Upgrade to Pro — share decks privately, control downloads, hide ads and more …

OAuth, Transactional Authorization @ IETF106

404139d782ec666acea93dffc86e089f?s=47 sylph01
January 09, 2020
Technology
1
230

OAuth, Transactional Authorization @ IETF106

presented at https://isocjp.doorkeeper.jp/events/101939

----

Revision 2:
* removed image taken from XYZ slide
* fixed page 15: URLs are also encrypted under HTTPS

404139d782ec666acea93dffc86e089f?s=128

sylph01

January 09, 2020
Tweet

More Decks by sylph01

See All by sylph01
404139d782ec666acea93dffc86e089f?s=48 sylph01
0
170
404139d782ec666acea93dffc86e089f?s=48 sylph01
0
350
404139d782ec666acea93dffc86e089f?s=48 sylph01
1
1.6k
404139d782ec666acea93dffc86e089f?s=48 sylph01
1
39
404139d782ec666acea93dffc86e089f?s=48 sylph01
0
300
404139d782ec666acea93dffc86e089f?s=48 sylph01
0
40
404139d782ec666acea93dffc86e089f?s=48 sylph01
0
330
404139d782ec666acea93dffc86e089f?s=48 sylph01
0
200
404139d782ec666acea93dffc86e089f?s=48 sylph01
0
330

Other Decks in Technology

See All in Technology
4649f3418cb4e7b951ca28e65003c7ac?s=48 sumi
0
560
36bb9dcd778d2a9621d44e92425d0907?s=48 hhiroshell
8
480
9df0566fad9c9ca3bf669917848878fe?s=48 i35_267
0
190
4365312f9f662ab058e50d1459165e5f?s=48 y0hgi
1
400
79c9f45e8a3cd4bfa9d7292adb3a6dc0?s=48 kraj
0
2.8k
979f8815a9d4604d87f54b8394c503bd?s=48 bufferings
2
3.4k
966e29b84ae7dbde170f66b0bc75b7a6?s=48 ishiayaya
PRO
0
350
1062ced7020a42219b8f668e14963746?s=48 asaju7142501
0
360
71c9ebde850996d2533c5df4df2c93c6?s=48 opdavies
0
1.6k
405fe9ab689473f267e2cfbd95f78c75?s=48 kyonmm
1
2.3k
8284465a94bbdf1ea82cf1a67d55f447?s=48 kilometer
0
140
9e7a653ed313b3da4b263a772bfc5026?s=48 clustervr
0
210

Featured

See All Featured
6bb82b13cda86d3b821fa44100335ddf?s=48 thoeni
4
550
5f2da528927a2ec9ba4fec2069cbc958?s=48 kneath
294
39k
C9b18d9dff88a9dd2393364c2b3b21bd?s=48 colly
66
3k
3d4519fd34b76fb265fc0237f3792bd4?s=48 danielanewman
200
20k
9128d500301ae51524e887bb680f471d?s=48 caitiem20
308
17k
F68cb25ae3e5c2106997454b13b7737d?s=48 brad_frost
156
6.4k
96270e4c3e5e9806cf7245475c00b275?s=48 addyosmani
1348
190k
A60068bce2e73de3a37ca9d2dbe36092?s=48 bryan
100
11k
Af6a12710770ad9a7cfd08c97efd40d3?s=48 pedronauck
652
110k
465724d73fe3a92c0879fdfb43a3a6f3?s=48 philhawksworth
192
8.8k
5f83ef806155b403c3393160ce51f955?s=48 jlugia
216
16k
1f74b13f1e5c6c69cb5d7fbaabb1e2cb?s=48 sferik
609
54k

Transcript

  1. OAuth, Transactional Authorization, and other security related stuff Ryo Kajiwara

    @ lepidum IETF106 Report Session, ISOC-JP
  2. None

  3. Why OAuth Now?

  4. None

  5. ͍͍ͩͨ͜ͷهࣄͷԆ ௕ͷ࿩Λ͠·͢ https:/ /lepidum.co.jp/blog/ 2019-12-03/future-of-oauth/

  6. OAuth 2.0ɺਓྨʹ͸ૣ ͗ͨ͢ͷͰ͸ʁ ͱ͸ݴΘͳ͍͚ΕͲ֦ு/मਖ਼ଟ͗͢ ໰୊

  7. OAuth 2.0ͷ͓͞Β͍ OAuth 2.0(RFC 6749)ͷΞΫηετʔΫϯऔಘํ๏ʹ͸ • Authorization Code Grant •

    Implicit Grant • Resource Owner Password Credentials Grant • Client Credentials Grant ͕͋Δɻ(࣍ϖʔδҎ߱ܰ͘ղઆ)
  8. None
  9. None
  10. None
  11. None
  12. None
  13. None

