現状のFedCMの動作解説と OIDCとの親和性について- OpenID TechNight vol.19

Transcript

1. !"#$%&'(#)*+,- /01'-#2345678 /9%:01.;%<=>?@=A.BCDEFG.H$%&'(.I J?ACK.LMLLNONLF.

2. • https://ritou.hatenablog.com • FedCMೖ໳ ͦͷ1 ~ ID࿈ܞͷ՝୊ͱFedCMͷΞϓϩʔν • FedCMೖ໳ ͦͷ2

   ~ ݱঢ়ͷFedCM࣮૷ղઆ • FedCMೖ໳ ͦͷ3 ~ OIDCͱͷࠩ෼ղઆ (·ͩԼॻ͖) $%&'(5678#PQ  2

3. • FedCMͷID࿈ܞϑϩʔ • OIDCͱͷࠩ෼ • ࠩ෼ղফͷͨΊͷΞϓϩʔν RSTU  3

4. • IdP : Identity Provider. ଞαʔϏεʹରͯ͠Ϣʔβʔ৘ใΛ ఏڙ͢Δ αʔϏε • RP

   : Relying Party. IdPͷϢʔβʔ৘ใΛ༻͍ͯೝূػೳΛ࣮ ݱ͢Δ αʔϏε • Ϣʔβʔ : IdP/RPͦΕͧΕΛར༻͢ΔϢʔβʔ • ϒϥ΢β : FedCMʹରԠͨ͠ϒϥ΢β VWXY  4

5. 1. Ϣʔβʔ͸IdPʹϩάΠϯ͍ͯ͠Δલఏ 2. Ϣʔβʔ͕RPͰ "IdPͰϩάΠϯ" Λར༻͠Α͏ͱͯ͠ɺRP͸ FedCMͷAPIΛݺͼग़͢ 3. ϒϥ΢β͸IdPʹରͯ͠ϩάΠϯதͷΞΧ΢ϯτ৘ใ(Ϧετ)Λཁ ٻ͠ɺID࿈ܞͷͨΊͷϓϩϯϓτΛRPυϝΠϯ্Ͱදࣔ͢Δ

   4. ϒϥ΢β͸Ϣʔβʔ͕બ୒/ڐՄͨ͠ΞΧ΢ϯτ৘ใʹඥͮ͘ೝূ ༻τʔΫϯ(OIDCͷIDToken)ΛIdPʹཁٻ͠ɺऔಘͨ͠΋ͷΛRPʹ ౉͢ɻRP͸ͦΕΛೝূػೳʹར༻͢Δɻ 01Z[\]  5

6. VWXY-01Z[\]  6

7. 1. Ϣʔβʔ͸IdPʹϩάΠϯ͍ͯ͠Δલఏ 2. Ϣʔβʔ͕RPͰ "IdPͰϩάΠϯ" Λར༻͠Α͏ͱͯ͠ɺRP͸ FedCMͷAPIΛݺͼग़͢ 3. ϒϥ΢β͸IdPʹରͯ͠ϩάΠϯதͷΞΧ΢ϯτ৘ใ(Ϧετ)Λཁ ٻ͠ɺID࿈ܞͷͨΊͷϓϩϯϓτΛRPυϝΠϯ্Ͱදࣔ͢Δ

   4. ϒϥ΢β͸Ϣʔβʔ͕બ୒/ڐՄͨ͠ΞΧ΢ϯτ৘ใʹඥͮ͘ೝূ ༻τʔΫϯ(OIDCͷIDToken)ΛIdPʹཁٻ͠ɺऔಘͨ͠΋ͷΛRPʹ ౉͢ɻRP͸ͦΕΛೝূػೳʹར༻͢Δɻ 01Z[\]  7

