Introduction to ID Federation (Hands-on Edition) - Security Camp 2016
TRANSCRIPT
Nov Matake
http://bit.ly/sec2016nov
Definition of “Federation” in NIST SP 800-63-3
“A process that allows for the conveyance of identity and authentication information across
a set of networked systems.”
https://pages.nist.gov/800-63-3/
Definition of “Federation” in NIST SP 800-63-3 (Japanese translation)
https://openid-foundation-japan.github.io/800-63-3/index.ja.html
Login / Sign-up
Request an Assertion
Authentication Event
Issue an Assertion
Request Attributes
Attributes
Welcome, Nov!
Verify the Assertion
Login / Sign-up
Request an Assertion
Authentication Event
Issue an Artifact
Send the Artifact
Request Attributes
Attributes
Welcome, Nov!
Assertion
Login / Sign-up
Request an Assertion
Authentication Event
Issue an Assertion w/ Attributes
Verify the Assertion
Welcome, Nov!
SAML (Security Assertion Markup Language)
OpenID Connect
OpenID Connect ~ OAuth 2.0 + Identity Layer ~
OAuth !!
Twitter API, Facebook API, GitHub API etc.
https://developers.google.com/oauthplayground/
https://developers.facebook.com/tools/explorer
OAuth Server Resource Owner
OAuth Client Resource Owner
Login / Sign-up
Request an Access Token
Authentication Event
Issue an Authorization Code
Send the Code
Request Attributes
Attributes
Welcome, Nov!
Access Token
https://sec-camp-idp.herokuapp.com
response_type=code
response_type=token
response_type=code+token
Login / Sign-up
Request an Access Token
Authentication Event
Issue an Access Token
Request Attributes
Attributes
Welcome, Nov!
response_type=token
Login / Sign-up
Request an Access Token
Authentication Event
Issue an Access Token + Code
Request Attributes
Attributes
Welcome, Nov!
Code
Access Token
Code
??
App Backend
response_type=code+token
Code Flow
• “response_type=code”
• Token Endpoint
•
• Access Token User Agent
• ( ) Client
• Access Token
Implicit Flow
• “response_type=token”
• Token Endpoint
•
• Access Token User Agent
• Client (client_secret )
• End-User (Client ) Access Token
Hybrid Flow
• “response_type=code+token”
• Token Endpoint Access Token Token Endpoint Access Token
•
• Implicit Flow Access Token Code Flow Access Token
User Agent User Agent
(SSL/TLS etc.)
…
• RFC 6749 - OAuth 2.0 Core
• RFC 6750 - OAuth 2.0 Bearer Token Usage
• RFC 6819 - OAuth 2.0 Threat Model
• RFC 7519 - JSON Web Token
• RFC 7636 - OAuth 2.0 PKCE (Proof Key for Code Exchange)
• RFC 7800 - OAuth 2.0 PoP Token (Proof of Possession)
[ ] http://openid-foundation-japan.github.io
OpenID Connect ~ OAuth 2.0 + Identity Layer ~
Login / Sign-up
Request an Access Token
Authentication Event
Issue an Authorization Code
Send the Code
Request Attributes
Attributes
Welcome, Nov!
Access Token + ID Token
response_type=code
response_type=code+id_token
response_type=token+id_token
response_type=code+token+id_token
• iss (issuer)
• (ID Provider)
• sub (subject)
•
• aud (audience)
• Client
• exp / iat (expires_at / issued_at)
•
• auth_time
• ( Authentication Event )
• nonce
• Authorization Request Token Response
• at_hash
• Access Token
• c_hash
• Authorization Code
OAuth OpenID Connect
OAuth
http://bitly.com/sec2016nov
CSRF
Login / Sign-up
Request an Access Token
Authentication Event
Issue an Authorization Code
Send the Code
Request Attributes
Attributes
Welcome, Nov!
Access Token (+ ID Token)
response_type=code
https://sec-camp-rp-code.herokuapp.com
Code
https://sec-camp-rp-code.herokuapp.com
Token
Login / Sign-up
Request an Access Token
Authentication Event
Issue an Access Token
Welcome, Nov!
Token
Attributes
Token
Session
App Backend
response_type=token
https://sec-camp-rp-implicit.herokuapp.com
prompt=login & max_age=N @
https://sec-camp-rp-code.herokuapp.com
OAuth …
•
•
• OAuth …
• state
• OpenID Connect (max_age etc.)
• Token
• nonce
• ( )
• ID Token aud, sub, auth_time etc.
• OAuth API (Token Introspection)
OAuth …
API or
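The ID Token claim checks listed earlier (iss, aud, exp, nonce, at_hash, c_hash, auth_time) and the verification points in the checklist above, including the max_age check from the prompt=login & max_age=N slide, as one added Python example that is not part of the original slides or of the demo apps. The issuer URL is the slides' demo IdP; the client id, nonce, tokens and sub are constructed placeholders, and the JWT signature is assumed to have been verified by a JWT library before these claim checks run.

```python
import base64
import hashlib
import time

def half_hash(value: str) -> str:
    """at_hash / c_hash (OpenID Connect Core 3.3.2.11) for SHA-256 algorithms such as
    RS256: base64url, without padding, of the left 128 bits of SHA-256(value)."""
    digest = hashlib.sha256(value.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest[:16]).rstrip(b"=").decode("ascii")

def validate_id_token_claims(claims, issuer, client_id, nonce,
                             access_token=None, code=None, max_age=None, now=None):
    """Check the ID Token claims the slides list. Returns a list of problems
    (empty means OK). The JWT signature is assumed to be verified already."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != issuer:
        problems.append("iss: not issued by the expected ID Provider")
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else list(aud or [])
    if client_id not in aud:
        problems.append("aud: not issued for this Client")
    if claims.get("exp", 0) <= now:
        problems.append("exp: token has expired")
    if claims.get("nonce") != nonce:
        problems.append("nonce: does not match the Authorization Request")
    if access_token is not None and claims.get("at_hash") != half_hash(access_token):
        problems.append("at_hash: not issued together with this Access Token")
    if code is not None and claims.get("c_hash") != half_hash(code):
        problems.append("c_hash: not issued together with this Code")
    if max_age is not None:
        auth_time = claims.get("auth_time")
        if auth_time is None or now - auth_time > max_age:
            problems.append("auth_time: Authentication Event older than max_age")
    return problems

# Constructed sample payload. The issuer URL is the slides' demo IdP; every
# other value is made up for this example.
NOW = 1_470_000_000
ACCESS_TOKEN, CODE, NONCE = "demo-access-token", "demo-authz-code", "n-0S6_WzA2Mj"
CLAIMS = {
    "iss": "https://sec-camp-idp.herokuapp.com", "sub": "248289761001",
    "aud": "sec-camp-rp-code", "iat": NOW - 5, "exp": NOW + 600,
    "auth_time": NOW - 30, "nonce": NONCE,
    "at_hash": half_hash(ACCESS_TOKEN), "c_hash": half_hash(CODE),
}
```

Calling validate_id_token_claims(CLAIMS, CLAIMS["iss"], "sec-camp-rp-code", NONCE, ACCESS_TOKEN, CODE, max_age=60, now=NOW) returns an empty list; swapping in a different Access Token, nonce or a later clock makes the corresponding check fail.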
OpenID Connect
OpenID Connect ~ OAuth 2.0 + Identity Layer ~
https://connect-rp.herokuapp.com & https://connect-op.herokuapp.com