Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
IETF 107 Report Session: OAuth/TxAuth
Search
sylph01
April 22, 2020
Technology
0
78
IETF 107 Report Session: OAuth/TxAuth
sylph01
April 22, 2020
Tweet
Share
More Decks by sylph01
See All by sylph01
Adding Security to Microcontroller Ruby
sylph01
0
4
Secure Messaging at IETF 118
sylph01
0
34
Adventures in the Dungeons of OpenSSL
sylph01
0
300
Community & RubyKaigi Showcase @ Ehime.rb Reboot Meetup
sylph01
0
190
Build and Learn Rails Authentication
sylph01
8
1.8k
Email, Messaging, and Self-Sovereign Identity (2021/05/28 edition)
sylph01
0
180
DNS Encryption and Its Controversies
sylph01
0
620
Email, Messaging, and SSI/DID (再放送)
sylph01
0
1.2k
Action Mailbox in Action
sylph01
1
3k
Other Decks in Technology
See All in Technology
How to Lead? Testimonial of a Lead Android Engineer
oleur
1
120
今日からできる!簡単 .NET 高速化 Tips -2024 edition-
xin9le
7
4.9k
高専で制御を、大学でセンシングを学び、次は脳みそ
satoshirobatofujimoto
0
120
Secrets of a PowerShell "Guru"
guyrleech
1
110
Dungeons and Dragons and Rails
joelq
0
120
実例で紹介するRAG導入時の知見と精度向上の勘所
yamahiro
7
2.4k
Babylon.js JAPAN活動紹介 (2024/4)
limes2018
1
130
今さら聞けないDocker入門 〜 Dockerfileのベストプラクティス編
devops_vtj
21
6.3k
LangSmith入門―トレース/評価/プロンプト管理などを担うLLMアプリ開発プラットフォーム
os1ma
5
790
20分で完全に理解するGrafanaダッシュボード
hamadakoji
5
990
MixIT 2024 - Pulumi : Gérer son infra avec son langage de programmation préféré
ju_hnny5
1
120
コードや知識を組み込む / Incorporate Code and knowledge
ks91
PRO
0
160
Featured
See All Featured
Java REST API Framework Comparison - PWX 2021
mraible
PRO
18
7k
Docker and Python
trallard
35
2.7k
Building Adaptive Systems
keathley
32
1.9k
Statistics for Hackers
jakevdp
790
220k
The Success of Rails: Ensuring Growth for the Next 100 Years
eileencodes
34
6.1k
YesSQL, Process and Tooling at Scale
rocio
165
13k
Fireside Chat
paigeccino
22
2.6k
Infographics Made Easy
chrislema
238
18k
From Idea to $5000 a Month in 5 Months
shpigford
378
45k
Dealing with People You Can't Stand - Big Design 2015
