OAuth 2.0仕様紹介 JAR, PAR, RAR @ iddance Lesson3

Transcript

1. OAuth 2.0࢓༷঺հ JAR, PAR, RAR #iddance Lesson3 TwitterͷOAuth 2.0ͱ͔CIBAͷ࢖͍ॴΛ஌Ζ͏ͷձ @ritou

   2021/10/27

2. ຊ೔঺հ͢Δ࢓༷ • RFC 9101 The OAuth 2.0 Authorization Framework: JWT-Secured

   Authorization Request (JAR) • RFC 9126 OAuth 2.0 Pushed Authorization Requests • OAuth 2.0 Rich Authorization Requests(2021/10/27࣌఺Ͱ͸Draft08)  2

3. ຊ೔ͷ಺༰ • OAuth 2.0ͷೝՄϦΫΤετͱ͸ • RFC6749Ͱఆٛ͞Ε͍ͯΔೝՄϦΫΤετͷ՝୊ͱ͸ • JAR, PAR, RARͦΕͧΕͷ࢓༷ͰԿ͕ఆٛ͞Ε͍ͯΔͷ͔

    3

4. OAuth 2.0ͷೝՄϦΫΤετͱ͸  4

5. OAuth 2.0ͷྲྀΕ  5 3FTPVSDF
   0XOFS $MJFOU "VUIPSJ[BUJPO
   4FSWFS
   3FTPVSDF
   4FSWFS
   

   Ϣʔβʔ͸$MJFOUͰผαʔϏε ͷϦιʔεΛར༻͍ͨ͠ 
   "VUI;
   4FSWFSʹϦμ ΠϨΫτͯ͠ 
 ϦιʔεΞΫηεΛཁٻ 
   ϦιʔεΞΫηεͷݖݶΛఏڙ ̏ 
   ϩάΠϯͯ͠ɺ
   $MJFOUʹϦιʔεΞΫηεΛఏڙ͢ Δ͜ͱʹಉҙ 
   3FTPVSDF
   4FSWFS͔Βऔಘ ͨ͠஋Λར༻͢ΔαʔϏεΛఏڙ ! " # $ % &

6. OAuth 2.0ͷೝՄϦΫΤετ  6 3FTPVSDF
   0XOFS $MJFOU "VUIPSJ[BUJPO
   4FSWFS
   3FTPVSDF
   4FSWFS
   

   Ϣʔβʔ͸$MJFOUͰผαʔϏε ͷϦιʔεΛར༻͍ͨ͠ 
   "VUI;
   4FSWFSʹϦμ ΠϨΫτͯ͠ 
 ϦιʔεΞΫηεΛཁٻ 
   ϦιʔεΞΫηεͷݖݶΛఏڙ ̏ 
   ϩάΠϯͯ͠ɺ
   $MJFOUʹϦιʔεΞΫηεΛఏڙ͢ Δ͜ͱʹಉҙ 
   3FTPVSDF
   4FSWFS͔Βऔಘ ͨ͠஋Λར༻͢ΔαʔϏεΛఏڙ ! " # $ % &

7.  7

8. OAuth 2.0ͷೝՄϨεϙϯε  8 3FTPVSDF
   0XOFS $MJFOU "VUIPSJ[BUJPO
   4FSWFS
   3FTPVSDF
   4FSWFS
   

   Ϣʔβʔ͸$MJFOUͰผαʔϏε ͷϦιʔεΛར༻͍ͨ͠ 
   "VUI;
   4FSWFSʹϦμ ΠϨΫτͯ͠ 
 ϦιʔεΞΫηεΛཁٻ 
   ϦιʔεΞΫηεͷݖݶΛఏڙ ̏ 
   ϩάΠϯͯ͠ɺ
   $MJFOUʹϦιʔεΞΫηεΛఏڙ͢ Δ͜ͱʹಉҙ 
   3FTPVSDF
   4FSWFS͔Βऔಘ ͨ͠஋Λར༻͢ΔαʔϏεΛఏڙ ! " # $ % &

9.  9

10. RFC6749Ͱఆٛ͞Ε͍ͯΔ ೝՄϦΫΤετͷ՝୊ͱ͸  10

11. RFC6749ͷఆٛ • The client constructs the request URI by adding

    the following parameters to the query component of the authorization endpoint URI using the "application/x-www-form-urlencoded" format, …  11