  14. ௚ײతʹ͸ҧ͍͕Θ͔Γʹ͍͕͘ɺଞͷ΋ͷͱͷܾఆతͳҧ͍͸ ʮΫϥΠΞϯτࣗ਎͕ϦιʔεΦʔφʔͰ͋Δʯέʔεʹ࢖͏΋ ͷͰ͋ΓɺΫϥΠΞϯτೝূΛ͢Δ͜ͱͰAuthorization Server͸Ξ ΫηετʔΫϯΛฦ͍ͯ͠Δɻ

  15. Կ͕Ϛζ͍ͷ(1) • Implicit GrantͰ͸ϦμΠϨΫτURLதʹΞΫηετʔΫϯͦͷ΋ ͷΛؚΜͰฦ͍ͯ͠Δ͜ͱ͕໰୊ɻ • ϦΫΤετɾϨεϙϯεͷheader/body͸HTTPSͳΒ҉߸Խ͞ ΕΔ͕… • ྫ:

    ΦʔϓϯϦμΠϨΫλΛ౿·͞ΕΔͱͦ͜ͷΞΫηεϩά ʹΞΫηετʔΫϯ͕࢒ͬͯ… • ྫ: ϦϯΫΛ౿ΉͱϦϑΝϥܦ༝ͰτʔΫϯ͕࿙Εͯ…

  16. Կ͕Ϛζ͍ͷ(2) • Resource Owner Password Credentials Grant͸ը૾ͷ஫ऍͷ௨ Γɺதܧ͢ΔΫϥΠΞϯτ͕ϦιʔεΦʔφʔͷύεϫʔυΛ ஌Δ͜ͱ͕Ͱ͖ͯ͠·͏ɻ •

    ύεϫʔυͰ͍͍ͪͪೝূͨ͘͠ͳ͍͔ΒΞΫηετʔΫϯ Ͱݖݶ༩͑Δͷ͕OAuth͡Όͳ͔͚ͬͨͬ…ʁ • ͳͷͰɺ΋ͱ΋ͱ͔Βͯ͠Ҡߦ໨తΛҙਤ͞Ε͍ͯͨɻ͕ɺ ࠓͰ΋࢖༻͠ଓ͚͍ͯΔ࣮૷͕ଘࡏ͢Δ… • ࠷৽ͷSecurity BCPʹ͸MUST NOT useͱॻ͔Ε͍ͯΔɻ

  17. ฏͨ͘ݴ͏ͱ • RFC6749͚ͩಡΉͷͰෆे෼ʹͳͬͯ͠·ͬͨ • ؔ࿈υΩϡϝϯτ͕ࢁ΄Ͳ͋Δ • ͜ΕΛղܾ͠Α͏ͱ͍͏ಈ͖͕ग़͖ͯͨ

  18. None

  19. OAuth 2.1

  20. ͜Ε͸Կ ࠓճͷձ߹Ͱॳొ৔ͷఏҊͰɺʮOAuthؔ܎ͷυΩϡϝϯτͱͬͪ Β͔Γ͔͗ͩ͢Β1ͭυΩϡϝϯτಡΊ͹ؒҧ͍ͷͳ͍OAuth͕࣮ ૷Ͱ͖·ͬͤʯͱ͍͏υΩϡϝϯτΛ࡞Ζ͏ɺͱ͍͏΋ͷɻ ۩ମతʹ͸ɺRFC6749(OAuth 2.0ຊମ) + draft-ietf-oauth-security- topics-13(OAuth Security

