Considerations and practical practices for serverless user authentication and authorization / slsdays-tokyo-2024

Serverless Operations

September 21, 2024

Transcript

  1. ID provider selection. Architecture: Browser (web client) → CloudFront / S3 (SPA) → API Gateway / Lambda / DynamoDB (Web API).

    Candidates: Amazon Cognito, Auth0, Microsoft Entra ID (formerly Azure AD), Google; also Keycloak, Authlete, Akamai EAA IDP, and so on.
  2. Example of ID provider integration. Browser (web client) → CloudFront / S3 (SPA at https://web.example.com) → API Gateway / Lambda / DynamoDB (Web API at https://api.example.com).

    ID provider: Amazon Cognito acting as the Authorization Server (authorization server) at https://cognito-idp.ap-northeast-1.amazonaws.com.
  3. ID provider integration flow (OIDC Authorization Code flow), first half. Participants: Browser (web client), CloudFront / S3 (SPA), ID provider (Amazon Cognito).

    The user authenticates at the ID provider (ID/password etc.) → 200 OK with Location: /callback?code=…&state=… → the browser issues GET /callback?code=…&state=… → the SPA sends POST /token with the code to the Authorization Server (ID provider, Amazon Cognito) → 200 OK with AccessToken, RefreshToken and IDToken. ※ The ID provider very often also provides the application's authorization-server function.
  4. ID provider integration flow (OIDC Authorization Code flow), second half. Browser (web client) → POST /token with the code → Authorization Server (Amazon Cognito) → 200 OK { "accessToken": "…", "refreshToken": "…", "idToken": "…" }.

    Browser → GET /users/me with Authorization: Bearer {AccessToken} → Resource Server (Web API on API Gateway / Lambda / DynamoDB) → 200 OK { "userId": "…" }.
  5. Pain points when using Cognito, shown on the same diagram as slide 4: Browser (web client) → POST /token with the code → Authorization Server (Amazon Cognito) → 200 OK { "accessToken": "…", "refreshToken": "…", "idToken": "…" }.

    Browser → GET /users/me with Authorization: Bearer {AccessToken} → Resource Server (Web API on API Gateway / Lambda / DynamoDB) → 200 OK { "userId": "…" }.
  6. The change from the traditional session mechanism. Traditional: Browser ↔ Web Server with a browser session; the server answers Set-Cookie: session={session}; httponly; and the browser sends back Cookie: session={session}.

    Token based: Browser → Authorization Server: POST /token code={code} → 200 OK { "accessToken": "…", "refreshToken": "…", "idToken": "…" }; Browser → Resource Server: GET /orders with Authorization: Bearer {access_token} → 200 OK { "orderId": "…", "time": "…", "items": [ … ] }.
  7. Discovery endpoint (.well-known). Example: https://accounts.google.com/.well-known/openid-configuration returns

    {
      "issuer": "https://accounts.google.com",
      "authorization_endpoint": "https://accounts.google.com/o/oauth2/v2/auth",
      "token_endpoint": "https://oauth2.googleapis.com/token",
      "userinfo_endpoint": "https://openidconnect.googleapis.com/v1/userinfo",
      "revocation_endpoint": "https://oauth2.googleapis.com/revoke",
      "jwks_uri": "https://www.googleapis.com/oauth2/v3/certs",
      "response_types_supported": [ "code", "token", "id_token", ... ],
      "id_token_signing_alg_values_supported": [ "RS256" ],
      "scopes_supported": [ "openid", "email", "profile", ... ],
      "token_endpoint_auth_methods_supported": [ "client_secret_post", "client_secret_basic" ],
      "claims_supported": [ "aud", "iat", "sub", ... ],
      "code_challenge_methods_supported": [ "plain", "S256" ],
      "grant_types_supported": [ "authorization_code", "refresh_token", ... ]
    }

    and the jwks_uri returns the signing keys:

    {
      "keys": [
        { "kid": "d7b939771a7800c413f90051012d975981916d71", "n": "...", "e": "AQAB", "use": "sig", "alg": "RS256", "kty": "RSA" },
        { "kid": "b2620d5e7f132b52afe8875cdf3776c064249d04", "n": "...", "e": "AQAB", "alg": "RS256", "use": "sig", "kty": "RSA" }
      ]
    }
  8. Token lifecycle management strategies. Table columns: pattern / use of access token / use of refresh token / refresh-token rotation / example use case / considerations.

    ① Access token only: access token ○, refresh token ×, rotation ×; considerations: few. Example use case: • re-login is required every time the browser is opened • usage frequency is about … times a month.
    ② Access token and refresh token (without rotation): access token ○, refresh token ○, rotation ×; considerations: medium. Example use case: • after logging in once the user can keep using the app without re-login, but must re-login … times a month • usage frequency is a few times a month.
    ③ Access token and refresh token (with rotation): access token ○, refresh token ○, rotation ○; considerations: many. Example use case: • after logging in once the user can keep using the app without re-login, but must re-login after a fixed period (up to a few months) passes • basically, a user who uses the app every day or every week is never asked to re-login.
  9. Where tokens are stored in the browser:

    In-memory store: AccessToken. Web Storage: localStorage (AccessToken, RefreshToken), sessionStorage (AccessToken). Cookie: without HttpOnly (AccessToken, RefreshToken), with HttpOnly (AccessToken, RefreshToken).
  10. Things to know about cookies (cookie attribute / meaning):

    • Expires: expiry date • Max-Age: seconds until expiry • Domain: domain the cookie is sent to • Path: path the cookie is sent to • Secure: sent only over HTTPS • HttpOnly: not readable from JavaScript • SameSite: whether, and within what scope, the cookie is sent cross-site.
  11. Example configuration when handling cookies with an SPA + Web API (※ except for some ID providers, including Auth0). Browser; SPA at https://web.example.com; Web API at https://api.example.com; ID provider at https://cognito-idp.ap-northeast-1.amazonaws.com.

    To handle an HttpOnly cookie across origins, a strict CORS policy must be implemented. The auth endpoint https://auth.example.com sets Set-Cookie: token={token}; Domain=.example.com; httponly; secure; SameSite=Lax; and the browser then sends Cookie: token={token} to both the SPA and the Web API.
  12. Understanding the basics of CORS. Browser ↔ Core Server:

    ① request from the client (JS) carrying Origin: example.com; ② preflight request (OPTIONS), answered with Access-Control-Allow-Origin: *; ③ the actual request, answered with Access-Control-Allow-Origin: *; ④ response delivered to the client (JS).
  13. CORS configuration for handling cookies with the HttpOnly attribute. Browser ↔ Core Server:

    ① request from the client (JS) carrying Origin: example.com; ② preflight request (OPTIONS), answered with Access-Control-Allow-Origin: {origin} and Access-Control-Allow-Credentials: true; ③ the actual request, answered with Access-Control-Allow-Credentials: true; ④ response delivered to the client (JS) with Access-Control-Allow-Origin: {origin} and Access-Control-Allow-Credentials: true. The concrete origin is echoed back instead of the wildcard used on slide 12.
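As an added example (not code from the slides or from Serverless Operations), a Lambda handler in the API Gateway proxy-integration shape that applies the CORS rules of slides 12 and 13 to the HttpOnly cookie setup of slide 11; the origin allowlist, the cookie name `token` and the `userId` response body are assumptions, and token verification is left as a comment.

```javascript
// Added example (not from the slides): Lambda handler in the API Gateway
// proxy-integration shape for the cookie + CORS setup of slides 11-13.
// Allowlist, cookie name "token" and the response body are assumptions.

// Only the SPA origin from slide 11 may receive credentialed responses.
const ALLOWED_ORIGINS = new Set(['https://web.example.com']);

// Slide 13: with Access-Control-Allow-Credentials: true browsers reject the
// wildcard "*", so the concrete, allowlisted origin must be echoed back.
function corsHeaders(origin) {
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin', // the response differs per origin; keep caches honest
  };
}

function parseCookies(header) {
  const out = {};
  for (const part of (header || '').split(';')) {
    const i = part.indexOf('=');
    if (i > 0) out[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return out;
}

// event: { httpMethod, headers } as delivered by API Gateway (REST proxy).
function handle(event) {
  const headers = Object.fromEntries(
    Object.entries(event.headers || {}).map(([k, v]) => [k.toLowerCase(), v]));
  const origin = headers.origin;
  const allowed = origin !== undefined && ALLOWED_ORIGINS.has(origin);
  // Without CORS headers the browser blocks the cross-origin read.
  const cors = allowed ? corsHeaders(origin) : {};

  if (event.httpMethod === 'OPTIONS') { // slides 12/13, step 2: preflight
    if (!allowed) return { statusCode: 403, headers: {}, body: '' };
    return { statusCode: 204, body: '', headers: { ...cors,
      'Access-Control-Allow-Methods': 'GET,POST,OPTIONS',
      'Access-Control-Allow-Headers': 'Content-Type',
      'Access-Control-Max-Age': '600' } };
  }
  // Step 3: the actual request; the HttpOnly cookie from slide 11 rides along.
  const { token } = parseCookies(headers.cookie);
  if (!token) return { statusCode: 401, headers: cors, body: '{"error":"missing token cookie"}' };
  // Verify the token here (signature via the IdP's jwks_uri, exp, aud) before trusting it.
  return { statusCode: 200, headers: { ...cors, 'Content-Type': 'application/json' },
           body: JSON.stringify({ userId: 'placeholder' }) };
}
```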