アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -
- 3. Web
- URL
https://webgame.link/auths/
- Github Ruby on Rails
https://github.com/ngzm/auths-demo
- 13. OK!
[Diagram: End-User logs in with ID/PWD; Relying Party (RP); Identity Provider (IdP), called the OpenID Provider (OP) in OpenID Connect; Authorization endpoint, Token endpoint, ID Token]
- 15. OAuth 1.0
• RFC5849 - The OAuth 1.0 Protocol
https://openid-foundation-japan.github.io/rfc5849.ja.html
https://tools.ietf.org/html/rfc5849
• 2010 4 RFC 8
- 22. OAuth OAuth
Twitter
I. consumer_key consumer_secret
II. request token request token secret
III. access token access token secret
OAuth 1.0
OAuth OAuth
Ⅰ
- 24. 1.
• access token token
• timestamp nonce
•
2.
• OAuth
3. HMAC-SHA1
• 2
https://syncer.jp/Web/API/OAuth/
- 30. • Twitter OAuth
1. OAuth 1.0
2. OAuth 2.0 Client Credentials Flow
( OAuth 2.0 )
OAuth 1.0
- 33. #1
Request token
POST https://api.twitter.com/oauth/request_token HTTP/1.1
…
…
Content-Type: application/x-www-form-urlencoded
Authorization: OAuth
oauth_consumer_key="xvz1evFS4wEEPTGEFPHBog",
oauth_callback="https://my-callback-host/my-callback/path/",
oauth_nonce="kYjzVBB8Y0ZFabxSWbWovY3uYSQ2pTgmZeNu2VS4cg",
oauth_signature="tnnArxj06cWHq44gCs1OSKk%2FjLY%3D",
oauth_signature_method="HMAC-SHA1",
oauth_timestamp="1318622958",
oauth_version="1.0"
…
1. consumer_key :
#0 "Consumer Key"
2. callback :
"callback uri"
3. nonce :
Replay Attack
4. signature :
#0 "Consumer Secret"
5. signature_method :
twitter HMAC-SHA1
6. timestamp :
Replay Attack
POST URL of Twitter Request Token Endpoint
- 37. #5
Access token
POST https://api.twitter.com/oauth/access_token HTTP/1.1
…
…
Content-Type: application/x-www-form-urlencoded
Authorization: OAuth
oauth_consumer_key="xvz1evFS4wEEPTGEFPHBog",
oauth_nonce="BB8Y0ZFuYSe4vQ2pTgmZbxSWbWovY3",
oauth_signature="Hq4gCs1rx4Kkj06cOStnnAW%2FjLY%3D",
oauth_signature_method="HMAC-SHA1",
oauth_token="mFyphbOybZCKfoZWurAU7dbcTnFoUeksGfVyFauFWM",
oauth_verifier="TGUMMyQWCSJGKiXlUlQmgRQEYMv8mkIt5cHPERUgvw",
oauth_timestamp="1318623847",
oauth_version="1.0"
…
1. consumer_key :
#0 "Consumer Key"
2. nonce :
Replay Attack
3. signature :
#0 Consumer Secret #2
request_token_secret
4. signature_method :
twitter HMAC-SHA1
5. token :
#4 oauth token
6. verifier :
#4 oauth verifier
7. timestamp :
Replay Attack
POST URL of Twitter Token Endpoint
- 40. #0 callback #1
-
token
#1 #5 #7 timestamp nonce
- access token Replay Attack
- 45. OAuth 2.0
• RFC6749 - The OAuth 2.0 Authorization Framework
https://openid-foundation-japan.github.io/rfc6749.ja.html
https://tools.ietf.org/html/rfc6749
• 2012 10 RFC
• OAuth 1.0
- 49. OAuth 2.0
1. Authorization Code Flow Client Type Confidential
2. Implicit Flow Client Type Public
3. Client Credentials Flow
4. Resource Owner Password Credentials Flow
5. Refreshing an Access Token token
- 50. Client Type
Client Type "Confidential" "Public"
