Upgrade to Pro — share decks privately, control downloads, hide ads and more …

OAuth 2.0 & OpenID Connect 基礎 @ OpenID Meetup Fukuoka

Nov Matake
March 29, 2019
Technology
2
590

OAuth 2.0 & OpenID Connect 基礎 @ OpenID Meetup Fukuoka

Nov Matake

March 29, 2019
Tweet

More Decks by Nov Matake

See All by Nov Matake
OpenID Summit 2024 - Translation WG
nov
0
230
OpenID Summit 2024 - Panel : Celebrating Ten Years of OpenID Connect
nov
0
250
What’s Passkey @ AXIES 2023
nov
0
1.8k
NIST SP800-63C (rev.4) Federation & Assertions - OpenID BizDay #16
nov
0
39
#fidcon WebAuthn, Next Stage - #idcon vol.29
nov
0
1.8k
Safari (ITP) & Chrome (SameSite=Lax as default) が Federation に与える影響 - OpenID TechNight vol.17
nov
0
6
Sign in with Apple ~ diff from OIDC / OAuth 2.0 & characteristic identifiers design ~ - #idcon vol.27
nov
0
4
IIW #13 report at idcon #10
nov
2
69

Other Decks in Technology

See All in Technology
アクセシビリティを考慮したUI/CSSフレームワーク・ライブラリ選定
yajihum
2
1k
プラットフォームってつくることより計測することが重要なんじゃないかという話 / Platform Engineering Meetup #8
taishin
1
370
LayerXにおけるLLMプロダクト開発の今までとこれから
layerx
PRO
1
370
現代CSSフレームワークの内部実装とその仕組み
poteboy
7
3.6k
レガシーをぶっ壊せ。AEONで始めるDevRelの話 / Qiita Night 2024-2-22
aeonpeople
3
1.3k
FrontDoorとWebAppsを組み合わせた際のリダイレクト処理の注意点
kenichirokimura
1
530
Terraformあれやこれ/terraform-this-and-that
emiki
8
1.4k
非同期推論システムによるコスト削減と信頼性向上
koki_nishihara
0
260
JAWS-UG Bedrock Claude Night
yamahiro
3
610
自己改善からチームを動かす! 「セルフエンジニアリングマネージャー」のすゝめ
shoota
6
780
LLM開発・活用の舞台裏@2024.04.25
yushin_n
1
340
require(ESM)とECMAScript仕様
uhyo
3
760

Featured

See All Featured
Build The Right Thing And Hit Your Dates
maggiecrowley
24
2k
Bash Introduction
62gerente
604
210k
Teambox: Starting and Learning
jrom
128
8.4k
Git: the NoSQL Database
bkeepers
PRO
422
63k
Let's Do A Bunch of Simple Stuff to Make Websites Faster
chriscoyier
501
140k
BBQ
matthewcrist
80
8.8k
個人開発の失敗を避けるイケてる考え方 / tips for indie hackers
panda_program
60
14k
Design by the Numbers
sachag
274
18k
Building Applications with DynamoDB
mza
88
5.6k
Embracing the Ebb and Flow
colly
80
4.1k
ParisWeb 2013: Learning to Love: Crash Course in Emotional UX Design
dotmariusz
104
6.6k
Designing the Hi-DPI Web
ddemaree
276
33k

