
How FedCM currently works and its affinity with OIDC - OpenID TechNight vol.19

ritou
June 21, 2022


Slides presented at the event below.
https://openid.connpass.com/event/249281/


Transcript

  1. How FedCM currently works and its affinity with OIDC
     OpenID TechNight vol.19 (FedCM)
     ritou 2022/6/21

  2. Posts about FedCM
     • https://ritou.hatenablog.com
     • Introduction to FedCM, part 1: the problems of identity federation and FedCM's approach
     • Introduction to FedCM, part 2: explaining the current FedCM implementation
     • Introduction to FedCM, part 3: explaining the differences from OIDC (still a draft)

  3. Agenda
     • FedCM's identity federation flow
     • Differences from OIDC
     • Approaches to closing the gap

  4. Who is involved
     • IdP : Identity Provider. A service that provides user information to other services
     • RP : Relying Party. A service that implements an authentication feature using the IdP's user information
     • User : a user of the IdP and of the RP
     • Browser : a browser that supports FedCM

  5. Overview of the identity federation flow
     1. It is assumed that the user is already logged in at the IdP.
     2. When the user tries to use "Log in with IdP" at the RP, the RP calls the FedCM API.
     3. The browser asks the IdP for the information (list) of the accounts currently logged in, and shows the prompt for the identity federation on the RP's domain.
     4. The browser asks the IdP for an authentication token (the OIDC ID Token) bound to the account the user selected/allowed, and hands what it obtained to the RP. The RP uses it for its authentication feature.

  6. Who is involved and the identity federation flow overview (diagram)

  7. Overview of the identity federation flow (steps 1 to 4 as on slide 5)
     1. It is assumed that the user is already logged in at the IdP.
     2. When the user tries to use "Log in with IdP" at the RP, the RP calls the FedCM API.
     3. The browser asks the IdP for the information (list) of the accounts currently logged in, and shows the prompt for the identity federation on the RP's domain.
     4. The browser asks the IdP for an authentication token (the OIDC ID Token) bound to the account the user selected/allowed, and hands what it obtained to the RP. The RP uses it for its authentication feature.

  8. The prompt shown by the browser (screenshot)

  9. Sequence of the identity federation (diagram)

  10. Identity federation request from the RP (diagram)

  11. Identity federation request from the RP
      • Determining whether FedCM is available
      • Identity federation request

  12. Requesting the IdP metadata (diagram)

  13. Requesting the IdP metadata
      • Top level domain manifest
      • IdP manifest file

  14. Requesting the Client metadata (diagram)

  15. Requesting the Client metadata
      • Client metadata Endpoint

  16. Requesting the list of logged-in accounts (diagram)

  17. Requesting the list of logged-in accounts
      • Client metadata Endpoint

  18. Requesting the user's ID Token (diagram)

  19. Requesting the user's ID Token
      • Accounts list endpoint

  20. Authentication / registration using the ID Token (diagram)

  21. Authentication / registration using the ID Token
      • ID Token Endpoint

  22. Demo
      You can check the behaviour with Chrome Canary on PC/Android.
      • IdP : https://ex-fedcm-idp.herokuapp.com/
      • RP : https://ex-fedcm-rp.herokuapp.com/

  23. Agenda
      • FedCM's identity federation flow
      • Differences from OIDC
      • Approaches to closing the gap

  24. FedCM
      • What today's FedCM can do is "exchange the ID Token over the front channel"

  25. OIDC Flows
      • Authorization Code Flow
        • Front channel : Authorization Code (+ ID Token)
        • Back channel : ID Token / AT / RT
      • Implicit Flow <- closest to this
        • Front channel : ID Token (+ α)
      • Hybrid Flow (omitted)

  26. OIDC Implicit Flow (diagram)

  27. FedCM vs OIDC
      • IdP metadata : can be covered by the OpenID Provider Configuration
      • Client information request : undefined
      • Account list request : undefined
      • ID Token request -> close to the Implicit Flow
        • The AuthN Response is handed to the browser
        • Undefined / omitted parameters

  28. OIDC RP
      • Use : can only be used as a shortcut for a social login feature (no resource access)
        • Anyone who also wants resource access supported cannot use it
      • Values contained in the ID Token
        • Depend on the IdP

  29. OIDC IdP
      • Use : same as for the RP
      • Implementation : needs its own extensions to support FedCM
        • Extend the Authorization Endpoint?
        • Endpoints that OIDC does not define
      • Values contained in the ID Token
        • Currently these have to be decided by something other than request parameters

  30. Agenda
      • FedCM's identity federation flow
      • Differences from OIDC
      • Approaches to closing the gap

  31. Approaches to closing the gap
      To close the gap between FedCM and OIDC:
      1. Bring FedCM closer to OIDC
      2. Extend OIDC for FedCM
      Even if option 1 aligns it with the Implicit Flow, there are still requests/responses that OIDC does not define, so both 1 and 2 look necessary.
      Wouldn't extending SAML be a lot of work?

  32. Bringing FedCM closer to OIDC
      • id_token_endpoint = Authorization Endpoint
      • Authentication Request
        • "response_type=id_token"
        • "prompt=none"
        • Decide using "login_hint" + Cookie
        • Support the "scope" and "claims" parameters

  33. OIDC Extension for FedCM
      • Requests specific to FedCM
        • Client Metadata Request
        • Account List Request
      • Request the ID Token in JSON form
        • response_mode: body # request the Authentication Response in the body
        • redirect_uri: "urn…" # e.g. a value reserved for fedcm
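As an added example (not code from the slides, nor from ritou's demo IdP), here is one way an IdP could realise the mapping proposed on slides 32 and 33 in Python: a FedCM ID-token request is rewritten as the OIDC Authentication Request (response_type=id_token, prompt=none, login_hint, response_mode=body), the Authorization Endpoint decides from login_hint plus the session Cookie and answers with an OIDC error instead of a token when they disagree, and the RP verifies what arrived in the body. The request field names account_id/client_id/nonce, the session and client stores, the issuer, and the HS256 demo key are assumptions.

```python
import base64, hashlib, hmac, json, time

# Constructed demo state (shapes assumed, not from the slides): the account ids
# logged in under each IdP session cookie, and the registered RP client ids.
SESSIONS = {"sess-abc": {"acct-1", "acct-2"}}
CLIENTS = {"rp-client-id"}
ISSUER = "https://idp.example"   # placeholder issuer
DEMO_KEY = b"demo-only-hmac-key"  # constructed; a real IdP signs with an asymmetric JWK

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def fedcm_to_oidc(fedcm_req: dict) -> dict:
    """Rewrite a FedCM ID-token request (field names account_id/client_id/nonce
    are assumed) as the OIDC Authentication Request the slides propose."""
    return {"response_type": "id_token", "prompt": "none",
            "client_id": fedcm_req["client_id"],
            "login_hint": fedcm_req["account_id"],    # the account the user picked
            "nonce": fedcm_req["nonce"], "scope": "openid",
            "response_mode": "body",                  # answer in the body, no redirect
            "redirect_uri": "urn:PLACEHOLDER:fedcm"}  # stand-in for the slides' "urn..."

def authorize(oidc_req: dict, cookie: str, now: int = 0) -> dict:
    """Authorization Endpoint for prompt=none: no user interaction is allowed,
    so the decision comes from login_hint plus the session Cookie only."""
    if oidc_req.get("client_id") not in CLIENTS:
        return {"error": "unauthorized_client"}
    if oidc_req.get("login_hint") not in SESSIONS.get(cookie, set()):
        # The picked account is not logged in under this cookie: with prompt=none
        # the only correct reply is an OIDC error, never a token for that account.
        return {"error": "login_required"}
    now = now or int(time.time())
    claims = {"iss": ISSUER, "sub": oidc_req["login_hint"], "aud": oidc_req["client_id"],
              "nonce": oidc_req["nonce"], "iat": now, "exp": now + 300}
    head = b64url(b'{"alg":"HS256","typ":"JWT"}')
    body = b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(DEMO_KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return {"id_token": f"{head}.{body}.{b64url(sig)}"}

def verify_id_token(token: str, client_id: str, nonce: str, now: int = 0) -> dict:
    """RP-side check of the token that arrived in the body: signature, aud, nonce, exp."""
    head, body, sig = token.split(".")
    expect = hmac.new(DEMO_KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(b64url(expect), sig):
        raise ValueError("bad signature")
    claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    now = now or int(time.time())
    if claims["aud"] != client_id or claims["nonce"] != nonce or claims["exp"] <= now:
        raise ValueError("aud/nonce/exp check failed")
    return claims
```

Because the response is delivered in the body rather than in a redirect fragment, the RP's nonce check is what ties the token to the request that the browser made on its behalf.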

  34. Summary
      • Explained the requests/responses that the current FedCM performs
      • Explained how FedCM and OIDC differ as protocols
        • FedCM sits in the position of a shortcut roughly equivalent to the OIDC Implicit Flow
      • Since supporting it looks like it adds cost for IdPs, the approaches for closing the gap are worth watching from here on

  35. (closing slide)