Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
認証・認可の仕組みを理解する上で知っておきたい基礎知識/auth-overview
Search
nishina
May 08, 2020
Programming
1
240
認証・認可の仕組みを理解する上で知っておきたい基礎知識/auth-overview
nishina
May 08, 2020
Tweet
Share
More Decks by nishina
See All by nishina
1週間で終わらせるはじめてのGo言語学習/beginner-study-go
nishina555
1
150
Postmanを利用したAPI開発/postman-tutorial
nishina555
0
99
テキスト校正ツールtextlintの 紹介と導入方法/textlint-overview
nishina555
0
96
REST APIとの比較でざっくり理解するGraphQL/graphql-introduction
nishina555
0
190
ウィンドウ操作に便利な ショートカットとアプリ紹介/mac-window-shortcut
nishina555
0
160
IPアドレス(IPv4)の仕組み/overview-of-ipaddress
nishina555
0
150
図で理解する自然言語処理/nlp_tutorial
nishina555
0
270
ToDoアプリで学ぶReact/Redux入門/vtecx2_lt2
nishina555
2
3k
DiveIntoOSSThroughHacktoberfest_SPMKT
nishina555
1
330
Other Decks in Programming
See All in Programming
Back to the Future: Let me tell you about the ACP protocol
terhechte
0
130
「ちょっと古いから」って避けてた技術書、今だからこそ読もう
mottyzzz
8
5.5k
Le côté obscur des IA génératives
pascallemerrer
0
130
iOSエンジニア向けの英語学習アプリを作る!
yukawashouhei
0
190
明日から始めるリファクタリング
ryounasso
0
120
CSC305 Lecture 04
javiergs
PRO
0
260
The Flutter Journey of Building a Live Streaming App — With a Side of Performance Tuning
u503
1
100
チームの境界をブチ抜いていけ
tokai235
0
110
なぜあの開発者はDevRelに伴走し続けるのか / Why Does That Developer Keep Running Alongside DevRel?
nrslib
3
380
Goで実践するドメイン駆動開発 AIと歩み始めた新規プロダクト開発の現在地
imkaoru
4
770
