OAuth, TxAuth @ IETF 107 Ryo Kajiwara @ lepidum

؆୯ʹഎܠ঺հ OAuthͦͷ΋ͷͷenhancementsͷ΄͔ɺ OAuthͷεϖοΫ஍ࠈʢਤ͸Justin Richer ࢯͷXYZ঺հεϥΠυΑΓ࠶ߏ੒ͨ͠΋ ͷʣʹରԠ͢ΔͨΊʹҎԼͷಈ͖͕ग़ͯ ͖ͨ: • OAuth 2.0ͱՄೳͳݶΓޓ׵ੑΛอͬ ͨ··ෆཁͳ࢓༷Λ੾Γࣺͯͯ৽͘͠ υΩϡϝϯτΛ࡞Δ OAuth 2.1 • ޓ׵ੑΛؾʹͤͣ৽͍͠Ϣʔεέʔε ΋ΧόʔͰ͖ΔΑ͏ʹ͢Δ XYZ

؆୯ʹഎܠ঺հ • OAuthͷ4ͭͷGrant(Flow)ͷ͏ͪɺResource Owner Password Credentials͸MUST NOT implementɺImplicit Grant͸SHOULD NOT useͱͳͬͨ • ͨͩ͠Implicit Grant͸Sender-Constrained Access TokenΛ༻͍ͳ ͍ݶΓͱ͍͏ୠ͠ॻ͖͕͍͍ͭͯΔ • Sender-Constrainedͱ͸: ΞΫηετʔΫϯͷൃߦઌͱར༻ऀͷ ҰகΛద੾ʹอূͰ͖Δੑ࣭Λ࣋ͭΞΫηετʔΫϯͷ͜ͱ • ݱࡏҰൠతͳͷ͸ͦͷ۠ผͷͳ͍BearerτʔΫϯ

ৄ͘͠͸લճͷεϥΠ υݟͯ https:/ /speakerdeck.com/sylph01/ oauth-transactional-authorization- at-ietf106

OAuth

ओͳupdate • OAuth 2.0 Token Exchange -> RFC 8693 (2020/1) • OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens -> RFC 8705 (2020/2) • Resource Indicators for OAuth 2.0 -> RFC 8707 (2020/2) • JSON Web Token Best Current Practices -> RFC 8725 (2020/2)

ओͳupdate • OAuth 2.0 Security Best Current Practice: ߋ৽தɻݱࡏdraft-15 • OAuth 2.0 Pushed Authorization Requests͕WG documentԽ • OAuth 2.0 Rich Authorization Requests͕WG documentԽ • DPoP (Demonstration of Proof-of-Possession at the Application Layer)͕WG documentԽ • JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens͕WGLC

ਐߦதͷI-D (IETF 106͔Βͷࠩ෼) • The OAuth 2.1 Authorization Framework (draft-parecki-oauth- v2-1-01) • OAuth 2.0 DPoP for the Implicit Flow (draft-jones-oauth-dpop- implicit-00) • The OAuth 2.0 Authorization Framework: Claims (draft-spencer- oauth-claims-01)

TxAuth Transactional Authorization and Delegation

charterͷٞ࿦ ࣄલͷconsensus callͰWGܗ੒ʹ͍ͭͯ20ਓ͔Βࢍ੒ɺ1ਓ͔Β൓ ରɻ Agenda BashingʹͯCharterʹ͓͚Δ"Identity"ͷ༻๏ʹ͍ͭͯࢦఠ ͕͋ΓɺAgenda Bashingͷ࣌ؒ͸΄΅͜ͷٞ࿦Ͱ઎ΊΔ͜ͱͱ ͳͬͨɻ۩ମతʹ͸ɺOAuthʹ͓͍ͯ͸Identity֓೦͸ѻ͓ͬͯΒ ͣɺOpenID ConnectͰॳΊͯೝূͷ֓೦͕ਖ਼ࣜʹొ৔͢Δ΋ͷͷɺ ͜ΕΒΛ࠶ར༻͢Δͱͨ͠Charterͷείʔϓ͕Ͳ͜·ͰΛѻ͏͔ ʹ͍ͭͯ໌֬Խ͢Δඞཁ͕͋Δɺͱͷࢦఠɻ

Identityʹ͍ͭͯɺิ଍ ޙʹѻ͏XYZͱXAuthͰ͸OpenID ConnectͰొ৔ͨ͠Identity Claims ֓೦Λ࠷ॳ͔ΒϓϩτίϧϨϕϧͰαϙʔτ͍ͯ͠Δʹʮ࠶ར༻ ͍ͯ͠Δʯɻ ͜Ε͕ʮ୯ͳΔೝՄ͞Ε͏Δ৘ใͷҰछʯͳͷ͔ɺʮIdentityʹؔ ΘΔ΋ͷͱͯ͠ಛผѻ͍͢΂͖΋ͷʯͳͷ͔ʹҙݟͷ૬ҧ͕͋ Δɺͱ͍͏ೝࣝɻ OpenID Connectͱ͍͏ଞͷSDOͰٞ࿦͞Ε͍ͯΔωλΛઆ໌φγʹ IETFʹ࣋ͪࠐΉͳɺͱ͍͏࿩΋͋Δɻ

