Upgrade to Pro — share decks privately, control downloads, hide ads and more …

OAuth, Transactional Authorization @ IETF106

sylph01
January 09, 2020
Technology
1
480

OAuth, Transactional Authorization @ IETF106

presented at https://isocjp.doorkeeper.jp/events/101939

----

Revision 2:
* removed image taken from XYZ slide
* fixed page 15: URLs are also encrypted under HTTPS

sylph01

January 09, 2020
Tweet

More Decks by sylph01

See All by sylph01
Community & RubyKaigi Showcase @ Ehime.rb Reboot Meetup
sylph01
0
140
Build and Learn Rails Authentication
sylph01
8
1.4k
Email, Messaging, and Self-Sovereign Identity (2021/05/28 edition)
sylph01
0
0
DNS Encryption and Its Controversies
sylph01
0
520
Email, Messaging, and SSI/DID (再放送)
sylph01
0
1k
Action Mailbox in Action
sylph01
1
2.7k
Keebs-n-Kaigi
sylph01
1
190
Email, Messaging, and SSI/DID
sylph01
0
720
IETF 107 Report Session: OAuth/TxAuth
sylph01
0
66

Other Decks in Technology

See All in Technology
Predictive back transition Animation on Android 14
line_developers
PRO
1
360
分散トレーシングとOpenTelemetryのススメ 超入門編
k6s4i53rx
2
420
プロデュ―サーさん、今日も安全運転でよろしくね☆~OBD2を用いた速度・回転数検知ツールの開発~
hato3isfriend
0
150
IaCのCI/CDを考えよう / JAWS-UG_Okayama_IaC_CICD
taishin
1
180
Blueskyちゃん作った話
kojira
0
100
Spotify API を使ったアイマス楽曲の楽しみ方
takemikami
0
120
Semantic Kernel を使って ChatGPT Plugins をアプリに組み込んでみよう
okazuki
0
150
組込みRustでも でかい?JSONを扱いたい!
ciniml
0
200
Go1.20からサポートされるtree構造のerrの紹介と、treeを考慮した複数マッチができるライブラリを作った話/introduction of tree structure err added since go 1_20
convto
0
210
少しずつでも出来るようになりたいもの、なに? / What do you want to be able to do step by step?
banjun
PRO
1
210
Web Intelligence and Visual Media Analytics
weblyzard
PRO
1
3.3k
Blueskyの「今」がわかる!Bot
lamrongol
0
130

Featured

See All Featured
Understanding Cognitive Biases in Performance Measurement
bluesmoon
3
550
Build your cross-platform service in a week with App Engine
jlugia
222
17k
Building Adaptive Systems
keathley
29
1.5k
Learning to Love Humans: Emotional Interface Design
aarron
264
38k
Designing for humans not robots
tammielis
245
24k
Code Review Best Practice
trishagee
53
12k
GitHub's CSS Performance
jonrohan
1022
430k
The Invisible Side of Design
smashingmag
292
49k
Fontdeck: Realign not Redesign
paulrobertlloyd
74
4.5k
Building a Scalable Design System with Sketch
lauravandoore
451
31k
Automating Front-end Workflow
addyosmani
1352
200k
Why Our Code Smells
bkeepers
PRO
327
55k

Transcript

  1. OAuth, Transactional
    Authorization, and
    other security related
    stuff
    Ryo Kajiwara @ lepidum
    IETF106 Report Session, ISOC-JP

    View Slide

  2. View Slide

  3. Why OAuth Now?

    View Slide

  4. View Slide

  5. ͍͍ͩͨ͜ͷهࣄͷԆ
    ௕ͷ࿩Λ͠·͢
    https:/
    /lepidum.co.jp/blog/
    2019-12-03/future-of-oauth/

    View Slide

  6. OAuth 2.0ɺਓྨʹ͸ૣ
    ͗ͨ͢ͷͰ͸ʁ
    ͱ͸ݴΘͳ͍͚ΕͲ֦ு/मਖ਼ଟ͗͢
    ໰୊

    View Slide

  7. OAuth 2.0ͷ͓͞Β͍
    OAuth 2.0(RFC 6749)ͷΞΫηετʔΫϯऔಘํ๏ʹ͸
    • Authorization Code Grant
    • Implicit Grant
    • Resource Owner Password Credentials Grant
    • Client Credentials Grant
    ͕͋Δɻ(࣍ϖʔδҎ߱ܰ͘ղઆ)

