OPTiM サービスでの OAuth 2.0/OpenID Connect と 周辺技術の活用事例

Transcript

1. Copyright © 2019 OPTiM Corp. All Rights Reserved. 1 .

   2 / 0// 2 CAI D

2. Copyright © 2019 OPTiM Corp. All Rights Reserved. 2
   

   p Yuu Kikuchi p Works at OPTiM Inc. (2014 ~) p Engineer at Platform business division p in OPTiM... • OPTiM Store (2016 ~) • OPTiM Cloud IoT OS/LANDLOG (2017 ~) p in OIDF-J… • Enterprise Identity WG Phase 3 (2016 ~) • KYC WG (2019 ~)

3. Copyright © 2019 OPTiM Corp. All Rights Reserved. 3 p

   SaaS Marketplace p O S p T M P

4. Copyright © 2019 OPTiM Corp. All Rights Reserved. 4 p

   AI/IoT M (PaaS) p P S O p (LANDLOG) T (AGRI EARTH) I C M

5. Copyright © 2019 OPTiM Corp. All Rights Reserved. 5 (

   ) / (

6. Copyright © 2019 OPTiM Corp. All Rights Reserved. 6 I

   T p IoT Platform o S u p O I C C p Microservice Architecture C p OAuth Resource Server l • Access Token C d

7. Copyright © 2019 OPTiM Corp. All Rights Reserved. 7 p

   Shared Database • Authorization Server Resource Server Access Token e • eDB k S p Token Introspection • Access Token T R T Authorization Server • Authorization Server k p Formatted Access Token • Access Token A • Resource Server Access Token Resource Server k c S

8. Copyright © 2019 OPTiM Corp. All Rights Reserved. 8

9. Copyright © 2019 OPTiM Corp. All Rights Reserved. 9

10. Copyright © 2019 OPTiM Corp. All Rights Reserved. 10 JSON

    Web Token

11. Copyright © 2019 OPTiM Corp. All Rights Reserved. 11

12. Copyright © 2019 OPTiM Corp. All Rights Reserved. 12 OAuth

    2.0
    Access Token
    JSON Web Token(JSON Web Signature)
     - r-weblife (http://d.hatena.ne.jp/ritou/20140927/1411811648)

13. Copyright © 2019 OPTiM Corp. All Rights Reserved. 20 B

    p $!&'+5
    7;#<4@=/6 OAuth PKCE (RFC7636) A3 p Device 57;08
    JWT Profile for OAuth 2.0 Client Authentication (RFC7523) A3 p '* "%(?9'+1 ,-.)D 
    OpenID Connect Session Management A3 • :'+2C  
    iOS 12 (ITP2.0) > 

14. Copyright © 2019 OPTiM Corp. All Rights Reserved. 21 (

    ( ) (

15. Copyright © 2019 OPTiM Corp. All Rights Reserved. 22 P

    S p SaaS Marketplace o • SaaS Marketplace T e • ID i p OPTiM Store • API t ”Contract API” • r M P SO ”SCIM API” • IDaaS Single-Sign On “OpenID Connect"

16. Copyright © 2019 OPTiM Corp. All Rights Reserved. 23 OPTiM

    Store API Docs (https://optim-corp.github.io/optim_store_api_docs/)

17. Copyright © 2019 OPTiM Corp. All Rights Reserved. 24 3ϥΠηϯεߪೖ

    3ϥΠηϯεߪೖ ςφϯτ४උ׬ྃ ςφϯτ࡞੒ SCIM ॳظઃఆ OIDC ॳظઃఆ ϥΠηϯεߪೖ׬ྃ ϥΠηϯε෇༩ (3ਓ෼) ΞΧ΢ϯτ࡞੒ End User ʹ Push ௨஌

18. Copyright © 2019 OPTiM Corp. All Rights Reserved. 25 p

    CP JWT RP • RSA JWK p RP JWT I • RSA A • JWK

19. Copyright © 2019 OPTiM Corp. All Rights Reserved. 26 )

    ( (

20. Copyright © 2019 OPTiM Corp. All Rights Reserved. 27 ()

    ( (

21. Copyright © 2019 OPTiM Corp. All Rights Reserved. 28 )

    ( ) (

22. Copyright © 2019 OPTiM Corp. All Rights Reserved. 29 3ϥΠηϯεߪೖ

    3ϥΠηϯεߪೖ ςφϯτ४උ׬ྃ ςφϯτ࡞੒ SCIM ॳظઃఆ OIDC ॳظઃఆ ϥΠηϯεߪೖ׬ྃ ϥΠηϯε෇༩ (3ਓ෼) ΞΧ΢ϯτ࡞੒ End User ʹ Push ௨஌

23. Copyright © 2019 OPTiM Corp. All Rights Reserved. 30 p

    Contract API M JWT RP C • Payload SCIM Client A p RP I P OAuth Client

24. Copyright © 2019 OPTiM Corp. All Rights Reserved. 31 Request

    Response JWT Payload

25. Copyright © 2019 OPTiM Corp. All Rights Reserved. 32 3ϥΠηϯεߪೖ

    3ϥΠηϯεߪೖ ςφϯτ४උ׬ྃ ςφϯτ࡞੒ SCIM ॳظઃఆ OIDC ॳظઃఆ ϥΠηϯεߪೖ׬ྃ ϥΠηϯε෇༩ (3ਓ෼) ΞΧ΢ϯτ࡞੒ End User ʹ Push ௨஌

26. Copyright © 2019 OPTiM Corp. All Rights Reserved. 33 p

    Contract API IA IAD JWT IdP p IdP IA OpenID Connect Client • OpenID Connect / OAuth 2.0 Dynamic Client Registration C

27. Copyright © 2019 OPTiM Corp. All Rights Reserved. 34 Request

    Response JWT Payload

28. Copyright © 2019 OPTiM Corp. All Rights Reserved. 35 3ϥΠηϯεߪೖ

    3ϥΠηϯεߪೖ ςφϯτ४උ׬ྃ ςφϯτ࡞੒ SCIM ॳظઃఆ OIDC ॳظઃఆ ϥΠηϯεߪೖ׬ྃ ϥΠηϯε෇༩ (3ਓ෼) ΞΧ΢ϯτ࡞੒ End User ʹ Push ௨஌ SCIM 
    

29. Copyright © 2019 OPTiM Corp. All Rights Reserved. 36 

      
      

30. Copyright © 2019 OPTiM Corp. All Rights Reserved. 40 GR_

    p OAuth Client / OIDC RP UX[ab W< • 3(16,58./,58ZEEQ `C>: • (BackendM ) &).-2)8%Cookie^! • 7*&'2%DF" H!AS #! •  ">NIdP ./,58%=9LB] • PKCE  code_challenge %J ?I C>: p @\ ;$
    JWT  iat/exp J PT +- >? • " IaaS 
    ,-04@O KWYVF  

31. Copyright © 2019 OPTiM Corp. All Rights Reserved. 41 dear

    Connect

32. Copyright © 2019 OPTiM Corp. All Rights Reserved. 42