Upgrade to Pro — share decks privately, control downloads, hide ads and more …

コンシューマ向けサービスで使われている 認証認可仕様とデジタル署名 / saloff1-ritou

ritou
June 19, 2019

コンシューマ向けサービスで使われている 認証認可仕様とデジタル署名 / saloff1-ritou

ritou

June 19, 2019
Tweet

More Decks by ritou

Other Decks in Technology

Transcript

  1. ίϯγϡʔϚ޲͚αʔϏεͰ࢖ΘΕ͍ͯΔ
    ೝূೝՄ࢓༷ͱσδλϧॺ໊
    ͍ͱ͏Γΐ͏!SJUPV

    αϧΦϑॺ໊ϒλ໺࿠͸ೝূઌഐͷເΛݟͳ͍

    View Slide

  2. ͍ͱ͏Γΐ͏
    • (ג)ϛΫγΟ ΤϯδχΞ - Identity / Platform
    • OpenID ϑΝ΢ϯσʔγϣϯɾδϟύϯ ΤόϯδΣϦετ(2߸ػ)
    • Blog : ritou.hatenablog.com
    • Twitter : @ritou (ळాͷೣ)
    • ˌidcon, #iddance
    !2

    View Slide

  3. ຊ೔ͷ಺༰
    • ೝূपΓͰ࢖ΘΕ͍ͯΔ/͜Ε͔Β࢖ΘΕͦ͏ͳ࢓༷
    Λ঺հ
    • σδλϧॺ໊ͷ࢖ΘΕͲ͜Ζʢ͞ΘΓ͚ͩʣ
    !3

    View Slide

  4. ೝূೝՄपΓͷΩʔϫʔυ
    • OAuth 2.0 & OpenID Connect
    • WebAuthn / FIDO
    !4

    View Slide

  5. OAuth 2.0
    &
    OpenID Connect

    View Slide

  6. OAuth 2.0
    RFC 6749/6750 (2012/10~)
    • RFC 6749 : τʔΫϯϕʔεͷϦιʔεΞΫηεͷ͘͠Έ
    • ొ৔ਓ෺͸Client, Server, Resource Owner ͷ3ऀ
    • Client͕Resource OwnerͷύεϫʔυͳͲΛѻΘͳ͍(※)
    • RFC 6750 : Bearer TokenͰAPIΞΫηε͢Δํ๏
    • ΞΫηετʔΫϯͷऔಘํ๏
    • ΞΫηετʔΫϯΛ༻͍ͨAPIΞΫηεํ๏
    !6

    View Slide

  7. OAuth 2.0ར༻ྫ
    ͸ͯͳϒϩάͷInstagram࿈ܞ
    !7

    View Slide

  8. OAuth 2.0ར༻ྫ
    ͸ͯͳϒϩάͷInstagram࿈ܞ
    !8

    View Slide

  9. Կ͕ߦΘΕͨͷ͔ʁ
    !9
    3FTPVSDF0XOFS
    $MJFOU
    4FSWFS
    *OTUBHSBN࿈ܞΛ
    ༗ޮԽ͢Δ
    *OTUBHSBNͷը૾
    ΁ͷΞΫηεݖݶΛཁٻ
    ΞΫηε͕ڐՄ͞Εͨ͜ͱΛ௨஌
    ̏ ͸ͯͳϒϩάʹΑΔ
    *OTUBHSBNͷը૾΁ͷΞΫηεΛ
    Ϣʔβʔ͕ڐՄ

    View Slide

  10. !10
    [email protected]
    "VUIPSJ[BUJPO$PEF
    'MPX
    *NQMJDJU'MPX

    View Slide

  11. View Slide

  12. OAuth 2.0ͷτʔΫϯͱ༻్
    !12
    • Access Token - APIΞΫηε
    • Refresh Token - Access Tokenߋ৽
    • Authorization Code - Access Token /
    Refresh Tokenऔಘ

    View Slide

  13. ͍ΘΏΔOAuthೝূ
    (OAuth as a Authentication)
    !13
    • OAuth 2.0ͰϓϩϑΟʔϧAPI͔ΒϢʔβʔࣝผࢠ
    Λऔಘ͠ɺೝূػೳʹར༻
    • ౷Ұ͞Ε͍ͯͳ͍ϓϩϑΟʔϧAPI
    • Native ApplicationͱόοΫΤϯυαʔόʔؒͷΞΫηετʔ
    ΫϯͷϋϯυϦϯά

