Upgrade to Pro — share decks privately, control downloads, hide ads and more …

コンシューマ向けサービスで使われている 認証認可仕様とデジタル署名 / saloff1-ritou

Avatar for ritou ritou
June 19, 2019
Technology
1.5k
1

コンシューマ向けサービスで使われている 認証認可仕様とデジタル署名 / saloff1-ritou

Avatar for ritou

ritou

June 19, 2019

More Decks by ritou

See All by ritou
[PR] はじめてのデジタルアイデンティティという本を書きました
Avatar for ritou ritou
2
1.2k
“パスワードレス認証への道" ユーザー認証の変遷とパスキーの関係
Avatar for ritou ritou
2
6.7k
パスキー導入の課題と ベストプラクティス、今後の展望
Avatar for ritou ritou
12
7.8k
Password-less Journey - パスキーへの移行を見据えたユーザーの準備 + α
Avatar for ritou ritou
1
170
Password-less Journey - パスキーへの移行を見据えたユーザーの準備 @ AXIES 2024
Avatar for ritou ritou
4
1.8k
OIDF-J EIWG 振り返り
Avatar for ritou ritou
2
110
そのQRコード、安全ですか? / Cross Device Flow
Avatar for ritou ritou
4
670
MIXI Mと社内外のサービスを支える認証基盤を作るためにやってきたこと #MTDC2024
Avatar for ritou ritou
3
810
Passkeys and Identity Federation @ OpenID Summit Tokyo 2024
Avatar for ritou ritou
2
1k

Other Decks in Technology

See All in Technology
Expiration of Secure Boot Certificates for vSphere Virtual Machines
Avatar for MasahiroIrie mirie_sd
0
100
ServiceNow Knowledge 26 の歩き方
Avatar for ServiceNow Japan Meetup manarobot
0
120
MLOps導入のための組織作りの第一歩
Avatar for Daisuke Akagawa (Akasan) akasan
0
340
ARIA Notifyについて
Avatar for ryokatsuse ryokatsuse
1
120
Do Ruby::Box dream of Modular Monolith?
Avatar for Tomohiro Hashidate joker1007
1
350
Oracle AI Database@AWS:サービス概要のご紹介
Avatar for oracle4engineer oracle4engineer
PRO
4
2.4k
社内エンジニア勉強会の醍醐味と苦しみ/tamadev
Avatar for Ichiro Nishiuma nishiuma
0
220
No Types Needed, Just Callable Method Check
Avatar for dak2 dak2
1
1.4k
Microsoft 365 / Microsoft 365 Copilot : 自分の状態を確認する「ラベル」について
Avatar for Taichi Nakamura taichinakamura
0
300
Claude Code を安全に使おう勉強会 / Claude Code Security Basics
Avatar for MasahiroKawahara masahirokawahara
11
35k
Hacobu Tech Deck
Avatar for Hacobu hacobu
PRO
0
120
扱える不確実性を増やしていく - スタートアップEMが考える「任せ方」
Avatar for kadoppe kadoppe
0
310

Featured

See All Featured
The AI Search Optimization Roadmap by Aleyda Solis
Avatar for Aleyda Solis aleyda
1
5.6k
Chasing Engaging Ingredients in Design
Avatar for Sebastian Deterding codingconduct
0
170
Applied NLP in the Age of Generative AI
Avatar for Ines Montani inesmontani
PRO
4
2.2k
JavaScript: Past, Present, and Future - NDC Porto 2020
Avatar for David Neal reverentgeek
52
5.9k
Practical Tips for Bootstrapping Information Extraction Pipelines
Avatar for Matthew Honnibal honnibal
25
1.9k
Fashionably flexible responsive web design (full day workshop)
Avatar for Andy Clarke malarkey
408
66k
Evolution of real-time – Irina Nazarova, EuRuKo, 2024
Avatar for Irina Nazarova irinanazarova
9
1.3k
Ten Tips & Tricks for a 🌱 transition
Avatar for Manu Carrasco Molina stuffmc
0
99
Docker and Python
Avatar for Tania Allard trallard
47
3.8k
AI in Enterprises - Java and Open Source to the Rescue
Avatar for ivargrimstad ivargrimstad
0
1.2k
Improving Core Web Vitals using Speculation Rules API
Avatar for Sergey Chernyshev sergeychernyshev
21
1.4k
Fireside Chat
Avatar for paigeccino paigeccino
42
3.9k

