Upgrade to Pro — share decks privately, control downloads, hide ads and more …

コンシューマ向けサービスで使われている 認証認可仕様とデジタル署名 / saloff1-ritou

658c29959d8a9fd352afa440a5813137?s=47 ritou
June 19, 2019
Technology
1
930

コンシューマ向けサービスで使われている 認証認可仕様とデジタル署名 / saloff1-ritou

658c29959d8a9fd352afa440a5813137?s=128

ritou

June 19, 2019
Tweet

More Decks by ritou

See All by ritou
GNAP超入門 ~ IW2021 C15
658c29959d8a9fd352afa440a5813137?s=48 ritou
1
1.9k
OAuth 2.0仕様紹介 JAR, PAR, RAR @ iddance Lesson3
658c29959d8a9fd352afa440a5813137?s=48 ritou
1
630
ID連携の標準化仕様紹介とセキュアな実装のためのアプローチ 2021 / Identity Federation Protocols 2021
658c29959d8a9fd352afa440a5813137?s=48 ritou
3
5.8k
JWT Boot Camp 2020
658c29959d8a9fd352afa440a5813137?s=48 ritou
1
5.6k
iddance2_ritou.pdf
658c29959d8a9fd352afa440a5813137?s=48 ritou
1
3.4k
webauthn_study_ritou.pdf
658c29959d8a9fd352afa440a5813137?s=48 ritou
3
810
WebAuthn/FIDOのUX徹底解説 ~実サービスへの導入イメージを添えて~ / builderscon tokyo 2019 ritou
658c29959d8a9fd352afa440a5813137?s=48 ritou
11
5.4k
Identity Dance School Lesson.1 / iddance_1_ritou
658c29959d8a9fd352afa440a5813137?s=48 ritou
1
280
WebAuthn @ DroidKaigi 2019
658c29959d8a9fd352afa440a5813137?s=48 ritou
5
3.4k

Other Decks in Technology

See All in Technology
220521_SFN_品質文化試論と『LEADING QUALITY』/220521_SFN_Essay_of_Quality_Culture_and_LEADING_QUALITY
C8cde92274f0ca1ff9b046673d4f2d29?s=48 mkwrd
0
120
信頼性の階層の一段目を積み上げる/Monitoring Dashboard
0b238801605070def81a98cfe8061aee?s=48 shonansurvivors
0
140
toilを解消した話
632368cb0b90fa711cec36a082a7e24e?s=48 asumaywy
0
170
Devに力を授けたいSREのあゆみ / SRE that wants to empower developers
E12b5afe5b4e6552019c09d6ac4128c3?s=48 tocyuki
3
470
AWS Control TowerとAWS Organizationsを活用した組織におけるセキュリティ設定
F2ccc400e285972d80feab0e4e57b5f7?s=48 fu3ak1
2
630
実験!カオスエンジニアリング / How to Chaos Engineering
140494d272a4d89883a94fdfdb29dea2?s=48 oracle4engineer
PRO
0
140
20220510_簡単にできるコスト異常検出(Cost Anomaly Detection) /jaws-ug-asa-cost-anomaly-detection-20220510
97b3cca999b52cb5296675ac0a5c12cd?s=48 emiki
2
320
Team building programs for Engineering Team at Torana, Inc
218473ff7abad0fcd72865da2b23bb5b?s=48 memory1994
PRO
0
110
How We Foster Reliability in Diversity
Ed424b1e857828ce69b0fdf4c3291d2e?s=48 nari_ex
PRO
9
2.5k
我々はなぜテストをするのか?
A64ac825509279a770c13c6fc517f11a?s=48 kawaguti
PRO
0
250
Building smarter apps with machine learning, from magic to reality
7e6a435700dda6cdb22105d601f20892?s=48 picardparis
4
3.1k
2022年度ロボットフロンティア第1回
114d1b33c50cdc86c4c641682190407f?s=48 ryuichiueda
0
140