    BCP) + RFC 8628(Device Flow)ͷ͍͍ͱ͜औ Γ("OAuth: the Good Parts")ͱͯ͠ఏҊ͞Εͨɻ

  21. OAuth 2.0Ͱ͸͜͏ͩͬͨ • Authorization Code Grant • Implicit Grant •

    Resource Owner Password Credentials Grant • Client Credentials Grant

  22. OAuth 2.1Ͱ͸͜͏ͳΔ • Authorization Code Grant • ͨͩ͠ɺPKCE(Proof Key for

    Code Exchange; RFC7636)ͷར༻͕ ඞਢɺΑͬͯݫີʹ͸AuthCode͔ͩΒͱ͍ͬͯ2.0ͱԼํޓ ׵ੑ͕͋ΔΘ͚Ͱ͸ͳ͍ • Implicit Grant • Resource Owner Password Credentials Grant • Client Credentials Grant • Device Grant

  23. PKCE URLͷҰ෦͔ΒImplicitͰ͸ΞΫηετʔΫϯ͕औΕΔͱઆ໌ͨ͠ ͕ɺAuthorization Code GrantͰ͸ΞΫηετʔΫϯʹҾ͖׵͑Մೳ ͳAuthorization Code͕URLதʹฦ͖ͬͯͯɺ߈ܸऀ͸͜ΕΛಘΔ͜ ͱ͕ՄೳɻεϚʔτϑΥϯͳͲͷΤϯυσόΠεʹਖ਼౰ͳΫϥΠΞ ϯτͱಉډ͢Δѱҙͷ͋ΔΞϓϦέʔγϣϯ͕͜ͷ஋Λར༻ͯ͠ ΞΫηετʔΫϯΛ৐ͬऔΔ͜ͱ͕Ͱ͖ͯ͠·͏ɻ

    Authorization Codeͷ৐ͬऔΓʹΑΔ߈ܸΛchallenge-responseʹ Αͬͯ๷͙ͷ͕PKCEͷ໾໨ɻ
  24. None

  25. ࠓޙͲ͏ͳΔͷʁ IETF 106Ͱ͸ࠓޙͲ͏΍ͬͯਐΊΔ΂͖͔Λٞ࿦͢ΔαΠυϛʔ ςΟϯάཱ͕ͬͨɻ େଟ਺ͷࢀՃऀ͸OAuthͦͷ΋ͷͷෳࡶੑͱRFC6749ͱ͍͏େຊͷ υΩϡϝϯτʹݱࡏ࢖͑ͳ͍߲໨͕͋Δͱ͍͏͜ͱʹݒ೦͸ࣔ͠ ͍͕ͯͨɺҰํͰ(࣍ʹઆ໌͢Δ)txauthͷworkͱOAuth WGͷwork ͱฒߦͯ͠ਐΊΔ͜ͱͷࠔ೉͞΁ͷݒ೦Λ͍ࣔͯͨ͠ɻ

  26. None

  27. txauth Transactional Authorization and Delegation

  28. ͦ΋ͦ΋ transactional ͱ͸ https:/ /datatracker.ietf.org/meeting/106/materials/slides-106-txauth- annabelle ʹ͋Δ໰୊ఏ͕ٞඇৗʹΘ͔Γ΍͍͢ɻʮΤϯυϢʔ βʔΛɺ͋Δϓϩηεͷ్தͰଞͷίϯςΩετʹ༠ಋ͠໭ͬͯ ͘Δʹ͸Ͳ͏ͨ͠ΒΑ͍͔ʁʯ (ྫ)

    εϚʔτεϐʔΧʔʹຊͷߪೖͷࢦࣔΛग़͕ͨ͠ɺԿΒ͔ͷཧ ༝Ͱߪೖ͕ࣦഊͨ͠ɻࠓ·ͰͷೝՄͷ࢓૊ΈͰ͸ߪೖͷݪҼʹ ͳ͍ͬͯΔ໰୊Λղܾͨ͠ΒʮຊͷߪೖͰ͋Δʯͱ͍͏໋ྩ͕๨ ΕΒΕͯ͠·͍ͬͯͨɻ