1. Confidential ... Web
‣ OAuth Client
‣ Authorization code Flow
2. Public ...
‣
OAuth Client
‣ Implicit Flow
- 55. Authorization Header
Token Authorization Header
Bearer
RFC6750 - The OAuth 2.0 Authorization Framework: Bearer Token Usage
https://tools.ietf.org/html/rfc6750
https://openid-foundation-japan.github.io/rfc6750.ja.html
Authorization: Bearer mF_9.B5f-4.1JqM
Authorization header
access token
- 59. Flow
1. Authorization Code Flow
Client Type Confidential
2. Implicit Flow
Client Type Public
https://qiita.com/TakahikoKawasaki/items/200951e5b5929f840a1f
- 66. • Facebook OAuth 2.0
1. Authorization code Flow
2. Implicit Flow
3. Hybrid Flow
( Hybrid Flow OpenID Connect )
Authorization Code Flow
- 75. #6
Access token
{
"data": {
"app_id": 245678901234567,
"type": "USER",
"application": "MyApplication",
"expires_at": 1386248263,
"is_valid": true,
"issued_at": 1386251863,
"metadata": {
"sso": "iphone-safari"
},
"scopes": [
"email",
"publish_actions"
],
"user_id": "1234567"
}
}
1. app_id :
#0 client_id
token
2. user_id :
user_id
Response body from Facebook Token Debug Endpoint
Json
- 80. "Access Token" "OAuth"
- Access token
- Access token
- token
OpenID Connect
- 81. Implicit Flow
- token (token replace attack)
http://www.thread-safe.com/2012/01/problem-with-oauth-for-authentication.html
https://www.sakimura.org/2012/02/1487/
OpenID Connect
- 84. OpenID Connect
• OpenID Connect Core 1.0 incorporating errata set 1
https://openid-foundation-japan.github.io/openid-connect-core-1_0.ja.html
http://openid.net/specs/openid-connect-core-1_0.html
• OpenID Foundation RFC
•
- 90. response_type & Flow
No response_type Flow
1 code
Authorization
Code Flow
OAuth 2.0 Authorization Code Flow
Authorization Endpoint code
Token Endpoint code access token ID token
2 token Implicit Flow
OAuth 2.0 Implicit Flow
Authorization Endpoint access token ID token
3 id_token Implicit Flow Authorization Endpoint ID token access token
4 id_token token Implicit Flow Authorization Endpoint ID token access token
5 code id_token Hybrid Flow
Authorization Code Flow
Authorization Endpoint code ID token
Token Endpoint code access token ID token
6 code token Hybrid Flow
Authorization Code Flow
Authorization Endpoint code access token
Token Endpoint code access token ID token
7 code token id_token Hybrid Flow
Authorization Code Flow
Authorization Endpoint code access token ID token
Token Endpoint code access token ID token
8 none - ID token access token
‣ response_type
- 91. ID
"ID"
ID token
‣ ID token IdP "ID"
‣ ID token IdP "ID" RP
ID 74387592 ngzm IdP
- 92. ID token
• "ID" IdP RP
•
• JWT JSON Web Token
RFC7519 JSON Web Token (JWT) https://tools.ietf.org/html/rfc7519
Access token
- 93. JWT
JSON Header Claim (Payload)
Signature URL Safe
1. Header Claim BASE64urlEncode
2. 1 Header Claim '.'