Transcript

  1. ίϯγϡʔϚ޲͚αʔϏεͰ࢖ΘΕ͍ͯΔ ೝূೝՄ࢓༷ͱσδλϧॺ໊ ͍ͱ͏Γΐ͏!SJUPV  αϧΦϑॺ໊ϒλ໺࿠͸ೝূઌഐͷເΛݟͳ͍

  2. ͍ͱ͏Γΐ͏ • (ג)ϛΫγΟ ΤϯδχΞ - Identity / Platform • OpenID

    ϑΝ΢ϯσʔγϣϯɾδϟύϯ ΤόϯδΣϦετ(2߸ػ) • Blog : ritou.hatenablog.com • Twitter : @ritou (ळాͷೣ) • ˌidcon, #iddance !2

  3. ຊ೔ͷ಺༰ • ೝূपΓͰ࢖ΘΕ͍ͯΔ/͜Ε͔Β࢖ΘΕͦ͏ͳ࢓༷ Λ঺հ • σδλϧॺ໊ͷ࢖ΘΕͲ͜Ζʢ͞ΘΓ͚ͩʣ !3

  4. ೝূೝՄपΓͷΩʔϫʔυ • OAuth 2.0 & OpenID Connect • WebAuthn /

    FIDO !4

  5. OAuth 2.0 & OpenID Connect

  6. OAuth 2.0 RFC 6749/6750 (2012/10~) • RFC 6749 : τʔΫϯϕʔεͷϦιʔεΞΫηεͷ͘͠Έ

    • ొ৔ਓ෺͸Client, Server, Resource Owner ͷ3ऀ • Client͕Resource OwnerͷύεϫʔυͳͲΛѻΘͳ͍(※) • RFC 6750 : Bearer TokenͰAPIΞΫηε͢Δํ๏ • ΞΫηετʔΫϯͷऔಘํ๏ • ΞΫηετʔΫϯΛ༻͍ͨAPIΞΫηεํ๏ !6

  7. OAuth 2.0ར༻ྫ ͸ͯͳϒϩάͷInstagram࿈ܞ !7

  8. OAuth 2.0ར༻ྫ ͸ͯͳϒϩάͷInstagram࿈ܞ !8

  9. Կ͕ߦΘΕͨͷ͔ʁ !9 3FTPVSDF0XOFS $MJFOU 4FSWFS  *OTUBHSBN࿈ܞΛ ༗ޮԽ͢Δ *OTUBHSBNͷը૾ ΁ͷΞΫηεݖݶΛཁٻ

    ΞΫηε͕ڐՄ͞Εͨ͜ͱΛ௨஌ ̏ ͸ͯͳϒϩάʹΑΔ *OTUBHSBNͷը૾΁ͷΞΫηεΛ Ϣʔβʔ͕ڐՄ

  10. !10 IUUQTUXJUUFSDPNLVSB@MBCTUBUVT "VUIPSJ[BUJPO$PEF 'MPX *NQMJDJU'MPX

  11. None

  12. OAuth 2.0ͷτʔΫϯͱ༻్ !12 • Access Token - APIΞΫηε • Refresh

    Token - Access Tokenߋ৽ • Authorization Code - Access Token / Refresh Tokenऔಘ

  13. ͍ΘΏΔOAuthೝূ (OAuth as a Authentication) !13 • OAuth 2.0ͰϓϩϑΟʔϧAPI͔ΒϢʔβʔࣝผࢠ Λऔಘ͠ɺೝূػೳʹར༻

