yj openid tech_night_v6
DESCRIPTION
TRANSCRIPT
Yahoo! JAPAN OpenID @OpenID Tech Night Vol.6
2010 年 5 月 28 日(金)
2
自己紹介
• 近藤 裕介 (@konfoo)• ヤフー株式会社
– R&D 統括本部 プラットフォーム開発本部 • 仕事
– OAuth– OpenID– ログインまわり ←イマココ
• OpenID Foundation Japan– 翻訳・教育 Working Group
3
Yahoo! JAPAN の OpenID
• 2008 年 1 月– リリース( OpenID 2.0 対応)
• 2010 年 3 月– Attribute Exchange 1.0 対応
– UI Extension 1.0(draft) 対応
– iPhone UI 対応
4
OP のサーバ構成
• サーバ構成– open.login.yahooapis.jp x 3
– open.login.yahoo.co.jp x 3
– me.yahoo.co.jp x 2
• 属性情報– Y! プロフィールの専用 DB (ソーシャ
ル DB )
5
OpenID Flow
input OpenID
OP Discovery
AssociationAuthentication Request
RP Discovery
show Login Page
input ID/PW
Authentication Response
OP Discovery
Check AuthenticationOpenID login succeeded!
RP OPUA
show Let-me-in Page
click Let-me-in!
6
Yahoo! JAPAN の XRDS
<?xml version="1.0" encoding="UTF-8"?><xrds:XRDS xmlns:xrds="xri://$xrds" xmlns:openid="http://openid.net/xmlns/1.0" xmlns="xri://$xrd*($v*2.0)"> <XRD> <Service priority="0"> <Type>http://specs.openid.net/auth/2.0/server</Type> <Type>http://specs.openid.net/extensions/pape/1.0</Type> <Type>http://openid.net/srv/ax/1.0</Type> <Type>http://specs.openid.net/extensions/ui/1.0/mode/popup</Type> <URI>https://open.login.yahooapis.jp/openid/op/auth</URI> </Service> </XRD></xrds:XRDS>
7
Attribute Exchange Flow
input OpenID
OP Discovery
AssociationAuthentication Request
RP Discovery
show Login Page
input ID/PW
Authentication Response
OP Discovery
Check AuthenticationOpenID login succeeded!
RP OPUA
show Let-me-in Page
click Let-me-in!
+ AX Parameters
AX 用の UI
+ AX Response
8
Attributes
画像 http://axschema.org/media/image/default
表示名 http://axschema.org/namePerson/friendly
姓 http://axschema.org/namePerson/last
名 http://axschema.org/namePerson/first
性別 http://axschema.org/person/gender
生年 http://axschema.org/birthDate/birthYear
提供している属性情報
Yahoo! プロフィール (http://profiles.yahoo.co.jp)
9
AX Request
https://open.login.yahooapis.jp/openid/op/auth?openid.assoc_handle=xxxx&openid.ax.mode=fetch_request&openid.ax.required=nickname%2Cgender%2Cfirstname%2Clastname%2Cbirthyear%2Cprofile_img&openid.ax.type.birthyear=http%3A%2F%2Faxschema.org%2FbirthDate%2FbirthYear&openid.ax.type.firstname=http%3A%2F%2Faxschema.org%2FnamePerson%2Ffirst&openid.ax.type.gender=http%3A%2F%2Faxschema.org%2Fperson%2Fgender&openid.ax.type.lastname=http%3A%2F%2Faxschema.org%2FnamePerson%2Flast&openid.ax.type.nickname=http%3A%2F%2Faxschema.org%2FnamePerson%2Ffriendly&openid.ax.type.profile_img=http%3A%2F%2Faxschema.org%2Fmedia%2Fimage%2Fdefault&openid.claimed_id=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select&openid.identity=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select&openid.mode=checkid_setup&openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.ns.ax=http%3A%2F%2Fopenid.net%2Fsrv%2Fax%2F1.0&openid.realm=http%3A%2F%2Frp.example.com%2F&openid.return_to=http%3A%2F%2Frp.example.com%2Freturn_to
10
AX UI
11