12. ΫΤϦύϥϝʔλར༻ͷಛ௃ (JARͷ1. Introduction) A. the communication through the user agents

    is not integrity protected, and thus, the parameters can be tainted (integrity protection failure) : ύϥϝʔλ͸վม͞ΕΔՄೳੑ͕͋Δ B. the source of the communication is not authenticated (source authentication failure) : ϦΫΤετݩͷೝূ͕Ͱ͖ͳ͍ C. the communication through the user agents can be monitored (containment/con fi dentiality failure) : ϒϥ΢β΋·ͨͪ͜ΒΛ…  12

13. Webϒϥ΢βΛհͨ͠σʔλૹ৴ํ๏ • GETϦΫΤετͷΫΤϦύϥϝʔλ • GET https://www.example.com/endpoint?foo=var&… • GETϦΫΤετͷϑϥάϝϯτίϯϙʔωϯτ • GET

    https://www.example.com/endpoint#foo=var&… • POSTϦΫΤετͷϦΫΤετϘσΟ  13

14. ΑΓ҆શʹ͢ΔͨΊʹʁ • ΫΤϦύϥϝʔλ/ϦΫΤετϘσΟʹJWT(JWS, JWS+JWE)Λࢦఆ • https://www.example.com/endpoint?data=eyJ… • ΫΤϦύϥϝʔλ/ϦΫΤετϘσΟʹJWTͷࢀরΛࢦఆ • https://www.example.com/endpoint?

    data_uri=https%3A%2F%2F…  14

15. ͜ΕΛೝՄϦΫΤετʹ ద༻͢Δͷ͕ࠓճ঺հ͢Δ…  15

16. ͷલʹʂ  16

17. ͢Ͱʹ͜ͷΑ͏ͳ࢓૊Έ͸ ೝՄϨεϙϯεͰ࢖ΘΕ͍ͯΔ • ೝՄϨεϙϯεͰฦ͞ΕΔՄೳੑ͕͋Δύϥϝʔλ • state • Authorization Code •

    ID Token(OIDC) • Access Token, Token Type, Refresh Token, Expires in…  17

18. ೝՄϨεϙϯεͷ࢓༷ • ֤छτʔΫϯΛؚΉೝՄϨεϙϯε͸ΫΤϦύϥϝʔλͰ͸ฦͣ͞ʹ ϑϥάϝϯτίϯϙʔωϯτΛར༻(Implicit Grant, Hybrid Flow) • ೝՄίʔυΛΫΤϦύϥϝʔλ/ϑϥάϝϯτίϯϙʔωϯτͰฦ ͠ɺΫϥΠΞϯτ͸όοΫνϟϯωϧͰ֤छτʔΫϯΛϦΫΤετ

    (Authorization Code Grant) ≒ ࢀরΛ౉͢ • ೝՄϨεϙϯεࣗମΛJWS, JWS+JWEͰอޢ (JARM) = JWTͰอޢ  18

19. લஔ͖͸͜͜·Ͱ  19

20. ͜ͷΑ͏ͳอޢΛೝՄϦΫΤετʹ ద༻͢Δࡍʹ࢖͑Δͷ͕ࠓճ঺հ͢Δ JAR/PAR/RAR Ͱ͢  20

21. RFC 9101 The OAuth 2.0 Authorization Framework: JWT-Secured Authorization Request

    (JAR)  21

22. ֓ཁ • JWTΛར༻ͯ͠ΞϓϦέʔγϣϯϨϕϧͰೝՄϦΫΤετͷηΩϡϦ ςΟϦεΫΛܰݮ͢Δ • ॺ໊(JWS)ʹΑΓ੔߹ੑอޢɺੜ੒ݩͷݕূ͕Մೳ • ҉߸Խ(JWE)ʹΑΓTLSʹӨڹ͠ͳ͍ػີੑอޢ • ୈ3ऀ͕ೝՄϦΫΤετͷ಺༰Λݕূͯ͠ॺ໊͢Δ͜ͱ΋Մೳ