    View Slide

  14. OpenID Connect (2014/2~)
    !14
    • ʮʙͰϩάΠϯʯ(ID࿈ܞ)ͷͨΊͷ࢓༷
    • OAuth 2.0Λ֦ு
    • ID Token - ೝূΠϕϯτͷ৘ใΛ΍ΓऔΓ
    • Userinfo Endpoint - ඪ४తͳϓϩϑΟʔϧAPI
    • Self-Issued OP - ୺຤্Ͱಈ࡞͢ΔOpenID Provider

    View Slide

  15. !15

    View Slide

  16. OpenID Connect - ID Token
    !16
    • ೝূΠϕϯτͷ৘ใΛ֨ೲ
    • JSON Web Signatureܗࣜ
    • ϢʔβʔɺRPɺೝূཁٻͷ৘ใΛ֨ೲ
    • OP͕࣋ͭൿີ伴Ͱॺ໊
    • RP͸ެ։伴ͰݕূՄೳ

    View Slide

  17. OAuth 2.0/OIDC஀ੜޙͷมԽ
    !17
    • Ϣʔεέʔε
    • Client : Web App -> Native App(Hybrid) -> Single Page
    App etc…
    • Server : monolith -> microservices
    • ྖҬ
    • SNS࿈ܞɺιʔγϟϧϩάΠϯ -> ܾࡁɺۚ༥ɺϔϧεέΞ
    جຊػೳ͚ͩͰ͸ཁ͕݅ຬͨͤͳ͍৔߹΋

    View Slide

  18. !18

    View Slide

  19. Security Considerations
    • RFCs
    • 6819 : OAuth 2.0 Threat Model and Security
    Considerations
    • 8252 : OAuth 2.0 for Native Apps
    • Draft
    • OAuth 2.0 Security Best Current Practice
    • OAuth 2.0 for Browser-Based Apps
    !19

    View Slide

  20. Financial-grade API (FAPI)
    • ΦϯϥΠϯͷۚ༥αʔϏεʹ͓͚ΔOAuth 2.0/OIDC
    ͷ࣮૷ΨΠυϥΠϯ
    • Part 1: Read-Only API Security Profile - ࢀরܥ
    • Part 2: Read and Write API Security Profile - ߋ৽ܥ
    • Client Initiated Backchannel Authentication Profile
    (CIBA) - Client؀ڥͱೝূσόΠεͷ෼཭
    !20

    View Slide

  21. OAuth/OIDCͱσδλϧॺ໊
    • ίΞͳ࢓༷
    • ID Tokenͷੜ੒ɺݕূ
    • ͦͷଞɺ֤छϦΫΤετ/ϨεϙϯεͷอޢʹJWSͳͲΛ
    ར༻͢Δ֦ு͕͋Δ
    • Clientೝূ
    • ೝূ(ೝՄཁٻ)
    !21

    View Slide

  22. WebAuthn / FIDO
    Ϣʔβʔೝূͷ͓࿩

    View Slide

  23. ύεϫʔυೝূ
    !23
    • ཁ͕݅ຬͨ͞ΕΔͳΒ͹ࢸߴͷೝূํࣜ
    • هԱετϨʔδͷར༻ʹΑΔՄൖੑ
    • αʔϏε͝ͱʹҟͳΔɺਪଌࠔ೉ͳจࣈྻ
    • ϑΟογϯάରࡦ
    • ࿙Ӯηʔϑͳ؅ཧ
    • ݱঢ় : ཁ݅Λຬͨͤͳ͍Ϣʔβʔ/αʔϏε……

    View Slide

  24. FIDO
    !24
    • ϩʔΧϧೝূΛར༻
    • ύεϫʔυΛૹΒͳ͍
    • (ੜମೝূʹݶΒͣ)༷ʑͳೝূํࣜͱͷ૊Έ߹Θ͕ͤՄೳ
    • ެ։伴҉߸ํࣜ
    • ొ࿥ : ॺ໊ͱެ։伴৘ใΛૹ৴
    • ೝূ : ॺ໊Λૹ৴

    View Slide

  25. WebAuthn
    !25
    • FIDO2 : WebΞϓϦέʔγϣϯ͔Β΋FIDO
    • WebAuthn (Web Authentication API)
    • FIDOΛར༻͢ΔαʔϏε͕ݺͼग़͢JavaScript API
    • CTAP
    • ηΩϡϦςΟΩʔͱ΍ΓͱΓ͢ΔͨΊͷ࢓༷ɺϒϥ΢β͕࣮૷

