init Redirect Authenticate & Consent Redirect Get Tokens Get FB

    UID via FB API End-User MF App FB Server Redirect Redirect Get Tokens Backend API Access Choose FB ID Welcome back! MF Server

35. Init Redirect Authenticate & Consent Redirect Get Tokens Get FB

    UID via FB API End-User MF App FB Server Redirect Redirect Get Tokens Backend API Access Choose FB ID Welcome back! MF Server

36. Init Redirect Authenticate & Consent Redirect Get Tokens Get FB

    UID via FB API End-User MF App FB Server Redirect Redirect Get Tokens Backend API Access Choose FB ID Welcome back! MF Server

37. Init Redirect Authenticate & Consent Redirect Get Tokens Get FB

    UID via FB API End-User MF App FB Server Redirect Redirect Get Tokens Backend API Access Choose FB ID Welcome back! MF Server

38. ·ͣ͸جૅ͔Β…

39. OAuth 2.0 جૅ

40. Abstract - RFC 6749 : The OAuth 2.0 Authorization Framework

    “The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf.” IUUQTUPPMTJFUGPSHIUNMSGD

41. Abstract - RFC 6749 : The OAuth 2.0 Authorization Framework

    (຋༁൛) ʮOAuth 2.0 ͸, αʔυύʔςΟʔΞϓϦέʔγϣϯʹΑΔHTTPαʔϏε΁ ͷݶఆతͳΞΫηεΛՄೳʹ͢ΔೝՄϑϨʔϜϫʔΫͰ͋Δ. αʔυύʔ ςΟʔΞϓϦέʔγϣϯʹΑΔΞΫηεݖͷऔಘʹ͸, ϦιʔεΦʔφʔͱ HTTPαʔϏεͷؒͰಉҙͷͨΊͷΠϯλϥΫγϣϯΛ൐͏৔߹΋͋Δ͕, αʔυύʔςΟʔΞϓϦέʔγϣϯࣗ਎͕ࣗΒͷݖݶʹ͓͍ͯΞΫηεΛڐ Մ͢Δ৔߹΋͋Δ.ʯ IUUQTPQFOJEGPVOEBUJPOKBQBOHJUIVCJPSGDKBIUNM

42. ʮͳΜͪΌΒ ID ͰϩάΠϯʯΑΓ΋ ʮͳΜͪΌΒ API ͱ࿈ܞʯ͕ຊདྷͷ༻్

43. None
44. None
45. None
46. None
47. None

48. Init Redirect Authenticate Consent Redirect Get Tokens API Access End-User

    Client Authorization Server Resource Server

49. Init Redirect Authenticate Consent Redirect Get Tokens API Access End-User

    Client Authorization Server Resource Server

50. Init Redirect Authenticate Consent Redirect Get Tokens API Access End-User

    Client Authorization Server Resource Server

51. Init Redirect Authenticate Consent Redirect Get Tokens API Access End-User

    Client Authorization Server Resource Server

52. Init Redirect Authenticate Consent Redirect Get Tokens API Access End-User

    Client Authorization Server Resource Server

53. Init Redirect Authenticate Consent Redirect Get Tokens API Access End-User

    Client Authorization Server Resource Server

54. Init Redirect Authenticate Consent Redirect Get Tokens API Access End-User

    Client Authorization Server Resource Server

55. Init Redirect Authenticate Consent Redirect Get Tokens API Access End-User

    Client Authorization Server Resource Server API ఏڙଆ API ར༻ଆ 5PLFO
    ൃߦΛ୲͏ "1*
    ఏڙΛ୲͏ ·ͱΊͯ “OAuth Server” ͱ΋ݺ͹ΕΔ “OAuth Client” ͱݺ͹ΕΔ

56. Init Redirect Authenticate Consent Redirect Get Tokens API Access End-User

    Client Authorization Server Resource Server RFC 6749 - The OAuth 2.0 Authorization Framework RFC 6750 - The OAuth 2.0 Authorization Framework: Bearer Token Usage

