Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
IETF 107 Report Session: OAuth/TxAuth
Search
sylph01
April 22, 2020
Technology
0
100
IETF 107 Report Session: OAuth/TxAuth
sylph01
April 22, 2020
Tweet
Share
More Decks by sylph01
See All by sylph01
The Definitive? Guide To Locally Organizing RubyKaigi
sylph01
6
1.5k
End-to-End Encryption Saves Lives. You Can Start Saving Lives With Ruby, Too
sylph01
1
100
End-to-End Encryption Saves Lives. You Can Start Saving Lives With Ruby, Too (JP subtitles)
sylph01
2
470
Introduction to C Extensions
sylph01
3
200
"Actual" Security in Microcontroller Ruby!?
sylph01
0
140
Everyone Now Understands AuthZ/AuthN and Encryption Perfectly and I'm Gonna Lose My Job
sylph01
1
63
Updates on PicoRuby Networking, HPKE (and maybe more)
sylph01
1
300
Adding Security to Microcontroller Ruby
sylph01
3
3.6k
Secure Messaging at IETF 118
sylph01
0
110
Other Decks in Technology
See All in Technology
推し書籍📚 / Books and a QA Engineer
ak1210
0
120
関数型プログラミングで 「脳がバグる」を乗り越える
manabeai
2
220
Four Keysから始める信頼性の改善 - SRE NEXT 2025
ozakikota
0
160
DatabricksにOLTPデータベース『Lakebase』がやってきた!
inoutk
0
150
インフラ寄りSREの生存戦略
sansantech
PRO
8
3.3k
american aa airlines®️ USA Contact Numbers: Complete 2025 Support Guide
aaguide
0
470
AWS CDK 入門ガイド これだけは知っておきたいヒント集
anank
4
500
Sansanのデータプロダクトマネジメントのアプローチ
sansantech
PRO
0
220
全部AI、全員Cursor、ドキュメント駆動開発 〜DevinやGeminiも添えて〜
rinchsan
2
640
ゼロからはじめる採用広報
yutadayo
3
1k
VS CodeとGitHub Copilotで爆速開発!アップデートの波に乗るおさらい会 / Rapid Development with VS Code and GitHub Copilot: Catch the Latest Wave
yamachu
2
300
20250707-AI活用の個人差を埋めるチームづくり
shnjtk
6
4.1k
Featured
See All Featured
Documentation Writing (for coders)
carmenintech
72
4.9k
The Pragmatic Product Professional
lauravandoore
35
6.7k
I Don’t Have Time: Getting Over the Fear to Launch Your Podcast
jcasabona
32
2.4k
The Success of Rails: Ensuring Growth for the Next 100 Years
eileencodes
45
7.5k
Being A Developer After 40
akosma
90
590k
Writing Fast Ruby
sferik
628
62k
Producing Creativity
orderedlist
PRO
346
