Upgrade to Pro — share decks privately, control downloads, hide ads and more …

OAuth 2.0 & OpenID Connect 基礎 @ OpenID Meetup F...

OAuth 2.0 & OpenID Connect 基礎 @ OpenID Meetup Fukuoka

Nov Matake

March 29, 2019
Tweet

More Decks by Nov Matake

Other Decks in Technology

Transcript

  1. ͳΜͪΌΒIDͰϩάΠϯ ⿣Facebook ID ͰϩάΠϯ : OAuth 2.0 ⿣GitHub ID ͰϩάΠϯ

    : OAuth 2.0 ⿣Google ID ͰϩάΠϯ : OpenID Connect ⿣Yahoo! JAPAN ID ͰϩάΠϯ : OpenID Connect ⿣LINE ID ͰϩάΠϯ : OpenID Connect ⿣ࣗࣾ Web App ͷ ID Ͱࣗࣾ iOS/Android App ʹϩάΠϯ : OAuth 2.0 ⿣ࣗࣾ Web App ʹ͸ Google ID ͰϩάΠϯ : OpenID Connect + OAuth 2.0
  2. Init Redirect Authenticate & Consent Redirect Get Tokens End-User MF

    Server FB Server Get FB UID via FB API Welcome back!
  3. Init Redirect Authenticate & Consent Redirect Get Tokens End-User MF

    Server FB Server Get FB UID via FB API Welcome back!
  4. Init Redirect Authenticate & Consent Redirect Get Tokens End-User MF

    Server FB Server Get FB UID via FB API Welcome back!
  5. Init Redirect Authenticate & Consent Redirect Get Tokens End-User MF

    Server FB Server Get FB UID via FB API Welcome back!
  6. Init Redirect Authenticate & Consent Redirect Get Tokens End-User MF

    Server FB Server Get FB UID via FB API Welcome back!
  7. Init Redirect Authenticate & Consent Redirect Get Tokens End-User MF

    Server FB Server Get FB UID via FB API Welcome back!
  8. Init Redirect Authenticate & Consent Redirect Get Tokens End-User MF

    Server FB Server Get FB UID via FB API Welcome back!
  9. Init Redirect Authenticate & Consent Redirect Get Tokens End-User MF

    App MF Server Backend API Access Welcome back!
  10. Init Redirect Authenticate & Consent Redirect Get Tokens End-User MF

    App MF Server Backend API Access Welcome back!
  11. Init Redirect Authenticate & Consent Redirect Get Tokens End-User MF

    App MF Server Backend API Access Welcome back!
  12. Init Redirect Authenticate & Consent Redirect Get Tokens End-User MF

    App MF Server Backend API Access Welcome back!
  13. Init Redirect Authenticate & Consent Redirect Get Tokens End-User MF

    App MF Server Backend API Access Welcome back!
  14. Init Redirect Authenticate & Consent Redirect Get Tokens End-User MF

    App MF Server Welcome back! Backend API Access
  15. Init Redirect Authenticate & Consent Redirect Get Tokens End-User MF

    App MF Server Backend API Access Welcome back!
  16. Init Redirect Authenticate & Consent Redirect Get Tokens End-User MF

    App MF Server Backend API Access Welcome back!
  17. Init Redirect Authenticate & Consent Redirect Get Tokens Get FB

    UID via FB API End-User MF App FB Server Redirect Redirect Get Tokens Backend API Access Choose FB ID Welcome back! MF Server
  18. Init Redirect Authenticate & Consent Redirect Get Tokens Get FB

    UID via FB API End-User MF App FB Server Redirect Redirect Get Tokens Backend API Access Choose FB ID Welcome back! MF Server
  19. Init Redirect Authenticate & Consent Redirect Get Tokens Get FB

    UID via FB API End-User MF App FB Server Redirect Redirect Get Tokens Backend API Access Choose FB ID Welcome back! MF Server
  20. Init Redirect Authenticate & Consent Redirect Get Tokens Get FB

