IETF 107 Report Session: OAuth/TxAuth

Transcript

1. OAuth, TxAuth
   @ IETF 107
   Ryo Kajiwara @ lepidum
   

   View Slide

2. ؆୯ʹഎܠ঺հ
   OAuthͦͷ΋ͷͷenhancementsͷ΄͔ɺ
   OAuthͷεϖοΫ஍ࠈʢਤ͸Justin Richer
   ࢯͷXYZ঺հεϥΠυΑΓ࠶ߏ੒ͨ͠΋
   ͷʣʹରԠ͢ΔͨΊʹҎԼͷಈ͖͕ग़ͯ
   ͖ͨ:
   • OAuth 2.0ͱՄೳͳݶΓޓ׵ੑΛอͬ
   ͨ··ෆཁͳ࢓༷Λ੾Γࣺͯͯ৽͘͠
   υΩϡϝϯτΛ࡞Δ OAuth 2.1
   • ޓ׵ੑΛؾʹͤͣ৽͍͠Ϣʔεέʔε
   ΋ΧόʔͰ͖ΔΑ͏ʹ͢Δ XYZ
   

   View Slide

3. ؆୯ʹഎܠ঺հ
   • OAuthͷ4ͭͷGrant(Flow)ͷ͏ͪɺResource Owner Password
   Credentials͸MUST NOT implementɺImplicit Grant͸SHOULD
   NOT useͱͳͬͨ
   • ͨͩ͠Implicit Grant͸Sender-Constrained Access TokenΛ༻͍ͳ
   ͍ݶΓͱ͍͏ୠ͠ॻ͖͕͍͍ͭͯΔ
   • Sender-Constrainedͱ͸: ΞΫηετʔΫϯͷൃߦઌͱར༻ऀͷ
   ҰகΛద੾ʹอূͰ͖Δੑ࣭Λ࣋ͭΞΫηετʔΫϯͷ͜ͱ
   • ݱࡏҰൠతͳͷ͸ͦͷ۠ผͷͳ͍BearerτʔΫϯ
   

   View Slide

4. ৄ͘͠͸લճͷεϥΠ
   υݟͯ
   https:/
   /speakerdeck.com/sylph01/
   oauth-transactional-authorization-
   at-ietf106
   

   View Slide

5. OAuth
   

   View Slide

6. ओͳupdate
   • OAuth 2.0 Token Exchange -> RFC 8693 (2020/1)
   • OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound
   Access Tokens -> RFC 8705 (2020/2)
   • Resource Indicators for OAuth 2.0 -> RFC 8707 (2020/2)
   • JSON Web Token Best Current Practices -> RFC 8725 (2020/2)
   

   View Slide

7. ओͳupdate
   • OAuth 2.0 Security Best Current Practice: ߋ৽தɻݱࡏdraft-15
   • OAuth 2.0 Pushed Authorization Requests͕WG documentԽ
   • OAuth 2.0 Rich Authorization Requests͕WG documentԽ
   • DPoP (Demonstration of Proof-of-Possession at the Application
   Layer)͕WG documentԽ
   • JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens͕WGLC
   

   View Slide

8. ਐߦதͷI-D
   (IETF 106͔Βͷࠩ෼)
   • The OAuth 2.1 Authorization Framework (draft-parecki-oauth-
   v2-1-01)
   • OAuth 2.0 DPoP for the Implicit Flow (draft-jones-oauth-dpop-
   implicit-00)
   • The OAuth 2.0 Authorization Framework: Claims (draft-spencer-
   oauth-claims-01)
   

