Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
IETF 107 Report Session: OAuth/TxAuth
Search
sylph01
April 22, 2020
Technology
0
88
IETF 107 Report Session: OAuth/TxAuth
sylph01
April 22, 2020
Tweet
Share
More Decks by sylph01
See All by sylph01
"Actual" Security in Microcontroller Ruby!?
sylph01
0
66
Everyone Now Understands AuthZ/AuthN and Encryption Perfectly and I'm Gonna Lose My Job
sylph01
1
13
Updates on PicoRuby Networking, HPKE (and maybe more)
sylph01
1
210
Adding Security to Microcontroller Ruby
sylph01
2
3.2k
Secure Messaging at IETF 118
sylph01
0
74
Adventures in the Dungeons of OpenSSL
sylph01
0
480
Community & RubyKaigi Showcase @ Ehime.rb Reboot Meetup
sylph01
0
300
Build and Learn Rails Authentication
sylph01
8
2k
Email, Messaging, and Self-Sovereign Identity (2021/05/28 edition)
sylph01
0
280
Other Decks in Technology
See All in Technology
能動的ドメイン名ライフサイクル管理のすゝめ / Practice on Active Domain Name Lifecycle Management
nttcom
0
200
APIとはなにか
mikanichinose
0
110
多領域インシデントマネジメントへの挑戦:ハードウェアとソフトウェアの融合が生む課題/Challenge to multidisciplinary incident management: Issues created by the fusion of hardware and software
bitkey
PRO
2
110
20241220_S3 tablesの使い方を検証してみた
handy
4
680
多様なメトリックとシステムの健全性維持
masaaki_k
0
110
スタートアップで取り組んでいるAzureとMicrosoft 365のセキュリティ対策/How to Improve Azure and Microsoft 365 Security at Startup
yuj1osm
0
230
10分で学ぶKubernetesコンテナセキュリティ/10min-k8s-container-sec
mochizuki875
3
380
OCI技術資料 : ファイル・ストレージ 概要
ocise
3
11k
Work as an App Engineer
lycorp_recruit_jp
0
340
事業貢献を考えるための技術改善の目標設計と改善実績 / Targeted design of technical improvements to consider business contribution and improvement performance
oomatomo
0
150
DevFest 2024 Incheon / Songdo - Compose UI 조합 심화
wisemuji
0
140
私なりのAIのご紹介 [2024年版]
qt_luigi
1
120
Featured
See All Featured
Reflections from 52 weeks, 52 projects
jeffersonlam
347
20k
GitHub's CSS Performance
jonrohan
1031
460k
We Have a Design System, Now What?
morganepeng
51
7.3k
Six Lessons from altMBA
skipperchong
27
3.5k
Dealing with People You Can't Stand - Big Design 2015
cassininazir
365
25k
The Success of Rails: Ensuring Growth for the Next 100 Years
