$30 off During Our Annual Pro Sale. View Details »

OAuth, Transactional Authorization @ IETF106

sylph01
January 09, 2020

OAuth, Transactional Authorization @ IETF106

presented at https://isocjp.doorkeeper.jp/events/101939

----

Revision 2:
* removed image taken from XYZ slide
* fixed page 15: URLs are also encrypted under HTTPS

sylph01

January 09, 2020
Tweet

More Decks by sylph01

Other Decks in Technology

Transcript

  1. OAuth, Transactional Authorization, and other security related stuff Ryo Kajiwara

    @ lepidum IETF106 Report Session, ISOC-JP
  2. None
  3. Why OAuth Now?

  4. None
  5. ͍͍ͩͨ͜ͷهࣄͷԆ ௕ͷ࿩Λ͠·͢ https:/ /lepidum.co.jp/blog/ 2019-12-03/future-of-oauth/

  6. OAuth 2.0ɺਓྨʹ͸ૣ ͗ͨ͢ͷͰ͸ʁ ͱ͸ݴΘͳ͍͚ΕͲ֦ு/मਖ਼ଟ͗͢ ໰୊

  7. OAuth 2.0ͷ͓͞Β͍ OAuth 2.0(RFC 6749)ͷΞΫηετʔΫϯऔಘํ๏ʹ͸ • Authorization Code Grant •

    Implicit Grant • Resource Owner Password Credentials Grant • Client Credentials Grant ͕͋Δɻ(࣍ϖʔδҎ߱ܰ͘ղઆ)
  8. None
  9. None
  10. None
  11. None
  12. None
  13. None
  14. ௚ײతʹ͸ҧ͍͕Θ͔Γʹ͍͕͘ɺଞͷ΋ͷͱͷܾఆతͳҧ͍͸ ʮΫϥΠΞϯτࣗ਎͕ϦιʔεΦʔφʔͰ͋Δʯέʔεʹ࢖͏΋ ͷͰ͋ΓɺΫϥΠΞϯτೝূΛ͢Δ͜ͱͰAuthorization Server͸Ξ ΫηετʔΫϯΛฦ͍ͯ͠Δɻ

  15. Կ͕Ϛζ͍ͷ(1) • Implicit GrantͰ͸ϦμΠϨΫτURLதʹΞΫηετʔΫϯͦͷ΋ ͷΛؚΜͰฦ͍ͯ͠Δ͜ͱ͕໰୊ɻ • ϦΫΤετɾϨεϙϯεͷheader/body͸HTTPSͳΒ҉߸Խ͞ ΕΔ͕… • ྫ:

    ΦʔϓϯϦμΠϨΫλΛ౿·͞ΕΔͱͦ͜ͷΞΫηεϩά ʹΞΫηετʔΫϯ͕࢒ͬͯ… • ྫ: ϦϯΫΛ౿ΉͱϦϑΝϥܦ༝ͰτʔΫϯ͕࿙Εͯ…
  16. Կ͕Ϛζ͍ͷ(2) • Resource Owner Password Credentials Grant͸ը૾ͷ஫ऍͷ௨ Γɺதܧ͢ΔΫϥΠΞϯτ͕ϦιʔεΦʔφʔͷύεϫʔυΛ ஌Δ͜ͱ͕Ͱ͖ͯ͠·͏ɻ •

    ύεϫʔυͰ͍͍ͪͪೝূͨ͘͠ͳ͍͔ΒΞΫηετʔΫϯ Ͱݖݶ༩͑Δͷ͕OAuth͡Όͳ͔͚ͬͨͬ…ʁ • ͳͷͰɺ΋ͱ΋ͱ͔Βͯ͠Ҡߦ໨తΛҙਤ͞Ε͍ͯͨɻ͕ɺ ࠓͰ΋࢖༻͠ଓ͚͍ͯΔ࣮૷͕ଘࡏ͢Δ… • ࠷৽ͷSecurity BCPʹ͸MUST NOT useͱॻ͔Ε͍ͯΔɻ
  17. ฏͨ͘ݴ͏ͱ • RFC6749͚ͩಡΉͷͰෆे෼ʹͳͬͯ͠·ͬͨ • ؔ࿈υΩϡϝϯτ͕ࢁ΄Ͳ͋Δ • ͜ΕΛղܾ͠Α͏ͱ͍͏ಈ͖͕ग़͖ͯͨ

