Javaで実装して学ぶOAuth 2.0！

(C) CASAREAL, Inc. All rights reserved. #jjug_ccc #ccc_e5 +BWBͰ࣮૷ֶͯ͠Ϳ 0"VUIʂ
ג ΧαϨΞϧଟాਅහ ++6($$$4QSJOH

(C) CASAREAL, Inc. All rights reserved. #jjug_ccc #ccc_e5 ͜ͷηογϣϯʹ͍ͭͯ ▸
ೝՄϓϩτίϧʮ0"VUIʯʹ͍ͭͯɺ  جૅ͔Βৄ͘͠ղઆ͠·͢ ▸ +BWBͰೝՄαʔόʔɾϦιʔεαʔόʔɾ  ΫϥΠΞϯτΛ࣮૷ͨ͠ྫ΋ղઆ͠·͢ 2

(C) CASAREAL, Inc. All rights reserved. #jjug_ccc #ccc_e5 ࣗݾ঺հ ▸
ଟాਅහʢ!TVLF@NBTBʣ ▸ ݚमτϨʔφʔ!ΧαϨΞϧ ▸ ઐ໳ɿ+BWB&&4QSJOH ▸ 1JWPUBMೝఆߨࢣ ▸ (MBTT'JTIϢʔβʔձӡӦϝϯόʔ ▸ ++6($$$ɿճ࿈ଓճ໨ͷొஃ 3

(C) CASAREAL, Inc. All rights reserved. #jjug_ccc #ccc_e5 גࣜձࣾΧαϨΞϧ ▸
*5ڭҭˍγεςϜ։ൃ ▸ IUUQTXXXDBTBSFBMDPKQMTTFSWJDF PQFOTFNJOBSUPQJOEFYIUNM ▸ ଞࣾʹ͸ແ͍ϓϩάϥϛϯάݚम͕ڧΈʂ ▸ +BWB&&ɺ4QSJOHɺ1JWPUBMೝఆίʔεɺ"QQMFೝఆίʔ εɺ+BWB4DSJQUɺJ04ɺ"OESPJEɺɾɾɾ 4

(C) CASAREAL, Inc. All rights reserved. #jjug_ccc #ccc_e5 ᶃ 0"VUIͱ͸ʁ
ᶄ 0"VUIͷొ৔ਓ෺ ᶅ 0"VUIͷೝՄͷྲྀΕ ᶆ αϯϓϧΞϓϦͷߏ੒ ᶇ ৄࡉͱ࣮૷ɿΞΫηετʔΫϯऔಘ·Ͱ ᶈ ৄࡉͱ࣮૷ɿϦιʔεΞΫηε·Ͱ ᶉ ͦͷଞͷηΩϡϦςΟߟྀࣄ߲ ᶊ ·ͱΊ 5

(C) CASAREAL, Inc. All rights reserved. #jjug_ccc #ccc_e5 0"VUIͱ͸ʁ 3'$ΑΓ
▸ ೝՄͷྲྀΕΛنఆͨ͠ϓϩτίϧ ▸ ʮαʔυύʔςΟʔΞϓϦέʔγϣϯʹΑΔ)551 αʔϏε΁ͷݶఆతͳΞΫηεΛՄೳʹ͢ΔೝՄϑϨʔ ϜϫʔΫͰ͋Δʯ ▸ 0"VUIͱ͸શ͘ͷผ෺ ▸ ʮ0"VUIϓϩτίϧΛഇࢭ͠ɺͦͷ୅ସͱͳΔ΋ ͷʯ 7

(C) CASAREAL, Inc. All rights reserved. #jjug_ccc #ccc_e5 ೝূͱೝՄ ▸
ೝূ "VUIFOUJDBUJPO"VUI/ "VUI$ ▸ ຊਓ֬ೝɻ͍ΘΏΔϩάΠϯɻ ▸ ೝՄ "VUIPSJ[BUJPO"VUI; ▸ ຊਓ֬ೝޙʹɺͦͷਓʹͦͷॲཧͷ࣮ߦݖݶ͕͋Δ͔ Ͳ͏͔ͷ֬ೝɻ 8

(C) CASAREAL, Inc. All rights reserved. #jjug_ccc #ccc_e5 ΞΫηετʔΫϯͱ͸ ▸
ΫϥΠΞϯτ͕ϦιʔεαʔόʔʹΞΫηε͢Δ ࡍͷʮ௨ߦखܗʯͷΑ͏ͳ΋ͷ ▸ ೝՄαʔόʔ͔Βൃߦ͞ΕΔ 9 GET /api/todos HTTP 1.1 Host: resource-server.com Authorization:Bearer yd2Dcweij334SSx ΞΫηετʔΫϯ

(C) CASAREAL, Inc. All rights reserved. #jjug_ccc #ccc_e5 είʔϓͱ͸ ▸
ΫϥΠΞϯτ͕ΞΫηεՄೳͳൣғ 10

(C) CASAREAL, Inc. All rights reserved. #jjug_ccc #ccc_e5 0"VUIͷొ৔ਓ෺ ᶃ
ϦιʔεΦʔφʔ 3FTPVSDF0XOFS ᶄ Ϧιʔεαʔόʔ 3FTPVSDF4FSWFS ᶅ ΫϥΠΞϯτ $MJFOU ᶆ ೝՄαʔόʔ "VUIPSJ[BUJPO4FSWFS 12 υΩϡϝϯτ΍ϥΠϒϥϦͰසग़ → ਖ਼֬ʹ֮͑Δ͜ͱ͕ॏཁʂ

(C) CASAREAL, Inc. All rights reserved. #jjug_ccc #ccc_e5 ᶃϦιʔεΦʔφʔ ▸
อޢ͞ΕͨϦιʔε΁ͷΞΫηεΛڐՄ͢Δਓؒ ▸ ػցͷ৔߹΋͋Δ ▸ 5XJUUFSͳΒʮਓਓͷϢʔβʔʯ 13