    UID via FB API End-User MF App FB Server Redirect Redirect Get Tokens Backend API Access Choose FB ID Welcome back! MF Server
  21. Init Redirect Authenticate & Consent Redirect Get Tokens Get FB

    UID via FB API End-User MF App FB Server Redirect Redirect Get Tokens Backend API Access Choose FB ID Welcome back! MF Server
  22. Init Redirect Authenticate & Consent Redirect Get Tokens Get FB

    UID via FB API End-User MF App FB Server Redirect Redirect Get Tokens Backend API Access Choose FB ID Welcome back! MF Server
  23. Init Redirect Authenticate & Consent Redirect Get Tokens Get FB

    UID via FB API End-User MF App FB Server Redirect Redirect Get Tokens Backend API Access Choose FB ID Welcome back! MF Server
  24. Init Redirect Authenticate & Consent Redirect Get Tokens Get FB

    UID via FB API End-User MF App FB Server Redirect Redirect Get Tokens Backend API Access Choose FB ID Welcome back! MF Server
  25. Init Redirect Authenticate & Consent Redirect Get Tokens Get FB

    UID via FB API End-User MF App FB Server Redirect Redirect Get Tokens Backend API Access Choose FB ID Welcome back! MF Server
  26. Init Redirect Authenticate & Consent Redirect Get Tokens Get FB

    UID via FB API End-User MF App FB Server Redirect Redirect Get Tokens Backend API Access Choose FB ID Welcome back! MF Server
  27. Init Redirect Authenticate & Consent Redirect Get Tokens Get FB

    UID via FB API End-User MF App FB Server Redirect Redirect Get Tokens Backend API Access Choose FB ID Welcome back! MF Server
  28. Abstract - RFC 6749 : The OAuth 2.0 Authorization Framework

    “The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf.” IUUQTUPPMTJFUGPSHIUNMSGD
  29. Abstract - RFC 6749 : The OAuth 2.0 Authorization Framework

    (຋༁൛) ʮOAuth 2.0 ͸, αʔυύʔςΟʔΞϓϦέʔγϣϯʹΑΔHTTPαʔϏε΁ ͷݶఆతͳΞΫηεΛՄೳʹ͢ΔೝՄϑϨʔϜϫʔΫͰ͋Δ. αʔυύʔ ςΟʔΞϓϦέʔγϣϯʹΑΔΞΫηεݖͷऔಘʹ͸, ϦιʔεΦʔφʔͱ HTTPαʔϏεͷؒͰಉҙͷͨΊͷΠϯλϥΫγϣϯΛ൐͏৔߹΋͋Δ͕, αʔυύʔςΟʔΞϓϦέʔγϣϯࣗ਎͕ࣗΒͷݖݶʹ͓͍ͯΞΫηεΛڐ Մ͢Δ৔߹΋͋Δ.ʯ IUUQTPQFOJEGPVOEBUJPOKBQBOHJUIVCJPSGDKBIUNM
  30. Init Redirect Authenticate Consent Redirect Get Tokens API Access End-User

    Client Authorization Server Resource Server API ఏڙଆ API ར༻ଆ 5PLFOൃߦΛ୲͏ "1*ఏڙΛ୲͏ ·ͱΊͯ “OAuth Server” ͱ΋ݺ͹ΕΔ “OAuth Client” ͱݺ͹ΕΔ
  31. Init Redirect Authenticate Consent Redirect Get Tokens API Access End-User

    Client Authorization Server Resource Server RFC 6749 - The OAuth 2.0 Authorization Framework RFC 6750 - The OAuth 2.0 Authorization Framework: Bearer Token Usage
  32. RFC 6749 - The OAuth 2.0 Authorization Framework ⿣OAuth Core

    ͱ͔ݺ͹ΕΔ΍ͭ ⿣API ʹΞΫηε͢ΔͨΊͷτʔΫϯ (Access Token) ͷऔಘํ๏ΛఆΊΔ ⿣ݪจ : https://tools.ietf.org/html/rfc6749 ⿣຋༁ : https://openid-foundation-japan.github.io/rfc6749.ja
  33. RFC 6750 - The OAuth 2.0 Authorization Framework: Bearer Token

