Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Speaker Deck
PRO
Sign in
Sign up
for free
コンシューマ向けサービスで使われている 認証認可仕様とデジタル署名 / saloff1-ritou
ritou
June 19, 2019
Technology
1
780
コンシューマ向けサービスで使われている 認証認可仕様とデジタル署名 / saloff1-ritou
ritou
June 19, 2019
Tweet
Share
More Decks by ritou
See All by ritou
ritou
1
4.2k
ritou
1
3.1k
ritou
3
680
ritou
11
3.9k
ritou
1
230
ritou
5
2.2k
ritou
0
270
ritou
12
11k
ritou
0
410
Other Decks in Technology
See All in Technology
free_world21
0
110
go5paopao
9
1.5k
akitok_
2
770
dena_tech
0
170
mahito
0
230
hayatan
0
200
shirayanagiryuji
1
280
tricknotes
0
120
soracom
0
180
lancers_pr
4
1.5k
viva_tweet_x
1
430
pg0084
1
140
Featured
See All Featured
roundedbygravity
84
7.9k
samanthasiow
56
6.4k
malarkey
392
61k
tenderlove
53
3.5k
nonsquared
81
3.4k
morganepeng
93
14k
imathis
479
150k
holman
461
280k
cherdarchuk
71
260k
yeseniaperezcruz
302
31k
jensimmons
207
10k
mongodb
23
3.9k
Transcript
ίϯγϡʔϚ͚αʔϏεͰΘΕ͍ͯΔ ೝূೝՄ༷ͱσδλϧॺ໊ ͍ͱ͏Γΐ͏!SJUPV αϧΦϑॺ໊ϒλೝূઌഐͷເΛݟͳ͍
͍ͱ͏Γΐ͏ • (ג)ϛΫγΟ ΤϯδχΞ - Identity / Platform • OpenID
ϑΝϯσʔγϣϯɾδϟύϯ ΤόϯδΣϦετ(2߸ػ) • Blog : ritou.hatenablog.com • Twitter : @ritou (ळాͷೣ) • ˌidcon, #iddance !2
ຊͷ༰ • ೝূपΓͰΘΕ͍ͯΔ/͜Ε͔ΒΘΕͦ͏ͳ༷ Λհ • σδλϧॺ໊ͷΘΕͲ͜Ζʢ͞ΘΓ͚ͩʣ !3
ೝূೝՄपΓͷΩʔϫʔυ • OAuth 2.0 & OpenID Connect • WebAuthn /
FIDO !4
OAuth 2.0 & OpenID Connect
OAuth 2.0 RFC 6749/6750 (2012/10~) • RFC 6749 : τʔΫϯϕʔεͷϦιʔεΞΫηεͷ͘͠Έ
• ొਓClient, Server, Resource Owner ͷ3ऀ • Client͕Resource OwnerͷύεϫʔυͳͲΛѻΘͳ͍(※) • RFC 6750 : Bearer TokenͰAPIΞΫηε͢Δํ๏ • ΞΫηετʔΫϯͷऔಘํ๏ • ΞΫηετʔΫϯΛ༻͍ͨAPIΞΫηεํ๏ !6