    View Slide

  8. View Slide

  9. View Slide

  10. View Slide

  11. View Slide

  12. View Slide

  13. View Slide

  14. ௚ײతʹ͸ҧ͍͕Θ͔Γʹ͍͕͘ɺଞͷ΋ͷͱͷܾఆతͳҧ͍͸
    ʮΫϥΠΞϯτࣗ਎͕ϦιʔεΦʔφʔͰ͋Δʯέʔεʹ࢖͏΋
    ͷͰ͋ΓɺΫϥΠΞϯτೝূΛ͢Δ͜ͱͰAuthorization Server͸Ξ
    ΫηετʔΫϯΛฦ͍ͯ͠Δɻ

    View Slide

  15. Կ͕Ϛζ͍ͷ(1)
    • Implicit GrantͰ͸ϦμΠϨΫτURLதʹΞΫηετʔΫϯͦͷ΋
    ͷΛؚΜͰฦ͍ͯ͠Δ͜ͱ͕໰୊ɻ
    • ϦΫΤετɾϨεϙϯεͷheader/body͸HTTPSͳΒ҉߸Խ͞
    ΕΔ͕…
    • ྫ: ΦʔϓϯϦμΠϨΫλΛ౿·͞ΕΔͱͦ͜ͷΞΫηεϩά
    ʹΞΫηετʔΫϯ͕࢒ͬͯ…
    • ྫ: ϦϯΫΛ౿ΉͱϦϑΝϥܦ༝ͰτʔΫϯ͕࿙Εͯ…

    View Slide

  16. Կ͕Ϛζ͍ͷ(2)
    • Resource Owner Password Credentials Grant͸ը૾ͷ஫ऍͷ௨
    Γɺதܧ͢ΔΫϥΠΞϯτ͕ϦιʔεΦʔφʔͷύεϫʔυΛ
    ஌Δ͜ͱ͕Ͱ͖ͯ͠·͏ɻ
    • ύεϫʔυͰ͍͍ͪͪೝূͨ͘͠ͳ͍͔ΒΞΫηετʔΫϯ
    Ͱݖݶ༩͑Δͷ͕OAuth͡Όͳ͔͚ͬͨͬ…ʁ
    • ͳͷͰɺ΋ͱ΋ͱ͔Βͯ͠Ҡߦ໨తΛҙਤ͞Ε͍ͯͨɻ͕ɺ
    ࠓͰ΋࢖༻͠ଓ͚͍ͯΔ࣮૷͕ଘࡏ͢Δ…
    • ࠷৽ͷSecurity BCPʹ͸MUST NOT useͱॻ͔Ε͍ͯΔɻ

    View Slide

  17. ฏͨ͘ݴ͏ͱ
    • RFC6749͚ͩಡΉͷͰෆे෼ʹͳͬͯ͠·ͬͨ
    • ؔ࿈υΩϡϝϯτ͕ࢁ΄Ͳ͋Δ
    • ͜ΕΛղܾ͠Α͏ͱ͍͏ಈ͖͕ग़͖ͯͨ

    View Slide

  18. View Slide

  19. OAuth 2.1

    View Slide

  20. ͜Ε͸Կ
    ࠓճͷձ߹Ͱॳొ৔ͷఏҊͰɺʮOAuthؔ܎ͷυΩϡϝϯτͱͬͪ
    Β͔Γ͔͗ͩ͢Β1ͭυΩϡϝϯτಡΊ͹ؒҧ͍ͷͳ͍OAuth͕࣮
    ૷Ͱ͖·ͬͤʯͱ͍͏υΩϡϝϯτΛ࡞Ζ͏ɺͱ͍͏΋ͷɻ
    ۩ମతʹ͸ɺRFC6749(OAuth 2.0ຊମ) + draft-ietf-oauth-security-
    topics-13(OAuth Security BCP) + RFC 8628(Device Flow)ͷ͍͍ͱ͜औ
    Γ("OAuth: the Good Parts")ͱͯ͠ఏҊ͞Εͨɻ

    View Slide

  21. OAuth 2.0Ͱ͸͜͏ͩͬͨ
    • Authorization Code Grant
    • Implicit Grant
    • Resource Owner Password Credentials Grant
    • Client Credentials Grant

