Upgrade to Pro — share decks privately, control downloads, hide ads and more …

現状のFedCMの動作解説と OIDCとの親和性について- OpenID TechNight vol.19

ritou
June 21, 2022
Technology
2
680

現状のFedCMの動作解説と OIDCとの親和性について- OpenID TechNight vol.19

下記イベントの発表資料です。
https://openid.connpass.com/event/249281/

ritou

June 21, 2022
Tweet

More Decks by ritou

See All by ritou
パスキーはユーザー認証を どう変えるのか?その特徴と導入における課題 @ devsumi 2023 9-C-1
ritou
6
7k
Android/Chromeで体験できる 認証のための標準化仕様の 現在と未来 @ DroidKaigi 2022
ritou
2
3.1k
C向けサービスで 使われている認証方式と安全な使い方
ritou
13
2.6k
GNAP超入門 ~ IW2021 C15
ritou
2
4.4k
OAuth 2.0仕様紹介 JAR, PAR, RAR @ iddance Lesson3
ritou
1
1.2k
ID連携の標準化仕様紹介とセキュアな実装のためのアプローチ 2021 / Identity Federation Protocols 2021
ritou
3
7.9k
JWT Boot Camp 2020
ritou
1
6.3k
iddance2_ritou.pdf
ritou
1
3.9k
webauthn_study_ritou.pdf
ritou
3
910

Other Decks in Technology

See All in Technology
Predictive back transition Animation on Android 14
line_developers
PRO
1
550
Microsoft Startup Tech Meetup #0 : Kikuchi
hikiroku
1
130
Autonomous Database - Dedicated 技術詳細 / adb-d_technical_detail_jp
oracle4engineer
PRO
1
2.7k
プロデュ―サーさん、今日も安全運転でよろしくね☆~OBD2を用いた速度・回転数検知ツールの開発~
hato3isfriend
0
160
組織の立ち上げと体制変更の1年
tarappo
2
940
Spring Boot 2 から 3 へバージョンアップしてみた
red_frasco
1
190
Princess APIのAPIクライアントをTypeScriptで作ってnpmで公開してみた
ohmori_yusuke
1
550
Evolving ML Platform with OSS Upstream Community
y_iwai
0
260
バクラクのAI-OCR機能の体験を支える良質なデータセット作成の仕組み / data-centric-ai-bakuraku-dataset
yuya4
1
550
What to talk about when you have nothing to talk about
moyheen
0
110
無理なく始めるGoでのユニットテストの並行化戦略
shohata
1
600
GitHub最新情報キャッチアップ 2023年6月
dzeyelid
1
210

Featured

See All Featured
WebSockets: Embracing the real-time Web
robhawkes
58
6.2k
The Success of Rails: Ensuring Growth for the Next 100 Years
eileencodes
25
5.3k
In The Pink: A Labor of Love
frogandcode
133
21k
Building Applications with DynamoDB
mza
86
5.1k
Art Directing for the Web. Five minutes with CSS Template Areas
malarkey
197
11k
Building Adaptive Systems
keathley
29
1.5k
Robots, Beer and Maslow
schacon
154
7.5k
Optimising Largest Contentful Paint
csswizardry
2
790
Teambox: Starting and Learning
jrom
124
8k
Support Driven Design
roundedbygravity
88
9k
What the flash - Photography Introduction
edds
64
10k
Done Done
chrislema
178
15k

Transcript

  1. !"#$%&'(#)*+,-


    /01'-#2345678
    /9%:01.;%<=>[email protected]=A.BCDEFG.H$%&'(.I
    J?ACK.LMLLNONLF.

