Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
IETF 107 Report Session: OAuth/TxAuth
Search
sylph01
April 22, 2020
Technology
0
100
IETF 107 Report Session: OAuth/TxAuth
sylph01
April 22, 2020
Tweet
Share
More Decks by sylph01
See All by sylph01
The Definitive? Guide To Locally Organizing RubyKaigi
sylph01
6
1.5k
End-to-End Encryption Saves Lives. You Can Start Saving Lives With Ruby, Too
sylph01
1
100
End-to-End Encryption Saves Lives. You Can Start Saving Lives With Ruby, Too (JP subtitles)
sylph01
2
470
Introduction to C Extensions
sylph01
3
200
"Actual" Security in Microcontroller Ruby!?
sylph01
0
140
Everyone Now Understands AuthZ/AuthN and Encryption Perfectly and I'm Gonna Lose My Job
sylph01
1
63
Updates on PicoRuby Networking, HPKE (and maybe more)
sylph01
1
300
Adding Security to Microcontroller Ruby
sylph01
3
3.6k
Secure Messaging at IETF 118
sylph01
0
110
Other Decks in Technology
See All in Technology
ポストコロナ時代の SaaS におけるコスト削減の意義
izzii
1
260
SRE不在の開発チームが障害対応と 向き合った100日間 / 100 days dealing with issues without SREs
shin1988
2
1.5k
How to Quickly Call American Airlines®️ U.S. Customer Care : Full Guide
flyaahelpguide
0
240
Copilot coding agentにベットしたいCTOが開発組織で取り組んだこと / GitHub Copilot coding agent in Team
tnir
0
150
AIの全社活用を推進するための安全なレールを敷いた話
shoheimitani
2
640
SEQUENCE object comparison - db tech showcase 2025 LT2
nori_shinoda
0
280
データ基盤からデータベースまで?広がるユースケースのDatabricksについて教えるよ!
akuwano
3
160
ABEMAの本番環境負荷試験への挑戦
mk2taiga
5
810
american airlines®️ USA Contact Numbers: Complete 2025 Support Guide
supportflight
1
120
OpenTelemetryセマンティック規約の恩恵とMackerel APMにおける活用例 / SRE NEXT 2025
mackerelio
3
1.6k
全部AI、全員Cursor、ドキュメント駆動開発 〜DevinやGeminiも添えて〜
rinchsan
2
2.2k
マーケットプレイス版Oracle WebCenter Content For OCI
oracle4engineer
PRO
3
990
Featured
See All Featured
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
aki_iinuma
126
53k
No one is an island. Learnings from fostering a developers community.
thoeni
21
3.4k
jQuery: Nuts, Bolts and Bling
dougneiner
63
7.8k
Writing Fast Ruby
sferik
628
62k
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
marktimemedia
31
2.4k
RailsConf 2023
tenderlove
30
1.1k
Helping Users Find Their Own Way: Creating Modern Search Experiences
danielanewman
29
2.7k
Balancing Empowerment & Direction
lara
1
440
Put a Button on it: Removing Barriers to Going Fast.
kastner
60
3.9k
Mobile First: as difficult as doing things right
swwweet
223
9.7k
Faster Mobile Websites
deanohume
307
31k
Principles of Awesome APIs and How to Build Them.