AX Responseopenid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.mode=id_res&openid.return_to=http%3A%2F%2Frp.example.com%2Fpopup_return_to&openid.claimed_id=https%3A%2F%2Fme.yahoo.co.jp%2Fa%2Fxxxxx&openid.identity=https%3A%2F%2Fme.yahoo.co.jp%2Fa%2Fxxxxx&openid.assoc_handle=xxxxx&openid.realm=http%3A%2F%2Frp.example.com%2Fpopup_return_to%2F&openid.ns.ax=http%3A%2F%2Fopenid.net%2Fsrv%2Fax%2F1.0&openid.ax.mode=fetch_response&openid.ax.value.nickname=konfoo&openid.ax.value.gender=M&openid.ax.value.firstname=%E3%82%86%E3%81%86%E3%81%99%E3%81%91&openid.ax.value.lastname=%E3%81%93%E3%82%93%E3%81%A9%E3%81%86&openid.ax.value.image=https%3A%2F%2Fproxy.f4.ymdb.yahoofs.jp%2Fmingle%2F44bfb0eazf57fa5ff%2Fprofile%2F__tn_%2Ffa32.png%3Fmgw_m_LBemHb.LOL&openid.response_nonce=2010-05-26T12%3A18%3A10ZbfKqKuLqi5UkBthqAVLL.Kkr_pt6R.Gtmg--&openid.signed=assoc_handle%2Cclaimed_id%2Cidentity%2Cmode%2Cns%2Cop_endpoint%2Cresponse_nonce%2Creturn_to%2Csigned%2Cax.value.nickname%2Cax.type.nickname%2Cax.value.gender%2Cax.type.gender%2Cax.value.firstname%2Cax.type.firstname%2Cax.value.lastname%2Cax.type.lastname%2Cax.value.image%2Cax.type.image%2Cns.ax%2Cax.mode%2Cpape.auth_level.nist&openid.op_endpoint=https%3A%2F%2Fopen.login.yahooapis.jp%2Fopenid%2Fop%2Fauth&openid.ax.type.nickname=http%3A%2F%2Faxschema.org%2FnamePerson%2Ffriendly&openid.ax.type.gender=http%3A%2F%2Faxschema.org%2Fperson%2Fgender&openid.ax.type.firstname=http%3A%2F%2Faxschema.org%2FnamePerson%2Ffirst&openid.ax.type.lastname=http%3A%2F%2Faxschema.org%2FnamePerson%2Flast&openid.ax.type.image=http%3A%2F%2Faxschema.org%2Fmedia%2Fimage%2Fdefault&openid.ns.pape=http%3A%2F%2Fspecs.openid.net%2Fextensions%2Fpape%2F1.0&openid.pape.auth_level.nist=0&openid.sig=xxxxxx
12
AX Spec について
• Assertion の URL が長すぎる!– 2000 over で POST に要切替
• Fetch Request のパラメータ– ‘openid.ax.required’ と ’ openid.ax.if_avalibale’
• Store Request は必要?– どこも実装していない
– OAuth+ プロフィール更新 API で代替可能
13
UI Extension(popup)
input OpenID
OP Discovery
AssociationAuthentication Request
RP Discovery
show Login Page
input ID/PW
Authentication Response
OP Discovery
Check AuthenticationOpenID login succeeded!
RP OPUA
show Let-me-in Page
click Let-me-in!
+ UI Parameters
show popup UI
open popup window (RP)
close popup window and continue the rest process in
main window(RP)
14
UI Extension(popup) Request
https://open.login.yahooapis.jp/openid/op/auth?openid.assoc_handle=xxxx&openid.ax.mode=fetch_request&openid.ax.required=nickname%2Cgender%2Cfirstname%2Clastname%2Cbirthyear%2Cprofile_img&openid.ax.type.birthyear=http%3A%2F%2Faxschema.org%2FbirthDate%2FbirthYear&openid.ax.type.firstname=http%3A%2F%2Faxschema.org%2FnamePerson%2Ffirst&openid.ax.type.gender=http%3A%2F%2Faxschema.org%2Fperson%2Fgender&openid.ax.type.lastname=http%3A%2F%2Faxschema.org%2FnamePerson%2Flast&openid.ax.type.nickname=http%3A%2F%2Faxschema.org%2FnamePerson%2Ffriendly&openid.ax.type.profile_img=http%3A%2F%2Faxschema.org%2Fmedia%2Fimage%2Fdefault&openid.claimed_id=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select&openid.identity=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select&openid.mode=checkid_setup&openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.ns.ax=http%3A%2F%2Fopenid.net%2Fsrv%2Fax%2F1.0&openid.ns.ui=http%3A%2F%2Fspecs.openid.net%2Fextensions%2Fui%2F1.0&openid.realm=http%3A%2F%2Frp.example.com%2F&openid.return_to=http%3A%2F%2Frp.example.com%2Fpopup_return_to&openid.ui.mode=popup
15
popup UI
16
UI Extension Spec について
• ポップアップウィンドウ単体で表示( MUST )– ブラウザの設定によってはポップアップ禁止
or 別タブ
• サイズは 450 x 500 px ( SHOULD )– 日本語のフォントサイズだと難しい
– 大きくしても微妙
• ポップアップ制御の実装– RP 側はちょっとめんどくさい
17
OP が popup 対応するにあたって
• popup 画面からの導線に注意– popup の popup
– リンクを辿ると元のページに戻れない• 汎用的な UI が望ましい
– Yahoo.com / Facebook / myspace は同意画面がデフォルトで小さいサイズ
– PC / popup / smart phone
18
Yahoo! JAPAN の OpenID でAX/Popup 使ってみてくださ
い