    View Slide

  22. OAuth 2.1Ͱ͸͜͏ͳΔ
    • Authorization Code Grant
    • ͨͩ͠ɺPKCE(Proof Key for Code Exchange; RFC7636)ͷར༻͕
    ඞਢɺΑͬͯݫີʹ͸AuthCode͔ͩΒͱ͍ͬͯ2.0ͱԼํޓ
    ׵ੑ͕͋ΔΘ͚Ͱ͸ͳ͍
    • Implicit Grant
    • Resource Owner Password Credentials Grant
    • Client Credentials Grant
    • Device Grant

    View Slide

  23. PKCE
    URLͷҰ෦͔ΒImplicitͰ͸ΞΫηετʔΫϯ͕औΕΔͱઆ໌ͨ͠
    ͕ɺAuthorization Code GrantͰ͸ΞΫηετʔΫϯʹҾ͖׵͑Մೳ
    ͳAuthorization Code͕URLதʹฦ͖ͬͯͯɺ߈ܸऀ͸͜ΕΛಘΔ͜
    ͱ͕ՄೳɻεϚʔτϑΥϯͳͲͷΤϯυσόΠεʹਖ਼౰ͳΫϥΠΞ
    ϯτͱಉډ͢Δѱҙͷ͋ΔΞϓϦέʔγϣϯ͕͜ͷ஋Λར༻ͯ͠
    ΞΫηετʔΫϯΛ৐ͬऔΔ͜ͱ͕Ͱ͖ͯ͠·͏ɻ
    Authorization Codeͷ৐ͬऔΓʹΑΔ߈ܸΛchallenge-responseʹ
    Αͬͯ๷͙ͷ͕PKCEͷ໾໨ɻ

    View Slide

  24. View Slide

  25. ࠓޙͲ͏ͳΔͷʁ
    IETF 106Ͱ͸ࠓޙͲ͏΍ͬͯਐΊΔ΂͖͔Λٞ࿦͢ΔαΠυϛʔ
    ςΟϯάཱ͕ͬͨɻ
    େଟ਺ͷࢀՃऀ͸OAuthͦͷ΋ͷͷෳࡶੑͱRFC6749ͱ͍͏େຊͷ
    υΩϡϝϯτʹݱࡏ࢖͑ͳ͍߲໨͕͋Δͱ͍͏͜ͱʹݒ೦͸ࣔ͠
    ͍͕ͯͨɺҰํͰ(࣍ʹઆ໌͢Δ)txauthͷworkͱOAuth WGͷwork
    ͱฒߦͯ͠ਐΊΔ͜ͱͷࠔ೉͞΁ͷݒ೦Λ͍ࣔͯͨ͠ɻ

    View Slide

  26. View Slide

  27. txauth
    Transactional Authorization and
    Delegation

    View Slide

  28. ͦ΋ͦ΋ transactional ͱ͸
    https:/
    /datatracker.ietf.org/meeting/106/materials/slides-106-txauth-
    annabelle ʹ͋Δ໰୊ఏ͕ٞඇৗʹΘ͔Γ΍͍͢ɻʮΤϯυϢʔ
    βʔΛɺ͋Δϓϩηεͷ్தͰଞͷίϯςΩετʹ༠ಋ͠໭ͬͯ
    ͘Δʹ͸Ͳ͏ͨ͠ΒΑ͍͔ʁʯ
    (ྫ) εϚʔτεϐʔΧʔʹຊͷߪೖͷࢦࣔΛग़͕ͨ͠ɺԿΒ͔ͷཧ
    ༝Ͱߪೖ͕ࣦഊͨ͠ɻࠓ·ͰͷೝՄͷ࢓૊ΈͰ͸ߪೖͷݪҼʹ
    ͳ͍ͬͯΔ໰୊Λղܾͨ͠ΒʮຊͷߪೖͰ͋Δʯͱ͍͏໋ྩ͕๨
    ΕΒΕͯ͠·͍ͬͯͨɻ

    View Slide

  29. ͦ΋ͦ΋ transactional ͱ͸
    • γϣοϓͷαΠτͰߦ͏͜ͱ
    • ຊͷߪೖΛ͍ͨ͠
    • ͔͠͠࢒ߴ͕଍Γͳ͍
    • ܾࡁखஈͷαΠτͰߦ͏͜ͱ
    • ೝূɺ࢒ߴͷิॆ
    • γϣοϓͷαΠτʹ໭ͬͯߦ͏͜ͱ
    • τϥϯβΫγϣϯͷ࠶։ → ࢒ߴ͕͋ΔͷͰߪೖ

