Authentication technologies app developers should know - OAuth 1.0 + OAuth 2.0 + OpenID Connect -
This deck was put together by an application development engineer from the various things I looked up while implementing user authorization and authentication with OAuth 1.0, OAuth 2.0 and OpenID Connect.
I hope it helps those who want to start learning authorization and authentication technologies, application developers in particular.


1. OAuth1.0 / OAuth2 / OpenID Connect
2. OAuth 1.0 OAuth 2.0 OpenID Connect Web
3. Web - URL: https://webgame.link/auths/ - GitHub (Ruby on Rails): https://github.com/ngzm/auths-demo
4. OAuth 1.0 OAuth 2.0 OpenID Connect RFC
5. Naoki Nagazumi (Johnny Depp), vue.js, Ruby, SIer. Twitter: @nk_ngzm, GitHub: https://github.com/ngzm/, Blog: http://ngzm.hateblo.jp/
6. Authorization →
7. Authentication • ID
8. OAuth 1.0 OAuth 2.0 OpenID Connect
9. [Diagram: login with ID / PWD; ok or XX]
10. [Diagram: OAuth. Resource Owner, OAuth Client and OAuth Server; ID / PWD checked at the Authorization endpoint (ok / XX); Access Token issued at the Token endpoint and presented at the Resource endpoint]
11. [Diagram: login with ID / PWD; OK!]
12. [Diagram: OpenID Connect. End-User, Relying Party (RP) and Identity Provider (IdP) / OpenID Provider (OP); ID / PWD checked at the Authorization endpoint (OK!); ID Token issued at the Token endpoint]
13. OAuth 1.0
14. OAuth 1.0 • RFC5849 - The OAuth 1.0 Protocol: https://openid-foundation-japan.github.io/rfc5849.ja.html, https://tools.ietf.org/html/rfc5849 • 2010 4 RFC 8
15. OAuth 1.0
16. OAuth 1.0 Flow
17. [Sequence diagram: OAuth 1.0 flow between the Resource Owner, the OAuth Client (App) and the OAuth Server. The client obtains a request token at the Request token endpoint, redirects the user to the Authorization endpoint (login, OK), receives the OAuth token by redirect, exchanges it for an access token at the Token endpoint, then calls the Resource endpoint for user information.]
18. OAuth 1.0
19. Web
20.
21. OAuth (Twitter): I. consumer_key / consumer_secret II. request token / request token secret III. access token / access token secret (OAuth 1.0)
22. Signature (OAuth) • HMAC-SHA1
23. 1. Parameters: • access token (token) • timestamp, nonce 2. OAuth (normalized parameters) 3. HMAC-SHA1 (over the result of 2) https://syncer.jp/Web/API/OAuth/
24. Authorization Header (OAuth): Authorization: OAuth
25. Authorization Header
Authorization: OAuth
oauth_consumer_key="xvz1evFS4wEEPTGEFPHBog",
oauth_nonce="kYjzVBB8Y0ZFabxSWbWovY3uYSQ2pTgmZeNu2VS4cg",
oauth_signature="tnnArxj06cWHq44gCs1OSKk%2FjLY%3D",
oauth_signature_method="HMAC-SHA1",
oauth_timestamp="1318622958",
oauth_token="370773112-GmHxMAgYyLbNEtIKZeRNFsMKPR9EyMZeS9weJAEb",
oauth_version="1.0"
(consumer_key, nonce, token (access token))
26. TLS / SSL: TLS / SSL - - - timestamp, nonce
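The signing procedure of slides 22-23 and the header of slide 25, as an added Python example (not the presentation's code and not the auths-demo project's): the client side builds the signature base string, the HMAC-SHA1 signature and the Authorization header; the server side recomputes the signature and rejects stale timestamps and reused nonces, which is the replay defence slides 26 and 38 point at. The consumer key, token and timestamp are the slide values; both secrets, the 300-second window and all function and class names are assumptions made here.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote, unquote, urlparse

# Constructed sample credentials (not real Twitter keys). Consumer key, token and
# timestamp are the slide values; both secrets are invented for this example.
CONSUMER_KEY = "xvz1evFS4wEEPTGEFPHBog"
CONSUMER_SECRET = "constructed-consumer-secret"
ACCESS_TOKEN = "1528352858-UUCjYDVcLC4V34xHob5XTxboEgJWLwp9aIGSrBC"
ACCESS_TOKEN_SECRET = "constructed-access-token-secret"
SHOW_USER_URL = "https://api.twitter.com/1.1/users/show.json"


def pct(value: str) -> str:
    """RFC 5849 section 3.6 percent-encoding: only unreserved characters stay literal."""
    return quote(value, safe="-._~")


def base_string(method: str, url: str, params: dict) -> str:
    """Slide 23 steps 1-2: METHOD & base URL & normalized (sorted, encoded) parameters.
    `params` holds the query parameters plus every oauth_* parameter except oauth_signature."""
    parsed = urlparse(url)
    base_url = f"{parsed.scheme}://{parsed.netloc}{parsed.path}"
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(base_url), pct(normalized)])


def sign(method: str, url: str, params: dict, consumer_secret: str, token_secret: str = "") -> str:
    """Slide 23 step 3: HMAC-SHA1 over the base string, keyed with consumer_secret & token_secret
    (token_secret is empty for the request-token call of #1)."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def authorization_header(method, url, query, token, token_secret, nonce=None, timestamp=None):
    """Client side: build the `Authorization: OAuth ...` header value of slide 25."""
    oauth = {
        "oauth_consumer_key": CONSUMER_KEY,
        "oauth_nonce": nonce or secrets.token_hex(16),
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp or int(time.time())),
        "oauth_token": token,
        "oauth_version": "1.0",
    }
    oauth["oauth_signature"] = sign(method, url, {**query, **oauth}, CONSUMER_SECRET, token_secret)
    return "OAuth " + ", ".join(f'{k}="{pct(v)}"' for k, v in sorted(oauth.items()))


def parse_header(header: str) -> dict:
    """Parse 'OAuth k="v", k2="v2"' back into a dict, percent-decoding each value."""
    if not header.startswith("OAuth "):
        raise ValueError("not an OAuth 1.0 Authorization header")
    out = {}
    for part in header[len("OAuth "):].split(","):
        key, _, value = part.strip().partition("=")
        out[key] = unquote(value.strip('"'))
    return out


class ReplayGuard:
    """Server-side timestamp/nonce check (slides 26 and 38): a request whose timestamp is
    outside the window, or whose nonce was already accepted, is rejected as a replay."""

    def __init__(self, window_seconds: int = 300):
        self.window = window_seconds
        self.seen = set()  # (consumer_key, token, nonce, timestamp) tuples already accepted

    def accept(self, oauth: dict, now: int) -> bool:
        ts = int(oauth["oauth_timestamp"])
        if abs(now - ts) > self.window:
            return False
        key = (oauth["oauth_consumer_key"], oauth.get("oauth_token", ""), oauth["oauth_nonce"], ts)
        if key in self.seen:
            return False
        self.seen.add(key)
        return True


def verify_request(method, url, query, header, consumer_secret, token_secrets, guard, now) -> bool:
    """Resource-server side: recompute the signature from the presented parameters, compare it
    in constant time, then apply the replay guard. `token_secrets` maps access token -> secret."""
    oauth = parse_header(header)
    presented = oauth.pop("oauth_signature", "")
    token_secret = token_secrets.get(oauth.get("oauth_token", ""), "")
    expected = sign(method, url, {**query, **oauth}, consumer_secret, token_secret)
    if not hmac.compare_digest(presented, expected):
        return False
    return guard.accept(oauth, now)


if __name__ == "__main__":
    print(authorization_header("GET", SHOW_USER_URL, {"user_id": "12345678901"},
                               ACCESS_TOKEN, ACCESS_TOKEN_SECRET))
```

The same header verifies once and is then refused: the signature still matches, but the nonce/timestamp pair has already been seen, which is exactly what makes a captured request useless to anyone replaying it.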
27. OAuth 1.0
28. • Twitter OAuth: 1. OAuth 1.0 2. OAuth 2.0 Client Credentials Flow (OAuth 2.0) → OAuth 1.0
29. [Sequence diagram: OAuth 1.0 on Twitter (AuthDemo). #1 Request token request (App → Request token Endpoint), #2 Request token response, #3 Redirect to the Authorization Endpoint (login, OK), #4 Redirect back with the OAuth token, #5 Access token request (Token Endpoint), #6 Access token response, #7 call to the Resource Endpoint for user information.]
30. #0 Twitter Application Management https://apps.twitter.com/ • 1. Name 2. Description 3. Website URL 4. Callback URL (OAuth URL) • 1. Consumer Key (API Key) = OAuth Client ID 2. Consumer Secret (API Secret) = OAuth Client Secret; Redirect URI / Callback URL ON; Consumer Secret
31. #1 Request token (POST URL of Twitter Request Token Endpoint)
POST https://api.twitter.com/oauth/request_token HTTP/1.1
…
Content-Type: application/x-www-form-urlencoded
Authorization: OAuth
oauth_consumer_key="xvz1evFS4wEEPTGEFPHBog",
oauth_callback="https://my-callback-host/my-callback/path/",
oauth_nonce="kYjzVBB8Y0ZFabxSWbWovY3uYSQ2pTgmZeNu2VS4cg",
oauth_signature="tnnArxj06cWHq44gCs1OSKk%2FjLY%3D",
oauth_signature_method="HMAC-SHA1",
oauth_timestamp="1318622958",
oauth_version="1.0"
…
1. consumer_key: the "Consumer Key" from #0
2. callback: the "callback uri"
3. nonce: (Replay Attack)
4. signature: the "Consumer Secret" from #0
5. signature_method: HMAC-SHA1 (twitter)
6. timestamp: (Replay Attack)
32. #2 Request token (Response body from Twitter Request Token Endpoint)
oauth_token="5mb9VtYwa27HTVjK5OhoyyI503dWoPndDQ9G4V8yCI"
&oauth_token_secret="4dW4gGLic6oItvd0YySWRU5aLjBQsw1N9xDC3Wkqw"
&oauth_callback_confirmed="true"
1. oauth_token: Request token (token)
2. oauth_token_secret: Request token secret (access token)
3. oauth_callback_confirmed: oauth_callback (true)
33. #3 Redirect to Twitter Authorization Endpoint
https://api.twitter.com/oauth/authorize?oauth_token="5mb9VtYwa27HTVjK5OhoyyI503dWoPndDQ9G4V8yCI"
oauth_token: the Request token from #2
34. #4 OK (Redirect from Twitter Authorization Endpoint to the #1 callback)
https://my-callback-host/my-callback/path/
?oauth_token="mFyphbOybZCKfoZWurAU7dbcTnFoUeksGfVyFauFWM"
&oauth_verifier="TGUMMyQWCSJGKiXlUlQmgRQEYMv8mkIt5cHPERUgvw"
1. oauth_token: oauth token (token)
2. oauth_verifier: oauth token (access token)
35. #5 Access token (POST URL of Twitter Token Endpoint)
POST https://api.twitter.com/oauth/access_token HTTP/1.1
…
Content-Type: application/x-www-form-urlencoded
Authorization: OAuth
oauth_consumer_key="xvz1evFS4wEEPTGEFPHBog",
oauth_nonce="BB8Y0ZFuYSe4vQ2pTgmZbxSWbWovY3",
oauth_signature="Hq4gCs1rx4Kkj06cOStnnAW%2FjLY%3D",
oauth_signature_method="HMAC-SHA1",
oauth_token="mFyphbOybZCKfoZWurAU7dbcTnFoUeksGfVyFauFWM",
oauth_verifier="TGUMMyQWCSJGKiXlUlQmgRQEYMv8mkIt5cHPERUgvw",
oauth_timestamp="1318623847",
oauth_version="1.0"
…
1. consumer_key: the "Consumer Key" from #0
2. nonce: (Replay Attack)
3. signature: the Consumer Secret from #0 and the request_token_secret from #2
4. signature_method: HMAC-SHA1 (twitter)
5. token: the oauth token from #4
6. verifier: the oauth verifier from #4
7. timestamp: (Replay Attack)
36. #6 Access token (Response body from Twitter Token Endpoint)
oauth_token="1528352858-UUCjYDVcLC4V34xHob5XTxboEgJWLwp9aIGSrBC"
&oauth_token_secret="VNhCQye7rX4P4u2OIuDHOgdSBATgZV3qWvJ8uSLkXqP25"
&user_id="12345678901"
&screen_name="nk_ngzm"
1. oauth_token: access token
2. oauth_token_secret: access token secret
3. user_id: Twitter user_id
4. screen_name: Twitter screen name
37. #7 URL of Twitter Resource Endpoint (GET; the Twitter user_id from #6)
GET https://api.twitter.com/1.1/users/show.json?user_id=12345678901
…
Authorization: OAuth
oauth_consumer_key="xvz1evFS4wEEPTGEFPHBog",
oauth_nonce="FabxSWbkYjzBB8Y0ZWVovY3uu2pTgmZeN",
oauth_signature="CStnHscOx4Kkj06q4gn1rAW%2FjLY%3D",
oauth_signature_method="HMAC-SHA1",
oauth_token="1528352858-UUCjYDVcLC4V34xHob5XTxboEgJWLwp9aIGSrBC",
oauth_timestamp="13186248263",
oauth_version="1.0"
…
1. consumer_key: the Consumer Key from #0
2. nonce: (Replay Attack)
3. signature: the Consumer Secret from #0 and the access_token_secret from #6
4. signature_method: HMAC-SHA1 (twitter)
5. token: the access token from #6
6. timestamp: (Replay Attack)
38. #0 callback → #1 - token; #1 #5 #7 timestamp, nonce - access token Replay Attack
39. OAuth 1.0
40. i. ii. OAuth 2.0 OpenID Connect
41. OAuth 2.0
42. OAuth 2.0
43. OAuth 2.0 • RFC6749 - The OAuth 2.0 Authorization Framework: https://openid-foundation-japan.github.io/rfc6749.ja.html, https://tools.ietf.org/html/rfc6749 • 2012 10 RFC • OAuth 1.0
44. OAuth 2.0 • OAuth 1.0 • OAuth 1.0 OAuth 2.0 • …
45. OAuth 2.0
46. ‣ SPA JS
47. OAuth 2.0: 1. Authorization Code Flow (Client Type: Confidential) 2. Implicit Flow (Client Type: Public) 3. Client Credentials Flow 4. Resource Owner Password Credentials Flow 5. Refreshing an Access Token (token)
48. Client Type: "Confidential" / "Public". 1. Confidential ... Web ‣ OAuth Client ‣ Authorization code Flow 2. Public ... ‣ OAuth Client ‣ Implicit Flow
49. TLS: TLS OAuth 2.0
50. TLS
51. HTTP message (OAuth 1.0) … TLS ‣ Client Type Confidential OAuth Client ‣ Public OAuth Client →
52. OAuth 2.0 OAuth (Facebook) • client_id / client_secret OAuth
53. Authorization Header: Token Authorization Header, Bearer. RFC6750 - The OAuth 2.0 Authorization Framework: Bearer Token Usage: https://tools.ietf.org/html/rfc6750, https://openid-foundation-japan.github.io/rfc6750.ja.html
Authorization: Bearer mF_9.B5f-4.1JqM
(Authorization header carrying the access token)
54. Access token • Implicit Grant Flow access token - token - OAuth 1.0 access token 1
55. Access token ‣ OAuth 2.0 RFC6749
56. OAuth 2.0 Flow
57. Flow: 1. Authorization Code Flow (Client Type: Confidential) 2. Implicit Flow (Client Type: Public) https://qiita.com/TakahikoKawasaki/items/200951e5b5929f840a1f
58. Authorization Code Flow (Confidential Client Type) OAuth 2.0
59. [Sequence diagram: OAuth 2.0 Authorization Code Flow. Resource Owner, OAuth Client (App), Authorization Server and Resource Server. The user logs in at the Authorization endpoint (OK), a code is returned to the client by redirect, the client exchanges the code at the Token endpoint using its client_id and client_secret for an access token, then calls the Resource endpoint for user information.]
60. Implicit Flow (Public Client Type) ‣ OAuth Client access token (token)
61. [Sequence diagram: OAuth 2.0 Implicit Flow. The client (client_id only, no client_secret) sends the user to the Authorization endpoint; the access token is returned directly in the redirect without a Token endpoint call, and is then presented to the Resource endpoint for user information.]
62. OAuth 2.0
63. • Facebook OAuth 2.0: 1. Authorization code Flow 2. Implicit Flow 3. Hybrid Flow (Hybrid Flow: OpenID Connect) → Authorization Code Flow
64. • Facebook access token: #5 #6 access token • "Graph API Endpoint"
65. [Sequence diagram: OAuth 2.0 Authorization Code Flow on Facebook. #1 START: redirect to the Authorization Endpoint (login, OK), #2 code returned by redirect, #3 access token request, #4 access token response, #5 access token debug request, #6 access token debug response, #7 Graph API Endpoint call for user information.]
66. #0 Facebook for Developers https://developers.facebook.com/ • 1. 2. Valid OAuth Redirect URIs (OAuth URL) • 1. ID = OAuth Client ID 2. Secret = OAuth Client Secret; Redirect URI / Redirect URL ON; Secret
67. #1 Redirect to Facebook Authorization Endpoint
Location: https://www.facebook.com/v2.12/dialog/oauth
?client_id="245678901234567"
&response_type="code"
&scope="email public_profile"
&redirect_uri="https://my-redirect-uri"
&state="random_text_data_agaist_csrf"
1. client_id: the "ID" from #0 (client)
2. response_type: "code"; "code" = Authorization Code Flow, "token" = Implicit Flow, "code token" = Hybrid Flow
3. scope: "email", "public_profile"
4. redirect_uri: the "redirect_uri" from #0
5. state: CSRF (state, CSRF, code, client)
68. #2 OK
https://my-callback-uri
?code="AQBORpgp-sdRaLAo-xR_assef-lpZiG6W"
&state="random_text_data_agaist_csrf"
1. code: the code, exchanged for the access token in #3 / #4
2. state: the state from #1 (CSRF; #1 redirect_uri, state #1)
69. #3 Access token (GET URL of Facebook Token Endpoint; client_secret)
GET https://graph.facebook.com/v2.12/oauth/access_token
?client_id="245678901234567"
&client_secret="60abc01dab6ae4b0f8acf2abaf1"
&redirect_uri="https://my-redirect-uri/"
&code="AQBORpgp-sdRaLAo-xR_assef-lpZiG6W"
1. client_id: the "ID" from #0 (client)
2. client_secret: the "Secret" from #0 (client)
3. redirect_uri: the "redirect_uri" from #0
4. code: the code from #2
70. #4 Access token (Response body from Facebook Token Endpoint, JSON)
{
"access_token": "CAWx8Qv2EvZB0-{..省略..}-AvvtNhQZDZD",
"token_type": "bearer",
"expires_in": 5180974
}
1. access_token: Access token
2. token_type: token (OK)
3. expires_in:
71. #5 Access token (GET URL of Facebook Debug Token Endpoint)
GET https://graph.facebook.com/debug_token
?input_token="CAWx8Qv2EvZB0-{..省略..}-AvvtNhQZDZD"
&access_token="245678901234567|60abc01dab6ae4b0f8acf2abaf1"
1. input_token: the access token from #4 (token)
2. access_token:
72. #6 Access token (Response body from Facebook Token Debug Endpoint, JSON)
{
"data": {
"app_id": 245678901234567,
"type": "USER",
"application": "MyApplication",
"expires_at": 1386248263,
"is_valid": true,
"issued_at": 1386251863,
"metadata": { "sso": "iphone-safari" },
"scopes": [ "email", "publish_actions" ],
"user_id": "1234567"
}
}
1. app_id: the client_id from #0 (token)
2. user_id: user_id
73. #7 GET URL of Facebook Resource Endpoint (Authorization: Bearer with the access token from #4)
GET https://graph.facebook.com/1234567?fields="id,first_name,name,picture,email"
…
Authorization: Bearer "CAWx8Qv2EvZB0-{..省略..}-AvvtNhQZDZD"
…
1. fields: (the user_id from #6 is in the path)
74. #0 redirect_uri → #1 - code, token. 2018/3 Facebook: 1. redirect_uri 2. redirect_uri TLS
75. #1 state → #2 (#1) - CSRF code token
76. OAuth 2.0
77. "Access Token" / "OAuth" - Access token - Access token - token → OpenID Connect
78. Implicit Flow - token (token replace attack): http://www.thread-safe.com/2012/01/problem-with-oauth-for-authentication.html, https://www.sakimura.org/2012/02/1487/ → OpenID Connect
79. - Authorization Code Flow (Web) / Implicit Flow - OpenID Connect OAuth2.0
80. OpenID Connect
81. OpenID Connect • OpenID Connect Core 1.0 incorporating errata set 1: https://openid-foundation-japan.github.io/openid-connect-core-1_0.ja.html, http://openid.net/specs/openid-connect-core-1_0.html • OpenID Foundation (RFC)
82. OpenID Connect • OAuth 2.0 - OAuth Access token / ID token - token
83. OpenID Connect
84. OAuth 2.0 (OAuth 2.0) • TLS • Access token Authorization Bearer • Access token
85. Hybrid Flow ‣ token
86. Flow: 1. Authorization Code Flow 2. Implicit Flow 3. Hybrid Flow (Hybrid Flow: OpenID Connect, OAuth 2.0)
87. response_type & Flow
No | response_type       | Flow                                                        | Authorization Endpoint returns     | Token Endpoint returns
1  | code                | Authorization Code Flow (OAuth 2.0 Authorization Code Flow) | code                               | access token, ID token
2  | token               | Implicit Flow (OAuth 2.0 Implicit Flow)                     | access token (no ID token)         | -
3  | id_token            | Implicit Flow                                               | ID token (no access token)         | -
4  | id_token token      | Implicit Flow                                               | ID token, access token             | -
5  | code id_token       | Hybrid Flow (Authorization Code Flow part)                  | code, ID token                     | access token, ID token
6  | code token          | Hybrid Flow (Authorization Code Flow part)                  | code, access token                 | access token, ID token
7  | code token id_token | Hybrid Flow (Authorization Code Flow part)                  | code, access token, ID token       | access token, ID token
8  | none                | -                                                           | neither ID token nor access token  | -
88. ID ("ID") ID token ‣ ID token: the IdP's "ID" ‣ ID token: the IdP's "ID" for the RP (ID 74387592, ngzm, IdP)
89. ID token • "ID" IdP RP • JWT (JSON Web Token): RFC7519 JSON Web Token (JWT) https://tools.ietf.org/html/rfc7519 (Access token)
90. JWT: JSON Header, Claim (Payload), Signature; URL Safe
1. BASE64urlEncode the Header and the Claim
2. Join the results of 1 (Header, Claim) with '.'
3. Sign the result of 2 (HMAC SHA256, RS256, ES256 or PS256) to get the JWS Signature
4. BASE64urlEncode the result of 3
5. Join the result of 2 (Header '.' Claim) and the result of 4 with '.'
JWT = BASE64urlEncode(Header) + '.' + BASE64urlEncode(Claim) + '.' + BASE64urlEncode(JWS Signature)
91. JWT: Google ID token (JWT)
Header
{
"alg":"RS256",
"kid":"7158dc8572 {略} 20a35b073447"
}
1. alg: signature algorithm, RS256
2. kid: ID used to look up the RS256 public key
Claim
{
"iss":"accounts.google.com",
"at_hash":"HK6E_P6Dh8Y93mRNtsDB1Q",
"email_verified":"true",
"sub":"10769150350006150715113082367",
"azp":"3456789012.apps.google.com",
"email":"jsmith@example.com",
"aud":"3456789012.apps.google.com",
"iat":1353601026,
"exp":1353604926,
"nonce": "0394852-3190485-2490358"
}
1. iss: the IdP's ID
2. at_hash: hash of the access token generated together with this ID token
3. email_verified: email verification result
4. sub: the End User's internal Google ID
5. azp: the RP's client_id
6. email: the End User's email
7. aud: the RP's ID
8. iat: token issue time
9. exp: token expiry time
10. nonce: nonce
92. JWT (JS)
// JWT Header
let header = {};
header.alg = 'HS256'; // signature algorithm: 'HS256' when signing with HMAC SHA256
header.typ = 'JWT';   // declare the JWT format explicitly
// JWT Payload (Claim Set)
let claim = {};
const now = Math.floor(Date.now() / 1000); // NumericDate: seconds since the epoch
claim.iss = 'Identity Party ID'; // identifier of the JWT issuer → the IdP's ID
claim.sub = 'End User ID';       // end-user identifier → end user ID
claim.nbf = now;                 // time the JWT becomes valid
claim.iat = now;                 // time the JWT was issued
claim.exp = now + 3600;          // JWT expiry time (one hour chosen here)
claim.jti = 'unique ID';         // arbitrary string that uniquely identifies this JWT
claim.aud = 'Relying Party ID';  // identifier of the JWT audience → the RP's ID
// Secret Key
const secret_key = 'XXXXXXXXXX'; // secret key for the HMAC SHA256 signature → client_secret
// Generate JWT (example using the jsrsasign JS library)
const jwt = KJUR.jws.JWS.sign('HS256', JSON.stringify(header), JSON.stringify(claim), secret_key);
93. Userinfo Endpoint ‣ OAuth 2.0 Access token ‣ OpenID Connect Access token → Userinfo Endpoint
94. OpenID Connect Flow
95. Flow: 1. Authorization Code Flow 2. Implicit Flow 3. Hybrid Flow https://qiita.com/TakahikoKawasaki/items/4ee9b55db9f7ef352b47
96. Authorization Code Flow (response_type=code) • OAuth 2.0 Authorization Code Flow
97. [Sequence diagram: OpenID Connect Authorization Code Flow (response_type = code). End-User, Relying Party (App) and Identity Provider with Authorization endpoint, Token endpoint and UserInfo endpoint. Login and OK at the Authorization endpoint, code returned by redirect, the client (client_id, client_secret) exchanges the code at the Token endpoint for an access token and ID token; the ID token's at_hash claim is checked against the access token; user information is fetched from the UserInfo endpoint.]
98. Implicit Flow: response_type=token, response_type=id_token, response_type=token id_token (SPA, JS)
99. [Sequence diagram: OpenID Connect Implicit Flow (response_type = token id_token). The access token and id_token are returned directly by redirect from the Authorization endpoint; no Token endpoint call and no client_secret, client_id only; the ID token's at_hash claim is checked against the access token; user information from the Resource endpoint.]
100. Hybrid Flow: response_type=code token, response_type=code id_token, response_type=code token id_token • OAuth 2.0 Implicit Flow + Authorization Code Flow - Implicit Flow part: Access token / ID token - Authorization code Flow part: code → Access token / ID token
101. [Sequence diagram: Hybrid Flow, response_type = code token. The Authorization endpoint returns code and access token by redirect; the Relying Party exchanges the code at the Token endpoint for an access token and ID token; user information from the UserInfo endpoint.]
102. [Sequence diagram: Hybrid Flow, response_type = code token id_token. The Authorization endpoint returns code, access token and id_token by redirect; the Relying Party exchanges the code at the Token endpoint for an access token and ID token; user information from the UserInfo endpoint.]
103. OpenID Connect
104. • Google OpenID Connect: 1. Authorization code Flow 2. Implicit Flow (Hybrid Flow) → Authorization Code Flow
105. [Sequence diagram: OpenID Connect Authorization Code Flow on Google. #1 START: redirect to the Authorization endpoint (login, OK), #2 code returned by redirect, #3 Access token + ID token request (Token endpoint), #4 Access token + ID token response, #5 ID token, #6, #7 UserInfo endpoint call for user information.]
106. #0 Google API Console https://console.developers.google.com/ • 1. 2. 3. URL 4. JavaScript 5. URI (OAuth URL) • 1. ID = OAuth Client ID 2. Secret = OAuth Client Secret (Google URI, Secret)
107. #1 Redirect to Google Authorization Endpoint
Location: https://accounts.google.com/o/oauth2/v2/auth
?client_id="3456789012.apps.google.com"
&response_type="code"
&scope="openid email profile"
&redirect_uri="https://my-redirect-uri"
&state="random_text_data_agaist_csrf"
&nonce="0394852-3190485-2490358"
1. client_id: the "ID" from #0
2. response_type: "code" = Authorization Code Flow, "token id_token" = Implicit Flow
3. scope: "openid" (OpenID Connect), "email", "profile"
4. redirect_uri: the redirect_uri from #0
5. state: CSRF
6. nonce: Replay Attack
(state: CSRF; nonce: openid, code)
108. #2 OK
https://my-callback-uri
?state="random_text_data_agaist_csrf"
&code="4/P7q7W91a-oMsCeLvIaQm6bTrgtp7"
1. state: the state from #1 (CSRF, #1)
2. code: the code, exchanged for the access token in #3 / #4 (#1 redirect_uri, state #1)
109. #3 Access token, ID token (POST URL of Google Token Endpoint)
POST https://www.googleapis.com/oauth2/v4/token HTTP/1.1
Content-Type: application/x-www-form-urlencoded
...
code="4/P7q7W91a-oMsCeLvIaQm6bTrgtp7"
&client_id="3456789012.apps.google.com"
&client_secret="60abc01dab6ae4b0f8acf2abaf1"
&redirect_uri="https://my-redirect-uri"
&grant_type="authorization_code"
1. code: the code from #2
2. client_id: the "ID" from #0
3. client_secret: the "Secret" from #0
4. redirect_uri: the redirect_uri from #0
5. grant_type: "authorization_code"
110. #4 Access token, ID token (Response body from Google Token Endpoint, JSON)
{
"access_token": "df7773dbc8b7d-{..省略..}-8a91ae2372e1",
"id_token": "eyJhbGJSLKDFJKLSzI1NiJ9.eyJ3MiOit-{..省略..}-81ae2372e1.jMgjfEYmy-{..省略..}-S5Iv5ZP5ZA",
"token_type": "bearer",
"expires_in": 5180974
}
1. access_token: Access token
2. id_token: ID token
3. token_type: token (OK)
4. expires_in:
111. #5 ID token (the Google ID token's Payload; the nonce must equal the nonce sent in #1)
{
"iss":"accounts.google.com",
"at_hash":"HK6E_P6Dh8Y93mRNtsDB1Q",
"email_verified":"true",
"sub":"10769150350006150715113082367",
"azp":"3456789012.apps.google.com",
"email":"jsmith@example.com",
"aud":"3456789012.apps.google.com",
"iat":1353601026,
"exp":1353604926,
"nonce": "0394852-3190485-2490358"
}
1. iss: the IdP's ID
2. at_hash: access token
3. email_verified: the End User's email
4. sub: the End User's Google ID
5. azp: the RP's client_id
6. email: the End User's email
7. aud: the RP's ID
8. iat: token
9. exp: token
10. nonce: the nonce from #1
(access token, End User ID, IdP, RP)
112. #7 GET URL of Google Userinfo Endpoint (Authorization: Bearer with the access token from #4)
GET https://www.googleapis.com/oauth2/v3/userinfo
…
Authorization: Bearer "df7773dbc8b7d-{..省略..}-8a91ae2372e1"
…
113. #0 redirect_uri → #1 - code, token; state #1 → #2 (#1) - CSRF code token (Google)
114. nonce #1 → #5: Replay Attack - Replay Attack; nonce (Replay Attack); Implicit Flow / Hybrid Flow: nonce
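The JWT construction of slides 90 and 92 and the ID token checks of slides 111 and 114 (signature, iss, aud/azp, exp, nonce, at_hash), as an added Python example that is not the presentation's code or the auths-demo project's. One assumption is made so it runs offline: HS256 with a shared secret stands in for Google's RS256, so the signature check uses the shared key instead of the public key selected by the header's kid. The issuer, client_id, nonce and claim names are the slide values; the secret, the access token, the one-hour lifetime and the function names are assumptions made here.

```python
import base64
import hashlib
import hmac
import json

# Constructed for this example: HS256 shared secret instead of Google's RS256 key pair.
CLIENT_SECRET = b"constructed-client-secret"
ISSUER = "accounts.google.com"
CLIENT_ID = "3456789012.apps.google.com"


def b64url(data: bytes) -> str:
    """BASE64urlEncode of slide 90: URL-safe alphabet with the padding removed."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jws_sign_hs256(header: dict, claims: dict, key: bytes) -> str:
    """Slide 90 steps 1-5: encode header and claims, join with '.', HMAC-SHA256 the result,
    encode the signature and append it."""
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode()) + "." +
                     b64url(json.dumps(claims, separators=(",", ":")).encode()))
    signature = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(signature)


def at_hash(access_token: str) -> str:
    """OpenID Connect at_hash for a 256-bit hash alg: base64url of the left half of
    SHA-256(access_token). Lets the RP confirm the access token belongs to this ID token."""
    digest = hashlib.sha256(access_token.encode()).digest()
    return b64url(digest[: len(digest) // 2])


def issue_id_token(access_token: str, nonce: str, now: int,
                   sub: str = "10769150350006150715113082367") -> str:
    """IdP side (#3 / #4): mint an ID token that carries the nonce received in #1."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "sub": sub, "aud": CLIENT_ID, "azp": CLIENT_ID,
              "iat": now, "exp": now + 3600, "nonce": nonce, "at_hash": at_hash(access_token)}
    return jws_sign_hs256(header, claims, CLIENT_SECRET)


def validate_id_token(token: str, expected_nonce: str, access_token: str, now: int) -> dict:
    """RP side (#5): verify signature, iss, aud/azp, exp, nonce and at_hash.
    Raises ValueError naming the failed check; returns the claims when every check holds."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    h, c, s = parts
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "HS256":  # the RP decides the algorithm, never the token
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(CLIENT_SECRET, f"{h}.{c}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(b64url_decode(s), expected_sig):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(c))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not intended for this RP")
    if "azp" in claims and claims["azp"] != CLIENT_ID:
        raise ValueError("authorized party mismatch")
    if now >= claims.get("exp", 0):
        raise ValueError("expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch: replayed or foreign ID token")
    if claims.get("at_hash") != at_hash(access_token):
        raise ValueError("at_hash mismatch: access token was not issued with this ID token")
    return claims
```

The nonce check is the replay defence slide 114 describes: the RP stores the nonce it sent in #1 with the session and accepts an ID token only if it echoes that value, so a token captured from another session, or presented a second time, is rejected even though its signature is valid. The at_hash check is what stops an attacker from pairing a valid ID token with a different access token in the Implicit and Hybrid flows.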
115. OpenID Connect
116. • OAuth 1.0 OAuth 2.0 OpenID OpenID Connect ... OpenID Connect
117. • OAuth 1.0 OAuth 2.0 • OpenID Connect
118. • OAuth 1.0 → OAuth 2.0 → OpenID Connect • OAuth 1.0 OAuth 2.0 • OpenID Connect: OAuth 2.0 + ID token
119. • OAuth 1.0 ‣ TLS ‣ Replay Attack
120. • OAuth 2.0 ‣ TLS ‣ token ‣ CSRF, Redirect URI
121. • OpenID Connect ‣ TLS (OAuth 2.0) ‣ ID token IdP ID ID ‣ ID token, Access token ‣ CSRF, Redirect URI, Replay Attack
122. • RFC and OpenID Foundation
- https://tools.ietf.org/html/rfc5849 (5849: OAuth 1.0)
- https://tools.ietf.org/html/rfc6749 (6749: OAuth 2.0)
- https://tools.ietf.org/html/rfc6750 (6750: Bearer token)
- http://openid.net/specs/openid-connect-core-1_0.html (OpenID Connect)
• RFC and OpenID Foundation (Japanese translations)
- https://openid-foundation-japan.github.io/rfc5849.ja.html
- https://openid-foundation-japan.github.io/rfc6749.ja.html
- https://openid-foundation-japan.github.io/rfc6750.ja.html
- https://openid-foundation-japan.github.io/openid-connect-core-1_0.ja.html
• OAuth & OpenID Connect RFC
- https://qiita.com/TakahikoKawasaki/items/185d34814eb9f7ac7ef3
123. • OAuth 1.0 on Twitter
- https://developer.twitter.com/en/docs/basics/authentication/overview/oauth
- https://dev.twitter.com/web/sign-in/implementing
- https://syncer.jp/Web/API/Twitter/REST_API/
• OAuth 2.0
- https://qiita.com/TakahikoKawasaki/items/200951e5b5929f840a1f
- https://www.buildinsider.net/enterprise/openid/oauth20
- http://www.atmarkit.co.jp/fsmart/articles/oauth2/01.html
• OAuth 2.0 on Facebook
- https://developers.facebook.com/
- https://developers.facebook.com/docs/facebook-login/manually-build-a-login-flow
- http://tech.vasily.jp/entry/facebook_graph_api
124. • OpenID Connect
- https://www.slideshare.net/kura_lab/openid-connect-id
- https://www.slideshare.net/matake/connect-intro-dev-love
- https://qiita.com/TakahikoKawasaki/items/4ee9b55db9f7ef352b47
- https://www.buildinsider.net/enterprise/openid/connect
- https://tools.ietf.org/html/rfc7519 (RFC)
- https://hiyosi.tumblr.com/post/70073770678/jwt%E3%81%AB%E3%81%A4%E3%81%84%E3%81%A6%E7%B0%A1%E5%8D%98%E3%81%AB%E3%81%BE%E3%81%A8%E3%82%81%E3%81%A6%E3%81%BF%E3%81%9F
• OpenID Connect on Google
- https://developers.google.com/identity/protocols/OpenIDConnect
125. •
- https://tools.ietf.org/html/rfc6819 (RFC)
- http://www.thread-safe.com/2012/01/problem-with-oauth-for-authentication.html
- http://www.atmarkit.co.jp/ait/articles/1710/24/news011.html