(C) CASAREAL, Inc. All rights reserved. #jjug_ccc #ccc_e5 ᶄϦιʔεαʔόʔ ▸
อޢ͞ΕͨϦιʔεΛϗετ͢Δαʔόʔ ▸ ϦιʔεʹΞΫηε͢Δʹ͸ΞΫηετʔΫϯ͕ඞཁ ▸ 5XJUUFSͳΒʮͭͿ΍͖αʔόʔʯ 14

(C) CASAREAL, Inc. All rights reserved. #jjug_ccc #ccc_e5 ᶅΫϥΠΞϯτ ▸
ϦιʔεΦʔφʔͷೝՄΛಘͯɺͦͷ୅ཧͱͯ͠อ ޢ͞ΕͨϦιʔεʹΞΫηε͢ΔΞϓϦέʔγϣϯ ▸ αʔόʔαΠυ8FCΞϓϦɺΫϥΠΞϯταΠυ8FCΞ ϓϦɺωΠςΟϒΞϓϦͳͲଟछଟ༷ ▸ 5XJUUFSͳΒʮUXJUUFSDPNʯʮ5XFFU%FDLʯʮJ04 "OESPJE༻ΫϥΠΞϯτʯʮ%PPSLFFQFSʯͳͲ 15

(C) CASAREAL, Inc. All rights reserved. #jjug_ccc #ccc_e5 ᶆೝՄαʔόʔ ▸
ϦιʔεΦʔφʔͷೝূͱೝՄऔಘͷ੒ޭޙɺ  ΞΫηετʔΫϯΛΫϥΠΞϯτʹൃߦ͢Δαʔ όʔ ▸ 5XJUUFSͳΒ͹ʮϢʔβʔ৘ใαʔόʔʯ 16

(C) CASAREAL, Inc. All rights reserved. #jjug_ccc #ccc_e5 5XJUUFSͰొ৔ਓ෺·ͱΊ 17
twitter.com ࠓ೔͸CCC!  ָ͠Έͩͳʔ Ϧιʔε  Φʔφʔ ΫϥΠΞϯτ Ϧιʔεαʔόʔ ೝՄαʔόʔ ೝՄ ΞΫηε  τʔΫϯ  ෇༩ ΞΫηε  τʔΫϯ ͭͿ΍͖ ̔෼ܦաʁ

(C) CASAREAL, Inc. All rights reserved. #jjug_ccc #ccc_e5 <$.>+BWBݚम࣮ࢪதʂ ▸
+BWB&&+4'ɺ+1"ɺ$%*ʹΑΔεϚʔτ։ൃ ▸ +BWB&&+"934 ▸ 4QSJOH͸͡Ίͯͷ4QSJOH.7$ ▸ &⒎FDUJWF+BWBͷཧղͱ'JOE#VHTͷ׆༻ ▸ ͱ͜ͱΜ࢖͏ʂ+6OJUϑΝϛϦʔ 18 https://www.casareal.co.jp/ls/service/openseminar/java

(C) CASAREAL, Inc. All rights reserved. #jjug_ccc #ccc_e5 ΫϥΠΞϯτͷछྨʹΑΔͭͷάϥϯτλΠϓ ᶃ
ೝՄίʔυάϥϯτ ▸ ओʹαʔόʔαΠυ8FCΞϓϦ ᶄ ΠϯϓϦγοτάϥϯτ ▸ ओʹΫϥΠΞϯταΠυ8FCΞϓϦ ᶅ ϦιʔεΦʔφʔύεϫʔυΫϨσϯγϟϧάϥϯτ ▸ ओʹϦιʔεαʔόʔެࣜͷωΠςΟϒΞϓϦ ᶆ ΫϥΠΞϯτΫϨσϯγϟϧάϥϯτ ▸ ΫϥΠΞϯτࣗ਎ͷ৘ใʹΞΫηε͢Δ৔߹ͳͲ 20 ←ࠓճ͸ίϨ

(C) CASAREAL, Inc. All rights reserved. #jjug_ccc #ccc_e5 ೝՄίʔυάϥϯτͷಛ௃ ▸
ೝՄαʔόʔ͸ɺ·ͣΞΫηετʔΫϯͷҾ׵݊  ೝՄίʔυ ΛΫϥΠΞϯτʹൃߦ͢Δ ▸ ϦμΠϨΫτͱΫΤϦύϥϝʔλΛར༻ͯ͠ɺ8FCϒϥ΢β Λܦ༝ͯ͠౉͢ ▸ ΫϥΠΞϯτ͸ɺೝՄίʔυΛೝՄαʔόʔʹఏࣔ͠ɺ ΞΫηετʔΫϯΛड͚औΔ ▸ 8FCϒϥ΢βʹ௚઀ΞΫηετʔΫϯΛ౉͞ͳ͍Α͏ʹ͢Δ ͨΊʢ΋͠8FCϒϥ΢β͕ѱ͍ਓʹ৐ͬऔΒΕͯͨΒΞ΢τͳͷͰʣ 21

(C) CASAREAL, Inc. All rights reserved. #jjug_ccc #ccc_e5 ॏཁͳͭͷΤϯυϙΠϯτ ᶃ
ೝՄΤϯυϙΠϯτ ೝՄαʔόʔ ▸ ೝՄը໘ΛϨεϙϯε͢Δ63- ᶄ τʔΫϯΤϯυϙΠϯτ ೝՄαʔόʔ ▸ ΞΫηετʔΫϯΛൃߦ͢Δ63- ᶅ ϦμΠϨΫτΤϯυϙΠϯτ ΫϥΠΞϯτ ▸ ೝՄίʔυൃߦޙͷϦμΠϨΫτઌͷ63- 22