   View Slide

9. TxAuth
   Transactional Authorization and
   Delegation
   

   View Slide

10. charterͷٞ࿦
    ࣄલͷconsensus callͰWGܗ੒ʹ͍ͭͯ20ਓ͔Βࢍ੒ɺ1ਓ͔Β൓
    ରɻ
    Agenda BashingʹͯCharterʹ͓͚Δ"Identity"ͷ༻๏ʹ͍ͭͯࢦఠ
    ͕͋ΓɺAgenda Bashingͷ࣌ؒ͸΄΅͜ͷٞ࿦Ͱ઎ΊΔ͜ͱͱ
    ͳͬͨɻ۩ମతʹ͸ɺOAuthʹ͓͍ͯ͸Identity֓೦͸ѻ͓ͬͯΒ
    ͣɺOpenID ConnectͰॳΊͯೝূͷ֓೦͕ਖ਼ࣜʹొ৔͢Δ΋ͷͷɺ
    ͜ΕΒΛ࠶ར༻͢Δͱͨ͠Charterͷείʔϓ͕Ͳ͜·ͰΛѻ͏͔
    ʹ͍ͭͯ໌֬Խ͢Δඞཁ͕͋Δɺͱͷࢦఠɻ
    

    View Slide

11. Identityʹ͍ͭͯɺิ଍
    ޙʹѻ͏XYZͱXAuthͰ͸OpenID ConnectͰొ৔ͨ͠Identity Claims
    ֓೦Λ࠷ॳ͔ΒϓϩτίϧϨϕϧͰαϙʔτ͍ͯ͠Δʹʮ࠶ར༻
    ͍ͯ͠Δʯɻ
    ͜Ε͕ʮ୯ͳΔೝՄ͞Ε͏Δ৘ใͷҰछʯͳͷ͔ɺʮIdentityʹؔ
    ΘΔ΋ͷͱͯ͠ಛผѻ͍͢΂͖΋ͷʯͳͷ͔ʹҙݟͷ૬ҧ͕͋
    Δɺͱ͍͏ೝࣝɻ
    OpenID Connectͱ͍͏ଞͷSDOͰٞ࿦͞Ε͍ͯΔωλΛઆ໌φγʹ
    IETFʹ࣋ͪࠐΉͳɺͱ͍͏࿩΋͋Δɻ
    

    View Slide

12. XYZ
    ΄΅લճઆ໌ͨ͠௨ΓͳͷͰུɻ
    

    View Slide

13. XAuth
    2020೥ʹͳͬͯର߅അͱͯ͠৽ͨʹొ৔ͨ͠ఏҊن֨ɻ
    ฏͨ͘ݴ͏ͳΒ͹ɺGrant֓೦Λத৺ʹɺClient͕GrantΛੜ੒͠ૢ
    ࡞͢ΔRESTful APIͱͯ͠ೝՄͷ࢓૊ΈΛ੔උ͠௚ͨ͠ن֨ɻXYZ͕
    TransactionʢೝՄΛΊ͙ΔऔҾʣΛத৺ʹ͍ͯ͠Δͷʹର͠ɺ
    XAuth͸ೝՄͷत༩(Grant)ΛΊ͙ͬͯClient͕Grant Serverʹରͯ͠
    ૢ࡞Λߦ͏ɺͱ͍͏த৺֓೦ͷҧ͍͕͋Δɻ
    

    View Slide

14. XYZ vs XAuth
    Interaction
    • XYZ: redirect, user_code, didcomm ͱ͍ͬͨՄೳͳΠϯλϥΫ
    γϣϯΛ͢΂ͯྻڍ͢ΔɻAS͸Մೳͳinteraction capabilityͰԠ
    ౴ɺϙϦγʔʹج͍ͮͯཁٻ͢Δ
    • XAuth: Client͸redirectΛߦ͏͜ͱ͕Ͱ͖Δ͔ɺͦΕͱ΋indirect
    ͳinteractionΛඞਢͱ͢Δ͔Λࢦఆ͢ΔɻGS͸ར༻͢΂͖ύϥ
    ϝʔλͰԠ౴͠ɺαϙʔτ͞Ε͍ͯͳ͚Ε͹Τϥʔ
    