Featured

See All Featured
Atom: Resistance is Futile
7fa6101cd43067653cf4ac6c7ca54305?s=48 akmur
255
20k
Building an army of robots
5f2da528927a2ec9ba4fec2069cbc958?s=48 kneath
299
40k
Visualizing Your Data: Incorporating Mongo into Loggly Infrastructure
D8fc2580cfaca035f666d9e4ee79a7f7?s=48 mongodb
29
4.3k
Six Lessons from altMBA
766b9746b59e6f09e280cd33cf4ed419?s=48 skipperchong
14
1.3k
Put a Button on it: Removing Barriers to Going Fast.
Bfd6b681ec6e8c9bef82ff0521c364f7?s=48 kastner
56
2.3k
Docker and Python
Ecdea9b9714877b86cee08458f085481?s=48 trallard
27
1.5k
Web Components: a chance to create the future
E190023b66e2b8aa73a842b106920c93?s=48 zenorocha
303
40k
Easily Structure & Communicate Ideas using Wireframe
0c6fd6a08d0f898159cda7cafcacf07f?s=48 afnizarnur
181
15k
jQuery: Nuts, Bolts and Bling
9cde37f47e4a800ea081ea42de8d749a?s=48 dougneiner
56
6.4k
StorybookのUI Testing Handbookを読んだ
50fc0fdc2327ecbe7350645812de52e3?s=48 zakiyama
4
2k
Why You Should Never Use an ORM
88bc30284c6a424b63a92aad27d0ba36?s=48 jnunemaker
PRO
47
5.5k
Design and Strategy: How to Deal with People Who Don’t "Get" Design
95d9f37115fbb0d13135d0f77132f856?s=48 morganepeng
103
16k

Transcript

  1. ίϯγϡʔϚ޲͚αʔϏεͰ࢖ΘΕ͍ͯΔ ೝূೝՄ࢓༷ͱσδλϧॺ໊ ͍ͱ͏Γΐ͏!SJUPV  αϧΦϑॺ໊ϒλ໺࿠͸ೝূઌഐͷເΛݟͳ͍

  2. ͍ͱ͏Γΐ͏ • (ג)ϛΫγΟ ΤϯδχΞ - Identity / Platform • OpenID

    ϑΝ΢ϯσʔγϣϯɾδϟύϯ ΤόϯδΣϦετ(2߸ػ) • Blog : ritou.hatenablog.com • Twitter : @ritou (ळాͷೣ) • ˌidcon, #iddance !2

  3. ຊ೔ͷ಺༰ • ೝূपΓͰ࢖ΘΕ͍ͯΔ/͜Ε͔Β࢖ΘΕͦ͏ͳ࢓༷ Λ঺հ • σδλϧॺ໊ͷ࢖ΘΕͲ͜Ζʢ͞ΘΓ͚ͩʣ !3

  4. ೝূೝՄपΓͷΩʔϫʔυ • OAuth 2.0 & OpenID Connect • WebAuthn /

    FIDO !4

  5. OAuth 2.0 & OpenID Connect

  6. OAuth 2.0 RFC 6749/6750 (2012/10~) • RFC 6749 : τʔΫϯϕʔεͷϦιʔεΞΫηεͷ͘͠Έ

    • ొ৔ਓ෺͸Client, Server, Resource Owner ͷ3ऀ • Client͕Resource OwnerͷύεϫʔυͳͲΛѻΘͳ͍(※) • RFC 6750 : Bearer TokenͰAPIΞΫηε͢Δํ๏ • ΞΫηετʔΫϯͷऔಘํ๏ • ΞΫηετʔΫϯΛ༻͍ͨAPIΞΫηεํ๏ !6

  7. OAuth 2.0ར༻ྫ ͸ͯͳϒϩάͷInstagram࿈ܞ !7

  8. OAuth 2.0ར༻ྫ ͸ͯͳϒϩάͷInstagram࿈ܞ !8

  9. Կ͕ߦΘΕͨͷ͔ʁ !9 3FTPVSDF0XOFS $MJFOU 4FSWFS  *OTUBHSBN࿈ܞΛ ༗ޮԽ͢Δ *OTUBHSBNͷը૾ ΁ͷΞΫηεݖݶΛཁٻ

