
OAuth, Transactional Authorization @ IETF106

sylph01
January 09, 2020


presented at https://isocjp.doorkeeper.jp/events/101939

----

Revision 2:
* removed image taken from XYZ slide
* fixed page 15: URLs are also encrypted under HTTPS



Transcript

  1. OAuth, Transactional Authorization, and other security related stuff
    Ryo Kajiwara @ lepidum
    IETF106 Report Session, ISOC-JP

  2. Why OAuth Now?

  3. This talk is, roughly, an extended version of this article:
    https://lepidum.co.jp/blog/2019-12-03/future-of-oauth/

  4. Was OAuth 2.0 too early for humanity?
    I would not go that far, but it does have a "too many extensions and fixes" problem.

  5. OAuth 2.0 recap
    OAuth 2.0 (RFC 6749) defines the following ways of obtaining an access token:
    • Authorization Code Grant
    • Implicit Grant
    • Resource Owner Password Credentials Grant
    • Client Credentials Grant
    (briefly explained on the following pages)

  6. (Client Credentials Grant.) Intuitively the difference is hard to see, but what decisively sets it apart from the others is that it is meant for the case where the client itself is the resource owner: the Authorization Server returns an access token on the strength of client authentication alone.

  7. What's wrong? (1)
    • With the Implicit Grant the problem is that the access token itself is returned inside the redirect URL.
    • Request and response headers and bodies are encrypted under HTTPS (and so is the URL, in transit), but a token carried in the URL still ends up in places TLS does not cover…
    • Example: the user is bounced through an open redirector and the access token ends up in that site's access log…
    • Example: the user follows a link and the token leaks through the Referer header…

  8. What's wrong? (2)
    • With the Resource Owner Password Credentials Grant, as the annotation on the slide's diagram pointed out, the client in the middle gets to learn the resource owner's password.
    • Wasn't the whole point of OAuth to grant access with an access token precisely so that you do not have to authenticate with the password every time…?
    • So it was intended from the start as a migration aid. Yet there are still implementations that keep using it…
    • The latest Security BCP says MUST NOT use.

  9. Put simply
    • Reading only RFC 6749 is no longer enough
    • There is a mountain of related documents
    • A movement to fix this has emerged

  10. What is it? (OAuth 2.1)
    A proposal that made its first appearance at this meeting: because the OAuth documents are scattered all over the place, let's write a single document such that "read this one document and you can implement OAuth without getting it wrong".
    Concretely, it was proposed as the best parts of RFC 6749 (OAuth 2.0 core) + draft-ietf-oauth-security-topics-13 (OAuth Security BCP) + RFC 8628 (Device Flow), i.e. "OAuth: the Good Parts".

  11. In OAuth 2.0 it was like this
    • Authorization Code Grant
    • Implicit Grant
    • Resource Owner Password Credentials Grant
    • Client Credentials Grant

  12. In OAuth 2.1 it becomes this
    • Authorization Code Grant
      • but use of PKCE (Proof Key for Code Exchange; RFC 7636) becomes mandatory, so strictly speaking "it's still AuthCode" does not mean it is backward compatible with 2.0
    • Implicit Grant (dropped in 2.1)
    • Resource Owner Password Credentials Grant (dropped in 2.1)
    • Client Credentials Grant
    • Device Grant

  13. PKCE
    I explained that with Implicit the access token can be read out of part of the URL; with the Authorization Code Grant what comes back in the URL is an Authorization Code that can be exchanged for an access token, and an attacker can obtain that code just as well. A malicious application living alongside the legitimate client on an end device such as a smartphone can use this value to hijack the access token.
    PKCE's job is to stop attacks based on stealing the Authorization Code by means of a challenge-response: the client sends only a hash (code_challenge, S256) in the front-channel request and reveals the matching code_verifier only in the back-channel token request, so whoever captured the code still cannot redeem it.
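    The exchange described above, as an added example that is not part of the original slides or of any project's code: the client derives a verifier/challenge pair, the authorization server stores the challenge with the code it issues, and a stolen code is useless without the verifier. The `AuthorizationServer` class is an in-memory model written for this illustration; real endpoints, redirect handling and client authentication are left out.

```python
import base64
import hashlib
import secrets


def b64url(raw: bytes) -> str:
    """Base64url without padding, the encoding RFC 7636 prescribes."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    # 32 random bytes give 43 characters, the minimum verifier length in RFC 7636.
    return b64url(secrets.token_bytes(32))


def make_code_challenge(verifier: str) -> str:
    # S256: BASE64URL(SHA256(ASCII(code_verifier))). Only this value travels
    # through the browser; the verifier itself never leaves the client.
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    """In-memory model (not a real AS) of the code-issuing and token endpoints."""

    def __init__(self):
        self._codes = {}        # authorization code -> (client_id, code_challenge)
        self.tokens_issued = 0

    def authorize(self, client_id: str, code_challenge: str, method: str = "S256") -> str:
        if method != "S256":
            # "plain" sends the verifier itself through the front channel, so it
            # gives no protection against whoever can read the redirect URL.
            raise ValueError("only S256 is accepted")
        code = b64url(secrets.token_bytes(24))
        self._codes[code] = (client_id, code_challenge)
        return code  # this is the value that comes back in the redirect URL

    def token(self, client_id: str, code: str, code_verifier: str):
        # A code is consumed on first use, successful or not, so a stolen copy
        # cannot be tried repeatedly.
        entry = self._codes.pop(code, None)
        if entry is None:
            return None
        owner, challenge = entry
        if owner != client_id:
            return None
        if not secrets.compare_digest(make_code_challenge(code_verifier), challenge):
            return None
        self.tokens_issued += 1
        return "at-" + b64url(secrets.token_bytes(16))


def run_flows() -> dict:
    as_ = AuthorizationServer()
    # Flow 1: nobody interferes; the legitimate client redeems its own code.
    v1 = make_code_verifier()
    code1 = as_.authorize("legit-app", make_code_challenge(v1))
    honest = as_.token("legit-app", code1, v1)
    # Flow 2: a malicious app on the same device reads code2 out of the redirect
    # URL and races to the token endpoint, but it never saw v2.
    v2 = make_code_verifier()
    code2 = as_.authorize("legit-app", make_code_challenge(v2))
    stolen = as_.token("legit-app", code2, make_code_verifier())
    return {"honest": honest is not None, "stolen": stolen is not None,
            "tokens_issued": as_.tokens_issued}


if __name__ == "__main__":
    print(run_flows())
```

    `make_code_challenge` reproduces the S256 test vector from RFC 7636 Appendix B, which is a quick way to check an implementation against the spec before wiring it into a real client.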

  14. What happens next?
    At IETF 106 a side meeting was held to discuss how this should proceed.
    Most participants expressed concern about the complexity of OAuth itself and about the fact that the foundational document, RFC 6749, now contains items that can no longer be used; at the same time they expressed concern about how hard it would be to run this in parallel with the txauth work (explained next) and the OAuth WG's existing work.

  15. txauth
    Transactional Authorization and Delegation

  16. What does "transactional" mean in the first place?
    The problem statement in https://datatracker.ietf.org/meeting/106/materials/slides-106-txauth-annabelle is very easy to follow: "How do you send an end user off to another context in the middle of some process and have them come back?"
    (Example) You tell a smart speaker to buy a book, but for some reason the purchase fails. With the authorization mechanisms we have had so far, by the time the problem that caused the failure has been resolved, the instruction "this is a book purchase" has been forgotten.

  17. What does "transactional" mean in the first place?
    • What happens on the shop's site
      • You want to buy a book
      • But the balance is insufficient
    • What happens on the payment provider's site
      • Authentication, topping up the balance
    • Back on the shop's site
      • The transaction resumes → there is now enough balance, so the purchase goes through

  18. What does "transactional" mean in the first place?
    My rough interpretation: treat the procedure for obtaining authorization to perform some action as one transaction, and attach to that transaction the context the authorization needs (the access token, the attributes needed to obtain the access token, and the proof used to authenticate the resource owner).

  19. What is XYZ?
    The working name of a protocol that realises Transactional Authorization. Its proposer sometimes calls it OAuth 3.0. In IETF terms it is draft-richer-transactional-authz-04.
    A protocol built on the idea: what if we ignored compatibility with OAuth 2.0 and designed the authorization function from scratch?
    The txauth BoF was held to form a new WG based on this proposal, which had previously been presented inside the OAuth WG.

  20. Main problems it wants to solve
    • Protecting the front channel
      • A great many extensions have sprung up just to protect the way information is passed between browser and server
    • Dynamic registration
      • OAuth was designed with static client registration in mind, but in practice clients are often added dynamically, which brings security problems such as with redirect URI validation

  21. Main problems it wants to solve
    • The definition of scope
      • A value you want to access?
      • What kind of function? (openid in OIDC is an example)
      • Which resource server?
      • ...
    https://datatracker.ietf.org/meeting/106/materials/slides-106-txauth-limitations-of-oauth-2

  22. Characteristics (1)
    Explained using the slides at https://datatracker.ietf.org/meeting/106/materials/slides-106-txauth-xyz:
    • The client starts a transaction by specifying which resources it wants (p.10), how it identifies itself (p.11-16; including its key proof-of-possession method), and how it can interact with the user (p.17-19)
    • If that is not enough information, the server says what it needs next and specifies an interaction URL (p.23)

  23. Characteristics (2)
    • Only at this point does the user interact over the front channel (p.24)
    • After the user has interacted with the server, the Authorization Server generates an "interaction handle" and a hash over it (p.27-29) and returns them to the client
    • The client resumes the transaction using the "transaction handle" and the "interaction handle" (p.32)
    • A handle is a reference to an earlier value
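    The two slides above describe a protocol exchange, so here is the whole thing as an added example (my own model, not code from the talk or from the XYZ implementation): start the transaction, get sent to an interaction URL, receive the interact handle and hash on the callback, verify the hash, then continue with both handles. Field names such as `interaction_url`, `server_nonce`, `handle`, `interact_handle` and the hash construction (client nonce, server nonce and interact handle joined by newlines, SHA3-512, base64url) follow my reading of draft-richer-transactional-authz-04 and should be treated as assumptions; key proofing and the real HTTP layer are left out.

```python
import base64
import hashlib
import secrets


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def interaction_hash(client_nonce: str, server_nonce: str, interact_handle: str) -> str:
    # Assumed construction (my reading of the draft): the client's nonce, the
    # server's nonce and the interact handle joined by newlines, SHA3-512, base64url.
    data = "\n".join([client_nonce, server_nonce, interact_handle]).encode("utf-8")
    return b64url(hashlib.sha3_512(data).digest())


class XyzServer:
    """In-memory authorization server speaking a reduced, XYZ-like transaction API."""

    def __init__(self):
        self.transactions = {}  # transaction handle -> state

    def transaction(self, body: dict) -> dict:
        """POST /transaction: a body carrying a handle continues, anything else starts."""
        return self._continue(body) if "handle" in body else self._start(body)

    def _start(self, body: dict) -> dict:
        tx_handle = b64url(secrets.token_bytes(16))
        server_nonce = b64url(secrets.token_bytes(16))
        self.transactions[tx_handle] = {
            "resources": body["resources"],
            "proof": body["keys"]["proof"],
            "client_nonce": body["interact"]["callback"]["nonce"],
            "callback": body["interact"]["callback"]["uri"],
            "server_nonce": server_nonce,
            "interact_handle": None,   # set once the user has interacted
            "consumed": False,
        }
        # Not enough to decide yet: tell the client where to send the user.
        return {"interaction_url": "https://as.example/interact/" + tx_handle,
                "server_nonce": server_nonce,
                "handle": {"value": tx_handle, "type": "bearer"}}

    def user_approves(self, tx_handle: str) -> dict:
        """Front channel: the user visits the interaction URL and consents.
        Returns what the redirect back to the client's callback carries."""
        state = self.transactions[tx_handle]
        state["interact_handle"] = b64url(secrets.token_bytes(16))
        return {"callback": state["callback"],
                "interact": state["interact_handle"],
                "hash": interaction_hash(state["client_nonce"], state["server_nonce"],
                                         state["interact_handle"])}

    def _continue(self, body: dict) -> dict:
        state = self.transactions.get(body["handle"])
        if state is None or state["interact_handle"] is None:
            return {"error": "unknown_or_pending"}
        presented = str(body.get("interact_handle", "")).encode("utf-8")
        # The interact handle is single use: a replayed callback cannot continue.
        if state["consumed"] or not secrets.compare_digest(state["interact_handle"].encode("utf-8"), presented):
            return {"error": "interaction_mismatch"}
        state["consumed"] = True
        return {"access_token": {"value": b64url(secrets.token_bytes(24)), "type": "bearer"},
                "handle": {"value": body["handle"], "type": "bearer"}}


def run_transaction() -> dict:
    server = XyzServer()
    client_nonce = b64url(secrets.token_bytes(16))
    start = server.transaction({
        "resources": [{"actions": ["read"], "locations": ["https://api.example/books"]}],
        "keys": {"proof": "httpsig"},
        "interact": {"redirect": True,
                     "callback": {"uri": "https://client.example/cb", "nonce": client_nonce}},
    })
    tx_handle = start["handle"]["value"]
    # Continuing before the user has interacted is refused.
    early = server.transaction({"handle": tx_handle})
    redirect = server.user_approves(tx_handle)
    # The client checks the hash before trusting what arrived over the front channel:
    # it binds the callback to the nonces of this particular transaction.
    expected = interaction_hash(client_nonce, start["server_nonce"], redirect["interact"])
    if not secrets.compare_digest(expected, redirect["hash"]):
        raise RuntimeError("callback does not belong to this transaction")
    final = server.transaction({"handle": tx_handle, "interact_handle": redirect["interact"]})
    replay = server.transaction({"handle": tx_handle, "interact_handle": redirect["interact"]})
    return {"early": early.get("error"), "token": "access_token" in final,
            "replay": replay.get("error")}


if __name__ == "__main__":
    print(run_transaction())
```

    The point the slides make about handles shows up in `_continue`: the client never resends its resources, keys or callback, it refers to them through the transaction handle, and the front-channel result is only accepted once.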

  24. Proposals other than XYZ: Rich and Pushed Authorization Requests
    • https://datatracker.ietf.org/doc/draft-lodderstedt-oauth-rar/
    • https://datatracker.ietf.org/doc/draft-lodderstedt-oauth-par/

  25. Rich Authorization Requests
    An OAuth 2.0 extension proposed with OAuth use in domains that demand strong security, such as finance and government, in mind.
    In those use cases permissions are configured at an extremely fine granularity, which today's OAuth scope cannot express, and today's OAuth offers no fine-grained control such as issuing access tokens specific to a particular server.

  26. Rich Authorization Requests
    Solutions that already exist in the wild:
    • a scope_details parameter extension (PolishAPI)
    • expressing the consent content through a separate resource (UK OB, NextGenPSD2, yes.com)
    RAR wants to generalise these.
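    The two RAR slides say what scope cannot express; as an added example (not the draft's code or any bank's), this is the shape of the `authorization_details` parameter and the two checks that make it useful: the AS validating the structure and refusing types it does not understand, and the RS matching a concrete operation against the granted entries. The `type`, `actions` and `locations` fields are the draft's common fields; the payment fields mirror the draft's illustrative payment example, and the sample JSON is constructed for this illustration.

```python
import json

# Constructed sample of an authorization_details value (the RAR request parameter).
# "type", "actions" and "locations" are the draft's common fields; the payment
# fields mirror the draft's illustrative payment example and are not normative.
SAMPLE_REQUEST = json.dumps([
    {
        "type": "account_information",
        "actions": ["list_accounts", "read_balances"],
        "locations": ["https://bank.example/accounts"],
    },
    {
        "type": "payment_initiation",
        "actions": ["initiate", "status"],
        "locations": ["https://bank.example/payments"],
        "instructedAmount": {"currency": "EUR", "amount": "123.50"},
        "creditorAccount": {"iban": "DE02100100109307118603"},
    },
])

# Types this authorization server has been configured to understand.
KNOWN_TYPES = {"account_information", "payment_initiation"}


def parse_authorization_details(raw: str, known_types=KNOWN_TYPES) -> list:
    """AS side: validate the structure and refuse anything it cannot interpret."""
    try:
        details = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise ValueError(f"authorization_details is not JSON: {exc}") from None
    if not isinstance(details, list) or not details:
        raise ValueError("authorization_details must be a non-empty JSON array")
    for entry in details:
        if not isinstance(entry, dict) or not isinstance(entry.get("type"), str):
            raise ValueError("each entry must be an object with a string 'type'")
        if entry["type"] not in known_types:
            # Unknown types must be refused, not silently granted.
            raise ValueError(f"unknown authorization details type {entry['type']!r}")
        for key in ("actions", "locations"):
            value = entry.get(key, [])
            if not (isinstance(value, list) and all(isinstance(v, str) for v in value)):
                raise ValueError(f"{key} must be an array of strings")
    return details


def is_rejected(raw: str) -> bool:
    try:
        parse_authorization_details(raw)
    except ValueError:
        return True
    return False


def permits(details: list, type_: str, action: str, location: str, **attrs) -> bool:
    """RS side: is this concrete operation covered by one of the granted entries?"""
    for entry in details:
        if entry["type"] != type_:
            continue
        if action not in entry.get("actions", []) or location not in entry.get("locations", []):
            continue
        # Every type-specific attribute the operation depends on must match exactly;
        # this is the part a flat scope string cannot express.
        if all(entry.get(name) == value for name, value in attrs.items()):
            return True
    return False


def demo() -> tuple:
    details = parse_authorization_details(SAMPLE_REQUEST)
    payment = dict(instructedAmount={"currency": "EUR", "amount": "123.50"},
                   creditorAccount={"iban": "DE02100100109307118603"})
    ok = permits(details, "payment_initiation", "initiate", "https://bank.example/payments", **payment)
    other_amount = permits(details, "payment_initiation", "initiate", "https://bank.example/payments",
                           **{**payment, "instructedAmount": {"currency": "EUR", "amount": "9999.00"}})
    other_action = permits(details, "account_information", "transfer", "https://bank.example/accounts")
    other_host = permits(details, "payment_initiation", "initiate", "https://other.example/payments", **payment)
    return ok, other_amount, other_action, other_host


if __name__ == "__main__":
    print(demo())
```

    A scope of `payments` would have said yes to all four calls in `demo`; the structured grant says yes only to the exact payment the user consented to.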

  27. Pushed Authorization Requests
    A mechanism in which the client pushes the contents of the Authorization Request to the Authorization Server in advance and receives a dedicated Authorization Request URI in return.
    Because the information needed for client authentication can be pushed in advance, stronger client authentication becomes possible.
    It also matters that the URI is obtained up front through a POST request: the request parameters travel in the body over the authenticated back channel rather than in a browser-visible URL (HTTPS encrypts the URL in transit too, but a URL is still exposed to browser history, Referer headers and server logs, and is length-limited).
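    Added example, not the draft's code or any vendor's: an in-memory model of the two endpoints involved in PAR. The PAR endpoint authenticates the client and validates the request (including an exact redirect URI match) before any browser is involved; the authorization endpoint then accepts only the opaque `urn:ietf:params:oauth:request_uri:` references it minted itself, once, for the same client, before expiry. Client authentication is modelled with a client secret for brevity; `PushedAuthorizationServer` and its method names are mine.

```python
import secrets
import time


class PushedAuthorizationServer:
    """In-memory model of an AS with a PAR endpoint (not a real server)."""

    REQUEST_URI_PREFIX = "urn:ietf:params:oauth:request_uri:"

    def __init__(self, clients: dict, lifetime: int = 60, clock=time.time):
        self._clients = clients      # client_id -> (client_secret, registered redirect URIs)
        self._lifetime = lifetime
        self._clock = clock
        self._pushed = {}            # request_uri -> (client_id, params, expires_at)

    def par_endpoint(self, client_id: str, client_secret: str, params: dict) -> dict:
        """POST /as/par over the back channel: authenticate, validate, store."""
        secret, redirect_uris = self._clients.get(client_id, (None, ()))
        if secret is None or not secrets.compare_digest(secret, client_secret):
            return {"error": "invalid_client"}
        if "request_uri" in params:
            return {"error": "invalid_request"}   # a pushed request cannot itself be by reference
        if params.get("redirect_uri") not in redirect_uris:
            return {"error": "invalid_request"}   # exact match against registration, server side
        if params.get("response_type") != "code" or not params.get("code_challenge"):
            return {"error": "invalid_request"}
        request_uri = self.REQUEST_URI_PREFIX + secrets.token_urlsafe(32)
        self._pushed[request_uri] = (client_id, dict(params), self._clock() + self._lifetime)
        return {"request_uri": request_uri, "expires_in": self._lifetime}

    def authorize_endpoint(self, client_id: str, request_uri: str) -> dict:
        """GET /authorize?client_id=..&request_uri=.. arriving from the browser."""
        if not request_uri.startswith(self.REQUEST_URI_PREFIX):
            return {"error": "invalid_request_uri"}   # never fetch a URL the client chose
        entry = self._pushed.pop(request_uri, None)   # single use
        if entry is None:
            return {"error": "invalid_request_uri"}
        owner, params, expires_at = entry
        if owner != client_id or self._clock() > expires_at:
            return {"error": "invalid_request_uri"}
        return {"ok": True, "params": params}


def demo() -> dict:
    now = [1_000_000.0]
    as_ = PushedAuthorizationServer({"app": ("s3cret", ("https://app.example/cb",))},
                                    lifetime=60, clock=lambda: now[0])
    good = {"response_type": "code", "redirect_uri": "https://app.example/cb", "scope": "read",
            "code_challenge": "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM",
            "code_challenge_method": "S256"}
    pushed = as_.par_endpoint("app", "s3cret", good)
    out = {
        "wrong_secret": as_.par_endpoint("app", "guess!", good).get("error"),
        "bad_redirect": as_.par_endpoint("app", "s3cret",
                                         {**good, "redirect_uri": "https://evil.example/cb"}).get("error"),
        "first_use": as_.authorize_endpoint("app", pushed["request_uri"]).get("ok"),
        "replay": as_.authorize_endpoint("app", pushed["request_uri"]).get("error"),
        "foreign_uri": as_.authorize_endpoint("app", "https://evil.example/req.jwt").get("error"),
    }
    late = as_.par_endpoint("app", "s3cret", good)
    now[0] += 61   # the browser only shows up after the reference has expired
    out["expired"] = as_.authorize_endpoint("app", late["request_uri"]).get("error")
    return out


if __name__ == "__main__":
    print(demo())
```

    The browser-visible URL in this flow carries nothing but `client_id` and an opaque, short-lived, single-use reference, which is why PAR also takes the redirect URI validation problem from slide 20 out of the front channel.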

  28. Other WG Business
    • Update of the Security BCP
    • OAuth 2.0 guidance for browser-based apps
    • DPoP (Demonstration of Proof-of-Possession at the Application Layer)
      • The opening of the slides summarises the history of PoP for Sender-Constrained Access Tokens

  29. Sender-Constrained Access Token
    As the name says, a way to tie the capability of an access token to a specific sender, using information only that sender can know (as opposed to a Bearer token, which grants access to whoever holds it).
    Methods such as Token Binding (draft-ietf-oauth-token-binding-08) and Mutual TLS Client Authentication (draft-ietf-oauth-mtls-17) have been proposed, but both are still work in progress.
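    To make the bearer-versus-sender-constrained distinction concrete, here is an added example (my own, not from the talk or from any of the drafts it names). It models a resource server that accepts both kinds of token and shows what a thief can do with a captured token string in each case. The sender constraint is modelled with a symmetric confirmation key referenced through a `cnf.kid` claim (the RFC 7800 style) because the Python standard library has no asymmetric signatures; DPoP uses a client key pair and a signed JWS proof, and mTLS binds the token to the client certificate, but the checks a resource server performs (proof present, proof bound to this request and token, not stale, not replayed) are the same in shape. How the RS obtains the key and the token claims is assumed to be handled out of band by the AS.

```python
import hashlib
import hmac
import secrets
import time


def make_proof(key: bytes, method: str, uri: str, ts: int, nonce: str, token: str) -> dict:
    # The MAC covers method, target, time, nonce and the token itself, so a
    # captured proof cannot be moved to another request or another token.
    msg = "\n".join([method, uri, str(ts), nonce, token]).encode("utf-8")
    return {"ts": ts, "nonce": nonce, "mac": hmac.new(key, msg, hashlib.sha256).hexdigest()}


def client_proof(key: bytes, method: str, uri: str, token: str, clock=time.time) -> dict:
    return make_proof(key, method, uri, int(clock()), secrets.token_hex(8), token)


class ResourceServer:
    """Checks bearer tokens and tokens confirmed with a symmetric key (cnf.kid)."""

    def __init__(self, clock=time.time, max_skew: int = 60):
        self.tokens = {}    # token value -> claims, as the RS would learn them from the AS
        self.keys = {}      # kid -> confirmation key (assumption: provisioned by the AS)
        self.seen = set()   # (kid, nonce) already accepted, for replay detection
        self.clock = clock
        self.max_skew = max_skew

    def verify(self, token: str, method: str, uri: str, proof: dict = None) -> str:
        claims = self.tokens.get(token)
        if claims is None:
            return "invalid_token"
        cnf = claims.get("cnf")
        if cnf is None:
            return "ok"                        # bearer: possession of the string is enough
        if proof is None:
            return "proof_required"
        key = self.keys.get(cnf.get("kid"))
        if key is None:
            return "unknown_key"
        if abs(self.clock() - proof["ts"]) > self.max_skew:
            return "stale_proof"
        if (cnf["kid"], proof["nonce"]) in self.seen:
            return "replayed_proof"
        expected = make_proof(key, method, uri, proof["ts"], proof["nonce"], token)["mac"]
        if not hmac.compare_digest(expected, proof["mac"]):
            return "bad_proof"
        self.seen.add((cnf["kid"], proof["nonce"]))
        return "ok"


def demo() -> dict:
    now = [1_700_000_000]

    def clock():
        return now[0]

    rs = ResourceServer(clock=clock)
    key = secrets.token_bytes(32)
    rs.keys["k1"] = key
    rs.tokens["bearer-token"] = {"sub": "alice", "cnf": None}
    rs.tokens["bound-token"] = {"sub": "alice", "cnf": {"kid": "k1"}}
    uri = "https://api.example/books"
    out = {}
    # A thief who captured the token strings (log, Referer, proxy) uses them from elsewhere.
    out["bearer_stolen"] = rs.verify("bearer-token", "GET", uri)
    out["bound_stolen"] = rs.verify("bound-token", "GET", uri)
    # The legitimate client, holding the key, proves possession on each request.
    proof = client_proof(key, "GET", uri, "bound-token", clock)
    out["bound_legit"] = rs.verify("bound-token", "GET", uri, proof)
    out["bound_replay"] = rs.verify("bound-token", "GET", uri, proof)
    # A captured but unused proof cannot be re-targeted at a different request.
    moved = client_proof(key, "GET", uri, "bound-token", clock)
    out["bound_moved"] = rs.verify("bound-token", "DELETE", uri, moved)
    # And an old proof is refused once it falls outside the skew window.
    old = client_proof(key, "GET", uri, "bound-token", clock)
    now[0] += 120
    out["bound_stale"] = rs.verify("bound-token", "GET", uri, old)
    return out


if __name__ == "__main__":
    print(demo())
```

    The first two results in `demo` are the whole argument of the slide: the stolen bearer token is accepted, the stolen sender-constrained token is not, because the thief has the string but not the key.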

  30. Advertisement:
    Gijutsu Shoten 8 (技術書典8), day 1 (2/29): the first Japanese-language XYZ explainer book is coming out.
    https://cryptic-command.net/