Slide 1

Slide 1 text

OAuth, Transactional Authorization, and other security-related stuff. Ryo Kajiwara @ lepidum, IETF106 Report Session, ISOC-JP

Slide 2

Slide 2 text

No content

Slide 3

Slide 3 text

Why OAuth Now?

Slide 4

Slide 4 text

No content

Slide 5

Slide 5 text

This talk is basically an extended version of this article: https://lepidum.co.jp/blog/2019-12-03/future-of-oauth/

Slide 6

Slide 6 text

OAuth 2.0: too far ahead of its time for humanity? I would not go that far, but it does have a "too many extensions and fixes" problem.

Slide 7

Slide 7 text

A review of OAuth 2.0
OAuth 2.0 (RFC 6749) defines these ways of obtaining an access token:
• Authorization Code Grant
• Implicit Grant
• Resource Owner Password Credentials Grant
• Client Credentials Grant
(Each is explained briefly on the following slides.)

Slide 8

Slide 8 text

No content

Slide 9

Slide 9 text

No content

Slide 10

Slide 10 text

No content

Slide 11

Slide 11 text

No content

Slide 12

Slide 12 text

No content

Slide 13

Slide 13 text

No content

Slide 14

Slide 14 text

Intuitively the difference is hard to see, but what decisively sets this grant (Client Credentials) apart from the others is that it is for the case where the client itself is the resource owner: the Authorization Server returns an access token on the strength of client authentication alone.

Slide 15

Slide 15 text

What is wrong with it (1)
• With the Implicit Grant, the problem is that the access token itself is returned inside the redirect URL.
• Under HTTPS the request and response headers and bodies are encrypted, but…
• Example: if the user is bounced through an open redirector, the access token ends up in that server's access log…
• Example: if the user follows a link, the token leaks through the Referer header…

Slide 16

Slide 16 text

What is wrong with it (2)
• With the Resource Owner Password Credentials Grant, as the annotation on the picture says, the client in the middle gets to learn the resource owner's password.
• Wasn't the whole point of OAuth to grant authority with an access token precisely so you do not have to authenticate with a password every time…?
• So it was only ever intended as a migration aid. Yet implementations that still use it exist…
• The latest Security BCP says it MUST NOT be used.

Slide 17

Slide 17 text

Put plainly
• Reading RFC 6749 alone is no longer enough
• There is a mountain of related documents
• A movement to fix this has emerged

Slide 18

Slide 18 text

No content

Slide 19

Slide 19 text

OAuth 2.1

Slide 20

Slide 20 text

What is this?
A proposal making its first appearance at this meeting: the OAuth documents are scattered all over the place, so let's write one document that lets you implement OAuth correctly by reading just that one. Concretely, it was proposed as the best parts of RFC 6749 (OAuth 2.0 core) + draft-ietf-oauth-security-topics-13 (OAuth Security BCP) + RFC 8628 (Device Flow), i.e. "OAuth: the Good Parts".

Slide 21

Slide 21 text

In OAuth 2.0 it looked like this
• Authorization Code Grant
• Implicit Grant
• Resource Owner Password Credentials Grant
• Client Credentials Grant

Slide 22

Slide 22 text

In OAuth 2.1 it becomes this
• Authorization Code Grant
  • However, use of PKCE (Proof Key for Code Exchange; RFC 7636) is mandatory, so strictly speaking being Authorization Code does not make it backward compatible with 2.0
• Implicit Grant (dropped)
• Resource Owner Password Credentials Grant (dropped)
• Client Credentials Grant
• Device Grant

Slide 23

Slide 23 text

PKCE
I explained that with Implicit the access token can be read straight out of part of the URL. With the Authorization Code Grant what comes back in the URL is an Authorization Code that can be exchanged for an access token, and an attacker can obtain that too: a malicious application sitting alongside the legitimate client on an end device such as a smartphone can use this value to take over the access token. PKCE's job is to defeat this authorization code interception attack with a challenge-response.

Slide 24

Slide 24 text

No content

Slide 25

Slide 25 text

What happens next?
At IETF 106 a side meeting was held to discuss how to proceed. The large majority of participants shared the concern about the complexity of OAuth itself and about RFC 6749, the root document, containing items that can no longer be used, but at the same time voiced concern about how hard it will be to run this in parallel with the txauth work (explained next) and the OAuth WG's existing work.

Slide 26

Slide 26 text

No content

Slide 27

Slide 27 text

txauth: Transactional Authorization and Delegation

Slide 28

Slide 28 text

What does "transactional" mean in the first place?
The problem statement in https://datatracker.ietf.org/meeting/106/materials/slides-106-txauth-annabelle is very easy to follow: "How do you send the end user off into another context in the middle of a process and bring them back?"
(Example) You tell a smart speaker to buy a book, but for some reason the purchase fails. With the authorization mechanisms we have had so far, by the time the problem that caused the purchase to fail is resolved, the instruction "this is a book purchase" has been forgotten.

Slide 29

Slide 29 text

What does "transactional" mean in the first place?
• What happens on the shop's site
  • The user wants to buy a book
  • But the balance is insufficient
• What happens on the payment provider's site
  • Authentication, topping up the balance
• What happens back on the shop's site
  • The transaction is resumed → the balance is now sufficient, so the purchase goes through

Slide 30

Slide 30 text

What does "transactional" mean in the first place?
My rough interpretation: treat the whole procedure of obtaining authorization to perform some action as one transaction, and attach to that transaction the context the authorization needs (the access token, the attributes needed to obtain the access token, and the proof used to authenticate the resource owner).

Slide 31

Slide 31 text

XYZ

Slide 32

Slide 32 text

What is XYZ?
The provisional name of a protocol that realizes Transactional Authorization. Its proposer sometimes calls it OAuth 3.0. In IETF terms it is draft-richer-transactional-authz-04.
It is a protocol built on the question: what would authorization look like if we ignored compatibility with OAuth 2.0 and designed it from scratch?
The txauth BoF was held to form a new WG based on this proposal, which had been presented within the OAuth WG at the previous meeting.

Slide 33

Slide 33 text

Main problems it wants to solve
• Protecting the front channel
  • A pile of extensions has sprung up just to protect the way information is passed between the browser and the server
• Dynamic registration
  • OAuth was designed with static client registration in mind, but in practice clients are often added dynamically, and that has produced security problems, e.g. in redirect URI validation
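The redirect URI validation problem mentioned above, as an added example that is not from the slides: a prefix check of the kind that loosely validated dynamic registrations tend to end up with, beside the exact-string comparison the Security BCP calls for. The client registration and probe URIs are constructed for the demo.

```python
# Constructed registration data: a dynamically registered client whose redirect URI is just its origin.
REGISTERED_REDIRECT_URIS = {
    "web-client": ["https://app.example"],
}


def redirect_uri_ok_prefix(client_id: str, redirect_uri: str) -> bool:
    """Flawed check: accepts anything that merely starts with a registered value."""
    return any(redirect_uri.startswith(r) for r in REGISTERED_REDIRECT_URIS.get(client_id, []))


def redirect_uri_ok_exact(client_id: str, redirect_uri: str) -> bool:
    """Security BCP rule: compare the full string; no prefix, wildcard or pattern matching."""
    return redirect_uri in REGISTERED_REDIRECT_URIS.get(client_id, [])


# Constructed probes an attacker would send as redirect_uri in the authorization request.
PROBES = {
    "registered": "https://app.example",
    # Different host entirely; the registered origin is only a prefix of the attacker's hostname.
    "lookalike_host": "https://app.example.attacker.test/cb",
    # Same host, but the browser normalises the path to /open-redirect, i.e. not the callback.
    "path_traversal": "https://app.example/cb/../open-redirect?to=https://attacker.test",
    "unrelated_host": "https://attacker.test/?u=https://app.example",
}


def evaluate(client_id: str = "web-client") -> dict:
    """For each probe: (accepted by prefix check, accepted by exact check)."""
    return {
        name: (redirect_uri_ok_prefix(client_id, uri), redirect_uri_ok_exact(client_id, uri))
        for name, uri in PROBES.items()
    }
```

With the prefix check the code (or, under Implicit, the token) is delivered to the attacker's host or to an open redirector on the legitimate host; the exact check only ever accepts the registered string.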

Slide 34

Slide 34 text

Main problems it wants to solve
• The definition of scope
  • The values you want to access?
  • Which feature? (openid in OIDC is an example)
  • Which resource server?
  • …
https://datatracker.ietf.org/meeting/106/materials/slides-106-txauth-limitations-of-oauth-2

Slide 35

Slide 35 text

Features (1)
Following the slides at https://datatracker.ietf.org/meeting/106/materials/slides-106-txauth-xyz:
• The client starts a transaction by stating which resources it wants (p.10), how it identifies itself (p.11-16, including how it proves possession of its key), and how it can interact with the user (p.17-19)
• If that information is not enough, the server says what it needs next by returning an interaction URL (p.23)

Slide 36

Slide 36 text

Features (2)
• Only at this point does the user interact over the front channel for the first time (p.24)
• After the user has interacted with the server, the Authorization Server generates an "interaction handle" and its hash (p.27-29) and returns them to the client
• The client resumes the transaction using the "transaction handle" and the "interaction handle" (p.32)
• A handle is a reference to a previous value
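The two-step transaction described in Features (1) and (2), as an added example that is not from the slides and not the draft's reference implementation: both sides are simulated in one process so the handle mechanics can be traced end to end. The field names (resources, keys, interact, handle, interact_handle) approximate the draft's JSON, the AS class and URLs are constructed, and the interaction hash is modelled on the draft's construction (SHA3-512 over client nonce, server nonce and interaction handle joined by newlines, base64url-encoded); treat that recipe as an assumption and follow the draft you implement.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit


def interaction_hash(client_nonce: str, server_nonce: str, interact_handle: str) -> str:
    """Binds the front-channel callback to both nonces of this transaction (assumed construction)."""
    msg = "\n".join([client_nonce, server_nonce, interact_handle]).encode("utf-8")
    return base64.urlsafe_b64encode(hashlib.sha3_512(msg).digest()).rstrip(b"=").decode("ascii")


def parse_callback(callback_url: str) -> dict:
    """Client helper: pull hash and interaction handle out of the redirect back from the AS."""
    qs = parse_qs(urlsplit(callback_url).query)
    return {"hash": qs["hash"][0], "interact": qs["interact"][0]}


class XyzAuthorizationServer:
    """Toy in-memory AS for this example."""

    def __init__(self) -> None:
        self._tx = {}        # transaction handle -> transaction state
        self._interact = {}  # interaction id (from the URL) -> transaction handle

    def transaction(self, request: dict) -> dict:
        """POST /transaction: a fresh request, or a continuation carrying the handles."""
        if "handle" in request:
            return self._resume(request)
        tx_handle = secrets.token_urlsafe(16)
        interact_id = secrets.token_urlsafe(8)
        self._tx[tx_handle] = {
            "resources": request["resources"],
            "key": request["keys"],
            "callback": request["interact"]["callback"]["uri"],
            "client_nonce": request["interact"]["callback"]["nonce"],
            "server_nonce": secrets.token_urlsafe(16),
            "interact_handle": None,
            "approved": False,
        }
        self._interact[interact_id] = tx_handle
        # Not enough to decide yet: hand back a transaction handle and say where to send the user.
        return {"handle": tx_handle,
                "interaction_url": f"https://as.example/interact/{interact_id}",
                "server_nonce": self._tx[tx_handle]["server_nonce"]}

    def user_interaction(self, interaction_url: str, approve: bool) -> str:
        """Front channel: the user visits the interaction URL, authenticates and decides.
        The AS mints an interaction handle plus its hash and redirects to the client's callback."""
        interact_id = interaction_url.rsplit("/", 1)[1]
        tx = self._tx[self._interact.pop(interact_id)]  # the interaction URL is single use
        handle = secrets.token_urlsafe(16)
        tx["approved"] = approve
        tx["interact_handle"] = handle
        h = interaction_hash(tx["client_nonce"], tx["server_nonce"], handle)
        return f"{tx['callback']}?hash={h}&interact={handle}"

    def _resume(self, request: dict) -> dict:
        tx = self._tx.get(request["handle"])
        if tx is None or tx["interact_handle"] is None:
            return {"error": "unknown_handle"}
        if not hmac.compare_digest(tx["interact_handle"], request.get("interact_handle", "")):
            return {"error": "invalid_interaction_handle"}
        tx["interact_handle"] = None  # each interaction handle is redeemed exactly once
        if not tx["approved"]:
            return {"error": "user_denied"}
        # The token is tied to the key the client presented in its very first request.
        return {"access_token": {"value": secrets.token_urlsafe(24), "key": tx["key"]},
                "resources": tx["resources"]}


def client_flow(as_: XyzAuthorizationServer, approve: bool = True) -> dict:
    """The client's side of one transaction (constructed request contents)."""
    nonce = secrets.token_urlsafe(16)
    first = as_.transaction({
        "resources": [{"actions": ["read"], "locations": ["https://rs.example/photos"]}],
        "keys": {"proof": "jwsd", "jwks": {"keys": [{"kty": "EC", "kid": "client-key-1"}]}},
        "interact": {"redirect": True,
                     "callback": {"uri": "https://client.example/return", "nonce": nonce}},
    })
    callback_url = as_.user_interaction(first["interaction_url"], approve)
    cb = parse_callback(callback_url)
    # Before resuming, check the callback really belongs to this transaction: both nonces must match.
    expected = interaction_hash(nonce, first["server_nonce"], cb["interact"])
    if not hmac.compare_digest(expected, cb["hash"]):
        return {"error": "callback_hash_mismatch"}
    return as_.transaction({"handle": first["handle"], "interact_handle": cb["interact"]})
```

Two properties worth noting: the client never learns anything about the user except through the handles, and an interaction handle that is guessed, or redeemed twice, gets nothing, because it is only a reference to state the AS already holds.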

Slide 37

Slide 37 text

Proposals other than XYZ: Rich and Pushed Authorization Requests
• https://datatracker.ietf.org/doc/draft-lodderstedt-oauth-rar/
• https://datatracker.ietf.org/doc/draft-lodderstedt-oauth-par/

Slide 38

Slide 38 text

Rich Authorization Requests
An OAuth 2.0 extension proposed with a view to using OAuth in domains that demand strong security, such as finance and government.
In high-security use cases permissions are defined at very fine granularity, but today's OAuth scope cannot fully express this, and today's OAuth has no fine-grained controls such as issuing a resource-server-specific access token.

Slide 39

Slide 39 text

Rich Authorization Requests
Solutions that already exist in the wild:
• a scope_details parameter extension (PolishAPI)
• expressing the consent as a separate resource (UK OB, NextGenPSD2, yes.com)
RAR wants to generalize these.

Slide 40

Slide 40 text

Pushed Authorization Requests
A mechanism in which the client pushes the contents of the authorization request to the Authorization Server in advance and receives a dedicated request URI (request_uri) for it.
Because the information needed for client authentication can be pushed ahead of time, stronger client authentication becomes possible.
It also matters that the URI is obtained beforehand through a POST request (the body is protected by HTTPS).
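The PAR mechanism, carrying a RAR-style authorization_details payload so that both proposals above are visible in one flow, as an added example that is not from the slides or the drafts. The AS class, the client registry with a shared secret (stand-in for the stronger client authentication PAR is meant to enable), the 60-second lifetime and the payment request are all constructed for the demo; the urn:ietf:params:oauth:request_uri: prefix and the authorization_details "type" requirement are from the drafts.

```python
import hmac
import json
import secrets
import time

# Constructed client registry. Real deployments would use private_key_jwt or mTLS here,
# which is exactly what running the request on the back channel makes practical.
CLIENTS = {"bank-app": "s3cret-constructed"}


class AuthorizationServer:
    """Toy in-memory AS with a PAR endpoint and an authorization endpoint (example only)."""

    PAR_LIFETIME = 60  # seconds a request_uri stays valid

    def __init__(self, now=time.time) -> None:
        self._now = now
        self._pushed = {}  # request_uri -> (client_id, params, expires_at)

    def par(self, client_id: str, client_secret: str, params: dict) -> dict:
        """POST to the PAR endpoint: everything rides in an HTTPS body, never in a browser URL."""
        secret = CLIENTS.get(client_id)
        if secret is None or not hmac.compare_digest(secret, client_secret):
            return {"error": "invalid_client"}
        if "request_uri" in params:  # a pushed request may not itself reference one
            return {"error": "invalid_request"}
        if "authorization_details" in params:  # RAR payload: validate structure before the user sees anything
            try:
                details = json.loads(params["authorization_details"])
            except ValueError:
                return {"error": "invalid_authorization_details"}
            if not isinstance(details, list) or not all(isinstance(d, dict) and "type" in d for d in details):
                return {"error": "invalid_authorization_details"}
        request_uri = "urn:ietf:params:oauth:request_uri:" + secrets.token_urlsafe(16)
        self._pushed[request_uri] = (client_id, dict(params), self._now() + self.PAR_LIFETIME)
        return {"request_uri": request_uri, "expires_in": self.PAR_LIFETIME}

    def authorize(self, query: dict) -> dict:
        """GET on the authorization endpoint: the front channel carries only client_id and request_uri."""
        entry = self._pushed.pop(query.get("request_uri"), None)  # single use
        if entry is None:
            return {"error": "invalid_request_uri"}
        client_id, params, expires_at = entry
        if client_id != query.get("client_id"):
            return {"error": "invalid_request"}
        if self._now() > expires_at:
            return {"error": "expired_request_uri"}
        # From here on the AS works from the pushed, already validated parameters.
        return {"client_id": client_id,
                "redirect_uri": params["redirect_uri"],
                "authorization_details": json.loads(params.get("authorization_details", "[]"))}


# Constructed RAR-style request: what a scope string cannot say, authorization_details spells out.
PAYMENT_REQUEST = {
    "response_type": "code",
    "client_id": "bank-app",
    "redirect_uri": "https://bank-app.example/cb",
    "authorization_details": json.dumps([{
        "type": "payment_initiation",
        "actions": ["initiate"],
        "locations": ["https://bank.example/payments"],
        "instructedAmount": {"currency": "EUR", "amount": "123.50"},
        "creditorName": "Merchant A",
    }]),
}


def run_demo(now=time.time) -> dict:
    """Push, then redeem the request_uri once; the second redemption must fail."""
    as_ = AuthorizationServer(now)
    pushed = as_.par("bank-app", "s3cret-constructed", PAYMENT_REQUEST)
    first = as_.authorize({"client_id": "bank-app", "request_uri": pushed["request_uri"]})
    replay = as_.authorize({"client_id": "bank-app", "request_uri": pushed["request_uri"]})
    return {"pushed": pushed, "first": first, "replay": replay}
```

The `now` parameter is only there so the expiry can be exercised deterministically; in production the AS uses the real clock.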

Slide 41

Slide 41 text

Other WG Business
• Update to the Security BCP
• OAuth 2.0 guidance for browser-based apps
• DPoP (Demonstration of Proof-of-Possession at the Application Layer)
  • The opening of its slides summarizes the history of PoP for sender-constrained access tokens

Slide 42

Slide 42 text

Sender-Constrained Access Token
As the name says, a way of tying an access token's capability to one specific sender, using information only that sender can know (as opposed to a bearer token, which grants access to whoever holds it).
Methods such as Token Binding (draft-ietf-oauth-token-binding-08) and Mutual TLS Client Authentication (draft-ietf-oauth-mtls-17) have been proposed, but both are still work in progress.
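The bearer-versus-sender-constrained distinction made concrete with the certificate-bound token check from the mTLS draft, as an added example that is not from the slides: the AS writes the client certificate's thumbprint into the token's cnf claim, and the resource server compares it with the certificate presented on the TLS connection that carries the request. The certificate byte strings are constructed placeholders (real ones are the X.509 DER from the TLS handshake), and the token is a plain dict assumed to have been signature-checked already; the x5t#S256 claim and its encoding are from the draft.

```python
import base64
import hashlib
import hmac
from typing import Optional


def x5t_s256(cert_der: bytes) -> str:
    """Certificate thumbprint as carried in cnf: base64url(SHA-256(DER)) without padding."""
    return base64.urlsafe_b64encode(hashlib.sha256(cert_der).digest()).rstrip(b"=").decode("ascii")


def issue_bound_token(claims: dict, client_cert_der: bytes) -> dict:
    """AS side: bind the token to the certificate the client authenticated with over mTLS."""
    bound = dict(claims)
    bound["cnf"] = {"x5t#S256": x5t_s256(client_cert_der)}
    return bound


def resource_server_accepts(token: dict, presented_cert_der: Optional[bytes]) -> bool:
    """RS side: after validating the token itself, require the TLS-layer client certificate
    to match cnf. A token without cnf is a bearer token and this RS's policy rejects it."""
    expected = (token.get("cnf") or {}).get("x5t#S256")
    if expected is None or presented_cert_der is None:
        return False
    return hmac.compare_digest(x5t_s256(presented_cert_der), expected)


# Constructed stand-ins for DER-encoded certificates.
CLIENT_CERT = b"-- constructed DER bytes for the legitimate client's certificate --"
ATTACKER_CERT = b"-- constructed DER bytes for a certificate the attacker controls --"


def run_demo() -> dict:
    """The same stolen token is replayed without a certificate and with the attacker's own."""
    token = issue_bound_token({"iss": "https://as.example", "sub": "alice", "scope": "read"}, CLIENT_CERT)
    return {
        "legit_client": resource_server_accepts(token, CLIENT_CERT),
        "stolen_no_cert": resource_server_accepts(token, None),
        "stolen_attacker_cert": resource_server_accepts(token, ATTACKER_CERT),
        "plain_bearer": resource_server_accepts({"iss": "https://as.example", "sub": "alice"}, CLIENT_CERT),
    }
```

The attacker holds the token but not the private key behind CLIENT_CERT, so the only certificate it can present on its own TLS connection produces a different thumbprint; the token's cnf claim, not the TLS layer alone, is what ties the two together.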

Slide 43

Slide 43 text

No content

Slide 44

Slide 44 text

Plug: 技術書典 8 (Technical Book Fest 8), day 1 (2/29): the first Japanese-language book explaining XYZ is coming out. https://cryptic-command.net/