    ΞΫηε͕ڐՄ͞Εͨ͜ͱΛ௨஌ ̏ ͸ͯͳϒϩάʹΑΔ *OTUBHSBNͷը૾΁ͷΞΫηεΛ Ϣʔβʔ͕ڐՄ

  10. !10 IUUQTUXJUUFSDPNLVSB@MBCTUBUVT "VUIPSJ[BUJPO$PEF 'MPX *NQMJDJU'MPX

  11. None

  12. OAuth 2.0ͷτʔΫϯͱ༻్ !12 • Access Token - APIΞΫηε • Refresh

    Token - Access Tokenߋ৽ • Authorization Code - Access Token / Refresh Tokenऔಘ

  13. ͍ΘΏΔOAuthೝূ (OAuth as a Authentication) !13 • OAuth 2.0ͰϓϩϑΟʔϧAPI͔ΒϢʔβʔࣝผࢠ Λऔಘ͠ɺೝূػೳʹར༻

    • ౷Ұ͞Ε͍ͯͳ͍ϓϩϑΟʔϧAPI • Native ApplicationͱόοΫΤϯυαʔόʔؒͷΞΫηετʔ ΫϯͷϋϯυϦϯά

  14. OpenID Connect (2014/2~) !14 • ʮʙͰϩάΠϯʯ(ID࿈ܞ)ͷͨΊͷ࢓༷ • OAuth 2.0Λ֦ு •

    ID Token - ೝূΠϕϯτͷ৘ใΛ΍ΓऔΓ • Userinfo Endpoint - ඪ४తͳϓϩϑΟʔϧAPI • Self-Issued OP - ୺຤্Ͱಈ࡞͢ΔOpenID Provider

  15. !15

  16. OpenID Connect - ID Token !16 • ೝূΠϕϯτͷ৘ใΛ֨ೲ • JSON

    Web Signatureܗࣜ • ϢʔβʔɺRPɺೝূཁٻͷ৘ใΛ֨ೲ • OP͕࣋ͭൿີ伴Ͱॺ໊ • RP͸ެ։伴ͰݕূՄೳ

  17. OAuth 2.0/OIDC஀ੜޙͷมԽ !17 • Ϣʔεέʔε • Client : Web App

    -> Native App(Hybrid) -> Single Page App etc… • Server : monolith -> microservices • ྖҬ • SNS࿈ܞɺιʔγϟϧϩάΠϯ -> ܾࡁɺۚ༥ɺϔϧεέΞ جຊػೳ͚ͩͰ͸ཁ͕݅ຬͨͤͳ͍৔߹΋

  18. !18

  19. Security Considerations • RFCs • 6819 : OAuth 2.0 Threat

    Model and Security Considerations • 8252 : OAuth 2.0 for Native Apps • Draft • OAuth 2.0 Security Best Current Practice • OAuth 2.0 for Browser-Based Apps !19

  20. Financial-grade API (FAPI) • ΦϯϥΠϯͷۚ༥αʔϏεʹ͓͚ΔOAuth 2.0/OIDC ͷ࣮૷ΨΠυϥΠϯ • Part 1:

    Read-Only API Security Profile - ࢀরܥ • Part 2: Read and Write API Security Profile - ߋ৽ܥ • Client Initiated Backchannel Authentication Profile (CIBA) - Client؀ڥͱೝূσόΠεͷ෼཭ !20

  21. OAuth/OIDCͱσδλϧॺ໊ • ίΞͳ࢓༷ • ID Tokenͷੜ੒ɺݕূ • ͦͷଞɺ֤छϦΫΤετ/ϨεϙϯεͷอޢʹJWSͳͲΛ ར༻͢Δ֦ு͕͋Δ •

    Clientೝূ • ೝূ(ೝՄཁٻ) !21

  22. WebAuthn / FIDO Ϣʔβʔೝূͷ͓࿩

  23. ύεϫʔυೝূ !23 • ཁ͕݅ຬͨ͞ΕΔͳΒ͹ࢸߴͷೝূํࣜ • هԱετϨʔδͷར༻ʹΑΔՄൖੑ • αʔϏε͝ͱʹҟͳΔɺਪଌࠔ೉ͳจࣈྻ • ϑΟογϯάରࡦ