eileencodes
44
6.9k
Making the Leap to Tech Lead
cromwellryan
133
9k
Why You Should Never Use an ORM
jnunemaker
PRO
54
9.1k
Automating Front-end Workflow
addyosmani
1366
200k
No one is an island. Learnings from fostering a developers community.
thoeni
19
3k
Refactoring Trust on Your Teams (GOTO; Chicago 2020)
rmw
32
2.7k
Designing for humans not robots
tammielis
250
25k
Transcript
OAuth, TxAuth @ IETF 107 Ryo Kajiwara @ lepidum
؆୯ʹഎܠհ OAuthͦͷͷͷenhancementsͷ΄͔ɺ OAuthͷεϖοΫࠈʢਤJustin Richer ࢯͷXYZհεϥΠυΑΓ࠶ߏͨ͠ ͷʣʹରԠ͢ΔͨΊʹҎԼͷಈ͖͕ग़ͯ ͖ͨ: • OAuth 2.0ͱՄೳͳݶΓޓੑΛอͬ
ͨ··ෆཁͳ༷ΛΓࣺͯͯ৽͘͠ υΩϡϝϯτΛ࡞Δ OAuth 2.1 • ޓੑΛؾʹͤͣ৽͍͠Ϣʔεέʔε ΧόʔͰ͖ΔΑ͏ʹ͢Δ XYZ
؆୯ʹഎܠհ • OAuthͷ4ͭͷGrant(Flow)ͷ͏ͪɺResource Owner Password CredentialsMUST NOT implementɺImplicit GrantSHOULD NOT
useͱͳͬͨ • ͨͩ͠Implicit GrantSender-Constrained Access TokenΛ༻͍ͳ ͍ݶΓͱ͍͏ୠ͠ॻ͖͕͍͍ͭͯΔ • Sender-Constrainedͱ: ΞΫηετʔΫϯͷൃߦઌͱར༻ऀͷ ҰகΛదʹอূͰ͖Δੑ࣭Λ࣋ͭΞΫηετʔΫϯͷ͜ͱ • ݱࡏҰൠతͳͷͦͷ۠ผͷͳ͍BearerτʔΫϯ
ৄ͘͠લճͷεϥΠ υݟͯ https:/ /speakerdeck.com/sylph01/ oauth-transactional-authorization- at-ietf106
OAuth
ओͳupdate • OAuth 2.0 Token Exchange -> RFC 8693 (2020/1)
• OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens -> RFC 8705 (2020/2) • Resource Indicators for OAuth 2.0 -> RFC 8707 (2020/2) • JSON Web Token Best Current Practices -> RFC 8725 (2020/2)
ओͳupdate • OAuth 2.0 Security Best Current Practice: ߋ৽தɻݱࡏdraft-15 •
OAuth 2.0 Pushed Authorization Requests͕WG documentԽ • OAuth 2.0 Rich Authorization Requests͕WG documentԽ • DPoP (Demonstration of Proof-of-Possession at the Application Layer)͕WG documentԽ • JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens͕WGLC
ਐߦதͷI-D (IETF 106͔Βͷࠩ) • The OAuth 2.1 Authorization Framework (draft-parecki-oauth-
v2-1-01) • OAuth 2.0 DPoP for the Implicit Flow (draft-jones-oauth-dpop- implicit-00) • The OAuth 2.0 Authorization Framework: Claims (draft-spencer- oauth-claims-01)
TxAuth Transactional Authorization and Delegation
charterͷٞ ࣄલͷconsensus callͰWGܗʹ͍ͭͯ20ਓ͔Βࢍɺ1ਓ͔Β ରɻ Agenda BashingʹͯCharterʹ͓͚Δ"Identity"ͷ༻๏ʹ͍ͭͯࢦఠ ͕͋ΓɺAgenda Bashingͷ࣌ؒ΄΅͜ͷٞͰΊΔ͜ͱͱ ͳͬͨɻ۩ମతʹɺOAuthʹ͓͍ͯIdentity֓೦ѻ͓ͬͯΒ ͣɺOpenID
