presented at https://isocjp.doorkeeper.jp/events/101939
----
Revision 2:
* removed image taken from XYZ slide
* fixed page 15: URLs are also encrypted under HTTPS
OAuth, Transactional Authorization, and other security related stuff
Ryo Kajiwara @ lepidum
IETF106 Report Session, ISOC-JP
Why OAuth Now?
This talk is more or less an extension of this blog post: https://lepidum.co.jp/blog/2019-12-03/future-of-oauth/
OAuth 2.0: I would not go as far as saying it came too early for humankind, but there are far too many extensions and fixes.
Recap of OAuth 2.0
The ways of obtaining an access token in OAuth 2.0 (RFC 6749) are:
• Authorization Code Grant
• Implicit Grant
• Resource Owner Password Credentials Grant
• Client Credentials Grant
(Each is briefly explained on the following pages.)
Client Credentials Grant
The difference is hard to see intuitively, but what decisively sets this grant apart from the others is that it is for the case where the client is itself the resource owner: the Authorization Server returns an access token on the strength of client authentication alone.
What's wrong with it? (1)
• With the Implicit Grant, the access token itself is returned inside the redirect URL.
• Request and response headers and bodies are encrypted under HTTPS, but...
• Example: if the user is sent through an open redirector, the access token ends up in that site's access log...
• Example: clicking a link leaks the token via the Referer header...
What's wrong with it? (2)
• With the Resource Owner Password Credentials Grant, as the figure shows, the intermediary client gets to learn the resource owner's password.
• Wasn't the point of OAuth to grant authority via access tokens precisely so that you don't have to authenticate with a password every time...?
• So it was intended from the outset as a migration aid. Yet implementations that still use it exist...
• The latest Security BCP says MUST NOT use.
Put simply
• Reading RFC 6749 alone is no longer enough
• There is a mountain of related documents
• A movement to fix this has emerged
OAuth 2.1
What is it?
A proposal that made its first appearance at this meeting: the OAuth-related documents are so scattered that the idea is to write one document such that reading it alone lets you implement OAuth without mistakes. Concretely, it was proposed as the best parts of RFC 6749 (OAuth 2.0 core) + draft-ietf-oauth-security-topics-13 (OAuth Security BCP) + RFC 8628 (Device Flow), "OAuth: the Good Parts".
How it was in OAuth 2.0
• Authorization Code Grant
• Implicit Grant
• Resource Owner Password Credentials Grant
• Client Credentials Grant
How it becomes in OAuth 2.1
• Authorization Code Grant
  • However, use of PKCE (Proof Key for Code Exchange; RFC 7636) is mandatory, so strictly speaking the fact that it is AuthCode does not mean it is backward compatible with 2.0
• Implicit Grant (dropped)
• Resource Owner Password Credentials Grant (dropped)
• Client Credentials Grant
• Device Grant (added)
PKCE
I explained that with Implicit the access token can be taken from part of the URL, but with the Authorization Code Grant too, the Authorization Code, which can be exchanged for an access token, comes back in the URL, and an attacker can obtain it. A malicious application living alongside the legitimate client on an end device such as a smartphone can use this to steal the access token. PKCE's role is to prevent this attack by Authorization Code theft using a challenge-response.
What happens next?
At IETF 106 a side meeting was held to discuss how to proceed from here. The large majority of participants expressed concern about the complexity of OAuth itself and about the fact that RFC 6749, the foundational document, contains items that can no longer be used; on the other hand, they also expressed concern about the difficulty of running the txauth work (explained next) and the OAuth WG work in parallel.
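The PKCE challenge-response described above, as an added example that is not part of the original slides: the legitimate client keeps a random code_verifier, sends only its SHA-256 hash (the S256 code_challenge) in the authorization request, and the Authorization Server refuses to redeem a code unless the verifier presented at the token endpoint hashes to that challenge. The AuthorizationServer class is a constructed stand-in, not a real implementation.

```python
import base64
import hashlib
import secrets

def b64url(raw: bytes) -> str:
    """Base64url without padding, as RFC 7636 Appendix A specifies."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def make_code_verifier(n_bytes: int = 32) -> str:
    # 32 random bytes -> 43 unreserved characters, the RFC 7636 minimum length.
    return b64url(secrets.token_bytes(n_bytes))

def make_code_challenge(verifier: str) -> str:
    # S256 method: BASE64URL(SHA256(ASCII(code_verifier)))
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())

class AuthorizationServer:
    """Constructed minimal AS: remembers the challenge bound to each issued code."""
    def __init__(self):
        self._codes = {}

    def authorize(self, code_challenge: str, method: str = "S256") -> str:
        code = b64url(secrets.token_bytes(16))   # the code that travels in the redirect URL
        self._codes[code] = (code_challenge, method)
        return code

    def token(self, code: str, code_verifier: str):
        entry = self._codes.pop(code, None)      # a code is single use, even on failure
        if entry is None:
            return None
        challenge, method = entry
        if method != "S256":
            return None                          # "plain" offers no interception protection
        if not secrets.compare_digest(make_code_challenge(code_verifier), challenge):
            return None
        return "access-token-" + b64url(secrets.token_bytes(8))

def demo():
    as_ = AuthorizationServer()
    # An app that merely observed the redirect URL holds the code but not the verifier.
    verifier = make_code_verifier()
    code = as_.authorize(make_code_challenge(verifier))
    stolen = as_.token(code, make_code_verifier())
    # The legitimate client redeems its own code with the matching verifier.
    verifier2 = make_code_verifier()
    code2 = as_.authorize(make_code_challenge(verifier2))
    legit = as_.token(code2, verifier2)
    return stolen, legit
```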
txauth
Transactional Authorization and Delegation
What does "transactional" mean in the first place?
The problem statement in https://datatracker.ietf.org/meeting/106/materials/slides-106-txauth-annabelle is very easy to follow: "How do you send the end user to another context in the middle of some process and bring them back?" (Example) You tell a smart speaker to buy a book, but for some reason the purchase fails. With the existing authorization mechanisms, by the time the problem that caused the failure has been resolved, the command "buy this book" has been forgotten.
What does "transactional" mean in the first place?
• Done on the shop's site
  • Want to buy a book
  • But the balance is insufficient
• Done on the payment provider's site
  • Authentication, topping up the balance
• Done back on the shop's site
  • Resume the transaction → the balance is now there, so purchase
What does "transactional" mean in the first place?
My rough interpretation: treat the procedure for obtaining authorization to perform some action as one transaction, and attach to that transaction the context needed for authorization (the access token, the attribute information needed to obtain an access token, or the proof used to authenticate the resource owner).
XYZ
What is XYZ?
A provisional name for a protocol that realises Transactional Authorization. The proposer sometimes calls it OAuth 3.0. In IETF terms it is draft-richer-transactional-authz-04. It is a protocol built on the question: what would happen if you ignored compatibility with OAuth 2.0 and designed the authorization function from scratch? The txauth BoF was held to form a new WG on the basis of this proposal, which had been presented at the previous OAuth WG meeting.
Main problems to solve
• Protecting the front channel
  • Many extensions have been created to protect the ways information is passed between browser and server
• Dynamic registration
  • OAuth was designed with static registration of clients in mind, but in practice clients are often added dynamically, and this has brought security problems such as redirect URI validation
Main problems to solve
• The definition of scope
  • Access to what?
  • What kind of function? (openid in OIDC is one example)
  • Which resource server?
  • ...
https://datatracker.ietf.org/meeting/106/materials/slides-106-txauth-limitations-of-oauth-2
Features (1)
Explained using the slides https://datatracker.ietf.org/meeting/106/materials/slides-106-txauth-xyz:
• The client starts a transaction by specifying which resources it wants (p.10), how it identifies itself (p.11-16; including how it proves possession of its key), and the interaction with the user (p.17-19)
• If that information is not enough, the server specifies an interaction URL, meaning "next I need this information" (p.23)
Features (2)
• Only at this point does the user first interact over the front channel (p.24)
• After the user has interacted with the server, the Authorization Server generates an "interaction handle" and its hash (p.27-29) and returns them to the client
• The client resumes the transaction using the "transaction handle" and the "interaction handle" (p.32)
• A handle is a reference to something from the past
Proposals other than XYZ: Rich and Pushed Authorization Requests
• https://datatracker.ietf.org/doc/draft-lodderstedt-oauth-rar/
• https://datatracker.ietf.org/doc/draft-lodderstedt-oauth-par/
Rich Authorization Requests
An OAuth 2.0 extension proposed with the intent of using OAuth in areas that demand strong security, such as financial systems. In use cases demanding strong security, permissions are configured at an extremely fine granularity; the current OAuth scope cannot express this, and current OAuth cannot do fine-grained control such as issuing access tokens specific to a server.
Rich Authorization Requests
Solutions that exist in the wild:
• a scope_details parameter extension (PolishAPI)
• expressing the permitted operations through a separate resource (UK OB, NextGenPSD2, yes.com)
The aim is to generalise these.
Pushed Authorization Requests
A mechanism whereby the content of the Authorization Request is pushed to the Authorization Server in advance, in exchange for a dedicated Authorization Request URI. Because the information needed for client authentication can be pushed in advance, stronger authentication becomes possible. It also matters that the URL is obtained beforehand via a POST request (the body is protected by HTTPS).
Other WG Business
• Update of the Security BCP
• Guide to OAuth 2.0 for browser-based apps
• DPoP (Demonstration of Proof-of-Possession at the Application Layer)
  • The opening of the slides summarises the history of PoP for Sender-Constrained Access Tokens
Sender-Constrained Access Token
As the name says, a method of tying an access token's capability to a particular sender, using information that only the sender can possess (contrast Bearer tokens: whoever holds the token is granted access). Methods such as Token Binding (draft-ietf-oauth-token-binding-08) and Mutual TLS Client Authentication (draft-ietf-oauth-mtls-17) have been proposed, but both are works in progress.
Plug: at Gijutsu-shoten 8, day 1 (2/29), the first Japanese-language book explaining XYZ comes out. https://cryptic-command.net/
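The sender-constraint idea from the Sender-Constrained Access Token slide, shown for the mutual-TLS variant (draft-ietf-oauth-mtls, published as RFC 8705) as an added example that is not part of the original slides: the Authorization Server puts the SHA-256 thumbprint of the client certificate into the token's cnf claim, and the resource server only accepts the token over a TLS session that used the same certificate. Token claims are handled as a plain dict (no JWT signing), and the certificate bytes are constructed stand-ins, not real DER certificates.

```python
import base64
import hashlib
import secrets
from typing import Optional

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def cert_thumbprint(cert_der: bytes) -> str:
    """x5t#S256 confirmation value: base64url(SHA-256(DER certificate)), RFC 8705 section 3.1."""
    return b64url(hashlib.sha256(cert_der).digest())

def issue_bound_token(claims: dict, client_cert_der: bytes) -> dict:
    """AS side: bind the token to the certificate the client authenticated with over mTLS."""
    return {**claims, "cnf": {"x5t#S256": cert_thumbprint(client_cert_der)}}

def accept_token(token: dict, presented_cert_der: Optional[bytes]) -> bool:
    """RS side: a cert-bound token is only valid if the TLS client cert matches the cnf thumbprint."""
    thumb = token.get("cnf", {}).get("x5t#S256")
    if thumb is None:
        return False            # plain bearer token: this RS requires a sender-constrained one
    if presented_cert_der is None:
        return False            # no client certificate on this connection
    return secrets.compare_digest(thumb, cert_thumbprint(presented_cert_der))

# Constructed stand-ins for DER-encoded certificates (not real certificates).
CLIENT_CERT = b"\x30\x82CONSTRUCTED-CLIENT-CERT"
OTHER_CERT = b"\x30\x82CONSTRUCTED-OTHER-CERT"

def demo() -> dict:
    token = issue_bound_token({"sub": "client-1", "scope": "read"}, CLIENT_CERT)
    return {
        "same_cert": accept_token(token, CLIENT_CERT),          # legitimate sender
        "stolen_over_other_cert": accept_token(token, OTHER_CERT),  # token replayed by another party
        "stolen_no_cert": accept_token(token, None),            # token replayed without mTLS
        "bearer_token": accept_token({"sub": "client-1"}, CLIENT_CERT),
    }
```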