  29. ͦ΋ͦ΋ transactional ͱ͸ • γϣοϓͷαΠτͰߦ͏͜ͱ • ຊͷߪೖΛ͍ͨ͠ • ͔͠͠࢒ߴ͕଍Γͳ͍ •

    ܾࡁखஈͷαΠτͰߦ͏͜ͱ • ೝূɺ࢒ߴͷิॆ • γϣοϓͷαΠτʹ໭ͬͯߦ͏͜ͱ • τϥϯβΫγϣϯͷ࠶։ → ࢒ߴ͕͋ΔͷͰߪೖ

  30. ͦ΋ͦ΋ transactional ͱ͸ ࣗ෼ͷࡶͳղऍͱͯ͠͸ɺ ͋ΔߦҝΛߦ͏ೝՄΛಘΔखଓ͖ΛҰ࿈ͷτϥϯβΫγϣϯͱΈ ͳ͠ɺτϥϯβΫγϣϯʹೝՄʹඞཁͳഎܠ৘ใʢΞΫηετʔ ΫϯɺΞΫηετʔΫϯΛಘΔͨΊͷଐੑ৘ใɺ·ͨϦιʔε ΦʔφʔͷೝূͷͨΊͷূ໌ʣΛؔ࿈෇͚͍ͯ͘͜ͱ ͱ͍͏ղऍɻ

  31. XYZ

  32. XYZͱ͸ Transactional AuthorizationΛ࣮ݱ͢ΔϓϩτίϧͷԾͷ໊শɻఏҊ ऀ͸OAuth 3.0ͱ͍͏ݴ͍ํΛ͢Δ͜ͱ΋͋ΔɻIETFతʹ͸draft- richer-transactional-authz-04ɻ OAuth 2.0ͱͷޓ׵ੑΛແࢹ͠ɺ৽͘͠ೝՄػೳΛઃܭ͠௚ͨ͠Β Ͳ͏ͳΔ͔ʁͱ͍͏ߟ͑Ͱ࡞ΒΕͨϓϩτίϧɻ txauth

    BoF͸લճOAuth WG಺Ͱߦͬͨ͜ͷఏҊΛ΋ͱʹɺ৽͘͠ WGΛܗ੒͢ΔͨΊʹ։͔Εͨɻ

  33. ղܾ͍ͨ͠ओཁͳ໰୊ • ϑϩϯτνϟϯωϧͷอޢ • ϒϥ΢βͱαʔόʔͷؒͰ৘ใΛ౉͢ํ๏ͷอޢͷͨΊʹͨ ͘͞Μͷ֦ு͕ੜ·Ε͍ͯΔ • dynamic registration •

    OAuth͸ΫϥΠΞϯτͷ੩తͳొ࿥Λҙਤͯ͠࡞ΒΕ͕ͨɺ ࣮ࡍ͸ಈతʹ௥Ճ͞ΕΔ͜ͱ͕ଟ͘ɺͦΕʹ൐͍redirect URI ͷݕূͳͲͰηΩϡϦςΟ໰୊͕ੜ͍ͯ͡Δ

  34. ղܾ͍ͨ͠ओཁͳ໰୊ • scope ͷఆٛ • ΞΫηε͍ͨ͠஋ʁ • Ͳ͏͍͏ػೳʁ(OIDCʹ͓͚Δ openid ͕ྫ)

    • ͲͷϦιʔεαʔόʔʁ • ... https:/ /datatracker.ietf.org/meeting/106/materials/slides-106-txauth- limitations-of-oauth-2

  35. ಛ௃(1) εϥΠυ https:/ /datatracker.ietf.org/meeting/106/materials/ slides-106-txauth-xyz Λ΋ͱʹઆ໌͢Δͱɺ • ΫϥΠΞϯτ͸ͲͷϦιʔε͕΄͍͔͠(p.10)ɺࣗ෼ࣗ਎ͷೝࣝ ํ๏(p.11-16; 伴ͷॴ༗ূ໌ํ๏·ͰؚΊ)ɺϢʔβʔͱͷΠϯλ

    ϥΫγϣϯ(p.17-19)Λࢦఆ͠τϥϯβΫγϣϯΛ։࢝ • ͜ΕͰ৘ใ͕଍Γͳ͚Ε͹αʔόʔ͕࣍ʹ͜ͷ৘ใ͕΄͍͠ɺ ͱ͍͏͜ͱͰΠϯλϥΫγϣϯURLΛࢦఆ͢Δ(p.23)