(C) CASAREAL, Inc. All rights reserved. #jjug_ccc #ccc_e5 ೝՄίʔυʹΑΔΞΫηετʔΫϯऔಘ 23
ೝՄαʔόʔ ΫϥΠΞϯτ Ϧιʔε  Φʔφʔ Web  ϒϥ΢β※ ※Webϒϥ΢β͸ɺ࢓༷ॻͰ͸ʮϢʔβʔΤʔδΣϯτʯͱهࡌ͞Ε͍ͯ·͢ ᶃॳճΞΫηε ᶄೝՄΤϯυϙΠϯτʹϦμΠϨΫτ ᶅೝՄը໘ ᶆೝՄ ᶇೝՄίʔυൃߦʴϦμΠϨΫτ ᶈೝՄίʔυ ᶉΞΫηετʔΫϯ

(C) CASAREAL, Inc. All rights reserved. #jjug_ccc #ccc_e5 ΞΫηετʔΫϯΛར༻ͨ͠ϦιʔεΞΫηε 24
ೝՄαʔόʔ ΫϥΠΞϯτ Ϧιʔε  Φʔφʔ Web  ϒϥ΢β ੥ٻॻ࡞੒  ࢿྉ༣ૹ Ϧιʔε  αʔόʔ ᶃϦΫΤετ ᶅΞΫηε  ɹτʔΫϯ  ɹݕূ ᶆϢʔβʔ৘ใ΍είʔϓ ᶈϨεϙϯε ᶉϨεϙϯε ᶇείʔϓΛ  ɹνΣοΫ ᶄϦιʔεʹΞΫηε  with ΞΫηετʔΫϯ

(C) CASAREAL, Inc. All rights reserved. #jjug_ccc #ccc_e5 0"VUI࢓༷Ͱະఆٛͷ෦෼ᶃ 25
ೝՄαʔόʔ ΫϥΠΞϯτ Ϧιʔε  Φʔφʔ Web  ϒϥ΢β ᶃॳճΞΫηε ᶄೝՄΤϯυϙΠϯτʹϦμΠϨΫτ ᶅೝՄը໘ ᶆೝՄ ᶇೝՄίʔυൃߦʴϦμΠϨΫτ ᶈೝՄίʔυ ᶉΞΫηετʔΫϯ Ͳ͏ೝՄ͢Δ͔͸ܾ·ͬͯͳ͍  ˠ։ൃऀ͕࡞ΓࠐΉඞཁ͕͋Δ

(C) CASAREAL, Inc. All rights reserved. #jjug_ccc #ccc_e5 0"VUI࢓༷Ͱະఆٛͷ෦෼ᶄ 26
ೝՄαʔόʔ ΫϥΠΞϯτ Ϧιʔε  Φʔφʔ Web  ϒϥ΢β ੥ٻॻ࡞੒  ࢿྉ༣ૹ Ϧιʔε  αʔόʔ ᶃϦΫΤετ ᶅΞΫηε  ɹτʔΫϯ  ɹݕূ ᶆϢʔβʔ৘ใ΍είʔϓ ᶈϨεϙϯε ᶉϨεϙϯε ᶇείʔϓΛ  ɹνΣοΫ ᶄϦιʔεʹΞΫηε  with ΞΫηετʔΫϯ ΞΫηετʔΫϯΛ  ૹΔ෦෼Ҏ֎͸  ΄ͱΜͲະఆٛ

(C) CASAREAL, Inc. All rights reserved. #jjug_ccc #ccc_e5 ΞΫηετʔΫϯ΍είʔϓͷνΣοΫํ๏ "
Ϧιʔεαʔόʔ͔ΒೝՄ αʔόʔʹ໰͍߹ΘͤΔ # ڞ༗σʔλϕʔεͳͲΛར ༻͢Δ $ ϦιʔεαʔόʔͱೝՄαʔ όʔΛಉҰαʔόʔʹ͢Δ 27 ←ࠓճ͸ίϨ ※είʔϓ͸ΞΫηετʔΫϯ ʹؚΊΔํ๏΋͋ΔʢJWTʣ

(C) CASAREAL, Inc. All rights reserved. #jjug_ccc #ccc_e5 0"VUIͱʮೝূʯ ▸
0"VUI͸ʮೝՄʯ ▸ ͔͠͠ʮೝূʯ͕ඞཁͳՕॴ΋͍͔ͭ͋͘Δ 28

(C) CASAREAL, Inc. All rights reserved. #jjug_ccc #ccc_e5 ೝূ͕ඞཁͳՕॴᶃ 29
ೝՄαʔόʔ ΫϥΠΞϯτ Ϧιʔε  Φʔφʔ Web  ϒϥ΢β ᶃॳճΞΫηε ᶄೝՄΤϯυϙΠϯτʹϦμΠϨΫτ ᶅೝՄը໘ ᶆೝՄ ᶇೝՄίʔυൃߦʴϦμΠϨΫτ ᶈೝՄίʔυ ᶉΞΫηετʔΫϯ ೝՄͨ͠ͷ͸ຊ౰ʹϦιʔεΦʔφʔʁ  ˠϦιʔεΦʔφʔͷIDɾύεϫʔυͰೝূ

(C) CASAREAL, Inc. All rights reserved. #jjug_ccc #ccc_e5 ೝূ͕ඞཁͳՕॴᶄ 30
ೝՄαʔόʔ ΫϥΠΞϯτ Ϧιʔε  Φʔφʔ Web  ϒϥ΢β ᶃॳճΞΫηε ᶄೝՄΤϯυϙΠϯτʹϦμΠϨΫτ ᶅೝՄը໘ ᶆೝՄ ᶇೝՄίʔυൃߦʴϦμΠϨΫτ ᶈೝՄίʔυ ᶉΞΫηετʔΫϯ ೝՄίʔυΛૹ͖ͬͯͨͷ͸ຊ౰ʹΫϥΠΞϯτʁ  ˠclient_idɾclient_secretͰBASICೝূ ※client_idͱclient_secret͸ɺೝՄαʔόʔʹࣄલʹൃߦͯ͠΋Β͏