8. ^_`abcdefghigj  8

9. 01Z[#klmin  9

10. opqr#01Z[]s  10

11. opqr#01Z[]s  11 • FedCM͕༗ޮ͔Ͳ͏͔ͷ൑ఆ • ID࿈ܞཁٻ

12. 0&p.t%Au&uAuv]s  12

13. 0&p.t%Au&uAuv]s  13 • Top level domain manifest • IdP

    manifest f ile

14. 'D?%:A.t%Au&uAu.v]s  14

15. 'D?%:A.t%Au&uAu.v]s  15 • Client metadata Endpoint

16. hwxiy#z{`ij|njv]s  16

17. hwxiy#z{`ij|njv]s  17 • Client metadata Endpoint

18. }~•lal#01;C€%:v]s  18

19. }~•lal#01;C€%:v]s  19 • Accounts list endpoint

20. 01;C€%:v•78‚ƒNV„…†  20

21. 01;C€%:v•78‚ƒNV„…†  21 • ID Token Endpoint

22. PC/Android ͷ Chrome Canary Ͱಈ࡞֬ೝͰ͖·͢ɻ • IdP : https://ex-fedcm-idp.herokuapp.com/ •

    RP : https://ex-fedcm-rp.herokuapp.com/ ‡ˆ‰Š  22

23. • FedCMͷID࿈ܞϑϩʔ • OIDCͱͷࠩ෼ • ࠩ෼ղফͷͨΊͷΞϓϩʔν RSTU  23

24. • ݱঢ়ͷFedCMͰͰ͖Δ͜ͱ͸ʮϑϩϯτνϟϯωϧͰͷ IDTokenͷ΍ΓͱΓʯ $%&'(  24

25. • Authorization Code Flow • ϑϩϯτνϟϯωϧ : Authorization Code (+

    ID Token) • όοΫνϟϯωϧ : ID Token / AT / RT • Implicit Flow <- ͜Εʹ͍ۙ • ϑϩϯτνϟϯωϧ : ID Token (+ α) • Hybrid Flow (ུ) /01'.$DC‹Œ  25

26. /01'.0t9D?<?A.$DC‹  26

27. • IdP metadata : OpenID Provider Con f iguration ͰٵऩՄೳ

    • Client৘ใཁٻ : ະఆٛ • ΞΧ΢ϯτϦετཁٻ : ະఆٛ • ID Tokenཁٻ -> Implicit Flowʹ͍ۙ • ϒϥ΢βʹAuthN Response͕౉͞ΕΔ • ະఆٛ/লུ͞Εͨύϥϝʔλ $%&'(.BŒ./01'  27

28. • ༻్ : ιʔγϟϧϩάΠϯػೳ(ϦιʔεΞΫηεͳ͠)ͷ γϣʔτΧοτͱͯ͠ͷΈར༻Ͱ͖Δ • ϦιʔεΞΫηε·Ͱαϙʔτͯ͠΄͍͠ਓ͸࢖͑ͳ͍ • ID Token

    ʹؚ·ΕΔ஋ • IdPʹґଘ /01'.op  28

29. • ༻్ʹ͍ͭͯ͸RPͱಉ༷ • ࣮૷ : FedCMରԠͷͨΊͷಠ֦ࣗு͕ඞཁ • Authorization Endpointͷ֦ுʁ •

    OIDCະఆٛͷΤϯυϙΠϯτ • ID Token ʹؚ·ΕΔ஋ • ݱঢ়Ͱ͸ύϥϝʔλҎ֎ͰܾΊΔඞཁ͕͋Δ /01'.0&p  29

30. • FedCMͷID࿈ܞϑϩʔ • OIDCͱͷࠩ෼ • ࠩ෼ղফͷͨΊͷΞϓϩʔν RSTU  30

31. FedCM - OIDC ؒͷࠩ෼ղফͷͨΊʹ 1. FedCM ͕ OIDC ʹدͤΔ 2.

    FedCM ͷͨΊʹOIDCΛ֦ு͢Δ 1 Ͱ Implicit Flow ʹدͤΑ͏ͱͯ͠΋OIDCະఆٛͷϦΫΤε τ/Ϩεϙϯε΋͋ΔͷͰ 1, 2 ͷ྆ํ͕ඞཁͦ͏ɻ SAML͸֦ுେมͳΜ͡Όͳ͍ͷʁ •Ž+•#•‘#zghl’  31

32. • id_token_endpoint = Authorization Endpoint • Authentication Request • “response_type=id_token”

    • “prompt=none” • “login_hint” + Cookie Ͱ൑ఆ • “scope”, “claims” ύϥϝʔλΛαϙʔτ $%&'(b/01'5“”f  32

33. • FedCMಠࣗͷϦΫΤετ • Client Metadata Request • Account List Request

    • JSONܗࣜͰID TokenΛཁٻ • response_mode: body # body Ͱ Authentication Response Λཁٻ • redirect_uri: “urn…” # fedcm ༻ͷ஋ͱ͔ /01'.•–A%:Œ?C:.—CJ.$%&'(  33

34. • ݱঢ়ͷFedCMͰߦΘΕ͍ͯΔϦΫΤετ/ϨεϙϯεΛઆ໌ ͨ͠ • FedCM ͱ OIDC ͷϓϩτίϧͱͯ͠ͷҧ͍Λઆ໌ͨ͠ • OIDC

    Implicit Flow ૬౰ͷγϣʔτΧοτతͳཱͪҐஔʹ ͳ͍ͬͯΔ • IdPͷ௥ՃରԠͷίετ͕͋Δҹ৅ͳͷͰɺࠩ෼ղফͷΞϓ ϩʔνʹࠓޙ͸஫໨ ˜-‘  34

35. ™š›  35