AWSだ! Google Cloudだ! Azureだ! 認証連携だ！

@ken5scal, 2024/05/22 AWSͩ! Google Cloudͩ! Azureͩ! ೝূ࿈ܞͩʂ

Πϯτϩ

- ϚϧνΫϥ΢υͷར༻Λආ͚ΒΕͳ͘ͳΓɺٱ͍͠ - ϚϧνΫϥ΢υԼͰͷϫʔΫϩʔυؒͷॲཧ΋̍ͭͰ͋Δ - ͦͷॲཧͷલఏͱͯ͠ೝূ͕ॏཁͰ͋Δ - ͦͷ͋ͱͷೝূख๏ͷબ୒ͱ࣮૷ͷแׅతͳϦεΫରԠʹ͍ͭͯɺ ϊ΢ϋ΢ͷڞ༗ -
ͦΕʹ൐͏ٞ࿦ͷ׆ൃԽ٩(Ň•̀ω•́Ň)و - ౰ࣾ΁ͷڵຯΛ͋͛Δ ࠓ೔ͷ໨త

- ॴଐ - ࡾҪ෺࢈σδλϧɾΞηοτϚωδϝϯτ - ίʔϙϨʔτγεςϜ෦ - LayerX Fintechࣄۀ෦ʢˢʹग़޲ʣ -
ݸਓ׆ಈ - िؒχϡʔεϨʔλʔɺPodCastɺಉਓࢽ - དྷྺ - SIer > ࢿ࢈؅ཧɾՈܭ฽ɾձܭSP > ূ݊ձࣾ > ݱ ৬ @ken5scal χϡʔεϨλʔ: https://ken5scal.notion.site/54bda4932da14add9e9911ab3e9a6e5c podcast: https://open.spotify.com/show/73sFeKzUIkSYfCZWVBNO70

k8s౳ͷCNCFϓϩμΫτΛ࢖͏ن໛ʹ ͳΕ͍ͯͳ͍ͷͰɺجຊɺ ϚωʔδυɾαʔϏεʹཔΔ

- ࣗ෼͕ରԠͨ͜͠ͱ͋ΔϚϧνΫϥ΢υϢʔεέʔε - ূ݊αʔϏε΍ࢿ࢈ӡ༻ͷ͓٬༷޲͚๏ఆா฽ͷGDriveϑΝΠϧ؅ཧ - ۚ༥αʔϏεʹ͓͚ΔϩάɾΠϕϯτͷू໿ - Entra ID (AzureAD)ͷIaCత؅ཧ
- AWS্ͷσʔλΛBigQueryج൫΁సૹ - ্هରԠதʹ;ͱࢥͬͨ͜ͱ͕͋Δ ࠓ೔ͷഎܠ

AWS <-> AzureADؒͷworkload Identityೝূ https://docs.aws.amazon.com/cognito/latest/developerguide/authentication- fl ow.html - ~2022/10 -
Long Lived Secrets

AWS <-> AzureADؒͷworkload Identityೝূ - ~2022/10 - Long Lived Secrets

AWS <-> AzureADؒͷworkload Identityೝূ https://docs.aws.amazon.com/cognito/latest/developerguide/authentication- fl ow.html - 2022/10~ -
Short Lived

AWS <-> AzureADؒͷworkload Identityೝূ

# header { "kid": "ap-northeast-15", "typ": "JWS", "alg": "RS512" }
# Payload { "sub": “ap-northeast-1:{Cognito Pool ID಺ͷIdentity ID}”, "aud": “ap-northeast-1:{Cognito Pool Provider ID}“, "amr": [ "authenticated", “{Cognito Pool ID಺ͷIdentity໊}”, "{Cognito Pool ID಺ͷIdentity໊}:ap-northeast-1:{Pol