Slide 1

Slide 1 text


Slide 2

Slide 2 text

• https://ritou.hatenablog.com
• FedCM primer, part 1: the challenges of identity federation and FedCM's approach
• FedCM primer, part 2: explanation of the current FedCM implementation
• FedCM primer, part 3: explanation of the differences from OIDC (still a draft)

Slide 3

Slide 3 text

• FedCM's identity federation flow
• Differences from OIDC
• Approaches to closing the gap

Slide 4

Slide 4 text

• IdP: Identity Provider. A service that supplies user information to other services.
• RP: Relying Party. A service that implements its authentication feature using the user information held by the IdP.
• User: the user of both the IdP and the RP.
• Browser: a browser that supports FedCM.

Slide 5

Slide 5 text

1. Precondition: the user is already logged in at the IdP.
2. When the user tries to use "Log in with IdP" at the RP, the RP calls the FedCM API.
3. The browser asks the IdP for the list of accounts that are currently logged in, and displays the identity-federation prompt on the RP's domain.
4. The browser requests from the IdP an authentication token (an OIDC ID Token) tied to the account the user selected/approved, and hands what it receives to the RP. The RP uses it for its authentication feature.

Slide 6

Slide 6 text


Slide 7

Slide 7 text


Slide 8

Slide 8 text


Slide 9

Slide 9 text


Slide 10

Slide 10 text


Slide 11

Slide 11 text

• Determining whether FedCM is available
• Identity federation request

Slide 12

Slide 12 text


Slide 13

Slide 13 text

• Top level domain manifest
• IdP manifest file

Slide 14

Slide 14 text


Slide 15

Slide 15 text

• Client metadata Endpoint

Slide 16

Slide 16 text


Slide 17

Slide 17 text

• Client metadata Endpoint

Slide 18

Slide 18 text


Slide 19

Slide 19 text

• Accounts list endpoint

Slide 20

Slide 20 text


Slide 21

Slide 21 text

• ID Token Endpoint

Slide 22

Slide 22 text

This can be tried on Chrome Canary for PC/Android.
• IdP: https://ex-fedcm-idp.herokuapp.com/
• RP: https://ex-fedcm-rp.herokuapp.com/

Slide 23

Slide 23 text

• FedCM's identity federation flow
• Differences from OIDC
• Approaches to closing the gap

Slide 24

Slide 24 text

FedCM
• What the current FedCM can do is "exchange an ID Token over the front channel".

Slide 25

Slide 25 text

OIDC Flows
• Authorization Code Flow
  • Front channel: Authorization Code (+ ID Token)
  • Back channel: ID Token / AT / RT
• Implicit Flow <- FedCM is close to this
  • Front channel: ID Token (+ α)
• Hybrid Flow (omitted)

Slide 26

Slide 26 text


Slide 27

Slide 27 text

FedCM vs OIDC
• IdP metadata: can be absorbed by the OpenID Provider Configuration
• Client information request: undefined
• Account list request: undefined
• ID Token request -> close to Implicit Flow
  • The AuthN Response is handed to the browser
  • Undefined/omitted parameters

Slide 28

Slide 28 text

OIDC RP
• Use case: can only be used as a shortcut for a social-login feature (no resource access)
  • Those who also want resource access cannot use it
• Values contained in the ID Token
  • Depends on the IdP

Slide 29

Slide 29 text

OIDC IdP
• Use cases: same as for the RP
• Implementation: proprietary extensions are needed to support FedCM
  • Extend the Authorization Endpoint?
  • Endpoints not defined by OIDC
• Values contained in the ID Token
  • Currently must be decided by something other than request parameters

Slide 30

Slide 30 text

• FedCM's identity federation flow
• Differences from OIDC
• Approaches to closing the gap

Slide 31

Slide 31 text

To close the gap between FedCM and OIDC:
1. Bring FedCM closer to OIDC
2. Extend OIDC for FedCM
Even if option 1 is tried and FedCM is moved toward Implicit Flow, there are requests/responses that OIDC does not define, so both 1 and 2 look necessary. Isn't SAML hard to extend?

Slide 32

Slide 32 text

Bringing FedCM closer to OIDC
• id_token_endpoint = Authorization Endpoint
• Authentication Request
  • "response_type=id_token"
  • "prompt=none"
  • "login_hint" + Cookie used for the decision
  • Support the "scope" and "claims" parameters

Slide 33

Slide 33 text

OIDC Extensions for FedCM
• FedCM-specific requests
  • Client Metadata Request
  • Account List Request
• Requesting the ID Token in JSON format
  • response_mode: body # request the Authentication Response in the body
  • redirect_uri: "urn…" # e.g. a value reserved for fedcm

Slide 34

Slide 34 text

• Explained the requests/responses the current FedCM performs
• Explained the protocol-level differences between FedCM and OIDC
• FedCM sits in a shortcut-like position roughly equivalent to OIDC Implicit Flow
• Since there appears to be an extra implementation cost for IdPs, the approaches to closing the gap deserve attention going forward

Slide 35

Slide 35 text
