Presentation materials for the event below: https://openid.connpass.com/event/249281/
FedCM Introduction Part 3: Differences from OIDC
• https://ritou.hatenablog.com
• FedCM Introduction Part 1: the challenges of ID federation and FedCM's approach
• FedCM Introduction Part 2: explaining the current FedCM implementation
• FedCM Introduction Part 3: explaining the differences from OIDC (still a draft)
Agenda
• FedCM's ID federation flow
• Differences from OIDC
• Approaches to resolving the differences
Terms
• IdP : Identity Provider. A service that provides user information to other services
• RP : Relying Party. A service that implements an authentication function using the IdP's user information
• User : the user of the IdP and of the RP
• Browser : a browser that supports FedCM
ID federation flow
1. Precondition: the user is logged in to the IdP
2. When the user tries to use "Log in with IdP" on the RP, the RP calls the FedCM API
3. The browser requests the logged-in account information (list) from the IdP and displays the prompt for ID federation on the RP's domain
4. The browser requests from the IdP an authentication token (an OIDC ID Token) bound to the account the user selected/approved and passes what it obtains to the RP. The RP uses it for its authentication function.
RP side
• Determining whether FedCM is available
• Requesting ID federation
IdP metadata
• Top level domain manifest
• IdP manifest file
Client metadata
• Client metadata Endpoint
Accounts list
• Accounts list endpoint
ID Token
• ID Token Endpoint
Demo
It can be tried in Chrome Canary on PC/Android.
• IdP : https://ex-fedcm-idp.herokuapp.com/
• RP : https://ex-fedcm-rp.herokuapp.com/
Agenda
• FedCM's ID federation flow
• Differences from OIDC
• Approaches to resolving the differences
FedCM
• What the current FedCM can do: "exchanging an ID Token over the front channel"
OIDC Flows
• Authorization Code Flow
  • Front channel : Authorization Code (+ ID Token)
  • Back channel : ID Token / AT / RT
• Implicit Flow <- FedCM is close to this
  • Front channel : ID Token (+ α)
• Hybrid Flow (omitted)
(slide: OIDC Implicit Flow diagram)
FedCM vs OIDC
• IdP metadata : can be absorbed into the OpenID Provider Configuration
• Client information request : undefined
• Account list request : undefined
• ID Token request -> close to the Implicit Flow
  • The AuthN Response is returned to the browser
  • Undefined/omitted parameters
OIDC RP
• Use case : can only be used as a shortcut for a social login function (no resource access)
  • Anyone who also wants resource access supported cannot use it
• What is included in the ID Token
  • Depends on the IdP
OIDC IdP
• Use case : same as for the RP
• Implementation : proprietary extensions are needed to support FedCM
  • Extending the Authorization Endpoint?
  • Endpoints that OIDC does not define
• What is included in the ID Token
  • Currently this has to be decided by something other than request parameters
Agenda
• FedCM's ID federation flow
• Differences from OIDC
• Approaches to resolving the differences
Approaches
To resolve the differences between FedCM and OIDC:
1. Bring FedCM closer to OIDC
2. Extend OIDC for FedCM
Even if approach 1 brings FedCM closer to the Implicit Flow, there are requests/responses that OIDC does not define, so both 1 and 2 look necessary. Wouldn't a SAML extension be hard?
Bringing FedCM closer to OIDC
• id_token_endpoint = Authorization Endpoint
• Authentication Request
  • "response_type=id_token"
  • "prompt=none"
  • "login_hint" + Cookie to determine the account
  • Support the "scope" and "claims" parameters
OIDC Extension for FedCM
• FedCM-specific requests
  • Client Metadata Request
  • Account List Request
• Request the ID Token in JSON format
  • response_mode: body # request the Authentication Response in the response body
  • redirect_uri: "urn…" # something like a value reserved for fedcm
Summary
• Explained the requests/responses that the current FedCM performs
• Explained the differences between FedCM and OIDC as protocols
• FedCM sits in a shortcut-like position equivalent to the OIDC Implicit Flow
• My impression is that the IdP's additional support carries a cost, so as for approaches to resolving the differences, going forward…