cassininazir
358
22k
The MySQL Ecosystem @ GitHub 2015
samlambert
244
12k
Ruby is Unlike a Banana
tanoku
96
10k
Transcript
OAuth, TxAuth @ IETF 107 Ryo Kajiwara @ lepidum
؆୯ʹഎܠհ OAuthͦͷͷͷenhancementsͷ΄͔ɺ OAuthͷεϖοΫࠈʢਤJustin Richer ࢯͷXYZհεϥΠυΑΓ࠶ߏͨ͠ ͷʣʹରԠ͢ΔͨΊʹҎԼͷಈ͖͕ग़ͯ ͖ͨ: • OAuth 2.0ͱՄೳͳݶΓޓੑΛอͬ
ͨ··ෆཁͳ༷ΛΓࣺͯͯ৽͘͠ υΩϡϝϯτΛ࡞Δ OAuth 2.1 • ޓੑΛؾʹͤͣ৽͍͠Ϣʔεέʔε ΧόʔͰ͖ΔΑ͏ʹ͢Δ XYZ
؆୯ʹഎܠհ • OAuthͷ4ͭͷGrant(Flow)ͷ͏ͪɺResource Owner Password CredentialsMUST NOT implementɺImplicit GrantSHOULD NOT
useͱͳͬͨ • ͨͩ͠Implicit GrantSender-Constrained Access TokenΛ༻͍ͳ ͍ݶΓͱ͍͏ୠ͠ॻ͖͕͍͍ͭͯΔ • Sender-Constrainedͱ: ΞΫηετʔΫϯͷൃߦઌͱར༻ऀͷ ҰகΛదʹอূͰ͖Δੑ࣭Λ࣋ͭΞΫηετʔΫϯͷ͜ͱ • ݱࡏҰൠతͳͷͦͷ۠ผͷͳ͍BearerτʔΫϯ
ৄ͘͠લճͷεϥΠ υݟͯ https:/ /speakerdeck.com/sylph01/ oauth-transactional-authorization- at-ietf106
OAuth
ओͳupdate • OAuth 2.0 Token Exchange -> RFC 8693 (2020/1)
• OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens -> RFC 8705 (2020/2) • Resource Indicators for OAuth 2.0 -> RFC 8707 (2020/2) • JSON Web Token Best Current Practices -> RFC 8725 (2020/2)
ओͳupdate • OAuth 2.0 Security Best Current Practice: ߋ৽தɻݱࡏdraft-15 •
OAuth 2.0 Pushed Authorization Requests͕WG documentԽ • OAuth 2.0 Rich Authorization Requests͕WG documentԽ • DPoP (Demonstration of Proof-of-Possession at the Application Layer)͕WG documentԽ • JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens͕WGLC
ਐߦதͷI-D (IETF 106͔Βͷࠩ) • The OAuth 2.1 Authorization Framework (draft-parecki-oauth-
v2-1-01) • OAuth 2.0 DPoP for the Implicit Flow (draft-jones-oauth-dpop- implicit-00) • The OAuth 2.0 Authorization Framework: Claims (draft-spencer- oauth-claims-01)
TxAuth Transactional Authorization and Delegation
charterͷٞ ࣄલͷconsensus callͰWGܗʹ͍ͭͯ20ਓ͔Βࢍɺ1ਓ͔Β ରɻ Agenda BashingʹͯCharterʹ͓͚Δ"Identity"ͷ༻๏ʹ͍ͭͯࢦఠ ͕͋ΓɺAgenda Bashingͷ࣌ؒ΄΅͜ͷٞͰΊΔ͜ͱͱ ͳͬͨɻ۩ମతʹɺOAuthʹ͓͍ͯIdentity֓೦ѻ͓ͬͯΒ ͣɺOpenID
ConnectͰॳΊͯೝূͷ֓೦͕ਖ਼ࣜʹొ͢Δͷͷɺ ͜ΕΒΛ࠶ར༻͢Δͱͨ͠Charterͷείʔϓ͕Ͳ͜·ͰΛѻ͏͔ ʹ͍ͭͯ໌֬Խ͢Δඞཁ͕͋Δɺͱͷࢦఠɻ