    • JWTͦͷ΋ͷͰ͸ͳ͘ࢀরΛૹΔ͜ͱ΋Մೳ  22

23. Request Object • ೝՄϦΫΤετΛJWTܗࣜͰදݱͨ͠΋ͷ • ύϥϝʔλ͸JWTͷΫϨʔϜ(JSON)ʹ֨ೲ • JWSʹΑΓॺ໊͢Δ৔߹͸ “iss”, “aud”

    ΛؚΉ • “aud” ͕ೝՄαʔόʔͷ஋ • ඞཁʹԠͯ͡JWT(RFC7519) Ͱఆٛ͞Ε͍ͯΔΫϨʔϜΛར༻  23

24. Request Object  24

25. Request Object URI • Request ObjectΛίϯςϯπͱͯ͠ฦ͢URI • ࣄલʹೝՄϦΫΤετΛड͚ͨೝՄαʔόʔ͕ΫϥΠΞϯτʹ޲͚ͯ Request Object

    URIΛఏڙ͢Δ৔߹(PAR)͸Α͠ͳʹ΍ͬͯྑ͍  25

26. ೝՄϦΫΤετͷ֦ு • ೝՄϦΫΤετʹؚ·ΕΔύϥϝʔλ • “client_id” • “request” or “request_uri” 

    26

27. ྫ. ΫϥΠΞϯτ͕༻ҙͨ͠ Request Object Λ request ύϥϝʔλͰࢦఆ  27

28. ྫ. ΫϥΠΞϯτ͕༻ҙͨ͠ Request Object ͷ ࢀরΛ request_uri ύϥϝʔλͰࢦఆ  28

29. ྫ. ΫϥΠΞϯτҎ֎͕༻ҙͨ͠ Request Object Λ request ύϥϝʔλͰࢦఆ  29 Authorization

    RequestͷϑΥʔϚοτ͕ݫີʹܾΊΒΕ͍ͯͨΓɺ ୈ3ऀػؔͷݕূ͕ߦΘΕΔϢʔεέʔε

30. ྫ. ΫϥΠΞϯτҎ֎͕༻ҙͨ͠ Request Object Λ ࢀরΛ request_uri ύϥϝʔλͰࢦఆ  30

    Request Object Λϗετ͢Δ৔ॴ͸ Client ͱ͸ݶΒͳ͍

31. ྫ. ೝՄαʔόʔ͕ΫϥΠΞϯτʹఏڙͨ͠ request_uri ύϥϝʔλΛࢦఆ  31 ಺෦ͰAuthorization RequestΛࢀরʹߦ͘ͷͰɺ ωοτϫʔΫ্ΛRequest Object͕ૹΒΕΔ෦෼͸ͳ͍

32. RFC 9126 OAuth 2.0 Pushed Authorization Requests  32

33. ֓ཁ • RFC6749ͷೝՄϦΫΤετͷಛ௃͸JARͰઆ໌ͨ͠௨Γ • ֦ு࢓༷Λར༻ͨ͠ೝՄϦΫΤετ΍ JAR ͷ Request Object Λར༻

    ͢Δ৔߹ɺϦΫΤετͷαΠζ͕େ͖͘ͳΔՄೳੑ͕͋Δ • ΫϥΠΞϯτ͕ೝՄαʔόʔʹೝՄϦΫΤετΛૹ৴ͯͦ͠ͷޙͷॲ ཧʹར༻͢Δ request_uri ͷ஋Λఏڙ͢Δํ๏Λఆٛ  33

