Upgrade to Pro — share decks privately, control downloads, hide ads and more …

現状のFedCMの動作解説と OIDCとの親和性について- OpenID TechNight ...

ritou
June 21, 2022

現状のFedCMの動作解説と OIDCとの親和性について- OpenID TechNight vol.19

下記イベントの発表資料です。
https://openid.connpass.com/event/249281/

ritou

June 21, 2022
Tweet

More Decks by ritou

Other Decks in Technology

Transcript

  1. • https://ritou.hatenablog.com • FedCMೖ໳ ͦͷ1 ~ ID࿈ܞͷ՝୊ͱFedCMͷΞϓϩʔν • FedCMೖ໳ ͦͷ2

    ~ ݱঢ়ͷFedCM࣮૷ղઆ • FedCMೖ໳ ͦͷ3 ~ OIDCͱͷࠩ෼ղઆ (·ͩԼॻ͖) $%&'(5678#PQ  2
  2. • IdP : Identity Provider. ଞαʔϏεʹରͯ͠Ϣʔβʔ৘ใΛ ఏڙ͢Δ αʔϏε • RP

    : Relying Party. IdPͷϢʔβʔ৘ใΛ༻͍ͯೝূػೳΛ࣮ ݱ͢Δ αʔϏε • Ϣʔβʔ : IdP/RPͦΕͧΕΛར༻͢ΔϢʔβʔ • ϒϥ΢β : FedCMʹରԠͨ͠ϒϥ΢β VWXY  4
  3. 1. Ϣʔβʔ͸IdPʹϩάΠϯ͍ͯ͠Δલఏ 2. Ϣʔβʔ͕RPͰ "IdPͰϩάΠϯ" Λར༻͠Α͏ͱͯ͠ɺRP͸ FedCMͷAPIΛݺͼग़͢ 3. ϒϥ΢β͸IdPʹରͯ͠ϩάΠϯதͷΞΧ΢ϯτ৘ใ(Ϧετ)Λཁ ٻ͠ɺID࿈ܞͷͨΊͷϓϩϯϓτΛRPυϝΠϯ্Ͱදࣔ͢Δ

    4. ϒϥ΢β͸Ϣʔβʔ͕બ୒/ڐՄͨ͠ΞΧ΢ϯτ৘ใʹඥͮ͘ೝূ ༻τʔΫϯ(OIDCͷIDToken)ΛIdPʹཁٻ͠ɺऔಘͨ͠΋ͷΛRPʹ ౉͢ɻRP͸ͦΕΛೝূػೳʹར༻͢Δɻ 01Z[\]  5
  4. 1. Ϣʔβʔ͸IdPʹϩάΠϯ͍ͯ͠Δલఏ 2. Ϣʔβʔ͕RPͰ "IdPͰϩάΠϯ" Λར༻͠Α͏ͱͯ͠ɺRP͸ FedCMͷAPIΛݺͼग़͢ 3. ϒϥ΢β͸IdPʹରͯ͠ϩάΠϯதͷΞΧ΢ϯτ৘ใ(Ϧετ)Λཁ ٻ͠ɺID࿈ܞͷͨΊͷϓϩϯϓτΛRPυϝΠϯ্Ͱදࣔ͢Δ

    4. ϒϥ΢β͸Ϣʔβʔ͕બ୒/ڐՄͨ͠ΞΧ΢ϯτ৘ใʹඥͮ͘ೝূ ༻τʔΫϯ(OIDCͷIDToken)ΛIdPʹཁٻ͠ɺऔಘͨ͠΋ͷΛRPʹ ౉͢ɻRP͸ͦΕΛೝূػೳʹར༻͢Δɻ 01Z[\]  7
  5. • Authorization Code Flow • ϑϩϯτνϟϯωϧ : Authorization Code (+

    ID Token) • όοΫνϟϯωϧ : ID Token / AT / RT • Implicit Flow <- ͜Εʹ͍ۙ • ϑϩϯτνϟϯωϧ : ID Token (+ α) • Hybrid Flow (ུ) /01'.$DC‹Œ  25
  6. • IdP metadata : OpenID Provider Con f iguration ͰٵऩՄೳ

    • Client৘ใཁٻ : ະఆٛ • ΞΧ΢ϯτϦετཁٻ : ະఆٛ • ID Tokenཁٻ -> Implicit Flowʹ͍ۙ • ϒϥ΢βʹAuthN Response͕౉͞ΕΔ • ະఆٛ/লུ͞Εͨύϥϝʔλ $%&'(.BŒ./01'  27
  7. • ༻్ʹ͍ͭͯ͸RPͱಉ༷ • ࣮૷ : FedCMରԠͷͨΊͷಠ֦ࣗு͕ඞཁ • Authorization Endpointͷ֦ுʁ •

    OIDCະఆٛͷΤϯυϙΠϯτ • ID Token ʹؚ·ΕΔ஋ • ݱঢ়Ͱ͸ύϥϝʔλҎ֎ͰܾΊΔඞཁ͕͋Δ /01'.0&p  29
  8. FedCM - OIDC ؒͷࠩ෼ղফͷͨΊʹ 1. FedCM ͕ OIDC ʹدͤΔ 2.

    FedCM ͷͨΊʹOIDCΛ֦ு͢Δ 1 Ͱ Implicit Flow ʹدͤΑ͏ͱͯ͠΋OIDCະఆٛͷϦΫΤε τ/Ϩεϙϯε΋͋ΔͷͰ 1, 2 ͷ྆ํ͕ඞཁͦ͏ɻ SAML͸֦ுେมͳΜ͡Όͳ͍ͷʁ •Ž+•#•‘#zghl’  31
  9. • id_token_endpoint = Authorization Endpoint • Authentication Request • “response_type=id_token”

    • “prompt=none” • “login_hint” + Cookie Ͱ൑ఆ • “scope”, “claims” ύϥϝʔλΛαϙʔτ $%&'(b/01'5“”f  32
  10. • FedCMಠࣗͷϦΫΤετ • Client Metadata Request • Account List Request

    • JSONܗࣜͰID TokenΛཁٻ • response_mode: body # body Ͱ Authentication Response Λཁٻ • redirect_uri: “urn…” # fedcm ༻ͷ஋ͱ͔ /01'.•–A%:Œ?C:.—CJ.$%&'(  33
  11. • ݱঢ়ͷFedCMͰߦΘΕ͍ͯΔϦΫΤετ/ϨεϙϯεΛઆ໌ ͨ͠ • FedCM ͱ OIDC ͷϓϩτίϧͱͯ͠ͷҧ͍Λઆ໌ͨ͠ • OIDC

    Implicit Flow ૬౰ͷγϣʔτΧοτతͳཱͪҐஔʹ ͳ͍ͬͯΔ • IdPͷ௥ՃରԠͷίετ͕͋Δҹ৅ͳͷͰɺࠩ෼ղফͷΞϓ ϩʔνʹࠓޙ͸஫໨ ˜-‘  34