Authentication and authorization specifications used in consumer services, and digital signatures
Ryo Ito (@ritou)
Ryo Ito
• Engineer at mixi, Inc. - Identity / Platform
• OpenID Foundation Japan evangelist (no. 2)
• Blog : ritou.hatenablog.com
• Twitter : @ritou
• #idcon, #iddance
Today's topics
• An introduction to the specifications used around authentication today, and the ones likely to be used next
• Where digital signatures come in (just the basics)
Keywords around authentication and authorization
• OAuth 2.0 & OpenID Connect
• WebAuthn / FIDO
OAuth 2.0 & OpenID Connect
OAuth 2.0: RFC 6749 / RFC 6750 (October 2012 onward)
• RFC 6749 : a token-based mechanism for accessing resources
  • Three roles: Client, Server, Resource Owner
  • The Client never handles the Resource Owner's password or similar credentials (※)
• RFC 6750 : how to access an API with a Bearer Token
• How the access token is obtained
• How the API is accessed using the access token
OAuth 2.0 usage example: Hatena Blog's Instagram integration
What happened?
Sequence diagram (participants: Resource Owner, Client = Hatena Blog, Server = Instagram). Steps shown: the user enables the Instagram integration; Hatena Blog requests permission to access the user's Instagram images; the user grants Hatena Blog access to the Instagram images; Instagram reports that access has been granted.
OAuth 2.0 flows (figure): Authorization Code Flow, Implicit Flow
OAuth 2.0 tokens and what they are used for
• Access Token - API access
• Refresh Token - renewing the Access Token
• Authorization Code - obtaining an Access Token / Refresh Token
So-called "OAuth authentication" (OAuth as authentication)
• Fetch a user identifier from a profile API via OAuth 2.0 and use it for the login function
• Profile APIs are not standardized across providers
• Handling of the access token between a native application and the backend server
OpenID Connect (February 2014 onward)
• The specification for "Log in with ..." (identity federation)
• Extends OAuth 2.0
• ID Token - carries the information about the authentication event
• Userinfo Endpoint - a standardized profile API
• Self-Issued OP - an OpenID Provider that runs on the user's own device
OpenID Connect - ID Token
• Holds the information about the authentication event
• JSON Web Signature (JWS) format
• Contains information about the user, the RP and the authentication request
• Signed with the OP's private key
• The RP can verify it with the OP's public key
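The checks an RP has to make on an ID Token, as an added example (not code from the talk). An ID Token is a compact JWS, header.payload.signature in base64url; the example verifies the signature and then the claims (iss, aud/azp, exp, iat, nonce, sub). To stay within the standard library it uses HS256 keyed with the client secret, which OpenID Connect Core allows; with an OP that signs with RS256/ES256 only the algorithm check and key lookup change, the claim checks stay the same. The issuer, client id, secret and claim values are constructed for the demo.

```python
"""
Added example, not the talk's code: RP-side validation of an OIDC ID Token (JWS).
HS256 with the client secret is used so the block runs without dependencies;
a real OP usually signs with RS256/ES256 and the RP fetches the key from the
OP's JWKS. All identifiers below are constructed values.
"""
import base64
import hashlib
import hmac
import json
import time


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def validate_id_token(token, client_secret, issuer, client_id, nonce, now=None, skew=60):
    """Returns the verified claims, or raises ValueError naming the failed check."""
    try:
        h_b64, p_b64, s_b64 = token.split(".")
    except ValueError:
        raise ValueError("not a compact JWS")
    header = json.loads(b64url_decode(h_b64))
    # Pin the algorithm: the header is attacker-controlled until the signature is checked,
    # so never let it select "none" or switch the key type.
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(client_secret.encode(), f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s_b64)):
        raise ValueError("signature mismatch")
    claims = json.loads(b64url_decode(p_b64))
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if client_id not in aud:
        raise ValueError("token not issued for this client")
    if len(aud) > 1 and claims.get("azp") != client_id:
        raise ValueError("multiple audiences but azp is not this client")
    if claims.get("exp", 0) <= now - skew:
        raise ValueError("token expired")
    if claims.get("iat", 0) > now + skew:
        raise ValueError("token issued in the future")
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch (replayed token?)")
    if "sub" not in claims:
        raise ValueError("no subject")
    return claims


def mint_id_token(client_secret, claims):
    """Constructed OP behaviour, only here to build a fixture for demo()."""
    h = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    p = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(client_secret.encode(), f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url_encode(sig)}"


def demo():
    secret, now = "constructed-client-secret", 1_600_000_000
    claims = {"iss": "https://op.example", "sub": "user-123", "aud": "client-abc",
              "iat": now, "exp": now + 600, "nonce": "n-0123"}
    token = mint_id_token(secret, claims)
    ok = validate_id_token(token, secret, "https://op.example", "client-abc", "n-0123", now=now)
    # The same token presented to a different client must be rejected (audience check).
    try:
        validate_id_token(token, secret, "https://op.example", "client-xyz", "n-0123", now=now)
        wrong_aud = None
    except ValueError as e:
        wrong_aud = str(e)
    # Payload altered after signing: the signature no longer matches.
    h, p, s = token.split(".")
    tampered = f"{h}.{b64url_encode(json.dumps(dict(claims, sub='admin')).encode())}.{s}"
    try:
        validate_id_token(tampered, secret, "https://op.example", "client-abc", "n-0123", now=now)
        tamper = None
    except ValueError as e:
        tamper = str(e)
    return ok["sub"], wrong_aud, tamper


if __name__ == "__main__":
    print(demo())
```

The order matters: the signature is checked before any claim is read, and the algorithm is pinned by the RP rather than taken from the token, which is the usual way JWS validation goes wrong.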
What changed after OAuth 2.0 / OIDC were born
• Use cases
  • Client : Web App -> Native App (Hybrid) -> Single Page App etc…
  • Server : monolith -> microservices
• Domains
  • SNS integration, social login -> payments, finance, healthcare
• Cases where the basic features alone cannot meet the requirements
Security Considerations
• RFCs
  • 6819 : OAuth 2.0 Threat Model and Security Considerations
  • 8252 : OAuth 2.0 for Native Apps
• Drafts
  • OAuth 2.0 Security Best Current Practice
  • OAuth 2.0 for Browser-Based Apps
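As an added example (not from the talk), the client side of the authorization code flow with the two measures the documents listed above call for: a per-session state value that binds the redirect back to the browser session that started it, and PKCE (RFC 7636, which RFC 8252 and the Security BCP require for public clients) so an authorization code captured in transit cannot be exchanged without the code_verifier. This goes slightly beyond the slide, which only names the documents. The endpoints, client_id and authorization code are constructed placeholders, and the HTTP POST to the token endpoint is left out; the example builds and validates what goes into it.

```python
"""
Added example, not the talk's code: OAuth 2.0 authorization code flow, client side,
with state (CSRF binding) and PKCE S256 (RFC 7636). All endpoint URLs, the
client_id and the authorization code are constructed placeholders.
"""
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHZ_ENDPOINT = "https://server.example/authorize"   # placeholder
CLIENT_ID = "constructed-client-id"                   # placeholder
REDIRECT_URI = "https://client.example/callback"      # placeholder


def challenge_for(verifier: str) -> str:
    """PKCE S256: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def query_params(url: str) -> dict:
    """First value of every query parameter of a URL."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def begin_authorization(session: dict, scope: str = "read") -> str:
    """Stores state and code_verifier in the user's session; returns the redirect URL."""
    session["state"] = secrets.token_urlsafe(32)
    session["code_verifier"] = secrets.token_urlsafe(64)  # 86 chars, within RFC 7636's 43..128
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": session["state"],
        "code_challenge": challenge_for(session["code_verifier"]),
        "code_challenge_method": "S256",
    }
    return f"{AUTHZ_ENDPOINT}?{urlencode(params)}"


def handle_callback(session: dict, callback_url: str) -> dict:
    """Validates the redirect back from the authorization server and returns the form
    body to POST to the token endpoint. Raises ValueError for anything that must not
    be redeemed."""
    q = query_params(callback_url)
    expected_state = session.pop("state", None)  # one-shot: never accept the same state twice
    if expected_state is None or not hmac.compare_digest(
        q.get("state", "").encode(), expected_state.encode()
    ):
        raise ValueError("state mismatch: callback is not bound to this session (CSRF)")
    if "error" in q:
        raise ValueError(f"authorization server returned error {q['error']!r}")
    if "code" not in q:
        raise ValueError("no authorization code in callback")
    return {
        "grant_type": "authorization_code",
        "code": q["code"],
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "code_verifier": session.pop("code_verifier"),  # proves this client started the flow
    }


def demo():
    session = {}
    url = begin_authorization(session)
    state = query_params(url)["state"]
    # Genuine callback: carries the state this session issued (the code is a constructed value)
    body = handle_callback(dict(session), f"{REDIRECT_URI}?code=code-constructed-1&state={state}")
    # Forged callback: an attacker-chosen code with a state this session never issued
    try:
        handle_callback(dict(session), f"{REDIRECT_URI}?code=attacker-code&state=forged")
        forged = None
    except ValueError as e:
        forged = str(e)
    return body, forged


if __name__ == "__main__":
    print(demo())
```

Both values live only in the server-side session: the state is consumed on first use, and the code_verifier never appears in the authorization request, only its SHA-256 challenge does, so an observer of the front channel learns nothing that lets them redeem the code.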
Financial-grade API (FAPI)
• Implementation guidelines for OAuth 2.0 / OIDC in online financial services
• Part 1: Read-Only API Security Profile - read operations
• Part 2: Read and Write API Security Profile - write operations
• Client Initiated Backchannel Authentication Profile (CIBA) - the client environment and the authentication device are separate
OAuth / OIDC and digital signatures
• In the core specifications
  • Generating and verifying the ID Token
• Beyond that, extensions use JWS and similar to protect the various requests and responses
  • Client authentication
  • Authenticating the authorization request
WebAuthn / FIDO: user authentication
Password authentication
• The best authentication method, provided its requirements are met
  • Portable, because it is stored in human memory
  • A hard-to-guess string that differs for every service
  • Phishing countermeasures
  • Management that stays safe when data leaks
• Reality : users and services that cannot meet these requirements……
FIDO
• Uses local authentication
  • No password is sent
  • Can be combined with various authentication methods (not only biometrics)
• Public-key cryptography
  • Registration : send a signature and the public key information
  • Authentication : send a signature
WebAuthn
• FIDO2 : FIDO from web applications
• WebAuthn (Web Authentication API)
  • The JavaScript API called by services that use FIDO
• CTAP
  • The specification for talking to security keys; implemented by browsers
WebAuthn - participants
• Relying Party : the web application
• Authenticator : a security key or the device itself
• Client : the web browser
WebAuthn - registration flow
Participants: Relying Party, Client (browser), Authenticator (security key etc…)
1. Create the registration parameters (RP info, user info, whether local authentication is required, etc.)
2. Call the JS API
3. Invoke the authenticator/platform functionality
4. Local authentication, key pair generation, signature creation
5. New public key and signature
6. Return from the JS API
7. Various verifications, store the public key
WebAuthn - authentication flow
Participants: Relying Party, Client (browser), Authenticator (security key etc…)
1. Create the authentication parameters (public key info, whether local authentication is required, etc.)
2. Call the JS API
3. Invoke the authenticator/platform functionality
4. Local authentication, signature creation
5. Signature
6. Return from the JS API
7. Various verifications, complete the authentication
FIDO use cases
• As a passwordless authentication method (possession + local authentication)
• As a two-step / two-factor authentication method (possession)
• As identity confirmation before an important operation
Two-step (two-factor) authentication and phishing
Figure: phishing e-mail or message -> phishing site (example.info) -> legitimate site (example.com). The user enters ID, password and one-time password on the phishing site; the phishing site forwards the obtained ID, password and one-time password to the legitimate site.
FIDO's phishing resistance
Figure: phishing e-mail or message -> phishing site (example.info) -> legitimate site (example.com). The user enters ID, password and an assertion (signature etc.) on the phishing site; the phishing site forwards the obtained ID, password and assertion.
• Because the key pair is generated per origin, the user cannot log in on the phishing site
• An assertion made for the phishing site fails verification when sent to the legitimate site
WebAuthn / FIDO and digital signatures
• Verifying the challenge/response in the registration and authentication flows
  • Signature verification using the stored public key information
• Verifying the authenticity of the Authenticator
  • Certificate chain verification