
Understanding how ID federation and authentication/authorization work

Kohei Saito, October 29, 2020


Slides for the study session "Understanding how ID federation and authentication/authorization work". Note: the views expressed in this material are my own and do not necessarily reflect those of the company and organization I belong to. Thank you for your understanding.


Transcript

1. [Slide 2] Environment used for the hands-on sections:

    ```
    $ sw_vers
    ProductName:    Mac OS X
    ProductVersion: 10.14.5
    BuildVersion:   18F132
    $ rbenv -v
    rbenv 1.1.1
    $ ruby -v
    ruby 2.3.7p456 (2018-03-28 revision 63024) [universal.x86_64-darwin18]
    ```
2. [Slides 3 and 4] Agenda:
    1. Authentication and authorization (the definitions on slide 4)
    2. History (the timeline on slide 7)
    3. Protocols: 3-1, 3-2 SAML, 3-3 OAuth 2.0, 3-4 OpenID Connect, 3-5 SCIM
    4. Appendix (hands-on): 1. Basic, 2. SAML, 3. OAuth 2.0
3. [Slide 4] Section 1: the two terms, quoted from the NIST CSRC glossary (https://csrc.nist.gov/glossary/term/authorization):
    1. Authentication: "Verifying the identity of a user, process, or device, often as a prerequisite to allowing access to resources in an information system."
    2. Authorization: "The right or a permission that is granted to a system entity to access a system resource."
4. [Slide 5] The three authentication factors:
    1. WHAT YOU ARE (inherence factor)
    2. WHAT YOU HAVE (possession factor)
    3. WHAT YOU KNOW (knowledge factor)
5. [Slide 7] Section 2: a timeline of the technologies behind ID federation. Years and names on the slide: 1990, 1999, 2002 SAML, 2003 OCI, 2007 iPhone, 2011 SCIM 1.0, 2012 OAuth 2.0, OpenID Connect 2014, and OAuth 1.0. Keywords placed along the timeline: SOAP APIs and XML (RSS as XML), the Web and cookies, JSON and Web APIs (XML giving way to JSON), and ID data carried as JSON (SAML, OpenID Connect) with OAuth 2.0 for authorization. The protocol sections that follow are numbered (3-1) to (3-5).
6. [Slide 10] 3-2. SAML: an XML-based protocol for exchanging identity (ID) information; keywords on the slide are XML, Cookie and ID. Reference: SAML V2.0 Technical Overview, https://www.oasis-open.org/committees/download.php/27819/sstc-saml-tech-overview-2.0-cd-02.pdf
7. [Slide 14] 3-3. OAuth 2.0 (the base on which OpenID Connect is built): the Authorization Code Grant, steps (A) to (E), following the Japanese translation of RFC 6749, http://openid-foundation-japan.github.io/rfc6749.ja.html#grant-code. The resource owner authenticates at the authorization server (= ID/password), which redirects the user agent back to the client's redirection URI with an authorization code; the client then exchanges the code for a token.
8. [Slide 20] 3-3. OAuth 2.0 roles: Resource Owner and Client. OAuth 2.0 as such is a delegated-authorization protocol, not an authentication protocol; see "The problem with OAuth for authentication", http://www.thread-safe.com/2012/01/problem-with-oauth-for-authentication.html
9. [Slide 21] 3-4. OpenID Connect: an identity layer on top of OAuth 2.0 that returns identity (ID) information as JSON. The authorization server takes the role of the OpenID Provider and the client that of the Relying Party (RP). Steps (A) to (E) mirror the OAuth 2.0 authorization code flow, with the OpenID Provider authenticating the user; the token response in step (E) additionally contains an ID Token. The ID Token is what OpenID Connect adds to OAuth 2.0.
10. [Slide 22] 3-4. OpenID Connect, ID Token: its claims name the Issuer (OpenID Provider), the Audience (RP) and the Subject (User). An ID Token is a JWT (JSON Web Token); a JWT takes one of two forms, JWS (JSON Web Signature) or JWE (JSON Web Encryption), and the ID Token below is a JWS. The example ID Token used on the following slides:

    ```
    eyJraWQiOiIxZTlnZGs3IiwiYWxnIjoiUlMyNTYifQ.ewogImlz
    cyI6ICJodHRwOi8vc2VydmVyLmV4YW1wbGUuY29tIiwKICJzdWIiOiAiMjQ4
    Mjg5NzYxMDAxIiwKICJhdWQiOiAiczZCaGRSa3F0MyIsCiAibm9uY2UiOiAi
    bi0wUzZfV3pBMk1qIiwKICJleHAiOiAxMzExMjgxOTcwLAogImlhdCI6IDEz
    MTEyODA5NzAsCiAibmFtZSI6ICJKYW5lIERvZSIsCiAiZ2l2ZW5fbmFtZSI6
    ICJKYW5lIiwKICJmYW1pbHlfbmFtZSI6ICJEb2UiLAogImdlbmRlciI6ICJm
    ZW1hbGUiLAogImJpcnRoZGF0ZSI6ICIwMDAwLTEwLTMxIiwKICJlbWFpbCI6
    ICJqYW5lZG9lQGV4YW1wbGUuY29tIiwKICJwaWN0dXJlIjogImh0dHA6Ly9l
    eGFtcGxlLmNvbS9qYW5lZG9lL21lLmpwZyIKfQ.rHQjEmBqn9Jre0OLykYNn
    spA10Qql2rvx4FsD00jwlB0Sym4NzpgvPKsDjn_wMkHxcp6CilPcoKrWHcip
    R2iAjzLvDNAReF97zoJqq880ZD1bwY82JDauCXELVR9O6_B0w3K-E7yM2mac
    AAgNCUwtik6SjoSUZRcf-O5lygIyLENx882p6MtmwaL1hd6qn5RZOQ0TLrOY
    u0532g9Exxcm-ChymrB4xLykpDj3lUivJt63eEGGN6DH5K6o33TcxkIjNrCD
    4XB1CKKumZvCedgHHF3IAK4dVEDSUoGlH9z4pP_eWYNXvqQOjGs-rDaQzUHl
    6cQQWNiDpWOl_lxXjQEvQ
    ```

    The slide then asks what the dot-separated parts of this JWS string are.
11. [Slide 23] 3-4. OpenID Connect, ID Token <header>: the JWS compact serialization (RFC 7515 section 7.1, https://tools.ietf.org/html/rfc7515#section-7.1) is

        BASE64URL(UTF8(JWS Protected Header)) || '.' || BASE64URL(JWS Payload) || '.' || BASE64URL(JWS Signature)

    so the first part is the base64url-encoded protected header. Decoding it:

    ```
    $ echo 'eyJraWQiOiIxZTlnZGs3IiwiYWxnIjoiUlMyNTYifQ' | base64 -D
    {"kid":"1e9gdk7","alg":"RS256"
    ```

    `alg` names the signature algorithm and `kid` identifies the key the OpenID Provider signed with (RFC 7515 section 4.1, https://tools.ietf.org/html/rfc7515#section-4.1).
12. [Slide 24] ID Token <payload>: the second part of the same token is the base64url-encoded JWS payload. Decoding it:

    ```
    $ echo 'ewogImlz
    > cyI6ICJodHRwOi8vc2VydmVyLmV4YW1wbGUuY29tIiwKICJzdWIiOiAiMjQ4
    > Mjg5NzYxMDAxIiwKICJhdWQiOiAiczZCaGRSa3F0MyIsCiAibm9uY2UiOiAi
    > bi0wUzZfV3pBMk1qIiwKICJleHAiOiAxMzExMjgxOTcwLAogImlhdCI6IDEz
    > MTEyODA5NzAsCiAibmFtZSI6ICJKYW5lIERvZSIsCiAiZ2l2ZW5fbmFtZSI6
    > ICJKYW5lIiwKICJmYW1pbHlfbmFtZSI6ICJEb2UiLAogImdlbmRlciI6ICJm
    > ZW1hbGUiLAogImJpcnRoZGF0ZSI6ICIwMDAwLTEwLTMxIiwKICJlbWFpbCI6
    > ICJqYW5lZG9lQGV4YW1wbGUuY29tIiwKICJwaWN0dXJlIjogImh0dHA6Ly9l
    > eGFtcGxlLmNvbS9qYW5lZG9lL21lLmpwZyIKfQ' | base64 -D
    {
     "iss": "http://server.example.com",
     "sub": "248289761001",
     "aud": "s6BhdRkqt3",
     "nonce": "n-0S6_WzA2Mj",
     "exp": 1311281970,
     "iat": 1311280970,
     "name": "Jane Doe",
     "given_name": "Jane",
     "family_name": "Doe",
     "gender": "female",
     "birthdate": "0000-10-31",
     "email": "janedoe@example.com",
     "picture": "http://example.com/janedoe/me.jpg"
    }
    ```

    These are the ID Token's standard claims: https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims
13. [Slide 25] ID Token <signature>: the third part of the same token is the base64url-encoded JWS signature. Decoded, it is binary (here an RSA signature, since `alg` is RS256), so the slide dumps it as bytes rather than text:

    ```
    $ base64url decode rHQjEmBqn9{ }l_lxXjQEvQ | od -tu1 -An
    239 191 189 116 35 18 96 106 239 191 189 239 191 189 107 123 67 239 191 189 239 191 189 70 13 239 191 189 239 191 189 64 239 191 189 68 42 239 191 189 106 239 191 189 199 129 108 15 77 35 239 191 189 80 116 75 41 239 191 189 55 58 96 239 191 189 239 191 189 239 191 94 52 4 239 191 189 10
    ```

    The repeated `239 191 189` is the UTF-8 encoding of U+FFFD, the replacement character: the decoded bytes went through a text decoder that replaced every byte sequence that was not valid UTF-8, so this dump is not the raw signature. A signature has to be kept as bytes and verified with the key named by `kid`, never interpreted as text.
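The decoding done by hand on slides 22 to 25, and the claim checks a Relying Party has to make on an ID Token, as an added example in Python (not code from the slides). It uses the same example token from OpenID Connect Core 1.0 shown above; verifying the JWS signature against the OpenID Provider's key is left out.

```python
import base64
import json

ID_TOKEN = (  # the example ID Token shown on the slides
    "eyJraWQiOiIxZTlnZGs3IiwiYWxnIjoiUlMyNTYifQ."
    "ewogImlzcyI6ICJodHRwOi8vc2VydmVyLmV4YW1wbGUuY29tIiwKICJzdWIiOiAiMjQ4"
    "Mjg5NzYxMDAxIiwKICJhdWQiOiAiczZCaGRSa3F0MyIsCiAibm9uY2UiOiAi"
    "bi0wUzZfV3pBMk1qIiwKICJleHAiOiAxMzExMjgxOTcwLAogImlhdCI6IDEz"
    "MTEyODA5NzAsCiAibmFtZSI6ICJKYW5lIERvZSIsCiAiZ2l2ZW5fbmFtZSI6"
    "ICJKYW5lIiwKICJmYW1pbHlfbmFtZSI6ICJEb2UiLAogImdlbmRlciI6ICJm"
    "ZW1hbGUiLAogImJpcnRoZGF0ZSI6ICIwMDAwLTEwLTMxIiwKICJlbWFpbCI6"
    "ICJqYW5lZG9lQGV4YW1wbGUuY29tIiwKICJwaWN0dXJlIjogImh0dHA6Ly9l"
    "eGFtcGxlLmNvbS9qYW5lZG9lL21lLmpwZyIKfQ."
    "rHQjEmBqn9Jre0OLykYNnspA10Qql2rvx4FsD00jwlB0Sym4NzpgvPKsDjn_wMkHxcp6CilPcoKrWHcip"
    "R2iAjzLvDNAReF97zoJqq880ZD1bwY82JDauCXELVR9O6_B0w3K-E7yM2mac"
    "AAgNCUwtik6SjoSUZRcf-O5lygIyLENx882p6MtmwaL1hd6qn5RZOQ0TLrOY"
    "u0532g9Exxcm-ChymrB4xLykpDj3lUivJt63eEGGN6DH5K6o33TcxkIjNrCD"
    "4XB1CKKumZvCedgHHF3IAK4dVEDSUoGlH9z4pP_eWYNXvqQOjGs-rDaQzUHl"
    "6cQQWNiDpWOl_lxXjQEvQ"
)

def b64url_decode(part):
    # base64url carries no '=' padding (RFC 7515 section 2); that is why the slide's
    # `base64 -D` lost the header's closing '}'. Re-pad to a multiple of 4 first.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def split_jws(token):
    """Compact serialization is header.payload.signature (RFC 7515 section 7.1)."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    return header, json.loads(b64url_decode(payload_b64)), b64url_decode(sig_b64)

def validate_id_token(token, issuer, client_id, nonce, now):
    """Claim checks an RP makes on an ID Token (OpenID Connect Core 1.0, 3.1.3.7).
    The signature must already be verified with the OP's key (kid/alg). Returns failures."""
    header, payload, _signature = split_jws(token)
    problems = []
    if header.get("alg") != "RS256":  # reject "none" and any alg not agreed with the OP
        problems.append("unexpected alg")
    if payload.get("iss") != issuer:
        problems.append("iss mismatch")
    aud = payload.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        problems.append("aud does not contain client_id")
    if payload.get("nonce") != nonce:  # ties the token to the RP's own request
        problems.append("nonce mismatch (replay protection)")
    if now >= payload.get("exp", 0):
        problems.append("token expired")
    return problems
```

The signature decodes to 256 bytes, which is what a 2048-bit RSA signature (RS256) looks like; the `od` dump on the slide was shorter because the bytes had been through a text decoder.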
14. [Slide 26] 3-5. SCIM (System for Cross-Domain Identity Management): provisioning of ID data between systems over HTTP with JSON bodies, authorized with OAuth 2.0 (bearer tokens). The slide's illustrative body:

    ```
    { "username": "taro", "password": "****", "Auth_type": "bearer_token", … }
    ```

    SCIM operations map onto HTTP methods: POST, PUT (replace), PATCH (modify), DELETE, GET. Reference: https://blogs.oracle.com/cloud-platform/introduction-to-scim
15. [Slide 29] Appendix 1, Basic authentication, using the Apache httpd bundled with macOS:

    ```
    $ which httpd
    /usr/sbin/httpd
    $ which apachectl
    /usr/sbin/apachectl
    $ /usr/sbin/httpd -version
    Server version: Apache/2.4.34 (Unix)
    Server built:   Feb 22 2019 20:20:11
    ```
16. [Slide 30] Step 1: create a test HTML document and the `.htpasswd` file for Basic authentication.

    ```
    $ pwd
    /Library/WebServer/Documents/test
    $ ls -lha
    total 24
    drwxr-xr-x  5 root  wheel   160B  9 20 17:46 .
    drwxr-xr-x  7 root  wheel   224B  9 20 17:36 ..
    -rw-r--r--  1 root  wheel    19B  9 20 17:26 .htpasswd
    -rw-r--r--  1 root  wheel   269B  9 20 17:23 index.html
    $ sudo cat index.html
    <!DOCTYPE html>
    <html lang="en">
    <head>
      <meta charset="UTF-8">
      <meta name="viewport" content="width=device-width, initial-scale=1.0">
      <meta http-equiv="X-UA-Compatible" content="ie=edge">
      <title>Documemt</title>
    </head>
    <body>
      <div>TEST</div>
    </body>
    </html>
    $ sudo cat .htpasswd
    test:lw/IetAOw6j.Y
    ```

    The `.htpasswd` entry was generated with https://tech-unlimited.com/makehtpasswd.html
17. [Slide 31] Step 2: enable Basic authentication for the directory in Apache's httpd.conf, then restart Apache.

    ```
    $ sudo cat /etc/apache2/httpd.conf
    <Directory "/Library/WebServer/Documents/test">
        AuthUserFile /Library/WebServer/Documents/test/.htpasswd
        AuthGroupFile /dev/null
        AuthName "Basic Auth"
        AuthType Basic
        Require valid-user
    </Directory>
    $ sudo /usr/sbin/apachectl restart
    ```
18. [Slide 32] Step 3: request the document without credentials. Apache answers 401 with a `WWW-Authenticate: Basic` challenge carrying the realm configured above.

    ```
    $ curl -vvv -L http://localhost/test
    *   Trying ::1...
    < HTTP/1.1 401 Unauthorized
    < Date: Sun, 20 Sep 2020 09:03:25 GMT
    < Server: Apache/2.4.34 (Unix)
    < WWW-Authenticate: Basic realm="Basic Auth"
    < Content-Length: 381
    < Content-Type: text/html; charset=iso-8859-1
    <
    <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
    <html><head>
    <title>401 Unauthorized</title>
    </head><body>
    <h1>Unauthorized</h1>
    <p>This server could not verify that you are authorized to access the
    document requested. Either you supplied the wrong credentials (e.g., bad password), or your
    browser doesn't understand how to supply the credentials required.</p>
    </body></html>
    * Connection #0 to host localhost left intact
    ```
19. [Slide 34] If entering the ID/password yields a 500 instead of the document, check Apache's error log (/private/var/log/apache2/error_log). Here Basic authentication failed because the configured password file path, /Library/WebServer/Documents/test1, does not exist:

    ```
    $ sudo view /private/var/log/apache2/error_log
    [Sun Sep 20 18:08:40.791302 2020] [authn_file:error] [pid 1479] (2)No such file or directory: [client ::1:50462] AH01620: Could not open password file: /Library/WebServer/Documents/test1
    ```
20. [Slide 35] Appendix 2, SAML: the AuthnRequest (XML) that the SP sends to the IdP.

    ```xml
    <samlp:AuthnRequest AssertionConsumerServiceURL='http://localhost:3000/saml/acs'
        Destination='https://app.onelogin.com/trust/saml2/http-redirect/sso/527167a5-f611-40be-9a6d-781fd9ee6b94'
        ID='_a2d98302-942a-48dd-8a39-eecd3111fc68'
        IssueInstant='2020-09-19T01:08:06Z'
        Version='2.0'
        xmlns:saml='urn:oasis:names:tc:SAML:2.0:assertion'
        xmlns:samlp='urn:oasis:names:tc:SAML:2.0:protocol'>
      <saml:Issuer>http://localhost:3000/saml/metadata</saml:Issuer>
      <samlp:NameIDPolicy AllowCreate='true' Format='urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress'/>
    </samlp:AuthnRequest>
    ```

    Fields annotated on the slide: `AssertionConsumerServiceURL` is the SP URL the response is delivered to, `ID` is the request's identifier, `Destination` is the IdP's SSO endpoint, `Issuer` is the SP's identifier, and `NameIDPolicy` states the identifier (NameID) format the SP wants back.
21. [Slide 36] The SAML Response (XML) the IdP returns, as excerpted on the slide:

    ```xml
    <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
        ID="s2b39863179da0358f10bb499d6ac0e64062e89e1d"
        InResponseTo="szqd0c3d0u3vpz5jwna4p24iso42opc4"
        Version="2.0"
        IssueInstant="2013-04-01T00:30:00Z"
        Destination="https://(sub_domain).cybozu.com/saml/acs">
      <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://(idp_host)
      <samlp:Status xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
        <samlp:StatusCode xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Value="urn:oasis:names:tc:SAML:2.0:status:Success">
        </saml:Subject>
        <saml:Conditions NotBefore="2013-04-01T00:20:00Z" NotOnOrAfter="2013-04-01T00:40:00Z">
          <saml:AudienceRestriction>
            <saml:Audience>https://(sub_domain).cybozu.com
          </saml:AudienceRestriction>
        </saml:Conditions>
        <saml:AuthnStatement AuthnInstant="2013-04-01T00:29:30Z" SessionIndex="s2901e6c0e0cc0c8f1aa1075215125b2676774dd01">
          <saml:AuthnContext>
            <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
          </saml:AuthnContext>
        </saml:AuthnStatement>
      </saml:Assertion>
    </samlp:Response>
    ```
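The SP-side checks on the Response fields shown on slides 35 and 36 (Status, InResponseTo, Destination, Conditions), as an added example in Python that is not from the slides. The Response below is a constructed sample modelled on the slide's excerpt, with the InResponseTo taken from the AuthnRequest ID on slide 35 and hostnames under example.test; verification of the XML signature is assumed to happen before these checks and is not shown.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed sample modelled on the slide's Response; not output of a real IdP.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0"
  InResponseTo="_a2d98302-942a-48dd-8a39-eecd3111fc68"
  IssueInstant="2013-04-01T00:30:00Z" Destination="https://sp.example.test/saml/acs">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2013-04-01T00:30:00Z">
    <saml:Subject><saml:NameID>taro@example.test</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2013-04-01T00:20:00Z" NotOnOrAfter="2013-04-01T00:40:00Z">
      <saml:AudienceRestriction><saml:Audience>https://sp.example.test</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_saml_response(xml_text, request_id, acs_url, sp_entity_id, now, skew=timedelta(minutes=3)):
    """SP-side checks on a Response, made after its XML signature has been verified
    (signature verification is not shown). Returns a list of failures."""
    root = ET.fromstring(xml_text)
    problems = []
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        problems.append("status is not Success")
    if root.get("InResponseTo") != request_id:  # must answer an AuthnRequest we issued
        problems.append("InResponseTo does not match our AuthnRequest ID")
    if root.get("Destination") != acs_url:
        problems.append("Destination is not our ACS URL")
    cond = root.find("saml:Assertion/saml:Conditions", NS)
    if cond is None:
        return problems + ["no Conditions element"]
    if now + skew < parse_ts(cond.get("NotBefore")):
        problems.append("assertion not yet valid")
    if now - skew >= parse_ts(cond.get("NotOnOrAfter")):
        problems.append("assertion expired")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        problems.append("Audience does not include our entity ID")
    return problems
```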
22. [Slide 38] Appendix 3, OAuth 2.0, using Authlete's useless-oauth-server (a Sinatra application):
    1. Clone the server from GitHub:

        ```
        $ git clone https://github.com/authlete/useless-oauth-server
        $ cd useless-oauth-server
        ```
    2. Install Sinatra:

        ```
        $ sudo gem install sinatra -n /usr/local/bin
        Successfully installed rack-2.2.3
        Fetching: tilt-2.0.10.gem (100%)
        (output omitted)
        Done installing documentation for rack, tilt, rack-protection, ruby2_keywords, mustermann, sinatra after 325 seconds
        6 gems installed
        ```
    3. Start the server: `$ ruby server.rb`
    4. Open the authorization URL in a browser, log in with ID `john` / password `john`, and press Approve:

        ```
        http://localhost:4567/authorization?response_type=code&client_id=1&redirect_uri=http://example.com/&scope=read+write&state=mystate
        ```
23. [Slide 40] 6. Exchange the authorization code received at the redirect URI for an access token at the token endpoint:

    ```
    $ CODE=1HJ1gTVM
    $ curl http://localhost:4567/token \
    > -d grant_type=authorization_code \
    > -d code=$CODE \
    > -d client_id=1 \
    > -d redirect_uri=http://example.com/
    {"access_token":"2gyx3nHg","token_type":"Bearer","expires_in":86400,"scope":"read write"}
    ```

    With this access token the client can call the API on behalf of the Resource Owner; that delegated API access is what OAuth 2.0 provides.
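The client side of the hands-on above (slides 38 to 40), as an added example in Python that is not part of the slides or of useless-oauth-server: it builds the same authorization URL, but with an unguessable one-time `state` instead of the fixed `state=mystate`, checks that state when the user agent comes back with the code, and assembles the same token request body the slide's curl sends. The endpoints, client_id and redirect_uri are those used on the slides; the token request itself is not sent.

```python
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Endpoints of the useless-oauth-server started on the slides (ruby server.rb).
AUTHORIZATION_ENDPOINT = "http://localhost:4567/authorization"
TOKEN_ENDPOINT = "http://localhost:4567/token"
CLIENT_ID = "1"
REDIRECT_URI = "http://example.com/"

# state values we issued and have not consumed yet: state -> time of issue
_pending = {}

def build_authorization_url(scope="read write", now=None):
    """Same request as the slide's URL, with a random single-use state value."""
    state = secrets.token_urlsafe(16)
    _pending[state] = time.time() if now is None else now
    params = {"response_type": "code", "client_id": CLIENT_ID,
              "redirect_uri": REDIRECT_URI, "scope": scope, "state": state}
    return AUTHORIZATION_ENDPOINT + "?" + urlencode(params)

def handle_redirect(redirect_url, now=None, max_age=600):
    """Called when the user agent lands on REDIRECT_URI. The state must be one we
    issued, and is consumed here, so a code from someone else's flow is rejected."""
    q = parse_qs(urlparse(redirect_url).query)
    state = q.get("state", [None])[0]
    issued = _pending.pop(state, None)
    if issued is None:
        raise ValueError("unknown or reused state")
    if (time.time() if now is None else now) - issued > max_age:
        raise ValueError("state expired")
    if "error" in q:
        raise ValueError("authorization failed: " + q["error"][0])
    if "code" not in q:
        raise ValueError("no authorization code in redirect")
    return q["code"][0]

def token_request_body(code):
    """Form body for the token request: the same fields as the slide's curl -d options."""
    return urlencode({"grant_type": "authorization_code", "code": code,
                      "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI})
```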