Transcript

  1. OAuth 2.0 & OpenID Connect جૅ Nov Matake

  2. Nov Matake ⿣OpenID Foundation Japan ⿣ࣄ຿ہ௕ ⿣ΤόϯδΣϦετ ⿣຋༁ WG Ϧʔμʔ

    ⿣Rubyist ⿣YAuth.jp LLC ୅ද

  3. OAuth 2.0 ͱ OpenID Connect ͲͪΒ΋ʮͳΜͪΌΒIDͰϩάΠϯʯ ͰΑ͘࢖ΘΕΔϓϩτίϧ

  4. ͳΜͪΌΒIDͰϩάΠϯ ⿣Facebook ID ͰϩάΠϯ : OAuth 2.0 ⿣GitHub ID ͰϩάΠϯ

    : OAuth 2.0 ⿣Google ID ͰϩάΠϯ : OpenID Connect ⿣Yahoo! JAPAN ID ͰϩάΠϯ : OpenID Connect ⿣LINE ID ͰϩάΠϯ : OpenID Connect ⿣ࣗࣾ Web App ͷ ID Ͱࣗࣾ iOS/Android App ʹϩάΠϯ : OAuth 2.0 ⿣ࣗࣾ Web App ʹ͸ Google ID ͰϩάΠϯ : OpenID Connect + OAuth 2.0
  5. None
  6. None
  7. None
  8. None
  9. None

  10. Init Redirect Authenticate & Consent Redirect Get Tokens End-User MF

    Server FB Server Get FB UID via FB API Welcome back!

  11. Init Redirect Authenticate & Consent Redirect Get Tokens End-User MF

    Server FB Server Get FB UID via FB API Welcome back!

  12. Init Redirect Authenticate & Consent Redirect Get Tokens End-User MF

    Server FB Server Get FB UID via FB API Welcome back!

  13. Init Redirect Authenticate & Consent Redirect Get Tokens End-User MF

    Server FB Server Get FB UID via FB API Welcome back!

  14. Init Redirect Authenticate & Consent Redirect Get Tokens End-User MF

    Server FB Server Get FB UID via FB API Welcome back!

  15. Init Redirect Authenticate & Consent Redirect Get Tokens End-User MF

    Server FB Server Get FB UID via FB API Welcome back!

  16. Init Redirect Authenticate & Consent Redirect Get Tokens End-User MF

    Server FB Server Get FB UID via FB API Welcome back!
  17. None

  18. Init Redirect Authenticate & Consent Redirect Get Tokens End-User MF

    App MF Server Backend API Access Welcome back!

  19. Init Redirect Authenticate & Consent Redirect Get Tokens End-User MF

    App MF Server Backend API Access Welcome back!

  20. Init Redirect Authenticate & Consent Redirect Get Tokens End-User MF

    App MF Server Backend API Access Welcome back!

  21. Init Redirect Authenticate & Consent Redirect Get Tokens End-User MF

    App MF Server Backend API Access Welcome back!

  22. Init Redirect Authenticate & Consent Redirect Get Tokens End-User MF

    App MF Server Backend API Access Welcome back!

  23. Init Redirect Authenticate & Consent Redirect Get Tokens End-User MF

    App MF Server Welcome back! Backend API Access

  24. Init Redirect Authenticate & Consent Redirect Get Tokens End-User MF

    App MF Server Backend API Access Welcome back!

  25. Init Redirect Authenticate & Consent Redirect Get Tokens End-User MF

    App MF Server Backend API Access Welcome back!
  26. None

  27. Init Redirect Authenticate & Consent Redirect Get Tokens Get FB

    UID via FB API End-User MF App FB Server Redirect Redirect Get Tokens Backend API Access Choose FB ID Welcome back! MF Server

  28. Init Redirect Authenticate & Consent Redirect Get Tokens Get FB

    UID via FB API End-User MF App FB Server Redirect Redirect Get Tokens Backend API Access Choose FB ID Welcome back! MF Server

  29. Init Redirect Authenticate & Consent Redirect Get Tokens Get FB

    UID via FB API End-User MF App FB Server Redirect Redirect Get Tokens Backend API Access Choose FB ID Welcome back! MF Server

  30. Init Redirect Authenticate & Consent Redirect Get Tokens Get FB

    UID via FB API End-User MF App FB Server Redirect Redirect Get Tokens Backend API Access Choose FB ID Welcome back! MF Server

  31. Init Redirect Authenticate & Consent Redirect Get Tokens Get FB

    UID via FB API End-User MF App FB Server Redirect Redirect Get Tokens Backend API Access Choose FB ID Welcome back! MF Server

  32. Init Redirect Authenticate & Consent Redirect Get Tokens Get FB

    UID via FB API End-User MF App FB Server Redirect Redirect Get Tokens Backend API Access Choose FB ID Welcome back! MF Server

