
OpenID Connect 1.0 with Spring Security #jjug_ccc #jjug_ccc_b / oidc-with-spring-security


OpenID Connect 1.0 is an authentication protocol built on top of OAuth 2.0. This session gives an accessible explanation of:

- An overview of OpenID Connect 1.0 and its flow
- Why OAuth is "authorization" while OpenID Connect is "authentication"
- How to use it with Spring Security

This session is aimed at intermediate developers and assumes the following:

- You can explain the OAuth 2.0 authorization code grant flow
- You have used the OAuth 2.0 features of Spring Security 5.x (not the already-deprecated "Spring Security OAuth2" project)


Masatoshi Tada

May 23, 2021

Transcript

  1. (C) CASAREAL, Inc. All rights reserved. #jjug_ccc
     OpenID Connect 1.0 with Spring Security
     Casareal, Masatoshi Tada
     JJUG CCC 2021 Spring, May 23, 2021
  2. About this session
     ▸ An easy-to-follow explanation of OpenID Connect (OIDC below) and the related Spring Security features
     ▸ Sample code: https://github.com/MasatoshiTada/oidc-with-spring-security
  3. Prerequisites
     ▸ This session is aimed at intermediate developers
     ▸ The following knowledge is assumed:
       ▸ You can explain the OAuth 2.0 Authorization Code Grant flow
       ▸ You have used the OAuth 2.0 features of Spring Security (not the deprecated "Spring Security OAuth2" project)
  4. Environment
     ▸ JDK (Zulu Community, macOS ARM)
     ▸ Spring Security
     ▸ Spring Boot
     ▸ Keycloak
  5. The conclusion of this session
     ▸ Read the Auth屋 books!!!
     ▸ Referred to below as the "Auth屋 book"
     ▸ https://authya.booth.pm/
  6. If you want to learn the basics of OAuth 2.0...
     https://www.slideshare.net/masatoshitada7/oauth-20spring-security-51-121418814
  7. If you want to know how Spring Security's OAuth 2.0 features work internally...
     https://speakerdeck.com/masatoshitada/oauth2-with-spring-security
  8. About me
     ▸ Masatoshi Tada (@suke_masa)
     ▸ Training instructor at Casareal
     ▸ Java / Spring / Python / Go / Microservices / Kubernetes
     ▸ VMware certified instructor
     ▸ Japan Spring User Group staff
  9. CASAREAL, Inc.
     ▸ We provide training in a variety of programming languages that no other company offers!
  10. 🎉Python training released🎉
     ▸ Python Introduction: basic syntax, using libraries, web scraping
     ▸ Python web application development with Flask: DB access, REST, JavaScript integration, security
  11. Our Spring training courses
     ▸ VMware Tanzu certified Spring Core Training: high-level Spring fundamentals
     ▸ VMware Tanzu certified Spring Cloud Developer: microservice development with Spring Cloud
     ▸ Spring Boot from the basics: Web, DB access, REST, security
  12. Agenda
     ▸ OAuth 2.0 review and the problem with "OAuth authentication"
     ▸ Authentication with OpenID Connect
     ▸ Using it with Spring Security
     ▸ Summary
  13. Agenda (next section: OAuth 2.0 review and the problem with "OAuth authentication")
  14. Authentication and authorization
     ▸ Authentication (AuthN / AuthC)
       ▸ Confirming who (or what) the other party in a communication is
     ▸ Authorization (AuthZ)
       ▸ Granting permission to access a resource under some specific condition
     Quoted from @daisuke_m's "Understanding authentication and authorization":
     https://dev.classmethod.jp/articles/authentication-and-authorization/
  15. What is OIDC?
     "OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0 protocol"
     Quoted from the Japanese translation of OpenID Connect Core 1.0:
     http://openid-foundation-japan.github.io/openid-connect-core-1_0.ja.html#Introduction
     → An authentication protocol based on OAuth 2.0
  16. What is OAuth 2.0?
     ▸ A protocol that defines the flow of authorization
     ▸ RFC 6749 (a Japanese translation also exists)
     ▸ Not the same thing as OAuth 1.0
       ▸ About as different as Struts 1 and Struts 2
     ▸ It is the base of the authentication protocol OpenID Connect 1.0
  17. What is an access token?
     ▸ Something like a ticket (not an ID card) that the client needs in order to access the resource server
     ▸ It is attached in the Authorization request header:
       Authorization: Bearer <access token>
     ▸ The spec does not prescribe a format, but in practice there are roughly two kinds:
       ① A random string (opaque token)
       ② A JWT (JSON Web Token, covered later)
  18. Opaque token
     ▸ A random string is used as the access token
     ▸ Example: kjew834wkmfw89cy98j
     ▸ The token itself carries no information such as the user name or client name
     ▸ That information can be obtained by asking the authorization server, for example via Token Introspection (RFC 7662)
  19. JWT (JSON Web Token, pronounced "jot")
     ▸ A header (JSON), a payload (JSON) and a signature, each Base64URL-encoded and joined with "."
     ▸ Because it is JSON, it can carry all sorts of information
     ▸ The signature is computed over header + "." + payload (in their encoded form) with the authorization server's private key
     ▸ Anyone who holds the authorization server's public key verifies the signature against header + "." + payload; if it verifies, the token has not been tampered with
     ▸ Note that this is a digital signature, not encryption: the header and payload are only Base64URL-encoded, so anyone holding the token can read them. The signature proves integrity and origin, not confidentiality.
  20. Structure of a JWT
     Sample access token issued by Keycloak. The three parts are shown on separate lines here; in the token they are joined by ".".
     Header (decodes to {"alg":"RS256","typ":"JWT","kid":"slg20on9X6s6E8Lf46_BdnhLGC-qfr21YoXOgAQJFR0"}):
     eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJzbGcyMG9uOVg2czZFOExmNDZfQmRuaExHQy1xZnIyMVlvWE9nQVFKRlIwIn0
     Payload:
     eyJqdGkiOiI4YzUyNmMzZC03OTA0LTQ2MWItOGU5ZS1jNDE5YTQ1NmFlNDMiLCJleHAiOjE1Mzg4MTM0MjYsIm5iZiI6MCwiaWF0IjoxNTM4ODEzMTI2LCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjkwMDAvYXV0aC9yZWFsbXMvaGVsbG8tYXBpIiwiYXVkIjoidHJhaW5pbmc2LWZyb250LXNlcnZpY2UiLCJzdWIiOiIxYWI5Yjg4Ny0yNDRhLTRjZTktYTBjMy1iZTc2ZGE4NzZiMTQiLCJ0eXAiOiJCZWFyZXIiLCJhenAiOiJ0cmFpbmluZzYtZnJvbnQtc2VydmljZSIsImF1dGhfdGltZSI6MCwic2Vzc2lvbl9zdGF0ZSI6IjA4MjU3OTFlLTE3ODQtNGQxMC1hMjYyLTAzM2U4YmE3OWViMCIsImFjciI6IjEiLCJhbGxvd2VkLW9yaWdpbnMiOlsiaHR0cDovL2xvY2FsaG9zdDo4MDgwIl0sInJlYWxtX2FjY2VzcyI6eyJyb2xlcyI6WyJvZmZsaW5lX2FjY2VzcyIsInVtYV9hdXRob3JpemF0aW9uIl19LCJyZXNvdXJjZV9hY2Nlc3MiOnsiYWNjb3VudCI6eyJyb2xlcyI6WyJtYW5hZ2UtYWNjb3VudCIsIm1hbmFnZS1hY2NvdW50LWxpbmtzIiwidmlldy1wcm9maWxlIl19fSwic2NvcGUiOiJoZWxsbzpyZWFkIHByb2ZpbGUiLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJ1c2VyIn0
     Digital signature:
     fH8s3HaOFjC1CiZeWUP2O1AB2ruDPh9VRnFqSkRoM2zCTpqWgrkiQBKW3r9RQAD_gsZCi3G7s0tQSCmuAMoht7gLgH9rFKzdKhuKiISeDUF7v2baPva8fHVN8zP1YF84XnVxq-zVThXLBdDgTRXWWI0_RG6x-vJVDRv00gvDwPPvA3WxxIGcekuEjl3ChQhFHozDiEglAlN-vlkDV2IvxVtON4GJ1UAwIj9uTpyAoIVY8oOy_0mMuevzxBSXk2HUxWr2Vrvhj3c2aRrchCOHPsDELtX0CmEBj_bU38d1XbHL30Ar7PWGvpPeSkM3mIykR-osPDSXJwq8gUSAda0JeQ
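To make the three-part structure concrete, here is an added Python example (it is not code from the slides or from the sample repository) that splits the slide's sample access token, Base64URL-decodes the header and payload, and isolates the signature bytes. The only input is the token shown above, rejoined into one string; the page gives no public key, so the RS256 signature is separated and measured but not verified here.

```python
import base64
import json

# The slide's sample access token (issued by Keycloak, alg RS256), rejoined
# from the line-wrapped segments printed on the slide.
SAMPLE_JWT = (
    "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJzbGcyMG9uOVg2c"
    "zZFOExmNDZfQmRuaExHQy1xZnIyMVlvWE9nQVFKRlIwIn0"
    ".eyJqdGkiOiI4YzUyN"
    "mMzZC03OTA0LTQ2MWItOGU5ZS1jNDE5YTQ1NmFlNDMiLCJleHAiOjE1Mzg4MTM0Mj"
    "YsIm5iZiI6MCwiaWF0IjoxNTM4ODEzMTI2LCJpc3MiOiJodHRwOi8vbG9jYWxob3N"
    "0OjkwMDAvYXV0aC9yZWFsbXMvaGVsbG8tYXBpIiwiYXVkIjoidHJhaW5pbmc2LWZy"
    "b250LXNlcnZpY2UiLCJzdWIiOiIxYWI5Yjg4Ny0yNDRhLTRjZTktYTBjMy1iZTc2Z"
    "GE4NzZiMTQiLCJ0eXAiOiJCZWFyZXIiLCJhenAiOiJ0cmFpbmluZzYtZnJvbnQtc2"
    "VydmljZSIsImF1dGhfdGltZSI6MCwic2Vzc2lvbl9zdGF0ZSI6IjA4MjU3OTFlLTE"
    "3ODQtNGQxMC1hMjYyLTAzM2U4YmE3OWViMCIsImFjciI6IjEiLCJhbGxvd2VkLW9y"
    "aWdpbnMiOlsiaHR0cDovL2xvY2FsaG9zdDo4MDgwIl0sInJlYWxtX2FjY2VzcyI6e"
    "yJyb2xlcyI6WyJvZmZsaW5lX2FjY2VzcyIsInVtYV9hdXRob3JpemF0aW9uIl19LC"
    "JyZXNvdXJjZV9hY2Nlc3MiOnsiYWNjb3VudCI6eyJyb2xlcyI6WyJtYW5hZ2UtYWN"
    "jb3VudCIsIm1hbmFnZS1hY2NvdW50LWxpbmtzIiwidmlldy1wcm9maWxlIl19fSwi"
    "c2NvcGUiOiJoZWxsbzpyZWFkIHByb2ZpbGUiLCJwcmVmZXJyZWRfdXNlcm5hbWUiO"
    "iJ1c2VyIn0"
    ".fH8s3HaOFjC1CiZeWUP2O1AB2ruDPh9VRnFqSkRoM2zCTpqWgrkiQ"
    "BKW3r9RQAD_gsZCi3G7s0tQSCmuAMoht7gLgH9rFKzdKhuKiISeDUF7v2baPva8fH"
    "VN8zP1YF84XnVxq-zVThXLBdDgTRXWWI0_RG6x-"
    "vJVDRv00gvDwPPvA3WxxIGcekuEjl3ChQhFHozDiEglAlN-"
    "vlkDV2IvxVtON4GJ1UAwIj9uTpyAoIVY8oOy_0mMuevzxBSXk2HUxWr2Vrvhj3c2a"
    "RrchCOHPsDELtX0CmEBj_bU38d1XbHL30Ar7PWGvpPeSkM3mIykR-"
    "osPDSXJwq8gUSAda0JeQ"
)


def b64url_decode(segment):
    """Base64URL as used by JWS: '-'/'_' alphabet and no '=' padding,
    so the padding is restored before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def split_jwt(token):
    """Split a JWS compact serialization into (header, payload, signature).

    header and payload are parsed JSON; signature is the raw bytes the
    authorization server produced over signing_input(token).
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature, got %d parts" % len(parts))
    header = json.loads(b64url_decode(parts[0]))
    payload = json.loads(b64url_decode(parts[1]))
    signature = b64url_decode(parts[2])
    return header, payload, signature


def signing_input(token):
    """The exact bytes that were signed: the still-encoded header and
    payload joined by '.', never the decoded JSON."""
    header_b64, payload_b64, _ = token.split(".")
    return (header_b64 + "." + payload_b64).encode("ascii")


def summarize(token):
    """What a resource server can read from the token before it has
    checked the signature (none of it is trustworthy until it has)."""
    header, payload, signature = split_jwt(token)
    return {
        "alg": header["alg"],
        "kid": header.get("kid"),            # selects the key in the AS's JWKS
        "iss": payload["iss"],
        "aud": payload["aud"],
        "scope": payload.get("scope"),
        "user": payload.get("preferred_username"),
        "lifetime_seconds": payload["exp"] - payload["iat"],
        "signature_bytes": len(signature),   # 256 bytes = RSA-2048 signature
    }


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_JWT), indent=2))
```

Everything the summary prints was readable without any key, which is the point of the slide's note on signatures: the payload is plain data to anyone holding the token, and only the signature check (with the key named by `kid`) says whether that data came from the authorization server unchanged.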
  21. Decoding the payload (using jwt.io)
     [Screenshot: the decoded payload, with the scope names and the user name highlighted]
  22. The actors, summarized with Twitter as the example
     [Diagram: Resource Owner ("Hello", "Looking forward to it"), Client, Resource Server (twitter.com), Authorization Server; the owner authorizes, the authorization server issues an access token, the client presents the access token to post a tweet]
     ※ Twitter actually uses OAuth 1.0
  23. Grant types (ways of obtaining an access token)
     ① Authorization code
       ▸ Mainly server-side web applications
     ② Implicit (not recommended)
       ▸ Mainly client-side web applications
     ③ Resource owner password credentials (not recommended)
       ▸ Mainly official smartphone apps and the like
     ④ Client credentials
       ▸ The client obtaining information about itself
     (Current guidance, the OAuth 2.0 Security Best Current Practice, is to use the authorization code grant with PKCE for public clients instead of ② or ③.)
  24.–30. Obtaining an access token with the authorization code grant
     [Diagram, built up over slides 24 to 30: Authorization server, Client, Resource owner, Web browser※]
     ※ The spec calls the web browser the "user agent"
     ① Initial access
     ② Redirect to the authorization endpoint
     ③ Authorization screen
     ④ Authorization
       The resource owner usually enters their user name and password here → this is why OAuth is easily mistaken for authentication
     ⑤ Authorization code issued + redirect
     ⑥ Authorization code
     ⑦ Access token
  31.–37. Accessing a resource with the access token
     [Diagram, built up over slides 31 to 37: Authorization server, Client (e.g. invoice creation, document mailing), Resource owner, Web browser, Resource server]
     ① Request
     ② Access the resource with the access token
     ③ Validate the access token
       This round trip to the authorization server is unnecessary when the access token is a JWT: the resource server verifies the signature locally with the authorization server's public key and checks exp and aud itself
     ④ Return the validation result
     ⑤ Check the validation result
     ⑥ Response
     ⑦ Response
  38. What is wrong with "OAuth authentication"?
     ▸ The client has no way to confirm that the access token was issued for itself
     ▸ If the access token is swapped for one that was issued to a malicious client or resource owner, the client cannot notice
     ▸ If the access token were a JWT containing the client name, the check above would become possible
     ▸ But OAuth 2.0 does not standardize the claim names for that
     ▸ There are surely other problems as well...
  39. Summary of this chapter
     ▸ Understand OAuth 2.0 thoroughly before moving on to OIDC
     ▸ "OAuth authentication" is dangerous: if the access token is swapped for one belonging to a malicious client or resource owner, the client cannot notice
  40. Agenda (next section: Authentication with OpenID Connect)
  41. [Recap] What is OIDC?
     "OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0 protocol"
     Quoted from the Japanese translation of OpenID Connect Core 1.0:
     http://openid-foundation-japan.github.io/openid-connect-core-1_0.ja.html#Introduction
     → An authentication protocol based on OAuth 2.0
  42. What is OIDC?
     OpenID Connect = OAuth 2.0 + ID token + UserInfo endpoint
     Quoted from the Auth屋 book: https://authya.booth.pm/items/1550861
     → OAuth 2.0 plus an ID token for authentication and a standard user-information API
  43. How the actor names correspond
     [Diagram of the same actors as in the Twitter example, renamed:]
     ▸ Resource Owner → End-User
     ▸ Client → Relying Party (RP)
     ▸ Resource Server → UserInfo Endpoint
     ▸ Authorization Server → OpenID Provider (OP)※
     ※ Commonly also called "ID Provider (IdP)", but the spec writes "OpenID Provider (OP)"
  44. Structure of today's sample application
     ▸ Relying Party = an application built with Spring Security
     ▸ OpenID Provider = Keycloak
     ▸ UserInfo Endpoint = Keycloak
  45. DEMO
  46. What is an ID token?
     ▸ A JWT containing information such as the user name
     ▸ Issued by the OP together with the access token
  47. Obtaining the ID token
     [Diagram: OpenID Provider, Relying Party, End-User, Web browser※]
     ※ The spec calls the web browser the "user agent"
     ① Initial access
     ② Redirect to the authorization endpoint
     ③ Authorization screen
     ④ Authorization
     ⑤ Authorization code issued + redirect
     ⑥ Authorization code
     ⑦ Access token + ID token
       The ID token is handed over together with the access token
  48.–49. Contents of the ID token (using https://jwt.io/)
     [Screenshots: the JWT and its decoded result; user information plus assorted other claims]
  50. Important claims in the ID token payload
     claim | description
     iss   | Issuer Identifier (the URL that identifies the OP; covered later)
     sub   | Identifier of the End-User: unique within the OP and never reassigned to another user (it is not a session ID)
     aud   | The OAuth 2.0 client ID (of the RP)
     iat   | Time at which the OP issued the JWT (seconds since 1970-01-01 UTC)
     exp   | Expiration time of the ID token (also an absolute timestamp in seconds since 1970-01-01 UTC, not an offset from iat)
  51. Other main standard claims
     ▸ name
     ▸ given_name
     ▸ family_name
     ▸ middle_name
     ▸ nickname
     ▸ preferred_username
     ▸ email
     ▸ email_verified
     ▸ birthdate
     ▸ phone_number
     ▸ phone_number_verified
     ▸ address
  52. Standard scopes
     scope   | description
     openid  | Required whenever OIDC is used
     profile | (Optional) Gives access to name, family_name and so on
     email   | (Optional) Gives access to email and email_verified
     address | (Optional) Gives access to address
     phone   | (Optional) Gives access to phone_number and phone_number_verified
  53. Main things the RP must check after obtaining the ID token
     ▸ aud contains the RP's own client ID
       → the ID token is not one diverted from another, malicious client
     ▸ iat ≤ current time < exp
       → the ID token has not expired
     ▸ In practice the RP must also verify the signature with the OP's public key (jwks_uri from Discovery), check that iss matches the configured OP, and compare the nonce claim with the value it sent in the authentication request (OpenID Connect Core 1.0, section 3.1.3.7); Spring Security's OIDC login performs all of these automatically
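The checks on this slide, together with the token-substitution problem from the "What is wrong with OAuth authentication" slide, as an added Python example (not code from the slides or the sample project). The issuer URL, client ID, nonce and the three ID token payloads are constructed for the example, and the payloads are taken to be already signature-checked; the function applies the payload checks of OpenID Connect Core 1.0 section 3.1.3.7 and reports every problem it finds rather than stopping at the first.

```python
import time

# Hypothetical RP configuration (constructed for this example, not from the slides)
EXPECTED_ISSUER = "http://localhost:9000/auth/realms/hello-api"
OUR_CLIENT_ID = "hello-app"
NOW = 1_700_000_000  # fixed "current time" so the example is deterministic


def validate_id_token_claims(payload, expected_issuer, client_id,
                             expected_nonce=None, now=None, clock_skew=60):
    """Return a list of problems with the ID token payload (empty means OK).

    These are the payload checks of OpenID Connect Core 1.0 section 3.1.3.7.
    The signature MUST already have been verified against the OP's key
    (jwks_uri from Discovery); a valid-looking payload proves nothing otherwise.
    """
    now = time.time() if now is None else now
    problems = []

    # iss: the token must come from the OP the user was sent to
    if payload.get("iss") != expected_issuer:
        problems.append("iss mismatch: token is from a different issuer")

    # aud: the check "OAuth authentication" cannot do. A token issued to a
    # different client (malicious, or a legitimate one whose token leaked)
    # does not list our client_id as its audience.
    aud = payload.get("aud")
    audiences = [aud] if isinstance(aud, str) else list(aud or [])
    if client_id not in audiences:
        problems.append("aud does not contain our client_id: token was issued for another client")
    # azp: when present it must be us; it is required when aud has several values
    if "azp" in payload:
        if payload["azp"] != client_id:
            problems.append("azp mismatch: token was presented by another client")
    elif len(audiences) > 1:
        problems.append("azp missing although aud has multiple values")

    # exp / iat: absolute Unix timestamps, compared with a little clock skew
    exp, iat = payload.get("exp"), payload.get("iat")
    if not isinstance(exp, (int, float)):
        problems.append("exp missing")
    elif now >= exp + clock_skew:
        problems.append("token expired")
    if not isinstance(iat, (int, float)):
        problems.append("iat missing")
    elif iat > now + clock_skew:
        problems.append("iat is in the future")

    # nonce: binds the token to the authentication request this RP sent
    if expected_nonce is not None and payload.get("nonce") != expected_nonce:
        problems.append("nonce mismatch: possible replay of an old token")
    return problems


# Constructed ID token payloads (treated as already signature-checked)
GENUINE = {
    "iss": EXPECTED_ISSUER, "sub": "1ab9b887-244a-4ce9-a0c3-be76da876b14",
    "aud": OUR_CLIENT_ID, "azp": OUR_CLIENT_ID,
    "iat": NOW - 10, "exp": NOW + 290, "nonce": "n-0S6_WzA2Mj",
}
# Same OP, same user, but issued to a different client and swapped in
SUBSTITUTED = dict(GENUINE, aud="attacker-app", azp="attacker-app")
# Our own token, replayed an hour after it expired
EXPIRED = dict(GENUINE, iat=NOW - 7200, exp=NOW - 3600)


def check_all():
    """Validate the three constructed tokens as the RP would; returns name -> problems."""
    return {
        name: validate_id_token_claims(token, EXPECTED_ISSUER, OUR_CLIENT_ID,
                                       expected_nonce="n-0S6_WzA2Mj", now=NOW)
        for name, token in (("genuine", GENUINE), ("substituted", SUBSTITUTED),
                            ("expired", EXPIRED))
    }


if __name__ == "__main__":
    for name, problems in check_all().items():
        print(name, "->", problems or "OK")
```

The substituted token is rejected purely on aud and azp: it is a perfectly valid, unexpired, correctly signed token from the right OP for the right user, and an access-token-only "login" would have accepted it.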
  54. [Question] If the access token were a JWT containing the necessary claims, would "OAuth authentication" be OK? 🤔
     ▸ I think it probably would be (not confident)
     ▸ I believe the significance of OIDC lies in the following:
       ▸ It uses the OAuth 2.0 spec as-is, without modifying it
       ▸ It standardized the claims the JWT must contain
  55. Accessing the UserInfo endpoint
     $ curl -X GET -H "Authorization: Bearer <access token>" \
         http://<UserInfo endpoint> | jq
     {
       "sub": "19736c99-d864-4876-8234-388ccfc0cdc8",
       "email_verified": false,
       "name": "John Doe",
       "preferred_username": "user",
       "given_name": "John",
       "family_name": "Doe",
       "email": "user@example.com"
     }
     ▸ An access token is required
  56. OIDC Discovery
     ▸ A spec that lets the RP obtain the information it needs to talk to the OP
     ▸ It is optional, so some OPs and RPs may not support it
     ▸ Keycloak and Spring Security do support it
  57. Issuer
     ▸ The URL that identifies the OP
     ▸ With Keycloak it is http://<IP address>/auth/realms/<realm name>
       (Keycloak 17 and later, on the Quarkus distribution, drop the /auth prefix by default)
     ▸ Accessing it returns information like this:
     [Screenshot of the realm's issuer document]
  58. Obtaining the token endpoint and the other URLs
     ▸ Append /.well-known/openid-configuration to the Issuer URL
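An added Python example (not the slides' or the sample app's code) of what an RP does with the Issuer from the two slides above: build the discovery URL and read the provider metadata it returns. The discovery document below is constructed in the shape Keycloak serves; the issuer URL, port and realm name are hypothetical. The example also makes the check that matters most when you fetch this document, which is that the issuer inside it is identical to the one you configured.

```python
import json
from urllib.parse import urlsplit

# Issuer of a hypothetical Keycloak realm (constructed; port and realm name are assumed)
ISSUER = "http://localhost:9000/auth/realms/hello-api"

# Provider metadata in the shape Keycloak serves at
# <issuer>/.well-known/openid-configuration (constructed for this example and
# trimmed to the members an RP needs)
DISCOVERY_DOCUMENT = json.dumps({
    "issuer": ISSUER,
    "authorization_endpoint": ISSUER + "/protocol/openid-connect/auth",
    "token_endpoint": ISSUER + "/protocol/openid-connect/token",
    "userinfo_endpoint": ISSUER + "/protocol/openid-connect/userinfo",
    "end_session_endpoint": ISSUER + "/protocol/openid-connect/logout",
    "jwks_uri": ISSUER + "/protocol/openid-connect/certs",
    "id_token_signing_alg_values_supported": ["RS256"],
    "scopes_supported": ["openid", "profile", "email", "address", "phone"],
})

REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")


def discovery_url(issuer):
    """OpenID Connect Discovery 1.0 section 4: remove a terminating '/' from
    the issuer, then append /.well-known/openid-configuration."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def load_provider_metadata(configured_issuer, document_text,
                           allow_http_hosts=("localhost", "127.0.0.1")):
    """Parse the discovery document an RP fetched and verify it before use.

    Raises ValueError when the document cannot be trusted: the issuer inside
    it must be byte-identical to the one the RP was configured with (Discovery
    section 4.3; this is what stops a mix-up with another OP), mandatory
    endpoints must be present, and endpoints must use https unless they point
    at a local development host.
    """
    metadata = json.loads(document_text)
    missing = [key for key in REQUIRED if key not in metadata]
    if missing:
        raise ValueError("discovery document lacks " + ", ".join(missing))
    if metadata["issuer"] != configured_issuer:
        raise ValueError("issuer in document %r != configured %r"
                         % (metadata["issuer"], configured_issuer))
    for key, value in metadata.items():
        if key.endswith(("_endpoint", "_uri")):
            parts = urlsplit(value)
            if parts.scheme != "https" and parts.hostname not in allow_http_hosts:
                raise ValueError("%s is not https: %s" % (key, value))
    return metadata


def endpoints_for_rp(configured_issuer, document_text):
    """The URLs Spring Security derives from issuer-uri: where to redirect the
    browser, where to exchange the code, where to fetch signing keys and user
    info, and where RP-Initiated Logout sends the browser."""
    m = load_provider_metadata(configured_issuer, document_text)
    return {
        "authorize": m["authorization_endpoint"],
        "token": m["token_endpoint"],
        "jwks": m["jwks_uri"],
        "userinfo": m.get("userinfo_endpoint"),
        "end_session": m.get("end_session_endpoint"),
    }


if __name__ == "__main__":
    print(discovery_url(ISSUER))
    print(json.dumps(endpoints_for_rp(ISSUER, DISCOVERY_DOCUMENT), indent=2))
```

This is the work that `issuer-uri` in application.yml saves you: given only the issuer, the RP derives every other URL, including the end_session_endpoint used for RP-Initiated Logout later in the talk.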
  59. Summary of this chapter
     ▸ OIDC = OAuth 2.0 + ID token + UserInfo endpoint
     ▸ The ID token
       ▸ is in JWT format
       ▸ is returned together with the access token
       ▸ has standard claim names for things such as the client ID
     ▸ OIDC Discovery lets you obtain the various URLs
  60. Agenda (next section: Using it with Spring Security)
  61. Using OIDC with Spring Security
     ▸ The RP-side features below are provided:
       ▸ Obtain the ID token (+ access token)
       ▸ Validate the ID token after obtaining it (automatic)
       ▸ Access the UserInfo endpoint (automatic)
       ▸ RP-Initiated Logout
  62. Required library
     <dependency>
         <groupId>org.springframework.boot</groupId>
         <artifactId>spring-boot-starter-oauth2-client</artifactId>
     </dependency>
     The OIDC features are included in this starter
  63. application.yml
     spring.security.oauth2.client.registration.hello:
       provider: <provider name>                    # arbitrary; must match the key under spring.security.oauth2.client.provider
       client-id: <client ID>
       client-secret: <client secret>
       client-name: <display name>                  # arbitrary; used on the login page
       client-authentication-method: <client authentication method>
       authorization-grant-type: <grant type>
       redirect-uri: <URL of the redirect endpoint>
       scope: <this app's scopes, comma-separated>  # must include openid, otherwise Spring Security treats this as plain OAuth 2.0 login and no ID token is requested
     The "hello" after .registration. is the registration id and is also an arbitrary name.
     ※ Written in YAML for reasons of space, but personally I am a .properties person
     The configuration is written exactly the same way as for OAuth 2.0
  64. application.yml (continued)
     spring.security.oauth2.client.provider.hello:
       user-name-attribute: <attribute in the UserInfo JSON that represents the user name>
       issuer-uri: <Issuer Identifier of the authorization server>
     If the OP supports OIDC Discovery, no other items are needed (the endpoints are read from <issuer-uri>/.well-known/openid-configuration)
  65. JavaConfig
     @EnableWebSecurity
     public class SecurityConfig extends WebSecurityConfigurerAdapter {
         @Override
         protected void configure(HttpSecurity http) throws Exception {
             http.oauth2Login()
                 ...
         }
     }
     Same as for OAuth 2.0
  66. RestTemplate timeout settings
     ▸ See the source code on GitHub and the slides below for details
     https://speakerdeck.com/masatoshitada/oauth2-with-spring-security
  67. Using RP-Initiated Logout
     ▸ After logging out of the RP, redirect the browser to the OP's end_session_endpoint so that the user is logged out of the OP as well
     ▸ The URL is available from the OP's configuration information (Discovery)
     ▸ Configure an OidcClientInitiatedLogoutSuccessHandler
  68.–69. Using RP-Initiated Logout
     import org.springframework.beans.factory.annotation.Autowired;
     import org.springframework.security.config.annotation.web.builders.HttpSecurity;
     import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
     import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
     import org.springframework.security.oauth2.client.oidc.web.logout.OidcClientInitiatedLogoutSuccessHandler;
     import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
     import org.springframework.security.web.authentication.logout.LogoutSuccessHandler;

     @EnableWebSecurity
     public class SecurityConfig extends WebSecurityConfigurerAdapter {

         @Autowired
         private ClientRegistrationRepository clientRegistrationRepository;

         private LogoutSuccessHandler oidcLogoutSuccessHandler() {
             // LogoutSuccessHandler that performs RP-Initiated Logout
             OidcClientInitiatedLogoutSuccessHandler handler =
                     new OidcClientInitiatedLogoutSuccessHandler(this.clientRegistrationRepository);
             // URL the browser is redirected to after logging out of the OP;
             // {baseUrl} expands to the RP's base URL (e.g. http://localhost:8080)
             handler.setPostLogoutRedirectUri("{baseUrl}");
             return handler;
         }

         @Override
         protected void configure(HttpSecurity http) throws Exception {
             ...
             http.logout(logout -> logout
                     .logoutSuccessHandler(oidcLogoutSuccessHandler())
             );
         }
     }
     Note that the OP only accepts post_logout_redirect_uri values that have been registered for the client, so {baseUrl} must also be registered on the OP (in Keycloak, as a valid redirect URI of the client).
  70. Obtaining the ID token
     import org.springframework.security.oauth2.client.authentication.OAuth2AuthenticationToken;
     import org.springframework.security.oauth2.core.oidc.user.OidcUser;
     import org.springframework.stereotype.Controller;
     import org.springframework.web.bind.annotation.GetMapping;

     @Controller
     public class HogeController {
         @GetMapping("/hoge")
         public String hoge(OAuth2AuthenticationToken authentication) {
             // After an OIDC login the principal is an OidcUser, which carries the ID token
             OidcUser oidcUser = (OidcUser) authentication.getPrincipal();
             String idToken = oidcUser.getIdToken().getTokenValue();
             ...
         }
     }
     Just declare OAuth2AuthenticationToken as a parameter of the controller method (an @AuthenticationPrincipal OidcUser parameter also works and saves the cast)
  71. Class structure
     [Class diagram of the Spring Security OAuth 2.0 / OIDC client classes]
  72. Summary of this chapter
     ▸ Usage is almost the same as for OAuth 2.0
     ▸ With RP-Initiated Logout the user can be logged out of the OP as well
  73. Agenda (next section: Summary)
  74. Summary of this session
     ▸ "OAuth authentication" is dangerous
     ▸ OIDC = OAuth 2.0 + ID token + UserInfo endpoint
     ▸ An RP can be implemented easily with Spring Security
  75. Reference books
     [Photo of the referenced books]
  76. OIDC-related specifications
     ▸ OpenID Connect Core 1.0
       https://openid.net/specs/openid-connect-core-1_0.html
     ▸ OpenID Connect Discovery 1.0
       https://openid.net/specs/openid-connect-discovery-1_0.html
     ▸ OpenID Connect RP-Initiated Logout 1.0
       https://openid.net/specs/openid-connect-rpinitiated-1_0.html
  77. There seem to be many other specifications as well
     https://openid.net/connect/
     I am curious about the logout specifications in particular 👀
  78. Spring Security Reference
     ▸ https://docs.spring.io/spring-security/site/docs/current/reference/html5/#oauth2
     ▸ The OIDC features are mixed into the explanation of the OAuth 2.0 features, so they are a little hard to find
  79. Thank you for listening!