    • ౷Ұ͞Ε͍ͯͳ͍ϓϩϑΟʔϧAPI • Native ApplicationͱόοΫΤϯυαʔόʔؒͷΞΫηετʔ ΫϯͷϋϯυϦϯά

  14. OpenID Connect (2014/2~) !14 • ʮʙͰϩάΠϯʯ(ID࿈ܞ)ͷͨΊͷ࢓༷ • OAuth 2.0Λ֦ு •

    ID Token - ೝূΠϕϯτͷ৘ใΛ΍ΓऔΓ • Userinfo Endpoint - ඪ४తͳϓϩϑΟʔϧAPI • Self-Issued OP - ୺຤্Ͱಈ࡞͢ΔOpenID Provider

  15. !15

  16. OpenID Connect - ID Token !16 • ೝূΠϕϯτͷ৘ใΛ֨ೲ • JSON

    Web Signatureܗࣜ • ϢʔβʔɺRPɺೝূཁٻͷ৘ใΛ֨ೲ • OP͕࣋ͭൿີ伴Ͱॺ໊ • RP͸ެ։伴ͰݕূՄೳ

  17. OAuth 2.0/OIDC஀ੜޙͷมԽ !17 • Ϣʔεέʔε • Client : Web App

    -> Native App(Hybrid) -> Single Page App etc… • Server : monolith -> microservices • ྖҬ • SNS࿈ܞɺιʔγϟϧϩάΠϯ -> ܾࡁɺۚ༥ɺϔϧεέΞ جຊػೳ͚ͩͰ͸ཁ͕݅ຬͨͤͳ͍৔߹΋

  18. !18

  19. Security Considerations • RFCs • 6819 : OAuth 2.0 Threat

    Model and Security Considerations • 8252 : OAuth 2.0 for Native Apps • Draft • OAuth 2.0 Security Best Current Practice • OAuth 2.0 for Browser-Based Apps !19

  20. Financial-grade API (FAPI) • ΦϯϥΠϯͷۚ༥αʔϏεʹ͓͚ΔOAuth 2.0/OIDC ͷ࣮૷ΨΠυϥΠϯ • Part 1:

    Read-Only API Security Profile - ࢀরܥ • Part 2: Read and Write API Security Profile - ߋ৽ܥ • Client Initiated Backchannel Authentication Profile (CIBA) - Client؀ڥͱೝূσόΠεͷ෼཭ !20

  21. OAuth/OIDCͱσδλϧॺ໊ • ίΞͳ࢓༷ • ID Tokenͷੜ੒ɺݕূ • ͦͷଞɺ֤छϦΫΤετ/ϨεϙϯεͷอޢʹJWSͳͲΛ ར༻͢Δ֦ு͕͋Δ •

    Clientೝূ • ೝূ(ೝՄཁٻ) !21

  22. WebAuthn / FIDO Ϣʔβʔೝূͷ͓࿩

  23. ύεϫʔυೝূ !23 • ཁ͕݅ຬͨ͞ΕΔͳΒ͹ࢸߴͷೝূํࣜ • هԱετϨʔδͷར༻ʹΑΔՄൖੑ • αʔϏε͝ͱʹҟͳΔɺਪଌࠔ೉ͳจࣈྻ • ϑΟογϯάରࡦ