40k
Designing for Performance
lara
610
69k
Rebuilding a faster, lazier Slack
samanthasiow
83
9.1k
Imperfection Machines: The Place of Print at Facebook
scottboms
267
13k
Gamification - CAS2011
davidbonilla
81
5.4k
Raft: Consensus for Rubyists
vanstee
140
7k
Transcript
OAuth, TxAuth @ IETF 107 Ryo Kajiwara @ lepidum
؆୯ʹഎܠհ OAuthͦͷͷͷenhancementsͷ΄͔ɺ OAuthͷεϖοΫࠈʢਤJustin Richer ࢯͷXYZհεϥΠυΑΓ࠶ߏͨ͠ ͷʣʹରԠ͢ΔͨΊʹҎԼͷಈ͖͕ग़ͯ ͖ͨ: • OAuth 2.0ͱՄೳͳݶΓޓੑΛอͬ
ͨ··ෆཁͳ༷ΛΓࣺͯͯ৽͘͠ υΩϡϝϯτΛ࡞Δ OAuth 2.1 • ޓੑΛؾʹͤͣ৽͍͠Ϣʔεέʔε ΧόʔͰ͖ΔΑ͏ʹ͢Δ XYZ
؆୯ʹഎܠհ • OAuthͷ4ͭͷGrant(Flow)ͷ͏ͪɺResource Owner Password CredentialsMUST NOT implementɺImplicit GrantSHOULD NOT
useͱͳͬͨ • ͨͩ͠Implicit GrantSender-Constrained Access TokenΛ༻͍ͳ ͍ݶΓͱ͍͏ୠ͠ॻ͖͕͍͍ͭͯΔ • Sender-Constrainedͱ: ΞΫηετʔΫϯͷൃߦઌͱར༻ऀͷ ҰகΛదʹอূͰ͖Δੑ࣭Λ࣋ͭΞΫηετʔΫϯͷ͜ͱ • ݱࡏҰൠతͳͷͦͷ۠ผͷͳ͍BearerτʔΫϯ
ৄ͘͠લճͷεϥΠ υݟͯ https:/ /speakerdeck.com/sylph01/ oauth-transactional-authorization- at-ietf106
OAuth
ओͳupdate • OAuth 2.0 Token Exchange -> RFC 8693 (2020/1)
• OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens -> RFC 8705 (2020/2) • Resource Indicators for OAuth 2.0 -> RFC 8707 (2020/2) • JSON Web Token Best Current Practices -> RFC 8725 (2020/2)
ओͳupdate • OAuth 2.0 Security Best Current Practice: ߋ৽தɻݱࡏdraft-15 •
OAuth 2.0 Pushed Authorization Requests͕WG documentԽ • OAuth 2.0 Rich Authorization Requests͕WG documentԽ • DPoP (Demonstration of Proof-of-Possession at the Application Layer)͕WG documentԽ • JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens͕WGLC
ਐߦதͷI-D (IETF 106͔Βͷࠩ) • The OAuth 2.1 Authorization Framework (draft-parecki-oauth-
v2-1-01) • OAuth 2.0 DPoP for the Implicit Flow (draft-jones-oauth-dpop- implicit-00) • The OAuth 2.0 Authorization Framework: Claims (draft-spencer- oauth-claims-01)
TxAuth Transactional Authorization and Delegation
charterͷٞ ࣄલͷconsensus callͰWGܗʹ͍ͭͯ20ਓ͔Βࢍɺ1ਓ͔Β ରɻ Agenda BashingʹͯCharterʹ͓͚Δ"Identity"ͷ༻๏ʹ͍ͭͯࢦఠ ͕͋ΓɺAgenda Bashingͷ࣌ؒ΄΅͜ͷٞͰΊΔ͜ͱͱ ͳͬͨɻ۩ମతʹɺOAuthʹ͓͍ͯIdentity֓೦ѻ͓ͬͯΒ ͣɺOpenID
ConnectͰॳΊͯೝূͷ֓೦͕ਖ਼ࣜʹొ͢Δͷͷɺ ͜ΕΒΛ࠶ར༻͢Δͱͨ͠Charterͷείʔϓ͕Ͳ͜·ͰΛѻ͏͔ ʹ͍ͭͯ໌֬Խ͢Δඞཁ͕͋Δɺͱͷࢦఠɻ