57. RFC 6749 - The OAuth 2.0 Authorization Framework ⿣OAuth Core

    ͱ͔ݺ͹ΕΔ΍ͭ ⿣API ʹΞΫηε͢ΔͨΊͷτʔΫϯ (Access Token) ͷऔಘํ๏ΛఆΊΔ ⿣ݪจ : https://tools.ietf.org/html/rfc6749 ⿣຋༁ : https://openid-foundation-japan.github.io/rfc6749.ja

58. RFC 6750 - The OAuth 2.0 Authorization Framework: Bearer Token

    Usage ⿣OAuth Bearer ͱ͔ݺ͹ΕΔ΍ͭ ⿣औಘͨ͠ “Bearer ͳ” Access Token ͷར༻ํ๏ΛఆΊΔ ⿣ੈͷதͷ OAuth 2.0 ࣮૷ͷ 99% Ҏ্͸͜Εʹ֘౰ ⿣ݪจ : https://tools.ietf.org/html/rfc6750 ⿣຋༁ : https://openid-foundation-japan.github.io/rfc6750.ja

59. Init Redirect Authenticate Consent Redirect Get Tokens API Access End-User

    Client Authorization Server Resource Server

60. Init Redirect Authenticate Consent Redirect Get Tokens API Access End-User

    Client Authorization Server Resource Server

61. Authorization Request Params ⿣client_id : OAuth Client ͷࣝผࢠ ⿣redirect_uri :

    OAuth Client ͷ Callback URL ⿣response_type : “code” ݻఆ ⿣RFC6749 Ͱ͸ “token” ͱ͍͏஋΋ఆٛ͞Ε͍ͯΔ͕ݱࡏ͸ඇਪ঑ͷྲྀΕ ⿣scope : OAuth Server ͕ఆΊΔʮݶఆతͳ API ΞΫηεݖݶʯΛࣔ͢஋ ⿣state : OAuth Client ͷ౰֘ Session ʹඥ͍ͮͨ೚ҙͷ஋

62. Init Redirect Authenticate Consent Redirect Get Tokens API Access End-User

    Client Authorization Server Resource Server

63. Init Redirect Authenticate Consent Redirect Get Tokens API Access End-User

    Client Authorization Server Resource Server

64. Init Redirect Authenticate Consent Redirect Get Tokens API Access End-User

    Client Authorization Server Resource Server

65. Authorization Response Params ⿣code : Authorization Code ͱΑ͹ΕΔҰ࣌τʔΫϯ ⿣state :

    Authorization Request Ͱ Client ͕ࢦఆͨ͠஋ ⿣Client ͷ Session ʹඥ͍͍ͮͯͳ͍஋ͷ৔߹͸ CSRF ߈ܸΛड͚͍ͯΔ

66. Init Redirect Authenticate Consent Redirect Get Tokens API Access End-User

    Client Authorization Server Resource Server

67. Token Request Params ⿣grant_type : “authorization_code” ݻఆ ⿣code : Authorization

    Response Ͱड͚औͬͨ Authorization Code ⿣redirect_uri : Authorization Response Λड͚औͬͨ Callback URL ⿣Basic ೝূ : client_id & client_secret Λར༻ ⿣Native App ΍ JS App ͳͲ secret Λ࣋ͨͳ͍ΞϓϦ͸লུՄ

68. Init Redirect Authenticate Consent Redirect Get Tokens API Access End-User

    Client Authorization Server Resource Server

69. Token Response Params ⿣access_token : API ΞΫηεʹར༻͢ΔτʔΫϯ ⿣refresh_token : access_token

    Λ࠶ൃߦ͢Δࡍʹར༻͢ΔτʔΫϯ ⿣token_type : “Bearer” ݻఆ (case insensible) ⿣expires_in : ౰֘ access_token ͷ༗ޮظݶ

