Slide 1
OAuth, Transactional Authorization, and other security-related stuff. Ryo Kajiwara @ lepidum. IETF 106 Report Session, ISOC-JP
Slide 3
Why OAuth Now?
Slide 5
This talk is basically an extension of this article: https://lepidum.co.jp/blog/2019-12-03/future-of-oauth/
Slide 6
Was OAuth 2.0 too early for humanity? I won't go that far, but it has far too many extensions and amendments.
Slide 7
OAuth 2.0 refresher. OAuth 2.0 (RFC 6749) offers the following ways to obtain an access token:
• Authorization Code Grant
• Implicit Grant
• Resource Owner Password Credentials Grant
• Client Credentials Grant
(Each is explained briefly on the following slides.)
Slide 14
The difference is not intuitively obvious, but the decisive difference between the Client Credentials Grant and the other grants is that it is for the case where the client itself is the resource owner: the Authorization Server returns an access token on the strength of client authentication alone.
Slide 15
What's wrong with it (1)
• The Implicit Grant returns the access token itself inside the redirect URL.
• Under HTTPS the request and response headers and bodies are encrypted, but...
• Example: if the user is bounced through an open redirector, the access token ends up in that server's access log...
• Example: following a link leaks the token via the Referer...
Slide 16
What's wrong with it (2)
• With the Resource Owner Password Credentials Grant, as the diagram shows, the intermediary client gets to learn the resource owner's password.
• Wasn't the whole point of OAuth to grant authority via access tokens so that you don't have to authenticate with a password every time...?
• So it was intended from the start as a migration aid. Yet implementations that still use it exist today...
• The latest Security BCP says MUST NOT use.
Slide 17
Put plainly:
• Reading RFC 6749 alone is no longer sufficient.
• There is a mountain of related documents.
• A movement to fix this has emerged.
Slide 19
OAuth 2.1
Slide 20
What is this? A proposal that made its first appearance at this meeting: since the OAuth-related documents are scattered all over the place, write a single document that lets you implement OAuth correctly just by reading it. Concretely, it was proposed as the best parts of RFC 6749 (OAuth 2.0 core) + draft-ietf-oauth-security-topics-13 (OAuth Security BCP) + RFC 8628 (Device Flow) ("OAuth: the Good Parts").
Slide 21
In OAuth 2.0 it was like this:
• Authorization Code Grant
• Implicit Grant
• Resource Owner Password Credentials Grant
• Client Credentials Grant
Slide 22
In OAuth 2.1 it becomes this:
• Authorization Code Grant
• However, PKCE (Proof Key for Code Exchange; RFC 7636) becomes mandatory, so strictly speaking it is not backward compatible with 2.0 just because it is the AuthCode grant.
• Implicit Grant
• Resource Owner Password Credentials Grant
• Client Credentials Grant
• Device Grant
Slide 23
PKCE
I explained that with Implicit the access token can be taken from part of the URL, but with the Authorization Code Grant, too, an Authorization Code that can be exchanged for an access token comes back in the URL, and an attacker can obtain it. A malicious application living alongside the legitimate client on an end device such as a smartphone can exploit this to hijack the access token. PKCE's role is to prevent attacks based on hijacking the Authorization Code by means of a challenge-response.
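The challenge-response described above, as an added example that is not part of the original deck: a client derives the S256 code_challenge from its secret code_verifier, and a toy Authorization Server (constructed here, not any real implementation) refuses to redeem an authorization code unless the presented verifier hashes to the stored challenge.

```python
import base64
import hashlib
import secrets

# Added example (not from the slides): PKCE (RFC 7636) with the S256 method.
# The client keeps code_verifier to itself and sends only code_challenge in
# the authorization request, so a malicious app that captures the
# authorization code from the redirect URL cannot redeem it.

def b64url(data: bytes) -> str:
    """base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def make_code_verifier(nbytes: int = 32) -> str:
    """32 random bytes encode to 43 unreserved characters (RFC 7636 allows 43..128)."""
    return b64url(secrets.token_bytes(nbytes))

def code_challenge_s256(code_verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())

class AuthorizationServer:
    """Toy AS (constructed): remembers the challenge per issued code, checks the verifier on redemption."""

    def __init__(self) -> None:
        self._codes = {}  # authorization code -> code_challenge (S256 only)

    def authorize(self, code_challenge: str) -> str:
        """Authorization endpoint: issue a code bound to the client's challenge."""
        code = b64url(secrets.token_bytes(24))
        self._codes[code] = code_challenge
        return code

    def token(self, code: str, code_verifier: str) -> bool:
        """Token endpoint: release a token only if SHA256(verifier) matches the stored challenge."""
        challenge = self._codes.get(code)
        if challenge is None:
            return False  # unknown, expired or already redeemed code
        if not secrets.compare_digest(code_challenge_s256(code_verifier), challenge):
            return False  # verifier does not match: whoever sent this did not start the flow
        del self._codes[code]  # a code is single use
        return True

def demo() -> tuple:
    """Hijack attempt with only the code fails; the real client succeeds; replay fails."""
    auth_server = AuthorizationServer()
    verifier = make_code_verifier()
    code = auth_server.authorize(code_challenge_s256(verifier))  # code travels in the redirect URL
    hijacked = auth_server.token(code, make_code_verifier())      # rogue app has the code, not the verifier
    legit = auth_server.token(code, verifier)
    replay = auth_server.token(code, verifier)
    return hijacked, legit, replay
```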
Slide 25
What happens next? At IETF 106 a side meeting was held to discuss how to proceed. Most participants voiced concern about the complexity of OAuth itself and the fact that RFC 6749, the foundational document, contains provisions that can no longer be used today; on the other hand, they also voiced concern about the difficulty of running the txauth work (explained next) in parallel with the OAuth WG's work.
Slide 27
txauth: Transactional Authorization and Delegation
Slide 28
What does "transactional" mean in the first place? The framing in https://datatracker.ietf.org/meeting/106/materials/slides-106-txauth-annabelle is very easy to follow: "How do we send the end user into another context in the middle of a process and bring them back?"
(Example) I told a smart speaker to buy a book, but the purchase failed for some reason. With the authorization mechanisms we have had so far, by the time the problem that caused the purchase to fail was resolved, the instruction "this is a book purchase" had been forgotten.
Slide 29
What does "transactional" mean in the first place?
• On the shop's site: I want to buy a book, but my balance is insufficient.
• On the payment provider's site: authenticate, top up the balance.
• Back on the shop's site: resume the transaction → the balance is now sufficient, so purchase.
Slide 30
What does "transactional" mean in the first place? My rough interpretation: treat the procedure for obtaining authorization to perform some action as a single transaction, and progressively attach to that transaction the background information the authorization needs (the access token, the attribute information used to obtain it, or the proof used to authenticate the resource owner).
Slide 31
XYZ
Slide 32
What is XYZ? A provisional name for the protocol that realizes Transactional Authorization. Its proposer sometimes calls it OAuth 3.0. In IETF terms it is draft-richer-transactional-authz-04. It is a protocol built on the question: what if we ignored compatibility with OAuth 2.0 and redesigned the authorization function from scratch? The txauth BoF was held to form a new WG, based on this proposal, which had previously been presented in the OAuth WG.
Slide 33
Main problems it wants to solve
• Front-channel protection
• Many extensions have sprung up just to protect the way information is passed between the browser and the server.
• Dynamic registration
• OAuth was built with static client registration in mind, but in practice clients are often added dynamically, and this leads to security problems in areas such as redirect URI validation.
Slide 34
Main problems it wants to solve
• The definition of scope
• What do you want to access?
• What kind of capability? (openid in OIDC is an example)
• Which resource server?
• ...
https://datatracker.ietf.org/meeting/106/materials/slides-106-txauth-limitations-of-oauth-2
Slide 35
Features (1). Following the slides at https://datatracker.ietf.org/meeting/106/materials/slides-106-txauth-xyz:
• The client starts a transaction by specifying which resources it wants (p.10), how it identifies itself (p.11-16, including how it proves possession of its key), and the interaction with the user (p.17-19).
• If that information is not enough, the server specifies an interaction URL, meaning "next I need this information" (p.23).
Slide 36
Features (2)
• Only at this point does the user interact over the front channel for the first time (p.24).
• After the user has interacted with the server, the Authorization Server generates an "interaction handle" and its hash (p.27-29) and returns them to the client.
• The client resumes the transaction using the "transaction handle" and the "interaction handle" (p.32).
• A handle is a reference to something that happened earlier.
Slide 37
Proposals other than XYZ: Rich and Pushed Authorization Requests
• https://datatracker.ietf.org/doc/draft-lodderstedt-oauth-rar/
• https://datatracker.ietf.org/doc/draft-lodderstedt-oauth-par/
Slide 38
Rich Authorization Requests. An extension of OAuth 2.0 proposed so that OAuth can be used in domains that demand strong security, such as finance. In such use cases permissions are defined at a very fine granularity, which the current OAuth scope cannot fully express; nor can current OAuth perform fine-grained control such as issuing access tokens specific to a particular server.
Slide 39
Rich Authorization Requests. Solutions that already exist in the wild:
• the scope_details parameter extension (PolishAPI)
• expressing what is permitted through a separate resource (UK OB, NextGenPSD2, yes.com)
The aim is to generalize these.
Slide 40
Pushed Authorization Requests. A mechanism in which the contents of the Authorization Request are pushed to the Authorization Server in advance, yielding a dedicated Authorization Request URI. Because the information needed for client authentication can be pushed ahead of time, stronger authentication becomes possible. The important point is that the URL is obtained beforehand via a POST request (the body is protected by HTTPS).
Slide 41
Other WG Business
• Update of the Security BCP
• OAuth 2.0 guidance for browser-based apps
• DPoP (Demonstration of Proof-of-Possession at the Application Layer)
• The beginning of the slide deck summarizes the history of PoP for Sender-Constrained Access Tokens
Slide 42
Sender-Constrained Access Token. As the name says, a way of tying an access token's capabilities to one specific sender, using information that only that sender can know (as opposed to a Bearer token, which grants access to whoever holds the token). Methods such as Token Binding (draft-ietf-oauth-token-binding-08) and Mutual TLS Client Authentication (draft-ietf-oauth-mtls-17) have been proposed, but both are work in progress.
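The bearer-versus-sender-constrained distinction above, as an added example that is not from the deck: a resource server check for a certificate-bound token, assuming the x5t#S256 confirmation claim defined by draft-ietf-oauth-mtls; the token is a plain dict and the "certificates" are constructed byte strings standing in for DER.

```python
import base64
import hashlib
import hmac

# Added example (not from the slides): the resource-server check behind a
# certificate-bound (sender-constrained) access token, following the
# x5t#S256 confirmation claim of draft-ietf-oauth-mtls. The token is a plain
# dict and the "certificates" are constructed byte strings standing in for DER.

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def cert_thumbprint_s256(cert_der: bytes) -> str:
    """x5t#S256: base64url(SHA-256(DER-encoded certificate))."""
    return b64url(hashlib.sha256(cert_der).digest())

def bind_token(claims: dict, client_cert_der: bytes) -> dict:
    """AS side: record the thumbprint of the cert the client used at the token endpoint."""
    bound = dict(claims)
    bound["cnf"] = {"x5t#S256": cert_thumbprint_s256(client_cert_der)}
    return bound

def accept_bearer(token: dict, required_scope: str) -> bool:
    """Bearer semantics: whoever presents the token gets in."""
    return required_scope in token.get("scope", "").split()

def accept_sender_constrained(token: dict, required_scope: str, presented_cert_der) -> bool:
    """Sender-constrained semantics: the TLS client cert on this request must match cnf."""
    if not accept_bearer(token, required_scope):
        return False
    expected = token.get("cnf", {}).get("x5t#S256")
    if expected is None or presented_cert_der is None:
        return False  # unbound token, or no client certificate on this connection
    return hmac.compare_digest(expected, cert_thumbprint_s256(presented_cert_der))

def demo() -> tuple:
    legit_cert = b"constructed DER bytes: legitimate client"
    other_cert = b"constructed DER bytes: some other client"
    token = bind_token({"sub": "alice", "scope": "read"}, legit_cert)
    return (
        accept_bearer(token, "read"),                          # True: bearer ignores the sender
        accept_sender_constrained(token, "read", legit_cert),  # True: same cert as at issuance
        accept_sender_constrained(token, "read", other_cert),  # False: token replayed by another sender
        accept_sender_constrained(token, "read", None),        # False: no mutual TLS on this request
    )
```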
Slide 44
Advertisement: at Gijutsu Shoten 8, day 1 (2/29), a Japanese-language XYZ explainer book will be out. https://cryptic-command.net/