How to Do Secure ID Federation
Description: 3rd joint study session @UZABASE, Jun. 5, 2014
Transcript
How to Do Secure ID Federation, 2014/06/05
OpenID Foundation Japan, Masashi Kurabayashi (倉林雅)
Masashi Kurabayashi (倉林 雅, a.k.a. kura), OpenID Foundation Japan Evangelist
Yahoo Japan Corporation, ID Service Engineer
ID geek, @kura_lab
Armour on display in the War Gallery by Royal Armouries
Managing IDs and passwords: high cost
Armour on display in the War Gallery by Royal Armouries
Leave authentication to the IdP!
OAuth / OpenID
Covert Redirect?
Question Mark Block by Jared Cherup
OAuth 2.0 Implicit flow
Copyright(C) 2014 Yahoo Japan Corporation. All Rights Reserved. Copyright 2013 OpenID Foundation Japan - All Rights Reserved.
Source: developers.facebook.com
User's Browser
Your App
Display the app
Display the dialog
Obtain the access token
API request
Covert Redirect
254/365: X marks the spot by Addison Berry
Malicious server
Weak Point
Display the app
Display the dialog
Obtain the access token
Access token leaked
GET /me
User Info
Fetch the Profile API
API abuse, phishing
Covert Redirect: a vulnerability in OAuth/OpenID?
Open redirector vulnerability
Marsmettnn Tallahassee
Open redirector vulnerability
(090/365) January 22, 2010: Can't stop the music by Jason Alley
Covert Redirect countermeasures (open redirector countermeasures)
Do not redirect to external sites from the callback URL
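The callback-side countermeasure above, as an added example that is not code from the slides or from the presenter: a Python OAuth callback handler that only follows a post-login `next` target when it stays on the application's own origin, so the browser (still carrying the `#access_token` fragment from the implicit flow) can never be bounced to another host. It goes one step beyond the slide and also shows the complementary IdP-side check, exact matching of `redirect_uri` against the registered value. `APP_ORIGIN`, `REGISTERED_REDIRECT_URIS` and the `next` parameter name are constructed assumptions.

```python
"""Callback-side mitigation for Covert Redirect (added example)."""
from urllib.parse import parse_qs, urljoin, urlsplit

# Constructed values, not from the slides: the client app's own origin and
# the redirect_uri it registered at the IdP.
APP_ORIGIN = "https://app.example.com"
REGISTERED_REDIRECT_URIS = {"https://app.example.com/oauth/callback"}


def is_safe_redirect(target: str) -> bool:
    """True only if `target` is a path on the app's own origin.

    Anything that could send the browser (and the #access_token fragment
    it still carries from the implicit flow) to another host is rejected.
    """
    if not target or not target.startswith("/"):
        return False
    # Backslashes and whitespace are normalised by browsers in ways that
    # urlsplit() does not model, so refuse them outright.
    if any(ch in target for ch in "\\\r\n\t "):
        return False
    parts = urlsplit(target)
    if parts.scheme or parts.netloc:
        return False  # absolute URL
    if target.startswith("//"):
        return False  # protocol-relative URL such as //other.example
    return True


def callback_redirect_location(query_string: str, default: str = "/") -> str:
    """Compute the Location header the OAuth callback should send.

    `next` is the post-login destination the app put in its own links;
    any value that would leave APP_ORIGIN falls back to `default`.
    """
    params = parse_qs(query_string)
    target = params.get("next", [default])[0]
    if not is_safe_redirect(target):
        target = default
    return urljoin(APP_ORIGIN, target)


def redirect_uri_is_registered(redirect_uri: str) -> bool:
    """IdP-side check: exact match only, no prefix or substring matching."""
    return redirect_uri in REGISTERED_REDIRECT_URIS


if __name__ == "__main__":
    for q in ("next=/dashboard", "next=https://other.example/",
              "next=//other.example/", "next=/\\other.example"):
        print(q, "->", callback_redirect_location(q))
```

The two checks address different parties: `callback_redirect_location` is what the relying party runs on its callback endpoint, and `redirect_uri_is_registered` is what the IdP runs before issuing a code or token; a Covert Redirect chain needs both to be lax.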
Web Trend Map 4 (Detail) / 20090914.10D.53870.P1 / SML by See-ming Lee
Trends in the ID community
OpenID Connect
♥ OpenID Connect
OAuth 2.0 + Identity Layer
2014.2.25: the OpenID Connect specification reaches Final!!
Nate and Birthday Cake (2 of 5) by Chris Pencis
Thank you for your attention