
OAuth 2.0 Specification Introduction: JAR, PAR, RAR @ iddance Lesson3

ritou
October 27, 2021


These are the slides presented at the event below.
https://idance.connpass.com/event/226073/



Transcript

  1. OAuth 2.0 Specification Introduction: JAR, PAR, RAR (#iddance Lesson3, the "Twitter's OAuth 2.0, CIBA and where they fit" study session) @ritou, 2021/10/27

  2. Specifications covered today
     • RFC 9101 The OAuth 2.0 Authorization Framework: JWT-Secured Authorization Request (JAR)
     • RFC 9126 OAuth 2.0 Pushed Authorization Requests
     • OAuth 2.0 Rich Authorization Requests (Draft 08 as of 2021/10/27)

  3. Today's agenda
     • What the OAuth 2.0 authorization request is
     • The issues with the authorization request as defined in RFC 6749
     • What each of the JAR, PAR and RAR specifications defines
  4. What the OAuth 2.0 authorization request is

  5. The OAuth 2.0 flow
     [Figure: sequence diagram with Resource Owner, Client, Authorization Server and Resource Server. Labels: the user wants to use another service's resources through the Client; the Client redirects to the AuthZ Server requesting resource access; the user logs in and consents to granting the Client resource access; authorization for resource access is granted; the Client provides a service using the values obtained from the Resource Server.]

  6. The OAuth 2.0 authorization request
     [Figure: the same flow diagram as slide 5]

  7. (no transcript text)

  8. The OAuth 2.0 authorization response
     [Figure: the same flow diagram as slide 5]

  9. (no transcript text)

  10. Issues with the authorization request as defined in RFC 6749

  11. The RFC 6749 definition
      • "The client constructs the request URI by adding the following parameters to the query component of the authorization endpoint URI using the "application/x-www-form-urlencoded" format, …"
  12. Characteristics of using query parameters (from JAR, Section 1 "Introduction")
      A. "the communication through the user agents is not integrity protected, and thus, the parameters can be tainted (integrity protection failure)": the parameters may be altered
      B. "the source of the communication is not authenticated (source authentication failure)": the origin of the request cannot be authenticated
      C. "the communication through the user agents can be monitored (containment/confidentiality failure)": the browser, too, can …

  13. Ways of sending data via a web browser
      • Query parameters of a GET request
        • GET https://www.example.com/endpoint?foo=var&…
      • Fragment component of a GET request
        • GET https://www.example.com/endpoint#foo=var&…
      • Request body of a POST request

  14. How to make this safer?
      • Put a JWT (JWS, or JWS+JWE) in the query parameter / request body
        • https://www.example.com/endpoint?data=eyJ…
      • Put a reference to the JWT in the query parameter / request body
        • https://www.example.com/endpoint?data_uri=https%3A%2F%2F…
  15. Applying this to the authorization request is what today's specifications…

  16. …but before that!

  17. Mechanisms like this are already used in the authorization response
      • Parameters that may be returned in the authorization response
        • state
        • Authorization Code
        • ID Token (OIDC)
        • Access Token, Token Type, Refresh Token, Expires in…

  18. The authorization response specifications
      • An authorization response containing tokens is not returned in query parameters but in the fragment component (Implicit Grant, Hybrid Flow)
      • The authorization code is returned in the query parameter / fragment component and the client requests the tokens over the back channel (Authorization Code Grant), which is roughly "passing a reference"
      • The authorization response itself is protected with JWS or JWS+JWE (JARM), that is, protected as a JWT

  19. That ends the preamble

  20. JAR, PAR and RAR, introduced today, are what you use to apply this kind of protection to the authorization request

  21. RFC 9101 The OAuth 2.0 Authorization Framework: JWT-Secured Authorization Request (JAR)

  22. Overview
      • Uses a JWT to reduce the security risks of the authorization request at the application level
      • Signing (JWS) provides integrity protection and verification of the originator
      • Encryption (JWE) provides confidentiality protection that does not depend on TLS
      • A third party can also verify the content of the authorization request and sign it
      • A reference can be sent instead of the JWT itself

  23. Request Object
      • The authorization request expressed in JWT form
      • The parameters are stored as JWT claims (JSON)
      • When signed with JWS it includes "iss" and "aud"
        • "aud" is the authorization server's value
      • Claims defined in JWT (RFC 7519) are used as needed

  24. Request Object (no transcript text)

  25. Request Object URI
      • A URI that returns the Request Object as its content
      • When an authorization server that has received the authorization request in advance provides the Request Object URI to the client (PAR), it may handle this however it likes

  26. Extension of the authorization request
      • Parameters included in the authorization request
        • "client_id"
        • "request" or "request_uri"
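The JAR exchange of slides 22 to 26 as a worked example (added here; not code from the slides or from any library): the client signs its authorization request parameters into a Request Object (HS256 over a shared secret) and sends only client_id plus request in the front channel; the authorization server verifies the signature, binds the object to the query client_id and takes every parameter from the signed claims. The issuer, client identifier and secret are constructed values.

```python
import base64, hashlib, hmac, json
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed sample values; none of them come from the slides.
AS_ISSUER = "https://as.example.com"
CLIENT_ID = "s6BhdRkqt3"
CLIENT_SECRET = b"constructed-shared-secret"  # HS256 key the client shares with the AS

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_request_object(params: dict) -> str:
    """Client side: wrap the authorization request parameters in a JWS.
    RFC 9101 requires 'iss' and 'aud' when the Request Object is signed."""
    claims = {"iss": CLIENT_ID, "aud": AS_ISSUER, **params}
    header = b64url(json.dumps({"alg": "HS256", "typ": "oauth-authz-req+jwt"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(CLIENT_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def build_authz_url(request_object: str) -> str:
    # Only client_id travels beside the Request Object in the front channel.
    return f"{AS_ISSUER}/authorize?" + urlencode({"client_id": CLIENT_ID, "request": request_object})

def as_parse_authz_request(url: str) -> dict:
    """Authorization-server side: verify the JWS, bind it to the query client_id and take
    every parameter from the signed claims, ignoring duplicates placed in the bare query."""
    query = parse_qs(urlparse(url).query)
    header_b64, payload_b64, sig_b64 = query["request"][0].split(".")
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # the sender does not get to pick the algorithm
    expected = hmac.new(CLIENT_SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")  # tainted in transit, or not from this client
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("aud") != AS_ISSUER or claims.get("iss") != query["client_id"][0]:
        raise ValueError("aud/iss mismatch")
    if claims.get("client_id") != query["client_id"][0]:
        raise ValueError("client_id mismatch")  # RFC 9101 Section 5: the two MUST match
    return {k: v for k, v in claims.items() if k not in ("iss", "aud")}

def as_accepts(url: str) -> bool:
    try:
        as_parse_authz_request(url)
        return True
    except (ValueError, KeyError, AttributeError):
        return False
```

A duplicate `scope` appended to the bare query is simply ignored, which is the "parameters can be tainted" problem from slide 12 closed at the application layer.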
  27. Example: a Request Object prepared by the client is passed in the request parameter

  28. Example: a reference to a Request Object prepared by the client is passed in the request_uri parameter

  29. Example: a Request Object prepared by a party other than the client is passed in the request parameter
      Use cases where the format of the Authorization Request is strictly prescribed, or a third-party body performs verification

  30. Example: a reference to a Request Object prepared by a party other than the client is passed in the request_uri parameter
      The place hosting the Request Object is not necessarily the Client

  31. Example: a request_uri parameter that the authorization server provided to the client is passed
      The server resolves the Authorization Request internally, so no part of the Request Object is ever sent over the network

  32. RFC 9126 OAuth 2.0 Pushed Authorization Requests

  33. Overview
      • The characteristics of the RFC 6749 authorization request are as explained for JAR
      • When extension specifications are used in the authorization request, or a JAR Request Object is used, the request can become large
      • Defines a way for the client to send the authorization request to the authorization server and obtain a request_uri value to use in the subsequent steps

  34. (Repeated) A request_uri parameter that the authorization server provided to the client is passed
      PAR is the standardisation of this

  35. Step 1. Request to the PAR endpoint
      A new PAR endpoint is introduced

  36. Step 1. Request to the PAR endpoint
      Client authentication + the authorization request parameters

  37. Step 1. Request to the PAR endpoint
      A Request Object can also be sent to the PAR endpoint, so an authorization request verified by a third party can be passed as well

  38. Step 2. Response from the PAR endpoint

  39. Step 2. Response from the PAR endpoint
      request_uri and its expiry

  40. Step 3. Request to the authorization endpoint

  41. Step 3. Request to the authorization endpoint

  42. Characteristics
      • Confidentiality, integrity protection and non-repudiation with a simple procedure
      • Client authentication
      • The request to the authorization endpoint is kept confidential
      • Authenticating the client before the interaction with the resource owner makes it possible to prevent impersonation, tampering with the authorization request and misuse at an early stage
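The three PAR steps of slides 35 to 42 as an added in-memory simulation (not the project's or any library's code): the client-authenticated push returns a short-lived request_uri, and the authorization endpoint resolves it internally, accepting it only from the same client, once, and before expiry. The client registration, lifetime and hostnames are constructed.

```python
import secrets, time
from urllib.parse import urlencode

# Constructed client registration and lifetime; none of it comes from the slides.
CLIENTS = {"s6BhdRkqt3": "constructed-client-secret"}
REQUEST_URI_PREFIX = "urn:ietf:params:oauth:request_uri:"
LIFETIME = 90  # seconds; RFC 9126 expects request_uri values to be short-lived

_pushed: dict = {}  # request_uri -> (client_id, params, expires_at)

def par_endpoint(client_id, client_secret, params, now=None):
    """Steps 1-2: client-authenticated POST of the authorization request parameters.
    Returns (HTTP status, JSON body); success is 201 with request_uri and expires_in."""
    now = time.time() if now is None else now
    if CLIENTS.get(client_id) != client_secret:
        return 401, {"error": "invalid_client"}  # rejected before any user interaction
    if "request_uri" in params:  # RFC 9126: a request_uri must not itself be pushed
        return 400, {"error": "invalid_request"}
    if params.get("client_id", client_id) != client_id:
        return 400, {"error": "invalid_request"}  # params must belong to the authenticated client
    ref = REQUEST_URI_PREFIX + secrets.token_urlsafe(16)
    _pushed[ref] = (client_id, dict(params), now + LIFETIME)
    return 201, {"request_uri": ref, "expires_in": LIFETIME}

def build_front_channel_url(client_id, request_uri):
    # Step 3: the browser only carries client_id and the opaque reference.
    return "https://as.example.com/authorize?" + urlencode(
        {"client_id": client_id, "request_uri": request_uri})

def authorization_endpoint(query, now=None):
    """Step 3: resolve request_uri internally; the parameters never crossed the browser.
    Returns the stored parameters, or an error code string."""
    now = time.time() if now is None else now
    entry = _pushed.get(query.get("request_uri"))
    if entry is None:
        return "invalid_request_uri"
    client_id, params, expires_at = entry
    if client_id != query.get("client_id"):
        return "invalid_request_uri"  # bound to the client that pushed it
    if now > expires_at:
        return "invalid_request_uri"  # expired
    del _pushed[query["request_uri"]]  # one-time use
    return params
```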
  43. OAuth 2.0 + JAR + PAR vs OAuth 1.0
      The flows are roughly the same

  44. OAuth 2.0 Rich Authorization Requests (Draft 08 as of 2021/10/27)

  45. Overview
      • The target of the resource access specified in an authorization request is coarse
        • scope, defined in the OAuth 2.0 authorization request
        • resource, defined in RFC 8707 Resource Indicators for OAuth 2.0
      • Defines a parameter that can express things like a payment request including an amount, or fine-grained per-file read/write access

  46. The authorization_details parameter
      [Figure: payment request, lookup, cancel; account information lookup together with payment request, lookup, cancel]

  47. The authorization_details parameter
      • type: the kind of resource access (required)
      • locations: the resource or resource server (where)
      • actions: the actions performed on the resource
      • datatypes: the kinds of data requested from the resource
      • identifier: the identifier of a resource available at the API
      • privileges: the kinds or levels of privilege requested on the resource

  48. Expressing OIDC scope with authorization_details
      • scope "openid email profile"
      • claims
      • max_age
      • acr_values

  49. Expressing OIDC scope with authorization_details

  50. Authorization request
      • The URL-encoded value is passed (it is long)

  51. Affinity of PAR with RAR
      • Parameter length
      • Security: to prevent tampering…
      • Privacy: to prevent leakage…
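An added example for slides 47 and 50/51 (not code from the slides): a validator for the authorization_details fields listed above, next to the plain URL-encoded front-channel form whose length and visibility are the reason for pushing it through PAR instead. The supported types and the sample details are constructed.

```python
import json
from urllib.parse import urlencode

# Types this hypothetical AS would list in authorization_details_types_supported (constructed).
SUPPORTED_TYPES = {"payment_initiation", "account_information"}
COMMON_ARRAY_FIELDS = ("locations", "actions", "datatypes", "privileges")

def validate_authorization_details(raw: str) -> list:
    """Parse and check the authorization_details value of a request.
    Raises ValueError where the AS would answer invalid_authorization_details."""
    details = json.loads(raw)  # JSONDecodeError is itself a ValueError
    if not isinstance(details, list) or not details:
        raise ValueError("authorization_details must be a non-empty JSON array")
    for i, d in enumerate(details):
        if not isinstance(d, dict):
            raise ValueError(f"element {i} is not an object")
        t = d.get("type")
        if not isinstance(t, str) or not t:
            raise ValueError(f"element {i}: 'type' is required and must be a string")
        if t not in SUPPORTED_TYPES:
            raise ValueError(f"element {i}: unsupported type {t!r}")
        for f in COMMON_ARRAY_FIELDS:  # optional, but always arrays of strings
            v = d.get(f)
            if v is not None and not (isinstance(v, list) and all(isinstance(x, str) for x in v)):
                raise ValueError(f"element {i}: {f!r} must be an array of strings")
        if "identifier" in d and not isinstance(d["identifier"], str):
            raise ValueError(f"element {i}: 'identifier' must be a string")
    return details

def details_ok(raw: str) -> bool:
    try:
        validate_authorization_details(raw)
        return True
    except ValueError:
        return False

# Constructed request: read account information and initiate one payment.
SAMPLE_DETAILS = [
    {"type": "account_information", "actions": ["list_accounts", "read_balances"],
     "locations": ["https://bank.example.com/accounts"]},
    {"type": "payment_initiation", "actions": ["initiate", "status", "cancel"],
     "locations": ["https://bank.example.com/payments"],
     "instructedAmount": {"currency": "EUR", "amount": "123.50"},
     "creditorName": "Merchant A"},
]

def front_channel_query(details: list) -> str:
    """Plain RFC 6749 form: the JSON URL-encoded into the query string (long, and visible)."""
    return urlencode({"response_type": "code", "client_id": "s6BhdRkqt3",
                      "authorization_details": json.dumps(details, separators=(",", ":"))})
```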
  52. Summary
      • Introduced three specifications relating to the authorization request
      • Understand each specification while keeping in mind the mechanisms that secure data exchanged via the User-Agent
      • Understand the finer-grained way of expressing resource access requests together with its use cases

  53. Finally
      • Let's do the Advent Calendar again this year
      • How to take part
        • Announce your participation (probably on Qiita again this year)
        • Have an article ready that you can publish during December (it doesn't have to be on Qiita)