Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
IETF 107 Report Session: OAuth/TxAuth
Search
sylph01
April 22, 2020
Technology
0
83
IETF 107 Report Session: OAuth/TxAuth
sylph01
April 22, 2020
Tweet
Share
More Decks by sylph01
See All by sylph01
Updates on PicoRuby Networking, HPKE (and maybe more)
sylph01
1
180
Adding Security to Microcontroller Ruby
sylph01
2
3k
Secure Messaging at IETF 118
sylph01
0
61
Adventures in the Dungeons of OpenSSL
sylph01
0
430
Community & RubyKaigi Showcase @ Ehime.rb Reboot Meetup
sylph01
0
260
Build and Learn Rails Authentication
sylph01
8
2k
Email, Messaging, and Self-Sovereign Identity (2021/05/28 edition)
sylph01
0
250
DNS Encryption and Its Controversies
sylph01
0
690
Email, Messaging, and SSI/DID (再放送)
sylph01
0
1.3k
Other Decks in Technology
See All in Technology
Vue.js、Nuxtの機能を使い、 大量のコピペコードをリファクタリングする
igayamaguchi
3
800
パートナー企業のテクニカルサポートエンジニアとして気になる、より良い AWS サポートの利活用について
kazzpapa3
0
180
テクニカルライターのチームで「目標」をどう決めたか / MVV for a Team of Technical Writers
lycorptech_jp
PRO
3
150
暴カワでビデオシンセサイザーを導入する技術
yuchi
2
120
最新のWasm事情
askua
5
2.5k
XSS攻撃から考察するAWS設定不備の恐怖/20241012 Hironobu Otaki
shift_evolve
0
110
自然言語処理を役立てるのはなぜ難しいのか
pfn
PRO
14
4.2k
WSUSが非推奨に!? Windowsの更新管理を改めて勉強する!
ebibibi
0
550
The road to green code (with Sonar)
bluehats
0
150
RDS for Db2 データ移行編 - Part2:S3経由のバックアップ・リストアでデータ移行 /20241011-RDSforDb2-dojo
mayumihirano
0
140
From naive to advanced RAG: the complete guide
glaforge
0
620
データ分析基盤のためにS3を深堀りする~アーキテクチャ設計の考え方のヒントに~
nrinetcom
PRO
1
740
Featured
See All Featured
Designing on Purpose - Digital PM Summit 2013
jponch
114
6.9k
What's in a price? How to price your products and services
michaelherold
243
11k
Building Flexible Design Systems
yeseniaperezcruz
327
38k
Put a Button on it: Removing Barriers to Going Fast.
kastner
58
3.5k
Building Applications with DynamoDB
mza
90
6k
KATA
mclloyd
29
13k
Let's Do A Bunch of Simple Stuff to Make Websites Faster
chriscoyier
504
140k
GitHub's CSS Performance
jonrohan
1030
450k