(C) CASAREAL, Inc. All rights reserved. #jjug_ccc #ccc_e5 ೝূ͕ඞཁͳՕॴᶅ 31
ೝՄαʔόʔ ΫϥΠΞϯτ Ϧιʔε  Φʔφʔ Web  ϒϥ΢β ੥ٻॻ࡞੒  ࢿྉ༣ૹ Ϧιʔε  αʔόʔ ᶃϦΫΤετ ᶅΞΫηε  ɹτʔΫϯ  ɹݕূ ᶆϢʔβʔ৘ใ΍είʔϓ ᶈϨεϙϯε ᶉϨεϙϯε ᶇείʔϓΛ  ɹνΣοΫ ᶄϦιʔεʹΞΫηε  with ΞΫηετʔΫϯ ΞΫηετʔΫϯΛૹ͖ͬͯͨͷ͸  ຊ౰ʹϦιʔεαʔόʔʁ  ˠϦιʔεαʔόʔͷIDɾύεϫʔυ  ͰBASICೝূ

(C) CASAREAL, Inc. All rights reserved. #jjug_ccc #ccc_e5 ΞΫηετʔΫϯͷೝূ͸ʁ ▸
ΞΫηετʔΫϯൃߦޙͷϦιʔεΦʔφʔຊਓ ֬ೝ͸͠ͳ͍ ▸ ΞΫηετʔΫϯʹ༗ޮظݶΛ͚ͭΔɺ  ΞΫηετʔΫϯͷ࠶ൃߦ SFGSFTIτʔΫϯ ɺ  ΞΫηετʔΫϯͷണୣ SFWPLF ɺ  ͳͲͷߟྀ͸ඞਢ ▸ ࣌ؒͷ౎߹্ɺࠓճ͸಺༰ʹؚΊ·ͤΜ 32

(C) CASAREAL, Inc. All rights reserved. #jjug_ccc #ccc_e5 0"VUIͱ҉߸Խ ▸
҉߸Խ͸ඞਢ ▸ ೝՄίʔυɺΞΫηετʔΫϯɺೝূ৘ใͳͲɺ  ػີ৘ใ͕ωοτϫʔΫ্ʹඈͼަ͏ͨΊ ▸ ͢΂ͯͷ௨৴Λ)5514Ͱߦͬͨํ͕Α͍ 33 ̍̔෼ܦաʁ

(C) CASAREAL, Inc. All rights reserved. #jjug_ccc #ccc_e5 <$.>1JWPUBMೝఆݚम࣮ࢪதʂ ▸
$PSF4QSJOH ▸ ᶃ݄೔ʙ೔ɺᶄ݄೔ʙ೔ ▸ ϋΠϨϕϧͳʮ4QSJOHͷجૅʯ ▸ %*ɺ"01ɺςετɺ%#ɺτϥϯβΫγϣϯɺ 8FCɺ3&45ɺ4FDVSJUZɺ4QSJOH#PPUɺ .JDSPTFSWJDFTʜ 34 https://www.casareal.co.jp/ls/service/openseminar/pivotal

(C) CASAREAL, Inc. All rights reserved. #jjug_ccc #ccc_e5 ࠓճͷαϯϓϧΞϓϦ ▸
50%0؅ཧΞϓϦ ▸ ೝՄαʔόʔ ▸ Ϧιʔεαʔόʔ ▸ ಡΈॻ͖ΫϥΠΞϯτ ▸ ಡΉ͚ͩΫϥΠΞϯτ 36 ੥ٻॻ࡞੒  ࢿྉ༣ૹ JSON HTML ΞΫηε  τʔΫϯ ݕূ ίʔυ -> https://github.com/MasatoshiTada/oltu-todo

(C) CASAREAL, Inc. All rights reserved. #jjug_ccc #ccc_e5 "QBDIF0MUV ▸
0"VUIͷ+BWBʹΑΔࢀর࣮૷తͳଘࡏ ▸ IUUQTPMUVBQBDIFPSH ▸ 0"VUI࢓༷Ͱܾ·͍ͬͯΔ෦෼ͷΈ࣮૷͞ Ε͍ͯΔ ▸ ࣗ෼Ͱ࡞ΓࠐΉ෦෼͕ଟʑ͋Δ ▸ 0QFO*%$POOFDUɺ+85ͳͲͷػೳ΋͋Δ 38

(C) CASAREAL, Inc. All rights reserved. #jjug_ccc #ccc_e5 0MUVͷػೳ ▸
ڞ௨ ▸ ϦΫΤετ΍ϨεϙϯεΛ૊ΈཱͯΔ ▸ ඞཁͳύϥϝʔλؚ͕·Ε͍ͯΔ͔΋νΣοΫ͢Δ ▸ ೝՄαʔόʔ ▸ ೝՄίʔυ΍ΞΫηετʔΫϯΛੜ੒͢Δʢ.%PS 66*%ʣ ▸ ΞΫηετʔΫϯΛؚΉ+40/Λੜ੒͢Δ 39

(C) CASAREAL, Inc. All rights reserved. #jjug_ccc #ccc_e5 0MUVͷػೳ ଓ͖
▸ Ϧιʔεαʔόʔ ▸ ΞΫηετʔΫϯΛݕূ͢ΔαʔϒϨοτϑΟϧλʔ ▸ ΫϥΠΞϯτ ▸ ΞΫηετʔΫϯΛೝՄαʔόʔ͔Βऔಘ͢Δ 40

(C) CASAREAL, Inc. All rights reserved. #jjug_ccc #ccc_e5 ͦͷଞͷ0"VUIରԠϥΠϒϥϦ ▸
4QSJOH4FDVSJUZ0"VUI ▸ ߴػೳ͕ͩެࣜυΩϡϝϯτ͕গͳ͍ ▸ IUUQTQSPKFDUTTQSJOHJPTQSJOHTFDVSJUZPBVUIEPDT PBVUIIUNM ▸ 5FSBTPMVOB։ൃΨΠυϥΠϯ͕ৄ͍͠ʢઅ0"VUIʣ ▸ 4QSJOH4FDVSJUZʹ΋0"VUIػೳ͕ՃΘΔ༧ఆ ▸ IUUQTHJUIVCDPNTQSJOHQSPKFDUTTQSJOHTFDVSJUZUSFF NBTUFSPBVUI 41