  18. None
  19. OAuth 2.1

  20. ͜Ε͸Կ ࠓճͷձ߹Ͱॳొ৔ͷఏҊͰɺʮOAuthؔ܎ͷυΩϡϝϯτͱͬͪ Β͔Γ͔͗ͩ͢Β1ͭυΩϡϝϯτಡΊ͹ؒҧ͍ͷͳ͍OAuth͕࣮ ૷Ͱ͖·ͬͤʯͱ͍͏υΩϡϝϯτΛ࡞Ζ͏ɺͱ͍͏΋ͷɻ ۩ମతʹ͸ɺRFC6749(OAuth 2.0ຊମ) + draft-ietf-oauth-security- topics-13(OAuth Security

    BCP) + RFC 8628(Device Flow)ͷ͍͍ͱ͜औ Γ("OAuth: the Good Parts")ͱͯ͠ఏҊ͞Εͨɻ
  21. OAuth 2.0Ͱ͸͜͏ͩͬͨ • Authorization Code Grant • Implicit Grant •

    Resource Owner Password Credentials Grant • Client Credentials Grant
  22. OAuth 2.1Ͱ͸͜͏ͳΔ • Authorization Code Grant • ͨͩ͠ɺPKCE(Proof Key for

    Code Exchange; RFC7636)ͷར༻͕ ඞਢɺΑͬͯݫີʹ͸AuthCode͔ͩΒͱ͍ͬͯ2.0ͱԼํޓ ׵ੑ͕͋ΔΘ͚Ͱ͸ͳ͍ • Implicit Grant • Resource Owner Password Credentials Grant • Client Credentials Grant • Device Grant
  23. PKCE URLͷҰ෦͔ΒImplicitͰ͸ΞΫηετʔΫϯ͕औΕΔͱઆ໌ͨ͠ ͕ɺAuthorization Code GrantͰ͸ΞΫηετʔΫϯʹҾ͖׵͑Մೳ ͳAuthorization Code͕URLதʹฦ͖ͬͯͯɺ߈ܸऀ͸͜ΕΛಘΔ͜ ͱ͕ՄೳɻεϚʔτϑΥϯͳͲͷΤϯυσόΠεʹਖ਼౰ͳΫϥΠΞ ϯτͱಉډ͢Δѱҙͷ͋ΔΞϓϦέʔγϣϯ͕͜ͷ஋Λར༻ͯ͠ ΞΫηετʔΫϯΛ৐ͬऔΔ͜ͱ͕Ͱ͖ͯ͠·͏ɻ

    Authorization Codeͷ৐ͬऔΓʹΑΔ߈ܸΛchallenge-responseʹ Αͬͯ๷͙ͷ͕PKCEͷ໾໨ɻ
  24. None
  25. ࠓޙͲ͏ͳΔͷʁ IETF 106Ͱ͸ࠓޙͲ͏΍ͬͯਐΊΔ΂͖͔Λٞ࿦͢ΔαΠυϛʔ ςΟϯάཱ͕ͬͨɻ େଟ਺ͷࢀՃऀ͸OAuthͦͷ΋ͷͷෳࡶੑͱRFC6749ͱ͍͏େຊͷ υΩϡϝϯτʹݱࡏ࢖͑ͳ͍߲໨͕͋Δͱ͍͏͜ͱʹݒ೦͸ࣔ͠ ͍͕ͯͨɺҰํͰ(࣍ʹઆ໌͢Δ)txauthͷworkͱOAuth WGͷwork ͱฒߦͯ͠ਐΊΔ͜ͱͷࠔ೉͞΁ͷݒ೦Λ͍ࣔͯͨ͠ɻ

  26. None
  27. txauth Transactional Authorization and Delegation

  28. ͦ΋ͦ΋ transactional ͱ͸ https:/ /datatracker.ietf.org/meeting/106/materials/slides-106-txauth- annabelle ʹ͋Δ໰୊ఏ͕ٞඇৗʹΘ͔Γ΍͍͢ɻʮΤϯυϢʔ βʔΛɺ͋Δϓϩηεͷ్தͰଞͷίϯςΩετʹ༠ಋ͠໭ͬͯ ͘Δʹ͸Ͳ͏ͨ͠ΒΑ͍͔ʁʯ (ྫ)

    εϚʔτεϐʔΧʔʹຊͷߪೖͷࢦࣔΛग़͕ͨ͠ɺԿΒ͔ͷཧ ༝Ͱߪೖ͕ࣦഊͨ͠ɻࠓ·ͰͷೝՄͷ࢓૊ΈͰ͸ߪೖͷݪҼʹ ͳ͍ͬͯΔ໰୊Λղܾͨ͠ΒʮຊͷߪೖͰ͋Δʯͱ͍͏໋ྩ͕๨ ΕΒΕͯ͠·͍ͬͯͨɻ
  29. ͦ΋ͦ΋ transactional ͱ͸ • γϣοϓͷαΠτͰߦ͏͜ͱ • ຊͷߪೖΛ͍ͨ͠ • ͔͠͠࢒ߴ͕଍Γͳ͍ •