Provider ID}:${Developer ID}” ], "iss": "https://cognito-identity.amazonaws.com", "https://cognito-identity.amazonaws.com/identity-pool-arn": “arn:aws:cognito-identity:ap- northeast-1:${AWS Account ID}:identitypool/ap-northeast-1:${Pool ID}”, "exp": 1716244163, "iat": 1716243263 } 13

AWS <-> AzureADؒͷworkload Identityೝূ https://learn.microsoft.com/en-us/entra/workload-id/workload-identity-federation

```shell $ aws cognito-identity get-open-id-token-for-developer-identity --identity-pool-id ap- northeast-1:${POOL ID} --logins
“${USER NAME}=${Developer Identifiers}” ``` ```Go func getOpenIdToken(ctx context.Context, awsConfig aws.Config) (*cognitoidentity.GetOpenIdTokenForDeveloperIdentityOutput, error) { svc := cognitoidentity.NewFromConfig(awsConfig) input := &cognitoidentity.GetOpenIdTokenForDeveloperIdentityInput{ IdentityPoolId: aws.String(os.Getenv("COGNITO_IDENTITY_POOL_ID")), Logins: map[string]string{ os.Getenv(“USER NAME"): os.Getenv(“Developer Identity”), }, } return svc.GetOpenIdTokenForDeveloperIdentity(ctx, input) } ``` 15

“${USER NAME}=${Developer Identifiers}” ``` ```Go func getOpenIdToken(ctx context.Context, awsConfig aws.Config) (*cognitoidentity.GetOpenIdTokenForDeveloperIdentityOutput, error) { svc := cognitoidentity.NewFromConfig(awsConfig) input := &cognitoidentity.GetOpenIdTokenForDeveloperIdentityInput{ IdentityPoolId: aws.String(os.Getenv("COGNITO_IDENTITY_POOL_ID")), Logins: map[string]string{ os.Getenv(“USER NAME"): os.Getenv(“Developer Identity”), }, } return svc.GetOpenIdTokenForDeveloperIdentity(ctx, input) } ``` 16 cognitoidentity:GetOpenIdTokenForDeveloperIdentity ͑͋͞Ε͹ɺಉҰAWS޶͔Β͸೚ҙʹ࣮ߦՄೳɻ ϦιʔεϙϦγʔ΋͔͚ΒΕͳ͍ɻ