keavy
126
17k
Transcript
OAuth, TxAuth @ IETF 107 Ryo Kajiwara @ lepidum
؆୯ʹഎܠհ OAuthͦͷͷͷenhancementsͷ΄͔ɺ OAuthͷεϖοΫࠈʢਤJustin Richer ࢯͷXYZհεϥΠυΑΓ࠶ߏͨ͠ ͷʣʹରԠ͢ΔͨΊʹҎԼͷಈ͖͕ग़ͯ ͖ͨ: • OAuth 2.0ͱՄೳͳݶΓޓੑΛอͬ
ͨ··ෆཁͳ༷ΛΓࣺͯͯ৽͘͠ υΩϡϝϯτΛ࡞Δ OAuth 2.1 • ޓੑΛؾʹͤͣ৽͍͠Ϣʔεέʔε ΧόʔͰ͖ΔΑ͏ʹ͢Δ XYZ
؆୯ʹഎܠհ • OAuthͷ4ͭͷGrant(Flow)ͷ͏ͪɺResource Owner Password CredentialsMUST NOT implementɺImplicit GrantSHOULD NOT
useͱͳͬͨ • ͨͩ͠Implicit GrantSender-Constrained Access TokenΛ༻͍ͳ ͍ݶΓͱ͍͏ୠ͠ॻ͖͕͍͍ͭͯΔ • Sender-Constrainedͱ: ΞΫηετʔΫϯͷൃߦઌͱར༻ऀͷ ҰகΛదʹอূͰ͖Δੑ࣭Λ࣋ͭΞΫηετʔΫϯͷ͜ͱ • ݱࡏҰൠతͳͷͦͷ۠ผͷͳ͍BearerτʔΫϯ
ৄ͘͠લճͷεϥΠ υݟͯ https:/ /speakerdeck.com/sylph01/ oauth-transactional-authorization- at-ietf106
OAuth
ओͳupdate • OAuth 2.0 Token Exchange -> RFC 8693 (2020/1)
• OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens -> RFC 8705 (2020/2) • Resource Indicators for OAuth 2.0 -> RFC 8707 (2020/2) • JSON Web Token Best Current Practices -> RFC 8725 (2020/2)
ओͳupdate • OAuth 2.0 Security Best Current Practice: ߋ৽தɻݱࡏdraft-15 •
OAuth 2.0 Pushed Authorization Requests͕WG documentԽ • OAuth 2.0 Rich Authorization Requests͕WG documentԽ • DPoP (Demonstration of Proof-of-Possession at the Application Layer)͕WG documentԽ • JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens͕WGLC
ਐߦதͷI-D (IETF 106͔Βͷࠩ) • The OAuth 2.1 Authorization Framework (draft-parecki-oauth-
v2-1-01) • OAuth 2.0 DPoP for the Implicit Flow (draft-jones-oauth-dpop- implicit-00) • The OAuth 2.0 Authorization Framework: Claims (draft-spencer- oauth-claims-01)
TxAuth Transactional Authorization and Delegation
charterͷٞ ࣄલͷconsensus callͰWGܗʹ͍ͭͯ20ਓ͔Βࢍɺ1ਓ͔Β ରɻ Agenda BashingʹͯCharterʹ͓͚Δ"Identity"ͷ༻๏ʹ͍ͭͯࢦఠ ͕͋ΓɺAgenda Bashingͷ࣌ؒ΄΅͜ͷٞͰΊΔ͜ͱͱ ͳͬͨɻ۩ମతʹɺOAuthʹ͓͍ͯIdentity֓೦ѻ͓ͬͯΒ ͣɺOpenID
ConnectͰॳΊͯೝূͷ֓೦͕ਖ਼ࣜʹొ͢Δͷͷɺ ͜ΕΒΛ࠶ར༻͢Δͱͨ͠Charterͷείʔϓ͕Ͳ͜·ͰΛѻ͏͔ ʹ͍ͭͯ໌֬Խ͢Δඞཁ͕͋Δɺͱͷࢦఠɻ
Identityʹ͍ͭͯɺิ ޙʹѻ͏XYZͱXAuthͰOpenID ConnectͰొͨ͠Identity Claims ֓೦Λ࠷ॳ͔ΒϓϩτίϧϨϕϧͰαϙʔτ͍ͯ͠Δʹʮ࠶ར༻ ͍ͯ͠Δʯɻ ͜Ε͕ʮ୯ͳΔೝՄ͞Ε͏ΔใͷҰछʯͳͷ͔ɺʮIdentityʹؔ ΘΔͷͱͯ͠ಛผѻ͍͖͢ͷʯͳͷ͔ʹҙݟͷ૬ҧ͕͋ Δɺͱ͍͏ೝࣝɻ OpenID