    View Slide

  26. WebAuthn - ొ৔ਓ෺
    !26
    • Relying Party : WebΞϓϦ
    • Authenticator : ηΩϡϦςΟΩʔɺσόΠε
    • Client : Webϒϥ΢β

    View Slide

  27. WebAuthn - ొ࿥ϑϩʔ
    !27
    1. ొ࿥༻ύϥϝʔλ࡞੒

    (RP৘ใ,Ϣʔβʔ৘ใ,
    ϩʔΧϧೝূͷ༗ແͳͲ)
    3. Authenticator/Platform
    ͷػೳΛݺͼग़͢
    2. JS APIͷݺͼग़͠
    4.ϩʔΧϧೝূ
    伴ϖΞੜ੒
    ॺ໊࡞੒
    5. ৽͍͠ެ։伴ͱॺ໊ 6. JS API͔Βͷ໭Γ஋
    7.֤छݕূ
    ެ։伴ͷอଘ
    Authenticator
    (SecurityKey etc…)
    Client
    (ϒϥ΢β)
    Relying Party

    View Slide

  28. WebAuthn - ೝূϑϩʔ
    !28
    1. ೝূ༻ύϥϝʔλ࡞੒

    (ެ։伴৘ใ,ϩʔΧϧೝ
    ূͷ༗ແͳͲ)
    3. Authenticator/Platform
    ͷػೳΛݺͼग़͢
    2. JS APIͷݺͼग़͠
    4.ϩʔΧϧೝূ
    ॺ໊࡞੒
    5. ॺ໊ 6. JS API͔Βͷ໭Γ஋
    7.֤छݕূ
    ೝূ׬ྃॲཧ
    Authenticator
    (SecurityKey etc…)
    Client
    (ϒϥ΢β)
    Relying Party

    View Slide

  29. FIDOͷϢʔεέʔε
    !29
    • ύεϫʔυϨεͳೝূํࣜͱͯ͠ (ॴ࣋+ϩʔΧϧೝূ)
    • 2ஈ֊/2ཁૉ໨ͷೝূํࣜͱͯ͠ (ॴ࣋)
    • ॏཁͳॲཧͷલͷຊਓ֬ೝͱͯ͠

    View Slide

  30. ̎ஈ֊(ཁૉ)ೝূͱϑΟογϯά
    !30
    ϑΟογϯάϝʔϧɺ
    ϝοηʔδ
    ϑΟογϯάαΠτ
    ʢFYBNQMFJOGPʣ
    ਖ਼نͷαΠτ
    FYBNQMFDPN

    *%ύεϫʔυ

    ϫϯλΠϜ
    ύεϫʔυ
    औಘͨ͠
    *%ύεϫʔυ

    ϫϯλΠϜ
    ύεϫʔυ
    !30

    View Slide

  31. FIDOͷϑΟογϯά଱ੑ
    !31
    ϑΟογϯάϝʔϧɺ
    ϝοηʔδ
    ϑΟογϯάαΠτ
    ʢFYBNQMFJOGPʣ
    ਖ਼نͷαΠτ
    FYBNQMFDPN

    *%ύεϫʔυ

    Ξαʔγϣϯ ॺ໊ͳͲ

    औಘͨ͠
    *%ύεϫʔυ

    Ξαʔγϣϯ
    !31
    PSJHJO୯ҐͰ伴ϖΞΛ
    ੜ੒͍ͯ͠ΔͷͰ
    ϑΟογϯάαΠτʹ
    ϩάΠϯͰ͖ͳ͍ ϑΟογϯάαΠτ޲͚ͷ
    ΞαʔγϣϯΛਖ਼نͷαΠτʹ
    ૹͬͯ΋ݕূࣦഊ͢Δ

    View Slide

  32. WebAuthn/FIDOͱσδλϧॺ໊
    !32
    • ొ࿥/ೝূϑϩʔͷνϟϨϯδ/Ϩεϙϯεͷݕূ
    • ެ։伴৘ใΛ༻͍ͯॺ໊ݕূ
    • Authenticator ͷਅਖ਼ੑͷݕূ
    • ূ໌ॻνΣʔϯͷݕূ

    View Slide