Upgrade to Pro — share decks privately, control downloads, hide ads and more …

OAuth 2.0仕様紹介 JAR, PAR, RAR @ iddance Lesson3

ritou
October 27, 2021

OAuth 2.0仕様紹介 JAR, PAR, RAR @ iddance Lesson3

下記イベントの発表資料です。
https://idance.connpass.com/event/226073/

ritou

October 27, 2021
Tweet

More Decks by ritou

Other Decks in Technology

Transcript

  1. OAuth 2.0࢓༷঺հ


    JAR, PAR, RAR
    #iddance Lesson3


    TwitterͷOAuth 2.0ͱ͔CIBAͷ࢖͍ॴΛ஌Ζ͏ͷձ
    @ritou 2021/10/27

    View Slide

  2. ຊ೔঺հ͢Δ࢓༷
    • RFC 9101 The OAuth 2.0 Authorization Framework: JWT-Secured
    Authorization Request (JAR)


    • RFC 9126 OAuth 2.0 Pushed Authorization Requests


    • OAuth 2.0 Rich Authorization Requests(2021/10/27࣌఺Ͱ͸Draft08)

    2

    View Slide

  3. ຊ೔ͷ಺༰
    • OAuth 2.0ͷೝՄϦΫΤετͱ͸


    • RFC6749Ͱఆٛ͞Ε͍ͯΔೝՄϦΫΤετͷ՝୊ͱ͸


    • JAR, PAR, RARͦΕͧΕͷ࢓༷ͰԿ͕ఆٛ͞Ε͍ͯΔͷ͔

    3

    View Slide

  4. OAuth 2.0ͷೝՄϦΫΤετͱ͸

    4

    View Slide

  5. OAuth 2.0ͷྲྀΕ

    5
    3FTPVSDF0XOFS
    $MJFOU "VUIPSJ[BUJPO4FSWFS
    3FTPVSDF4FSWFS
    Ϣʔβʔ͸$MJFOUͰผαʔϏε
    ͷϦιʔεΛར༻͍ͨ͠
    "VUI;4FSWFSʹϦμ
    ΠϨΫτͯ͠

    ϦιʔεΞΫηεΛཁٻ
    ϦιʔεΞΫηεͷݖݶΛఏڙ
    ̏ ϩάΠϯͯ͠ɺ
    $MJFOUʹϦιʔεΞΫηεΛఏڙ͢
    Δ͜ͱʹಉҙ
    3FTPVSDF4FSWFS͔Βऔಘ
    ͨ͠஋Λར༻͢ΔαʔϏεΛఏڙ
    !
    "
    #
    $
    %
    &

    View Slide

  6. OAuth 2.0ͷೝՄϦΫΤετ

    6
    3FTPVSDF0XOFS
    $MJFOU "VUIPSJ[BUJPO4FSWFS
    3FTPVSDF4FSWFS
    Ϣʔβʔ͸$MJFOUͰผαʔϏε
    ͷϦιʔεΛར༻͍ͨ͠
    "VUI;4FSWFSʹϦμ
    ΠϨΫτͯ͠

    ϦιʔεΞΫηεΛཁٻ
    ϦιʔεΞΫηεͷݖݶΛఏڙ
    ̏ ϩάΠϯͯ͠ɺ
    $MJFOUʹϦιʔεΞΫηεΛఏڙ͢
    Δ͜ͱʹಉҙ
    3FTPVSDF4FSWFS͔Βऔಘ
    ͨ͠஋Λར༻͢ΔαʔϏεΛఏڙ
    !
    "
    #
    $
    %
    &

    View Slide


  7. 7

    View Slide

  8. OAuth 2.0ͷೝՄϨεϙϯε

    8
    3FTPVSDF0XOFS
    $MJFOU "VUIPSJ[BUJPO4FSWFS
    3FTPVSDF4FSWFS
    Ϣʔβʔ͸$MJFOUͰผαʔϏε
    ͷϦιʔεΛར༻͍ͨ͠
    "VUI;4FSWFSʹϦμ
    ΠϨΫτͯ͠