70. Init Redirect Authenticate Consent Redirect Get Tokens API Access End-User

    Client Authorization Server Resource Server

71. Resource Request Params ⿣Authorization Header : “Bearer” εΩʔϚͰ access_token Λࢦఆ

72. Init Redirect Authenticate Consent Redirect Get Tokens API Access End-User

    Client Authorization Server Resource Server

73. Init Redirect Authenticate Consent Redirect Get Tokens API Access End-User

    Client Authorization Server Resource Server

74. Init Redirect Authenticate Consent Redirect Get Tokens API Access End-User

    Client Authorization Server Resource Server

75. Init Redirect Authenticate Consent Redirect Get Tokens API Access End-User

    Client Authorization Server Resource Server

76. Init Redirect Authenticate Consent Redirect Get Tokens API Access End-User

    Client Authorization Server Resource Server

77. Init Redirect Authenticate Consent Redirect Get Tokens API Access End-User

    Client Authorization Server Resource Server

78. OAuth Server’s Official SDKs

79. https://oauth.net/code/

80. OpenID Connect جૅ

81. OAuth 2.0 Λ ʮͳΜͪΌΒ ID ͰϩάΠϯʯ Ͱར༻͢ΔͨΊʹ֦ுͨ͠࢓༷

82. OAuth 2.0 ͰͷʮͳΜͪΌΒ ID ͰϩάΠϯʯ ⿣Access Token Λऔಘ͢Δํ๏͸ඪ४Խ͞Ε͍ͯΔ ⿣User ID

    (+ Profile Info) Λऔಘ͢Δํ๏͸֤ API Provider ͝ͱʹόϥόϥ ⿣FB Graph API ⿣https://developers.facebook.com/docs/graph-api/reference/user ⿣Github API ⿣https://developer.github.com/v3/users/#get-the-authenticated-user

83. OpenID Connect ⿣OAuth 2.0 ʹՃ͑ͯҎԼΛඪ४Խ ⿣User ID & Profile Info

    ͷऔಘํ๏ ⿣API Server ͕ϢʔβʔΛೝূͨ͠ࡍͷΠϕϯτ৘ใͷऔಘํ๏ ⿣ೝূ೔࣌, ೝূํࣜ etc. ⿣OAuth 2.0 ͕ఆΊͨ෦෼͸ͦͷ··׆༻ ⿣Access Token औಘɾར༻ํ๏

84. Init Redirect Authenticate Consent Redirect Get Tokens API Access End-User

    Client Authorization Server Resource Server

85. Init Redirect Authenticate Consent Redirect Get Tokens API Access End-User

    Client Authorization Server Resource Server API ఏڙଆ "VUIFOUJDBUJPO
    4FSWFS
    ͱ΋ݺ͹ΕΔ ·ͱΊͯ “Identity Provider (IdP)” ͱ΋ݺ͹ΕΔ “Relying Party (RP)” ͱݺ͹ΕΔ API ར༻ଆ

86. IUUQTPQFOJEOFUDPOOFDU

87. IUUQTPQFOJEOFUDPOOFDU

88. IUUQTPQFOJEOFUXH

89. ࢓༷܈΋͍ͬͺ͍͋ͬͯ Ϣʔεέʔε͝ͱʹ WG ͕֦ுͯ͠Δ͚Ͳ େࣄͳ͜ͱ͸ 3 ఺ͷΈ

90. OpenID Connect = OAuth 2.0 + … ⿣“openid” scope ⿣౰֘ϦΫΤετ͕

    OpenID Connect ͷϦΫΤετͰ͋Δ (= End-User ͷ ࣝผࢠΛཁٻ͍ͯ͠Δ) ͜ͱΛࣔ͢஋ ⿣ID Token ⿣ॺ໊෇͖Ͱ Authentication Session ͷ৘ใΛؚΉτʔΫϯ (Assertion) ⿣User Info API ⿣ඪ४Խ͞Εͨ JSON ϑΥʔϚοτͰϢʔβʔϓϩϑΟʔϧ৘ใΛฦ͢

