OAuth, Transactional Authorization @ IETF106

sylph01
January 09, 2020

presented at https://isocjp.doorkeeper.jp/events/101939

----

Revision 2:
* removed image taken from XYZ slide
* fixed page 15: URLs are also encrypted under HTTPS

Transcript

  1. OAuth, Transactional Authorization, and other security related stuff
    Ryo Kajiwara @ lepidum
    IETF106 Report Session, ISOC-JP

  3. Why OAuth Now?

  5. I will mostly be talking about an extension of this article:
    https://lepidum.co.jp/blog/2019-12-03/future-of-oauth/

  6. Was OAuth 2.0 too early for humankind?
    I would not go that far, but it does have a "too many extensions and fixes" problem.

  7. OAuth 2.0 recap
    The ways of obtaining an access token in OAuth 2.0 (RFC 6749) are:
    • Authorization Code Grant
    • Implicit Grant
    • Resource Owner Password Credentials Grant
    • Client Credentials Grant
    (each is explained briefly on the following pages)

  14. Intuitively the difference is hard to see, but what decisively sets this grant apart
    from the others is that it is used for the case where the client itself is the resource
    owner: the Authorization Server returns the access token on the basis of client
    authentication.

  15. What is wrong with it? (1)
    • In the Implicit Grant, the access token itself is returned inside the redirect URL,
    and that is the problem.
    • The request/response header and body are encrypted under HTTPS, but…
    • Example: if you are made to hit an open redirector, the access token stays behind in
    that site's access log…
    • Example: following a link leaks the token via the Referer…
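
As an added illustration of the two leak paths on this slide (not part of the original deck), here is a small Python scanner over constructed access-log lines that flags tokens or codes that ended up in a request path (an open-redirect target) or in a Referer and reports only a redacted prefix. The log format, sample lines and regular expressions are my own assumptions.

```python
import re

# Apache/nginx "combined" log format, one request per line (assumption).
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)
# OAuth artefacts that should never land in a server log: a token or code as a URL
# parameter, whether the delimiter is literal (?, &, #) or percent-encoded inside a
# redirect target.
TOKEN_RE = re.compile(
    r'(?:[?&#]|%3[Ff]|%26|%23)(?P<param>access_token|id_token|code)=(?P<value>[^&#"\s%]+)'
)

# Constructed sample log: an open-redirector hit whose target carries an implicit-grant
# token, a Referer that carries a token in its query string, and a harmless request.
SAMPLE_LOG = [
    '10.0.0.5 - - [09/Jan/2020:10:00:00 +0900] "GET /redirect?to=https://app.example/cb'
    '%23access_token=SlAV32hkKG%26token_type=bearer HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [09/Jan/2020:10:00:05 +0900] "GET /help/faq HTTP/1.1" 200 1234 '
    '"https://app.example/cb?access_token=7xC1b2Dfe&expires_in=3600" "Mozilla/5.0"',
    '10.0.0.9 - - [09/Jan/2020:10:00:09 +0900] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]


def redact(value: str) -> str:
    # Keep enough to correlate findings across lines, never the whole secret.
    return value[:4] + "..." + f"({len(value)} chars)"


def find_token_exposures(lines):
    """Return one finding per token-bearing URL found in the request path or Referer."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in combined format; a real scanner would count these
        for field in ("path", "referer"):
            for hit in TOKEN_RE.finditer(m.group(field)):
                findings.append({
                    "client": m.group("client"),
                    "time": m.group("time"),
                    "field": field,
                    "param": hit.group("param"),
                    "value": redact(hit.group("value")),
                })
    return findings
```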

  16. What is wrong with it? (2)
    • As the annotation on the image says, the Resource Owner Password Credentials Grant
    lets the intermediating client learn the resource owner's password.
    • Wasn't the whole point of OAuth to grant permissions with an access token precisely
    because we do not want to authenticate with a password every single time…?
    • So it was intended as a migration aid from the very beginning. Yet implementations
    that still use it exist today…
    • The latest Security BCP says MUST NOT use.

  17. Put plainly
    • Reading only RFC 6749 is no longer sufficient
    • There are mountains of related documents
    • A movement to solve this has emerged

  19. OAuth 2.1

  20. What is this?
    A proposal that made its first appearance at this meeting: since the OAuth documents
    have become so scattered, let's write a single document such that "if you read this
    one document you can implement OAuth without mistakes".
    Concretely, it was proposed as the best parts of RFC 6749 (OAuth 2.0 itself) +
    draft-ietf-oauth-security-topics-13 (OAuth Security BCP) + RFC 8628 (Device Flow),
    i.e. "OAuth: the Good Parts".

  21. In OAuth 2.0 it was like this
    • Authorization Code Grant
    • Implicit Grant
    • Resource Owner Password Credentials Grant
    • Client Credentials Grant

  22. In OAuth 2.1 it becomes this
    • Authorization Code Grant
    • However, the use of PKCE (Proof Key for Code Exchange; RFC 7636) is mandatory, so
    strictly speaking it is not backward compatible with 2.0 just because it is AuthCode
    • Implicit Grant
    • Resource Owner Password Credentials Grant
    • Client Credentials Grant
    • Device Grant

  23. PKCE
    I explained that in Implicit the access token can be taken from part of the URL; in the
    Authorization Code Grant, an Authorization Code that can be exchanged for an access
    token comes back in the URL, and an attacker can obtain it. On an end device such as a
    smartphone, a malicious application living alongside the legitimate client can use this
    value to hijack the access token.
    PKCE's role is to prevent attacks based on hijacking the Authorization Code by means of
    a challenge-response.
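
An added Python sketch (not from the deck, and not RFC 7636's or any library's code) of the challenge-response this slide describes: the client derives code_challenge = BASE64URL(SHA256(ASCII(code_verifier))) as RFC 7636 specifies, a toy Authorization Server (a name I made up) stores the challenge with the code it issues, and the token exchange succeeds only with the verifier, which a malicious app that merely saw the code in the redirect URL does not have.

```python
import base64
import hashlib
import hmac
import secrets


def b64url(raw: bytes) -> str:
    # RFC 7636 uses base64url without padding.
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    # 32 random bytes -> 43 unreserved characters, inside RFC 7636's 43..128 range.
    return b64url(secrets.token_bytes(32))


def code_challenge_s256(code_verifier: str) -> str:
    # code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))
    return b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())


class ToyAuthorizationServer:
    """Hypothetical AS: remembers the challenge sent with each authorization request."""

    def __init__(self) -> None:
        self._pending = {}  # authorization code -> code_challenge

    def issue_code(self, code_challenge: str) -> str:
        code = secrets.token_urlsafe(16)  # this is the value that appears in the redirect URL
        self._pending[code] = code_challenge
        return code

    def exchange(self, code: str, code_verifier: str):
        challenge = self._pending.pop(code, None)  # a code is single-use, success or not
        if challenge is None:
            return None
        # Constant-time comparison of the recomputed challenge with the stored one.
        if not hmac.compare_digest(code_challenge_s256(code_verifier), challenge):
            return None
        return "access-token-" + secrets.token_hex(8)


def demo() -> dict:
    """Legitimate client vs. a malicious app on the same device that only saw the code."""
    server = ToyAuthorizationServer()
    verifier = make_code_verifier()
    code = server.issue_code(code_challenge_s256(verifier))
    malicious_app = server.exchange(code, make_code_verifier())  # guessed verifier: denied
    code = server.issue_code(code_challenge_s256(verifier))  # fresh authorization
    legitimate = server.exchange(code, verifier)  # right verifier: token issued
    replay = server.exchange(code, verifier)  # same code again: denied
    return {"malicious_app": malicious_app, "legitimate": legitimate, "replay": replay}
```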

  25. What happens next?
    At IETF 106 a side meeting was held to discuss how this should proceed from here.
    The large majority of participants expressed concern about the complexity of OAuth
    itself and about the fact that RFC 6749, the base document, now contains items that
    cannot be used any more; on the other hand, they also expressed concern about how hard
    it would be to run this in parallel with the txauth work (explained next) and the
    OAuth WG's own work.

  27. txauth
    Transactional Authorization and Delegation

  28. What does "transactional" mean in the first place?
    The problem statement in
    https://datatracker.ietf.org/meeting/106/materials/slides-106-txauth-annabelle
    is very easy to follow: "How do we send an end user off to another context in the
    middle of some process, and have them come back?"
    (Example) You told a smart speaker to buy a book, but for some reason the purchase
    failed. With the authorization mechanisms we have had so far, by the time you had
    resolved the problem behind the purchase, the instruction "this is a purchase of a
    book" had been forgotten.

  29. What does "transactional" mean in the first place?
    • What happens on the shop's site
    • You want to buy a book
    • But your balance is insufficient
    • What happens on the payment provider's site
    • Authentication, topping up the balance
    • What happens back on the shop's site
    • The transaction is resumed → the balance is now there, so the purchase goes through

  30. What does "transactional" mean in the first place?
    My own rough interpretation:
    treat the procedure for obtaining authorization to perform some action as one
    transaction, and associate with that transaction the background information needed
    for the authorization (the access token, the attribute information needed to obtain
    the access token, and the proofs used to authenticate the resource owner).

  31. XYZ

  32. What is XYZ?
    The provisional name of a protocol that realises Transactional Authorization. Its
    proposer sometimes calls it OAuth 3.0. In IETF terms it is
    draft-richer-transactional-authz-04.
    It is a protocol built on the question: what would it look like if we ignored
    compatibility with OAuth 2.0 and redesigned the authorization functionality from
    scratch?
    The txauth BoF was held to form a new WG, building on this proposal, which had
    previously been presented inside the OAuth WG.

  33. Main problems it wants to solve
    • Protecting the front channel
    • Many extensions have been born just to protect the way information is passed
    between the browser and the server
    • dynamic registration
    • OAuth was designed with static registration of clients in mind, but in practice
    clients are often added dynamically, and with that come security problems around
    things like redirect URI validation

  34. Main problems it wants to solve
    • The definition of scope
    • The value you want to access?
    • What kind of function? (openid in OIDC is an example)
    • Which resource server?
    • ...
    https://datatracker.ietf.org/meeting/106/materials/slides-106-txauth-limitations-of-oauth-2

  35. Features (1)
    Explained on the basis of the slides
    https://datatracker.ietf.org/meeting/106/materials/slides-106-txauth-xyz:
    • The client starts a transaction by specifying which resources it wants (p.10), how
    it identifies itself (p.11-16; including how it proves possession of its key), and
    how it will interact with the user (p.17-19)
    • If that information is not enough, the server says it needs this further
    information next and specifies an interaction URL (p.23)

  36. Features (2)
    • Only here does the user interact over the front channel for the first time (p.24)
    • After the user has interacted with the server, the Authorization Server generates
    an "interaction handle" and its hash (p.27-29) and returns them to the client
    • The client resumes the transaction using the "transaction handle" and the
    "interaction handle" (p.32)
    • A handle is a reference to a past value

  37. Proposals other than XYZ: Rich and Pushed Authorization Requests
    • https://datatracker.ietf.org/doc/draft-lodderstedt-oauth-rar/
    • https://datatracker.ietf.org/doc/draft-lodderstedt-oauth-par/

  38. Rich Authorization Requests
    An OAuth 2.0 extension proposed with the intention of using OAuth in areas that demand
    strong security, such as finance and government.
    In use cases that require strong security, permissions are configured at an extremely
    fine granularity, but the scope of today's OAuth cannot fully express this, and today's
    OAuth offers no fine-grained control such as issuing an access token specific to one
    server.

  39. Rich Authorization Requests
    Solutions that already exist in the wild:
    • the scope_details parameter extension (PolishAPI)
    • expressing the content of the consent through a separate resource (UK OB,
    NextGenPSD2, yes.com)
    The aim is to generalise these.

  40. Pushed Authorization Requests
    A mechanism for obtaining a dedicated Authorization Request URI by pushing the
    information of the Authorization Request to the Authorization Server in advance.
    Because the information needed for client authentication can be pushed in advance,
    stronger authentication becomes possible.
    It is also important that the URL is obtained in advance through a POST request (the
    body is protected by HTTPS).

  41. Other WG Business
    • Update of the Security BCP
    • OAuth 2.0 guide for browser-based apps
    • DPoP (Demonstration of Proof-of-Possession at the Application Layer)
    • The opening of the slides summarises the history of PoP for Sender-Constrained
    Access Tokens

  42. Sender-Constrained Access Token
    As the name says, a way of tying an access token's capability to one specific sender,
    using information that only that sender can know (as opposed to a Bearer token, which
    grants access to whoever holds the token).
    Methods such as Token Binding (draft-ietf-oauth-token-binding-08) and Mutual TLS
    Client Authentication (draft-ietf-oauth-mtls-17) have been proposed, but both are
    work in progress.

  44. Plug:
    Gijutsu-Shoten 8, day 1 (2/29):
    the fastest Japanese-language guide to XYZ is coming out
    https://cryptic-command.net/