
An explanation of how FedCM currently works and its compatibility with OIDC - OpenID TechNight vol.19

ritou
June 21, 2022


Slides presented at the event below.
https://openid.connpass.com/event/249281/



Transcript

  1. An explanation of how FedCM currently works and its compatibility with OIDC. OpenID TechNight vol.19. ritou, 2022/6/21.

  2. • https://ritou.hatenablog.com • Introduction to FedCM, part 1: the problems of identity federation and FedCM's approach • Introduction to FedCM, part 2: how the current FedCM implementation works • Introduction to FedCM, part 3: the differences from OIDC (still a draft)
  3. • FedCM's ID federation flow • Differences from OIDC • Approaches to resolving the differences

  4. • IdP: Identity Provider. A service that provides user information to other services • RP: Relying Party. A service that implements an authentication feature using the IdP's user information • User: a user of the IdP and of the RP • Browser: a browser that supports FedCM
  5. ID federation overview. 1. The user is assumed to be already logged in to the IdP 2. When the user tries to use "Log in with the IdP" on the RP, the RP calls the FedCM API 3. The browser requests the logged-in account information (a list) from the IdP and shows a prompt for ID federation on the RP's domain 4. The browser requests from the IdP an authentication token (an OIDC ID Token) tied to the account the user selected/approved, and hands what it obtains to the RP. The RP uses it for its authentication feature.
  6. (Diagram: the actors and the ID federation overview.)

  7. (Repeat of the ID federation overview on slide 5.)
  8. (Diagram: the prompt shown by the browser.)

  9. (Diagram: ID federation sequence.)

  10. (Diagram: ID federation request from the RP.)

  11. ID federation request from the RP • Determining whether FedCM is available • ID federation request

  12. (Diagram: requesting the IdP metadata.)

  13. Requesting the IdP metadata • Top level domain manifest • IdP manifest file
  14. (Diagram: requesting the client metadata.)

  15. Requesting the client metadata • Client metadata Endpoint

  16. (Diagram: requesting the list of logged-in accounts.)

  17. Requesting the list of logged-in accounts • Client metadata Endpoint

  18. (Diagram: requesting the user's ID token.)

  19. Requesting the user's ID token • Accounts list endpoint

  20. (Diagram: using the ID token.)

  21. Using the ID token • ID Token Endpoint

  22. You can try it on Chrome Canary for PC/Android. • IdP: https://ex-fedcm-idp.herokuapp.com/ • RP: https://ex-fedcm-rp.herokuapp.com/
  23. • FedCM's ID federation flow • Differences from OIDC • Approaches to resolving the differences

  24. FedCM • What the current FedCM can do is "exchange an ID Token over the front channel"

  25. OIDC Flows • Authorization Code Flow • Front channel: Authorization Code (+ ID Token) • Back channel: ID Token / AT / RT • Implicit Flow <- FedCM is close to this • Front channel: ID Token (+ α) • Hybrid Flow (omitted)
  26. (Diagram: OIDC Implicit Flow.)

  27. FedCM vs OIDC • IdP metadata: can be covered by the OpenID Provider Configuration • Client information request: undefined • Account list request: undefined • ID Token request -> close to the Implicit Flow • The AuthN Response is handed to the browser • Undefined/omitted parameters
  28. OIDC RP • Use case: it can only be used as a shortcut for a social-login feature (without resource access) • Those who want resource access to be supported as well cannot use it • Values contained in the ID Token • Depend on the IdP
  29. OIDC IdP • Use cases: the same as for the RP • Implementation: proprietary extensions are needed to support FedCM • Extend the Authorization Endpoint? • Endpoints not defined in OIDC • Values contained in the ID Token • Currently they have to be decided by something other than request parameters
  30. • FedCM's ID federation flow • Differences from OIDC • Approaches to resolving the differences

  31. Approaches to resolving the differences. To resolve the differences between FedCM and OIDC: 1. Bring FedCM closer to OIDC 2. Extend OIDC for FedCM. Even if we try to align with the Implicit Flow under 1, there are requests/responses that OIDC does not define, so both 1 and 2 seem to be needed. Isn't SAML hard to extend?
  32. Bringing FedCM closer to OIDC • id_token_endpoint = Authorization Endpoint • Authentication Request • "response_type=id_token" • "prompt=none" • Decide using "login_hint" + Cookie • Support the "scope" and "claims" parameters
  33. OIDC Extension for FedCM • FedCM-specific requests • Client Metadata Request • Account List Request • Request the ID Token in JSON format • response_mode: body # request the Authentication Response in the body • redirect_uri: "urn…" # e.g. a value reserved for fedcm
  34. Summary • Explained the requests/responses the current FedCM performs • Explained how FedCM and OIDC differ as protocols • FedCM sits in a shortcut-like position roughly equivalent to the OIDC Implicit Flow • Since supporting it seems to come at an extra cost for the IdP, we will keep an eye on the approaches to resolving the differences
  35. (Closing slide.)