アプリケーション開発エンジニアが、OAuth 1.0 や OAuth 2.0、および OpenID Connect を活用したユーザ認可と認証機能を実装するにあたって、いろいろ調べた情報をベースに作成したものです。 これから認可・認証技術を学びたいという、特にアプリ開発エンジニアの助けになれば幸いです。

1. OAuth1.0 / OAuth2 / Opened Connect

2. OAuth 1.0 OAuth 2.0 OpenID Connect
Web

3. Web
- URL
https://webgame.link/auths/
- Github Ruby on Rails
https://github.com/ngzm/auths-demo

4. OAuth 1.0 OAuth 2.0 OpenID Connect
RFC

5. Naoki Nagazumi
Johnny Depp
vue.js
Ruby
SIer
Twitter: @nk_ngzm
GitHub: https://github.com/ngzm/
Blog: http://ngzm.hateblo.jp/

7. Authorization
•
•
→

8. Authentication
•
• ID

9. OAuth 1.0
OAuth 2.0
OpenID Connect

10. ok
XX
ID PWD

11. Resource endpoint
ok
XX
ID PWD
Authorization endpoint
Access
Token
Token endpoint
Resource Owner OAuth Client
OAuth Server
OAuth

12. OK!
ID PWD

13. OK!
ID PWD
End-User Relying Party
(RP)
Identity Provider
(IdP)
Authorization endpoint
ID Token
Token endpoint
OpenID Connect
OpenID Provider
(OP)

14. OAuth 1.0

15. OAuth 1.0
• RFC5849 - The OAuth 1.0 Protocol
https://openid-foundation-japan.github.io/rfc5849.ja.html
https://tools.ietf.org/html/rfc5849
• 2010 4 RFC 8

16. OAuth 1.0
•
•

17. OAuth 1.0
Flow

18. App
App
Request token
endpoint
Authorization
endpoint
Token
endpoint
Resource
endpoint
Redirect
Redirect
Oauth Token
OAuth
Client
Resource
Owner
OAuth
Server
Access Token
OAuth
START
OK
Client
User Information
login
token
token
request
token
client
access
token
oauth
token
request
token
Access token
client

19. OAuth 1.0

20.
Web
‣

21.
‣

22. OAuth OAuth
Twitter
I. consumer_key consumer_secret
II. request token request token secret
III. access token access token secret
OAuth 1.0
OAuth OAuth
Ⅰ

23. Signature
OAuth
•
•
• HMAC-SHA1

24. 1.
• access token token
• timestamp nonce
•
2.
• OAuth
3. HMAC-SHA1
• 2
https://syncer.jp/Web/API/OAuth/

25. Authorization Header
OAuth
Authorization
OAuth

26. Authorization Header
Authorization: OAuth
oauth_consumer_key="xvz1evFS4wEEPTGEFPHBog",
oauth_nonce="kYjzVBB8Y0ZFabxSWbWovY3uYSQ2pTgmZeNu2VS4cg",
oauth_signature="tnnArxj06cWHq44gCs1OSKk%2FjLY%3D",
oauth_signature_method="HMAC-SHA1",
oauth_timestamp="1318622958",
oauth_token="370773112-GmHxMAgYyLbNEtIKZeRNFsMKPR9EyMZeS9weJAEb",
oauth_version="1.0"
customer_key
nonce
token
(access token )

27. TSL SSL
TSL SSL
-
-
- timestamp nonce

28. OAuth 1.0

30. • Twitter OAuth
1. OAuth 1.0
2. OAuth 2.0 Client Credentials Flow
( OAuth 2.0 )
OAuth 1.0

31. App
App
Request token
Endpoint
Authorization
Endpoint
Token
Endpoint
Resource
Endpoint
#2. Request token
#1. Request toke
#3.
Redirect
Redirect
#5. Access token
OAuth
Client
Resource
Owner
OAuth
Server
#4. OK
#6. Access token
#7.
AuthDemo
START
OK
Access token
Client
User Information
login
token
token
token
client
access
token
oauth
token
request
token
Twitter