OAuth 2.0ར༻ྫ ͯͳϒϩάͷInstagram࿈ܞ !7
OAuth 2.0ར༻ྫ ͯͳϒϩάͷInstagram࿈ܞ !8
Կ͕ߦΘΕͨͷ͔ʁ !9 3FTPVSDF0XOFS $MJFOU 4FSWFS *OTUBHSBN࿈ܞΛ ༗ޮԽ͢Δ *OTUBHSBNͷը૾ ͷΞΫηεݖݶΛཁٻ
ΞΫηε͕ڐՄ͞Εͨ͜ͱΛ௨ ̏ ͯͳϒϩάʹΑΔ *OTUBHSBNͷը૾ͷΞΫηεΛ Ϣʔβʔ͕ڐՄ
!10 IUUQTUXJUUFSDPNLVSB@MBCTUBUVT "VUIPSJ[BUJPO$PEF 'MPX *NQMJDJU'MPX
None
OAuth 2.0ͷτʔΫϯͱ༻్ !12 • Access Token - APIΞΫηε • Refresh
Token - Access Tokenߋ৽ • Authorization Code - Access Token / Refresh Tokenऔಘ
͍ΘΏΔOAuthೝূ (OAuth as a Authentication) !13 • OAuth 2.0ͰϓϩϑΟʔϧAPI͔ΒϢʔβʔࣝผࢠ Λऔಘ͠ɺೝূػೳʹར༻
• ౷Ұ͞Ε͍ͯͳ͍ϓϩϑΟʔϧAPI • Native ApplicationͱόοΫΤϯυαʔόʔؒͷΞΫηετʔ ΫϯͷϋϯυϦϯά
OpenID Connect (2014/2~) !14 • ʮʙͰϩάΠϯʯ(ID࿈ܞ)ͷͨΊͷ༷ • OAuth 2.0Λ֦ு •
ID Token - ೝূΠϕϯτͷใΛΓऔΓ • Userinfo Endpoint - ඪ४తͳϓϩϑΟʔϧAPI • Self-Issued OP - ্Ͱಈ࡞͢ΔOpenID Provider
!15
OpenID Connect - ID Token !16 • ೝূΠϕϯτͷใΛ֨ೲ • JSON
Web Signatureܗࣜ • ϢʔβʔɺRPɺೝূཁٻͷใΛ֨ೲ • OP͕࣋ͭൿີ伴Ͱॺ໊ • RPެ։伴ͰݕূՄೳ
OAuth 2.0/OIDCੜޙͷมԽ !17 • Ϣʔεέʔε • Client : Web App
-> Native App(Hybrid) -> Single Page App etc… • Server : monolith -> microservices • ྖҬ • SNS࿈ܞɺιʔγϟϧϩάΠϯ -> ܾࡁɺۚ༥ɺϔϧεέΞ جຊػೳ͚ͩͰཁ͕݅ຬͨͤͳ͍߹
!18
Security Considerations • RFCs • 6819 : OAuth 2.0 Threat
Model and Security Considerations • 8252 : OAuth 2.0 for Native Apps • Draft • OAuth 2.0 Security Best Current Practice • OAuth 2.0 for Browser-Based Apps !19
Financial-grade API (FAPI) • ΦϯϥΠϯͷۚ༥αʔϏεʹ͓͚ΔOAuth 2.0/OIDC ͷ࣮ΨΠυϥΠϯ • Part 1:
Read-Only API Security Profile - ࢀরܥ • Part 2: Read and Write API Security Profile - ߋ৽ܥ • Client Initiated Backchannel Authentication Profile (CIBA) - ClientڥͱೝূσόΠεͷ !20
