OAuth 2.0 & OpenID Connect 基礎 @ OpenID Meetup Fukuoka

Nov Matake

March 29, 2019

Transcript

  1. OAuth 2.0 & OpenID Connect Basics / Nov Matake

  2. Nov Matake
    • OpenID Foundation Japan
    • Secretary General
    • Evangelist
    • Translation WG Leader
    • Rubyist
    • YAuth.jp LLC, Representative
  3. OAuth 2.0 and OpenID Connect: both are protocols commonly used for "Log in with some ID"

  4. "Log in with some ID"
    • Log in with Facebook ID : OAuth 2.0
    • Log in with GitHub ID : OAuth 2.0
    • Log in with Google ID : OpenID Connect
    • Log in with Yahoo! JAPAN ID : OpenID Connect
    • Log in with LINE ID : OpenID Connect
    • Log in to your own iOS/Android App with the ID of your own Web App : OAuth 2.0
    • Log in to your own Web App with Google ID : OpenID Connect + OAuth 2.0
  10. [Sequence diagram, built up step by step over slides 10-16] Actors: End-User, MF Server, FB Server. Steps: Init, Redirect, Authenticate & Consent, Redirect, Get Tokens, Get FB UID via FB API, Welcome back!
  18. [Sequence diagram, built up step by step over slides 18-25] Actors: End-User, MF App, MF Server. Steps: Init, Redirect, Authenticate & Consent, Redirect, Get Tokens, Backend API Access, Welcome back!
  27. [Combined sequence diagram, built up step by step over slides 27-37] Actors: End-User, MF App, MF Server, FB Server. Step labels as extracted: Init, Redirect, Choose FB ID, Redirect, Authenticate & Consent, Redirect, Get Tokens, Get FB UID via FB API, Redirect, Get Tokens, Backend API Access, Welcome back!
  38. First, the basics…

  39. OAuth 2.0 Basics

  40. Abstract - RFC 6749 : The OAuth 2.0 Authorization Framework
    "The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf." https://tools.ietf.org/html/rfc6749
  41. Abstract - RFC 6749 : The OAuth 2.0 Authorization Framework
    (Japanese translation) "OAuth 2.0 is an authorization framework that enables a third-party application to obtain limited access to an HTTP service. The third-party application's acquisition of access rights may involve a consent interaction between the resource owner and the HTTP service, or the third-party application may be permitted access under its own authority." https://openid-foundation-japan.github.io/rfc6749.ja.html
  42. The original purpose is "integrate with some API", not "log in with some ID"

  48. [OAuth 2.0 sequence diagram, built up step by step over slides 48-54] Actors: End-User, Client, Authorization Server, Resource Server. Steps: Init, Redirect, Authenticate, Consent, Redirect, Get Tokens, API Access.
  55. [Same diagram, annotated] API-providing side: the Authorization Server issues the tokens, the Resource Server serves the API; together they are also called the "OAuth Server". API-consuming side: the Client, called the "OAuth Client".
  56. [Same diagram, with the specs that define it] RFC 6749 - The OAuth 2.0 Authorization Framework; RFC 6750 - The OAuth 2.0 Authorization Framework: Bearer Token Usage
  57. RFC 6749 - The OAuth 2.0 Authorization Framework
    • The one also called "OAuth Core"
    • Defines how to obtain the token used to access an API (the Access Token)
    • Original : https://tools.ietf.org/html/rfc6749
    • Translation : https://openid-foundation-japan.github.io/rfc6749.ja
  58. RFC 6750 - The OAuth 2.0 Authorization Framework: Bearer Token Usage
    • The one also called "OAuth Bearer"
    • Defines how to use the obtained "Bearer-type" Access Token
    • More than 99% of the OAuth 2.0 implementations in the wild fall under this
    • Original : https://tools.ietf.org/html/rfc6750
    • Translation : https://openid-foundation-japan.github.io/rfc6750.ja
  61. Authorization Request Params
    • client_id : identifier of the OAuth Client
    • redirect_uri : the OAuth Client's Callback URL
    • response_type : fixed to "code"
    • RFC 6749 also defines the value "token", but the current trend is to deprecate it
    • scope : value indicating the "limited API access permission" defined by the OAuth Server
    • state : an arbitrary value bound to the OAuth Client's current Session
  65. Authorization Response Params
    • code : a one-time token called the Authorization Code
    • state : the value the Client specified in the Authorization Request
    • If the value is not bound to the Client's Session, you are under a CSRF attack
  67. Token Request Params
    • grant_type : fixed to "authorization_code"
    • code : the Authorization Code received in the Authorization Response
    • redirect_uri : the Callback URL on which the Authorization Response was received
    • Basic authentication : uses client_id & client_secret
    • Can be omitted by apps that hold no secret, such as Native Apps and JS Apps
  69. Token Response Params
    • access_token : the token used for API access
    • refresh_token : the token used to re-issue the access_token
    • token_type : fixed to "Bearer" (case insensitive)
    • expires_in : lifetime of this access_token
  71. Resource Request Params
    • Authorization header : the access_token, given with the "Bearer" scheme
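
The parameter slides 61, 65, 67, 69 and 71 describe one Authorization Code flow from the client's side. The following is an added example, not code from the talk, that assembles those requests in Python and performs the state check the Authorization Response slide calls for; the endpoints, client credentials, scope value and callback URL are constructed placeholders.

```python
import base64
import secrets
from urllib.parse import parse_qs, quote, urlencode, urlparse

# Constructed placeholders: endpoints, client credentials and callback URL.
AUTHZ_ENDPOINT = "https://oauth-server.example/authorize"
TOKEN_ENDPOINT = "https://oauth-server.example/token"
CLIENT_ID, CLIENT_SECRET = "my-client", "s3cret"
REDIRECT_URI = "https://client.example/callback"


def build_authorization_request(session):
    """Authorization Request: client_id, redirect_uri, response_type=code,
    scope, and a fresh random state stored in this client session."""
    session["oauth_state"] = secrets.token_urlsafe(16)
    params = {"client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
              "response_type": "code", "scope": "profile",
              "state": session["oauth_state"]}
    return AUTHZ_ENDPOINT + "?" + urlencode(params)

def handle_authorization_response(session, callback_url):
    """Authorization Response: hand back the code only when state matches the
    value bound to this session; anything else is treated as CSRF."""
    qs = parse_qs(urlparse(callback_url).query)
    state = qs.get("state", [""])[0]
    expected = session.pop("oauth_state", None)  # one-shot: a state is used once
    if not expected or not secrets.compare_digest(state.encode(), expected.encode()):
        raise ValueError("state mismatch: possible CSRF, code discarded")
    if "code" not in qs:
        raise ValueError("authorization response carries no code")
    return qs["code"][0]

def build_token_request(code):
    """Token Request: grant_type=authorization_code, the code, the redirect_uri
    it arrived on, and HTTP Basic client authentication (RFC 6749 2.3.1:
    client_id and client_secret are form-urlencoded before base64)."""
    creds = f"{quote(CLIENT_ID, safe='')}:{quote(CLIENT_SECRET, safe='')}"
    headers = {"Authorization": "Basic " + base64.b64encode(creds.encode()).decode(),
               "Content-Type": "application/x-www-form-urlencoded"}
    body = urlencode({"grant_type": "authorization_code", "code": code,
                      "redirect_uri": REDIRECT_URI})
    return TOKEN_ENDPOINT, headers, body

def build_resource_request(token_response):
    """Resource Request: token_type is compared case-insensitively and the
    access_token travels in the Authorization header with the Bearer scheme."""
    if token_response.get("token_type", "").lower() != "bearer":
        raise ValueError("unsupported token_type")
    return {"Authorization": "Bearer " + token_response["access_token"]}
```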

  78. OAuth Server’s Official SDKs

  79. https://oauth.net/code/

  80. OpenID Connect Basics

  81. A specification that extends OAuth 2.0 for use as "log in with some ID"

  82. "Log in with some ID" on OAuth 2.0
    • How to obtain the Access Token is standardized
    • How to obtain the User ID (+ Profile Info) differs from one API Provider to the next
    • FB Graph API : https://developers.facebook.com/docs/graph-api/reference/user
    • GitHub API : https://developer.github.com/v3/users/#get-the-authenticated-user
  83. OpenID Connect
    • Standardizes the following on top of OAuth 2.0
    • How to obtain the User ID & Profile Info
    • How to obtain information about the event in which the API Server authenticated the user (authentication time, authentication method, etc.)
    • The parts defined by OAuth 2.0 are used as they are
    • How to obtain and use the Access Token
  85. [Same diagram, relabelled for OpenID Connect] API-providing side: the Authorization Server is also called the Authentication Server; together with the Resource Server it is also called the "Identity Provider (IdP)". API-consuming side: the Client is called the "Relying Party (RP)".
  86. https://openid.net/connect/

  88. https://openid.net/wg/

  89. There is a whole family of specs, and the WGs keep extending it per use case, but only 3 points matter

  90. OpenID Connect = OAuth 2.0 + …
    • "openid" scope : value indicating that this request is an OpenID Connect request (= it asks for the End-User's identifier)
    • ID Token : a signed token (Assertion) carrying information about the Authentication Session
    • User Info API : returns user profile information in a standardized JSON format
  96. Contents of the ID Token
    • iss (issuer) : identifier of the entity that issued the ID Token (the IdP)
    • aud (audience) : identifier of the party the ID Token was issued to (the RP)
    • sub (subject) : identifier of the End-User, issued by the IdP
    • iat (issued_at) & exp (expires_at) : issue time and expiry (UNIX Timestamp)
    • nonce : the value received at request time (binds the AuthZ Req to the Token Res)
    • at_hash : hash value of the Access Token issued at the same time
    • Also auth_time, acr, amr, azp, c_hash etc...
    https://openid.net/specs/openid-connect-core-1_0.html#IDToken
  99. Contents of User Info
    • sub • name • given_name • family_name • middle_name • nickname • preferred_username • profile • picture • website • email • email_verified • gender • birthdate • zoneinfo • locale • phone_number • phone_number_verified • address • updated_at
    https://openid.net/specs/openid-connect-core-1_0.html#Claims
  106. OAuth 2.0 + ID Token + UserInfo API = OpenID Connect
  107. [Closing note] When to use OAuth 2.0 vs. OpenID Connect

  108. Where to use OAuth 2.0
    • Logging in with the ID of an IdP that does not support OpenID Connect
    • When you do not need "log in with some ID" and only want to use the API
    • When you want your own service to offer an API to external and/or internal parties
    • When a JS / iOS / Android App talks to a Backend Server through an API
  109. Where to use OpenID Connect
    • Logging in with the ID of an IdP that supports OpenID Connect
    • When you want to "log in with some ID" and also use other APIs the IdP offers
    • When you want your own service to offer an authentication platform (+ API) to external and/or internal parties
    • Things like microservices