    View Slide

  2. • https://ritou.hatenablog.com


    • FedCMೖ໳ ͦͷ1 ~ ID࿈ܞͷ՝୊ͱFedCMͷΞϓϩʔν


    • FedCMೖ໳ ͦͷ2 ~ ݱঢ়ͷFedCM࣮૷ղઆ


    • FedCMೖ໳ ͦͷ3 ~ OIDCͱͷࠩ෼ղઆ (·ͩԼॻ͖)
    $%&'(5678#PQ

    2

    View Slide

  3. • FedCMͷID࿈ܞϑϩʔ


    • OIDCͱͷࠩ෼


    • ࠩ෼ղফͷͨΊͷΞϓϩʔν
    RSTU

    3

    View Slide

  4. • IdP : Identity Provider. ଞαʔϏεʹରͯ͠Ϣʔβʔ৘ใΛ
    ఏڙ͢Δ αʔϏε


    • RP : Relying Party. IdPͷϢʔβʔ৘ใΛ༻͍ͯೝূػೳΛ࣮
    ݱ͢Δ αʔϏε


    • Ϣʔβʔ : IdP/RPͦΕͧΕΛར༻͢ΔϢʔβʔ


    • ϒϥ΢β : FedCMʹରԠͨ͠ϒϥ΢β
    VWXY

    4

    View Slide

  5. 1. Ϣʔβʔ͸IdPʹϩάΠϯ͍ͯ͠Δલఏ


    2. Ϣʔβʔ͕RPͰ "IdPͰϩάΠϯ" Λར༻͠Α͏ͱͯ͠ɺRP͸
    FedCMͷAPIΛݺͼग़͢


    3. ϒϥ΢β͸IdPʹରͯ͠ϩάΠϯதͷΞΧ΢ϯτ৘ใ(Ϧετ)Λཁ
    ٻ͠ɺID࿈ܞͷͨΊͷϓϩϯϓτΛRPυϝΠϯ্Ͱදࣔ͢Δ


    4. ϒϥ΢β͸Ϣʔβʔ͕બ୒/ڐՄͨ͠ΞΧ΢ϯτ৘ใʹඥͮ͘ೝূ
    ༻τʔΫϯ(OIDCͷIDToken)ΛIdPʹཁٻ͠ɺऔಘͨ͠΋ͷΛRPʹ
    ౉͢ɻRP͸ͦΕΛೝূػೳʹར༻͢Δɻ
    01Z[\]

    5

    View Slide

  6. VWXY-01Z[\]

    6

    View Slide

  7. 1. Ϣʔβʔ͸IdPʹϩάΠϯ͍ͯ͠Δલఏ


    2. Ϣʔβʔ͕RPͰ "IdPͰϩάΠϯ" Λར༻͠Α͏ͱͯ͠ɺRP͸
    FedCMͷAPIΛݺͼग़͢


    3. ϒϥ΢β͸IdPʹରͯ͠ϩάΠϯதͷΞΧ΢ϯτ৘ใ(Ϧετ)Λཁ
    ٻ͠ɺID࿈ܞͷͨΊͷϓϩϯϓτΛRPυϝΠϯ্Ͱදࣔ͢Δ


    4. ϒϥ΢β͸Ϣʔβʔ͕બ୒/ڐՄͨ͠ΞΧ΢ϯτ৘ใʹඥͮ͘ೝূ
    ༻τʔΫϯ(OIDCͷIDToken)ΛIdPʹཁٻ͠ɺऔಘͨ͠΋ͷΛRPʹ
    ౉͢ɻRP͸ͦΕΛೝূػೳʹར༻͢Δɻ
    01Z[\]

    7

    View Slide

  8. ^_`abcdefghigj

    8

    View Slide

  9. 01Z[#klmin

    9

    View Slide

  10. opqr#01Z[]s

    10

    View Slide

  11. opqr#01Z[]s

    11
    • FedCM͕༗ޮ͔Ͳ͏͔ͷ൑ఆ


    • ID࿈ܞཁٻ

    View Slide

  12. 0&p.t%Au&uAuv]s

    12

    View Slide

  13. 0&p.t%Au&uAuv]s

    13
    • Top level domain manifest


    • IdP manifest
    f
    ile

    View Slide

  14. 'D?%:A.t%Au&uAu.v]s

    14

    View Slide

  15. 'D?%:A.t%Au&uAu.v]s

    15
    • Client metadata Endpoint

    View Slide

  16. hwxiy#z{`ij|njv]s

    16

    View Slide

  17. hwxiy#z{`ij|njv]s

    17
    • Client metadata Endpoint

    View Slide

  18. }~•lal#01;C€%:v]s

    18

    View Slide

  19. }~•lal#01;C€%:v]s

    19
    • Accounts list endpoint

    View Slide

  20. 01;C€%:v•78‚ƒNV„…†

    20

    View Slide

  21. 01;C€%:v•78‚ƒNV„…†

    21
    • ID Token Endpoint

    View Slide

  22. PC/Android ͷ Chrome Canary Ͱಈ࡞֬ೝͰ͖·͢ɻ


    • IdP : https://ex-fedcm-idp.herokuapp.com/


    • RP : https://ex-fedcm-rp.herokuapp.com/
    ‡ˆ‰Š

    22

    View Slide

  23. • FedCMͷID࿈ܞϑϩʔ


    • OIDCͱͷࠩ෼


    • ࠩ෼ղফͷͨΊͷΞϓϩʔν
    RSTU

    23

    View Slide

  24. • ݱঢ়ͷFedCMͰͰ͖Δ͜ͱ͸ʮϑϩϯτνϟϯωϧͰͷ
    IDTokenͷ΍ΓͱΓʯ
    $%&'(

    24

    View Slide

  25. • Authorization Code Flow


    • ϑϩϯτνϟϯωϧ : Authorization Code (+ ID Token)