32. #0
Twitter Application Management
https://apps.twitter.com/
•
1. Name
2. Description
3. Website URL
4. Callback URL OAuth URL
•
1. Consumer Key (API Key) OAuth Client ID
2. Consumer Secret (API Secret) OAuth Client Secret
Redirect URI
Callback URL
ON
Consumer Secret

33. #1
Request token
POST https://api.twitter.com/oauth/request_token HTTP/1.1
…
…
Content-Type: application/x-www-form-urlencoded
Authorization: OAuth
oauth_consumer_key="xvz1evFS4wEEPTGEFPHBog",
oauth_callback="https://my-callback-host/my-callback/path/",
oauth_nonce="kYjzVBB8Y0ZFabxSWbWovY3uYSQ2pTgmZeNu2VS4cg",
oauth_signature="tnnArxj06cWHq44gCs1OSKk%2FjLY%3D",
oauth_signature_method="HMAC-SHA1",
oauth_timestamp="1318622958",
oauth_version="1.0"
…
1. consumer_key :
#0 "Consumer Key"
2. callback :
"callback uri"
3. nonce :
Replay Attack
4. signature :
#0 "Consumer Secret"
5. signature_method :
twitter HMAC-SHA1
6. timestamp :
Replay Attack
POST URL of Twitter Request Token Endpoint

34. #2
Request token
oauth_token="5mb9VtYwa27HTVjK5OhoyyI503dWoPndDQ9G4V8yCI"
&oauth_token_secret="4dW4gGLic6oItvd0YySWRU5aLjBQsw1N9xDC3Wkqw"
&oauth_callback_confirmed="true"
1. oauth_token :
Request token
token
2. oauth_token_secret :
Request token secret
access token
3. oauth_callback_confirmed :
oauth_callback
true
Response body from Twitter Request Token Endpoint

35. #3
https://api.twitter.com/oauth/authorize?oauth_token="5mb9VtYwa27HTVjK5OhoyyI503dWoPndDQ9G4V8yCI"
oauth_token : #2 Request token
Redirect to Twitter Authorization Endpoint

36. #4
OK
https://my-callback-host/my-callback/path/
?oauth_token="mFyphbOybZCKfoZWurAU7dbcTnFoUeksGfVyFauFWM"
&oauth_verifier="TGUMMyQWCSJGKiXlUlQmgRQEYMv8mkIt5cHPERUgvw"
1. oauth_token :
oauth token
token
2. oauth_verifier:
oath token
access token
Redirect from Twitter Authorization Endpoint
#1 callback

37. #5
Access token
POST https://api.twitter.com/oauth/access_token HTTP/1.1
…
…
Content-Type: application/x-www-form-urlencoded
Authorization: OAuth
oauth_consumer_key="xvz1evFS4wEEPTGEFPHBog",
oauth_nonce="BB8Y0ZFuYSe4vQ2pTgmZbxSWbWovY3",
oauth_signature="Hq4gCs1rx4Kkj06cOStnnAW%2FjLY%3D",
oauth_signature_method="HMAC-SHA1",
oauth_token="mFyphbOybZCKfoZWurAU7dbcTnFoUeksGfVyFauFWM",
oauth_verifier="TGUMMyQWCSJGKiXlUlQmgRQEYMv8mkIt5cHPERUgvw",
oauth_timestamp="1318623847",
oauth_version="1.0"
…
1. consumer_key :
#0 ”Consumer Key”
2. nonce :
Replay Attack
3. signature :
#0 Consumer Secret #2
request_token_secret
4. signature_method :
twitter HMAC-SHA1
5. token :
#4 oauth token
6. verifier :
#4 oath verifier
7. timestamp :
Replay Attack
POST URL of Twitter Token Endpoint

