Introduction to the OAuth 2.0 Specification


      Ryo Ito (伊東 諒)
     Yahoo Japan Corporation
      2010/6/25
      idcon #7
About me

    • Ryo Ito (=ritou, @ritou)
      – Yahoo Japan Corporation, R&D Division, Platform Development Department
    • Responsibilities
      – User authentication platform
      – Abuse-prevention products related to the above
         • the "login trio" (ログイン3兄弟)
      – Service-integration platform for external partners
         • OAuth, OpenID, and the mechanisms that came before them
    • Contributor: OpenID Artifact Binding WG



2
About this deck

    • Introduces the OAuth 2.0 spec as of draft 8,
      updated on 15 June 2010
    • It is not a statement that Yahoo! JAPAN will
      support OAuth 2.0 early
    • Discussion among the parties is still ongoing, and
      it is entirely possible the spec will change




3
History

    • 2007/12/4 OAuth Core 1.0


    • 2009/6/24 OAuth Core 1.0 Revision A
    • 2009/7/10 Yahoo! JAPAN SP start!!!
    • 2009/12 OAuth WRAP


    • 2010/4 OAuth 1.0 RFC 5849
    • 2010-2011? OAuth 2.0


4
Problems with OAuth 1.0 (by Eran)

    • Authentication and Signatures
       – Signatures are complex and need a library
    • User Experience and Alternative Token Issuance
      Options
       – Folding everything into one flow leaves the UX of non-web-app clients ...
       – Facebook Connect is easy to use, isn't it
    • Performance at Scale
       – Two kinds of token plus the client credential have to be managed
       – Every API access must verify both the client credential
         and the token credential



5
OAuth 2.0 Spec

    • IETF OAuth WG
      – based on OAuth WRAP
    • Abstract
      – Client type and profile
         • the flow up to delegation of access rights
      – Endpoint
         • processing at the two endpoints
      – Resource access
         • API access using a bearer token


6
Client Type and Profile

    • 4 Client types
      – Web Servers
      – User-Agents
      – Native Applications
      – Autonomous Clients




7
Web Server Profile

     [Figure: flow between User-Agent, Web Client, AuthZ Server and Protected Resource]

     • Client Credential
       – Client ID
       – Client Secret
     • Facebook
     • Diff with OAuth 1.0a
       – No Request Token
       – No Signature
       – No Token Secret




8
9
User-Agent Profile

     [Figure: flow between User-Agent, Client in Browser, AuthZ Server and Protected Resource]

     • Client on User-Agent
       – Twitter : @anywhere
       – Facebook : JavaScript-Based Authentication
     • Client Credential
       – Client ID
     • Access Token as URI Fragment Identifier




10
11
Native Applications

     iPhone/Android App, Desktop App
     • External User-Agent
       – Use custom URI scheme
       – Polling UA window and looking for a title
         change
     • Embedded User-Agent
       – Check URL Redirection
     • Prompt for user credential
       – ID/PW to Access Token (discouraged)

12
Autonomous Clients

     • Clients = Resource Owner
       ≒ OAuth Consumer Request
     • Existing Trust Relationship / Framework
       – SAML etc...




13
Client credential

     • Client credential
       – client identifier
       – client secret (optional)
     • AuthN schemes
       – Request parameters
       – HTTP Basic authN ← is this really needed...




14
Endpoint

     • End-user authZ endpoint : Indirect
       Communication
       – Obtaining End-User Authorization
     • Token Endpoint : Direct Communication
       – TLS 1.2 required
       – Authorized Code2Access Token
       – Resource Owner Credentials2Access
         Token
       – Assertion2Access Token
       – Refresh Token

15
End-user authZ endpoint

     • Request format
       – HTTP GET
     • Request Params
       – type,client_id,redirect_uri,state,scope
         • Suspicion that the URL gets long
            – Once extensions arrive, won't this hurt on mobile? ↓
       – Proposal to use request_url parameter
         •Request by Reference ver.1.0 for OAuth
          2.0 draft-sakimura-oauth-requrl-00


16
End-user authZ endpoint

     • Response format
       – type = web_server : query parameters
       – type = user_agent : URI fragment
         identifier
     • Response params
       – type = web_server : code,state
       – type = user_agent :
         access_token,expired_in,state



17
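The two end-user authZ endpoint slides above give the request parameters and both response shapes. The following is an added client-side example (not code from the slides) that builds the draft-8 GET request and parses the redirect for both client types; the endpoint URL, client_id and redirect_uri are made-up values.

```python
# Client side of the end-user authZ endpoint on the two slides above (added
# example, not from the slides).  Builds the GET request with the draft-8
# parameters type, client_id, redirect_uri, state, scope and parses the
# redirect back: query string for type=web_server, URI fragment for
# type=user_agent.  Endpoint URL, client_id and redirect_uri are made up.
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHZ_ENDPOINT = "https://authz.example.test/oauth/authorize"   # constructed
CLIENT_TYPES = ("web_server", "user_agent")


def new_state():
    """Unguessable per-request value the client keeps in the user's session."""
    return secrets.token_urlsafe(16)


def build_authz_request(client_type, client_id, redirect_uri, state, scope=None):
    """URL the user-agent is sent to (the endpoint takes HTTP GET)."""
    if client_type not in CLIENT_TYPES:
        raise ValueError("unknown client type: %r" % client_type)
    params = {"type": client_type, "client_id": client_id,
              "redirect_uri": redirect_uri, "state": state}
    if scope:
        params["scope"] = scope
    return AUTHZ_ENDPOINT + "?" + urlencode(params)


def parse_authz_response(client_type, redirected_to, expected_state):
    """Pull the result out of the redirect URL after checking the state binding.

    web_server: code and state come back in the query string, so the client's
    server sees them.  user_agent: access_token and friends come back in the
    fragment, which the browser never sends to any server; only script running
    in the page can read it.
    """
    url = urlparse(redirected_to)
    raw = url.query if client_type == "web_server" else url.fragment
    params = {k: v[0] for k, v in parse_qs(raw, keep_blank_values=True).items()}
    # state ties this response to a request this client actually started;
    # a response without the expected state is not ours (callback CSRF).
    if not hmac.compare_digest(params.get("state", ""), expected_state):
        raise ValueError("state mismatch: response not bound to our request")
    params.pop("state", None)
    if client_type == "web_server" and "code" not in params:
        raise ValueError("web_server response must carry a code")
    if client_type == "user_agent" and "access_token" not in params:
        raise ValueError("user_agent response must carry an access_token")
    return params
```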
Token endpoint

     • Request format
       – HTTP POST
     • Request params
       – Client credential
       – Specific params
         •grant_type, scope
            – code, redirect_uri
            – username, password
            – assertion_type, assertion
            – refresh_token

18
Token Refresh

     ≒ OAuth Session Extension (Y! Inc, Y! JAPAN)
     • Tokens
       – Refresh Token : long-lived
       – Access Token : short-lived


     • Request
       – grant_type : refresh_token
       – client_id,client_secret,refresh_token
     • Response
       – access_token

19
Token endpoint

     • Response format
       – JSON only
     • Response params
       – access_token, expires_in, refresh_token,
         scope




20
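Slides 18 to 20 describe the token endpoint's request parameters, the refresh exchange and the JSON response parameters. The following is an added example (not code from the slides or from Yahoo! JAPAN) of a minimal token endpoint that implements the authorization_code and refresh_token grants with both client-authentication schemes from the Client credential slide; all ids, secrets, codes and the error names are constructed, and the dict it returns is what would be serialised as the JSON-only response.

```python
# Minimal token endpoint in the shape the slides describe (added example, not
# from the slides).  Grants: authorization_code and refresh_token.  Client
# authN: client_id/client_secret POST params or HTTP Basic.  All ids, secrets,
# codes and error names are constructed; the body dict goes out as JSON.
import base64
import hmac
import secrets
import time

ACCESS_TOKEN_TTL = 3600          # access token: short-lived
REFRESH_TOKEN_TTL = 30 * 86400   # refresh token: long-lived

CLIENTS = {"s6BhdRkqt3": "cf136dc3c1fc93f31185e5885805d"}   # constructed
CODES = {"SplxlOBeZQQYbYS6WxSbIA": {        # issued earlier by the authZ endpoint
    "client_id": "s6BhdRkqt3", "redirect_uri": "https://client.example.test/cb",
    "scope": "read"}}
ACCESS_TOKENS, REFRESH_TOKENS = {}, {}


def basic_auth_header(client_id, client_secret):
    """Client side: the HTTP Basic form of the client credential."""
    return "Basic " + base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()


def _authenticate_client(form, authorization_header):
    """Return the client_id, or None if the credential does not check out."""
    if authorization_header and authorization_header.startswith("Basic "):
        try:
            decoded = base64.b64decode(authorization_header[6:]).decode()
        except (ValueError, UnicodeDecodeError):
            return None
        cid, _, secret = decoded.partition(":")
    else:
        cid, secret = form.get("client_id", ""), form.get("client_secret", "")
    expected = CLIENTS.get(cid)
    if expected is None or not hmac.compare_digest(expected, secret):
        return None
    return cid


def _new_access_token(client_id, scope, now):
    token = secrets.token_urlsafe(24)
    ACCESS_TOKENS[token] = {"client_id": client_id, "scope": scope,
                            "exp": now + ACCESS_TOKEN_TTL}
    return token


def handle_token_request(method, form, authorization_header=None, now=None):
    """Return (status, body); body is the dict serialised as the JSON response."""
    now = time.time() if now is None else now
    if method != "POST":
        return 405, {"error": "invalid_request"}
    client_id = _authenticate_client(form, authorization_header)
    if client_id is None:
        return 401, {"error": "invalid_client"}
    grant = form.get("grant_type")
    if grant == "authorization_code":
        entry = CODES.pop(form.get("code", ""), None)   # single-use: replay fails
        if (entry is None or entry["client_id"] != client_id
                or entry["redirect_uri"] != form.get("redirect_uri")):
            return 400, {"error": "invalid_grant"}
        refresh = secrets.token_urlsafe(32)
        REFRESH_TOKENS[refresh] = {"client_id": client_id, "scope": entry["scope"],
                                   "exp": now + REFRESH_TOKEN_TTL}
        return 200, {"access_token": _new_access_token(client_id, entry["scope"], now),
                     "expires_in": ACCESS_TOKEN_TTL, "refresh_token": refresh,
                     "scope": entry["scope"]}
    if grant == "refresh_token":
        entry = REFRESH_TOKENS.get(form.get("refresh_token", ""))
        if entry is None or entry["client_id"] != client_id or entry["exp"] <= now:
            return 400, {"error": "invalid_grant"}
        # the long-lived refresh token stays valid; only a new short-lived
        # access token is minted, as on the Token Refresh slide
        return 200, {"access_token": _new_access_token(client_id, entry["scope"], now),
                     "expires_in": ACCESS_TOKEN_TTL, "scope": entry["scope"]}
    return 400, {"error": "unsupported_grant_type"}
```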
Accessing a Protected Resource

     • Param
       – Access Token only
         • positioned like a browser and its HTTP cookie (per Allen)
     • Method
       – The Authorization Request Header Field
       – URI Query Parameter
       – Form-Encoded Body Parameter



21
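The slide above lists the three ways a client may present the access token to a protected resource. The following is an added resource-server example (not code from the slides) that accepts all three and then applies bearer semantics; the header scheme name "OAuth" and the parameter name "oauth_token" are assumptions, and the token store is a constructed in-memory dict.

```python
# Resource-server side of "Accessing a Protected Resource" (added example, not
# from the slides).  Accepts the access token via the Authorization header, a
# URI query parameter or a form-encoded body parameter.  The scheme name
# "OAuth" and the parameter name "oauth_token" are assumptions; the token
# store is constructed.
import time
from urllib.parse import parse_qs

# constructed token store: token -> owner, granted scope, expiry (epoch secs)
TOKENS = {"vF9dft4qmT": {"owner": "alice", "scope": "read", "exp": 2_000_000_000}}


class TokenError(Exception):
    """Carries the HTTP status the resource server should answer with."""
    def __init__(self, status, msg):
        super().__init__(msg)
        self.status = status


def extract_token(headers, query, content_type, body):
    """Find the access token; reject requests that present it more than once."""
    found = []
    auth = headers.get("Authorization")
    if auth:
        scheme, _, rest = auth.partition(" ")
        if scheme.lower() != "oauth" or not rest.strip():
            raise TokenError(401, "unsupported or empty Authorization header")
        found.append(rest.strip())
    found.extend(parse_qs(query).get("oauth_token", []))
    if content_type.split(";")[0].strip() == "application/x-www-form-urlencoded":
        found.extend(parse_qs(body).get("oauth_token", []))
    if not found:
        raise TokenError(401, "no access token presented")
    if len(found) > 1:
        # ambiguity is a classic source of confusion between filters; refuse it
        raise TokenError(400, "access token presented more than once")
    return found[0]


def authorize(headers, query="", content_type="", body="", required_scope="read",
              now=None):
    """Bearer semantics: whoever presents a valid, unexpired token gets in."""
    now = time.time() if now is None else now
    token = extract_token(headers, query, content_type, body)
    entry = TOKENS.get(token)
    if entry is None or entry["exp"] <= now:
        raise TokenError(401, "invalid or expired access token")
    if required_scope not in entry["scope"].split():
        raise TokenError(403, "token lacks the required scope")
    return entry["owner"]
```

Because the token alone is all a resource needs (the slide's cookie analogy), the query-parameter form leaks it into server logs and Referer headers; the header form is the one to prefer.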
Summary

     • Profiles are defined in detail
     • Two endpoints
     • Simplified implementation
       – No Signature
       – Bearer Token
     • The curse of Basic auth?




22
Open questions

     • Level of Assurance
       – Is it OK to expose payment-related APIs on top of this?
     • AuthZ Server initiated
       – Doable with some ingenuity around state or extensions
     • User-Centric OAuth
       – Discovery
       – Asymmetric Signature
       – User Identifier Extension
          • Just need to settle when it is passed and in what format
       → Wait, isn't this just OpenID AB?!
23
That's all

     • I will keep following the spec
     • Questions go to the WG!?




     Open Stack FTW!
24