    • ࿙Ӯηʔϑͳ؅ཧ • ݱঢ় : ཁ݅Λຬͨͤͳ͍Ϣʔβʔ/αʔϏε……

  24. FIDO !24 • ϩʔΧϧೝূΛར༻ • ύεϫʔυΛૹΒͳ͍ • (ੜମೝূʹݶΒͣ)༷ʑͳೝূํࣜͱͷ૊Έ߹Θ͕ͤՄೳ • ެ։伴҉߸ํࣜ

    • ొ࿥ : ॺ໊ͱެ։伴৘ใΛૹ৴ • ೝূ : ॺ໊Λૹ৴

  25. WebAuthn !25 • FIDO2 : WebΞϓϦέʔγϣϯ͔Β΋FIDO • WebAuthn (Web Authentication

    API) • FIDOΛར༻͢ΔαʔϏε͕ݺͼग़͢JavaScript API • CTAP • ηΩϡϦςΟΩʔͱ΍ΓͱΓ͢ΔͨΊͷ࢓༷ɺϒϥ΢β͕࣮૷

  26. WebAuthn - ొ৔ਓ෺ !26 • Relying Party : WebΞϓϦ •

    Authenticator : ηΩϡϦςΟΩʔɺσόΠε • Client : Webϒϥ΢β

  27. WebAuthn - ొ࿥ϑϩʔ !27 1. ొ࿥༻ύϥϝʔλ࡞੒
 (RP৘ใ,Ϣʔβʔ৘ใ, ϩʔΧϧೝূͷ༗ແͳͲ) 3. Authenticator/Platform

    ͷػೳΛݺͼग़͢ 2. JS APIͷݺͼग़͠ 4.ϩʔΧϧೝূ 伴ϖΞੜ੒ ॺ໊࡞੒ 5. ৽͍͠ެ։伴ͱॺ໊ 6. JS API͔Βͷ໭Γ஋ 7.֤छݕূ ެ։伴ͷอଘ Authenticator (SecurityKey etc…) Client (ϒϥ΢β) Relying Party

  28. WebAuthn - ೝূϑϩʔ !28 1. ೝূ༻ύϥϝʔλ࡞੒
 (ެ։伴৘ใ,ϩʔΧϧೝ ূͷ༗ແͳͲ) 3. Authenticator/Platform

    ͷػೳΛݺͼग़͢ 2. JS APIͷݺͼग़͠ 4.ϩʔΧϧೝূ ॺ໊࡞੒ 5. ॺ໊ 6. JS API͔Βͷ໭Γ஋ 7.֤छݕূ ೝূ׬ྃॲཧ Authenticator (SecurityKey etc…) Client (ϒϥ΢β) Relying Party

  29. FIDOͷϢʔεέʔε !29 • ύεϫʔυϨεͳೝূํࣜͱͯ͠ (ॴ࣋+ϩʔΧϧೝূ) • 2ஈ֊/2ཁૉ໨ͷೝূํࣜͱͯ͠ (ॴ࣋) • ॏཁͳॲཧͷલͷຊਓ֬ೝͱͯ͠

  30. ̎ஈ֊(ཁૉ)ೝূͱϑΟογϯά !30 ϑΟογϯάϝʔϧɺ ϝοηʔδ ϑΟογϯάαΠτ ʢFYBNQMFJOGPʣ ਖ਼نͷαΠτ FYBNQMFDPN *%ύεϫʔυ 

    ϫϯλΠϜ ύεϫʔυ औಘͨ͠ *%ύεϫʔυ  ϫϯλΠϜ ύεϫʔυ !30

  31. FIDOͷϑΟογϯά଱ੑ !31 ϑΟογϯάϝʔϧɺ ϝοηʔδ ϑΟογϯάαΠτ ʢFYBNQMFJOGPʣ ਖ਼نͷαΠτ FYBNQMFDPN *%ύεϫʔυ 

    Ξαʔγϣϯ ॺ໊ͳͲ औಘͨ͠ *%ύεϫʔυ  Ξαʔγϣϯ !31 PSJHJO୯ҐͰ伴ϖΞΛ ੜ੒͍ͯ͠ΔͷͰ ϑΟογϯάαΠτʹ ϩάΠϯͰ͖ͳ͍ ϑΟογϯάαΠτ޲͚ͷ ΞαʔγϣϯΛਖ਼نͷαΠτʹ ૹͬͯ΋ݕূࣦഊ͢Δ

  32. WebAuthn/FIDOͱσδλϧॺ໊ !32 • ొ࿥/ೝূϑϩʔͷνϟϨϯδ/Ϩεϙϯεͷݕূ • ެ։伴৘ใΛ༻͍ͯॺ໊ݕূ • Authenticator ͷਅਖ਼ੑͷݕূ •

    ূ໌ॻνΣʔϯͷݕূ