技術的負債の正体を知って向き合う / Facing Technical Debt
irof
0
120
The Past, Present, and Future of Enterprise Java
ivargrimstad
0
210
Featured
See All Featured
Automating Front-end Workflow
addyosmani
1371
200k
No one is an island. Learnings from fostering a developers community.
thoeni
21
3.5k
Building Better People: How to give real-time feedback that sticks.
wjessup
368
20k
Become a Pro
speakerdeck
PRO
29
5.5k
Put a Button on it: Removing Barriers to Going Fast.
kastner
60
4k
GraphQLとの向き合い方2022年版
quramy
49
14k
StorybookのUI Testing Handbookを読んだ
zakiyama
31
6.2k
Speed Design
sergeychernyshev
32
1.1k
The Art of Programming - Codeland 2020
erikaheidi
56
14k
A designer walks into a library…
pauljervisheath
209
24k
RailsConf & Balkan Ruby 2019: The Past, Present, and Future of Rails at GitHub
eileencodes
140
34k
Design and Strategy: How to Deal with People Who Don’t "Get" Design
morganepeng
132
19k
Transcript
ਔՊ ढ़ ೝূɾೝՄͷΈΛཧղ͢Δ্Ͱ ͓͖͍ͬͯͨجૅࣝ
࣍ • ࠓճ͢༰ • ηογϣϯʹؔ͢Δجૅࣝ • ೝূɾೝՄʹ͍ͭͯ • ೝূͷ۩ମతͳ࣮ख๏
• ·ͱΊ
࣍ • ࠓճ͢༰ • ηογϣϯʹؔ͢Δجૅࣝ • ೝূɾೝՄʹ͍ͭͯ • ೝূͷ۩ମతͳ࣮ख๏
• ·ͱΊ
• ೝূͱೝՄͷҧ͍ʹ͍ͭͯ • ηογϣϯೝূͱτʔΫϯೝূͷҧ͍ʹ͍ͭͯ • ೝূͷηΩϡϦςΟϦεΫXSSɾCSRFʹ͍ͭͯ ೝূɾೝՄʹؔ͢Δ֓ཁͱجૅࣝͷڞ༗ ϞϊϦγοΫͳΞϓϦΛׂ͢Δʹ͋ͨΓɺೝূɾೝՄͷ࣮ํ๏ ͷݕ౼ආ͚ͯ௨Ε·ͤΜɻ
Լ४උͱͯ͠ɺࠓճೝূɾೝՄͷجૅࣝʹ͍ͭͯ·ͱΊ·ͨ͠
࣍ • ࠓճ͢༰ • ηογϣϯʹؔ͢Δجૅࣝ • ೝূɾೝՄʹ͍ͭͯ • ೝূ࣮ख๏
• ·ͱΊ
• εςʔτϑϧ • ݱࡏͷঢ়ଶΛͭ • ྫ: FTP, TCP, BGP, OSPF,
EIGRP, SMTP, SSH • εςʔτϨε • ݱࡏͷঢ়ଶΛͨͳ͍ • ྫ: HTTP, UDP, IP, DNS εςʔτϑϧͱεςʔτϨεʹ͍ͭͯ σʔλ௨৴ʹεςʔτϑϧͱεςʔτϨεͷ2छྨ͕͋Δ