Connectͱ͍͏ଞͷSDOͰٞ͞Ε͍ͯΔωλΛઆ໌φγʹ IETFʹ࣋ͪࠐΉͳɺͱ͍͏͋Δɻ
XYZ ΄΅લճઆ໌ͨ͠௨ΓͳͷͰུɻ
XAuth 2020ʹͳͬͯର߅അͱͯ͠৽ͨʹొͨ͠ఏҊن֨ɻ ฏͨ͘ݴ͏ͳΒɺGrant֓೦Λத৺ʹɺClient͕GrantΛੜ͠ૢ ࡞͢ΔRESTful APIͱͯ͠ೝՄͷΈΛඋͨ͠͠ن֨ɻXYZ͕ TransactionʢೝՄΛΊ͙ΔऔҾʣΛத৺ʹ͍ͯ͠Δͷʹର͠ɺ XAuthೝՄͷत༩(Grant)ΛΊ͙ͬͯClient͕Grant Serverʹରͯ͠ ૢ࡞Λߦ͏ɺͱ͍͏த৺֓೦ͷҧ͍͕͋Δɻ
XYZ vs XAuth Interaction • XYZ: redirect, user_code, didcomm ͱ͍ͬͨՄೳͳΠϯλϥΫ
γϣϯΛͯ͢ྻڍ͢ΔɻASՄೳͳinteraction capabilityͰԠ ɺϙϦγʔʹج͍ͮͯཁٻ͢Δ • XAuth: ClientredirectΛߦ͏͜ͱ͕Ͱ͖Δ͔ɺͦΕͱindirect ͳinteractionΛඞਢͱ͢Δ͔Λࢦఆ͢ΔɻGSར༻͖͢ύϥ ϝʔλͰԠ͠ɺαϙʔτ͞Ε͍ͯͳ͚ΕΤϥʔ
XYZ vs XAuth Data Representation • XYZ: TransactionΛத৺֓೦ͱ͢ΔɻTransactionΛͱΓ·͘ InteractionͷͨΊʹ୯ҰͷURLΛར༻͢ΔɻhandleΛͬͯϦΫ Τετؒͷܧଓੑ(≒Transactionͷܧଓ)Λද͢ɻ
• XAuth: RESTfulͳϓϩτίϧɻGS URI͕GSͷࣝผࢠͰ͋Γɺ GrantΛੜ͢ΔͨΊͷURIɻURIΛ௨ͯ͠GrantAuthorizationͱ ରԠ͢ΔΞΫηετʔΫϯΛؔ࿈͚ͮΔɻ
XYZ vs XAuth Client Authentication • XYZ: Clientdetached JWS, DPoP,
OAuth PoP, HTTP Sig, MTLSͳͲ ͷʮҰൠతͳʯํ๏Λͬͯbound keysͷuseΛূ໌͢ΔɻRSʹ ͍ͭͯಉ༷ʹରԠ͍ͯ͠Δkey binding mechanismΛར༻͢ Δɻ • XAuth: ClientXYZͱಉ༷ʹbound keysͷuseΛGSͷauth mechanismͰূ໌͢Δ͕ɺσϑΥϧτJOSEΛ༻͍Δ ɻRSͷΞΫηεOAuth 2.0ಉ༷Bearer tokenɻ֦ுՄ
XYZ vs XAuth OAuth / OIDC Compatibility • XYZ: ClientͷࣝผʹKey
HandleΛ༻͍ΔɻID Token claimsͷα ϙʔτ͕͋Δɻresource handleΛ༻͍ͨscopeʹΑΔRich Resource Requestɻtransaction handleΛ༻͍ͨaccess token refreshɻOIDC UserInfo Endpointͷར༻͕Մೳɻ • XAuth: OAuth 2.0ಉ༷Client IDͰClientΛࣝผɻDynamic Client public key valueͰࣝผ(XYZಉ༷)ɻOAuth scopeͷͦͷ··ͷར ༻ɻRAR͕ͦͷ··ར༻ԽɻOIDC ClaimΛͦͷ··ར༻Մɻ
XYZ vs XAuth Discovery • XYZ: Transaction EndpointͰͯ͢ͷૢ࡞Λ։࢝͢ΔɻClientՄ ೳͳCapabilityͷϦετΛASʹૹ৴ɺASͦͷத͔Βαϙʔτ͠ ͍ͯΔͷͷҰཡΛฦ͢ɻ
• XAuth: ClientGS URI/Grant URI/AuthZ URIʹOPTIONS callΛ͢Δ ͜ͱͰGSͷcapabilityΛΔ
None
·ͱΊɺࢲݟ • ݱOAuthͷେ͖ͳ՝Sender-Constrainedੑͱͷಆ͍ • oauth WGͷworkͷ͏ͪɺMutual-TLS Client Authentication(RFC 8705)ͦͷ࣮ݱͷͨΊͷେ͖ͳҰาͰ͋ΓɺDPoPͷWG itemԽ
ͦͷྲྀΕΛΜͰ͍Δͱ͍͑Δ • XYZɺXAuthτʔΫϯͷSender-ConstrainedੑΛ৫ΓࠐΜ্ͩ Ͱ৽ͨͳϢʔεέʔεΛαϙʔτ͢Δ͜ͱΛతͱ͍ͯ͠Δ • ͔͠͠ͲͬͪͰ·ͱ·ΔΜͩΖ͏…