  33. Init Redirect Authenticate & Consent Redirect Get Tokens Get FB

    UID via FB API End-User MF App FB Server Redirect Redirect Get Tokens Backend API Access Choose FB ID Welcome back! MF Server

  34. Init Redirect Authenticate & Consent Redirect Get Tokens Get FB

    UID via FB API End-User MF App FB Server Redirect Redirect Get Tokens Backend API Access Choose FB ID Welcome back! MF Server

  35. Init Redirect Authenticate & Consent Redirect Get Tokens Get FB

    UID via FB API End-User MF App FB Server Redirect Redirect Get Tokens Backend API Access Choose FB ID Welcome back! MF Server

  36. Init Redirect Authenticate & Consent Redirect Get Tokens Get FB

    UID via FB API End-User MF App FB Server Redirect Redirect Get Tokens Backend API Access Choose FB ID Welcome back! MF Server

  37. Init Redirect Authenticate & Consent Redirect Get Tokens Get FB

    UID via FB API End-User MF App FB Server Redirect Redirect Get Tokens Backend API Access Choose FB ID Welcome back! MF Server

  38. ·ͣ͸جૅ͔Β…

  39. OAuth 2.0 جૅ

  40. Abstract - RFC 6749 : The OAuth 2.0 Authorization Framework

    “The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf.” IUUQTUPPMTJFUGPSHIUNMSGD

  41. Abstract - RFC 6749 : The OAuth 2.0 Authorization Framework

    (຋༁൛) ʮOAuth 2.0 ͸, αʔυύʔςΟʔΞϓϦέʔγϣϯʹΑΔHTTPαʔϏε΁ ͷݶఆతͳΞΫηεΛՄೳʹ͢ΔೝՄϑϨʔϜϫʔΫͰ͋Δ. αʔυύʔ ςΟʔΞϓϦέʔγϣϯʹΑΔΞΫηεݖͷऔಘʹ͸, ϦιʔεΦʔφʔͱ HTTPαʔϏεͷؒͰಉҙͷͨΊͷΠϯλϥΫγϣϯΛ൐͏৔߹΋͋Δ͕, αʔυύʔςΟʔΞϓϦέʔγϣϯࣗ਎͕ࣗΒͷݖݶʹ͓͍ͯΞΫηεΛڐ Մ͢Δ৔߹΋͋Δ.ʯ IUUQTPQFOJEGPVOEBUJPOKBQBOHJUIVCJPSGDKBIUNM

  42. ʮͳΜͪΌΒ ID ͰϩάΠϯʯΑΓ΋ ʮͳΜͪΌΒ API ͱ࿈ܞʯ͕ຊདྷͷ༻్

  43. None
  44. None
  45. None
  46. None
  47. None

  48. Init Redirect Authenticate Consent Redirect Get Tokens API Access End-User

    Client Authorization Server Resource Server

  49. Init Redirect Authenticate Consent Redirect Get Tokens API Access End-User

    Client Authorization Server Resource Server

  50. Init Redirect Authenticate Consent Redirect Get Tokens API Access End-User

    Client Authorization Server Resource Server

  51. Init Redirect Authenticate Consent Redirect Get Tokens API Access End-User

    Client Authorization Server Resource Server

  52. Init Redirect Authenticate Consent Redirect Get Tokens API Access End-User

    Client Authorization Server Resource Server

  53. Init Redirect Authenticate Consent Redirect Get Tokens API Access End-User

    Client Authorization Server Resource Server

  54. Init Redirect Authenticate Consent Redirect Get Tokens API Access End-User

    Client Authorization Server Resource Server

  55. Init Redirect Authenticate Consent Redirect Get Tokens API Access End-User

    Client Authorization Server Resource Server API ఏڙଆ API ར༻ଆ 5PLFOൃߦΛ୲͏ "1*ఏڙΛ୲͏ ·ͱΊͯ “OAuth Server” ͱ΋ݺ͹ΕΔ “OAuth Client” ͱݺ͹ΕΔ