38. #6
Access token
oauth_token="1528352858-UUCjYDVcLC4V34xHob5XTxboEgJWLwp9aIGSrBC"
&oauth_token_secret="VNhCQye7rX4P4u2OIuDHOgdSBATgZV3qWvJ8uSLkXqP25"
&user_id="12345678901"
&screen_name="nk_ngzm"
1. oauth_token :
access token
2. oauth_token_secret :
access token secret
3. user_id :
Twitter user_id
4. screen_name
Twitter
Response body from Twitter Token Endpoint

39. #7
GET https://api.twitter.com/1.1/users/show.json?user_id=12345678901
…
…
Authorization: OAuth
oauth_consumer_key="xvz1evFS4wEEPTGEFPHBog",
oauth_nonce="FabxSWbkYjzBB8Y0ZWVovY3uu2pTgmZeN",
oauth_signature="CStnHscOx4Kkj06q4gn1rAW%2FjLY%3D",
oauth_signature_method="HMAC-SHA1",
oauth_token="1528352858-UUCjYDVcLC4V34xHob5XTxboEgJWLwp9aIGSrBC",
oauth_timestamp=“13186248263",
oauth_version="1.0"
…
1. consumer_key :
#0 Consumer Key
2. nonce :
Replay Attack
3. signature :
#0 Consumer Secret
#6 access_token_secret
4. signature_method :
twitter HMAC-SHA1
5. token :
#6 access token
6. timestamp :
Replay Attack
URL of Twitter Resource Endpoint ( )GET
#6 Twitter user_id

40. #0 calback #1
-
token
#1 #5 #7 timestamp nonce
- access token Replay Attack

41. OAuth 1.0

42. i.
ii.
OAuth 2.0
OpenID Connect

43.
OAuth 2.0

44. OAuth 2.0

45. OAuth 2.0
• RFC6749 - The OAuth 2.0 Authorization Framework
https://openid-foundation-japan.github.io/rfc6749.ja.html
https://tools.ietf.org/html/rfc6749
• 2012 10 RFC
• Oauth 1.0

46. OAuth 2.0
• OAuth 1.0
• OAuth 1.0 OAuth 2.0
•
…

47. OAuth 2.0

48.
‣ SPA JS
‣

49. OAuth 2.0
1. Authorization Code Flow Client Type Confidential
2. Implicit Flow Client Type Public
3. Client Credentials Flow
4. Resource Owner Password Credentials Flow
5. Refreshing an Access Token token

50. Client Type
Client Type "Confidential" "Public"
1. Confidential ... Web
‣ OAuth Client
‣ Authorization code Flow
2. Public ...
‣
OAuth Client
‣ Implicit Flow

51. TSL
TSL
OAuth 2.0

52. TSL

53.
HTTP message
OAuth 1.0
… TSL
‣ Client Type Confidential OAuth Client
‣ Public OAuth Client
→

54. OAuth 2.0
OAuth OAuth
Facebook
• client_id client_secret
OAuth OAuth

55. Authorization Header
Token Authorization Header
Bearer
RFC6750 - The OAuth 2.0 Authorization Framework: Bearer Token Usage
https://tools.ietf.org/html/rfc6750
https://openid-foundation-japan.github.io/rfc6750.ja.html
Authorization: Bearer mF_9.B5f-4.1JqM
Authorization header
access token

56. Access token
• Implicit Grant Flow access token
- token
- OAuth 1.0 access token 1

57. Access token
‣ OAuth 2.0 RFC6749

58. OAuth 2.0
Flow

59. Flow
1. Authorization Code Flow
Client Type Confidential
2. Implicit Flow
Client Type Public
https://qiita.com/TakahikoKawasaki/items/200951e5b5929f840a1f

60. Authorization Code Flow
Confidential Client Type
OAuth 2.0

61. App
App
Authorization
endpoint
Token
endpoint
Resource
endpoint
Redirect
Redirect
OAuth
Client
Resource
Owner
Authorization ServerSTART
User Information
OAuth 2.0
Resource Server
OK
Access token
OAuth
Server
login
token
client
client
code
access
token
Client
code
Client client_id
client_secret