εςʔτϑϧͳΓͱΓ ͝จʁ ηοτͷυϦϯΫʁ ళͰঌ্͕͠Γ·͔͢ʁ ϋϯόʔΨʔηοτ͍ͩ͘͞ ίʔϥ͍ͩ͘͞ ͍
εςʔτϨεͳΓͱΓ ͝จʁ ηοτͷ߹ɺυϦϯΫจͯ͠Լ͍͞ จͷࡍళͰঌ্͕͠Δ͔͓͑Լ͍͞ ϋϯόʔΨʔηοτ͍ͩ͘͞ ϋϯόʔΨʔηοτͱίʔϥ͍ͩ͘͞ ϋϯόʔΨʔηοτͱίʔϥ͍ͩ͘͞ ళͰ৯·͢
• WebαΠτHTTP௨৴Λར༻͢ΔͷͰεςʔτϨε • ࣮ࡍʹECαΠτͷʮങ͍Χΰʯɺঢ়ଶʹԠͯ͡ αΠτͷڍಈΛม͍͑ͨ ηογϣϯͷඞཁੑ HTTP௨৴ͰεςʔτϑϧΛ࣮ݱ͢ΔͨΊͷׂ͕ηογϣϯ
• Cookie • WebStorage • SessionStorage • LocalStorage ηογϣϯใͷอଘઌ
ΫϥΠΞϯτ(ϒϥβ)ʹCookieͱWebStorageͷ2छྨ͕ଘࡏ
• αʔόʔଆͷηογϣϯΛཧ͢ΔͨΊͷͷ • 4KBͷσʔλαΠζ੍͕͋Δ • ΫϥΠΞϯτ͔ΒαʔόʔͷϦΫΤετ࣌ࣗಈૹ৴ • αʔόʔ͔ΒΫϥΠΞϯτͷϨεϙϯε࣌ Set-Cookieϔομʔʹηοτͯ͠ૹΒΕΔ
ηογϣϯใͷอଘઌ: Cookie
• ΫϥΠΞϯτଆͷηογϣϯΛཧ͢Δͷ • ΫϥΠΞϯτଆͰར༻Ͱ͖ΔσʔλϕʔεͷΑ͏ͳͷ • ϒϥβ͕։͍ͯΔ͚࣌ͩར༻ՄೳͳʮSessionStorageʯ • ӬଓతʹσʔλΛอଘͰ͖ΔʮLocalStorageʯ ηογϣϯใͷอଘઌ:
WebStorage
࣍ • ࠓճ͢༰ • ηογϣϯʹؔ͢Δجૅࣝ • ೝূɾೝՄʹ͍ͭͯ • ೝূͷ۩ମతͳ࣮ख๏
• ·ͱΊ
• ೝূʢAuthenticationʣ • ୭Ͱ͋Δ͔Λ֬ೝ͢Δ͜ͱ • ྫ: ύεϫʔυೝূɺࢦೝূͳͲ • ೝূʹࣦഊͨ͠ͱ͖ͷΤϥʔʮ401 Unauthorizedʯ
• ೝՄʢAuthorizationʣ • ૢ࡞ͷݖݶΛ༩͑Δ͜ͱ • ྫ: Ӿཡ੍ݶͷ͋ΔϖʔδͷΞΫηεͳͲ • ݖݶෆʹΑΔΤϥʔʮ403 Forbiddenʯ ೝূͱೝՄͷҧ͍
ೝূͷख๏ʹ͍ͭͯ ηογϣϯʔεͷೝূ ʢεςʔτϑϧʣ τʔΫϯϕʔεͷೝূ ʢεςʔτϨεʣ
ηογϣϯʔεͷೝূ 1. ΫϨσϯγϟϧΛPOST 2. ೝূޭޙɺηογϣϯใ ͕ฦͬͯ͘Δ 3. ηογϣϯใΛར༻ͯ͠ ೝՄ௨৴Λߦ͏
τʔΫϯϕʔεͷೝূʢ1/3ʣ 1. ΫϨσϯγϟϧΛPOST 2. ೝূޭޙɺτʔΫϯ͕ฦͬͯ ͘Δ 3. τʔΫϯΛར༻ͯ͠ೝՄ௨৴Λ ߦ͏
ɾํ๏1: Authorizationϔομʔʹ τʔΫϯΛηοτ ɾํ๏2: CookieʹτʔΫϯΛอଘ
• ࣝผࢠܕ • DBʹτʔΫϯͷใΛอଘ͓ͯ͘͠λΠϓͷτʔΫϯ • แܕ • ΞΫηετʔΫϯʹඥ͘ใΛΞΫηετʔΫϯࣗମͷதʹຒ ΊࠐΉͷɻ •
JWTแܕ τʔΫϯϕʔεͷೝূʢ2/3ʣ τʔΫϯͷछྨʹ͍ͭͯ \ lTDPQFzlYYYz lDMJFOU@JEzlYYYz lFYQzlYYYz lJBUzlYYYz lTVCzlYYYz lJTTzlYYYz lKUJzlYYYz ^ แܕ ࣝผࢠܕ