    ܾࡁखஈͷαΠτͰߦ͏͜ͱ • ೝূɺ࢒ߴͷิॆ • γϣοϓͷαΠτʹ໭ͬͯߦ͏͜ͱ • τϥϯβΫγϣϯͷ࠶։ → ࢒ߴ͕͋ΔͷͰߪೖ
  30. ͦ΋ͦ΋ transactional ͱ͸ ࣗ෼ͷࡶͳղऍͱͯ͠͸ɺ ͋ΔߦҝΛߦ͏ೝՄΛಘΔखଓ͖ΛҰ࿈ͷτϥϯβΫγϣϯͱΈ ͳ͠ɺτϥϯβΫγϣϯʹೝՄʹඞཁͳഎܠ৘ใʢΞΫηετʔ ΫϯɺΞΫηετʔΫϯΛಘΔͨΊͷଐੑ৘ใɺ·ͨϦιʔε ΦʔφʔͷೝূͷͨΊͷূ໌ʣΛؔ࿈෇͚͍ͯ͘͜ͱ ͱ͍͏ղऍɻ

  31. XYZ

  32. XYZͱ͸ Transactional AuthorizationΛ࣮ݱ͢ΔϓϩτίϧͷԾͷ໊শɻఏҊ ऀ͸OAuth 3.0ͱ͍͏ݴ͍ํΛ͢Δ͜ͱ΋͋ΔɻIETFతʹ͸draft- richer-transactional-authz-04ɻ OAuth 2.0ͱͷޓ׵ੑΛແࢹ͠ɺ৽͘͠ೝՄػೳΛઃܭ͠௚ͨ͠Β Ͳ͏ͳΔ͔ʁͱ͍͏ߟ͑Ͱ࡞ΒΕͨϓϩτίϧɻ txauth

    BoF͸લճOAuth WG಺Ͱߦͬͨ͜ͷఏҊΛ΋ͱʹɺ৽͘͠ WGΛܗ੒͢ΔͨΊʹ։͔Εͨɻ
  33. ղܾ͍ͨ͠ओཁͳ໰୊ • ϑϩϯτνϟϯωϧͷอޢ • ϒϥ΢βͱαʔόʔͷؒͰ৘ใΛ౉͢ํ๏ͷอޢͷͨΊʹͨ ͘͞Μͷ֦ு͕ੜ·Ε͍ͯΔ • dynamic registration •

    OAuth͸ΫϥΠΞϯτͷ੩తͳొ࿥Λҙਤͯ͠࡞ΒΕ͕ͨɺ ࣮ࡍ͸ಈతʹ௥Ճ͞ΕΔ͜ͱ͕ଟ͘ɺͦΕʹ൐͍redirect URI ͷݕূͳͲͰηΩϡϦςΟ໰୊͕ੜ͍ͯ͡Δ
  34. ղܾ͍ͨ͠ओཁͳ໰୊ • scope ͷఆٛ • ΞΫηε͍ͨ͠஋ʁ • Ͳ͏͍͏ػೳʁ(OIDCʹ͓͚Δ openid ͕ྫ)

    • ͲͷϦιʔεαʔόʔʁ • ... https:/ /datatracker.ietf.org/meeting/106/materials/slides-106-txauth- limitations-of-oauth-2
  35. ಛ௃(1) εϥΠυ https:/ /datatracker.ietf.org/meeting/106/materials/ slides-106-txauth-xyz Λ΋ͱʹઆ໌͢Δͱɺ • ΫϥΠΞϯτ͸ͲͷϦιʔε͕΄͍͔͠(p.10)ɺࣗ෼ࣗ਎ͷೝࣝ ํ๏(p.11-16; 伴ͷॴ༗ূ໌ํ๏·ͰؚΊ)ɺϢʔβʔͱͷΠϯλ