62. Implicit Flow
Public Client Type
‣
OAuth Client access token
token

63. Authorization
endpoint
Resource
endpoint
Redirect
User Information
App
Redirect
Authorization Server
Resource Server
App
login
token
client_secret
OAuth
Client
Resource
Owner
OAuth Server
Token endpoint
START
client access token
Client client_id
OAuth Client
access token
token

64. OAuth 2.0

66. • Facebook OAuth 2.0
1. Authorization code Flow
2. Implicit Flow
3. Hybrid Flow
( Hybrid Flow OpenID Connect )
Authorization Code Flow

67. • Facebook access token
#5 #6
access token
•
"Graph API Endpoint"

68. App
App
Authorization Endpoint
Redirect
Redirect
OAuth
Client
Resource
Owner
#1
START
User Information
OK
Access token
OAuth
Server
login
Client
token
access
token
Graph API Endpoint
API
API
#2 OK
#3 Access token
#4 Access token
#5 Access token
#6 Access token
#7
code
client
client
code
access
token
Facebook
Facebook

69. #0
Facebook for Developers
https://developers.facebook.com/
•
1.
2. Valid OAuth Redirect URIs OAuth URL
•
1. ID OAuth Client ID
2. Secret OAuth Client Secret
Redirect URI
URI
Redirect URL
ON
Secret

70. #1
Location:
https://www.facebook.com/v2.12/dialog/oauth
?client_id="245678901234567"
&request_type="code"
&scope="email public_profile"
&redirect_uri="https://my-redirect-uri"
&state="random_text_data_agaist_csrf"
redirect to Facebook Authorization Endpoint
1. client_id :
#0 " ID"
client
2. request_type ”code”
"code" Authorization Code Flow
"token" Implicit Flow
"code token" Hybrid Flow
3. scope
"email"
"public_profile"
4. redirect_uri:
#0 "redirect_uri"
5. state
CSRF
state CSRF
code
client

71. #2
OK
https://my-callback-uri
?code="AQBORpgp-sdRaLAo-xR_assef-lpZiG6W"
&state="random_text_data_agaist_csrf"
1. code :
code
3 4 code access token
2. state:
#1 state
CSRF #1
#1 redirect_uri
state #1

72. #3
Access token
GET https://graph.facebook.com/v2.12/oauth/access_token
?client_id="245678901234567"
&client_secret="60abc01dab6ae4b0f8acf2abaf1"
&redirect_uri="https://my-redirect-uri/"
&code="AQBORpgp-sdRaLAo-xR_assef-lpZiG6W"
1. client_id :
#0 " ID"
client
2. client_secret
#0 " Secret"
client
3. redirect_uri:
#0 "redirect_uri"
4. code
#2 code
GET URL of Facebook Token Endpoint
client_secret

73. #4
Access token
{
"access_token": "CAWx8Qv2EvZB0-{..省略..}-AvvtNhQZDZD",
"token_type": "bearer",
"expires_in": 5180974
}
1. access_token :
Access token
2. token_type :
token
OK
3. expired_in :
Response body from Facebook Token Endpoint
Json
Access token

74. #5
Access token
GET https://graph.facebook.com/debug_token
?input_token="CAWx8Qv2EvZB0-{..省略..}-AvvtNhQZDZD"
&access_token="245678901234567|60abc01dab6ae4b0f8acf2abaf1"
1. input_token :
token
#4 access token
2. access_token
GET URL of Facebook Debug Token Endpoint

75. #6
Access token
{
"data": {
"app_id": 245678901234567,
"type": "USER",
"application": "MyApplication",
"expires_at": 1386248263,
"is_valid": true,
"issued_at": 1386251863,
"metadata": {
"sso": "iphone-safari"
},
"scopes": [
"email",
"publish_actions"
],
"user_id": "1234567"
}
}
1. app_id :
#0 client_id
token
2. user_id :
user_id
Response body from Facebook Token Debug Endpoint
Json