• OAuth2.0ʹ͍ͭͯ • τʔΫϯͷܗࣜɺτʔΫϯͷཁٻͱͦͷԠͳͲɺ τʔΫϯͷ༷Λඪ४Խͨ͠ͷ • ʮೝՄʯΛඪ४Խͨ͠ͷͰ͋Γʮೝূʯ෦ είʔϓ֎ • OAuth2.0Ͱඪ४Խ͞Ε͍ͯΔϑϩʔ
• ೝՄίʔυϑϩʔ • ΠϯϓϦγοτϑϩʔ • ϦιʔεΦʔφʔɾύεϫʔυɾΫϨσϯγϟϧζϑϩʔ • ΫϥΠΞϯτɾΫϨσϯγϟϧζϑϩʔ • ϦϑϨογϡτʔΫϯϑϩʔ τʔΫϯϕʔεͷೝূʢ3/3ʣ
• XSS • ѱҙͷ͋ΔJavaScript͕ΫϥΠΞϯτଆͰ࣮ߦ͞Εɺ ػີใ͕ൈ͔ΕΔͳͲͷඃ͕ൃੜ͢Δ੬ऑੑ • ΫϥΠΞϯτଆͰൃੜ͢Δ੬ऑੑ • CSRF •
ѱҙͷ͋ΔϦΫΤετΛαʔόʔड͚͚ɺ ҙਤ͠ͳ͍ॲཧ͕ߦΘΕͯ͠·͏੬ऑੑ • αʔόʔଆͰൃੜ͢Δ੬ऑੑ ೝূɾೝՄʹ͓͚ΔηΩϡϦςΟϦεΫ
࣍ • ࠓճ͢༰ • ηογϣϯʹؔ͢Δجૅࣝ • ೝূɾೝՄʹ͍ͭͯ • ೝূͷ۩ମతͳ࣮ख๏
• ·ͱΊ
• ηογϣϯϕʔε • τʔΫϯϕʔε • CookieʹอଘɺϦΫΤετ࣌ʹCookieΛࣗಈૹ৴ • CookieʹอଘɺAuthorizationϔομʔʹ༩ͯ͠ϦΫΤετ • LocalStorageʹอଘɺAuthorizationϔομʔʹ༩ͯ͠
ϦΫΤετ ೝূɾೝՄͷख๏·ͱΊ ηογϣϯϕʔε1ͭɺτʔΫϯϕʔε3ͭͷ߹ܭ4छྨΛհ ࢀߟIUUQTRJJUBDPN)JSPNJJUFNTFBGGE
• XSSରࡦ • Cookieʹhttp:onlyΛ͚ͭΔ͜ͱͰJavaScriptͰΞΫηε Ͱ͖ͳ͍Α͏ʹ͢Δ • CSRFରࡦ • CSRFτʔΫϯ •
ύεϫʔυΛ࠶ೖྗ͢Δ༷ʹ͢Δ ηογϣϯϕʔε Cookieࣗಈૹ৴͞ΕΔͷͰɺѱҙͷ͋ΔϦΫΤετ͔ผ ͢ΔͨΊʹCSRFରࡦʹ͍ͭͯߟ͑Δඞཁ͕͋Δ
• XSSରࡦ • Cookieʹhttp:onlyΛ͚ͭΔ͜ͱͰJavaScriptͰΞΫηε Ͱ͖ͳ͍Α͏ʹ͢Δ • CSRFରࡦ • CSRFτʔΫϯ •
ύεϫʔυΛ࠶ೖྗ͢Δ༷ʹ͢Δ τʔΫϯϕʔε: Cookieʹอଘɾૹ৴ ηογϣϯϕʔεͷ࣌ͱಉ͡
• XSSରࡦ • ϑϨʔϜϫʔΫͷػೳΛར༻ͯ͠ϥΠϒϥϦʹ੬ऑੑ͕ ͳ͍͔νΣοΫ • CSRFରࡦ • CookieͷτʔΫϯݕূͰར༻͠ͳ͍ͷͰߟྀෆཁ
τʔΫϯϕʔε: Cookieʹอଘɾϔομʔૹ৴ ϔομʔʹηοτ͢ΔτʔΫϯΛCookie͔ΒऔΓग़ͨ͢Ίʹ http:falseʹ͠ͳ͍ͱ͍͚ͳ͍ͷͰXSS੬ऑੑ͕ൃੜ͢Δ
• XSSରࡦ • ϑϨʔϜϫʔΫͷػೳΛར༻ͯ͠ϥΠϒϥϦʹ੬ऑੑ͕ ͳ͍͔νΣοΫ • CSRFରࡦ • LocalStorageͷσʔλϦΫΤετ࣌ʹࣗಈͰૹΒΕΔ͜ ͱͳ͍ͷͰߟྀෆཁ
τʔΫϯϕʔε: LocalStorageʹอଘɾϔομʔૹ৴ LocalStorageJavaScriptͰΞΫηεͰ͖ΔͷͰXSSͷϦεΫ ͋Γ
࣍ • ࠓճ͢༰ • ηογϣϯʹؔ͢Δجૅࣝ • ೝূɾೝՄʹ͍ͭͯ • ೝূͷ۩ମతͳ࣮ख๏
• ·ͱΊ
• ೝূ୭Ͱ͋Δ͔Λ֬ೝ͢Δ͜ͱɺೝՄૢ࡞ͷݖݶΛ༩͑ Δ͜ͱ • ೝূํ๏ʹηογϣϯํࣜͱτʔΫϯํࣜͷ2͕ͭ͋Δ • ೝূͷΈΛ࣮͢Δ߹XSSͱCSRFͷ੬ऑੑΛҙࣝ ͢Δ ·ͱΊ