  56. Init Redirect Authenticate Consent Redirect Get Tokens API Access End-User

    Client Authorization Server Resource Server RFC 6749 - The OAuth 2.0 Authorization Framework RFC 6750 - The OAuth 2.0 Authorization Framework: Bearer Token Usage

  57. RFC 6749 - The OAuth 2.0 Authorization Framework ⿣OAuth Core

    ͱ͔ݺ͹ΕΔ΍ͭ ⿣API ʹΞΫηε͢ΔͨΊͷτʔΫϯ (Access Token) ͷऔಘํ๏ΛఆΊΔ ⿣ݪจ : https://tools.ietf.org/html/rfc6749 ⿣຋༁ : https://openid-foundation-japan.github.io/rfc6749.ja

  58. RFC 6750 - The OAuth 2.0 Authorization Framework: Bearer Token

    Usage ⿣OAuth Bearer ͱ͔ݺ͹ΕΔ΍ͭ ⿣औಘͨ͠ “Bearer ͳ” Access Token ͷར༻ํ๏ΛఆΊΔ ⿣ੈͷதͷ OAuth 2.0 ࣮૷ͷ 99% Ҏ্͸͜Εʹ֘౰ ⿣ݪจ : https://tools.ietf.org/html/rfc6750 ⿣຋༁ : https://openid-foundation-japan.github.io/rfc6750.ja

  59. Init Redirect Authenticate Consent Redirect Get Tokens API Access End-User

    Client Authorization Server Resource Server

  60. Init Redirect Authenticate Consent Redirect Get Tokens API Access End-User

    Client Authorization Server Resource Server

  61. Authorization Request Params ⿣client_id : OAuth Client ͷࣝผࢠ ⿣redirect_uri :

    OAuth Client ͷ Callback URL ⿣response_type : “code” ݻఆ ⿣RFC6749 Ͱ͸ “token” ͱ͍͏஋΋ఆٛ͞Ε͍ͯΔ͕ݱࡏ͸ඇਪ঑ͷྲྀΕ ⿣scope : OAuth Server ͕ఆΊΔʮݶఆతͳ API ΞΫηεݖݶʯΛࣔ͢஋ ⿣state : OAuth Client ͷ౰֘ Session ʹඥ͍ͮͨ೚ҙͷ஋

  62. Init Redirect Authenticate Consent Redirect Get Tokens API Access End-User

    Client Authorization Server Resource Server

  63. Init Redirect Authenticate Consent Redirect Get Tokens API Access End-User

    Client Authorization Server Resource Server

  64. Init Redirect Authenticate Consent Redirect Get Tokens API Access End-User

    Client Authorization Server Resource Server

  65. Authorization Response Params ⿣code : Authorization Code ͱΑ͹ΕΔҰ࣌τʔΫϯ ⿣state :

    Authorization Request Ͱ Client ͕ࢦఆͨ͠஋ ⿣Client ͷ Session ʹඥ͍͍ͮͯͳ͍஋ͷ৔߹͸ CSRF ߈ܸΛड͚͍ͯΔ

  66. Init Redirect Authenticate Consent Redirect Get Tokens API Access End-User

    Client Authorization Server Resource Server

  67. Token Request Params ⿣grant_type : “authorization_code” ݻఆ ⿣code : Authorization

    Response Ͱड͚औͬͨ Authorization Code ⿣redirect_uri : Authorization Response Λड͚औͬͨ Callback URL ⿣Basic ೝূ : client_id & client_secret Λར༻ ⿣Native App ΍ JS App ͳͲ secret Λ࣋ͨͳ͍ΞϓϦ͸লུՄ

  68. Init Redirect Authenticate Consent Redirect Get Tokens API Access End-User

    Client Authorization Server Resource Server

  69. Token Response Params ⿣access_token : API ΞΫηεʹར༻͢ΔτʔΫϯ ⿣refresh_token : access_token

    Λ࠶ൃߦ͢Δࡍʹར༻͢ΔτʔΫϯ ⿣token_type : “Bearer” ݻఆ (case insensible) ⿣expires_in : ౰֘ access_token ͷ༗ޮظݶ