XYZ ΄΅લճઆ໌ͨ͠௨ΓͳͷͰུɻ

XAuth 2020೥ʹͳͬͯର߅അͱͯ͠৽ͨʹొ৔ͨ͠ఏҊن֨ɻ ฏͨ͘ݴ͏ͳΒ͹ɺGrant֓೦Λத৺ʹɺClient͕GrantΛੜ੒͠ૢ ࡞͢ΔRESTful APIͱͯ͠ೝՄͷ࢓૊ΈΛ੔උ͠௚ͨ͠ن֨ɻXYZ͕ TransactionʢೝՄΛΊ͙ΔऔҾʣΛத৺ʹ͍ͯ͠Δͷʹର͠ɺ XAuth͸ೝՄͷत༩(Grant)ΛΊ͙ͬͯClient͕Grant Serverʹରͯ͠ ૢ࡞Λߦ͏ɺͱ͍͏த৺֓೦ͷҧ͍͕͋Δɻ

XYZ vs XAuth Interaction • XYZ: redirect, user_code, didcomm ͱ͍ͬͨՄೳͳΠϯλϥΫ γϣϯΛ͢΂ͯྻڍ͢ΔɻAS͸Մೳͳinteraction capabilityͰԠ ౴ɺϙϦγʔʹج͍ͮͯཁٻ͢Δ • XAuth: Client͸redirectΛߦ͏͜ͱ͕Ͱ͖Δ͔ɺͦΕͱ΋indirect ͳinteractionΛඞਢͱ͢Δ͔Λࢦఆ͢ΔɻGS͸ར༻͢΂͖ύϥ ϝʔλͰԠ౴͠ɺαϙʔτ͞Ε͍ͯͳ͚Ε͹Τϥʔ

XYZ vs XAuth Data Representation • XYZ: TransactionΛத৺֓೦ͱ͢ΔɻTransactionΛͱΓ·͘ InteractionͷͨΊʹ୯ҰͷURLΛར༻͢ΔɻhandleΛ࢖ͬͯϦΫ Τετؒͷܧଓੑ(≒Transactionͷܧଓ)Λද͢ɻ • XAuth: RESTfulͳϓϩτίϧɻGS URI͕GSͷࣝผࢠͰ͋Γɺ GrantΛੜ੒͢ΔͨΊͷURIɻURIΛ௨ͯ͠Grant΍Authorizationͱ ରԠ͢ΔΞΫηετʔΫϯΛؔ࿈͚ͮΔɻ

XYZ vs XAuth Client Authentication • XYZ: Client͸detached JWS, DPoP, OAuth PoP, HTTP Sig, MTLSͳͲ ͷʮҰൠతͳʯํ๏Λ࢖ͬͯbound keysͷuseΛূ໌͢ΔɻRSʹ ͍ͭͯ΋ಉ༷ʹରԠ͍ͯ͠Δkey binding mechanismΛར༻͢ Δɻ • XAuth: Client͸XYZͱಉ༷ʹbound keysͷuseΛGSͷauth mechanismͰূ໌͢Δ͕ɺσϑΥϧτ͸JOSEΛ༻͍Δ ɻRS΁ͷΞΫηε͸OAuth 2.0ಉ༷Bearer tokenɻ֦ு͸Մ

XYZ vs XAuth OAuth / OIDC Compatibility • XYZ: Clientͷࣝผʹ͸Key HandleΛ༻͍ΔɻID Token claimsͷα ϙʔτ͕͋Δɻresource handleΛ༻͍ͨscopeʹΑΔRich Resource Requestɻtransaction handleΛ༻͍ͨaccess token refreshɻOIDC UserInfo Endpointͷར༻͕Մೳɻ • XAuth: OAuth 2.0ಉ༷Client IDͰClientΛࣝผɻDynamic Client͸ public key valueͰࣝผ(XYZಉ༷)ɻOAuth scopeͷͦͷ··ͷར ༻ɻRAR͕ͦͷ··ར༻ԽɻOIDC ClaimΛͦͷ··ར༻Մɻ

XYZ vs XAuth Discovery • XYZ: Transaction EndpointͰ͢΂ͯͷૢ࡞Λ։࢝͢ΔɻClient͸Մ ೳͳCapabilityͷϦετΛASʹૹ৴ɺAS͸ͦͷத͔Βαϙʔτ͠ ͍ͯΔ΋ͷͷҰཡΛฦ͢ɻ • XAuth: Client͸GS URI/Grant URI/AuthZ URIʹOPTIONS callΛ͢Δ ͜ͱͰGSͷcapabilityΛ஌Δ

No content

·ͱΊɺࢲݟ • ݱ୅OAuthͷେ͖ͳ՝୊͸Sender-Constrainedੑͱͷಆ͍ • oauth WGͷworkͷ͏ͪɺMutual-TLS Client Authentication(RFC 8705)͸ͦͷ࣮ݱͷͨΊͷେ͖ͳҰาͰ͋ΓɺDPoPͷWG itemԽ ΋ͦͷྲྀΕΛ἞ΜͰ͍Δͱ͍͑Δ • XYZɺXAuth͸τʔΫϯͷSender-ConstrainedੑΛ৫ΓࠐΜ্ͩ Ͱ৽ͨͳϢʔεέʔεΛαϙʔτ͢Δ͜ͱΛ໨తͱ͍ͯ͠Δ • ͔͠͠ͲͬͪͰ·ͱ·ΔΜͩΖ͏…