    • όοΫνϟϯωϧ : ID Token / AT / RT


    • Implicit Flow <- ͜Εʹ͍ۙ


    • ϑϩϯτνϟϯωϧ : ID Token (+ α)


    • Hybrid Flow (ུ)
    /01'.$DC‹Œ

    25

    View Slide

  26. /01'.0t9D?
    26

    View Slide

  27. • IdP metadata : OpenID Provider Con
    f
    iguration ͰٵऩՄೳ


    • Client৘ใཁٻ : ະఆٛ


    • ΞΧ΢ϯτϦετཁٻ : ະఆٛ


    • ID Tokenཁٻ -> Implicit Flowʹ͍ۙ


    • ϒϥ΢βʹAuthN Response͕౉͞ΕΔ


    • ະఆٛ/লུ͞Εͨύϥϝʔλ
    $%&'(.BŒ./01'

    27

    View Slide

  28. • ༻్ : ιʔγϟϧϩάΠϯػೳ(ϦιʔεΞΫηεͳ͠)ͷ
    γϣʔτΧοτͱͯ͠ͷΈར༻Ͱ͖Δ


    • ϦιʔεΞΫηε·Ͱαϙʔτͯ͠΄͍͠ਓ͸࢖͑ͳ͍


    • ID Token ʹؚ·ΕΔ஋


    • IdPʹґଘ
    /01'.op

    28

    View Slide

  29. • ༻్ʹ͍ͭͯ͸RPͱಉ༷


    • ࣮૷ : FedCMରԠͷͨΊͷಠ֦ࣗு͕ඞཁ


    • Authorization Endpointͷ֦ுʁ


    • OIDCະఆٛͷΤϯυϙΠϯτ


    • ID Token ʹؚ·ΕΔ஋


    • ݱঢ়Ͱ͸ύϥϝʔλҎ֎ͰܾΊΔඞཁ͕͋Δ
    /01'.0&p

    29

    View Slide

  30. • FedCMͷID࿈ܞϑϩʔ


    • OIDCͱͷࠩ෼


    • ࠩ෼ղফͷͨΊͷΞϓϩʔν
    RSTU

    30

    View Slide

  31. FedCM - OIDC ؒͷࠩ෼ղফͷͨΊʹ


    1. FedCM ͕ OIDC ʹدͤΔ


    2. FedCM ͷͨΊʹOIDCΛ֦ு͢Δ


    1 Ͱ Implicit Flow ʹدͤΑ͏ͱͯ͠΋OIDCະఆٛͷϦΫΤε
    τ/Ϩεϙϯε΋͋ΔͷͰ 1, 2 ͷ྆ํ͕ඞཁͦ͏ɻ


    SAML͸֦ுେมͳΜ͡Όͳ͍ͷʁ
    •Ž+•#•‘#zghl’

    31

    View Slide

  32. • id_token_endpoint = Authorization Endpoint


    • Authentication Request


    • “response_type=id_token”


    • “prompt=none”


    • “login_hint” + Cookie Ͱ൑ఆ


    • “scope”, “claims” ύϥϝʔλΛαϙʔτ
    $%&'(b/01'5“”f

    32

    View Slide

  33. • FedCMಠࣗͷϦΫΤετ


    • Client Metadata Request


    • Account List Request


    • JSONܗࣜͰID TokenΛཁٻ


    • response_mode: body # body Ͱ Authentication Response
    Λཁٻ


    • redirect_uri: “urn…” # fedcm ༻ͷ஋ͱ͔
    /01'.•–A%:Œ?C:.—CJ.$%&'(

    33

    View Slide

  34. • ݱঢ়ͷFedCMͰߦΘΕ͍ͯΔϦΫΤετ/ϨεϙϯεΛઆ໌
    ͨ͠


    • FedCM ͱ OIDC ͷϓϩτίϧͱͯ͠ͷҧ͍Λઆ໌ͨ͠


    • OIDC Implicit Flow ૬౰ͷγϣʔτΧοτతͳཱͪҐஔʹ
    ͳ͍ͬͯΔ


    • IdPͷ௥ՃରԠͷίετ͕͋Δҹ৅ͳͷͰɺࠩ෼ղফͷΞϓ
    ϩʔνʹࠓޙ͸஫໨
    ˜-‘

    34

    View Slide

  35. ™š›

    35

    View Slide