3. 2 HMAC SHA256 RS256 ES256 PS256
JWS Signature
4. 3 BASE64urlEncode
5. 2 Header Claim '.' 4
JWT
BASE64urlEncode(Header) + '.' + BASE64urlEncode(Claim) + '.' + BASE64urlEncode(JWS Signature)
- 94. JWT
Google ID token JWT
Header
{
"alg":"RS256",
"kid":"7158dc8572 {略} 20a35b073447"
}
Claim
{
"iss":"accounts.google.com",
"at_hash":"HK6E_P6Dh8Y93mRNtsDB1Q",
"email_verified":"true",
"sub":"10769150350006150715113082367",
"azp":"3456789012.apps.google.com",
"email":"jsmith@example.com",
"aud":"3456789012.apps.google.com",
"iat":1353601026,
"exp":1353604926,
"nonce": "0394852-3190485-2490358",
}
1. iss: the IdP's ID
2. at_hash: hash of the access token issued together with this ID token
3. email_verified: result of email verification
4. sub: the End User's internal Google ID
5. azp: the RP's client_id
6. email: the End User's email
7. aud: the RP's ID
8. iat: token issue time
9. exp: token expiration time
10. nonce: nonce
1. alg: signature algorithm, RS256
2. kid: ID used to look up the RS256 public key
access token
- 95. JWT js
const { KJUR } = require('jsrsasign'); // npm package that provides KJUR.jws.JWS
// JWT Header
let header = {};
header.alg = 'HS256'; // signature algorithm: 'HS256' when signing with HMAC SHA256
header.typ = 'JWT'; // states explicitly that this is a JWT
// JWT Payload (Claim Set)
const now = Math.floor(Date.now() / 1000); // NumericDate claims are seconds since the epoch
let claim = {};
claim.iss = 'Identity Party ID'; // identifier of the JWT issuer → the IdP's ID
claim.sub = 'End User ID'; // end-user identifier → end user ID
claim.nbf = now; // time from which the JWT is valid
claim.iat = now; // time the JWT was issued
claim.exp = now + 3600; // JWT expiration time
claim.jti = 'unique ID'; // arbitrary string that uniquely identifies this JWT
claim.aud = 'Relying Party ID'; // identifier of the JWT's intended recipient → the RP's ID
// Secret Key
const secret_key = 'XXXXXXXXXX'; // secret key for the HMAC SHA256 signature → client_secret
// Generate JWT (example using the jsrsasign JS library)
const jwt = KJUR.jws.JWS.sign('HS256', JSON.stringify(header), JSON.stringify(claim), secret_key);
- 102. response_type = token id_token
[Sequence diagram: End-User, Relying Party (App) and Identity Provider (Authorization endpoint, Token endpoint, Resource endpoint); login, redirect back to the App with access token and id_token, the ID token's at_hash claim checked against the access token, User Information retrieved; the client is identified by client_id and client_secret]
- 105. code access token, id_token
[Sequence diagram for response_type = code token id_token: End-User, Relying Party (App) and Identity Provider (Authorization endpoint, Token endpoint, UserInfo endpoint); login, redirect back to the App with code, access token and ID token, the code exchanged at the Token endpoint for an access token and ID token, User Information retrieved from the UserInfo endpoint]
- 108. • Google OpenID Connect
1. Authorization code Flow
2. Implicit Flow
( Hybrid Flow )
Authorization Code Flow
- 113. #3
Access token, ID token
POST https://www.googleapis.com/oauth2/v4/token HTTP/1.1
Content-Type: application/x-www-form-urlencoded
...
...