The Cost Of JavaScript in 2023
addyosmani
43
5.9k
4 Signs Your Business is Dying
shpigford
180
21k
Into the Great Unknown - MozCon
thekraken
31
1.4k
How STYLIGHT went responsive
nonsquared
95
5.1k
Transcript
OAuth, TxAuth @ IETF 107 Ryo Kajiwara @ lepidum
؆୯ʹഎܠհ OAuthͦͷͷͷenhancementsͷ΄͔ɺ OAuthͷεϖοΫࠈʢਤJustin Richer ࢯͷXYZհεϥΠυΑΓ࠶ߏͨ͠ ͷʣʹରԠ͢ΔͨΊʹҎԼͷಈ͖͕ग़ͯ ͖ͨ: • OAuth 2.0ͱՄೳͳݶΓޓੑΛอͬ
ͨ··ෆཁͳ༷ΛΓࣺͯͯ৽͘͠ υΩϡϝϯτΛ࡞Δ OAuth 2.1 • ޓੑΛؾʹͤͣ৽͍͠Ϣʔεέʔε ΧόʔͰ͖ΔΑ͏ʹ͢Δ XYZ
؆୯ʹഎܠհ • OAuthͷ4ͭͷGrant(Flow)ͷ͏ͪɺResource Owner Password CredentialsMUST NOT implementɺImplicit GrantSHOULD NOT
useͱͳͬͨ • ͨͩ͠Implicit GrantSender-Constrained Access TokenΛ༻͍ͳ ͍ݶΓͱ͍͏ୠ͠ॻ͖͕͍͍ͭͯΔ • Sender-Constrainedͱ: ΞΫηετʔΫϯͷൃߦઌͱར༻ऀͷ ҰகΛదʹอূͰ͖Δੑ࣭Λ࣋ͭΞΫηετʔΫϯͷ͜ͱ • ݱࡏҰൠతͳͷͦͷ۠ผͷͳ͍BearerτʔΫϯ
ৄ͘͠લճͷεϥΠ υݟͯ https:/ /speakerdeck.com/sylph01/ oauth-transactional-authorization- at-ietf106
OAuth
ओͳupdate • OAuth 2.0 Token Exchange -> RFC 8693 (2020/1)
• OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens -> RFC 8705 (2020/2) • Resource Indicators for OAuth 2.0 -> RFC 8707 (2020/2) • JSON Web Token Best Current Practices -> RFC 8725 (2020/2)
ओͳupdate • OAuth 2.0 Security Best Current Practice: ߋ৽தɻݱࡏdraft-15 •
OAuth 2.0 Pushed Authorization Requests͕WG documentԽ • OAuth 2.0 Rich Authorization Requests͕WG documentԽ • DPoP (Demonstration of Proof-of-Possession at the Application Layer)͕WG documentԽ • JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens͕WGLC
ਐߦதͷI-D (IETF 106͔Βͷࠩ) • The OAuth 2.1 Authorization Framework (draft-parecki-oauth-
v2-1-01) • OAuth 2.0 DPoP for the Implicit Flow (draft-jones-oauth-dpop- implicit-00) • The OAuth 2.0 Authorization Framework: Claims (draft-spencer- oauth-claims-01)
TxAuth Transactional Authorization and Delegation
charterͷٞ ࣄલͷconsensus callͰWGܗʹ͍ͭͯ20ਓ͔Βࢍɺ1ਓ͔Β ରɻ Agenda BashingʹͯCharterʹ͓͚Δ"Identity"ͷ༻๏ʹ͍ͭͯࢦఠ ͕͋ΓɺAgenda Bashingͷ࣌ؒ΄΅͜ͷٞͰΊΔ͜ͱͱ ͳͬͨɻ۩ମతʹɺOAuthʹ͓͍ͯIdentity֓೦ѻ͓ͬͯΒ ͣɺOpenID
ConnectͰॳΊͯೝূͷ֓೦͕ਖ਼ࣜʹొ͢Δͷͷɺ ͜ΕΒΛ࠶ར༻͢Δͱͨ͠Charterͷείʔϓ͕Ͳ͜·ͰΛѻ͏͔ ʹ͍ͭͯ໌֬Խ͢Δඞཁ͕͋Δɺͱͷࢦఠɻ