  70. Init Redirect Authenticate Consent Redirect Get Tokens API Access End-User

    Client Authorization Server Resource Server

  71. Resource Request Params ⿣Authorization Header : “Bearer” εΩʔϚͰ access_token Λࢦఆ

  72. Init Redirect Authenticate Consent Redirect Get Tokens API Access End-User

    Client Authorization Server Resource Server

  73. Init Redirect Authenticate Consent Redirect Get Tokens API Access End-User

    Client Authorization Server Resource Server

  74. Init Redirect Authenticate Consent Redirect Get Tokens API Access End-User

    Client Authorization Server Resource Server

  75. Init Redirect Authenticate Consent Redirect Get Tokens API Access End-User

    Client Authorization Server Resource Server

  76. Init Redirect Authenticate Consent Redirect Get Tokens API Access End-User

    Client Authorization Server Resource Server

  77. Init Redirect Authenticate Consent Redirect Get Tokens API Access End-User

    Client Authorization Server Resource Server

  78. OAuth Server’s Official SDKs

  79. https://oauth.net/code/

  80. OpenID Connect جૅ

  81. OAuth 2.0 Λ ʮͳΜͪΌΒ ID ͰϩάΠϯʯ Ͱར༻͢ΔͨΊʹ֦ுͨ͠࢓༷

  82. OAuth 2.0 ͰͷʮͳΜͪΌΒ ID ͰϩάΠϯʯ ⿣Access Token Λऔಘ͢Δํ๏͸ඪ४Խ͞Ε͍ͯΔ ⿣User ID

    (+ Profile Info) Λऔಘ͢Δํ๏͸֤ API Provider ͝ͱʹόϥόϥ ⿣FB Graph API ⿣https://developers.facebook.com/docs/graph-api/reference/user ⿣Github API ⿣https://developer.github.com/v3/users/#get-the-authenticated-user

  83. OpenID Connect ⿣OAuth 2.0 ʹՃ͑ͯҎԼΛඪ४Խ ⿣User ID & Profile Info

    ͷऔಘํ๏ ⿣API Server ͕ϢʔβʔΛೝূͨ͠ࡍͷΠϕϯτ৘ใͷऔಘํ๏ ⿣ೝূ೔࣌, ೝূํࣜ etc. ⿣OAuth 2.0 ͕ఆΊͨ෦෼͸ͦͷ··׆༻ ⿣Access Token औಘɾར༻ํ๏

  84. Init Redirect Authenticate Consent Redirect Get Tokens API Access End-User

    Client Authorization Server Resource Server

  85. Init Redirect Authenticate Consent Redirect Get Tokens API Access End-User

    Client Authorization Server Resource Server API ఏڙଆ "VUIFOUJDBUJPO4FSWFS ͱ΋ݺ͹ΕΔ ·ͱΊͯ “Identity Provider (IdP)” ͱ΋ݺ͹ΕΔ “Relying Party (RP)” ͱݺ͹ΕΔ API ར༻ଆ

  86. IUUQTPQFOJEOFUDPOOFDU

  87. IUUQTPQFOJEOFUDPOOFDU

  88. IUUQTPQFOJEOFUXH

  89. ࢓༷܈΋͍ͬͺ͍͋ͬͯ Ϣʔεέʔε͝ͱʹ WG ͕֦ுͯ͠Δ͚Ͳ େࣄͳ͜ͱ͸ 3 ఺ͷΈ

  90. OpenID Connect = OAuth 2.0 + … ⿣“openid” scope ⿣౰֘ϦΫΤετ͕

    OpenID Connect ͷϦΫΤετͰ͋Δ (= End-User ͷ ࣝผࢠΛཁٻ͍ͯ͠Δ) ͜ͱΛࣔ͢஋ ⿣ID Token ⿣ॺ໊෇͖Ͱ Authentication Session ͷ৘ใΛؚΉτʔΫϯ (Assertion) ⿣User Info API ⿣ඪ४Խ͞Εͨ JSON ϑΥʔϚοτͰϢʔβʔϓϩϑΟʔϧ৘ใΛฦ͢

