
IETF 107 Report Session: OAuth/TxAuth

sylph01
April 22, 2020


Transcript

  1. OAuth, TxAuth
    @ IETF 107
    Ryo Kajiwara @ lepidum

  2. Brief background
    Besides enhancements to OAuth itself, the following efforts have emerged
    to deal with the "OAuth spec hell" (the figure is reconstructed from
    Justin Richer's XYZ introduction slides):
    • OAuth 2.1: write a new document that cuts away unneeded parts of the
    specification while staying as compatible with OAuth 2.0 as possible
    • XYZ: set compatibility aside so that new use cases can be covered as
    well

  3. Brief background
    • Of OAuth's four grants (flows), Resource Owner Password Credentials is
    now "MUST NOT implement" and the Implicit Grant is "SHOULD NOT use"
    • The Implicit Grant, however, carries the proviso "unless a
    sender-constrained access token is used"
    • Sender-constrained means: an access token with a property that lets the
    resource server properly verify that the party the token was issued to
    and the party presenting it are the same
    • What is common today is the bearer token, which makes no such
    distinction
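    The distinction between a bearer token and a sender-constrained token, as
    seen from the resource server, can be shown with a small model of the
    certificate binding that RFC 8705 (slide 20) uses: the authorization
    server puts the SHA-256 thumbprint of the client's TLS certificate into
    the token's cnf.x5t#S256 claim, and the resource server accepts the token
    only if the certificate on its own TLS connection hashes to that value.
    The following is an added example, not code from the deck or from any of
    the drafts it reports on; the HS256 token signing, the shared secret, the
    URLs and the stand-in certificate bytes are all constructed for the
    demonstration (a real deployment would sign tokens asymmetrically and take
    the certificate from the TLS layer).

```python
import base64
import hashlib
import hmac
import json
from typing import Optional, Tuple

# Constructed secret shared by the authorization server (AS) and resource
# server (RS) for a toy HS256-signed JWT (demo only, not production practice).
AS_RS_SECRET = b"constructed-demo-secret-not-for-production"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def cert_thumbprint(cert_der: bytes) -> str:
    # RFC 8705 binds a token to the base64url-encoded SHA-256 hash of the
    # DER-encoded client certificate; that value is carried in cnf.x5t#S256.
    return b64url(hashlib.sha256(cert_der).digest())


def issue_token(sub: str, scope: str, client_cert_der: Optional[bytes], now: int) -> str:
    """AS side: mint a token. With no client certificate the result is a plain
    bearer token; with one it becomes certificate-bound (sender-constrained)."""
    header = {"alg": "HS256", "typ": "at+jwt"}
    claims = {"iss": "https://as.example", "sub": sub, "scope": scope,
              "iat": now, "exp": now + 600}
    if client_cert_der is not None:
        claims["cnf"] = {"x5t#S256": cert_thumbprint(client_cert_der)}
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(AS_RS_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify_at_rs(token: str, presented_cert_der: Optional[bytes], now: int) -> Tuple[bool, str]:
    """RS side: check signature and expiry, then, if the token carries cnf,
    check that the certificate on *this* TLS connection matches the binding."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    h, c, s = parts
    expected = hmac.new(AS_RS_SECRET, f"{h}.{c}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        return False, "bad signature"
    claims = json.loads(b64url_decode(c))
    if now >= claims["exp"]:
        return False, "expired"
    cnf = claims.get("cnf")
    if cnf is None:
        # Bearer token: possession alone suffices, so whoever holds a leaked
        # copy can use it. This is the gap sender-constraining closes.
        return True, "bearer token accepted (no sender constraint)"
    if presented_cert_der is None:
        return False, "token is certificate-bound but no client certificate was presented"
    if not hmac.compare_digest(cnf["x5t#S256"], cert_thumbprint(presented_cert_der)):
        return False, "client certificate does not match cnf.x5t#S256"
    return True, "certificate-bound token accepted"


# Constructed stand-ins for DER-encoded client certificates; in practice the
# RS reads the certificate from the mutual-TLS handshake.
LEGIT_CLIENT_CERT = b"constructed-der-bytes-for-legitimate-client"
OTHER_CLIENT_CERT = b"constructed-der-bytes-for-some-other-client"


def demo(now: int = 1_700_000_000) -> dict:
    """Replays the same two tokens from different TLS identities and reports
    what the RS decides for each case."""
    bearer = issue_token("alice", "read", None, now)
    bound = issue_token("alice", "read", LEGIT_CLIENT_CERT, now)
    return {
        "bearer_from_other_client": verify_at_rs(bearer, OTHER_CLIENT_CERT, now)[0],
        "bound_from_legit_client": verify_at_rs(bound, LEGIT_CLIENT_CERT, now)[0],
        "bound_from_other_client": verify_at_rs(bound, OTHER_CLIENT_CERT, now)[0],
        "bound_without_cert": verify_at_rs(bound, None, now)[0],
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

    The bearer token is accepted no matter which client presents it, while the
    bound token is accepted only over a connection authenticated with the
    certificate it was issued against; that is the property the deck's later
    slides (RFC 8705, DPoP, and the key binding in XYZ and XAuth) are about.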

  4. See the previous deck for details:
    https://speakerdeck.com/sylph01/oauth-transactional-authorization-at-ietf106

  5. OAuth

  6. Main updates
    • OAuth 2.0 Token Exchange -> RFC 8693 (2020/1)
    • OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound
    Access Tokens -> RFC 8705 (2020/2)
    • Resource Indicators for OAuth 2.0 -> RFC 8707 (2020/2)
    • JSON Web Token Best Current Practices -> RFC 8725 (2020/2)

  7. Main updates
    • OAuth 2.0 Security Best Current Practice: still being revised, currently
    draft-15
    • OAuth 2.0 Pushed Authorization Requests became a WG document
    • OAuth 2.0 Rich Authorization Requests became a WG document
    • DPoP (Demonstration of Proof-of-Possession at the Application Layer)
    became a WG document
    • JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens is in WGLC

  8. I-Ds in progress (new since IETF 106)
    • The OAuth 2.1 Authorization Framework (draft-parecki-oauth-v2-1-01)
    • OAuth 2.0 DPoP for the Implicit Flow (draft-jones-oauth-dpop-implicit-00)
    • The OAuth 2.0 Authorization Framework: Claims (draft-spencer-oauth-claims-01)

  9. TxAuth
    Transactional Authorization and
    Delegation

  10. Charter discussion
    In the consensus call held beforehand, 20 people were in favor of forming
    the WG and 1 was against.
    During agenda bashing, the use of the term "Identity" in the charter was
    questioned, and nearly all of the agenda-bashing time went to that
    discussion. Specifically: OAuth does not deal with the concept of
    identity at all, and the concept of authentication first formally appears
    in OpenID Connect, so if the charter says it will reuse these, how far
    its scope extends needs to be made clear.

  11. Supplementary note on Identity
    XYZ and XAuth, covered later, support the Identity Claims concept that
    originated in OpenID Connect at the protocol level from the outset; that
    is what "reusing" it means here.
    The recognized disagreement is whether such claims are "just one more kind
    of information that can be authorized" or "something identity-related that
    deserves special treatment".
    There is also the argument that material being discussed in another SDO
    (OpenID Connect) should not be brought into the IETF without explanation.

  12. XYZ
    Largely as explained last time, so omitted here.

  13. XAuth
    A proposed specification that appeared in 2020 as a rival to XYZ.
    Put plainly, it centers on the concept of a Grant and restructures the
    authorization mechanism as a RESTful API through which the Client creates
    and manipulates Grants. Whereas XYZ centers on the Transaction (the
    exchange surrounding an authorization), XAuth's central concept is
    different: the Client performs operations against a Grant Server
    concerning the granting (Grant) of authorization.

  14. XYZ vs XAuth
    Interaction
    • XYZ: the client enumerates every interaction mode it can perform, such
    as redirect, user_code, didcomm. The AS responds with the interaction
    capabilities it can use and demands them according to its policy
    • XAuth: the Client states whether it can perform a redirect or requires
    an indirect interaction. The GS responds with the parameters to use, or
    with an error if the mode is unsupported

  15. XYZ vs XAuth
    Data Representation
    • XYZ: the Transaction is the central concept. A single URL is used for
    the interactions surrounding a Transaction. Handles express continuity
    across requests (≈ continuation of the Transaction)
    • XAuth: a RESTful protocol. The GS URI is the identifier of the GS and
    the URI at which Grants are created. Grants, Authorizations and their
    corresponding access tokens are linked to one another through URIs

  16. XYZ vs XAuth
    Client Authentication
    • XYZ: the Client proves use of its bound keys through "general" methods
    such as detached JWS, DPoP, OAuth PoP, HTTP Sig or MTLS. Toward the RS it
    likewise uses whichever key binding mechanism the RS supports
    • XAuth: as in XYZ, the Client proves use of its bound keys through the
    GS's auth mechanism, but the default is JOSE. Access to the RS uses a
    Bearer token as in OAuth 2.0; extensions are possible

  17. XYZ vs XAuth
    OAuth / OIDC Compatibility
    • XYZ: the Client is identified by a Key Handle. ID Token claims are
    supported. Rich resource requests are made via scopes using resource
    handles. Access tokens are refreshed using the transaction handle. The
    OIDC UserInfo Endpoint can be used
    • XAuth: the Client is identified by a Client ID as in OAuth 2.0; dynamic
    clients are identified by public key value (as in XYZ). OAuth scopes are
    used as-is. RAR can be used as-is. OIDC Claims can be used as-is

  18. XYZ vs XAuth
    Discovery
    • XYZ: every operation starts at the Transaction Endpoint. The Client
    sends the AS the list of capabilities it can use, and the AS returns the
    subset of those it supports
    • XAuth: the Client learns the GS's capabilities by making an OPTIONS call
    to the GS URI, Grant URI or AuthZ URI

  19. (image-only slide, no transcript text)

  20. Summary and personal views
    • The big challenge for modern OAuth is the fight to make tokens
    sender-constrained
    • Among the oauth WG's work, Mutual-TLS Client Authentication (RFC 8705)
    is a major step toward that, and DPoP becoming a WG item follows the
    same current
    • XYZ and XAuth aim to support new use cases on top of tokens that are
    sender-constrained from the start
    • But which one will it end up settling on…