- ͦ͜·Ͱߟྀ͢Δ͔ʁ - ؂ࠪϩάಡΈऔΓͳΒNo - σΟϨΫτϦɾΦϒδΣΫ τ΍ݖݶͷWriteɾҰ෦Read ͸Yes ϫʔΫϩʔυͳΓ͢·͠ϦεΫ

AWS -> GCP -> GWS

- ͜͜਺೥Ͱɺshort-lived token͕҆શͰ͋Δ͜ͱΛલ ఏͱͨ͠ϫʔΫϩʔυ࿈ܞΛ࣮૷͖͕ͯͨ͠ɺͦͷલ ఏ͕ਖ਼͔Assured͔ͨͬͨ͠ - ຊ౰ʹshort-lived͚͕ͩ҆શੑͷཁ݅ͳͷ͔ʁ - ΑΓแׅతʹݟΔ΂͖Ͱ͸ʁ ࠓ೔ͷഎܠ

- ઃఆɾߏ੒࡞ۀ΋ؚΊɺೝূϓϩηεΛՄࢹԽ͢Δ - ϢʔεέʔεͷཁٻϨϕϧΛܾΊΔ - ཁٻϨϕϧͱ࣮૷ͷΪϟοϓʹ͍ͭͯɺڴҖϞσϧΛڵ͢ - ڴҖʹԠͨ͡ରԠɾରࡦΛܾΊΔ TL;DR

- ΠϯτϩμΫγϣϯ - ϚϧνΫϥ΢υ࣌୅ - ೝূ - ϦεΫධՁͱڴҖϞσϦϯά - ·ͱΊ
ΞδΣϯμ

ϚϧνΫϥ΢υ࣌୅

- ʮෳ਺ͷϫʔΫϩʔυʹରͯ͠ෳ਺ͷύϒϦοΫ Ϋϥ΢υ ϕϯμʔ͕ఏڙ ͢ΔΫϥ΢υ ίϯϐϡʔςΟϯά αʔϏεΛ࢖༻͢Δ͜ͱΛࢦ͠·͢ʯ - By https://cloud.google.com/learn/what-is-multicloud
- 2006: - AWS(β), Google Apps for Your Domain(ݱGoogle Workspaces)ొ৔ - 2024: - Azure, GC, AWS, Oracle, Cloud fl are…. ϚϧνΫϥ΢υɹͱ͸

- શͯΛमΊɺӡ༻͢Δʹ͸ଟେͳίετ͕ඞཁ - ౷੍ͷ؍఺Ͱ͸ɺ୯ҰͷϓϩόΠμʹد͍ͤͨͱ͜Ζ… - ͔͠͠ɺϓϥοτϑΥʔϜͷൃలͱͱ΋ʹɺಛఆϢʔεέʔ εʹಛఆϓϥοτϑΥʔϜΛબ୒͢Δʮݸผ࠷దԽʯ΋গͳ ͘ͳ͍Α͏ʹݟ͑Δ Ϋϥ΢υϓϥοτϑΥʔϜͷଟ༷Խ

- ϦεΫ෼ࢄ - ಛఆͷػೳɾαʔϏεͰͷ༏Ґੑ - શମͰͷޮ཰ੑɾ੔߹ੑ - ࣄۀͷن໛ WhyϚϧνΫϥ΢υ

- όοΫΞοϓػೳɾσʔλͷ෼ࢄ - ϕϯμʔϩοΫΠϯ౳ͷϓϩόΠμʔϦεΫରԠ WhyϚϧνΫϥ΢υ - ϦεΫ෼ࢄ

- ͢ͰʹσϑΝΫτͳαʔϏε͕͋Δ৔߹ - ൺֱత৽͍ٕ͠ज़ίϯηϓτʹ͓͚Δαϙʔτͷ༗ແ - Con fi dential ComputingɺLLM -
৽͍͠ϢʔεέʔεΛ࣮૷͢Δࡍͷαϙʔτͷ༗ແ - Google Workspacesͷ؂ࠪϩάʹ͓͚ΔBigQueryͰͷσʔλ෼ੳ - App Runner͕ͳ͍ͱ͖ɾ͋Δ͍͸ग़ͨͱ͖ͷGC Cloud Run WhyϚϧνΫϥ΢υ-ಛఆͷػೳ - αʔϏεͰͷ༏Ґੑ

- ֤छαʔϏεͷϩάɾΠϕϯτͷอ؅ - σʔλ෼ੳ࣌ʹ͓͚ΔσʔλͷҰݩԽ - ίϯτϩʔϧϓϨʔϯͷӡ༻ - ϓϥοτϑΥʔϜҠߦ׬ྃ·Ͱͷฒߦӡ༻ WhyϚϧνΫϥ΢υ -
ಛఆྖҬͰͷશମ࠷దԽ

