
OAuth, Transactional Authorization @ IETF106

sylph01
January 09, 2020


presented at https://isocjp.doorkeeper.jp/events/101939

----

Revision 2:
* removed image taken from XYZ slide
* fixed page 15: URLs are also encrypted under HTTPS


Transcript

  1. OAuth 2.0 recap
     The ways to obtain an access token in OAuth 2.0 (RFC 6749) are:
     • Authorization Code Grant
     • Implicit Grant
     • Resource Owner Password Credentials Grant
     • Client Credentials Grant
     (Each is briefly explained on the following pages.)
  2. What is wrong with it (1)
     • With the Implicit Grant, the problem is that the access token itself is returned inside the redirect URL.
     • Under HTTPS the request/response headers and bodies (and the URL itself) are encrypted in transit, but the URL, and the token in it, still ends up wherever URLs are stored...
     • Example: if the user is bounced through an open redirector, the access token is left behind in that server's access log...
     • Example: following a link from the page leaks a token carried in the URL through the Referer header...
  3. What is wrong with it (2)
     • With the Resource Owner Password Credentials Grant, as the annotation on the figure points out, the client that relays the request gets to learn the resource owner's password.
     • Wasn't the whole point of OAuth to grant authority with an access token precisely because we did not want to authenticate with the password every time...?
     • So it was intended from the outset as a migration aid. Yet implementations that still use it exist today...
     • The latest Security BCP says it MUST NOT be used.
  4. In OAuth 2.0 it looked like this
     • Authorization Code Grant
     • Implicit Grant
     • Resource Owner Password Credentials Grant
     • Client Credentials Grant
  5. In OAuth 2.1 it becomes this
     • Authorization Code Grant
       • However, the use of PKCE (Proof Key for Code Exchange; RFC 7636) is mandatory, so strictly speaking it is not backward compatible with 2.0 just because it is still AuthCode.
     • Implicit Grant (dropped)
     • Resource Owner Password Credentials Grant (dropped)
     • Client Credentials Grant
     • Device Grant
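As an added example (not code from the slides), the PKCE binding that OAuth 2.1 makes mandatory, with a toy authorization server that refuses anything other than S256 and checks the verifier at the token endpoint. The AuthorizationServer class, the client_id and the redirect_uri are constructed for this example; the verifier/challenge derivation follows RFC 7636.

```python
import base64
import hashlib
import hmac
import secrets

# Added example, not from the slides: PKCE (RFC 7636) with the S256 method.
# AuthorizationServer, client_id and redirect_uri are constructed here.

def b64url(data: bytes) -> str:
    """base64url without padding (RFC 7636 Appendix A)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def make_code_verifier(n_bytes: int = 32) -> str:
    """32 random bytes encode to 43 unreserved characters, the RFC minimum length."""
    return b64url(secrets.token_bytes(n_bytes))

def make_code_challenge(verifier: str) -> str:
    """S256: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())

class AuthorizationServer:
    """Toy AS: the challenge sent to /authorize is bound to the issued code and
    checked against the verifier presented at /token."""
    def __init__(self):
        self._codes = {}

    def authorize(self, client_id, redirect_uri, code_challenge, code_challenge_method):
        # OAuth 2.1 behaviour: no "plain" method and no opting out of PKCE.
        if code_challenge_method != "S256" or not code_challenge:
            raise ValueError("PKCE with S256 is required")
        code = b64url(secrets.token_bytes(24))
        self._codes[code] = (client_id, redirect_uri, code_challenge)
        return code

    def token(self, client_id, redirect_uri, code, code_verifier):
        entry = self._codes.pop(code, None)                # codes are single-use
        if entry is None or not (43 <= len(code_verifier) <= 128):
            return {"error": "invalid_grant"}
        bound_client, bound_uri, challenge = entry
        if (bound_client, bound_uri) != (client_id, redirect_uri):
            return {"error": "invalid_grant"}
        # Constant-time comparison of the recomputed challenge with the stored one.
        if not hmac.compare_digest(make_code_challenge(code_verifier), challenge):
            return {"error": "invalid_grant"}
        return {"access_token": b64url(secrets.token_bytes(32)), "token_type": "bearer"}

def run_flow(intercepted: bool = False) -> dict:
    """Authorization-code flow with PKCE. With intercepted=True the code is
    redeemed by a party that observed the redirect but never had the verifier."""
    server = AuthorizationServer()
    client_id, redirect_uri = "public-client", "https://client.example/cb"   # constructed
    verifier = make_code_verifier()
    code = server.authorize(client_id, redirect_uri, make_code_challenge(verifier), "S256")
    presented = make_code_verifier() if intercepted else verifier
    return server.token(client_id, redirect_uri, code, presented)
```

The verifier never travels through the front channel, so a stolen authorization code alone (the interception case) buys nothing at the token endpoint.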
  6. What does "transactional" mean in the first place?
     The problem statement in https://datatracker.ietf.org/meeting/106/materials/slides-106-txauth-annabelle is very clear: "How do we send an end user off to another context in the middle of a process, and then bring them back?"
     (Example) You told a smart speaker to buy a book, but for some reason the purchase failed. With the authorization mechanisms we have had so far, by the time the problem blocking the purchase was resolved, the original instruction, "buy this book", had been forgotten.
  7. What does "transactional" mean in the first place?
     • What happens at the shop's site
       • The user wants to buy a book
       • But the balance is insufficient
     • What happens at the payment provider's site
       • Authentication, topping up the balance
     • What happens after returning to the shop's site
       • The transaction resumes → the balance is now sufficient, so the purchase goes through
  8. XYZ

  9. The main problems to solve
     • Protecting the front channel
       • A great many extensions have sprung up just to protect how information is passed between the browser and the server
     • Dynamic registration
       • OAuth was designed around static registration of clients, but in practice clients are frequently added dynamically, and with that come security problems in areas such as redirect URI validation
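An added example, not from the slides, of the redirect URI check that goes wrong in the way slide 9 describes: a registry (the hypothetical ClientRegistry) that validates redirect_uris when a client registers and then compares them with exact string matching at authorization time, shown beside the prefix match that a dynamically registered attacker URI slips past. The registered URIs are constructed; loopback http for native apps (RFC 8252) is deliberately not modelled.

```python
from urllib.parse import urlsplit

# Added example, not from the slides. ClientRegistry and its URIs are constructed.

class ClientRegistry:
    """Validates redirect_uris at (dynamic) registration and matches them
    exactly at authorization time, as the Security BCP requires."""
    def __init__(self):
        self._clients = {}

    def register(self, client_id: str, redirect_uris: list) -> list:
        """Store acceptable URIs verbatim; return the list of rejected ones."""
        accepted, rejected = set(), []
        for uri in redirect_uris:
            p = urlsplit(uri)
            # RFC 6749 3.1.2: absolute URI, no fragment. https-only is this example's choice.
            if p.scheme != "https" or not p.netloc or p.fragment:
                rejected.append(uri)
            else:
                accepted.add(uri)
        self._clients[client_id] = accepted
        return rejected

    def weak_match(self, client_id: str, redirect_uri: str) -> bool:
        """The flawed check: anything that starts with a registered URI passes."""
        return any(redirect_uri.startswith(r) for r in self._clients.get(client_id, ()))

    def exact_match(self, client_id: str, redirect_uri: str) -> bool:
        """The correct check: byte-for-byte equality with a registered URI."""
        return redirect_uri in self._clients.get(client_id, set())

def demo() -> dict:
    """Constructed registration plus a lookalike URI an attacker might present."""
    reg = ClientRegistry()
    rejected = reg.register("client-a", [
        "https://app.example.com/cb",
        "https://app.example.com/cb#frag",      # fragment: rejected at registration
        "http://app.example.com/cb",            # cleartext scheme: rejected
    ])
    lookalike = "https://app.example.com/cb.attacker.example/x"   # constructed
    return {
        "rejected": rejected,
        "weak_accepts_lookalike": reg.weak_match("client-a", lookalike),
        "exact_accepts_lookalike": reg.exact_match("client-a", lookalike),
        "exact_accepts_registered": reg.exact_match("client-a", "https://app.example.com/cb"),
        "exact_accepts_trailing_slash": reg.exact_match("client-a", "https://app.example.com/cb/"),
    }
```

Note that "https://app.example.com/cb.attacker.example/x" is a valid URI on the attacker's host in a misconfigured DNS-wildcard or path-confusion scenario only if the prefix check is in use; exact matching needs no such reasoning about hosts or paths.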
  10. The main problems to solve
     • The definition of scope
       • The values you want to access?
       • What kind of functionality? (openid in OIDC is one example)
       • Which resource server?
       • ...
     https://datatracker.ietf.org/meeting/106/materials/slides-106-txauth-limitations-of-oauth-2
  11. Characteristics (1)
     Explained on the basis of the slides at https://datatracker.ietf.org/meeting/106/materials/slides-106-txauth-xyz:
     • The client starts a transaction by specifying which resources it wants (p.10), how it identifies itself (p.11-16; including its key proof-of-possession method), and how it can interact with the user (p.17-19)
     • If that information is not sufficient, the server replies that it needs more, and specifies an interaction URL for that purpose (p.23)
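An added example, not from the slides or from the XYZ draft, that runs the book-purchase story of slide 7 through the request/response shape slide 11 describes: a hypothetical shop client starts a transaction stating resources, its key/proof method and an interaction callback; the server, lacking enough to authorize (the balance), hands back an interaction URL plus a transaction handle; after the user tops up, the shop verifies the return leg and continues the same transaction by handle, so the original intent is not lost. Field names, the callback hash construction and both classes are assumptions for this example, not the XYZ draft's normative wire format.

```python
import base64
import hashlib
import hmac
import secrets

# Added example modelled on slides 7 and 11. Field names, the callback hash
# and the two classes are assumptions, not the XYZ draft's wire format.

def new_token(n: int = 24) -> str:
    return base64.urlsafe_b64encode(secrets.token_bytes(n)).rstrip(b"=").decode()

def callback_hash(client_nonce: str, server_nonce: str, interact_handle: str) -> str:
    """Binds the return leg to both nonces so a forged callback is detectable (assumed)."""
    msg = "\n".join((client_nonce, server_nonce, interact_handle)).encode()
    return base64.urlsafe_b64encode(hashlib.sha512(msg).digest()).rstrip(b"=").decode()

class AuthorizationServer:
    """Assumed AS with one transaction endpoint: a request without a handle
    starts a transaction, a request with one continues it."""
    def __init__(self):
        self._tx = {}

    def transaction(self, req: dict) -> dict:
        if "handle" in req:
            return self._continue(req["handle"], req.get("interact_handle"))
        for field in ("resources", "keys", "interact"):   # what slide 11 says the client states
            if field not in req:
                return {"error": "invalid_request", "missing": field}
        handle, server_nonce = new_token(), new_token()
        self._tx[handle] = {"request": req, "server_nonce": server_nonce,
                            "done": False, "interact_handle": None}
        # Not enough to authorize yet (balance unknown): answer with an interaction URL.
        return {"handle": handle, "server_nonce": server_nonce,
                "interaction_url": f"https://as.example/interact/{handle}"}

    def user_interacts(self, handle: str, topped_up: bool) -> dict:
        """The resource owner visits interaction_url, authenticates and tops up."""
        tx = self._tx[handle]
        tx["done"] = topped_up
        tx["interact_handle"] = interact = new_token()
        cb = tx["request"]["interact"]["callback"]
        return {"uri": cb["uri"], "interact": interact,
                "hash": callback_hash(cb["nonce"], tx["server_nonce"], interact)}

    def _continue(self, handle, interact_handle):
        tx = self._tx.get(handle)
        if tx is None or tx["interact_handle"] != interact_handle:
            return {"error": "unknown_transaction"}
        if not tx["done"]:
            return {"error": "interaction_required"}
        return {"access_token": new_token(32), "resources": tx["request"]["resources"]}

class ShopClient:
    """Hypothetical shop; the pending purchase is kept keyed by transaction handle."""
    def __init__(self, server: AuthorizationServer):
        self.server = server
        self.pending = {}

    def start_purchase(self, isbn: str) -> dict:
        nonce = new_token()
        resp = self.server.transaction({
            "resources": [{"type": "payment", "actions": ["charge"],
                           "locations": ["https://pay.example/"]}],
            "keys": {"proof": "httpsig", "kid": "shop-key-1"},   # stands in for the key/PoP method
            "interact": {"redirect": True,
                         "callback": {"uri": "https://shop.example/return", "nonce": nonce}},
        })
        self.pending[resp["handle"]] = {"isbn": isbn, "nonce": nonce,
                                        "server_nonce": resp["server_nonce"]}
        return resp

    def on_callback(self, handle: str, interact: str, hash_: str) -> dict:
        state = self.pending.get(handle)
        if state is None:
            return {"error": "unknown_handle"}
        expected = callback_hash(state["nonce"], state["server_nonce"], interact)
        if not hmac.compare_digest(expected, hash_):
            return {"error": "callback_hash_mismatch"}
        result = self.server.transaction({"handle": handle, "interact_handle": interact})
        if "access_token" not in result:
            return result
        return {"purchased": self.pending.pop(handle)["isbn"]}   # resume the original intent

def run_purchase(topped_up: bool = True, forge_hash: bool = False) -> dict:
    """Happy path, the user not topping up, and a forged return leg."""
    server = AuthorizationServer()
    shop = ShopClient(server)
    resp = shop.start_purchase("978-0-00-000000-0")             # constructed ISBN
    cb = server.user_interacts(resp["handle"], topped_up)
    return shop.on_callback(resp["handle"], cb["interact"], "A" * 86 if forge_hash else cb["hash"])
```

The point the slide makes is visible in the state the shop keeps: the purchase is tied to the transaction handle, not to a browser session, so whatever happened at the payment provider, continuing the transaction by handle lands back on "buy this book".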
  12. Other WG business
     • Update of the Security BCP
     • OAuth 2.0 guidance for browser-based apps
     • DPoP (Demonstration of Proof-of-Possession at the Application Layer)
       • The beginning of the slides summarizes the history of PoP for sender-constrained access tokens