Identityʹ͍ͭͯɺิ ޙʹѻ͏XYZͱXAuthͰOpenID ConnectͰొͨ͠Identity Claims ֓೦Λ࠷ॳ͔ΒϓϩτίϧϨϕϧͰαϙʔτ͍ͯ͠Δʹʮ࠶ར༻ ͍ͯ͠Δʯɻ ͜Ε͕ʮ୯ͳΔೝՄ͞Ε͏ΔใͷҰछʯͳͷ͔ɺʮIdentityʹؔ ΘΔͷͱͯ͠ಛผѻ͍͖͢ͷʯͳͷ͔ʹҙݟͷ૬ҧ͕͋ Δɺͱ͍͏ೝࣝɻ OpenID
Connectͱ͍͏ଞͷSDOͰٞ͞Ε͍ͯΔωλΛઆ໌φγʹ IETFʹ࣋ͪࠐΉͳɺͱ͍͏͋Δɻ
XYZ ΄΅લճઆ໌ͨ͠௨ΓͳͷͰུɻ
XAuth 2020ʹͳͬͯର߅അͱͯ͠৽ͨʹొͨ͠ఏҊن֨ɻ ฏͨ͘ݴ͏ͳΒɺGrant֓೦Λத৺ʹɺClient͕GrantΛੜ͠ૢ ࡞͢ΔRESTful APIͱͯ͠ೝՄͷΈΛඋͨ͠͠ن֨ɻXYZ͕ TransactionʢೝՄΛΊ͙ΔऔҾʣΛத৺ʹ͍ͯ͠Δͷʹର͠ɺ XAuthೝՄͷत༩(Grant)ΛΊ͙ͬͯClient͕Grant Serverʹରͯ͠ ૢ࡞Λߦ͏ɺͱ͍͏த৺֓೦ͷҧ͍͕͋Δɻ
XYZ vs XAuth Interaction • XYZ: redirect, user_code, didcomm ͱ͍ͬͨՄೳͳΠϯλϥΫ
γϣϯΛͯ͢ྻڍ͢ΔɻASՄೳͳinteraction capabilityͰԠ ɺϙϦγʔʹج͍ͮͯཁٻ͢Δ • XAuth: ClientredirectΛߦ͏͜ͱ͕Ͱ͖Δ͔ɺͦΕͱindirect ͳinteractionΛඞਢͱ͢Δ͔Λࢦఆ͢ΔɻGSར༻͖͢ύϥ ϝʔλͰԠ͠ɺαϙʔτ͞Ε͍ͯͳ͚ΕΤϥʔ
XYZ vs XAuth Data Representation • XYZ: TransactionΛத৺֓೦ͱ͢ΔɻTransactionΛͱΓ·͘ InteractionͷͨΊʹ୯ҰͷURLΛར༻͢ΔɻhandleΛͬͯϦΫ Τετؒͷܧଓੑ(≒Transactionͷܧଓ)Λද͢ɻ
• XAuth: RESTfulͳϓϩτίϧɻGS URI͕GSͷࣝผࢠͰ͋Γɺ GrantΛੜ͢ΔͨΊͷURIɻURIΛ௨ͯ͠GrantAuthorizationͱ ରԠ͢ΔΞΫηετʔΫϯΛؔ࿈͚ͮΔɻ
XYZ vs XAuth Client Authentication • XYZ: Clientdetached JWS, DPoP,
OAuth PoP, HTTP Sig, MTLSͳͲ ͷʮҰൠతͳʯํ๏Λͬͯbound keysͷuseΛূ໌͢ΔɻRSʹ ͍ͭͯಉ༷ʹରԠ͍ͯ͠Δkey binding mechanismΛར༻͢ Δɻ • XAuth: ClientXYZͱಉ༷ʹbound keysͷuseΛGSͷauth mechanismͰূ໌͢Δ͕ɺσϑΥϧτJOSEΛ༻͍Δ ɻRSͷΞΫηεOAuth 2.0ಉ༷Bearer tokenɻ֦ுՄ
XYZ vs XAuth OAuth / OIDC Compatibility • XYZ: ClientͷࣝผʹKey
HandleΛ༻͍ΔɻID Token claimsͷα ϙʔτ͕͋Δɻresource handleΛ༻͍ͨscopeʹΑΔRich Resource Requestɻtransaction handleΛ༻͍ͨaccess token refreshɻOIDC UserInfo Endpointͷར༻͕Մೳɻ • XAuth: OAuth 2.0ಉ༷Client IDͰClientΛࣝผɻDynamic Client public key valueͰࣝผ(XYZಉ༷)ɻOAuth scopeͷͦͷ··ͷར ༻ɻRAR͕ͦͷ··ར༻ԽɻOIDC ClaimΛͦͷ··ར༻Մɻ
XYZ vs XAuth Discovery • XYZ: Transaction EndpointͰͯ͢ͷૢ࡞Λ։࢝͢ΔɻClientՄ ೳͳCapabilityͷϦετΛASʹૹ৴ɺASͦͷத͔Βαϙʔτ͠ ͍ͯΔͷͷҰཡΛฦ͢ɻ
• XAuth: ClientGS URI/Grant URI/AuthZ URIʹOPTIONS callΛ͢Δ ͜ͱͰGSͷcapabilityΛΔ
None
·ͱΊɺࢲݟ • ݱOAuthͷେ͖ͳ՝Sender-Constrainedੑͱͷಆ͍ • oauth WGͷworkͷ͏ͪɺMutual-TLS Client Authentication(RFC 8705)ͦͷ࣮ݱͷͨΊͷେ͖ͳҰาͰ͋ΓɺDPoPͷWG itemԽ
ͦͷྲྀΕΛΜͰ͍Δͱ͍͑Δ • XYZɺXAuthτʔΫϯͷSender-ConstrainedੑΛ৫ΓࠐΜ্ͩ Ͱ৽ͨͳϢʔεέʔεΛαϙʔτ͢Δ͜ͱΛతͱ͍ͯ͠Δ • ͔͠͠ͲͬͪͰ·ͱ·ΔΜͩΖ͏…