    ϦιʔεΞΫηεΛཁٻ
    ϦιʔεΞΫηεͷݖݶΛఏڙ
    ̏ ϩάΠϯͯ͠ɺ
    $MJFOUʹϦιʔεΞΫηεΛఏڙ͢
    Δ͜ͱʹಉҙ
    3FTPVSDF4FSWFS͔Βऔಘ
    ͨ͠஋Λར༻͢ΔαʔϏεΛఏڙ
    !
    "
    #
    $
    %
    &

    View Slide


  9. 9

    View Slide

  10. RFC6749Ͱఆٛ͞Ε͍ͯΔ


    ೝՄϦΫΤετͷ՝୊ͱ͸

    10

    View Slide

  11. RFC6749ͷఆٛ
    • The client constructs the request URI by adding the following
    parameters to the query component of the authorization
    endpoint URI using the "application/x-www-form-urlencoded"
    format, …

    11

    View Slide

  12. ΫΤϦύϥϝʔλར༻ͷಛ௃


    (JARͷ1. Introduction)
    A. the communication through the user agents is not integrity
    protected, and thus, the parameters can be tainted (integrity
    protection failure) : ύϥϝʔλ͸վม͞ΕΔՄೳੑ͕͋Δ


    B. the source of the communication is not authenticated (source
    authentication failure) : ϦΫΤετݩͷೝূ͕Ͱ͖ͳ͍


    C. the communication through the user agents can be monitored
    (containment/con
    fi
    dentiality failure) : ϒϥ΢β΋·ͨͪ͜ΒΛ…

    12

    View Slide

  13. Webϒϥ΢βΛհͨ͠σʔλૹ৴ํ๏
    • GETϦΫΤετͷΫΤϦύϥϝʔλ


    • GET https://www.example.com/endpoint?foo=var&…


    • GETϦΫΤετͷϑϥάϝϯτίϯϙʔωϯτ


    • GET https://www.example.com/endpoint#foo=var&…


    • POSTϦΫΤετͷϦΫΤετϘσΟ

    13

    View Slide

  14. ΑΓ҆શʹ͢ΔͨΊʹʁ
    • ΫΤϦύϥϝʔλ/ϦΫΤετϘσΟʹJWT(JWS, JWS+JWE)Λࢦఆ


    • https://www.example.com/endpoint?data=eyJ…


    • ΫΤϦύϥϝʔλ/ϦΫΤετϘσΟʹJWTͷࢀরΛࢦఆ


    • https://www.example.com/endpoint?
    data_uri=https%3A%2F%2F…

    14

    View Slide

  15. ͜ΕΛೝՄϦΫΤετʹ


    ద༻͢Δͷ͕ࠓճ঺հ͢Δ…

    15

    View Slide

  16. ͷલʹʂ

    16

    View Slide

  17. ͢Ͱʹ͜ͷΑ͏ͳ࢓૊Έ͸


    ೝՄϨεϙϯεͰ࢖ΘΕ͍ͯΔ
    • ೝՄϨεϙϯεͰฦ͞ΕΔՄೳੑ͕͋Δύϥϝʔλ


    • state


    • Authorization Code


    • ID Token(OIDC)


    • Access Token, Token Type, Refresh Token, Expires in…

    17

    View Slide

  18. ೝՄϨεϙϯεͷ࢓༷
    • ֤छτʔΫϯΛؚΉೝՄϨεϙϯε͸ΫΤϦύϥϝʔλͰ͸ฦͣ͞ʹ
    ϑϥάϝϯτίϯϙʔωϯτΛར༻(Implicit Grant, Hybrid Flow)