- اۀ಺Ͱ΋ෳ਺ࣄۀΛߦ͍ͬͯΔ৔߹͸ɺͦͷ୯Ґ΍ೳྗ ʹ͋Θͤͨબ୒͕߹ཧతʹͳΔ͜ͱ΋͋Δ - ങऩ౳ʹΑΓͦ͏ͳΔ͜ͱ΋͋Δ WhyϚϧνΫϥ΢υ - اۀɾࣄۀͷن໛

- ౷੍ɾηΩϡϦςΟͷ෼ࢄ - ෳࡶੑͷ૿Ճ - ૬ޓӡ༻ੑ - ϕϯμʔ؅ཧ ϚϧνΫϥ΢υͷϦεΫ

- ౷੍ɾηΩϡϦςΟͷ෼ࢄ - ৭ʑ͋Δ͕ಛʹʮೝূʯ - ෳࡶੑͷ૿Ճ - ૬ޓӡ༻ੑ - ϕϯμʔ؅ཧ
ϚϧνΫϥ΢υͷϦεΫ

- ਓؒʹΑΔೝূ - ͪ͜Β͸SAMLͱ͔OIDCͰ৭ʑ͋Δ - ඇਓؒతʁͳೝূ - Cloud workload: -
ʮA logical bundle of software and data that is present in, and processed by, a cloud computing technologyʯ - https://csrc.nist.gov/glossary/term/cloud_workload - AWSͰ͸ɺEC2ɺLambdaɺApp RunnerɺECS Service౳ - ࠓճ͸ͪ͜Β ೝূͷதͰϫʔΫϩʔυ

- ࣌୅͸ϚϧνΫϥ΢υ΁ - ϚϧνΫϥ΢υͱͳΔঢ়گ͸૿͑ͨ - ආ͚Δܾఆɾ੹೚Λෛ͑Δཱ৔ʹ͋Ε͹࿩͸ผ - ͦͷͨΊͷೝূʹ͍ͭͯޠΔ ·ͱΊ

ೝূͱ͸

ೝূ (Authentication) - Ϧιʔε΁ͷΞΫηεલͷඞཁ৚݅ͱͯ͠ɺϢʔ βʔɺϓϩηεɺσόΠε౳ͷ౰ਓͰ͋Δ͔ͷ ݕূΛ͢Δ͜ͱ

- ͋Μ·ΓେࣄͰ͸ͳ͍ͷͰɺ௚༁͔Β௚ͯ͠·ͤΜ͕ɺ - AAL1: - ཁٻऀ͕ՃೖऀͷΞΧ΢ϯτʹඥ෇͚ΒΕͨೝূثΛ੍ޚ͍ͯ͠Δ͜ͱʹରͯ͋͠Δఔ౓ͷอূΛఏڙ͠·͢ɻ AAL1Ͱ͸ɺ޿ൣͳೝূٕज़Λ࢖༻ͯ͠ɺγϯάϧϑΝΫλʔ·ͨ͸ϚϧνϑΝΫλʔೝূͷ͍ͣΕ͔Λཁٻ͠· ͢ɻೝূͷ੒ޭʹ͸ɺཁٻऀ͕҆શͳೝূϓϩτίϧΛ௨ͯ͡ɺೝূثͷॴ࣋ͱ੍ޚΛূ໌͢Δඞཁ͕͋Γ·͢. - AAL
2: - ཁٻऀ͕ՃೖऀͷΞΧ΢ϯτʹඥ෇͚ΒΕͨೝূثΛ੍ޚ͍ͯ͠Δ͜ͱʹରͯ͠ߴ͍৴པΛఏڙ͠·͢ɻೝূͷ ੒ޭʹ͸ɺ҆શͳೝূϓϩτίϧΛ௨ͯ͡ɺҟͳΔ2ͭͷೝূཁૉͷॴ࣋ͱ੍ޚΛূ໌͢Δඞཁ͕͋Γ·͢ɻ AAL2͓ΑͼͦΕҎ্Ͱ͸ɺঝೝ͞Εͨ҉߸ٕज़͕ඞཁͰ͢ɻ - AAL 3: - ཁٻऀ͕ՃೖऀͷΞΧ΢ϯτʹඥ෇͚ΒΕͨೝূثΛ੍ޚ͍ͯ͠Δ͜ͱʹରͯ͠ඇৗʹߴ͍৴པΛఏڙ͠·͢ɻ AAL3ͷೝূ͸ɺ҉߸ϓϩτίϧΛ௨ͨ͡伴ͷॴ࣋ͷূ໌ʹج͍͍ͮͯ·͢ɻAAL3ͷೝূʹ͸ɺϋʔυ΢ΣΞϕʔ εͷೝূثͱɺݕূऀͳΓ͢·͠଱ੑΛఏڙ͢Δೝূث͕ඞཁͰ͢ɻಉ͡σόΠε͕͜ΕΒͷཁ݅Λ྆ํຬͨ͢ ͜ͱ΋ՄೳͰ͢ɻAAL3Ͱೝূ͢ΔͨΊʹ͸ɺཁٻऀ͕҆શͳೝূϓϩτίϧΛ௨ͯ͡ɺ2ͭͷҟͳΔೝূཁૉͷ ॴ࣋ͱ੍ޚΛূ໌͢Δඞཁ͕͋Γ·͢ɻঝೝ͞Εͨ҉߸ٕज़͕ඞཁͰ͢ ೝূͷڧ౓ʢAuthenticator Assurance Levelʣ

Requirement AAL1 AAL2 AAL3 Permitted authenticator types Memorized Secret; Look-up