ConnectͰॳΊͯೝূͷ֓೦͕ਖ਼ࣜʹొ͢Δͷͷɺ ͜ΕΒΛ࠶ར༻͢Δͱͨ͠Charterͷείʔϓ͕Ͳ͜·ͰΛѻ͏͔ ʹ͍ͭͯ໌֬Խ͢Δඞཁ͕͋Δɺͱͷࢦఠɻ
Identityʹ͍ͭͯɺิ ޙʹѻ͏XYZͱXAuthͰOpenID ConnectͰొͨ͠Identity Claims ֓೦Λ࠷ॳ͔ΒϓϩτίϧϨϕϧͰαϙʔτ͍ͯ͠Δʹʮ࠶ར༻ ͍ͯ͠Δʯɻ ͜Ε͕ʮ୯ͳΔೝՄ͞Ε͏ΔใͷҰछʯͳͷ͔ɺʮIdentityʹؔ ΘΔͷͱͯ͠ಛผѻ͍͖͢ͷʯͳͷ͔ʹҙݟͷ૬ҧ͕͋ Δɺͱ͍͏ೝࣝɻ OpenID
Connectͱ͍͏ଞͷSDOͰٞ͞Ε͍ͯΔωλΛઆ໌φγʹ IETFʹ࣋ͪࠐΉͳɺͱ͍͏͋Δɻ
XYZ ΄΅લճઆ໌ͨ͠௨ΓͳͷͰུɻ
XAuth 2020ʹͳͬͯର߅അͱͯ͠৽ͨʹొͨ͠ఏҊن֨ɻ ฏͨ͘ݴ͏ͳΒɺGrant֓೦Λத৺ʹɺClient͕GrantΛੜ͠ૢ ࡞͢ΔRESTful APIͱͯ͠ೝՄͷΈΛඋͨ͠͠ن֨ɻXYZ͕ TransactionʢೝՄΛΊ͙ΔऔҾʣΛத৺ʹ͍ͯ͠Δͷʹର͠ɺ XAuthೝՄͷत༩(Grant)ΛΊ͙ͬͯClient͕Grant Serverʹରͯ͠ ૢ࡞Λߦ͏ɺͱ͍͏த৺֓೦ͷҧ͍͕͋Δɻ
XYZ vs XAuth Interaction • XYZ: redirect, user_code, didcomm ͱ͍ͬͨՄೳͳΠϯλϥΫ
γϣϯΛͯ͢ྻڍ͢ΔɻASՄೳͳinteraction capabilityͰԠ ɺϙϦγʔʹج͍ͮͯཁٻ͢Δ • XAuth: ClientredirectΛߦ͏͜ͱ͕Ͱ͖Δ͔ɺͦΕͱindirect ͳinteractionΛඞਢͱ͢Δ͔Λࢦఆ͢ΔɻGSར༻͖͢ύϥ ϝʔλͰԠ͠ɺαϙʔτ͞Ε͍ͯͳ͚ΕΤϥʔ
XYZ vs XAuth Data Representation • XYZ: TransactionΛத৺֓೦ͱ͢ΔɻTransactionΛͱΓ·͘ InteractionͷͨΊʹ୯ҰͷURLΛར༻͢ΔɻhandleΛͬͯϦΫ Τετؒͷܧଓੑ(≒Transactionͷܧଓ)Λද͢ɻ
• XAuth: RESTfulͳϓϩτίϧɻGS URI͕GSͷࣝผࢠͰ͋Γɺ GrantΛੜ͢ΔͨΊͷURIɻURIΛ௨ͯ͠GrantAuthorizationͱ ରԠ͢ΔΞΫηετʔΫϯΛؔ࿈͚ͮΔɻ
XYZ vs XAuth Client Authentication • XYZ: Clientdetached JWS, DPoP,
OAuth PoP, HTTP Sig, MTLSͳͲ ͷʮҰൠతͳʯํ๏Λͬͯbound keysͷuseΛূ໌͢ΔɻRSʹ ͍ͭͯಉ༷ʹରԠ͍ͯ͠Δkey binding mechanismΛར༻͢ Δɻ • XAuth: ClientXYZͱಉ༷ʹbound keysͷuseΛGSͷauth mechanismͰূ໌͢Δ͕ɺσϑΥϧτJOSEΛ༻͍Δ ɻRSͷΞΫηεOAuth 2.0ಉ༷Bearer tokenɻ֦ுՄ
XYZ vs XAuth OAuth / OIDC Compatibility • XYZ: ClientͷࣝผʹKey
HandleΛ༻͍ΔɻID Token claimsͷα ϙʔτ͕͋Δɻresource handleΛ༻͍ͨscopeʹΑΔRich Resource Requestɻtransaction handleΛ༻͍ͨaccess token refreshɻOIDC UserInfo Endpointͷར༻͕Մೳɻ • XAuth: OAuth 2.0ಉ༷Client IDͰClientΛࣝผɻDynamic Client public key valueͰࣝผ(XYZಉ༷)ɻOAuth scopeͷͦͷ··ͷར ༻ɻRAR͕ͦͷ··ར༻ԽɻOIDC ClaimΛͦͷ··ར༻Մɻ
XYZ vs XAuth Discovery • XYZ: Transaction EndpointͰͯ͢ͷૢ࡞Λ։࢝͢ΔɻClientՄ ೳͳCapabilityͷϦετΛASʹૹ৴ɺASͦͷத͔Βαϙʔτ͠ ͍ͯΔͷͷҰཡΛฦ͢ɻ
• XAuth: ClientGS URI/Grant URI/AuthZ URIʹOPTIONS callΛ͢Δ ͜ͱͰGSͷcapabilityΛΔ
None
·ͱΊɺࢲݟ • ݱOAuthͷେ͖ͳ՝Sender-Constrainedੑͱͷಆ͍ • oauth WGͷworkͷ͏ͪɺMutual-TLS Client Authentication(RFC 8705)ͦͷ࣮ݱͷͨΊͷେ͖ͳҰาͰ͋ΓɺDPoPͷWG itemԽ
ͦͷྲྀΕΛΜͰ͍Δͱ͍͑Δ • XYZɺXAuthτʔΫϯͷSender-ConstrainedੑΛ৫ΓࠐΜ্ͩ Ͱ৽ͨͳϢʔεέʔεΛαϙʔτ͢Δ͜ͱΛతͱ͍ͯ͠Δ • ͔͠͠ͲͬͪͰ·ͱ·ΔΜͩΖ͏…