    • ೝՄίʔυΛΫΤϦύϥϝʔλ/ϑϥάϝϯτίϯϙʔωϯτͰฦ
    ͠ɺΫϥΠΞϯτ͸όοΫνϟϯωϧͰ֤छτʔΫϯΛϦΫΤετ
    (Authorization Code Grant) ≒ ࢀরΛ౉͢


    • ೝՄϨεϙϯεࣗମΛJWS, JWS+JWEͰอޢ (JARM) = JWTͰอޢ

    18

    View Slide

  19. લஔ͖͸͜͜·Ͱ

    19

    View Slide

  20. ͜ͷΑ͏ͳอޢΛೝՄϦΫΤετʹ


    ద༻͢Δࡍʹ࢖͑Δͷ͕ࠓճ঺հ͢Δ


    JAR/PAR/RAR Ͱ͢

    20

    View Slide

  21. RFC 9101


    The OAuth 2.0 Authorization
    Framework: JWT-Secured
    Authorization Request (JAR)

    21

    View Slide

  22. ֓ཁ
    • JWTΛར༻ͯ͠ΞϓϦέʔγϣϯϨϕϧͰೝՄϦΫΤετͷηΩϡϦ
    ςΟϦεΫΛܰݮ͢Δ


    • ॺ໊(JWS)ʹΑΓ੔߹ੑอޢɺੜ੒ݩͷݕূ͕Մೳ


    • ҉߸Խ(JWE)ʹΑΓTLSʹӨڹ͠ͳ͍ػີੑอޢ


    • ୈ3ऀ͕ೝՄϦΫΤετͷ಺༰Λݕূͯ͠ॺ໊͢Δ͜ͱ΋Մೳ


    • JWTͦͷ΋ͷͰ͸ͳ͘ࢀরΛૹΔ͜ͱ΋Մೳ

    22

    View Slide

  23. Request Object
    • ೝՄϦΫΤετΛJWTܗࣜͰදݱͨ͠΋ͷ


    • ύϥϝʔλ͸JWTͷΫϨʔϜ(JSON)ʹ֨ೲ


    • JWSʹΑΓॺ໊͢Δ৔߹͸ “iss”, “aud” ΛؚΉ


    • “aud” ͕ೝՄαʔόʔͷ஋


    • ඞཁʹԠͯ͡JWT(RFC7519) Ͱఆٛ͞Ε͍ͯΔΫϨʔϜΛར༻

    23

    View Slide

  24. Request Object

    24

    View Slide

  25. Request Object URI
    • Request ObjectΛίϯςϯπͱͯ͠ฦ͢URI


    • ࣄલʹೝՄϦΫΤετΛड͚ͨೝՄαʔόʔ͕ΫϥΠΞϯτʹ޲͚ͯ
    Request Object URIΛఏڙ͢Δ৔߹(PAR)͸Α͠ͳʹ΍ͬͯྑ͍

    25

    View Slide

  26. ೝՄϦΫΤετͷ֦ு
    • ೝՄϦΫΤετʹؚ·ΕΔύϥϝʔλ


    • “client_id”


    • “request” or “request_uri”