Secret; Out-of-Band; SF OTP Device; MF OTP Device; SF Crypto Software; SF Crypto Device; MF Crypto Software; MF OTP Device; MF Crypto Software; MF Crypto Device; or Memorized Secret plus: • Look-up Secret • Out-of-Band • SF OTP Device • SF Crypto Software MF Crypto Device; SF Crypto Device plus Memorized Secret; SF OTP Device plus MF Crypto Device or Software; SF OTP Device plus SF Crypto Software plus Memorized Secret Reauthentication 30 days 12 hours or 30 minutes inactivity; MAY use one authentication factor 12 hours or 15 minutes inactivity; SHALL use both authentication factors Security controls SP 800-53 Low Baseline (or equivalent) SP 800-53 Moderate Baseline (or equivalent) SP 800-53 High Baseline (or equivalent) Veri fi er- impersonation resistance  Not required Not required Required Veri fi er-compromise resistance Not required Not required Required Replay resistance Not required Required Required Authentication intent Not required Recommended Required https://pages.nist.gov/800-63-3/sp800-63b.html#sec4

- ೝূ৘ใ΍౰ਓ৘ใΛҟ ͳΔωοτϫʔΫ܈ʹ఻ ୡ͢Δ͜ͱ ೝূ࿈ܞʢFederationʣ

- FAL1: - Ճೖऀ͕RP(Relying Party)ʹରͯ͠Bearer AssetionΛड͚औΔ͜ͱΛڐՄ͠·͢ɻ͜ͷ Assertion͸ɺঝೝ͞Εͨ҉߸ٕज़Λ࢖༻ͯ͠IdPʹΑͬͯॺ໊͞Ε·͢ɻ - FAL2: -
Ξαʔγϣϯ͕ঝೝ͞Εͨ҉߸ٕज़Λ࢖༻ͯ͠҉߸Խ͞ΕɺRP͚͕ͩͦΕΛ෮߸Ͱ͖ΔΑ͏ʹ ͢Δཁ݅Λ௥Ճ͠·͢ - FAL3: - Ճೖऀ͕ɺΞαʔγϣϯࣗମʹՃ͑ͯɺΞαʔγϣϯ಺Ͱࢀর͞ΕΔ҉߸伴ͷॴ࣋ূ໌Λఏࣔ ͢Δ͜ͱΛཁٻ͠·͢ɻ͜ͷΞαʔγϣϯ͸ɺIdPʹΑͬͯॺ໊͞ΕɺೝՄ͞Εͨ҉߸ٕज़Λ࢖ ༻ͯ͠RPʹରͯ͠҉߸Խ͞Ε·͢ɻ ೝূ࿈ܞͷڧ౓ʢFederation Assurance Levelʣ

ೝূ࿈ܞͷڧ౓ Requirement FAL1 FAL2 FAL3 Assetion Type Bearer Bearer Holder
of key Signing Not required Signed by IdP Signed by IdP Encryption Not required Encrypted Encrypted

