Upgrade to Pro — share decks privately, control downloads, hide ads and more …

PHP 也有 Day #48:我是誰?我在哪?

Sponsored · Ship Features Fearlessly Turn features on and off without deploys. Used by thousands of Ruby developers.
Avatar for Star Rocket Star Rocket
October 01, 2019
Technology
0
59

PHP 也有 Day #48:我是誰?我在哪?

PHP 也有 Day #48:我是誰?我在哪?

Avatar for Star Rocket

Star Rocket

October 01, 2019
Tweet

More Decks by Star Rocket

See All by Star Rocket
PHP 也有 Day #51:高效能框架的曙光 - 以 Laravel 經驗開發 Hyperf 應用
Avatar for Star Rocket starrocket
1
330
PHP 也有 Day #50:處理前人的遺產—聊 legacy code
Avatar for Star Rocket starrocket
0
85
PHP 也有 Day #49:邊緣人救星!用 Laravel 打造私人定製的聊天機器人
Avatar for Star Rocket starrocket
0
410
PHP 也有 Day #48:我是誰?我在哪?
Avatar for Star Rocket starrocket
0
62
API-整合測試
Avatar for Star Rocket starrocket
0
110
How we talk about Engineering Culture at Phase
Avatar for Star Rocket starrocket
0
39
PHP 也有 Day #47:打造好維護的 PHP 程式碼專案
Avatar for Star Rocket starrocket
0
360
全端起手就用 Laravel+Vue.js 現場實作給你看
Avatar for Star Rocket starrocket
0
200
PHP 也有 Day #45: VS Code 實戰料理 PHP 套件網站佐 Azure Pipelines
Avatar for Star Rocket starrocket
0
100

Other Decks in Technology

See All in Technology
インフラエンジニア必見!Kubernetesを用いたクラウドネイティブ設計ポイント大全
Avatar for 高棹大樹 daitak
1
390
Oracle Base Database Service 技術詳細
Avatar for oracle4engineer oracle4engineer
PRO
15
93k
生成AIと余白 〜開発スピードが向上した今、何に向き合う?〜
Avatar for KAKEHASHI kakehashi
PRO
0
160
Amazon Bedrock Knowledge Basesチャンキング解説!
Avatar for 野口碧生 aoinoguchi
0
160
AWS Network Firewall Proxyを触ってみた
Avatar for nagisa_53 nagisa53
1
240
ファインディの横断SREがTakumi byGMOと取り組む、セキュリティと開発スピードの両立
Avatar for adachi.ryo rvirus0817
1
1.6k
登壇駆動学習のすすめ — CfPのネタの見つけ方と書くときに意識していること
Avatar for おおいし bicstone
3
130
SRE Enabling戦記 - 急成長する組織にSREを浸透させる戦いの歴史
Avatar for Masaki Ishigaki markie1009
0
170
会社紹介資料 / Sansan Company Profile
Avatar for Sansan, Inc. sansan33
PRO
15
400k
Claude_CodeでSEOを最適化する_AI_Ops_Community_Vol.2__マーケティングx_AIはここまで進化した.pdf
Avatar for 小笠原理久 riku_423
2
610
茨城の思い出を振り返る ~CDKのセキュリティを添えて~ / 20260201 Mitsutoshi Matsuo
Avatar for SHIFT EVOLVE shift_evolve
PRO
1
410
ブロックテーマ、WordPress でウェブサイトをつくるということ / 2026.02.07 Gifu WordPress Meetup
Avatar for Toro_Unit (Hiroshi Urabe) torounit
0
200

Featured

See All Featured
Evolving SEO for Evolving Search Engines
Avatar for Ryan Jones ryanjones
0
130
From π to Pie charts
Avatar for Rasagy Sharma rasagy
0
130
Leveraging LLMs for student feedback in introductory data science courses - posit::conf(2025)
Avatar for Mine Cetinkaya-Rundel minecr
0
160
What the history of the web can teach us about the future of AI
Avatar for Ines Montani inesmontani
PRO
1
440
Unlocking the hidden potential of vector embeddings in international SEO
Avatar for Frank van Dijk frankvandijk
0
170
The Anti-SEO Checklist Checklist. Pubcon Cyber Week
Avatar for Ryan Jones ryanjones
0
70
A Guide to Academic Writing Using Generative AI - A Workshop
Avatar for Kenji Saito ks91
PRO
0
210
Leadership Guide Workshop - DevTernity 2021
Avatar for David Neal reverentgeek
1
200
AI: The stuff that nobody shows you
Avatar for John Nunemaker jnunemaker
PRO
2
270
Prompt Engineering for Job Search
Avatar for Mfonobong Umondia mfonobong
0
160
A Modern Web Designer's Workflow
Avatar for Chris Coyier chriscoyier
698
190k
Pawsitive SEO: Lessons from My Dog (and Many Mistakes) on Thriving as a Consultant in the Age of AI
Avatar for David Carrasco davidcarrasco
0
68