    26

    View Slide

  27. ྫ. ΫϥΠΞϯτ͕༻ҙͨ͠ Request Object Λ


    request ύϥϝʔλͰࢦఆ

    27

    View Slide

  28. ྫ. ΫϥΠΞϯτ͕༻ҙͨ͠ Request Object ͷ


    ࢀরΛ request_uri ύϥϝʔλͰࢦఆ

    28

    View Slide

  29. ྫ. ΫϥΠΞϯτҎ֎͕༻ҙͨ͠ Request Object Λ


    request ύϥϝʔλͰࢦఆ

    29
    Authorization RequestͷϑΥʔϚοτ͕ݫີʹܾΊΒΕ͍ͯͨΓɺ


    ୈ3ऀػؔͷݕূ͕ߦΘΕΔϢʔεέʔε

    View Slide

  30. ྫ. ΫϥΠΞϯτҎ֎͕༻ҙͨ͠ Request Object Λ


    ࢀরΛ request_uri ύϥϝʔλͰࢦఆ

    30
    Request Object Λϗετ͢Δ৔ॴ͸ Client ͱ͸ݶΒͳ͍

    View Slide

  31. ྫ. ೝՄαʔόʔ͕ΫϥΠΞϯτʹఏڙͨ͠
    request_uri ύϥϝʔλΛࢦఆ

    31
    ಺෦ͰAuthorization RequestΛࢀরʹߦ͘ͷͰɺ


    ωοτϫʔΫ্ΛRequest Object͕ૹΒΕΔ෦෼͸ͳ͍

    View Slide

  32. RFC 9126


    OAuth 2.0


    Pushed Authorization Requests

    32

    View Slide

  33. ֓ཁ
    • RFC6749ͷೝՄϦΫΤετͷಛ௃͸JARͰઆ໌ͨ͠௨Γ


    • ֦ு࢓༷Λར༻ͨ͠ೝՄϦΫΤετ΍ JAR ͷ Request Object Λར༻
    ͢Δ৔߹ɺϦΫΤετͷαΠζ͕େ͖͘ͳΔՄೳੑ͕͋Δ


    • ΫϥΠΞϯτ͕ೝՄαʔόʔʹೝՄϦΫΤετΛૹ৴ͯͦ͠ͷޙͷॲ
    ཧʹར༻͢Δ request_uri ͷ஋Λఏڙ͢Δํ๏Λఆٛ

    33

    View Slide

  34. (࠶ܝࡌ) ೝՄαʔόʔ͕ΫϥΠΞϯτʹ


    ఏڙͨ͠ request_uri ύϥϝʔλΛࢦఆ

    34
    ͜ΕΛඪ४Խͨ͠΋ͷ͕PAR

    View Slide

  35. 1. PARΤϯυϙΠϯτ΁ͷϦΫΤετ

    35
    PARΤϯυϙΠϯτΛ৽ઃ

    View Slide

  36. 1. PARΤϯυϙΠϯτ΁ͷϦΫΤετ

    36
    ΫϥΠΞϯτೝূ + ೝՄϦΫΤετͷύϥϝʔλ

    View Slide

  37. 1. PARΤϯυϙΠϯτ΁ͷϦΫΤετ

    37
    Request Object ΋


    PARΤϯυϙΠϯτʹૹ৴Ͱ͖Δɻ


    =


    3rd Party͕ݕূͨ͠ೝՄϦΫΤετ΋


    ࢦఆՄೳ

    View Slide

  38. 2. PARΤϯυϙΠϯτ͔ΒͷϨεϙϯε

    38

    View Slide

  39. 2. PARΤϯυϙΠϯτ͔ΒͷϨεϙϯε

    39
    request_uri ͱ ༗ޮظݶ

    View Slide

  40. 3. ೝՄΤϯυϙΠϯτ΁ͷϦΫΤετ

    40

    View Slide

  41. 3. ೝՄΤϯυϙΠϯτ΁ͷϦΫΤετ

    41

    View Slide

  42. ಛ௃
    • ؆୯ͳखॱͰػີੑͱ੔߹ੑͷอޢͱ൱ೝ๷ࢭΛ࣮ݱՄೳ


    • ΫϥΠΞϯτೝূ


    • ೝՄΤϯυϙΠϯτ΁ͷϦΫΤετΛൿಗ


    • ϦιʔεΦʔφʔͱͷର࿩ͷલʹΫϥΠΞϯτΛೝূ͢Δ͜ͱͰɺૣ
    ͍ஈ֊ͰͷͳΓ͢·͠΍ೝՄϦΫΤετͷվ᜵ɺޡ༻Λ๷ࢭՄೳ

    42

    View Slide

  43. OAuth 2.0 + JAR + PAR vs OAuth 1.0

    43
    ྲྀΕ͸͍͍ͩͨҰॹ

    View Slide

  44. OAuth 2.0


    Rich Authorization Requests


    (2021/10/27࣌఺Ͱ͸Draft08)