    Usage ⿣OAuth Bearer ͱ͔ݺ͹ΕΔ΍ͭ ⿣औಘͨ͠ “Bearer ͳ” Access Token ͷར༻ํ๏ΛఆΊΔ ⿣ੈͷதͷ OAuth 2.0 ࣮૷ͷ 99% Ҏ্͸͜Εʹ֘౰ ⿣ݪจ : https://tools.ietf.org/html/rfc6750 ⿣຋༁ : https://openid-foundation-japan.github.io/rfc6750.ja
  34. Authorization Request Params ⿣client_id : OAuth Client ͷࣝผࢠ ⿣redirect_uri :

    OAuth Client ͷ Callback URL ⿣response_type : “code” ݻఆ ⿣RFC6749 Ͱ͸ “token” ͱ͍͏஋΋ఆٛ͞Ε͍ͯΔ͕ݱࡏ͸ඇਪ঑ͷྲྀΕ ⿣scope : OAuth Server ͕ఆΊΔʮݶఆతͳ API ΞΫηεݖݶʯΛࣔ͢஋ ⿣state : OAuth Client ͷ౰֘ Session ʹඥ͍ͮͨ೚ҙͷ஋
  35. Authorization Response Params ⿣code : Authorization Code ͱΑ͹ΕΔҰ࣌τʔΫϯ ⿣state :

    Authorization Request Ͱ Client ͕ࢦఆͨ͠஋ ⿣Client ͷ Session ʹඥ͍͍ͮͯͳ͍஋ͷ৔߹͸ CSRF ߈ܸΛड͚͍ͯΔ
  36. Token Request Params ⿣grant_type : “authorization_code” ݻఆ ⿣code : Authorization

    Response Ͱड͚औͬͨ Authorization Code ⿣redirect_uri : Authorization Response Λड͚औͬͨ Callback URL ⿣Basic ೝূ : client_id & client_secret Λར༻ ⿣Native App ΍ JS App ͳͲ secret Λ࣋ͨͳ͍ΞϓϦ͸লུՄ
  37. Token Response Params ⿣access_token : API ΞΫηεʹར༻͢ΔτʔΫϯ ⿣refresh_token : access_token

    Λ࠶ൃߦ͢Δࡍʹར༻͢ΔτʔΫϯ ⿣token_type : “Bearer” ݻఆ (case insensible) ⿣expires_in : ౰֘ access_token ͷ༗ޮظݶ
  38. OAuth 2.0 ͰͷʮͳΜͪΌΒ ID ͰϩάΠϯʯ ⿣Access Token Λऔಘ͢Δํ๏͸ඪ४Խ͞Ε͍ͯΔ ⿣User ID

    (+ Profile Info) Λऔಘ͢Δํ๏͸֤ API Provider ͝ͱʹόϥόϥ ⿣FB Graph API ⿣https://developers.facebook.com/docs/graph-api/reference/user ⿣Github API ⿣https://developer.github.com/v3/users/#get-the-authenticated-user
  39. OpenID Connect ⿣OAuth 2.0 ʹՃ͑ͯҎԼΛඪ४Խ ⿣User ID & Profile Info

    ͷऔಘํ๏ ⿣API Server ͕ϢʔβʔΛೝূͨ͠ࡍͷΠϕϯτ৘ใͷऔಘํ๏ ⿣ೝূ೔࣌, ೝূํࣜ etc. ⿣OAuth 2.0 ͕ఆΊͨ෦෼͸ͦͷ··׆༻ ⿣Access Token औಘɾར༻ํ๏
  40. Init Redirect Authenticate Consent Redirect Get Tokens API Access End-User