    View Slide

15. XYZ vs XAuth
    Data Representation
    • XYZ: TransactionΛத৺֓೦ͱ͢ΔɻTransactionΛͱΓ·͘
    InteractionͷͨΊʹ୯ҰͷURLΛར༻͢ΔɻhandleΛ࢖ͬͯϦΫ
    Τετؒͷܧଓੑ(≒Transactionͷܧଓ)Λද͢ɻ
    • XAuth: RESTfulͳϓϩτίϧɻGS URI͕GSͷࣝผࢠͰ͋Γɺ
    GrantΛੜ੒͢ΔͨΊͷURIɻURIΛ௨ͯ͠Grant΍Authorizationͱ
    ରԠ͢ΔΞΫηετʔΫϯΛؔ࿈͚ͮΔɻ
    

    View Slide

16. XYZ vs XAuth
    Client Authentication
    • XYZ: Client͸detached JWS, DPoP, OAuth PoP, HTTP Sig, MTLSͳͲ
    ͷʮҰൠతͳʯํ๏Λ࢖ͬͯbound keysͷuseΛূ໌͢ΔɻRSʹ
    ͍ͭͯ΋ಉ༷ʹରԠ͍ͯ͠Δkey binding mechanismΛར༻͢
    Δɻ
    • XAuth: Client͸XYZͱಉ༷ʹbound keysͷuseΛGSͷauth
    mechanismͰূ໌͢Δ͕ɺσϑΥϧτ͸JOSEΛ༻͍Δ
    ɻRS΁ͷΞΫηε͸OAuth 2.0ಉ༷Bearer tokenɻ֦ு͸Մ
    

    View Slide

17. XYZ vs XAuth
    OAuth / OIDC Compatibility
    • XYZ: Clientͷࣝผʹ͸Key HandleΛ༻͍ΔɻID Token claimsͷα
    ϙʔτ͕͋Δɻresource handleΛ༻͍ͨscopeʹΑΔRich
    Resource Requestɻtransaction handleΛ༻͍ͨaccess token
    refreshɻOIDC UserInfo Endpointͷར༻͕Մೳɻ
    • XAuth: OAuth 2.0ಉ༷Client IDͰClientΛࣝผɻDynamic Client͸
    public key valueͰࣝผ(XYZಉ༷)ɻOAuth scopeͷͦͷ··ͷར
    ༻ɻRAR͕ͦͷ··ར༻ԽɻOIDC ClaimΛͦͷ··ར༻Մɻ
    

    View Slide

18. XYZ vs XAuth
    Discovery
    • XYZ: Transaction EndpointͰ͢΂ͯͷૢ࡞Λ։࢝͢ΔɻClient͸Մ
    ೳͳCapabilityͷϦετΛASʹૹ৴ɺAS͸ͦͷத͔Βαϙʔτ͠
    ͍ͯΔ΋ͷͷҰཡΛฦ͢ɻ
    • XAuth: Client͸GS URI/Grant URI/AuthZ URIʹOPTIONS callΛ͢Δ
    ͜ͱͰGSͷcapabilityΛ஌Δ
    

    View Slide

19. View Slide

20. ·ͱΊɺࢲݟ
    • ݱ୅OAuthͷେ͖ͳ՝୊͸Sender-Constrainedੑͱͷಆ͍
    • oauth WGͷworkͷ͏ͪɺMutual-TLS Client Authentication(RFC
    8705)͸ͦͷ࣮ݱͷͨΊͷେ͖ͳҰาͰ͋ΓɺDPoPͷWG itemԽ
    ΋ͦͷྲྀΕΛ἞ΜͰ͍Δͱ͍͑Δ
    • XYZɺXAuth͸τʔΫϯͷSender-ConstrainedੑΛ৫ΓࠐΜ্ͩ
    Ͱ৽ͨͳϢʔεέʔεΛαϙʔτ͢Δ͜ͱΛ໨తͱ͍ͯ͠Δ
    • ͔͠͠ͲͬͪͰ·ͱ·ΔΜͩΖ͏…
    

    View Slide