(C) CASAREAL, Inc. All rights reserved. #jjug_ccc #ccc_e5 ͦͷଞͷ0"VUIରԠϥΠϒϥϦ ଓ͖
▸ QBDK ▸ IUUQXXXQBDKPSH ▸ ༷ʑͳϑϨʔϜϫʔΫͱͷ࿈ܞϥΠϒϥϦ͕͋Δ ▸ 4QSJOH.7$ɺ+"934ɺ1MBZɺ4QBSLɺɾɾɾ ▸ 4QSJOHҎ֎ͳΒ͹͔ͬͪ͜΋ʁʢະௐࠪʣ 42

(C) CASAREAL, Inc. All rights reserved. #jjug_ccc #ccc_e5 ͦͷଞͷ0"VUIରԠϥΠϒϥϦ ଓ͖
▸ +BWB&&4FDVSJUZ"1* ▸ +BWB&&͔Βͷ৽ػೳ ▸ 0"VUI͸&&͔Βͷ༧ఆ ▸ ࢀর࣮૷͸4PUFSJB ▸ IUUQTHJUIVCDPNKBWBFFTFDVSJUZTQFDTPUFSJB 43

(C) CASAREAL, Inc. All rights reserved. #jjug_ccc #ccc_e5 0MUVҎ֎ͷ࢖༻ٕज़ ▸
͋͑ͯͷ+BWB&& ▸ +"934 +FSTFZ ▸ .7$ 0[BSL ▸ 1BZBSB.JDSP1SPpMF  ࣮ߦՄೳ+"3 ▸ 5IZNFMFBG 44 ̎̑෼ܦաʁ

(C) CASAREAL, Inc. All rights reserved. #jjug_ccc #ccc_e5 <$.>1JWPUBMೝఆݚम࣮ࢪதʂ ▸
4QSJOH#PPU%FWFMPQFS ▸ ॳճɿ݄೔ʙ೔ ▸ 4QSJOH#PPUͷجૅ͔ΒԠ༻·Ͱ ▸ 1JWPUBMͱڞ࠵Ͱମݧηϛφʔ΍Γ·͢ʂ 45 https://www.casareal.co.jp/ls/service/openseminar/pivotal

(C) CASAREAL, Inc. All rights reserved. #jjug_ccc #ccc_e5 ᶃॳճΞΫηε 47
ೝՄαʔόʔ ΫϥΠΞϯτ Ϧιʔε  Φʔφʔ Web  ϒϥ΢β ᶃॳճΞΫηε ᶄೝՄΤϯυϙΠϯτʹϦμΠϨΫτ ᶅೝՄը໘ ᶆೝՄ ᶇೝՄίʔυൃߦʴϦμΠϨΫτ ᶈೝՄίʔυ ᶉΞΫηετʔΫϯ

(C) CASAREAL, Inc. All rights reserved. #jjug_ccc #ccc_e5 ᶃॳճΞΫηε ▸
ΫϥΠΞϯτ͕·ͩΞΫηετʔΫϯΛ࣋ͬͯ ͍ͳ͍  ˠೝՄαʔόʔͷೝՄΤϯυϙΠϯτ΁ϦμΠϨ Ϋτ͢Δ ▸ ೝՄΤϯυϙΠϯτ΁ͷΞΫηεʹඞཁͳΫΤϦύϥ ϝʔλ΋෇Ճ͢Δ 48

(C) CASAREAL, Inc. All rights reserved. #jjug_ccc #ccc_e5 ᶃॳճΞΫηε 49
ύϥϝʔλ໊ ҙຯ response_type ඞͣ”code”(ೝՄίʔυൃߦΛද͢) redirect_uri ϦμΠϨΫτΤϯυϙΠϯτͷURL state CSRFτʔΫϯ client_id ΫϥΠΞϯτΛࣝผ͢ΔID ▸ ඞཁͳΫΤϦύϥϝʔλҰཡ

ೝՄΤϯυϙΠϯτ΁ϦμΠϨΫτ͢Δίʔυ 50 // ϦμΠϨΫτઌͷURLΛ૊ΈཱͯΔ OAuthClientRequest oAuthRequest = OAuthClientRequest .authorizationLocation(“https://localhost:8888/api/authorize”) .setResponseType(“code”) .setClientId(“readwriteclient”) .setRedirectURI(“https://localhost:8081/api/redirect”) .setState("xyz") .buildQueryMessage(); // ೝՄΤϯυϙΠϯτ΁ϦμΠϨΫτ return Response.status(Response.Status.FOUND) .location(URI.create(oAuthRequest.getLocationUri())) .build(); readwrite-client/src/main/java/com/example/readwriteclient/web/exception/mapper/AccessTokenRequiredExceptionMapper.java ೝՄΤϯυϙΠϯτURL response_type client_id redirect_uri state※ ※stateͷ”xyz”͸Ծͷ஋Ͱ͢ɻຊདྷ͸ϥϯμϜͳจࣈྻʹ͠·͢ɻ

ΫϥΠΞϯτ͔Β8FCϒϥ΢β΁ͷϨεϙϯε ▸ ೝՄαʔόʔͷೝՄΤϯυϙΠϯτ΁ϦμΠϨΫτ 51 302 FOUND Location: https://localhost:8888/api/authorize? response_type=code&redirect_uri=https%3A%2F%2Flo calhost%3A8081%2Fapi%2Fredirect&state=xyz&client _id=readwriteclient

