Slide 1

Introduction to the OAuth 2.0 specs JAR, PAR and RAR
#iddance Lesson 3: the "let's learn where to use things like Twitter's OAuth 2.0 and CIBA" meetup
@ritou 2021/10/27

Slide 2

Specs introduced today
• RFC 9101 The OAuth 2.0 Authorization Framework: JWT-Secured Authorization Request (JAR)
• RFC 9126 OAuth 2.0 Pushed Authorization Requests
• OAuth 2.0 Rich Authorization Requests (Draft 08 as of 2021/10/27)

Slide 3

Today's agenda
• What the OAuth 2.0 authorization request is
• The problems with the authorization request as defined in RFC 6749
• What each of the JAR, PAR and RAR specs defines

Slide 4

What is the OAuth 2.0 authorization request?

Slide 5

The OAuth 2.0 flow
Sequence diagram with four participants: Resource Owner, Client, Authorization Server, Resource Server. Step labels:
1. The user wants to use another service's resources through the Client
2. The Client redirects to the AuthZ Server and requests resource access
3. The user logs in and consents to granting the Client access to the resource
4. The AuthZ Server grants the Client permission to access the resource
5. The Client provides a service using the values it retrieved from the Resource Server

Slide 6

The OAuth 2.0 authorization request
Same sequence diagram and labels as slide 5 (Resource Owner, Client, Authorization Server, Resource Server; the user wants to use another service's resources through the Client; redirect to the AuthZ Server requesting resource access; login and consent; access granted; the Client provides a service using values from the Resource Server), this time focusing on the authorization request step.

Slide 7

(no extractable text)

Slide 8

The OAuth 2.0 authorization response
Same sequence diagram and labels as slide 5, this time focusing on the authorization response step.

Slide 9

(no extractable text)

Slide 10

The problems with the authorization request as defined in RFC 6749

Slide 11

RFC 6749's definition
• "The client constructs the request URI by adding the following parameters to the query component of the authorization endpoint URI using the "application/x-www-form-urlencoded" format, …"

Slide 12

Characteristics of using query parameters (from JAR, Section 1 Introduction)
A. "the communication through the user agents is not integrity protected, and thus, the parameters can be tainted (integrity protection failure)": the parameters can be altered
B. "the source of the communication is not authenticated (source authentication failure)": the origin of the request cannot be authenticated
C. "the communication through the user agents can be monitored (containment/confidentiality failure)": the browser, too, …

Slide 13

Ways of sending data through a web browser
• The query parameters of a GET request
  • GET https://www.example.com/endpoint?foo=var&…
• The fragment component of a GET request
  • GET https://www.example.com/endpoint#foo=var&…
• The request body of a POST request

Slide 14

How to make this safer?
• Put a JWT (JWS, or JWS+JWE) in the query parameter / request body
  • https://www.example.com/endpoint?data=eyJ…
• Put a reference to the JWT in the query parameter / request body
  • https://www.example.com/endpoint?data_uri=https%3A%2F%2F…

Slide 15

Applying this to the authorization request is what the specs introduced today…

Slide 16

But before that!

Slide 17

Mechanisms like this are already used in the authorization response
• Parameters that may be returned in the authorization response
  • state
  • Authorization Code
  • ID Token (OIDC)
  • Access Token, Token Type, Refresh Token, Expires in…

Slide 18

The authorization response specs
• An authorization response that carries tokens is not returned in query parameters but in the fragment component (Implicit Grant, Hybrid Flow)
• The authorization code is returned in a query parameter / the fragment component, and the client requests the tokens over the back channel (Authorization Code Grant) ≒ passing a reference
• The authorization response itself is protected with JWS or JWS+JWE (JARM) = protected with a JWT

Slide 19

That's the end of the preamble

Slide 20

JAR/PAR/RAR, the specs introduced today, are what you can use when applying this kind of protection to the authorization request

Slide 21

RFC 9101 The OAuth 2.0 Authorization Framework: JWT-Secured Authorization Request (JAR)

Slide 22

Overview
• Uses a JWT to reduce the security risks of the authorization request at the application level
• Signing (JWS) provides integrity protection and lets the originator be verified
• Encryption (JWE) provides confidentiality protection that does not depend on TLS
• A third party can also verify the content of the authorization request and sign it
• A reference can be sent instead of the JWT itself

Slide 23

Request Object
• The authorization request expressed in JWT form
• The parameters are stored in the JWT's claims (JSON)
• When signed with JWS it includes "iss" and "aud"
  • "aud" is the authorization server's value
• Claims defined in JWT (RFC 7519) are used as needed
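The Request Object described above, built and verified end to end as an added example (not code from the slides or from @ritou): the client side turns the authorization request parameters into signed JWT claims with "iss" and "aud", and the authorization server side checks the signature, the audience, the issuer/client_id binding and the expiry. HS256 with a shared client secret and the sample identifiers are assumptions made for this example.

```python
import base64, hashlib, hmac, json, secrets

# Constructed sample values, not from the slides: a client secret shared with the
# authorization server (HS256 signing is an assumption) and the AS issuer used as "aud".
CLIENT_ID = "s6BhdRkqt3"
CLIENT_SECRET = b"example-client-secret-for-hs256-at-least-32-bytes"
AS_ISSUER = "https://as.example.com"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def build_request_object(params: dict, now: int) -> str:
    """Client side: the authorization request parameters become JWT claims;
    a signed Request Object carries "iss" (the client) and "aud" (the AS)."""
    header = {"alg": "HS256", "typ": "oauth-authz-req+jwt"}
    claims = {**params, "iss": CLIENT_ID, "client_id": CLIENT_ID, "aud": AS_ISSUER,
              "iat": now, "exp": now + 300, "jti": secrets.token_urlsafe(16)}
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(CLIENT_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def verify_request_object(jws: str, query_client_id: str, now: int) -> dict:
    """AS side: the signature gives integrity and origin; "aud" proves the object was
    meant for this AS; iss/client_id must match the plain client_id query parameter."""
    parts = jws.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWS")
    h64, c64, s64 = parts
    header = json.loads(b64url_decode(h64))
    if header.get("alg") != "HS256":        # never accept "none" or an unexpected alg
        raise ValueError("unsupported alg")
    expected = hmac.new(CLIENT_SECRET, f"{h64}.{c64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(c64))
    if claims.get("aud") != AS_ISSUER:
        raise ValueError("aud is not this authorization server")
    if claims.get("iss") != query_client_id or claims.get("client_id") != query_client_id:
        raise ValueError("iss/client_id do not match the query client_id")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("request object expired")
    return claims
```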

Slide 24

Request Object (example shown as an image)

Slide 25

Request Object URI
• A URI that returns the Request Object as its content
• When an authorization server that received the authorization request in advance provides the Request Object URI to the client (PAR), it may handle it however it sees fit

Slide 26

Extending the authorization request
• Parameters included in the authorization request
  • "client_id"
  • "request" or "request_uri"

Slide 27

Example: a Request Object prepared by the client, passed in the request parameter

Slide 28

Example: a reference to a Request Object prepared by the client, passed in the request_uri parameter

Slide 29

Example: a Request Object prepared by someone other than the client, passed in the request parameter
Use cases where the format of the Authorization Request is strictly prescribed, or where a third-party organization performs verification

Slide 30

Example: a reference to a Request Object prepared by someone other than the client, passed in the request_uri parameter
The place that hosts the Request Object is not necessarily the Client

Slide 31

Example: passing a request_uri parameter that the authorization server provided to the client
The server looks the Authorization Request up internally, so there is no point at which the Request Object travels over the network

Slide 32

RFC 9126 OAuth 2.0 Pushed Authorization Requests

Slide 33

Overview
• The characteristics of the RFC 6749 authorization request are as explained for JAR
• When the authorization request uses extension specs, or a JAR Request Object, the request can become large
• Defines a way for the client to send the authorization request to the authorization server and receive a request_uri value to use in the subsequent processing

Slide 34

(Repeated) Passing a request_uri parameter that the authorization server provided to the client
PAR is the standardized form of this

Slide 35

1. Request to the PAR endpoint
A new PAR endpoint is introduced

Slide 36

1. Request to the PAR endpoint
Client authentication + the authorization request parameters

Slide 37

1. Request to the PAR endpoint
A Request Object can also be sent to the PAR endpoint, i.e. an authorization request verified by a 3rd party can be specified as well

Slide 38

2. Response from the PAR endpoint

Slide 39

2. Response from the PAR endpoint
request_uri and its expiry

Slide 40

3. Request to the authorization endpoint

Slide 41

3. Request to the authorization endpoint

Slide 42

Characteristics
• Confidentiality, integrity protection and non-repudiation can be achieved with simple steps
  • Client authentication
  • The request to the authorization endpoint is kept confidential
• Authenticating the client before the interaction with the resource owner makes it possible to prevent impersonation, tampering with the authorization request and misuse at an early stage
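The three PAR steps from slides 35 to 42 as one in-memory authorization server, written as an added example (not code from the slides or from any PAR implementation): the client-authenticated push, the request_uri/expires_in response, and the authorization endpoint resolving the request_uri internally while enforcing expiry, client binding and single use. The client registration, the 60-second lifetime and the endpoint URL are assumptions made for this example; the urn:ietf:params:oauth:request_uri: prefix is the one RFC 9126 defines.

```python
import secrets
from urllib.parse import urlencode

# Constructed sample registration (not from the slides): one confidential client that
# authenticates with a client secret at the PAR endpoint.
CLIENTS = {"s6BhdRkqt3": {"secret": "7Fjfp0ZBr1KtDRbnfVdmIw",
                          "redirect_uris": ["https://client.example.org/cb"]}}
REQUEST_URI_PREFIX = "urn:ietf:params:oauth:request_uri:"  # URN prefix defined by RFC 9126
REQUEST_URI_LIFETIME = 60                                  # seconds; request_uri is short-lived
pushed_requests = {}                                       # request_uri -> stored request

def push_authorization_request(client_id, client_secret, params, now):
    """Steps 1-2: client-authenticated POST to the PAR endpoint. The AS validates the
    parameters up front and answers with request_uri and expires_in; the parameters
    themselves never pass through the browser."""
    client = CLIENTS.get(client_id)
    if client is None or not secrets.compare_digest(client["secret"], client_secret):
        return 401, {"error": "invalid_client"}
    if "request_uri" in params:          # RFC 9126 forbids request_uri in a pushed request
        return 400, {"error": "invalid_request"}
    if params.get("client_id", client_id) != client_id:
        return 400, {"error": "invalid_request"}
    if params.get("redirect_uri") not in client["redirect_uris"]:
        return 400, {"error": "invalid_request"}
    request_uri = REQUEST_URI_PREFIX + secrets.token_urlsafe(32)
    pushed_requests[request_uri] = {"client_id": client_id, "params": dict(params),
                                    "expires_at": now + REQUEST_URI_LIFETIME}
    return 201, {"request_uri": request_uri, "expires_in": REQUEST_URI_LIFETIME}

def build_redirect(authz_endpoint, client_id, request_uri):
    """What the client sends through the browser in step 3: only client_id and request_uri."""
    return authz_endpoint + "?" + urlencode({"client_id": client_id, "request_uri": request_uri})

def authorization_endpoint(query, now):
    """Step 3 on the AS: resolve request_uri internally, enforce expiry, client binding
    and one-time use, then continue with the stored parameters."""
    stored = pushed_requests.pop(query.get("request_uri", ""), None)   # one-time use
    if stored is None or now >= stored["expires_at"]:
        return 400, {"error": "invalid_request_uri"}
    if stored["client_id"] != query.get("client_id"):
        return 400, {"error": "invalid_request"}
    return 200, stored["params"]
```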

Slide 43

OAuth 2.0 + JAR + PAR vs OAuth 1.0
The flow is roughly the same

Slide 44

OAuth 2.0 Rich Authorization Requests (Draft 08 as of 2021/10/27)

Slide 45

Overview
• The target of the resource access specified in an authorization request is coarse-grained
  • scope, defined for the OAuth 2.0 authorization request
  • resource, defined in RFC 8707 Resource Indicators for OAuth 2.0
• Defines a parameter that can express things such as a payment request that includes an amount, or fine-grained read/write access to individual files

Slide 46

The authorization_details parameter
Example labels: payment request, retrieval and cancellation; account information retrieval together with payment request, retrieval and cancellation

Slide 47

The authorization_details parameter
• type: the kind of resource access (required)
• locations: the resource or the resource server (where)
• actions: the actions performed on the resource
• datatypes: the kinds of data requested from the resource
• identifier: the identifier of a resource available through the API
• privileges: the type or level of privilege requested on the resource

Slide 48

Expressing OIDC scope with authorization_details
• scope "openid email profile"
• claims
• max_age
• acr_values

Slide 49

Expressing OIDC scope with authorization_details (example shown as an image)

Slide 50

The authorization request
• The URL-encoded value is specified (long)
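Server-side handling of the authorization_details fields listed on slide 47, plus the URL-encoded form of the request that slide 50 points out is long, as an added example (not code from the slides or from the RAR draft): every element must be an object with a string "type" the authorization server knows, the array fields must be arrays of strings, and only the type-specific fields registered for that type are accepted. The registered types and their extra fields are assumptions made for this example.

```python
import json
from urllib.parse import urlencode

# Common fields from the RAR data model; "type" is the only mandatory one.
ARRAY_FIELDS = {"locations", "actions", "datatypes", "privileges"}

# Constructed sample (not from the slides): which "type" values this AS accepts and
# which type-specific fields are allowed for each of them.
REGISTERED_TYPES = {
    "payment_initiation": {"instructedAmount", "creditorName", "creditorAccount"},
    "account_information": set(),
}

def validate_authorization_details(raw: str) -> list:
    """Parse the authorization_details parameter (a JSON array) and check each object."""
    try:
        details = json.loads(raw)
    except json.JSONDecodeError as e:
        raise ValueError(f"authorization_details is not JSON: {e}")
    if not isinstance(details, list) or not details:
        raise ValueError("authorization_details must be a non-empty JSON array")
    for i, obj in enumerate(details):
        if not isinstance(obj, dict) or not isinstance(obj.get("type"), str):
            raise ValueError(f"element {i}: 'type' (string) is required")
        allowed_extra = REGISTERED_TYPES.get(obj["type"])
        if allowed_extra is None:
            raise ValueError(f"element {i}: unknown type {obj['type']!r}")
        for key, value in obj.items():
            if key in ARRAY_FIELDS:
                if not (isinstance(value, list) and all(isinstance(v, str) for v in value)):
                    raise ValueError(f"element {i}: {key} must be an array of strings")
            elif key == "identifier":
                if not isinstance(value, str):
                    raise ValueError(f"element {i}: identifier must be a string")
            elif key != "type" and key not in allowed_extra:
                raise ValueError(f"element {i}: field {key!r} not allowed for type {obj['type']!r}")
    return details

def authorization_query(params: dict, details: list) -> str:
    """Serialize the request as slide 50 describes: authorization_details travels as
    URL-encoded JSON in the query string, which is why it gets long."""
    return urlencode({**params, "authorization_details": json.dumps(details, separators=(",", ":"))})
```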

Slide 51

Affinity with PAR / RAR
• Parameter length
• Security
  • To prevent tampering…
• Privacy
  • To prevent leakage…

Slide 52

Summary
• Introduced three specs related to the authorization request
• Understand each spec while keeping in mind the mechanisms that make data exchanged through the User-Agent safe
• Understand the more fine-grained way of expressing resource access requests together with its use cases

Slide 53

Finally
• Let's do the Advent Calendar again this year
• How to take part
  • Declare that you are participating (probably on Qiita again this year)
  • Prepare an article you can publish during December (it doesn't have to be on Qiita)