- ೝূͱೝূ࿈ܞͷఆٛ - ͦΕͧΕͷڧ౓ͱཁҼ - ϢʔεέʔεʹԠͨ͡Ϩϕϧબ୒ʢϦεΫରԠʣ͕ॏཁ ·ͱΊ

ϦεΫධՁͱ ڴҖϞσϦϯά

ೝূ - A-1: Assertion Manufacture or Modi fi cation -
A-2: Theft - A-3: Duplication - A-4: Eavesdropping - A-5: Of fl ine Cracking - A-6: Side Channel Attack - A-7: Phishing or Pharming - A-8: Social engineering - A-9: Online Guessing - A-10: Endpoint Compromise - A-11: Unauthorized Binding ڴҖ https://pages.nist.gov/800-63-3/sp800-63b.html#sec8 ೝূ࿈ܞ - F-1: Assertion Manufacture or Modi fi cation - F-2: Assertion Disclosure - F-3: Assertion Repudiation by the IdP - F-4: Assertion Repudiation by the Subscriber - F-5: Assertion Redirect - F-6: Assertion Reuse - F-7: Assertion Substitution

AWS -> AzureAD έʔεᶃ

ͲΕ͙Β͍ͷϨϕϧΛٻΊΒΕΔ͔ʢϦεΫධՁʣ - ຌྫɹɹɹ: ϦεΫߴۀ຿ - ɹɹɹɹɹ: ϦεΫ௿ۀ຿

“${USER NAME}=${Developer Identifiers}” ``` ```Go func getOpenIdToken(ctx context.Context, awsConfig aws.Config) (*cognitoidentity.GetOpenIdTokenForDeveloperIdentityOutput, error) { svc := cognitoidentity.NewFromConfig(awsConfig) input := &cognitoidentity.GetOpenIdTokenForDeveloperIdentityInput{ IdentityPoolId: aws.String(os.Getenv("COGNITO_IDENTITY_POOL_ID")), Logins: map[string]string{ os.Getenv(“USER NAME"): os.Getenv(“Developer Identity”), }, } return svc.GetOpenIdTokenForDeveloperIdentity(ctx, input) } ``` 47 cognitoidentity:GetOpenIdTokenForDeveloperIdentity ͑͋͞Ε͹ɺಉҰAWS޶͔Β͸೚ҙʹ࣮ߦՄೳɻ ϦιʔεϙϦγʔ΋͔͚ΒΕͳ͍ɻ

of key Signing Not required Signed by IdP Signed by IdP Encryption Not required Encrypted Encrypted