(C) CASAREAL, Inc. All rights reserved. #jjug_ccc #ccc_e5 ᶄೝՄΤϯυϙΠϯτʹϦμΠϨΫτʙᶅೝՄը໘ ▸
8FCϒϥ΢β͕ɺઌ΄ͲͷϦμΠϨΫτͰࢦఆ ͞Εͨ63-ʹϦΫΤετ 53 GET https://localhost:8888/api/authorize? response_type=code&redirect_uri=https%3A%2F%2Flo calhost%3A8081%2Fapi%2Fredirect&state=xyz&client _id=readwriteclient

ೝՄΤϯυϙΠϯτͷίʔυ 54 @GET @Controller public String goToApprovalView(@Context HttpServletRequest req) throws OAuthProblemException, OAuthSystemException { // ϦΫΤετͷੜ੒ʢඞཁͳύϥϝʔλͷνΣοΫ΋ߦ͏ʣ OAuthAuthzRequest oAuthRequest = new OAuthAuthzRequest(req); …(தུ)… // ೝՄը໘΁ϑΥϫʔυ models.put("client", client); models.put("state", oAuthRequest.getState()); return "approval.html"; } authorization-server/src/main/java/com/example/authorizationserver/web/controller/AuthorizationController.java

ೝՄը໘͕Ϩεϙϯε͞ΕΔ 55

(C) CASAREAL, Inc. All rights reserved. #jjug_ccc #ccc_e5 ᶆೝՄʙᶇೝՄίʔυൃߦʴϦμΠϨΫτ ▸
ೝՄը໘ʹϦιʔεΦʔφʔͷ*%ɾύεϫʔυ Λೖྗͯ͠ೝՄ͢Δ 57

(C) CASAREAL, Inc. All rights reserved. #jjug_ccc #ccc_e5 ᶆೝՄʙᶇೝՄίʔυൃߦʴϦμΠϨΫτ ▸
ೖྗ͞Εͨ*%ͳͲΛड͚औΔίϯτϩʔϥʔ 58 @POST public Response approve(@FormParam("loginId") String loginId, @FormParam("password") String password, @FormParam("client_id") String clientId, @Context HttpServletRequest httpServletRequest) { // ϦιʔεΦʔφʔͷೝূ ResourceOwner resourceOwner = resourceOwnerService.findByLoginId(loginId); if (!resourceOwner.getPassword().equals(password)) { throw new NotAuthorizedException(…); } // ೝՄίʔυͷൃߦ OAuthIssuer oAuthIssuer = new OAuthIssuerImpl(new MD5Generator()); String authCode = oAuthIssuer.authorizationCode(); authorization-server/src/main/java/com/example/authorizationserver/web/controller/ApprovalController.java

// ΫϥΠΞϯτͷऔಘ Client client = clientService.getClient(clientId); // ೝՄίʔυͱϦιʔεΦʔφʔΛϗϧμʔʹอଘ authorizationCodeHolder.addResourceOwner( authCode, resourceOwner); authorizationCodeHolder.addClient(authCode, client); // Ϩεϙϯεͷ࡞੒ OAuthResponse oAuthResponse = OAuthASResponse .authorizationResponse(httpServletRequest, 302) .setCode(authCode) // ೝՄίʔυ .setParam(“state”, state) // state .location(client.getRedirectUri()) // redirect_uri .buildQueryMessage(); // ΫϥΠΞϯτͷϦμΠϨΫτΤϯυϙΠϯτʹϦμΠϨΫτ return Response.status(oAuthResponse.getResponseStatus()) .location(URI.create(oAuthResponse.getLocationUri())) .build(); } authorization-server/src/main/java/com/example/authorizationserver/web/controller/ApprovalController.java

▸ ೝՄαʔόʔ͔Β8FCϒϥ΢β΁ͷϨεϙϯε ▸ ΫϥΠΞϯτͷϦμΠϨΫτΤϯυϙΠϯτ΁ϦμΠ ϨΫτ 302 FOUND Location: https://localhost:8081/api/redirect? code=876c4b7339cd3a3bd416a0772fdbf8af&state=xyz ೝՄίʔυ

(C) CASAREAL, Inc. All rights reserved. #jjug_ccc #ccc_e5 ᶈೝՄίʔυʙᶉΞΫηετʔΫϯ ▸
8FCϒϥ΢β͕ɺΫϥΠΞϯτͷϦμΠϨΫτ ΤϯυϙΠϯτʹϦΫΤετ 62 GET https://localhost:8081/api/redirect? code=876c4b7339cd3a3bd416a0772fdbf8af&state=xyz ೝՄίʔυ

ΫϥΠΞϯτͷϦμΠϨΫτΤϯυϙΠϯτͷίʔυ 63 @GET @Controller public String redirect(@QueryParam("code") String authCode) { // τʔΫϯΤϯυϙΠϯτ΁ͷϦΫΤετͷੜ੒ OAuthClientRequest oAuthClientRequest = OAuthClientRequest .tokenLocation("https://localhost:8888/api/token") .setClientId("readwriteclient") .setClientSecret("password") .setRedirectURI("https://localhost:8081/api/redirect") .setCode(authCode) .setGrantType(GrantType.AUTHORIZATION_CODE) .buildBodyMessage(); // BASICೝূϔομʔΛ෇Ճ oAuthClientRequest.addHeader(HttpHeaders.AUTHORIZATION, Constants.AUTH_HEADER_VALUE); readwrite-client/src/main/java/com/example/readwriteclient/web/controller/RedirectController.java

// τʔΫϯΤϯυϙΠϯτʹϦΫΤετͯ͠ɺΞΫηετʔΫϯΛऔಘ OAuthClient oAuthClient = new OAuthClient( new URLConnectionClient()); OAuthJSONAccessTokenResponse oAuthAccessTokenResponse = oAuthClient.accessToken(oAuthClientRequest); String accessToken = oAuthAccessTokenResponse.getAccessToken(); // ηογϣϯείʔϓͳϗϧμʔʹΞΫηετʔΫϯΛอଘ accessTokenHolder.setAccessToken(accessToken); // Ұཡը໘ʹϦμΠϨΫτ return "redirect:/todo/index"; } readwrite-client/src/main/java/com/example/readwriteclient/web/controller/RedirectController.java