    Client Authorization Server Resource Server API ఏڙଆ "VUIFOUJDBUJPO4FSWFS ͱ΋ݺ͹ΕΔ ·ͱΊͯ “Identity Provider (IdP)” ͱ΋ݺ͹ΕΔ “Relying Party (RP)” ͱݺ͹ΕΔ API ར༻ଆ
  41. OpenID Connect = OAuth 2.0 + … ⿣“openid” scope ⿣౰֘ϦΫΤετ͕

    OpenID Connect ͷϦΫΤετͰ͋Δ (= End-User ͷ ࣝผࢠΛཁٻ͍ͯ͠Δ) ͜ͱΛࣔ͢஋ ⿣ID Token ⿣ॺ໊෇͖Ͱ Authentication Session ͷ৘ใΛؚΉτʔΫϯ (Assertion) ⿣User Info API ⿣ඪ४Խ͞Εͨ JSON ϑΥʔϚοτͰϢʔβʔϓϩϑΟʔϧ৘ใΛฦ͢
  42. ID Token ͷத਎ ⿣iss (issuer) : ID Token ൃߦओମ (IdP)

    ͷࣝผࢠ ⿣aud (audience) : ID Token ൃߦ૬ख (RP) ͷࣝผࢠ ⿣sub (subject) : IdP ͕ൃߦͨ͠ End-User ͷࣝผࢠ ⿣iat (issued_at) & exp (expires_at) : ൃߦ೔࣌ͱ༗ޮظݶ (UNIX Timestamp) ⿣nonce : ϦΫΤετ࣌ʹड͚औͬͨ஋ (AuthZ Req & Token Res Binding) ⿣at_hash : ಉ࣌ʹൃߦ͞Εͨ Access Token ͷϋογϡ஋ ⿣ଞʹ΋ auth_time, acr, amr, azp, c_hash etc... IUUQTPQFOJEOFUTQFDTPQFOJEDPOOFDUDPSF@IUNM*%5PLFO
  43. Init Authenticate Consent Redirect Get Tokens API Access End-User Client

    Authorization Server Resource Server Redirect
  44. ⿣sub ⿣name ⿣given_name ⿣family_name ⿣middle_name ⿣nickname ⿣preferred_username ⿣profile ⿣picture ⿣website

    ⿣email ⿣email_verified ⿣gender ⿣birthdate ⿣zoneinfo ⿣locale ⿣phone_number ⿣phone_number_veri fied ⿣address ⿣updated_at User Info ͷத਎ IUUQTPQFOJEOFUTQFDTPQFOJEDPOOFDUDPSF@IUNM$MBJNT
  45. Init Authenticate Consent Redirect Get Tokens API Access End-User Client

    Authorization Server Resource Server Redirect
  46. OAuth 2.0 ࢖͏ͱ͜Ζ ⿣OpenID Connect Λαϙʔτ͍ͯ͠ͳ͍ IdP ͷ ID ͰϩάΠϯ

    ⿣ʮͳΜͪΌΒ ID ͰϩάΠϯʯ͸ෆཁͰ API ͚ͩΛ࢖͍͍ͨ࣌ ⿣ࣗࣾαʔϏεͰࣾ֎ and/or ࣾ಺޲͚ʹ API Λఏڙ͍ͨ࣌͠ ⿣JS / iOS / Android App Ͱ Backend Server ͱ API ܦ༝Ͱ΍ΓऔΓ͍ͨ࣌͠
  47. OpenID Connect ࢖͏ͱ͜Ζ ⿣OpenID Connect Λαϙʔτ͍ͯ͠Δ IdP ͷ ID ͰϩάΠϯ

    ⿣ʮͳΜͪΌΒ ID ͰϩάΠϯʯͭͭ͠ IdP ͕ఏڙ͢Δଞ API ΋࢖͍͍ͨ࣌ ⿣ࣗࣾαʔϏεͰࣾ֎ and/or ࣾ಺޲͚ʹೝূج൫ (+ API) Λఏڙ͍ͨ࣌͠ ⿣microservices Ά͍΍ͭͱ͔