* External authentication platforms * A comparison of Auth0 / Amazon Cognito / Firebase Authentication / Netlify Identity * Why Auth0 was chosen
Trying the next-generation authentication platform "Auth0". 「最近のWeb技術についてワイワイ語る会」 (a meetup for chatting about recent web technologies), 2018/09/27. Takahiro Tsuchiya / @corocn
Agenda • About me • External authentication platforms • Comparing the services • Introducing the authentication platform service "Auth0"
About me • @corocn / Takahiro Tsuchiya • Misoca Inc. • Auth0 Ambassador
I wrote a book • Distributed at 技術書典4 (Gijutsu-shoten 4) • On sale on Amazon • I want to put out a revised edition!
Today's talk
Web applications and external authentication platforms
If you build a web service, an authentication mechanism is a must
But authentication is not what we actually want to deliver to users
We would rather spend our time on the parts that are the essence of the service
But isn't authentication hard? I don't understand it at all. Authentication is hard for humankind
So how do you implement the feature?
Implement it yourself from scratch • Better not • You can be confident you will create a security hole • Reinventing the wheel • Hard, because the know-how for implementing security rarely gets published
Use the framework's standard library • You get to ride the rails to some extent • Only the bare minimum of features • Anything elaborate tends to fall apart halfway through • Rails' Devise? Sorcery? Everyone seems to be using them while complaining how painful they are...
https://qiita.com/cigalecigales/items/73d7bd7ec59a001ccd74
Can you keep up with new specifications? • Password authentication • SSO, social login, passwordless • MFA (multi-factor authentication) • FIDO 1.0 (U2F, UAF) • FIDO2 (WebAuthn + CTAP, the successor to U2F and UAF) and the WebAuthn API are just around the corner
Right, let's use an external authentication platform
Things to watch out for
• Using an external service does not make the security risk disappear • The integration with it (token handling, callbacks, session setup) is still code the developer writes and owns • Use it without understanding it properly and you will, naturally, have an incident • Used properly, though, it cuts implementation time and maintenance cost substantially
I tried several
Authentication services I tried • Amazon Cognito • Firebase Authentication • Netlify Identity • Auth0 ← what I settled on in the end
Amazon Cognito • Demands deep AWS knowledge • Concepts such as User Pools and Identity Pools are hard to grasp (User Pools handle sign-in; Identity Pools exchange those identities for AWS credentials) • High learning cost • Worth considering if your service is all-in on AWS, but evaluating it looks time-consuming
Firebase Authentication • Free (with limits on some operations) • Simple. The dashboard is quite spartan. • No service-continuity guarantee • ◎ if you are already committed to GCP and the other Firebase services • Painful that you cannot write fine-grained control logic • Documentation is hard to read
Netlify Identity • Implementation was easy • Gave up because features were lacking and debugging locally was difficult • May have improved since
Auth0 • Low learning cost and high extensibility, the best of the bunch • What I settled on in the end
What is Auth0? • A cloud authentication vendor • IDaaS (Identity as a Service) • Headquartered in Bellevue, Washington • Fully remote work • Company offsites (Cancún, Panama, and the like)
IDaaS • Enterprise identity management may be what comes to mind (Okta, OneLogin, etc.) • Auth0 gives the impression of being easy to use for consumer-facing (to-C) services as well
You can start playing with it right away (free-plan limits as of this talk) • Basically free to use (the Enterprise tier can be trialled for 22 days) • 7,000 users, unlimited logins • Passwordless supported • Embeddable login form (Lock) ← more later • Social login (up to 2 providers) • Unlimited Rules ← more later
Plenty of tutorials
https://auth0.com/docs
Quickstart categories on the docs site: Mobile, SPA, Web App 1, Web App 2, Backend API
• Tutorials cover every kind of application • The JWT Handbook and a blog on authentication topics • Hoping for a Japanese edition soon (hint, hint) • jwt.io, powered by Auth0 • A JWT debugging tool you can use in the browser (decoding a token there shows its claims; only a signature check makes them trustworthy)
Lock
Lock • Auth0's embeddable login form • Supports a range of platforms • Multilingual • Uses the Auth0 SDK (auth0.js and so on) internally • When you need fine-grained control, use the SDK directly • The tutorials implement login with auth0.js
• Settings such as social login take effect in Lock immediately • Auth0's own developer keys are configured by default, so you can try social connections straight away (nice) • Before using a connection for real, register your own app with each provider and configure its keys: Auth0 documents the developer keys as for testing only, and with them the provider's consent screen shows Auth0 rather than your application
Webtask
Webtask • Auth0 runs its own AWS-Lambda-like serverless environment • Functions can be written in JavaScript or C# • Node v8, so async/await is available • Webtask is what gives Auth0 its high extensibility
Rule
Rule • Extensions to the authentication flow are configured as Rules • Example 1) Restrict the email domains that may log in • Example 2) Link accounts that belong to the same person (名寄せ) • They run on Webtask • Many templates are provided per use case, so a small edit is usually all it takes (a Rule runs on every login in the tenant, so a missing check there affects every user)
Rule: Template
Rule: Whitelist
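What the whitelist template does, as an added example written here. It is not Auth0's own template, though it keeps the `function (user, context, callback)` shape a Rule must have. The allowed domains are made up, and `UnauthorizedError` is supplied by the Rule runtime; the small shim at the top only exists so the file also runs locally. Two things the example insists on that a quick edit of a template can miss: the domain comparison is an exact match on the part after the last `@`, and an unverified email address is rejected, since a social connection can hand over an address the provider never checked.

```javascript
// Added example, not Auth0's own whitelist template. In the Rule sandbox,
// UnauthorizedError is a global; this shim lets the file run locally.
if (typeof UnauthorizedError === 'undefined') {
  global.UnauthorizedError = class UnauthorizedError extends Error {};
}

// Pure decision helper so the policy can be unit-tested outside the runtime.
function isAllowedDomain(email, allowedDomains) {
  if (typeof email !== 'string') return false;
  const at = email.lastIndexOf('@');
  if (at < 0 || at === email.length - 1) return false;
  const domain = email.slice(at + 1).toLowerCase();
  // Exact match only: endsWith('example.com') would also admit 'evil-example.com'.
  return allowedDomains.some((d) => d.toLowerCase() === domain);
}

// The Rule itself: this is the function you would paste into the dashboard.
function domainWhitelistRule(user, context, callback) {
  const allowedDomains = ['example.com', 'corp.example.com']; // constructed for the demo

  // Only trust an address the identity provider has verified; otherwise anyone
  // who can claim 'ceo@example.com' at a lax provider walks in.
  if (!user.email_verified) {
    return callback(new UnauthorizedError('Email address must be verified.'));
  }
  if (!isAllowedDomain(user.email, allowedDomains)) {
    return callback(new UnauthorizedError('Access denied.'));
  }
  return callback(null, user, context);
}

// Drive the Rule the way the runtime does and report the outcome as a string.
function decide(user) {
  let outcome = 'no decision'; // a Rule that never calls back would hang the login
  domainWhitelistRule(user, { connection: 'google-oauth2' }, (err, u) => {
    outcome = err ? `denied: ${err.message}` : `allowed: ${u.email}`;
  });
  return outcome;
}

// Constructed sample users, one per case the policy must handle.
const SAMPLE_USERS = {
  employee:   { email: 'alice@example.com',        email_verified: true },
  mixedCase:  { email: 'Bob@CORP.Example.com',     email_verified: true },
  lookalike:  { email: 'mallory@evil-example.com', email_verified: true },
  unverified: { email: 'eve@example.com',          email_verified: false },
  noEmail:    { email_verified: true },
};
for (const [name, user] of Object.entries(SAMPLE_USERS)) console.log(name.padEnd(11), decide(user));
```

Keeping the decision in a separate pure function is what makes the policy testable before it is pasted into a tenant where it runs on every login.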
Other • A user dashboard comes as standard • Auth0 Guardian (MFA) • FIDO2 support? → possible via an add-on
Summary • Service development should concentrate on the essence of the service • Using an external authentication platform to cut implementation cost is a legitimate choice • Auth0 is feature-rich and highly extensible, which makes it a strong candidate • Understand the risks properly before you use it
Thank you