Identityʹ͍ͭͯɺิ ޙʹѻ͏XYZͱXAuthͰOpenID ConnectͰొͨ͠Identity Claims ֓೦Λ࠷ॳ͔ΒϓϩτίϧϨϕϧͰαϙʔτ͍ͯ͠Δʹʮ࠶ར༻ ͍ͯ͠Δʯɻ ͜Ε͕ʮ୯ͳΔೝՄ͞Ε͏ΔใͷҰछʯͳͷ͔ɺʮIdentityʹؔ ΘΔͷͱͯ͠ಛผѻ͍͖͢ͷʯͳͷ͔ʹҙݟͷ૬ҧ͕͋ Δɺͱ͍͏ೝࣝɻ OpenID
Connectͱ͍͏ଞͷSDOͰٞ͞Ε͍ͯΔωλΛઆ໌φγʹ IETFʹ࣋ͪࠐΉͳɺͱ͍͏͋Δɻ
XYZ ΄΅લճઆ໌ͨ͠௨ΓͳͷͰུɻ
XAuth 2020ʹͳͬͯର߅അͱͯ͠৽ͨʹొͨ͠ఏҊن֨ɻ ฏͨ͘ݴ͏ͳΒɺGrant֓೦Λத৺ʹɺClient͕GrantΛੜ͠ૢ ࡞͢ΔRESTful APIͱͯ͠ೝՄͷΈΛඋͨ͠͠ن֨ɻXYZ͕ TransactionʢೝՄΛΊ͙ΔऔҾʣΛத৺ʹ͍ͯ͠Δͷʹର͠ɺ XAuthೝՄͷत༩(Grant)ΛΊ͙ͬͯClient͕Grant Serverʹରͯ͠ ૢ࡞Λߦ͏ɺͱ͍͏த৺֓೦ͷҧ͍͕͋Δɻ
XYZ vs XAuth Interaction • XYZ: redirect, user_code, didcomm ͱ͍ͬͨՄೳͳΠϯλϥΫ
γϣϯΛͯ͢ྻڍ͢ΔɻASՄೳͳinteraction capabilityͰԠ ɺϙϦγʔʹج͍ͮͯཁٻ͢Δ • XAuth: ClientredirectΛߦ͏͜ͱ͕Ͱ͖Δ͔ɺͦΕͱindirect ͳinteractionΛඞਢͱ͢Δ͔Λࢦఆ͢ΔɻGSར༻͖͢ύϥ ϝʔλͰԠ͠ɺαϙʔτ͞Ε͍ͯͳ͚ΕΤϥʔ
XYZ vs XAuth Data Representation • XYZ: TransactionΛத৺֓೦ͱ͢ΔɻTransactionΛͱΓ·͘ InteractionͷͨΊʹ୯ҰͷURLΛར༻͢ΔɻhandleΛͬͯϦΫ Τετؒͷܧଓੑ(≒Transactionͷܧଓ)Λද͢ɻ
• XAuth: RESTfulͳϓϩτίϧɻGS URI͕GSͷࣝผࢠͰ͋Γɺ GrantΛੜ͢ΔͨΊͷURIɻURIΛ௨ͯ͠GrantAuthorizationͱ ରԠ͢ΔΞΫηετʔΫϯΛؔ࿈͚ͮΔɻ
XYZ vs XAuth Client Authentication • XYZ: Clientdetached JWS, DPoP,
OAuth PoP, HTTP Sig, MTLSͳͲ ͷʮҰൠతͳʯํ๏Λͬͯbound keysͷuseΛূ໌͢ΔɻRSʹ ͍ͭͯಉ༷ʹରԠ͍ͯ͠Δkey binding mechanismΛར༻͢ Δɻ • XAuth: ClientXYZͱಉ༷ʹbound keysͷuseΛGSͷauth mechanismͰূ໌͢Δ͕ɺσϑΥϧτJOSEΛ༻͍Δ ɻRSͷΞΫηεOAuth 2.0ಉ༷Bearer tokenɻ֦ுՄ
XYZ vs XAuth OAuth / OIDC Compatibility • XYZ: ClientͷࣝผʹKey
HandleΛ༻͍ΔɻID Token claimsͷα ϙʔτ͕͋Δɻresource handleΛ༻͍ͨscopeʹΑΔRich Resource Requestɻtransaction handleΛ༻͍ͨaccess token refreshɻOIDC UserInfo Endpointͷར༻͕Մೳɻ • XAuth: OAuth 2.0ಉ༷Client IDͰClientΛࣝผɻDynamic Client public key valueͰࣝผ(XYZಉ༷)ɻOAuth scopeͷͦͷ··ͷར ༻ɻRAR͕ͦͷ··ར༻ԽɻOIDC ClaimΛͦͷ··ར༻Մɻ
XYZ vs XAuth Discovery • XYZ: Transaction EndpointͰͯ͢ͷૢ࡞Λ։࢝͢ΔɻClientՄ ೳͳCapabilityͷϦετΛASʹૹ৴ɺASͦͷத͔Βαϙʔτ͠ ͍ͯΔͷͷҰཡΛฦ͢ɻ
• XAuth: ClientGS URI/Grant URI/AuthZ URIʹOPTIONS callΛ͢Δ ͜ͱͰGSͷcapabilityΛΔ
None
·ͱΊɺࢲݟ • ݱOAuthͷେ͖ͳ՝Sender-Constrainedੑͱͷಆ͍ • oauth WGͷworkͷ͏ͪɺMutual-TLS Client Authentication(RFC 8705)ͦͷ࣮ݱͷͨΊͷେ͖ͳҰาͰ͋ΓɺDPoPͷWG itemԽ
ͦͷྲྀΕΛΜͰ͍Δͱ͍͑Δ • XYZɺXAuthτʔΫϯͷSender-ConstrainedੑΛ৫ΓࠐΜ্ͩ Ͱ৽ͨͳϢʔεέʔεΛαϙʔτ͢Δ͜ͱΛతͱ͍ͯ͠Δ • ͔͠͠ͲͬͪͰ·ͱ·ΔΜͩΖ͏…