- ௿ϦεΫۀ຿Ͱ͋Ε͹໰୊ͳ͍ - ߴϦεΫۀ຿Ͱ͋Ε͹Ϩϕϧཁ݅Λຬͨ͞ͳ͍ - ຬͨͤͳ͍ϦεΫΛ୅ସखஈͳͲʹΑΓ௿ݮɺ͋Δ͍͸ ड༰͢Δඞཁ͕͋Δ - AAL, FAL૒ํͰͷରࡦΛཁ͢Δ
- ۩ମతʹͲ͜Λʁ ݁Ռ

ෆ଍ͨ͠ߏ੒(≒ηΩϡϦςΟϗʔϧʣͱ͠ɺͦ͜Λ͚ͭΔڴҖʹରԠ CloudTrailͰσʔλΠϕϯτΛ༗ޮʹ͠ GetDeveloperIdentityTokenΠϕϯτΛ ୟ͘RoleΛ؂ࢹ  ʢʴLambdaΛVPC഑Լʹ͓͍ͯsource IPΛ؂ ࢹʣ LambdaΛVPC഑Լʹ͓͍ͯsource IPΛ؂ࢹ

AWS -> AzureAD έʔεᶄ

ͲΕ͙Β͍ͷϨϕϧΛٻΊΒΕΔ͔ʢϦεΫධՁʣ - ຌྫɹɹɹ: ϦεΫߴۀ຿ - ɹɹɹɹɹ: ϦεΫ௿ۀ຿

- ௿ϦεΫۀ຿Ͱ͋Ε͹໰୊ͳ͍ - ߴϦεΫۀ຿Ͱ͋Ε͹Ϩϕϧཁ݅Λຬͨ͞ͳ͍ - ຬͨͤͳ͍ϦεΫΛ୅ସखஈͳͲʹΑΓ௿ݮɺ͋Δ͍͸ ड༰͢Δඞཁ͕͋Δ - AAL, FAL૒ํͰͷରࡦΛཁ͢Δ
- ۩ମతʹͲ͜Λʁ ݁Ռ

ෆ଍ͨ͠ߏ੒(≒ηΩϡϦςΟϗʔϧʣͱ͠ɺͦ͜Λ͚ͭΔڴҖʹରԠ - LambdaΛVPC഑Լʹ͓͍ͯɺGraph APIΛୟ ͘source IPΛ؂ࢹ - ݖݶͷ࠷খԽ - CredentialൃߦͷΠϕϯτ؂ࢹ

AWS -> GCP -> GWS

AWS -> GCP -> GWS ೚ҙͷϢʔβʔʹ ImpersonateͰ͖Δ…

ͲΕ͙Β͍ͷϨϕϧΛٻΊΒΕΔ͔ʢϦεΫධՁʣ - ຌྫɹɹɹ: ϦεΫߴۀ຿

of key Signing Not required Signed by IdP Signed by IdP Encryption Not required Encrypted Encrypted ಉ͡Google಺ͩ͠

- Ϩϕϧཁ݅Λຬ͍ͨͯ͠Δ - ೚ҙͷGWSʹϢʔβʔʹImpersonateͰ͖Δͷ͸ ΍͹͍͔Βɺݖݶείʔϓ͸࠷খԽ͢Δ͢Δඞཁ ͕͋Δʢຊൃදͷର৅֎ʣ ݁Ռ

ෆ଍ͨ͠ߏ੒(≒ηΩϡϦςΟϗʔϧʣͱ͠ɺͦ͜Λ͚ͭΔڴҖʹରԠ ೚ҙͷϢʔβʔʹ ImpersonateͰ͖Δ… GWS؂ࠪϩά͔Βɺ” Delegate”Πϕ ϯτͷ؂ࢹ OAuth2.0 Scopeͷ࠷খԽ ઐ༻Ϣʔβʔͷ༻ҙͱ؂ࢹ

- Short lived token୯ମͰ҆શੑ͕ܾ·ΔΘ͚Ͱ ͸ͳ͍ - ൃߦϓϩηε΍੍ݶͳͲΛཧղ͠Α͏ - ϫʔΫϩʔυؒͷΞΫηεͰɺReplay Resistanceཁ݅౳ʹΑΔߴ͍ϋʔυϧͰɺͳ͔
ͳ͔AALΛຬͨ͢ͷ͕೉͍͠ɻFAL΋ಉ༷ - ͱ͸͍͑ɺϦεΫ༧๷͕Ͱ͖ͳ͍ͷ΋͋ΔɻͲ ͏͢Δ͔ʁ ·ͱΊ

·ͱΊ

LayerX Fintechࣄۀ෦ ͸xxxΤϯδχΞΛ ઈࢍ࠾༻தͰ͢ʂ https://open.talentio.com/r/1/c/layerx/pages/87524 DM (X): @ken5scal

AWSだ! Google Cloudだ! Azureだ! 認証連携だ！

AWSだ! Google Cloudだ! Azureだ! 認証連携だ！

More Decks by Kengo Suzuki

Other Decks in Technology

Featured

Transcript