76. #7
GET https://graph.facebook.com/1234567?fields="id,first_name,name,picture,email"
…
…
…
Authorization: Bearer "CAWx8Qv2EvZB0-{..省略..}-AvvtNhQZDZD"
…
…
GET URL of Facebook Resource Endpoint
Authorization Bearer #4 access token
1. fields : #6 user_id

77. #0 redirect_uri #1
- code
token
2018 3 Facebook
1. redirect_uri
2. redirect_uri TSL

78. #1 state #2
#1
- CSRF code token

79. OAuth 2.0

80. ”Access Token ” ”OAuth ”
- Access token
- Access token
- token
OpenID Connect

81. Implicit Flow
- token (token replace attack)
http://www.thread-safe.com/2012/01/problem-with-oauth-for-authentication.html
https://www.sakimura.org/2012/02/1487/
OpenID Connect

82. - Authorization Code Flow Web Implicit
Flow
-
OpenID Connect
OAuth2.0

83. OpenID Connect

84. OpenID Connect
• OpenID Connect Core 1.0 incorporating errata set 1
https://openid-foundation-japan.github.io/openid-connect-core-1_0.ja.html
http://openid.net/specs/openid-connect-core-1_0.html
• OpenID Foundation RFC
•

85. OpenID Connect
• OAuth 2.0
- OAuth Access token
ID token
- token

86. OpenID Connect

87. OAuth 2.0
OAuth 2.0
OAuth 2.0
• TSL
•
• Access token Authorization Bearer
• Access token

88. Hybrid Flow
Hybrid Flow
‣ token
‣

89. Flow
1. Authorization Code Flow
2. Implicit Flow
3. Hybrid Flow
Hybrid Flow OpenID Connect
OAuth 2.0

90. response_type & Flow
No response_type Flow
1 code
Authorization
Code Flow
OAuth 2.0 Authorization Code Flow
Authorization Endpoint code
Token Endpoint code access token ID token
2 token Implicit Flow
OAuth 2.0 Implicit Flow
Authorization Endpoint access token ID token
3 id_token Implicit Flow Authorization Endpoint ID token access token
4 id_token token Implicit Flow Authorization Endpoint ID token access token
5 code id_token Hybrid Flow
Authorization Code Flow
Authorization Endpoint code ID token
Token Endpoint code access token ID token
6 code token Hybrid Flow
Authorization Code Flow
Authorization Endpoint code access token
Token Endpoint code access token ID token
7 code token id_token Hybrid Flow
Authorization Code Flow
Authorization Endpoint code access token ID token
Token Endpoint code access token ID token
8 none - ID token access token
‣ response_type

91. ID
”ID ”
ID token
‣ ID token IdP "ID"
‣ ID token IdP "ID" RP
ID 74387592 ngzm IdP

92. ID token
• "ID" IdP RP
•
• JWT JSON Web Token
RFC7519 JSON Web Token (JWT) https://tools.ietf.org/html/rfc7519
Access token

93. JWT
JSON Header Claim (Payload)
SIgnature URL Safe
1. Header Claim BASE64urlEncode
2. 1 Header Claim '.'
3. 2 HMAC SHA256 RS256 ES256 PS256
JWS Signature
4. 3 BASE64urlEncode
5. 2 Header Claim '.' 4
JWT
BASE64urlEncode(Header) + '.' + BASE64urlEncode(Claim) + '.' + BASE64urlEncode(JWS Signature)