τʔΫϯΤϯυϙΠϯτ΁ͷϦΫΤετ಺༰ ▸ ΫϥΠΞϯτˠೝՄαʔόʔ 65 POST /api/token Host: localhost:8888 Authorization: Basic cmVhZHdyaXRlY2xpZW50OnBhc3N3b3Jk Content-Type: application/x-www-form-urlencoded grant_type=authorization_code&code=876c4b7339cd3a3bd416 a0772fdbf8af&redirect_uri=https%3A%2F%2Flocalhost%3A808 1%2Fapi%2Fredirect

τʔΫϯΤϯυϙΠϯτͷίʔυ 66 @POST @Produces(MediaType.APPLICATION_JSON) public Response token( @Context HttpServletRequest httpServletRequest) { // τʔΫϯϦΫΤετʹඞཁͳύϥϝʔλΛνΣοΫ OAuthTokenRequest oauthRequest = new OAuthTokenRequest(httpServletRequest); …(தུ)… // ΞΫηετʔΫϯͱϦϑϨογϡτʔΫϯൃߦ OAuthIssuer oAuthIssuer = new OAuthIssuerImpl(new MD5Generator()); String accessToken = oAuthIssuer.accessToken(); String refreshToken = oAuthIssuer.refreshToken(); authorization-server/src/main/java/com/example/authorizationserver/web/controller/TokenController.java

// Ϩεϙϯε͢ΔJSONͷ࡞੒ OAuthResponse oAuthResponse = OAuthASResponse .tokenResponse(Response.Status.OK.getStatusCode()) .setAccessToken(accessToken) .setExpiresIn("3600") .setRefreshToken(refreshToken) .buildJSONMessage(); ɹ// ΫϥΠΞϯτʹ200 OKͰϨεϙϯε return Response.ok(oAuthResponse.getBody()) .build(); authorization-server/src/main/java/com/example/authorizationserver/web/controller/TokenController.java

τʔΫϯΤϯυϙΠϯτ͔Βͷ+40/Ϩεϙϯε ▸ ೝՄαʔόʔˠΫϥΠΞϯτ 68 200 OK {"access_token":"ffb085abdadf4235c33aa0f042a4f5eb","ref resh_token":"b1669b4c5fdc984f9bd5252bc2f50f52","expires _in":3600} ΞΫηετʔΫϯ ̏̔෼ܦաʁ

(C) CASAREAL, Inc. All rights reserved. #jjug_ccc #ccc_e5 ᶃϦΫΤετ ʙᶄϦιʔεʹΞΫηεXJUIΞΫηετʔΫϯ
71 ೝՄαʔόʔ ΫϥΠΞϯτ Ϧιʔε  Φʔφʔ Web  ϒϥ΢β ੥ٻॻ࡞੒  ࢿྉ༣ૹ Ϧιʔε  αʔόʔ ᶃϦΫΤετ ᶅΞΫηε  ɹτʔΫϯ  ɹݕূ ᶆϢʔβʔ৘ใ΍είʔϓ ᶈϨεϙϯε ᶉϨεϙϯε ᶇείʔϓΛ  ɹνΣοΫ ᶄϦιʔεʹΞΫηε  with ΞΫηετʔΫϯ

(C) CASAREAL, Inc. All rights reserved. #jjug_ccc #ccc_e5 ᶃϦΫΤετ ʙᶄϦιʔεʹΞΫηεXJUIΞΫηετʔΫϯ
▸ ΫϥΠΞϯτ͔ΒϦιʔεαʔόʔʹϦΫΤετ ▸ ΞΫηετʔΫϯΛ"VUIPSJ[BUJPOϔομʔʹ෇Ճ 72 GET /api/v1/todos Authorization : Bearer ffb085abdadf4235c33aa0f042a4f5eb ΞΫηετʔΫϯ

(C) CASAREAL, Inc. All rights reserved. #jjug_ccc #ccc_e5 73 ೝՄαʔόʔ
ΫϥΠΞϯτ Ϧιʔε  Φʔφʔ Web  ϒϥ΢β ੥ٻॻ࡞੒  ࢿྉ༣ૹ Ϧιʔε  αʔόʔ ᶃϦΫΤετ ᶅΞΫηε  ɹτʔΫϯ  ɹݕূ ᶆϢʔβʔ৘ใ΍είʔϓ ᶈϨεϙϯε ᶉϨεϙϯε ᶇείʔϓΛ  ɹνΣοΫ ᶄϦιʔεʹΞΫηε  with ΞΫηετʔΫϯ ᶅΞΫηετʔΫϯݕূʙᶆϢʔβʔ৘ใ΍είʔϓ

"QBDIF0MUVͰ͸ɺϦιʔεαʔόʔ༻ͷ  αʔϒϨοτϑΟϧλʔ͕༻ҙ͞Ε͍ͯΔ 75 <filter> <filter-name>OAuthFilter</filter-name> <filter-class> org.apache.oltu.oauth2.rsfilter.OAuthFilter </filter-class> </filter> <filter-mapping> <filter-name>OAuthFilter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> resource-server/src/main/webapp/WEB-INF/web.xml

0"VUI'JMUFS͔Βɺ0"VUI341SPWJEFS࣮૷Ϋ ϥε͕ݺ͹ΕΔ ▸ XFCYNMʹԼهͷఆ͕ٛඞཁ 76 <context-param> <param-name>oauth.rs.provider-class</param-name> <param-value> com.example.resourceserver.oauth.MyOAuthRSProvider </param-value> </context-param> resource-server/src/main/webapp/WEB-INF/web.xml