34. (࠶ܝࡌ) ೝՄαʔόʔ͕ΫϥΠΞϯτʹ ఏڙͨ͠ request_uri ύϥϝʔλΛࢦఆ  34 ͜ΕΛඪ४Խͨ͠΋ͷ͕PAR

35. 1. PARΤϯυϙΠϯτ΁ͷϦΫΤετ  35 PARΤϯυϙΠϯτΛ৽ઃ

36. 1. PARΤϯυϙΠϯτ΁ͷϦΫΤετ  36 ΫϥΠΞϯτೝূ + ೝՄϦΫΤετͷύϥϝʔλ

37. 1. PARΤϯυϙΠϯτ΁ͷϦΫΤετ  37 Request Object ΋ PARΤϯυϙΠϯτʹૹ৴Ͱ͖Δɻ = 3rd

    Party͕ݕূͨ͠ೝՄϦΫΤετ΋ ࢦఆՄೳ

38. 2. PARΤϯυϙΠϯτ͔ΒͷϨεϙϯε  38

39. 2. PARΤϯυϙΠϯτ͔ΒͷϨεϙϯε  39 request_uri ͱ ༗ޮظݶ

40. 3. ೝՄΤϯυϙΠϯτ΁ͷϦΫΤετ  40

41. 3. ೝՄΤϯυϙΠϯτ΁ͷϦΫΤετ  41

42. ಛ௃ • ؆୯ͳखॱͰػີੑͱ੔߹ੑͷอޢͱ൱ೝ๷ࢭΛ࣮ݱՄೳ • ΫϥΠΞϯτೝূ • ೝՄΤϯυϙΠϯτ΁ͷϦΫΤετΛൿಗ • ϦιʔεΦʔφʔͱͷର࿩ͷલʹΫϥΠΞϯτΛೝূ͢Δ͜ͱͰɺૣ ͍ஈ֊ͰͷͳΓ͢·͠΍ೝՄϦΫΤετͷվ᜵ɺޡ༻Λ๷ࢭՄೳ

     42

43. OAuth 2.0 + JAR + PAR vs OAuth 1.0 

    43 ྲྀΕ͸͍͍ͩͨҰॹ

44. OAuth 2.0 Rich Authorization Requests (2021/10/27࣌఺Ͱ͸Draft08)  44

45. ֓ཁ • ೝՄϦΫΤετʹࢦఆ͞ΕΔϦιʔεΞΫηεͷର৅͸ͬ͘͟Γͯ͠ ͍Δ • OAuth 2.0 ͷೝՄϦΫΤετͰఆٛ͞Ε͍ͯΔ scope •

    RFC8707 Resource Indicators for OAuth 2.0 Ͱఆٛ͞Ε͍ͯΔ resource • ֹۚΛؚΉܾࡁϦΫΤετ΍ࡉ͔͍ϑΝΠϧ୯ҐͷಡΈॻ͖ΛදݱͰ ͖ΔΑ͏ͳύϥϝʔλΛఆٛ͢Δ  45

46. authorization_details ύϥϝʔλ  46 ܾࡁཁٻɺࢀরɺΩϟϯηϧ ΞΧ΢ϯτ৘ใࢀরͱܾࡁཁٻɺࢀরɺΩϟϯηϧ

47. authorization_details ύϥϝʔλ • type : ϦιʔεΞΫηεͷछྨ(ඞਢ) • locations : Ϧιʔε΋͘͠͸Ϧιʔεαʔόʔ

    (Ͳ͜Ͱ) • actions : ϦιʔεͰ࣮ߦ͞ΕΔΞΫγϣϯ • datatypes : Ϧιʔε͔Βཁٻ͞Ε͍ͯΔσʔλͷछྨ • identi fi er : APIͰར༻ՄೳͳϦιʔεͷࣝผࢠ • privileges : ϦιʔεͰཁٻ͞ΕΔݖݶͷछྨ΍Ϩϕϧ  47

48. OIDC ͷ scope Λ authorization_details Ͱදݱ  48 • scope

    “openid email pro fi le” • claims • max_age • acr_values

49. OIDC ͷ scope Λ authorization_details Ͱදݱ  49

50. ೝՄϦΫΤετ • URLΤϯίʔυͨ͠஋Λࢦఆ(௕͍)  50

51. PAR / RAR ͱͷ਌࿨ੑ • ύϥϝʔλͷ௕͞ • ηΩϡϦςΟ • վ᜵๷ࢭͷͨΊ…

    • ϓϥΠόγʔ • ࿙Ӯ๷ࢭͷͨΊ…  51

52. ·ͱΊ • ೝՄϦΫΤετʹؔ͢Δ3ͭͷ࢓༷Λ঺հͨ͠ • User-AgentΛར༻͢Δσʔλͷ΍ΓऔΓΛ҆શʹ͢Δ࢓૊ΈΛҙࣝ ͠ͳ͕Β֤࢓༷Λཧղ͠Α͏ • ΑΓࡉ͔͍ϦιʔεΞΫηεཁٻͷදݱํ๏ΛϢʔεέʔεͱ૊Έ߹ Θͤͯཧղ͠Α͏ 

    52

53. ࠷ޙʹ • Advent Calendar ࠓ೥΋΍Γ·͠ΐ͏ • ࢀՃํ๏ • ࢀՃද໌Λ͢Δ (ଟ෼ࠓ೥΋Qiita)

    • 12݄தʹެ։Ͱ͖ͦ͏ͳهࣄΛ༻ҙ͓ͯ͘͠(Qiita͡Όͳͯ͘΋ok)  53