91. Init Redirect Authenticate Consent Redirect Get Tokens API Access End-User

    Client Authorization Server Resource Server

92. Init Redirect Authenticate Consent Redirect Get Tokens API Access End-User

    Client Authorization Server Resource Server

93. Init Redirect Authenticate Consent Redirect Get Tokens API Access End-User

    Client Authorization Server Resource Server
94. None
95. None

96. ID Token ͷத਎ ⿣iss (issuer) : ID Token ൃߦओମ (IdP)

    ͷࣝผࢠ ⿣aud (audience) : ID Token ൃߦ૬ख (RP) ͷࣝผࢠ ⿣sub (subject) : IdP ͕ൃߦͨ͠ End-User ͷࣝผࢠ ⿣iat (issued_at) & exp (expires_at) : ൃߦ೔࣌ͱ༗ޮظݶ (UNIX Timestamp) ⿣nonce : ϦΫΤετ࣌ʹड͚औͬͨ஋ (AuthZ Req & Token Res Binding) ⿣at_hash : ಉ࣌ʹൃߦ͞Εͨ Access Token ͷϋογϡ஋ ⿣ଞʹ΋ auth_time, acr, amr, azp, c_hash etc... IUUQTPQFOJEOFUTQFDTPQFOJEDPOOFDUDPSF@IUNM*%5PLFO

97. Init Authenticate Consent Redirect Get Tokens API Access End-User Client

    Authorization Server Resource Server Redirect
98. None

99. ⿣sub ⿣name ⿣given_name ⿣family_name ⿣middle_name ⿣nickname ⿣preferred_username ⿣profile ⿣picture ⿣website

    ⿣email ⿣email_verified ⿣gender ⿣birthdate ⿣zoneinfo ⿣locale ⿣phone_number ⿣phone_number_veri fied ⿣address ⿣updated_at User Info ͷத਎ IUUQTPQFOJEOFUTQFDTPQFOJEDPOOFDUDPSF@IUNM$MBJNT

100. Init Redirect Authenticate Consent Redirect Get Tokens API Access End-User

     Client Authorization Server Resource Server

101. Init Redirect Authenticate Consent Redirect Get Tokens API Access End-User

     Client Authorization Server Resource Server

102. Init Redirect Authenticate Consent Redirect Get Tokens API Access End-User

     Client Authorization Server Resource Server
103. None

104. Init Authenticate Consent Redirect Get Tokens API Access End-User Client

     Authorization Server Resource Server Redirect
105. None

106. OAuth 2.0 + ID Token + UserInfo API = OpenID

     Connect

107. ʲ࠷ޙʹิ଍ʳ OAuth 2.0 / OpenID Connect ࢖͍෼͚

108. OAuth 2.0 ࢖͏ͱ͜Ζ ⿣OpenID Connect Λαϙʔτ͍ͯ͠ͳ͍ IdP ͷ ID ͰϩάΠϯ

     ⿣ʮͳΜͪΌΒ ID ͰϩάΠϯʯ͸ෆཁͰ API ͚ͩΛ࢖͍͍ͨ࣌ ⿣ࣗࣾαʔϏεͰࣾ֎ and/or ࣾ಺޲͚ʹ API Λఏڙ͍ͨ࣌͠ ⿣JS / iOS / Android App Ͱ Backend Server ͱ API ܦ༝Ͱ΍ΓऔΓ͍ͨ࣌͠

109. OpenID Connect ࢖͏ͱ͜Ζ ⿣OpenID Connect Λαϙʔτ͍ͯ͠Δ IdP ͷ ID ͰϩάΠϯ

     ⿣ʮͳΜͪΌΒ ID ͰϩάΠϯʯͭͭ͠ IdP ͕ఏڙ͢Δଞ API ΋࢖͍͍ͨ࣌ ⿣ࣗࣾαʔϏεͰࣾ֎ and/or ࣾ಺޲͚ʹೝূج൫ (+ API) Λఏڙ͍ͨ࣌͠ ⿣microservices Ά͍΍ͭͱ͔
110. None