Transcript

  1. 我是誰︖我在哪︖ 聊聊 Web 的身分驗證

  2. ABOUT MILES CURRENT Senior Developer @ 104 Corp. Volunteer @

    DevOps Taiwan TAG PHP, Docker, DevOps [email protected] MilesChou
  3. None

  4. 今天將會聊些什麼 Terminology Scenario Native App Security Topic

  5. Terminology Authentication Entity Identifier

  6. Server User

  7. Server User Entity

  8. Server User Entity Identifier

  9. Server User Entity Identifier Miles Miles

  10. Server User Entity Identifier Authentication Miles Miles

  11. 基本的安全問題 請求真的是該使⽤者本身的意願所發出的請求嗎︖ 有沒有可能被竄改︖有沒有機會造假︖ 回應真的是伺服器的回應嗎︖ 有沒有可能被竄改︖有沒有機會造假︖

  12. Scenario 從前從前,有個網站提供了很多服務

  13. 安安你好,第⼀一次來來嗎? 第⼀一次來來的都是絕緣⼈人哦! 為了了讓你不再絕緣, 你先跟我講好,要怎麼驗證你是誰!

  14. 註冊的⽬的 使⽤者提供憑證資訊,如帳號、密碼、etc 伺服器提供 metadata

  15. 註冊的⽅法 線上註冊 私訊註冊 線下註冊

  16. User Login 身為⼀個使⽤者,我希望能使⽤網站提供的服務

  17. 安安你好,第⼆二次來來嗎? 站著!⼝口令?誰? 我知道你是麥爾斯了了,可是我⾦金金⿂魚腦! 24 分鐘內記得過來來刷新⼀一下!

  18. User Login Challenge State Management Mechanism

  19. 實作 Laravel Auth Zend Authentication

  20. Server-side Authentication 身為⼀個伺服器,我希望能呼叫網站提供的 API

  21. How about Authorization?

  22. Server-side Authentication Trusted Server VPN、鎖 IP、發 token、etc. OAuth 2.0 Facebook、Google、GitHub、AWS、etc.

  23. Terminology - OAuth 2.0 Authorization Resource Owner Resource Server Client

    Authorization Server

  24. Authorization Server Resource Owner Resource Server Client Authorization Request

  25. Authorization Server Resource Owner Resource Server Client Authorization Grant

  26. Authorization Server Resource Owner Resource Server Client Authorization Grant

  27. Authorization Server Resource Owner Resource Server Client Access Token

  28. Authorization Server Resource Owner Resource Server Client Access Token

  29. Authorization Server Resource Owner Resource Server Client Protected Resource

  30. 微信偷連結 Facebook︖ 到底花⽣省魔術︖請看 VCR!

  31. 微信偷連結 Facebook︖ Facebook 實作了 OAuth 2.0 微信 App 為 Client

    授權範圍

  32. Third-party Login 身為⼀個外部網站,我希望能透過貴站做身分驗證

  33. 安安你好,你是麥爾斯的跟班嗎? 有刷過麥爾斯的臉就可以進場了了哦! 但過⼀一回兒後, 我還會再跟麥爾斯確認,你還是不是他的跟班

  34. Third-party Login OAuth 2.0 Facebook, Google, GitHub, etc. OpenID Connect

    AppleID, Line, Google, Auth0, etc. SAML GitHub, Google, etc.

  35. Server User Provider Authentication Check

  36. OpenID Connect

  37. OpenID Connect Based-on OAuth 2.0 Use JWT on ID token

    Discovery Dynamic Client Registration

  38. Authorization Server Client End User Login

  39. Authorization Server Client End User Redirect to Authorization Server scope=openid

  40. Authorization Server Client End User Authorization Request

  41. GET / POST

  42. Authorization Server Client End User Challenge

  43. Authorization Server Client End User User Credentials

  44. Authorization Server Client End User Authorization Request

  45. Authorization Server Client End User Authorization Grant

  46. Authorization Server Client End User Redirect to Client with Code

  47. Authorization Server Client End User Use Code to get Access

    Token ID Token

  48. ID token

  49. 簽章 圖⽚來源:https://en.wikipedia.org/wiki/File:Private_key_signing.svg

  50. 簽章演算法 HS256 - HMVC using SHA-256 Line RS256 - RSASSA-PKCS1-v1_5

    using SHA-256 AppleID, Google ES256 - ECDSA using P-256 and SHA-256 AppleID

  51. Discovery AppleID Line Google

  52. ⽤用講的不就很會? 做⼀一個來來看看啊!

  53. Demo

  54. Native App

  55. 先講結論 不要⽤嵌入式 User Agent,即麻煩又危險 可使⽤ PKCE 來解決這個問題

  56. Chrome on Mobile 圖⽚來源:https://www.ory.sh/oauth2-for-mobile-app-spa-browser/

  57. App on Mobile 圖⽚來源:https://www.ory.sh/oauth2-for-mobile-app-spa-browser/

  58. Security Topic

  59. 基本 TLS CSRF XSS CSP Same-origin Policy

  60. HTML 登入 無標準協定 網路釣⿂

  61. Covert Redirect Redirect url 驗證

  62. 清除登入狀態 Token Revoke 的時機 OpenID Session Management Front-Channel Logout Back-Channel

    Logout

  63. Extra - Password 千萬不要存明碼 MD5 與 SHA1 已被認為是不安全的演算法 建議使⽤ SHA256

  64. Extra - Cookie 問題核⼼在於過度依賴 Cookie 作為身分驗證的⼿段 CSRF Session Hijacking Session

    Fixation Weak Confidentiality Weak Integrity

  65. Q & A