Identityʹ͍ͭͯɺิ ޙʹѻ͏XYZͱXAuthͰOpenID ConnectͰొͨ͠Identity Claims ֓೦Λ࠷ॳ͔ΒϓϩτίϧϨϕϧͰαϙʔτ͍ͯ͠Δʹʮ࠶ར༻ ͍ͯ͠Δʯɻ ͜Ε͕ʮ୯ͳΔೝՄ͞Ε͏ΔใͷҰछʯͳͷ͔ɺʮIdentityʹؔ ΘΔͷͱͯ͠ಛผѻ͍͖͢ͷʯͳͷ͔ʹҙݟͷ૬ҧ͕͋ Δɺͱ͍͏ೝࣝɻ OpenID
Connectͱ͍͏ଞͷSDOͰٞ͞Ε͍ͯΔωλΛઆ໌φγʹ IETFʹ࣋ͪࠐΉͳɺͱ͍͏͋Δɻ
XYZ ΄΅લճઆ໌ͨ͠௨ΓͳͷͰུɻ
XAuth 2020ʹͳͬͯର߅അͱͯ͠৽ͨʹొͨ͠ఏҊن֨ɻ ฏͨ͘ݴ͏ͳΒɺGrant֓೦Λத৺ʹɺClient͕GrantΛੜ͠ૢ ࡞͢ΔRESTful APIͱͯ͠ೝՄͷΈΛඋͨ͠͠ن֨ɻXYZ͕ TransactionʢೝՄΛΊ͙ΔऔҾʣΛத৺ʹ͍ͯ͠Δͷʹର͠ɺ XAuthೝՄͷत༩(Grant)ΛΊ͙ͬͯClient͕Grant Serverʹରͯ͠ ૢ࡞Λߦ͏ɺͱ͍͏த৺֓೦ͷҧ͍͕͋Δɻ
XYZ vs XAuth Interaction • XYZ: redirect, user_code, didcomm ͱ͍ͬͨՄೳͳΠϯλϥΫ
γϣϯΛͯ͢ྻڍ͢ΔɻASՄೳͳinteraction capabilityͰԠ ɺϙϦγʔʹج͍ͮͯཁٻ͢Δ • XAuth: ClientredirectΛߦ͏͜ͱ͕Ͱ͖Δ͔ɺͦΕͱindirect ͳinteractionΛඞਢͱ͢Δ͔Λࢦఆ͢ΔɻGSར༻͖͢ύϥ ϝʔλͰԠ͠ɺαϙʔτ͞Ε͍ͯͳ͚ΕΤϥʔ
XYZ vs XAuth Data Representation • XYZ: TransactionΛத৺֓೦ͱ͢ΔɻTransactionΛͱΓ·͘ InteractionͷͨΊʹ୯ҰͷURLΛར༻͢ΔɻhandleΛͬͯϦΫ Τετؒͷܧଓੑ(≒Transactionͷܧଓ)Λද͢ɻ
• XAuth: RESTfulͳϓϩτίϧɻGS URI͕GSͷࣝผࢠͰ͋Γɺ GrantΛੜ͢ΔͨΊͷURIɻURIΛ௨ͯ͠GrantAuthorizationͱ ରԠ͢ΔΞΫηετʔΫϯΛؔ࿈͚ͮΔɻ
XYZ vs XAuth Client Authentication • XYZ: Clientdetached JWS, DPoP,
OAuth PoP, HTTP Sig, MTLSͳͲ ͷʮҰൠతͳʯํ๏Λͬͯbound keysͷuseΛূ໌͢ΔɻRSʹ ͍ͭͯಉ༷ʹରԠ͍ͯ͠Δkey binding mechanismΛར༻͢ Δɻ • XAuth: ClientXYZͱಉ༷ʹbound keysͷuseΛGSͷauth mechanismͰূ໌͢Δ͕ɺσϑΥϧτJOSEΛ༻͍Δ ɻRSͷΞΫηεOAuth 2.0ಉ༷Bearer tokenɻ֦ுՄ
XYZ vs XAuth OAuth / OIDC Compatibility • XYZ: ClientͷࣝผʹKey
HandleΛ༻͍ΔɻID Token claimsͷα ϙʔτ͕͋Δɻresource handleΛ༻͍ͨscopeʹΑΔRich Resource Requestɻtransaction handleΛ༻͍ͨaccess token refreshɻOIDC UserInfo Endpointͷར༻͕Մೳɻ • XAuth: OAuth 2.0ಉ༷Client IDͰClientΛࣝผɻDynamic Client public key valueͰࣝผ(XYZಉ༷)ɻOAuth scopeͷͦͷ··ͷར ༻ɻRAR͕ͦͷ··ར༻ԽɻOIDC ClaimΛͦͷ··ར༻Մɻ
XYZ vs XAuth Discovery • XYZ: Transaction EndpointͰͯ͢ͷૢ࡞Λ։࢝͢ΔɻClientՄ ೳͳCapabilityͷϦετΛASʹૹ৴ɺASͦͷத͔Βαϙʔτ͠ ͍ͯΔͷͷҰཡΛฦ͢ɻ
• XAuth: ClientGS URI/Grant URI/AuthZ URIʹOPTIONS callΛ͢Δ ͜ͱͰGSͷcapabilityΛΔ
None
·ͱΊɺࢲݟ • ݱOAuthͷେ͖ͳ՝Sender-Constrainedੑͱͷಆ͍ • oauth WGͷworkͷ͏ͪɺMutual-TLS Client Authentication(RFC 8705)ͦͷ࣮ݱͷͨΊͷେ͖ͳҰาͰ͋ΓɺDPoPͷWG itemԽ
ͦͷྲྀΕΛΜͰ͍Δͱ͍͑Δ • XYZɺXAuthτʔΫϯͷSender-ConstrainedੑΛ৫ΓࠐΜ্ͩ Ͱ৽ͨͳϢʔεέʔεΛαϙʔτ͢Δ͜ͱΛతͱ͍ͯ͠Δ • ͔͠͠ͲͬͪͰ·ͱ·ΔΜͩΖ͏…