Ritou idcon7
Transcript of Ritou idcon7
Introduction to the OAuth 2.0 Specification
Ryo Ito (伊東 諒)
Yahoo Japan Corporation
2010/6/25
idcon #7
About me
• Ryo Ito (=ritou, @ritou)
– Yahoo Japan Corporation, R&D Division, Platform Development Division
• Responsibilities
– User authentication platform
– Anti-abuse products related to the above
• The "login trio"
– Platform for service integration with external partners
• OAuth, OpenID, and the mechanisms that came before them
• Contributor: OpenID Artifact Binding WG
About this deck
• It introduces the OAuth 2.0 spec as of draft 8, updated on June 15, 2010
• It is not a statement that Yahoo! JAPAN will support OAuth 2.0 early
• Discussion among the parties involved is still ongoing, and it is entirely possible that the spec will change
History
• 2007/12/4 OAuth Core 1.0
• 2009/6/24 OAuth Core 1.0 Revision A
• 2009/7/10 Yahoo! JAPAN SP start!!!
• 2009/12 OAuth WRAP
• 2010/4 OAuth 1.0 RFC 5849
• 2010-2011? OAuth 2.0
Issues with the OAuth 1.0 family, per Eran
• Authentication and Signatures
– Signatures are complex and require a library
• User Experience and Alternative Token Issuance Options
– Folding everything into a single flow hurts the UX for anything but web apps...
– Facebook Connect is easy to use, isn't it?
• Performance at Scale
– Two kinds of tokens, plus client credentials, have to be managed
– Every API access must verify both the client credential and the token credential
OAuth 2.0 Spec
• IETF OAuth WG
– based on OAuth WRAP
• Abstract
– Client type and profile
• The flow up to delegation of access rights
– Endpoint
• Processing at the two endpoints
– Resource access
• API access using a bearer token
Client Type and Profile
• 4 Client types
– Web Servers
– User-Agents
– Native Applications
– Autonomous Clients
Web Server Profile
• Client Credential
– Client ID
– Client Secret
• Differences from OAuth 1.0a
– No Request Token
– No Signature
– No Token Secret
[Sequence diagram: User-Agent, Web Client, AuthZ Server, Protected Resource]
User-Agent Profile
• Client on User-Agent
– Twitter: @anywhere
– Facebook: JavaScript-Based Authentication
• Client Credential
– Client ID
• Access Token as URI Fragment Identifier
[Sequence diagram: User-Agent, AuthZ Server, Protected Resource, Client in Browser]
Native Applications
iPhone/Android App, Desktop App
• External User-Agent
– Use custom URI scheme
– Polling UA window and looking for a title change
• Embedded User-Agent
– Check URL Redirection
• Prompt for user credential
– ID/PW to Access Token (discouraged)
Autonomous Clients
• Clients = Resource Owner
≒ OAuth Consumer Request
• Existing Trust Relationship / Framework
– SAML etc...
Client credential
• Client credential
– client identifier
– client secret (optional)
• AuthN schemes
– Request parameters
– HTTP Basic authN ← is this really needed...
Endpoint
• End-user authZ endpoint: Indirect Communication
– Obtaining End-User Authorization
• Token Endpoint: Direct Communication
– TLS 1.2 required
– Authorization Code2Access Token
– Resource Owner Credentials2Access Token
– Assertion2Access Token
– Refresh Token
End-user authZ endpoint
• Request format
– HTTP GET
• Request params
– type, client_id, redirect_uri, state, scope
• Suspicion that the URL gets long
– Once extensions arrive, won't this be trouble on mobile? ↓
– Proposal to use a request_url parameter
• Request by Reference ver.1.0 for OAuth 2.0, draft-sakimura-oauth-requrl-00
End-user authZ endpoint
• Response format
– type = web_server: query parameters
– type = user_agent: URI fragment identifier
• Response params
– type = web_server: code, state
– type = user_agent: access_token, expires_in, state
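The two slides above describe the request to, and the redirect back from, the end-user authorization endpoint. The following Python is an added example, not code from this deck or from Yahoo! JAPAN: it builds the HTTP GET request from the listed parameters and parses both response shapes (query parameters for type=web_server, the URI fragment for type=user_agent), refusing any redirect whose state does not match the value the client generated for this request. The endpoint URL, client id and token values are constructed samples.

```python
# Added example (not from the slides): OAuth 2.0 draft 8 end-user
# authorization request and the two response shapes listed on the slide.
from urllib.parse import urlencode, urlsplit, parse_qs

AUTHZ_ENDPOINT = "https://authz.example.test/authorize"  # assumed sample URL

VALID_TYPES = ("web_server", "user_agent")  # the two 'type' values on the slide


def build_authz_request(client_type, client_id, redirect_uri, state, scope=None):
    """Return the URL for the HTTP GET to the end-user authorization endpoint."""
    if client_type not in VALID_TYPES:
        raise ValueError("unknown type: %s" % client_type)
    params = {
        "type": client_type,
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,  # unguessable per-request value kept in the client session
    }
    if scope:
        params["scope"] = scope
    return AUTHZ_ENDPOINT + "?" + urlencode(params)


def _single(params, name, required=True):
    """Fetch one parameter value, rejecting missing or repeated parameters."""
    values = params.get(name)
    if not values:
        if required:
            raise ValueError("missing parameter: %s" % name)
        return None
    if len(values) != 1:
        raise ValueError("parameter repeated: %s" % name)
    return values[0]


def parse_authz_response(client_type, redirected_url, expected_state):
    """Parse the redirect that brings the end-user back to redirect_uri.

    web_server: code and state arrive as query parameters.
    user_agent: access_token, expires_in and state arrive in the URI fragment,
    which the browser keeps client-side and never sends to the redirect_uri host.
    The state must equal the value stored for this request; otherwise the
    response belongs to some other authorization request and is discarded.
    """
    parts = urlsplit(redirected_url)
    if client_type == "web_server":
        params = parse_qs(parts.query, keep_blank_values=True)
        result = {"code": _single(params, "code")}
    elif client_type == "user_agent":
        params = parse_qs(parts.fragment, keep_blank_values=True)
        result = {"access_token": _single(params, "access_token")}
        expires_in = _single(params, "expires_in", required=False)
        if expires_in is not None:
            result["expires_in"] = int(expires_in)
    else:
        raise ValueError("unknown type: %s" % client_type)
    if _single(params, "state") != expected_state:
        raise ValueError("state mismatch")
    return result


if __name__ == "__main__":
    url = build_authz_request("web_server", "s6BhdRkqt3",
                              "https://client.example.test/cb", "xyz", "read")
    print(url)
    print(parse_authz_response(
        "web_server", "https://client.example.test/cb?code=i1WsRn1uB1&state=xyz", "xyz"))
```

The state check is the one piece of client-side validation these slides rely on without spelling it out: a client that accepts any code or access_token that shows up at redirect_uri cannot tell its own pending request from someone else's.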
Token endpoint
• Request format
– HTTP POST
• Request params
– Client credential
– Specific params
• grant_type, scope
– code, redirect_uri
– username, password
– assertion_type, assertion
– refresh_token
Token Refresh
≒ OAuth Session Extension (Y! Inc, Y!J)
• Tokens
– Refresh Token: long-lived
– Access Token: short-lived
• Request
– grant_type: refresh_token
– client_id, client_secret, refresh_token
• Response
– access_token
Token endpoint
• Response format
– JSON only
• Response params
– access_token, expires_in, refresh_token, scope
Accessing a Protected Resource
• Param
– Access Token only
• Positioned like the browser and HTTP cookies, per Allen
• Method
– The Authorization Request Header Field
– URI Query Parameter
– Form-Encoded Body Parameter
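The slide lists the three places a client may carry the access token, and notes that the token is all the resource server sees, much like a session cookie. The Python below is an added example, not code from this deck or from Yahoo! JAPAN: the three client-side helpers attach the token in each place, and the resource-server side locates it, refuses requests that present a token in more than one place, and checks it against a table of issued tokens with their expiry. The header scheme OAuth and the parameter name oauth_token are the draft 8 names as I recall them; the slide does not spell them out, so treat them as an assumption. The API URL and the token records are constructed samples.

```python
# Added example (not from the slides): carrying a bearer access token in the
# three locations listed on the slide, and validating it at the resource server.
from urllib.parse import urlencode, urlsplit, urlunsplit, parse_qs

# Assumed draft 8 names: "OAuth" header scheme, "oauth_token" parameter.
HEADER_SCHEME = "OAuth"
TOKEN_PARAM = "oauth_token"


def with_token_header(headers, access_token):
    """Method 1: the Authorization request header field."""
    out = dict(headers)
    out["Authorization"] = HEADER_SCHEME + " " + access_token
    return out


def with_token_query(url, access_token):
    """Method 2: a URI query parameter (note: this lands in server and proxy logs)."""
    parts = urlsplit(url)
    query = parts.query + ("&" if parts.query else "") + urlencode({TOKEN_PARAM: access_token})
    return urlunsplit((parts.scheme, parts.netloc, parts.path, query, parts.fragment))


def with_token_body(body, access_token):
    """Method 3: a form-encoded body parameter."""
    return body + ("&" if body else "") + urlencode({TOKEN_PARAM: access_token})


def extract_access_token(url, headers, body):
    """Resource-server side: find the access token in an incoming request.

    `headers` is a dict with canonical header names. A token presented in
    more than one place is treated as an error here, so that a resource
    server never silently picks one of two differing tokens.
    """
    found = []
    auth = headers.get("Authorization")
    if auth is not None:
        scheme, _, value = auth.strip().partition(" ")
        if scheme.lower() != HEADER_SCHEME.lower() or not value.strip():
            raise ValueError("malformed Authorization header")
        found.append(value.strip())
    found.extend(parse_qs(urlsplit(url).query).get(TOKEN_PARAM, []))
    content_type = headers.get("Content-Type", "").split(";")[0].strip().lower()
    if body and content_type == "application/x-www-form-urlencoded":
        found.extend(parse_qs(body).get(TOKEN_PARAM, []))
    if len(found) != 1:
        raise ValueError("access token must be presented exactly once, got %d" % len(found))
    return found[0]


# Constructed sample of the issued-token table; keyed by the token string.
TOKEN_RECORDS = {
    "SlAV32hkKG": {"scope": "read", "expires_at": 1700000000},
}


def authorize_request(url, headers, body, now, records=TOKEN_RECORDS):
    """Return the scope granted to this request, or None if it must be refused.

    With no signature, possession of the token string is the whole check, so
    a short expires_in is what limits the damage from a leaked token.
    """
    try:
        token = extract_access_token(url, headers, body)
    except ValueError:
        return None
    record = records.get(token)
    if record is None or record["expires_at"] <= now:
        return None
    return record["scope"]


if __name__ == "__main__":
    api = "https://api.example.test/me"
    print(with_token_header({}, "SlAV32hkKG"))
    print(with_token_query(api + "?fields=name", "SlAV32hkKG"))
    print(authorize_request(api, with_token_header({}, "SlAV32hkKG"), "", now=1699999000))
```

Of the three methods, the header is the one that keeps the token out of URL logs and referrers, which is why the query-parameter helper carries the comment it does; the resource-server function accepts all three only because the slide lists all three.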
Summary
• Profiles are defined in detail
• Two endpoints
• Simplified implementation
– No signature
– Bearer token
• The curse of Basic auth?
Open concerns
• Level of Assurance
– Is it OK to expose payment-related APIs on top of this?
• AuthZ Server initiated
– Feasible with some ingenuity using state or extensions
• User-Centric OAuth
– Discovery
– Asymmetric Signature
– User Identifier Extension
• Just decide when to pass it and in what format
→ Wait, isn't that just OpenID AB?!
The end
• I will keep following the spec
• Questions go to the WG!?
Open Stack FTW!