94. JWT
Google ID token JWT
Header
{
"alg":"RS256",
"kid":"7158dc8572 {略} 20a35b073447"
}
Claim
{
"iss":"accounts.google.com",
"at_hash":"HK6E_P6Dh8Y93mRNtsDB1Q",
"email_verified":"true",
"sub":"10769150350006150715113082367",
"azp":"3456789012.apps.google.com",
"email":"jsmith@example.com",
"aud":"3456789012.apps.google.com",
"iat":1353601026,
"exp":1353604926,
"nonce": "0394852-3190485-2490358",
}
1.iss: IdPのID
2.at_hash: 同時生成のaccess tokenハッシュ値
3.email_verified: email検証結果
4.sub: End Userのgoogle内部ID
5.azp： RPのclient_id
6.email： End Userのemail
7.aud： RPのID
8.iat： token発行時刻
9.exp： token有効期限時刻
10.nonce: nonce
1.alg: 署名アルゴリズム RS256形式
2.kid: RS256公開鍵を探すためのID
access token

95. JWT js
// JWT Header
let header = {}；
header.alg = 'HS256'; // 署名アルゴリズム：HMAC SHA256 による署名の場合は'HS256'
header.typ = 'JWT'; // JWT形式を明示
// JWT Payload（Claim Set）
let claim = {};
claim.iss = 'Identity Party ID'; // JWT発行者の識別子 → IdP の ID
claim.sub = 'End User ID'; // エンドユーザ識別子 → end user ID
claim.nbf = 'current time'; // JWTが有効になる日時
claim.iat = 'issue time'; // JWTを発行した日時
claim.exp = 'expire time'; // JWTの有効期限日時
claim.jti = 'unique ID'; // JWT自体を一意に識別する任意の文字列
claim.aud = 'Relying Party ID'; // JWT利用者の識別子 → RP の ID
// Secret Key
const secret_key = 'XXXXXXXXXX' ; // HMAC SHA256 署名の秘密鍵 → client_secret
// Generate JWT（jsrsasign というJSライブラリを使用した例）
const jwt = KJUR.jws.JWS.sign('HS256', JSON.stringify(header), JSON.stringify(claim), secret_key);

96. Userinfo Endpoint
‣ OAuth 2.0 Access token
‣ OpenID Connect Access token Userinfo Endpoint

97. OpenID Connect
Flow

98. Flow
1. Authorization Code Flow
2. Implicit Flow
3. Hybrid Flow
https://qiita.com/TakahikoKawasaki/items/4ee9b55db9f7ef352b47

99. Authorization Code Flow
response_type=code
• OAuth 2.0 Authorization Code Flow
•

100. App
Authorization
endpoint
Token
endpoint
UserInfo endpoint
Redirect
Redirect
Relying PartyEnd-User
START
User Information
OK
OK
ID token
Identiy Provider
login
client
token
response_type = code
ID token
App
client
access
token
ID
token
client
code
code
ID token
Access token
ID token at_hash
claim
access token
ID token IdP RP
Client client_id
client_secret

101. Implicit Flow
response_type=token
response_type=id_token
response_type=token id_token
SPA JS

102. response_type = token id_token
Authorization
endpoint
Resource
endpoint
Redirect
User Information
App
Redirect
App
login
token
Token endpoint
START
client access token
access token id_token
Relying
Party
End-User
Identiy Provider
ID token at_hash
claim
access token
client_secret
Client client_id

103. Hybrid Flow
response_type=code token
response_type=code id_token
response_type=code token id_token
• OAuth 2.0 Implicit Flow Authorization Code Flow
- Implicit Flow Access token ID token
- Authorization code Flow code Access token ID token

104. code token
Authorization
endpoint
Redirect
End-User
App
Redirect
START
App
login
Relying Party
App
Identity Provider
response_type = code token
Relying Party
Token
endpoint
UserInfo endpoint
token
User Information
access token
client
access
token
ID
token
client
code
client
code
access token
access
token
access token

105. code access token, id_token
Authorization
endpoint
Redirect
End-User
App
Redirect
START
App
login
Relying Party
App
Identity Provider
response_type = code token id_token
Relying Party
Token
endpoint
UserInfo endpoint
token
User Information
access token
ID token
client
access
token
ID
token
client
code
client
code
access
token
access token