    View Slide

  30. ͦ΋ͦ΋ transactional ͱ͸
    ࣗ෼ͷࡶͳղऍͱͯ͠͸ɺ
    ͋ΔߦҝΛߦ͏ೝՄΛಘΔखଓ͖ΛҰ࿈ͷτϥϯβΫγϣϯͱΈ
    ͳ͠ɺτϥϯβΫγϣϯʹೝՄʹඞཁͳഎܠ৘ใʢΞΫηετʔ
    ΫϯɺΞΫηετʔΫϯΛಘΔͨΊͷଐੑ৘ใɺ·ͨϦιʔε
    ΦʔφʔͷೝূͷͨΊͷূ໌ʣΛؔ࿈෇͚͍ͯ͘͜ͱ
    ͱ͍͏ղऍɻ

    View Slide

  31. XYZ

    View Slide

  32. XYZͱ͸
    Transactional AuthorizationΛ࣮ݱ͢ΔϓϩτίϧͷԾͷ໊শɻఏҊ
    ऀ͸OAuth 3.0ͱ͍͏ݴ͍ํΛ͢Δ͜ͱ΋͋ΔɻIETFతʹ͸draft-
    richer-transactional-authz-04ɻ
    OAuth 2.0ͱͷޓ׵ੑΛແࢹ͠ɺ৽͘͠ೝՄػೳΛઃܭ͠௚ͨ͠Β
    Ͳ͏ͳΔ͔ʁͱ͍͏ߟ͑Ͱ࡞ΒΕͨϓϩτίϧɻ
    txauth BoF͸લճOAuth WG಺Ͱߦͬͨ͜ͷఏҊΛ΋ͱʹɺ৽͘͠
    WGΛܗ੒͢ΔͨΊʹ։͔Εͨɻ

    View Slide

  33. ղܾ͍ͨ͠ओཁͳ໰୊
    • ϑϩϯτνϟϯωϧͷอޢ
    • ϒϥ΢βͱαʔόʔͷؒͰ৘ใΛ౉͢ํ๏ͷอޢͷͨΊʹͨ
    ͘͞Μͷ֦ு͕ੜ·Ε͍ͯΔ
    • dynamic registration
    • OAuth͸ΫϥΠΞϯτͷ੩తͳొ࿥Λҙਤͯ͠࡞ΒΕ͕ͨɺ
    ࣮ࡍ͸ಈతʹ௥Ճ͞ΕΔ͜ͱ͕ଟ͘ɺͦΕʹ൐͍redirect URI
    ͷݕূͳͲͰηΩϡϦςΟ໰୊͕ੜ͍ͯ͡Δ

    View Slide

  34. ղܾ͍ͨ͠ओཁͳ໰୊
    • scope ͷఆٛ
    • ΞΫηε͍ͨ͠஋ʁ
    • Ͳ͏͍͏ػೳʁ(OIDCʹ͓͚Δ openid ͕ྫ)
    • ͲͷϦιʔεαʔόʔʁ
    • ...
    https:/
    /datatracker.ietf.org/meeting/106/materials/slides-106-txauth-
    limitations-of-oauth-2

    View Slide

  35. ಛ௃(1)
    εϥΠυ https:/
    /datatracker.ietf.org/meeting/106/materials/
    slides-106-txauth-xyz Λ΋ͱʹઆ໌͢Δͱɺ
    • ΫϥΠΞϯτ͸ͲͷϦιʔε͕΄͍͔͠(p.10)ɺࣗ෼ࣗ਎ͷೝࣝ
    ํ๏(p.11-16; 伴ͷॴ༗ূ໌ํ๏·ͰؚΊ)ɺϢʔβʔͱͷΠϯλ
    ϥΫγϣϯ(p.17-19)Λࢦఆ͠τϥϯβΫγϣϯΛ։࢝
    • ͜ΕͰ৘ใ͕଍Γͳ͚Ε͹αʔόʔ͕࣍ʹ͜ͷ৘ใ͕΄͍͠ɺ
    ͱ͍͏͜ͱͰΠϯλϥΫγϣϯURLΛࢦఆ͢Δ(p.23)

    View Slide

  36. ಛ௃(2)
    • ͜͜ͰॳΊͯϢʔβʔ͕ϑϩϯτνϟϯωϧͰ΍ΓͱΓΛ͢Δ
    (p.24)
    • Ϣʔβʔ͕αʔόʔͱ΍ΓͱΓΛͨ͋͠ͱɺAuthorization Server
    ͸"interaction handle"ͱͦͷϋογϡΛੜ੒(p.27-29)͠ɺͦΕΛ
    ΫϥΠΞϯτʹฦ͢
    • ΫϥΠΞϯτ͸"transaction handle"ͱ"interaction handle"Λར༻
    ͯ͠τϥϯβΫγϣϯΛ࠶։(p.32)
    • handle͸աڈͷ஋΁ͷࢀর