    ϥΫγϣϯ(p.17-19)Λࢦఆ͠τϥϯβΫγϣϯΛ։࢝ • ͜ΕͰ৘ใ͕଍Γͳ͚Ε͹αʔόʔ͕࣍ʹ͜ͷ৘ใ͕΄͍͠ɺ ͱ͍͏͜ͱͰΠϯλϥΫγϣϯURLΛࢦఆ͢Δ(p.23)
  36. ಛ௃(2) • ͜͜ͰॳΊͯϢʔβʔ͕ϑϩϯτνϟϯωϧͰ΍ΓͱΓΛ͢Δ (p.24) • Ϣʔβʔ͕αʔόʔͱ΍ΓͱΓΛͨ͋͠ͱɺAuthorization Server ͸"interaction handle"ͱͦͷϋογϡΛੜ੒(p.27-29)͠ɺͦΕΛ ΫϥΠΞϯτʹฦ͢

    • ΫϥΠΞϯτ͸"transaction handle"ͱ"interaction handle"Λར༻ ͯ͠τϥϯβΫγϣϯΛ࠶։(p.32) • handle͸աڈͷ஋΁ͷࢀর
  37. XYZҎ֎ͷఏҊ: Rich and Pushed Authorization Requests • https:/ /datatracker.ietf.org/doc/draft-lodderstedt-oauth-rar/ •

    https:/ /datatracker.ietf.org/doc/draft-lodderstedt-oauth-par/
  38. Rich Authorization Requests ۚ༥ܥ΍੓෎ܥͳͲͷڧ͍ηΩϡϦςΟ͕ٻΊΒΕΔྖҬͰOAuth Λ࢖͏͜ͱΛҙਤͯ͠ఏҊ͞ΕͨOAuth 2.0ͷ֦ுɻ ڧ͍ηΩϡϦςΟΛٻΊΒΕΔϢʔεέʔεͰ͸ݖݶ͕΋ͷ͘͢͝ ࡉཻ͔͍౓Ͱઃఆ͞Ε͍ͯΔ͕ɺݱঢ়ͷOAuthͷscopeͰ͸͜ΕΛ ఻͖͑Εͳ͍͠ɺݱঢ়ͷOAuthͰ͸αʔόʔݻ༗ͷΞΫηετʔΫ ϯΛ෷͍ग़͢ͳͲͷࡉ੍͔͍ޚ͕Ͱ͖ͳ͍ɻ

  39. Rich Authorization Requests ੈͷதʹଘࡏ͢Δղ๏ͱͯ͠͸ • scope_detailsύϥϝʔλ֦ு (PolishAPI) • ผͷϦιʔεΛ࢖ͬͯڐ୚಺༰Λදݱ (UK

    OB, NextGenPSD2, yes.com) ͕͋Δ͕͜ΕΛҰൠԽ͍ͨ͠ɻ
  40. Pushed Authorization Requests Authorization Requestͷ৘ใΛࣄલʹAuthorization Serverʹpush͢ Δ͜ͱͰઐ༻ͷAuthorization Request URIΛಘΔ࢓૊Έɻ ΫϥΠΞϯτೝূʹඞཁͳ৘ใΛࣄલʹpushͰ͖ΔΑ͏ʹͳΔ͜

    ͱͰΑΓڧྗͳೝূ͕Մೳɻ POSTϦΫΤετͰࣄલʹURLΛಘΔ࢓૊ΈͰ͋Δͷ΋ॏཁ(body͸ HTTPSͰอޢ͞ΕΔ)ɻ
  41. Other WG Business • Security BCPͷupdate • ϒϥ΢βϕʔεΞϓϦͷͨΊͷOAuth 2.0ͷΨΠυ •

    DPoP(Demonstration of Proof-of-Possession at the Application Layer) • εϥΠυ๯಄ʹSender-Constrained Access TokenͷͨΊͷPoP ͷྺ࢙Λ·ͱΊ͍ͯΔ
  42. Sender-Constrained Access Token ͦͷ໊ͷ௨Γɺૹ৴ऀ͔͠஌Γಘͳ͍৘ใΛ࢖ͬͯɺΞΫηε τʔΫϯͷೳྗΛಛఆͷૹ৴ऀʹͷΈؔ࿈෇͚Δํ๏(<-> Bearer τʔΫϯ: τʔΫϯΛॴ͍࣋ͯ͠ΔਓʹΞΫηεݖΛ෇༩͢Δ)ɻ Token Binding

    (draft-ietf-oauth-token-binding-08) ΍ Mutual TLS Client Authentication (draft-ietf-oauth-mtls-17) ͳͲͷํ๏͕ఏҊ͞ Ε͍ͯΔ͕ͲͪΒ΋work in progressɻ
  43. None
  44. એ఻: ٕज़ॻయ8 1೔໨(2/29) ೔ຊޠ࠷଎XYZղઆຊɺ ग़·͢ https:/ /cryptic-command.net/