Introduction to OpenID Connect: trends in ID federation for consumers
TRANSCRIPT
-
2015.8.26 OpenID
OpenID Connect ID
-
kura
OpenID ID
ID @kura_lab
-
1.
2. OpenID Connect
3. OpenID Connect
4. ID Token
5. UserInfo Endpoint
-
RP
SAML, OpenID, OAuth 1.0, OAuth 2.0
SOAP or RESTful / XML or JSON
-
RP
OpenID Connect
Apps: Web, Native
Flow: Authorization Code, Implicit, Hybrid
-
RP
-
IdP
-
RP
IdPRP
OpenID Connect
-
OpenID Connect
-
OpenID Connect
2014.2.27
OpenID Connect: built on OAuth 2.0
OpenID: OpenID 2.0
-
OpenID
OpenID AX
OpenID
-
OAuth 1.0, OAuth 2.0
Web API
OAuth
-
OpenID, OAuth
OAuth 2.0
OpenID Connect
-
API
OpenID Connect
-
OpenID Connect ID
-
http://openid.net/connect/
-
OpenID Connect
-
OpenID Connect Authorization Code Flow
Implicit Flow
Hybrid Flow
-
Authorization Code Flow
OAuth 2.0, OpenID Connect
-
OAuth 2.0 Authorization Code Flow
-
Participants: End-User, RP, IdP, Resource Server

1. Start OAuth (the End-User starts at the RP)
2. Authorization Request (Redirect to the IdP)
3. Login / Consent (at the IdP)
4. Authorization Code (Redirect back to the RP)
5. Token Request (RP to IdP)
6. Access Token / Refresh Token (IdP to RP)
7. Resource Access (RP to Resource Server, with the Access Token)
8. Resource
-
OpenID Connect Authorization Code Flow
-
Participants: End-User, RP, IdP (with its UserInfo Endpoint)

1. Start OpenID Connect (the End-User starts at the RP)
2. Authorization Request (Redirect to the IdP)
3. Login / Consent (at the IdP)
4. Authorization Code (Redirect back to the RP)
5. Token Request (RP to IdP)
6. Access Token / Refresh Token / ID Token (IdP to RP)
7. Resource Access (UserInfo Request to the UserInfo Endpoint, with the Access Token)
8. Resource (UserInfo Response)
Authorization Request
HTTP/1.1 302 Found
Location: https://server.example.com/authorize?response_type=code&scope=openid%20profile%20email&client_id=s6BhdRkqt3&state=af0ifjsldkj&nonce=n-0S6_WzA2Mj&redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb

The RP redirects the End-User's browser to the IdP's authorization endpoint.
- response_type=code: Authorization Code Flow
- scope: must include openid (here profile and email are requested as well)
- client_id: identifies the RP at the IdP
- state: CSRF protection; the RP checks it again in the Authorization Response
- nonce: returned to the RP inside the ID Token
- redirect_uri: the RP's callback, https://client.example.org/cb (URL-encoded)
-
Authorization Response
HTTP/1.1 302 Found
Location: https://client.example.org/cb?code=SplxlOBeZQQYbYS6WxSbIA&state=af0ifjsldkj

- code: the Authorization Code, to be exchanged at the Token Endpoint
- state: must match the value the RP sent in the Authorization Request
-
Token Request
POST /token HTTP/1.1
Host: server.example.com
Content-Type: application/x-www-form-urlencoded
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW

grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA&redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb

- Authorization: Basic base64_encode(Client_ID . ':' . Secret): the RP authenticates with its Client ID and Secret
- code: the Authorization Code received in the Authorization Response
- the Secret and the Authorization Code are sent by POST directly from the RP to the IdP, not through the End-User's browser
-
Token Response
HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-store
Pragma: no-cache

{
  "access_token": "SlAV32hkKG",
  "token_type": "Bearer",
  "refresh_token": "8xLOxBtZp8",
  "expires_in": 3600,
  "id_token": "eyJhbGciOi6IjFlOWdkazcifQ.eyJewogImlzc6ICJzZCaGRSa3F0MyIsCiAibm9uY2UiOiODA5NzAKfQ.eyJggW8hZ16IcmD3HP99Obi1PRs-cwhJ3LO-p146waJMzqg"
}

- the body is JSON, not XML
- access_token / refresh_token: as in OAuth 2.0
- token_type Bearer: the Access Token is presented as "Authorization: Bearer ..."
- id_token: the ID Token, OpenID Connect's addition to the OAuth 2.0 Token Response; three Base64URL segments ("eyJ...", "eyJ...", signature) joined with dots
-
UserInfo Request
GET /userinfo HTTP/1.1
Host: server.example.com
Authorization: Bearer SlAV32hkKGsegsef

- the Access Token is sent as a Bearer token in the Authorization header
-
UserInfo Response
HTTP/1.1 200 OK
Content-Type: application/json

{
  "sub": "248289761001",
  "name": "Jane Doe",
  "given_name": "Jane",
  "family_name": "Doe",
  "preferred_username": "j.doe",
  "picture": "http://example.com/janedoe/me.jpg",
  "email": "[email protected]"
}

- the body is JSON, not XML
- sub: returned for the openid scope
- name, given_name, family_name, preferred_username, picture: the profile scope
- email: the email scope
-
GREE Y! YConnect GREE
-
GREE Y! YConnect GREE
RP OpenID Connect
-
GREE Y! YConnect GREE
IdP
-
GREE Y! YConnect GREE
API
-
GREE Y! YConnect GREE
-
ID Token
An ID Token names three parties: issuer, audience, subject.
- issuer: the Identity Provider
- audience: the Relying Party
- subject: the End-User
Example: issuer Facebook, audience SlideShare, subject kura
Example: issuer Yahoo!, audience GREE, subject kura
-
JSON Web Token
JSON, encoded with URL-safe Base64
Signed with HMAC, RSA or ECDSA
-
Header:
{ "typ": "JWT", "alg": "RS256" }

- JSON Web Token (JWT) is pronounced "jot"
- alg RS256: RSA-SHA256
-
Payload (claims):
{ "iss": "https://auth.login.yahoo.co.jp", "sub": "123456789", "aud": "abcdefg", "nonce": "xyz", "iat": 1291836800, "exp": 1300819380 }

- iss (issuer): identifier of the IdP that issued the ID Token
- sub (subject): identifier of the End-User
- aud (audience): the RP's Client ID
- nonce: the value the RP sent in the Authorization Request
- iat (issued at): issue time as a Unix timestamp (10 digits, seconds)
- exp (expiration): expiry of the ID Token itself, separate from the RP's session Cookie
-
Header and payload:
{ "typ": "JWT", "alg": "RS256" }
{ "iss": "https://example.com", "sub": "123456789", "aud": "abcdefg", "nonce": "xyz", "iat": 1291836800, "exp": 1300819380 }

Each JSON part is Base64-encoded with the URL-safe alphabet: "+" becomes "-", "/" becomes "_", and the "=" padding is dropped. Because every JSON object starts with "{", every encoded part starts with "eyJ":

eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9
eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ

The two parts are joined with ".":

eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ

The joined string is signed (RSA-SHA256 per the header's alg) and the signature is Base64URL-encoded as well:

dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk

ID Token = header + "." + payload + "." + signature:

eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ.dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk
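Added example, not from the slides or from any IdP's own code: the RP-side checks on an ID Token that the claims slide lists (signature first, then iss, aud, nonce, exp, iat), built on the Base64URL encoding described above. It signs with HS256 so it runs on the Python standard library alone; the slide names RS256 (though the encoded sample header on the slide decodes to HS256), and with RS256 the RP would verify against the IdP's public key instead of a shared secret. The key and the claim values are constructed sample data.

```python
import base64
import hashlib
import hmac
import json

def b64url_encode(data: bytes) -> str:
    # URL-safe alphabet ('-' and '_' instead of '+' and '/'), '=' padding stripped
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    # Restore the stripped '=' padding before decoding
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_id_token(claims: dict, key: bytes) -> str:
    # Issuer side (assumed): header.payload signed with HMAC-SHA256, alg "HS256"
    header = b64url_encode(b'{"typ":"JWT","alg":"HS256"}')
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def validate_id_token(token: str, key: bytes, issuer: str, client_id: str,
                      nonce: str, now: int) -> dict:
    # RP side: verify the signature first, then iss / aud / nonce / exp / iat
    header_b64, payload_b64, sig_b64 = token.split(".")
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # accept only the alg the RP expects
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise ValueError("iss mismatch")  # token from a different IdP
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("aud mismatch")  # token issued to a different RP
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch")  # not the login attempt this RP started
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("expired")
    if not isinstance(claims.get("iat"), int) or claims["iat"] > now:
        raise ValueError("iat in the future")
    return claims

# Constructed sample: claim values from the slides, key made up for this example
SAMPLE_KEY = b"constructed-shared-secret"
SAMPLE_CLAIMS = {"iss": "https://auth.login.yahoo.co.jp", "sub": "123456789",
                 "aud": "abcdefg", "nonce": "xyz", "iat": 1291836800, "exp": 1300819380}
```

Run `validate_id_token(make_id_token(SAMPLE_CLAIMS, SAMPLE_KEY), SAMPLE_KEY, "https://auth.login.yahoo.co.jp", "abcdefg", "xyz", 1291836900)` to see the claims accepted; change the nonce, the key or the clock and the corresponding check rejects the token.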
-
UserInfo Endpoint
-
UserInfo
OpenID Connect defines standard Claims
Which Claims the IdP returns is controlled by the requested Scope
-
Claim                  Scope
sub                    - (returned with openid)
name                   profile
given_name             profile
family_name            profile
middle_name            profile
nickname               profile
preferred_username     profile
profile                profile (URL)
picture                profile (URL)
website                profile (URL)
email                  email
email_verified         email
gender                 profile
birthdate              profile
zoneinfo               profile
locale                 profile
phone_number           phone
phone_number_verified  phone
address                address
updated_at             profile
-
UserInfoUserInfo
-
1. OpenID Connect (built on OAuth 2.0)
2. OpenID Connect Authorization Code Flow
3. ID Token (JSON Web Token)
4. UserInfo Endpoint