  91. Init Redirect Authenticate Consent Redirect Get Tokens API Access End-User

    Client Authorization Server Resource Server

  92. Init Redirect Authenticate Consent Redirect Get Tokens API Access End-User

    Client Authorization Server Resource Server

  93. Init Redirect Authenticate Consent Redirect Get Tokens API Access End-User

    Client Authorization Server Resource Server
  94. None
  95. None

  96. ID Token ͷத਎ ⿣iss (issuer) : ID Token ൃߦओମ (IdP)

    ͷࣝผࢠ ⿣aud (audience) : ID Token ൃߦ૬ख (RP) ͷࣝผࢠ ⿣sub (subject) : IdP ͕ൃߦͨ͠ End-User ͷࣝผࢠ ⿣iat (issued_at) & exp (expires_at) : ൃߦ೔࣌ͱ༗ޮظݶ (UNIX Timestamp) ⿣nonce : ϦΫΤετ࣌ʹड͚औͬͨ஋ (AuthZ Req & Token Res Binding) ⿣at_hash : ಉ࣌ʹൃߦ͞Εͨ Access Token ͷϋογϡ஋ ⿣ଞʹ΋ auth_time, acr, amr, azp, c_hash etc... IUUQTPQFOJEOFUTQFDTPQFOJEDPOOFDUDPSF@IUNM*%5PLFO

  97. Init Authenticate Consent Redirect Get Tokens API Access End-User Client

    Authorization Server Resource Server Redirect
  98. None

  99. ⿣sub ⿣name ⿣given_name ⿣family_name ⿣middle_name ⿣nickname ⿣preferred_username ⿣profile ⿣picture ⿣website

    ⿣email ⿣email_verified ⿣gender ⿣birthdate ⿣zoneinfo ⿣locale ⿣phone_number ⿣phone_number_veri fied ⿣address ⿣updated_at User Info ͷத਎ IUUQTPQFOJEOFUTQFDTPQFOJEDPOOFDUDPSF@IUNM$MBJNT

  100. Init Redirect Authenticate Consent Redirect Get Tokens API Access End-User

    Client Authorization Server Resource Server

  101. Init Redirect Authenticate Consent Redirect Get Tokens API Access End-User

    Client Authorization Server Resource Server

  102. Init Redirect Authenticate Consent Redirect Get Tokens API Access End-User

    Client Authorization Server Resource Server
  103. None

  104. Init Authenticate Consent Redirect Get Tokens API Access End-User Client

    Authorization Server Resource Server Redirect
  105. None

  106. OAuth 2.0 + ID Token + UserInfo API = OpenID

    Connect

  107. ʲ࠷ޙʹิ଍ʳ OAuth 2.0 / OpenID Connect ࢖͍෼͚

  108. OAuth 2.0 ࢖͏ͱ͜Ζ ⿣OpenID Connect Λαϙʔτ͍ͯ͠ͳ͍ IdP ͷ ID ͰϩάΠϯ

    ⿣ʮͳΜͪΌΒ ID ͰϩάΠϯʯ͸ෆཁͰ API ͚ͩΛ࢖͍͍ͨ࣌ ⿣ࣗࣾαʔϏεͰࣾ֎ and/or ࣾ಺޲͚ʹ API Λఏڙ͍ͨ࣌͠ ⿣JS / iOS / Android App Ͱ Backend Server ͱ API ܦ༝Ͱ΍ΓऔΓ͍ͨ࣌͠

  109. OpenID Connect ࢖͏ͱ͜Ζ ⿣OpenID Connect Λαϙʔτ͍ͯ͠Δ IdP ͷ ID ͰϩάΠϯ

    ⿣ʮͳΜͪΌΒ ID ͰϩάΠϯʯͭͭ͠ IdP ͕ఏڙ͢Δଞ API ΋࢖͍͍ͨ࣌ ⿣ࣗࣾαʔϏεͰࣾ֎ and/or ࣾ಺޲͚ʹೝূج൫ (+ API) Λఏڙ͍ͨ࣌͠ ⿣microservices Ά͍΍ͭͱ͔
  110. None