  36. ಛ௃(2) • ͜͜ͰॳΊͯϢʔβʔ͕ϑϩϯτνϟϯωϧͰ΍ΓͱΓΛ͢Δ (p.24) • Ϣʔβʔ͕αʔόʔͱ΍ΓͱΓΛͨ͋͠ͱɺAuthorization Server ͸"interaction handle"ͱͦͷϋογϡΛੜ੒(p.27-29)͠ɺͦΕΛ ΫϥΠΞϯτʹฦ͢

    • ΫϥΠΞϯτ͸"transaction handle"ͱ"interaction handle"Λར༻ ͯ͠τϥϯβΫγϣϯΛ࠶։(p.32) • handle͸աڈͷ஋΁ͷࢀর

  37. XYZҎ֎ͷఏҊ: Rich and Pushed Authorization Requests • https:/ /datatracker.ietf.org/doc/draft-lodderstedt-oauth-rar/ •

    https:/ /datatracker.ietf.org/doc/draft-lodderstedt-oauth-par/

  38. Rich Authorization Requests ۚ༥ܥ΍੓෎ܥͳͲͷڧ͍ηΩϡϦςΟ͕ٻΊΒΕΔྖҬͰOAuth Λ࢖͏͜ͱΛҙਤͯ͠ఏҊ͞ΕͨOAuth 2.0ͷ֦ுɻ ڧ͍ηΩϡϦςΟΛٻΊΒΕΔϢʔεέʔεͰ͸ݖݶ͕΋ͷ͘͢͝ ࡉཻ͔͍౓Ͱઃఆ͞Ε͍ͯΔ͕ɺݱঢ়ͷOAuthͷscopeͰ͸͜ΕΛ ఻͖͑Εͳ͍͠ɺݱঢ়ͷOAuthͰ͸αʔόʔݻ༗ͷΞΫηετʔΫ ϯΛ෷͍ग़͢ͳͲͷࡉ੍͔͍ޚ͕Ͱ͖ͳ͍ɻ

  39. Rich Authorization Requests ੈͷதʹଘࡏ͢Δղ๏ͱͯ͠͸ • scope_detailsύϥϝʔλ֦ு (PolishAPI) • ผͷϦιʔεΛ࢖ͬͯڐ୚಺༰Λදݱ (UK

    OB, NextGenPSD2, yes.com) ͕͋Δ͕͜ΕΛҰൠԽ͍ͨ͠ɻ

  40. Pushed Authorization Requests Authorization Requestͷ৘ใΛࣄલʹAuthorization Serverʹpush͢ Δ͜ͱͰઐ༻ͷAuthorization Request URIΛಘΔ࢓૊Έɻ ΫϥΠΞϯτೝূʹඞཁͳ৘ใΛࣄલʹpushͰ͖ΔΑ͏ʹͳΔ͜

    ͱͰΑΓڧྗͳೝূ͕Մೳɻ POSTϦΫΤετͰࣄલʹURLΛಘΔ࢓૊ΈͰ͋Δͷ΋ॏཁ(body͸ HTTPSͰอޢ͞ΕΔ)ɻ

  41. Other WG Business • Security BCPͷupdate • ϒϥ΢βϕʔεΞϓϦͷͨΊͷOAuth 2.0ͷΨΠυ •

    DPoP(Demonstration of Proof-of-Possession at the Application Layer) • εϥΠυ๯಄ʹSender-Constrained Access TokenͷͨΊͷPoP ͷྺ࢙Λ·ͱΊ͍ͯΔ

  42. Sender-Constrained Access Token ͦͷ໊ͷ௨Γɺૹ৴ऀ͔͠஌Γಘͳ͍৘ใΛ࢖ͬͯɺΞΫηε τʔΫϯͷೳྗΛಛఆͷૹ৴ऀʹͷΈؔ࿈෇͚Δํ๏(<-> Bearer τʔΫϯ: τʔΫϯΛॴ͍࣋ͯ͠ΔਓʹΞΫηεݖΛ෇༩͢Δ)ɻ Token Binding

    (draft-ietf-oauth-token-binding-08) ΍ Mutual TLS Client Authentication (draft-ietf-oauth-mtls-17) ͳͲͷํ๏͕ఏҊ͞ Ε͍ͯΔ͕ͲͪΒ΋work in progressɻ
  43. None

  44. એ఻: ٕज़ॻయ8 1೔໨(2/29) ೔ຊޠ࠷଎XYZղઆຊɺ ग़·͢ https:/ /cryptic-command.net/