Slide 1

Who Am I? Where Am I? A Chat About Web Authentication

Slide 2

About Miles
Current: Senior Developer @ 104 Corp.; Volunteer @ DevOps Taiwan
Tags: PHP, Docker, DevOps
[email protected] MilesChou

Slide 3


Slide 4

What we'll cover today: Terminology, Scenario, Native App, Security Topics

Slide 5

Terminology: Authentication, Entity, Identifier

Slide 6

Server User

Slide 7

Server User Entity

Slide 8

Server User Entity Identifier

Slide 9

Server User Entity Identifier Miles Miles

Slide 10

Server User Entity Identifier Authentication Miles Miles

Slide 11

Basic security questions
Is a request really issued at the user's own will? Could it have been tampered with? Could it be forged?
Is a response really the server's response? Could it have been tampered with? Could it be forged?

Slide 12

Scenario: Once upon a time, there was a website that offered many services

Slide 13

Hi there, first time here? Everyone who comes for the first time is a stranger to me! So that you stop being a stranger, first agree with me on how I should verify who you are!

Slide 14

Purpose of registration: the user provides credential information (account, password, etc.); the server provides metadata

Slide 15

Registration methods: online registration, registration via private message, offline registration

Slide 16

User Login: as a user, I want to use the services the website provides

Slide 17

Hi there, second time here? Halt! Password? Who goes there? I know you're Miles now, but I have a goldfish memory! Remember to come back and refresh within 24 minutes!

Slide 18

User Login: Challenge; State Management Mechanism

Slide 19

Implementations: Laravel Auth, Zend Authentication

Slide 20

Server-side Authentication: as a server, I want to call the API the website provides

Slide 21

How about Authorization?

Slide 22

Server-side Authentication: Trusted Server (VPN, IP allow-listing, issued tokens, etc.); OAuth 2.0 (Facebook, Google, GitHub, AWS, etc.)

Slide 23

Terminology - OAuth 2.0: Authorization, Resource Owner, Resource Server, Client, Authorization Server

Slide 24

Authorization Server Resource Owner Resource Server Client Authorization Request

Slide 25

Authorization Server Resource Owner Resource Server Client Authorization Grant

Slide 26

Authorization Server Resource Owner Resource Server Client Authorization Grant

Slide 27

Authorization Server Resource Owner Resource Server Client Access Token

Slide 28

Authorization Server Resource Owner Resource Server Client Access Token

Slide 29

Authorization Server Resource Owner Resource Server Client Protected Resource

Slide 30

WeChat secretly linking Facebook? What on earth is going on? Let's watch the video!

Slide 31

WeChat secretly linking Facebook? Facebook implements OAuth 2.0; the WeChat app is the Client; the scope of the authorization

Slide 32

Third-party Login: as an external website, I want to authenticate users through your site

Slide 33

Hi there, are you Miles's sidekick? If Miles has shown his face for you, you may come in! But after a while, I'll check with Miles again whether you're still his sidekick

Slide 34

Third-party Login: OAuth 2.0 (Facebook, Google, GitHub, etc.); OpenID Connect (AppleID, Line, Google, Auth0, etc.); SAML (GitHub, Google, etc.)

Slide 35

Server User Provider Authentication Check

Slide 36

OpenID Connect

Slide 37

OpenID Connect: based on OAuth 2.0; uses a JWT as the ID token; Discovery; Dynamic Client Registration

Slide 38

Authorization Server Client End User Login

Slide 39

Authorization Server Client End User Redirect to Authorization Server scope=openid

Slide 40

Authorization Server Client End User Authorization Request

Slide 41

GET / POST

Slide 42

Authorization Server Client End User Challenge

Slide 43

Authorization Server Client End User User Credentials

Slide 44

Authorization Server Client End User Authorization Request

Slide 45

Authorization Server Client End User Authorization Grant

Slide 46

Authorization Server Client End User Redirect to Client with Code

Slide 47

Authorization Server Client End User Use Code to get Access Token ID Token

Slide 48

ID token

Slide 49

Signature (image source: https://en.wikipedia.org/wiki/File:Private_key_signing.svg)

Slide 50

Signature algorithms
HS256 - HMAC using SHA-256 (Line)
RS256 - RSASSA-PKCS1-v1_5 using SHA-256 (AppleID, Google)
ES256 - ECDSA using P-256 and SHA-256 (AppleID)

Slide 51

Discovery: AppleID, Line, Google

Slide 52

Talking is easy, isn't it? Let's build one and see!

Slide 53

Demo

Slide 54

Native App

Slide 55

Conclusion first: don't use an embedded User Agent; it is both troublesome and dangerous. PKCE can be used to solve this problem.
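An added example, not from the talk, of the PKCE (RFC 7636) exchange between a native app and the authorization server: the app makes a code_verifier and an S256 code_challenge, the server binds the challenge to the authorization code, and the token endpoint only redeems the code for a caller who holds the verifier. The in-memory AuthorizationServer class is a constructed stand-in.

```python
import base64
import hashlib
import secrets


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    """Client side: 32 random bytes give 43 unreserved chars, the RFC 7636 minimum."""
    return b64url(secrets.token_bytes(nbytes))


def code_challenge_s256(verifier: str) -> str:
    """Client side: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Constructed in-memory stand-in for the server's PKCE bookkeeping."""

    def __init__(self):
        self._pending = {}  # authorization code -> code_challenge

    def authorize(self, code_challenge: str, method: str) -> str:
        """Authorization endpoint: bind the challenge to a fresh code."""
        if method != "S256":  # 'plain' gives no protection if the request leaks
            raise ValueError("only S256 is accepted")
        code = b64url(secrets.token_bytes(16))
        self._pending[code] = code_challenge
        return code

    def exchange(self, code: str, code_verifier: str) -> bool:
        """Token endpoint: the code is single-use and must match the verifier."""
        challenge = self._pending.pop(code, None)
        if challenge is None:
            return False
        return secrets.compare_digest(code_challenge_s256(code_verifier), challenge)


def run_flow(server: AuthorizationServer) -> bool:
    """One honest round trip: app -> authorize -> redirect with code -> exchange."""
    verifier = make_code_verifier()
    code = server.authorize(code_challenge_s256(verifier), "S256")
    # Whoever sees only the code (e.g. via the redirect) cannot redeem it
    # without the verifier, which never left the app.
    return server.exchange(code, code_verifier=verifier)
```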

Slide 56

Chrome on Mobile (image source: https://www.ory.sh/oauth2-for-mobile-app-spa-browser/)

Slide 57

App on Mobile (image source: https://www.ory.sh/oauth2-for-mobile-app-spa-browser/)

Slide 58

Security Topic

Slide 59

Basics: TLS, CSRF, XSS, CSP, Same-origin Policy

Slide 60

HTML login: no standard protocol; phishing

Slide 61

Covert Redirect: redirect URL validation
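Added example (not from the slides) of the redirect URL validation named above, as an authorization server would run it before sending a code or token: an exact match against the client's registered URIs, shown next to the prefix matching that lets extra path and query segments through. The registration table is constructed.

```python
from urllib.parse import urlsplit

# Constructed client registration: the exact redirect URIs each client registered.
REGISTERED_REDIRECTS = {
    "client-123": {"https://app.example/oauth/callback"},
}


def redirect_uri_allowed(client_id: str, redirect_uri: str) -> bool:
    """Exact-match check: the URI must equal one the client registered."""
    parts = urlsplit(redirect_uri)
    # Reject anything that is not https, has no host, or carries a fragment.
    if parts.scheme != "https" or not parts.netloc or parts.fragment:
        return False
    return redirect_uri in REGISTERED_REDIRECTS.get(client_id, set())


def naive_prefix_allowed(client_id: str, redirect_uri: str) -> bool:
    """The pattern to avoid: a prefix match accepts appended paths and queries,
    so a code can be sent to a redirector the client never registered."""
    return any(redirect_uri.startswith(r)
               for r in REGISTERED_REDIRECTS.get(client_id, ()))
```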

Slide 62

Clearing login state: when to revoke tokens; OpenID Session Management; Front-Channel Logout; Back-Channel Logout

Slide 63

Extra - Password: never store passwords in plaintext; MD5 and SHA1 are considered insecure algorithms; SHA256 is recommended

Slide 64

Extra - Cookie: the core problem is over-reliance on cookies as the means of authentication: CSRF, Session Hijacking, Session Fixation, Weak Confidentiality, Weak Integrity

Slide 65

Q & A