106. OpenID Connect

108. • Google Openid Connect
1. Authorization code Flow
2. Implicit Flow
( Hybrid Flow )
Authorization Code Flow

109. App
Authorization
endpoint
Token
endpoint
UserInfo endpoint
Redirect
Redirect
Relying PartyEnd-User
START
User Information
OK
OK
ID token
Identity Provider
login
client
token
App
client
access
token
ID
token
client
code
code
Google
Google
#1
#2 OK
#3 Access token + ID token
#4 Access token + ID token
#5 ID token
#6

110. #0
Google API Console
https://console.developers.google.com/
•
1.
2.
3. URL
4. JavaScript
5. URI OAuth URL
•
1. ID OAuth Client ID
2. Secret OAuth Client Secret
Google URI
Secret

111. #1
Location:
https://accounts.google.com/o/oauth2/v2/auth
?client_id="3456789012.apps.google.com"
&response_type="code"
&scope="openid email profile"
&redirect_uri="https://my-redirect-uri"
&state="random_text_data_agaist_csrf"
&nonce="0394852-3190485-2490358"
redirect to Google Authorization Endpoint
1. client_id :
#0 " ID"
2. request_type
"code" Authorization Code Flow
"token id_token" Implicit Flow
3. scope
"openid" OpenID Connect
"email"
"profile"
4. redirect_uri:
#0 redirect_uri
5. state
CSRF
6. nonce
Replay Attack
state CSRF
nonce
openid
code

112. #2
OK
https://my-callback-uri
?state="random_text_data_agaist_csrf"
&code="4/P7q7W91a-oMsCeLvIaQm6bTrgtp7"
1. state:
#1 state
CSRF #1
2. code :
code
3 4 code access token
#1 redirect_uri
state #1

113. #3
Access token, ID token
POST https://www.googleapis.com/oauth2/v4/token HTTP/1.1
Content-Type: application/x-www-form-urlencoded
...
...
code="4/P7q7W91a-oMsCeLvIaQm6bTrgtp7"
&client_id="3456789012.apps.google.com"
&client_secret="60abc01dab6ae4b0f8acf2abaf1"
&redirect_uri="https://my-redirect-uri"
&grant_type="authorization_code"
1. code
#2 code
2. client_id :
#0 " ID"
3. client_secret
#0 ” Secret"
4. redirect_uri:
#0 redirect_uri
5. grant_type
”autorization_code”
POST URL of Google Token Endpoint

114. #4
Access token, ID token
{
"access_token": "df7773dbc8b7d-{..省略..}-8a91ae2372e1",
"id_token": "eyJhbGJSLKDFJKLSzI1NiJ9
.eyJ3MiOit-{..省略..}-81ae2372e1
.jMgjfEYmy-{..省略..}-S5Iv5ZP5ZA",
"token_type": "bearer",
"expires_in": 5180974
}
1. access_token :
Access token
2. id_token :
ID token
3. token_type :
token
OK
4. expired_in :
Response body from Google Token Endpoint Json
Access token
ID token

115. #5
ID token
{
"iss":"accounts.google.com",
"at_hash":"HK6E_P6Dh8Y93mRNtsDB1Q",
"email_verified":"true",
"sub":"10769150350006150715113082367",
"azp":"3456789012.apps.google.com",
"email":"jsmith@example.com",
"aud":"3456789012.apps.google.com",
"iat":1353601026,
"exp":1353604926,
"nonce": "0394852-3190485-2490358",
}
1. iss :
IdP ID
2. at_hash :
access token
3. email _verified:
End User email
4. sub :
End User google ID
5. azp
RP client_id
6. email
End User email
7. aud
RP ID
8. iat
token
9. exp
token
10.nonce
1 nonce
Google ID token 's Payload
nonce #1
access token
End User ID
Idp
RP