    View Slide

  37. XYZҎ֎ͷఏҊ: Rich and
    Pushed Authorization
    Requests
    • https:/
    /datatracker.ietf.org/doc/draft-lodderstedt-oauth-rar/
    • https:/
    /datatracker.ietf.org/doc/draft-lodderstedt-oauth-par/

    View Slide

  38. Rich Authorization Requests
    ۚ༥ܥ΍੓෎ܥͳͲͷڧ͍ηΩϡϦςΟ͕ٻΊΒΕΔྖҬͰOAuth
    Λ࢖͏͜ͱΛҙਤͯ͠ఏҊ͞ΕͨOAuth 2.0ͷ֦ுɻ
    ڧ͍ηΩϡϦςΟΛٻΊΒΕΔϢʔεέʔεͰ͸ݖݶ͕΋ͷ͘͢͝
    ࡉཻ͔͍౓Ͱઃఆ͞Ε͍ͯΔ͕ɺݱঢ়ͷOAuthͷscopeͰ͸͜ΕΛ
    ఻͖͑Εͳ͍͠ɺݱঢ়ͷOAuthͰ͸αʔόʔݻ༗ͷΞΫηετʔΫ
    ϯΛ෷͍ग़͢ͳͲͷࡉ੍͔͍ޚ͕Ͱ͖ͳ͍ɻ

    View Slide

  39. Rich Authorization Requests
    ੈͷதʹଘࡏ͢Δղ๏ͱͯ͠͸
    • scope_detailsύϥϝʔλ֦ு (PolishAPI)
    • ผͷϦιʔεΛ࢖ͬͯڐ୚಺༰Λදݱ (UK OB, NextGenPSD2,
    yes.com)
    ͕͋Δ͕͜ΕΛҰൠԽ͍ͨ͠ɻ

    View Slide

  40. Pushed Authorization
    Requests
    Authorization Requestͷ৘ใΛࣄલʹAuthorization Serverʹpush͢
    Δ͜ͱͰઐ༻ͷAuthorization Request URIΛಘΔ࢓૊Έɻ
    ΫϥΠΞϯτೝূʹඞཁͳ৘ใΛࣄલʹpushͰ͖ΔΑ͏ʹͳΔ͜
    ͱͰΑΓڧྗͳೝূ͕Մೳɻ
    POSTϦΫΤετͰࣄલʹURLΛಘΔ࢓૊ΈͰ͋Δͷ΋ॏཁ(body͸
    HTTPSͰอޢ͞ΕΔ)ɻ

    View Slide

  41. Other WG Business
    • Security BCPͷupdate
    • ϒϥ΢βϕʔεΞϓϦͷͨΊͷOAuth 2.0ͷΨΠυ
    • DPoP(Demonstration of Proof-of-Possession at the Application
    Layer)
    • εϥΠυ๯಄ʹSender-Constrained Access TokenͷͨΊͷPoP
    ͷྺ࢙Λ·ͱΊ͍ͯΔ

    View Slide

  42. Sender-Constrained Access
    Token
    ͦͷ໊ͷ௨Γɺૹ৴ऀ͔͠஌Γಘͳ͍৘ใΛ࢖ͬͯɺΞΫηε
    τʔΫϯͷೳྗΛಛఆͷૹ৴ऀʹͷΈؔ࿈෇͚Δํ๏(<-> Bearer
    τʔΫϯ: τʔΫϯΛॴ͍࣋ͯ͠ΔਓʹΞΫηεݖΛ෇༩͢Δ)ɻ
    Token Binding (draft-ietf-oauth-token-binding-08) ΍ Mutual TLS
    Client Authentication (draft-ietf-oauth-mtls-17) ͳͲͷํ๏͕ఏҊ͞
    Ε͍ͯΔ͕ͲͪΒ΋work in progressɻ

    View Slide

  43. View Slide

  44. એ఻:
    ٕज़ॻయ8 1೔໨(2/29)
    ೔ຊޠ࠷଎XYZղઆຊɺ
    ग़·͢
    https:/
    /cryptic-command.net/

    View Slide