(C) CASAREAL, Inc. All rights reserved. #jjug_ccc #ccc_e5 ᶅΞΫηετʔΫϯݕূʙᶆϢʔβʔ৘ใ΍είʔϓ 77
public class MyOAuthRSProvider implements OAuthRSProvider { @Override public OAuthDecision validateRequest(String rsId, String accessToken, HttpServletRequest httpServletRequest) { // ೝՄαʔόʔ΁HTTPΞΫηεͯ͠ΞΫηετʔΫϯͷਖ਼౰ੑνΣοΫ MultivaluedHashMap<String, String> formParams = …; formParams.putSingle("access_token", accessToken); Response response = ClientBuilder.newBuilder() .build() .target("https://localhost:8888/api/check_token") .request() .header("Content-Type", "application/x-www-form-urlencoded") .header("Authorization", Constants.AUTH_HEADER_VALUE) .post(Entity.form(formParams)); // ΞΫηετʔΫϯ͸ਖ਼౰ͳΒ͹200͕ฦͬͯ͘Δ if (response.getStatusInfo().equals(Response.Status.OK)) { // ໭Γ஋Λฦ͢ } resource-server/src/main/java/com/example/resourceserver/oauth/MyOAuthRSProvider.java

(C) CASAREAL, Inc. All rights reserved. #jjug_ccc #ccc_e5 ᶅΞΫηετʔΫϯݕূʙᶆϢʔβʔ৘ใ΍είʔϓ 78
▸ ೝՄαʔόʔ͔ΒͷϨεϙϯε 200 OK Content-Type: application/json { “login_id” : “user1”, “client” : { “client_id” : “readwriteclient”, … “scope_types” : [“read”, “write”] } } είʔϓ৘ใ

(C) CASAREAL, Inc. All rights reserved. #jjug_ccc #ccc_e5 79 ೝՄαʔόʔ
ΫϥΠΞϯτ Ϧιʔε  Φʔφʔ Web  ϒϥ΢β ੥ٻॻ࡞੒  ࢿྉ༣ૹ Ϧιʔε  αʔόʔ ᶃϦΫΤετ ᶅΞΫηε  ɹτʔΫϯ  ɹݕূ ᶆϢʔβʔ৘ใ΍είʔϓ ᶈϨεϙϯε ᶉϨεϙϯε ᶇείʔϓΛ  ɹνΣοΫ ᶄϦιʔεʹΞΫηε  with ΞΫηετʔΫϯ ᶇείʔϓΛνΣοΫʙᶉϨεϙϯε

(C) CASAREAL, Inc. All rights reserved. #jjug_ccc #ccc_e5 ᶇείʔϓΛνΣοΫʙᶉϨεϙϯε ▸
Ϧιʔεαʔόʔͷίϯτϩʔϥʔϝιουʹ !3PMFT"MMPXFEͰείʔϓΛࢦఆ 80 @Path("/todos") public class TodoController { @RolesAllowed("read") @GET @Produces("application/json") public Response findAll() { … } @RolesAllowed("write") @POST @Consumes("application/json") public Response add(Todo todo) { … } } resource-server/src/main/java/com/example/resourceserver/web/controller/TodoController.java ̐̌෼ܦաʁ

(C) CASAREAL, Inc. All rights reserved. #jjug_ccc #ccc_e5 0"VUI࢓༷ॻΑΓ ▸
ຊࢿྉͰະ঺հͷࣄ߲ ▸ ೝՄίʔυϦμΠϨΫτ63*ͷૢ࡞ ▸ ϑΟογϯάΞλοΫ ▸ ΫϩεαΠτϦΫΤετϑΥʔδΣϦ  ɾɾɾͳͲ ▸ ඞͣ࢓༷ॻΛνΣοΫ͠·͠ΐ͏ʂ ▸ IUUQTPQFOJEGPVOEBUJPOKBQBOHJUIVCJP SGDKBIUNMBODIPS 83

(C) CASAREAL, Inc. All rights reserved. #jjug_ccc #ccc_e5 ηΩϡϦςΟؔ࿈ͷ࢓༷ॻ ▸
3'$0"VUI5ISFBU.PEFMBOE 4FDVSJUZ$POTJEFSBUJPOT ▸ IUUQXXXSGDFEJUPSPSHJOGPSGD ▸ 3'$0"VUI5PLFO3FWPDBUJPO ▸ IUUQPQFOJEGPVOEBUJPOKBQBOHJUIVCJP SGDKBIUNM 84

(C) CASAREAL, Inc. All rights reserved. #jjug_ccc #ccc_e5 "QBDIF0MUV͸࢖͑Δ͔ʁ ▸
͋͘·Ͱʮֶश༻ʯͱ͍͏ͷ͕ݸਓతͳײ૝ ▸ ػೳ͕࠷௿ݶͰੜ࢈ੑ͸͋·Γྑ͘ͳ͍ ▸ υΩϡϝϯτ͕গͳ͍ʴக໋తͳؒҧ͍ ▸ ͦͷଞͷηΩϡϦςΟࣄ߲͸͢΂ͯࣗݾ੹೚ ▸ جຊతʹ͸4QSJOH4FDVSJUZ0"VUI΍QBDKͳ ͲΛ࢖ͬͨ΄͏͕ྑ͍͔΋ 88

(C) CASAREAL, Inc. All rights reserved. #jjug_ccc #ccc_e5 ͞Βʹֶश͢ΔͨΊʹ ▸
0"VUI࢓༷ॻ೔ຊޠ൛ ▸ IUUQTPQFOJEGPVOEBUJPOKBQBOHJUIVCJPSGDKBIUNM ▸ 0"VUIΛ͸͡ΊΑ͏ ▸ IUUQTXXXPSFJMMZDPKQCPPLT ▸ 0"VUIશϑϩʔͷਤղͱಈը ▸ IUUQRJJUBDPN5BLBIJLP,BXBTBLJJUFNTFCGBG ▸ ࠓߋฉ͚ͳ͍0"VUI ▸ IUUQTXXXTMJEFTIBSFOFUQIQITBPBVUI 90

Javaで実装して学ぶOAuth 2.0！

Javaで実装して学ぶOAuth 2.0！

More Decks by Masatoshi Tada

Other Decks in Technology

Featured

Transcript