Introduction to ID Federation (Hands-on Edition) - Security Camp 2016
nov-matake
Transcript of "Introduction to ID Federation (Hands-on Edition) - Security Camp 2016"
[Page 1]
Nov Matake
[Page 3]
Definition of “Federation” in NIST SP 800-63-3
“A process that allows for the conveyance of identity and authentication information across
a set of networked systems.”
https://pages.nist.gov/800-63-3/
[Page 4]
Definition of “Federation” in NIST SP 800-63-3
“ Identity ”
https://openid-foundation-japan.github.io/800-63-3/index.ja.html
[Page 5]
Flow diagram labels: Login / Sign-up; Request an Assertion; Authentication Event; Issue an Assertion; Request Attributes; Attributes; Welcome, Nov!; Verify the Assertion
[Page 6]
Flow diagram labels: Login / Sign-up; Request an Assertion; Authentication Event; Issue an Artifact; Send the Artifact; Request Attributes; Attributes; Welcome, Nov!; Assertion
[Page 7]
Flow diagram labels: Login / Sign-up; Request an Assertion; Authentication Event; Issue an Assertion w/ Attributes; Verify the Assertion; Welcome, Nov!
[Page 8]
SAML (Security Assertion Markup Language)
OpenID Connect
[Page 9]
OpenID Connect ~ OAuth 2.0 + Identity Layer ~
[Page 11]
OAuth !!
Twitter API, Facebook API, GitHub API etc.
[Page 12]
https://developers.google.com/oauthplayground/
https://developers.facebook.com/tools/explorer
[Page 13]
Diagram labels: OAuth Server; Resource Owner; OAuth Client; Resource Owner
[Page 14]
Flow diagram labels: Login / Sign-up; Request an Access Token; Authentication Event; Issue an Authorization Code; Send the Code; Request Attributes; Attributes; Welcome, Nov!; Access Token
[Page 25]
response_type=code
response_type=token
response_type=code+token
[Page 27]
Flow diagram labels: Login / Sign-up; Request an Access Token; Authentication Event; Issue an Access Token; Request Attributes; Attributes; Welcome, Nov!; response_type=token
[Page 28]
Flow diagram labels: Login / Sign-up; Request an Access Token; Authentication Event; Issue an Access Token + Code; Request Attributes; Attributes; Welcome, Nov!; Code; Access Token; Code; ??; App Backend; response_type=code+token
[Page 29]
Code Flow
• “response_type=code”
• Token Endpoint
• Access Token User Agent
• ( ) Client
• Access Token
[Page 30]
Implicit Flow
• “response_type=token”
• Token Endpoint
• Access Token User Agent
• Client (client_secret )
• End-User (Client ) Access Token
[Page 31]
Hybrid Flow
• “response_type=code+token”
• Token Endpoint Access Token Token Endpoint Access Token
• Implicit Flow Access Token Code Flow Access Token
[Page 32]
User Agent User Agent
[Page 37]
(SSL/TLS etc.)
…
[Page 39]
• RFC 6749 - OAuth 2.0 Core
• RFC 6750 - OAuth 2.0 Bearer Token Usage
• RFC 6819 - OAuth 2.0 Threat Model
• RFC 7519 - JSON Web Token
• RFC 7636 - OAuth 2.0 PKCE (Proof Key for Code Exchange)
• RFC 7800 - OAuth 2.0 PoP Token (Proof of Possession)
[Page 40]
[ ] http://openid-foundation-japan.github.io
[Page 41]
OpenID Connect ~ OAuth 2.0 + Identity Layer ~
[Page 42]
Flow diagram labels: Login / Sign-up; Request an Access Token; Authentication Event; Issue an Authorization Code; Send the Code; Request Attributes; Attributes; Welcome, Nov!; Access Token + ID Token
[Page 49]
response_type=code
response_type=code+id_token
response_type=token+id_token
response_type=code+token+id_token
[Page 50]
• iss (issuer)
  • (ID Provider)
• sub (subject)
• aud (audience)
  • Client
• exp / iat (expires_at / issued_at)
[Page 51]
• auth_time
  • ( Authentication Event )
• nonce
  • Authorization Request Token Response
• at_hash
  • Access Token
• c_hash
  • Authorization Code
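The ID Token claim checks listed on pages 50 and 51 (and repeated in the checklist on page 67), as an added Python example that is not part of the original slides: it mints a constructed HS256-signed ID Token (a public OP would normally sign with RS256 and publish a JWKS) and verifies the signature, iss, aud, sub, exp, nonce, auth_time against max_age, and at_hash / c_hash. The key, issuer, client_id, nonce and claim values are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def left_half_hash(value: str) -> str:
    # at_hash / c_hash: base64url of the left-most 128 bits of SHA-256 (alg HS256/RS256)
    return b64url(hashlib.sha256(value.encode()).digest()[:16])

def mint_id_token(claims: dict, key: bytes) -> str:
    # Constructed HS256 token for the demo; a public OP would normally use RS256 + JWKS.
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def verify_id_token(token, key, issuer, client_id, nonce, now,
                    max_age=None, access_token=None, code=None):
    """Return the claims when every check passes; raise ValueError otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    if json.loads(b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # reject alg=none / algorithm swaps
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    c = json.loads(b64url_decode(p))
    aud = c["aud"] if isinstance(c.get("aud"), list) else [c.get("aud")]
    checks = [
        (c.get("iss") != issuer, "iss mismatch"),
        (client_id not in aud, "aud mismatch"),
        (not c.get("sub"), "sub missing"),
        (now >= c.get("exp", 0), "expired"),
        (c.get("nonce") != nonce, "nonce mismatch"),
        (max_age is not None and now - c.get("auth_time", 0) > max_age, "auth_time older than max_age"),
        (access_token is not None and c.get("at_hash") != left_half_hash(access_token), "at_hash mismatch"),
        (code is not None and c.get("c_hash") != left_half_hash(code), "c_hash mismatch"),
    ]
    for failed, msg in checks:
        if failed:
            raise ValueError(msg)
    return c
```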
[Page 52]
OAuth OpenID Connect
OAuth
[Page 54]
CSRF
[Page 55]
Flow diagram labels: Login / Sign-up; Request an Access Token; Authentication Event; Issue an Authorization Code; Send the Code; Request Attributes; Attributes; Welcome, Nov!; Access Token (+ ID Token); response_type=code
[Page 59]
Code
[Page 62]
Token
[Page 63]
Flow diagram labels: Login / Sign-up; Request an Access Token; Authentication Event; Issue an Access Token; Welcome, Nov!; Token; Attributes; Token; Session; App Backend; response_type=token
[Page 66]
prompt=login & max_age=N @
https://sec-camp-rp-code.herokuapp.com
[Page 67]
OAuth …
• OAuth …
• state
• OpenID Connect (max_age etc.)
• Token
• nonce
• ( )
• ID Token aud, sub, auth_time etc.
• OAuth API (Token Introspection)
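Two of the checks from the page 67 list that do not live inside the ID Token, as an added Python example that is not part of the original slides: the state parameter bound to the browser session (the CSRF defense of pages 54 to 57) and a Token Introspection check for an Access Token that the front end hands to the App Backend in the page 63 flow, rejecting tokens that were issued to a different client_id. The introspection responses are constructed samples in the shape of an RFC 7662 response, and the client_id, scope and timestamps are assumptions.

```python
import hmac
import secrets

def new_state(session: dict) -> str:
    """Before redirecting to the Authorization Endpoint: mint an unguessable state,
    bind it to this browser session and send it as the state parameter."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    return state

def check_state(session: dict, returned_state) -> bool:
    """At the redirect_uri: the returned state must equal the one in THIS session.
    Popping it makes the value single-use, so a replayed callback is rejected too."""
    expected = session.pop("oauth_state", None)
    if expected is None or returned_state is None:
        return False
    return hmac.compare_digest(expected, str(returned_state))

def check_introspection(resp: dict, my_client_id: str, required_scope: str, now: int) -> bool:
    """Validate an RFC 7662 Token Introspection response for a token the front end
    handed to the App Backend. A token issued to another client_id is rejected,
    which is the defense against token substitution; expiry and scope are checked too."""
    if resp.get("active") is not True:
        return False
    if resp.get("client_id") != my_client_id:
        return False
    if "exp" in resp and int(resp["exp"]) <= now:
        return False
    return required_scope in resp.get("scope", "").split()

# Constructed sample introspection responses (not captured from any real server).
GOOD = {"active": True, "client_id": "rp-client", "scope": "openid profile", "exp": 1000600, "sub": "nov"}
FOREIGN = {"active": True, "client_id": "another-app", "scope": "openid profile", "exp": 1000600, "sub": "nov"}

def demo() -> bool:
    """Walk one login: genuine callback accepted, replay rejected, foreign token rejected."""
    session = {}
    state = new_state(session)
    genuine = check_state(session, state)
    replay = check_state(session, state)
    own_token = check_introspection(GOOD, "rp-client", "openid", 1000100)
    foreign_token = check_introspection(FOREIGN, "rp-client", "openid", 1000100)
    return genuine and not replay and own_token and not foreign_token
```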
[Page 68]
OAuth …
API or
OpenID Connect
[Page 69]
OpenID Connect ~ OAuth 2.0 + Identity Layer ~
[Page 73]
https://connect-rp.herokuapp.com
&
https://connect-op.herokuapp.com