    44

    View Slide

  45. ֓ཁ
    • ೝՄϦΫΤετʹࢦఆ͞ΕΔϦιʔεΞΫηεͷର৅͸ͬ͘͟Γͯ͠
    ͍Δ


    • OAuth 2.0 ͷೝՄϦΫΤετͰఆٛ͞Ε͍ͯΔ scope


    • RFC8707 Resource Indicators for OAuth 2.0 Ͱఆٛ͞Ε͍ͯΔ
    resource


    • ֹۚΛؚΉܾࡁϦΫΤετ΍ࡉ͔͍ϑΝΠϧ୯ҐͷಡΈॻ͖ΛදݱͰ
    ͖ΔΑ͏ͳύϥϝʔλΛఆٛ͢Δ

    45

    View Slide

  46. authorization_details ύϥϝʔλ

    46
    ܾࡁཁٻɺࢀরɺΩϟϯηϧ
    ΞΧ΢ϯτ৘ใࢀরͱܾࡁཁٻɺࢀরɺΩϟϯηϧ

    View Slide

  47. authorization_details ύϥϝʔλ
    • type : ϦιʔεΞΫηεͷछྨ(ඞਢ)


    • locations : Ϧιʔε΋͘͠͸Ϧιʔεαʔόʔ (Ͳ͜Ͱ)


    • actions : ϦιʔεͰ࣮ߦ͞ΕΔΞΫγϣϯ


    • datatypes : Ϧιʔε͔Βཁٻ͞Ε͍ͯΔσʔλͷछྨ


    • identi
    fi
    er : APIͰར༻ՄೳͳϦιʔεͷࣝผࢠ


    • privileges : ϦιʔεͰཁٻ͞ΕΔݖݶͷछྨ΍Ϩϕϧ

    47

    View Slide

  48. OIDC ͷ scope Λ


    authorization_details Ͱදݱ

    48
    • scope “openid email pro
    fi
    le”


    • claims


    • max_age


    • acr_values

    View Slide

  49. OIDC ͷ scope Λ


    authorization_details Ͱදݱ

    49

    View Slide

  50. ೝՄϦΫΤετ
    • URLΤϯίʔυͨ͠஋Λࢦఆ(௕͍)

    50

    View Slide

  51. PAR / RAR ͱͷ਌࿨ੑ
    • ύϥϝʔλͷ௕͞


    • ηΩϡϦςΟ


    • վ᜵๷ࢭͷͨΊ…


    • ϓϥΠόγʔ


    • ࿙Ӯ๷ࢭͷͨΊ…

    51

    View Slide

  52. ·ͱΊ
    • ೝՄϦΫΤετʹؔ͢Δ3ͭͷ࢓༷Λ঺հͨ͠


    • User-AgentΛར༻͢Δσʔλͷ΍ΓऔΓΛ҆શʹ͢Δ࢓૊ΈΛҙࣝ
    ͠ͳ͕Β֤࢓༷Λཧղ͠Α͏


    • ΑΓࡉ͔͍ϦιʔεΞΫηεཁٻͷදݱํ๏ΛϢʔεέʔεͱ૊Έ߹
    Θͤͯཧղ͠Α͏

    52

    View Slide

  53. ࠷ޙʹ
    • Advent Calendar ࠓ೥΋΍Γ·͠ΐ͏


    • ࢀՃํ๏


    • ࢀՃද໌Λ͢Δ (ଟ෼ࠓ೥΋Qiita)


    • 12݄தʹެ։Ͱ͖ͦ͏ͳهࣄΛ༻ҙ͓ͯ͘͠(Qiita͡Όͳͯ͘΋ok)

    53

    View Slide