Slide 1
Who am I? Where am I? A talk about web authentication
Slide 2
About Miles. Current: Senior Developer @ 104 Corp.; Volunteer @ DevOps Taiwan. Tags: PHP, Docker, DevOps
[email protected]
MilesChou
Slide 3
(no text content)
Slide 4
What we will cover today: Terminology; Scenario; Native App; Security Topics
Slide 5
Terminology: Authentication, Entity, Identifier
Slides 6-10 (diagram, built up one label at a time)
A Server and a User. Each of them is an Entity. Each Entity has an Identifier; here the User presents the identifier "Miles", and the Server holds a record for "Miles". Authentication is the Server establishing that the party presenting the identifier "Miles" really is that entity.
Slide 11
The basic security questions: Was the request really sent at the user's own will? Could it have been tampered with? Could it have been forged? Is the response really the server's response? Could it have been tampered with? Could it have been forged?
Slide 12
Scenario: once upon a time, there was a website that provided lots of services.
Slide 13
"Hi there! First time here? First-timers are all strangers to me! So that you're a stranger no longer, let's first agree on how I'm going to verify who you are!"
Slide 14
The purpose of registration: the user provides credential material (account name, password, etc.); the server side provides the metadata that the credentials will later be checked against.
Slide 15
Registration methods: online registration; registration by private message; offline (in-person) registration
Slide 16
User Login: as a user, I want to use the services the website provides.
Slide 17
"Hi there! Second time here? Halt! Password? Who goes there? OK, I know you're Miles now, but I've got a goldfish memory! Remember to come back and refresh within 24 minutes!" (24 minutes is 1440 seconds, PHP's default session.gc_maxlifetime.)
Slide 18
User Login: a Challenge, plus a State Management Mechanism (the session that remembers the challenge was answered)
Slide 19
Implementations: Laravel Auth, Zend Authentication
Slide 20
Server-side Authentication: as a server, I want to call the API the website provides.
Slide 21
How about Authorization?
Slide 22
Server-side Authentication. Trusted server: VPN, IP allow-listing, issued tokens, etc. OAuth 2.0: Facebook, Google, GitHub, AWS, etc.
Slide 23
Terminology, OAuth 2.0: Authorization; Resource Owner; Resource Server; Client; Authorization Server
Slides 24-29 (diagram: the OAuth 2.0 abstract flow between Resource Owner, Client, Authorization Server and Resource Server, one arrow per slide)
1. Authorization Request: the Client asks the Resource Owner for authorization.
2. Authorization Grant: the Resource Owner gives the Client an authorization grant.
3. Authorization Grant: the Client presents the grant to the Authorization Server.
4. Access Token: the Authorization Server authenticates the Client, validates the grant and issues an Access Token.
5. Access Token: the Client presents the access token to the Resource Server.
6. Protected Resource: the Resource Server validates the token and serves the Protected Resource.
Slide 30
WeChat secretly linking to Facebook? What on earth is going on? Roll the video!
Slide 31
WeChat linking to Facebook: Facebook implements OAuth 2.0; the WeChat app is the Client; the authorization scope defines what the user consents to share.
Slide 32
Third-party Login: as an external website, I want to authenticate users through your site.
Slide 33
"Hi there! Are you Miles's sidekick? If Miles has shown his face for you, you may come in! But after a while I'll check with Miles again whether you're still his sidekick."
Slide 34
Third-party Login: OAuth 2.0 (Facebook, Google, GitHub, etc.); OpenID Connect (Apple ID, LINE, Google, Auth0, etc.); SAML (GitHub, Google, etc.)
Slide 35
(diagram) Server, User, Provider: Authentication is performed by the Provider; the Server checks the result.
Slide 36
OpenID Connect
Slide 37
OpenID Connect: based on OAuth 2.0; uses a JWT as the ID token; Discovery; Dynamic Client Registration
Slides 38-47 (diagram: the OpenID Connect authorization code flow between End User, Client and Authorization Server, one step per slide)
1. Login: the End User starts a login at the Client.
2. Redirect to Authorization Server, with scope=openid.
3. Authorization Request (sent to the authorization endpoint with GET or POST).
4. Challenge: the Authorization Server challenges the End User.
5. User Credentials: the End User answers the challenge.
6. Authorization Request: the Authorization Server asks the End User to approve the Client's request.
7. Authorization Grant: the End User approves.
8. Redirect to Client with Code.
9. Use Code to get Access Token and ID Token: the Client exchanges the code at the token endpoint.
Slide 48
ID token
Slide 49
Signature (image source: https://en.wikipedia.org/wiki/File:Private_key_signing.svg)
Slide 50
Signature algorithms: HS256, HMAC using SHA-256 (LINE); RS256, RSASSA-PKCS1-v1_5 using SHA-256 (Apple ID, Google); ES256, ECDSA using P-256 and SHA-256 (Apple ID). With HS256 the client verifies with the same shared secret the provider signs with, so anyone holding that secret can mint tokens; with RS256/ES256 the client only needs the provider's public key (published through its JWKS endpoint). In either case the verifier must pin the algorithm it expects instead of trusting the token's own alg header.
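To make the signature and claim checks concrete, here is an added example (not code from the talk, and not the implementation of any provider named above) that mints and verifies an HS256 ID token with only the Python standard library. The issuer https://op.example, the client_id demo-client, the shared secret and the nonce are constructed values. Only HS256 is implemented because the standard library has no RSA/ECDSA; for the RS256/ES256 tokens Google or Apple issue you would fetch the key from the JWKS and use a crypto library, but the pinned-algorithm rule and the iss/aud/exp/nonce checks are identical.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values (assumptions for this example). In a real client the issuer
# comes from the provider's discovery document and client_id / secret from your
# client registration.
ISSUER = "https://op.example"
CLIENT_ID = "demo-client"
SHARED_SECRET = b"constructed-client-secret-for-demo-only"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_hs256_id_token(claims: dict, secret: bytes) -> str:
    """What the provider's token endpoint does: sign header.payload with HMAC-SHA256."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}"
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def verify_id_token(token: str, secret: bytes, expected_nonce: str, now=None) -> dict:
    """Client-side check of the signature and the mandatory ID token claims; raises ValueError on failure."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm: the verifier decides, never the token's own header.
    # This rejects alg=none and RS256->HS256 key-confusion tokens alike.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if CLIENT_ID not in audiences:
        raise ValueError("token not issued for this client")
    if len(audiences) > 1 and claims.get("azp") != CLIENT_ID:
        raise ValueError("azp must name this client when aud has several entries")
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise ValueError("token expired")
    # The nonce was generated by the client and stored in its session before the
    # redirect; a mismatch means the token was not minted for this login attempt.
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")
    return claims


def demo(now: int = 1_700_000_000) -> dict:
    """Mint one valid token and show how tampered variants are rejected."""
    nonce = "n-0S6_WzA2Mj"  # constructed; real nonces are random per login attempt
    claims = {"iss": ISSUER, "sub": "miles", "aud": CLIENT_ID,
              "iat": now, "exp": now + 600, "nonce": nonce}
    token = mint_hs256_id_token(claims, SHARED_SECRET)

    def outcome(tok, expected_nonce=nonce, at=now):
        try:
            return "accepted:" + verify_id_token(tok, SHARED_SECRET, expected_nonce, at)["sub"]
        except ValueError as err:
            return "rejected:" + str(err)

    header_b64, payload_b64, sig_b64 = token.split(".")
    forged = dict(claims, sub="admin")  # attacker edits the payload but cannot re-sign it
    forged_b64 = b64url_encode(json.dumps(forged, separators=(",", ":")).encode())
    none_header = b64url_encode(b'{"alg":"none","typ":"JWT"}')
    return {
        "valid": outcome(token),
        "tampered_payload": outcome(f"{header_b64}.{forged_b64}.{sig_b64}"),
        "alg_none": outcome(f"{none_header}.{payload_b64}."),
        "expired": outcome(token, at=now + 601),
        "wrong_nonce": outcome(token, expected_nonce="other"),
    }
```

Running demo() shows the valid token accepted as "miles" and each of the four altered tokens rejected with a distinct reason. Note that the signature is checked before any claim is read, and that expiry is compared against the verifier's clock, not a value in the token.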
Slide 51
Discovery: Apple ID, LINE, Google (the provider publishes its endpoints, supported signing algorithms and JWKS URI at /.well-known/openid-configuration)
Slide 52
Talk is easy, right? Build one and let's see!
Slide 53
Demo
Slide 54
Native App
Slide 55
Conclusion first: don't use an embedded user agent (a WebView) for the login; it is both troublesome and dangerous. The app can read everything the user types into the provider's login page, and the user has no way to tell that page from a phishing one. Use the system browser instead (as RFC 8252 recommends), and use PKCE so that an authorization code intercepted by another app on the device cannot be exchanged for tokens.
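The PKCE part of that conclusion, as an added example that is not from the talk: the client generates a random code_verifier, sends only its SHA-256 challenge in the authorization request, and proves possession of the verifier at the token endpoint. The AuthorizationServer class is a constructed stand-in that models nothing but the PKCE bookkeeping; the "code_intercepted" branch plays a second app on the same device that registered the client's custom URI scheme and received the redirect.

```python
import base64
import hashlib
import secrets


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    # RFC 7636: 43..128 chars from [A-Za-z0-9-._~]; 32 random bytes give 43 base64url chars.
    return b64url(secrets.token_bytes(32))


def make_code_challenge(verifier: str) -> str:
    # S256 method: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Constructed stand-in for the provider: only the PKCE bookkeeping is modelled."""

    def __init__(self):
        self._pending = {}  # authorization code -> code_challenge stored at authorization time

    def authorize(self, code_challenge: str, code_challenge_method: str) -> str:
        # Refuse 'plain': the challenge would then equal the verifier, which is
        # exactly the secret the interceptor lacks.
        if code_challenge_method != "S256":
            raise ValueError("only S256 is accepted")
        code = b64url(secrets.token_bytes(16))
        self._pending[code] = code_challenge
        return code

    def token(self, code: str, code_verifier: str) -> dict:
        challenge = self._pending.pop(code, None)  # a code is single-use, even after a failed attempt
        if challenge is None:
            raise ValueError("unknown or already used code")
        if not 43 <= len(code_verifier) <= 128:
            raise ValueError("code_verifier has invalid length")
        if not secrets.compare_digest(make_code_challenge(code_verifier), challenge):
            raise ValueError("PKCE verification failed")
        return {"access_token": b64url(secrets.token_bytes(16)), "token_type": "Bearer"}


def run_flow(code_intercepted: bool) -> str:
    """Native-app flow. If code_intercepted, a second app on the device that registered
    the same custom URI scheme receives the redirect and tries to redeem the code."""
    provider = AuthorizationServer()
    verifier = make_code_verifier()            # kept in app memory, never leaves the device
    challenge = make_code_challenge(verifier)  # sent in the authorization request via the system browser
    code = provider.authorize(challenge, "S256")
    if code_intercepted:
        try:
            provider.token(code, make_code_verifier())  # attacker holds the code but must guess the verifier
            return "attacker obtained a token"
        except ValueError as err:
            return f"attacker rejected: {err}"
    return "app obtained a " + provider.token(code, verifier)["token_type"] + " token"
```

run_flow(False) completes normally; run_flow(True) shows the intercepted code being refused because the attacker cannot produce a verifier matching the stored challenge, and the code is consumed by that failed attempt so the legitimate app's later redemption would also fail (which is the correct outcome: the login must be restarted).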
Slide 56
Chrome on Mobile (image source: https://www.ory.sh/oauth2-for-mobile-app-spa-browser/)
Slide 57
App on Mobile (image source: https://www.ory.sh/oauth2-for-mobile-app-spa-browser/)
Slide 58
Security Topic
Slide 59
Basics: TLS, CSRF, XSS, CSP, Same-origin Policy
Slide 60
HTML login: no standard protocol; phishing
Slide 61
Covert Redirect: validate the redirect URL. The authorization server must compare redirect_uri with the values pre-registered for the client by exact string match; if it only checks the domain (or a prefix), an open redirector on the client's own site lets an attacker receive the code, or the token in the URL fragment.
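The difference between those validation strategies, as an added example that is not part of the talk: three redirect_uri validators run against four constructed authorization requests for a hypothetical client "demo-client" registered with https://client.example/callback. The attacker URLs are constructed for the comparison; the "evil.example" and "evilclient.example" hosts are assumptions.

```python
from urllib.parse import urlsplit

# Constructed client registration (assumption for this example).
REGISTERED_REDIRECT_URIS = {
    "demo-client": {"https://client.example/callback"},
}


def accept_by_host_suffix(client_id: str, redirect_uri: str) -> bool:
    """Weak check: the redirect host merely has to end with the registered host."""
    registered_hosts = {urlsplit(u).hostname for u in REGISTERED_REDIRECT_URIS[client_id]}
    host = urlsplit(redirect_uri).hostname or ""
    return any(host.endswith(r) for r in registered_hosts)


def accept_by_prefix(client_id: str, redirect_uri: str) -> bool:
    """Weak check: any URL that starts with the registered value passes."""
    return any(redirect_uri.startswith(u) for u in REGISTERED_REDIRECT_URIS[client_id])


def accept_exact(client_id: str, redirect_uri: str) -> bool:
    """Required check: exact string match against the registered value
    (scheme, host, port, path and query all included)."""
    return redirect_uri in REGISTERED_REDIRECT_URIS[client_id]


# Constructed authorization requests an attacker might craft against this client.
ATTEMPTS = {
    "legitimate": "https://client.example/callback",
    # the client's site has a redirector under /callback/../go that forwards to ?to=
    "path_traversal_to_open_redirect": "https://client.example/callback/../go?to=https://evil.example",
    # the callback page itself honours a ?next= parameter after login
    "open_redirect_via_query": "https://client.example/callback?next=https://evil.example",
    # attacker-owned host whose name ends with the registered host
    "lookalike_host": "https://evilclient.example/callback",
}


def evaluate(client_id: str = "demo-client") -> dict:
    """Per attempt, which validators accept it: (host_suffix, prefix, exact)."""
    return {
        name: (
            accept_by_host_suffix(client_id, uri),
            accept_by_prefix(client_id, uri),
            accept_exact(client_id, uri),
        )
        for name, uri in ATTEMPTS.items()
    }
```

Only the exact match rejects all three attacks while still accepting the legitimate request. The host-suffix check (domain-only registration) is the one behind the Covert Redirect reports: once the provider sends the browser to the client's open redirector, the code travels along in the query string, and a fragment carrying an implicit-flow token is preserved by the browser across the redirect to the attacker's site.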
Slide 62
Clearing the login state: when to revoke tokens; OpenID Connect Session Management; Front-Channel Logout; Back-Channel Logout
Slide 63
Extra: Passwords. Never store them in plaintext. MD5 and SHA-1 are considered insecure. Plain SHA-256 is not a fix either: a fast unsalted hash can be brute-forced at billions of guesses per second, and identical passwords produce identical hashes. Use a salted, deliberately slow password hash such as bcrypt, scrypt, Argon2 or PBKDF2 (in PHP, password_hash() and password_verify()).
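To show the difference between a plain digest and a password hash, here is an added example (not from the talk) using the Python standard library's PBKDF2-HMAC-SHA256. The password "hunter2" and the storage format are constructed for the example; the iteration count follows current OWASP guidance for PBKDF2-HMAC-SHA256.

```python
import hashlib
import hmac
import os

# OWASP's current recommendation for the PBKDF2-HMAC-SHA256 work factor.
PBKDF2_ITERATIONS = 600_000


def sha256_unsalted(password: str) -> str:
    """Plain SHA-256, kept here only to show why it is not a password hash."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, slow hash. Stored as a self-describing string so the parameters can be raised later."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    try:
        algorithm, iterations, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False  # malformed record: fail closed
    if algorithm != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))  # constant-time comparison


def demo(password: str = "hunter2") -> dict:
    """Contrast the two schemes on one constructed password used by two users."""
    plain_a, plain_b = sha256_unsalted(password), sha256_unsalted(password)
    stored_a, stored_b = hash_password(password), hash_password(password)
    return {
        # Two users with the same password get the same unsalted digest, so one
        # cracked hash (or a precomputed table) exposes both.
        "unsalted_digests_equal": plain_a == plain_b,
        # With a per-user salt the stored values differ and each must be attacked separately.
        "salted_hashes_equal": stored_a == stored_b,
        "verify_correct": verify_password(password, stored_a),
        "verify_wrong": verify_password("hunter3", stored_a),
        "verify_garbage_record": verify_password(password, "not-a-hash"),
    }
```

PBKDF2 is shown because it needs no third-party package; where available, a memory-hard function (hashlib.scrypt, Argon2, or PHP's password_hash(), which uses bcrypt by default) is the better choice, since it also resists GPU cracking.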
Slide 64
Extra: Cookies. The core problem is over-reliance on the cookie as the means of authentication: CSRF (the browser attaches the cookie to cross-site requests automatically); Session Hijacking (whoever obtains the cookie value is the user); Session Fixation (an attacker plants a session ID before the victim logs in); Weak Confidentiality (the cookie is sent in the clear unless it is marked Secure and the site uses TLS); Weak Integrity (a page served over plain HTTP, or another host in the same registrable domain, can overwrite it).
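Two of the listed problems have a direct server-side remedy, shown here as an added example that is not from the talk: rotating the session ID at login defeats session fixation, and the Secure, HttpOnly and SameSite attributes on the Set-Cookie header narrow confidentiality, hijacking via XSS and CSRF respectively. The SessionStore is a constructed in-memory store standing in for a framework's session handler.

```python
import secrets
from http.cookies import SimpleCookie


class SessionStore:
    """Constructed server-side session store; real apps use the framework's."""

    def __init__(self):
        self._sessions = {}  # session id -> session data

    def create(self) -> str:
        sid = secrets.token_urlsafe(32)  # unguessable id, the only secret the cookie carries
        self._sessions[sid] = {"user": None}
        return sid

    def get(self, sid: str):
        return self._sessions.get(sid)

    def login(self, sid: str, user: str) -> str:
        """Authenticate and rotate the session id: whatever id existed before
        login (possibly planted by an attacker) stops referring to this session."""
        data = self._sessions.pop(sid, None) or {"user": None}
        data["user"] = user
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = data
        return new_sid


def session_cookie_header(sid: str) -> str:
    """Set-Cookie value with the attributes that limit the slide's other problems."""
    cookie = SimpleCookie()
    cookie["sid"] = sid
    cookie["sid"]["secure"] = True      # never sent over plain HTTP (confidentiality)
    cookie["sid"]["httponly"] = True    # not readable by script, so XSS cannot exfiltrate it (hijacking)
    cookie["sid"]["samesite"] = "Lax"   # not attached to cross-site POSTs (CSRF)
    cookie["sid"]["path"] = "/"
    return cookie["sid"].OutputString()


def fixation_attack_succeeds(rotate_on_login: bool) -> bool:
    """Session fixation: the attacker obtains a fresh session id, plants it in the
    victim's browser, and waits for the victim to log in with it."""
    store = SessionStore()
    planted = store.create()  # attacker's own pre-login session id
    if rotate_on_login:
        store.login(planted, "miles")          # victim logs in; server issues a new id
    else:
        store.get(planted)["user"] = "miles"   # naive server just marks the existing session
    hijacked = store.get(planted)              # attacker keeps using the id they planted
    return hijacked is not None and hijacked["user"] == "miles"
```

With rotation, the attacker's planted id no longer maps to any session after the victim logs in. SameSite=Lax still allows top-level GET navigations to carry the cookie, so state-changing endpoints must not be reachable by GET, and a per-session CSRF token remains the full defence.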
Slide 65
Q & A