code="4/P7q7W91a-oMsCeLvIaQm6bTrgtp7"
&client_id="3456789012.apps.google.com"
&client_secret="60abc01dab6ae4b0f8acf2abaf1"
&redirect_uri="https://my-redirect-uri"
&grant_type="authorization_code"
1. code
#2 code
2. client_id :
#0 " ID"
3. client_secret
#0 " Secret"
4. redirect_uri:
#0 redirect_uri
5. grant_type
"authorization_code"
POST URL of Google Token Endpoint
- 114. #4
Access token, ID token
{
"access_token": "df7773dbc8b7d-{..省略..}-8a91ae2372e1",
"id_token": "eyJhbGJSLKDFJKLSzI1NiJ9
.eyJ3MiOit-{..省略..}-81ae2372e1
.jMgjfEYmy-{..省略..}-S5Iv5ZP5ZA",
"token_type": "bearer",
"expires_in": 5180974
}
1. access_token :
Access token
2. id_token :
ID token
3. token_type :
token
OK
4. expires_in :
Response body from Google Token Endpoint Json
Access token
ID token
- 115. #5
ID token
{
"iss":"accounts.google.com",
"at_hash":"HK6E_P6Dh8Y93mRNtsDB1Q",
"email_verified":"true",
"sub":"10769150350006150715113082367",
"azp":"3456789012.apps.google.com",
"email":"jsmith@example.com",
"aud":"3456789012.apps.google.com",
"iat":1353601026,
"exp":1353604926,
"nonce": "0394852-3190485-2490358",
}
1. iss :
IdP ID
2. at_hash :
access token
3. email_verified :
End User email
4. sub :
End User google ID
5. azp
RP client_id
6. email
End User email
7. aud
RP ID
8. iat
token
9. exp
token
10.nonce
1 nonce
Google ID token 's Payload
nonce #1
access token
End User ID
IdP
RP
- 118. nonce #1 #5
Replay Attack
- Replay Attack
nonce Replay Attack
Implicit Flow Hybrid Flow nonce
- 120. •
• OAuth 1.0 OAuth 2.0 OpenID
OpenID Connect
...
OpenID Connect
- 122. •
• OAuth 1.0 OAuth 2.0
• OpenID Connect
- 123. • OAuth 1.0 → OAuth 2.0 → OpenID Connect
• OAuth 1.0 OAuth 2.0
• OpenID Connect OAuth 2.0
ID token
- 126. • OpenID Connect
‣ TLS OAuth 2.0
‣
‣ ID token IdP ID
ID
‣ ID token Access token
‣ CSRF Redirect URI Replay Attack
- 127. • RFC and OpenID Foundation
- https://tools.ietf.org/html/rfc5849 (5849: OAuth 1.0)
- https://tools.ietf.org/html/rfc6749 (6749: OAuth 2.0)
- https://tools.ietf.org/html/rfc6750 (6750: Bearer token)
- http://openid.net/specs/openid-connect-core-1_0.html (OpenID Connect)
• RFC and OpenID Foundation
- https://openid-foundation-japan.github.io/rfc5849.ja.html
- https://openid-foundation-japan.github.io/rfc6749.ja.html
- https://openid-foundation-japan.github.io/rfc6750.ja.html
- https://openid-foundation-japan.github.io/openid-connect-core-1_0.ja.html
• OAuth & OpenID Connect RFC
- https://qiita.com/TakahikoKawasaki/items/185d34814eb9f7ac7ef3
- 128. • OAuth 1.0 on Twitter
- https://developer.twitter.com/en/docs/basics/authentication/overview/oauth
- https://dev.twitter.com/web/sign-in/implementing
- https://syncer.jp/Web/API/Twitter/REST_API/
• OAuth 2.0
- https://qiita.com/TakahikoKawasaki/items/200951e5b5929f840a1f
- https://www.buildinsider.net/enterprise/openid/oauth20
- http://www.atmarkit.co.jp/fsmart/articles/oauth2/01.html
• OAuth 2.0 on Facebook
- https://developers.facebook.com/
- https://developers.facebook.com/docs/facebook-login/manually-build-a-login-flow
- http://tech.vasily.jp/entry/facebook_graph_api
- 129. • OpenID Connect
- https://www.slideshare.net/kura_lab/openid-connect-id
- https://www.slideshare.net/matake/connect-intro-dev-love
- https://qiita.com/TakahikoKawasaki/items/4ee9b55db9f7ef352b47
- https://www.buildinsider.net/enterprise/openid/connect
- https://tools.ietf.org/html/rfc7519 (RFC)
- https://hiyosi.tumblr.com/post/70073770678/jwt%E3%81%AB%E3%81%A4%E3%81%84%E3%81%A6%E7%B0%A1%E5%8D%98%E3%81%AB%E3%81%BE%E3%81%A8%E3%82%81%E3%81%A6%E3%81%BF%E3%81%9F
• OpenID Connect on Google
- https://developers.google.com/identity/protocols/OpenIDConnect