116. #7
GET https://www.googleapis.com/oauth2/v3/userinfo
…
…
Authorization: Bearer "df7773dbc8b7d-{..省略..}-8a91ae2372e1"
…
…
GET URL of Google Userinfo Endpoint
Authorization Bearer #4 access token

117. #0 redirect_uri #1
- code
token
state #1 #2
#1
- CSRF code token
Google

118. nonce #1 #5
Replay Attack
- Replay Attack
nonce Replay Attack
Implicit Flow Hybrid Flow nonce

119. OpenID Connect

120. •
• OAuth 1.0 OAuth 2.0 OpenID
OpenID Connect
...
OpenID Connect

122. •
• OAuth 1.0 OAuth 2.0
• OpenID Connect

123. • OAuth 1.0 → OAuth 2.0 → OpenID Connect
• OAuth 1.0 OAuth 2.0
• OpenID Connect OAuth 2.0
ID token

124. • OAuth 1.0
‣
‣ TSL
‣
‣ Replay Attack

125. • OAuth 2.0
‣ TSL
‣
‣
‣ token
‣ CSRF Redirect URI

126. • OpenID Connect
‣ TSL OAuth 2.0
‣
‣ ID token IdP ID
ID
‣ ID token Access token
‣ CSRF Redirect URI Replay Attack

127. • RFC and OpenID Foundation
- https://tools.ietf.org/html/rfc5849 (5849: OAuth 1.0)
- https://tools.ietf.org/html/rfc6749 (6749: OAuth 2.0)
- https://tools.ietf.org/html/rfc6750 (6750: Bearer token)
- http://openid.net/specs/openid-connect-core-1_0.html (OpenID Connect)
• RFC and OpenID Foundation
- https://openid-foundation-japan.github.io/rfc5849.ja.html
- https://openid-foundation-japan.github.io/rfc6749.ja.html
- https://openid-foundation-japan.github.io/rfc6750.ja.html
- https://openid-foundation-japan.github.io/openid-connect-core-1_0.ja.html
• OAuth & OpenID Connect RFC
- https://qiita.com/TakahikoKawasaki/items/185d34814eb9f7ac7ef3

128. • OAuth 1.0 on Twitter
- https://developer.twitter.com/en/docs/basics/authentication/overview/oauth
- https://dev.twitter.com/web/sign-in/implementing
- https://syncer.jp/Web/API/Twitter/REST_API/
• OAuth 2.0
- https://qiita.com/TakahikoKawasaki/items/200951e5b5929f840a1f
- https://www.buildinsider.net/enterprise/openid/oauth20
- http://www.atmarkit.co.jp/fsmart/articles/oauth2/01.html
• OAuth 2.0 on Facebook
- https://developers.facebook.com/
- https://developers.facebook.com/docs/facebook-login/manually-build-a-login-flow
- http://tech.vasily.jp/entry/facebook_graph_api

129. • OpenID Connect
- https://www.slideshare.net/kura_lab/openid-connect-id
- https://www.slideshare.net/matake/connect-intro-dev-love
- https://qiita.com/TakahikoKawasaki/items/4ee9b55db9f7ef352b47
- https://www.buildinsider.net/enterprise/openid/connect
- https://tools.ietf.org/html/rfc7519 (RFC)
- https://hiyosi.tumblr.com/post/70073770678/
jwt%E3%81%AB%E3%81%A4%E3%81%84%E3%81%A6%E7%B0%A1%E5%8D%98%E3%8
1%AB%E3%81%BE%E3%81%A8%E3%82%81%E3%81%A6%E3%81%BF%E3%81%9F
• OpenID Connect on Google
- https://developers.google.com/identity/protocols/OpenIDConnect

130. •
- https://tools.ietf.org/html/rfc6819 (RFC)
- http://www.thread-safe.com/2012/01/problem-with-oauth-for-authentication.html
- http://www.atmarkit.co.jp/ait/articles/1710/24/news011.html