OAuth/OIDCͱσδλϧॺ໊ • ίΞͳ༷ • ID Tokenͷੜɺݕূ • ͦͷଞɺ֤छϦΫΤετ/ϨεϙϯεͷอޢʹJWSͳͲΛ ར༻͢Δ֦ு͕͋Δ •
Clientೝূ • ೝূ(ೝՄཁٻ) !21
WebAuthn / FIDO Ϣʔβʔೝূͷ͓
ύεϫʔυೝূ !23 • ཁ͕݅ຬͨ͞ΕΔͳΒࢸߴͷೝূํࣜ • هԱετϨʔδͷར༻ʹΑΔՄൖੑ • αʔϏε͝ͱʹҟͳΔɺਪଌࠔͳจࣈྻ • ϑΟογϯάରࡦ
• ࿙Ӯηʔϑͳཧ • ݱঢ় : ཁ݅Λຬͨͤͳ͍Ϣʔβʔ/αʔϏε……
FIDO !24 • ϩʔΧϧೝূΛར༻ • ύεϫʔυΛૹΒͳ͍ • (ੜମೝূʹݶΒͣ)༷ʑͳೝূํࣜͱͷΈ߹Θ͕ͤՄೳ • ެ։伴҉߸ํࣜ
• ొ : ॺ໊ͱެ։伴ใΛૹ৴ • ೝূ : ॺ໊Λૹ৴
WebAuthn !25 • FIDO2 : WebΞϓϦέʔγϣϯ͔ΒFIDO • WebAuthn (Web Authentication
API) • FIDOΛར༻͢ΔαʔϏε͕ݺͼग़͢JavaScript API • CTAP • ηΩϡϦςΟΩʔͱΓͱΓ͢ΔͨΊͷ༷ɺϒϥβ͕࣮
WebAuthn - ొਓ !26 • Relying Party : WebΞϓϦ •
Authenticator : ηΩϡϦςΟΩʔɺσόΠε • Client : Webϒϥβ
WebAuthn - ొϑϩʔ !27 1. ొ༻ύϥϝʔλ࡞ (RPใ,Ϣʔβʔใ, ϩʔΧϧೝূͷ༗ແͳͲ) 3. Authenticator/Platform
ͷػೳΛݺͼग़͢ 2. JS APIͷݺͼग़͠ 4.ϩʔΧϧೝূ 伴ϖΞੜ ॺ໊࡞ 5. ৽͍͠ެ։伴ͱॺ໊ 6. JS API͔ΒͷΓ 7.֤छݕূ ެ։伴ͷอଘ Authenticator (SecurityKey etc…) Client (ϒϥβ) Relying Party
WebAuthn - ೝূϑϩʔ !28 1. ೝূ༻ύϥϝʔλ࡞ (ެ։伴ใ,ϩʔΧϧೝ ূͷ༗ແͳͲ) 3. Authenticator/Platform
ͷػೳΛݺͼग़͢ 2. JS APIͷݺͼग़͠ 4.ϩʔΧϧೝূ ॺ໊࡞ 5. ॺ໊ 6. JS API͔ΒͷΓ 7.֤छݕূ ೝূྃॲཧ Authenticator (SecurityKey etc…) Client (ϒϥβ) Relying Party
FIDOͷϢʔεέʔε !29 • ύεϫʔυϨεͳೝূํࣜͱͯ͠ (ॴ࣋+ϩʔΧϧೝূ) • 2ஈ֊/2ཁૉͷೝূํࣜͱͯ͠ (ॴ࣋) • ॏཁͳॲཧͷલͷຊਓ֬ೝͱͯ͠
̎ஈ֊(ཁૉ)ೝূͱϑΟογϯά !30 ϑΟογϯάϝʔϧɺ ϝοηʔδ ϑΟογϯάαΠτ ʢFYBNQMFJOGPʣ ਖ਼نͷαΠτ FYBNQMFDPN *%ύεϫʔυ
ϫϯλΠϜ ύεϫʔυ औಘͨ͠ *%ύεϫʔυ ϫϯλΠϜ ύεϫʔυ !30
FIDOͷϑΟογϯάੑ !31 ϑΟογϯάϝʔϧɺ ϝοηʔδ ϑΟογϯάαΠτ ʢFYBNQMFJOGPʣ ਖ਼نͷαΠτ FYBNQMFDPN *%ύεϫʔυ
Ξαʔγϣϯ ॺ໊ͳͲ औಘͨ͠ *%ύεϫʔυ Ξαʔγϣϯ !31 PSJHJO୯ҐͰ伴ϖΞΛ ੜ͍ͯ͠ΔͷͰ ϑΟογϯάαΠτʹ ϩάΠϯͰ͖ͳ͍ ϑΟογϯάαΠτ͚ͷ ΞαʔγϣϯΛਖ਼نͷαΠτʹ ૹͬͯݕূࣦഊ͢Δ
WebAuthn/FIDOͱσδλϧॺ໊ !32 • ొ/ೝূϑϩʔͷνϟϨϯδ/Ϩεϙϯεͷݕূ • ެ։伴ใΛ༻͍ͯॺ໊ݕূ • Authenticator ͷਅਖ਼ੑͷݕূ •
ূ໌ॻνΣʔϯͷݕূ