    • ࿙Ӯηʔϑͳ؅ཧ • ݱঢ় : ཁ݅Λຬͨͤͳ͍Ϣʔβʔ/αʔϏε……

  24. FIDO !24 • ϩʔΧϧೝূΛར༻ • ύεϫʔυΛૹΒͳ͍ • (ੜମೝূʹݶΒͣ)༷ʑͳೝূํࣜͱͷ૊Έ߹Θ͕ͤՄೳ • ެ։伴҉߸ํࣜ

    • ొ࿥ : ॺ໊ͱެ։伴৘ใΛૹ৴ • ೝূ : ॺ໊Λૹ৴

  25. WebAuthn !25 • FIDO2 : WebΞϓϦέʔγϣϯ͔Β΋FIDO • WebAuthn (Web Authentication

    API) • FIDOΛར༻͢ΔαʔϏε͕ݺͼग़͢JavaScript API • CTAP • ηΩϡϦςΟΩʔͱ΍ΓͱΓ͢ΔͨΊͷ࢓༷ɺϒϥ΢β͕࣮૷

  26. WebAuthn - ొ৔ਓ෺ !26 • Relying Party : WebΞϓϦ •

    Authenticator : ηΩϡϦςΟΩʔɺσόΠε • Client : Webϒϥ΢β

  27. WebAuthn - ొ࿥ϑϩʔ !27 1. ొ࿥༻ύϥϝʔλ࡞੒
 (RP৘ใ,Ϣʔβʔ৘ใ, ϩʔΧϧೝূͷ༗ແͳͲ) 3. Authenticator/Platform

    ͷػೳΛݺͼग़͢ 2. JS APIͷݺͼग़͠ 4.ϩʔΧϧೝূ 伴ϖΞੜ੒ ॺ໊࡞੒ 5. ৽͍͠ެ։伴ͱॺ໊ 6. JS API͔Βͷ໭Γ஋ 7.֤छݕূ ެ։伴ͷอଘ Authenticator (SecurityKey etc…) Client (ϒϥ΢β) Relying Party

  28. WebAuthn - ೝূϑϩʔ !28 1. ೝূ༻ύϥϝʔλ࡞੒
 (ެ։伴৘ใ,ϩʔΧϧೝ ূͷ༗ແͳͲ) 3. Authenticator/Platform

    ͷػೳΛݺͼग़͢ 2. JS APIͷݺͼग़͠ 4.ϩʔΧϧೝূ ॺ໊࡞੒ 5. ॺ໊ 6. JS API͔Βͷ໭Γ஋ 7.֤छݕূ ೝূ׬ྃॲཧ Authenticator (SecurityKey etc…) Client (ϒϥ΢β) Relying Party

  29. FIDOͷϢʔεέʔε !29 • ύεϫʔυϨεͳೝূํࣜͱͯ͠ (ॴ࣋+ϩʔΧϧೝূ) • 2ஈ֊/2ཁૉ໨ͷೝূํࣜͱͯ͠ (ॴ࣋) • ॏཁͳॲཧͷલͷຊਓ֬ೝͱͯ͠

  30. ̎ஈ֊(ཁૉ)ೝূͱϑΟογϯά !30 ϑΟογϯάϝʔϧɺ ϝοηʔδ ϑΟογϯάαΠτ ʢFYBNQMFJOGPʣ ਖ਼نͷαΠτ FYBNQMFDPN *%ύεϫʔυ 

    ϫϯλΠϜ ύεϫʔυ औಘͨ͠ *%ύεϫʔυ  ϫϯλΠϜ ύεϫʔυ !30

  31. FIDOͷϑΟογϯά଱ੑ !31 ϑΟογϯάϝʔϧɺ ϝοηʔδ ϑΟογϯάαΠτ ʢFYBNQMFJOGPʣ ਖ਼نͷαΠτ FYBNQMFDPN *%ύεϫʔυ 

    Ξαʔγϣϯ ॺ໊ͳͲ औಘͨ͠ *%ύεϫʔυ  Ξαʔγϣϯ !31 PSJHJO୯ҐͰ伴ϖΞΛ ੜ੒͍ͯ͠ΔͷͰ ϑΟογϯάαΠτʹ ϩάΠϯͰ͖ͳ͍ ϑΟογϯάαΠτ޲͚ͷ ΞαʔγϣϯΛਖ਼نͷαΠτʹ ૹͬͯ΋ݕূࣦഊ͢Δ

  32. WebAuthn/FIDOͱσδλϧॺ໊ !32 • ొ࿥/ೝূϑϩʔͷνϟϨϯδ/Ϩεϙϯεͷݕূ • ެ։伴৘ใΛ༻͍ͯॺ໊ݕূ • Authenticator ͷਅਖ਼ੑͷݕূ •

    ূ໌ॻνΣʔϯͷݕূ