openid connect 101 @ openid technight vol.11
DESCRIPTION
TRANSCRIPT
Copyright 2013 OpenID Foundation Japan - All Rights Reserved.
♥OpenID Connect 101
Copyright 2013 OpenID Foundation Japan - All Rights Reserved.
Nov Matake
OpenID Foundation Japan
Evangelist 初号機
翻訳WG Leader
OAuth.jp
Idcon
Rubyist
fb_graph, rack-oauth2, openid_connect etc.
池澤あやかと学ぼう! はじめてのOAuthとOpenID Connect
Copyright 2013 OpenID Foundation Japan - All Rights Reserved.
パスワード漏洩例
Copyright 2013 OpenID Foundation Japan - All Rights Reserved.
パスワードリストアタック被害例
…next ?
Copyright 2013 OpenID Foundation Japan - All Rights Reserved.
2段階認証
有効化する人1%以下 + 75%は2週間でやめる
リスクベース認証
Copyright 2013 OpenID Foundation Japan - All Rights Reserved.
Copyright 2013 OpenID Foundation Japan - All Rights Reserved.
セキュリティ専任スタッフが100人未満しかいないサービスにパスワードを預けるのは、自殺行為である。
Eric Sachs, Google
Copyright 2013 OpenID Foundation Japan - All Rights Reserved.
パスワード、ちゃんとハッシュ化してる?
まさかパスワード数字だけなんてことは…
定期的にメールアドレス生存確認してる?
あやしいユーザー行動、常に監視してる?
2段階認証提供すれば、後はユーザー責任?
Copyright 2013 OpenID Foundation Japan - All Rights Reserved.
御社はどうですか?
Copyright 2013 OpenID Foundation Japan - All Rights Reserved.
Copyright 2013 OpenID Foundation Japan - All Rights Reserved.
「○○ ID でログイン」http://klout.com
Copyright 2013 OpenID Foundation Japan - All Rights Reserved.
v.s
Copyright 2013 OpenID Foundation Japan - All Rights Reserved.
Copyright 2013 OpenID Foundation Japan - All Rights Reserved. https://developers.facebook.com/products/login/
Copyright 2013 OpenID Foundation Japan - All Rights Reserved.
Copyright 2013 OpenID Foundation Japan - All Rights Reserved.
♥OpenID Connect
OAuth 2.0 + Identity Layer
Copyright 2013 OpenID Foundation Japan - All Rights Reserved.
Copyright 2013 OpenID Foundation Japan - All Rights Reserved.
2011~
ID Provider 向け
Copyright 2013 OpenID Foundation Japan - All Rights Reserved.
Basic Client Implementation Guide +
Implicit Client Implementation Guide
Copyright 2013 OpenID Foundation Japan - All Rights Reserved.
Basic Client Implementer's Guide 1.0 は, OAuth 2.0 Code Flow を利用して Web ベースの Relying Party を実装する為の実装ガイド
Implicit Client Implementer's Guide 1.0 は, OAuth 2.0 Implicit Flowを利用してWebベースの Relying Party を実装する為の実装ガイド
翻訳済 → http://j.mp/openid-trans
Copyright 2013 OpenID Foundation Japan - All Rights Reserved.
Basic Client
Copyright 2013 OpenID Foundation Japan - All Rights Reserved.
Implicit Client
Copyright 2013 OpenID Foundation Japan - All Rights Reserved.
Code Flow - OpenID ConnectRelying Party OpenID Provider
Initiate
Request Authorization
Authorization Code
Authorization Code
Access Token + ID Token
End User
Authenticate & Authorize
Copyright 2013 OpenID Foundation Japan - All Rights Reserved.
Code Flow - OpenID ConnectRelying Party OpenID Provider
Initiate
Request Authorization
Authorization Code
Authorization Code
Access Token + ID Token
End User
Authenticate & Authorize
Copyright 2013 OpenID Foundation Japan - All Rights Reserved.
Code Flow - OpenID ConnectRelying Party OpenID Provider
Initiate
Request Authorization
Authorization Code
Authorization Code
Access Token + ID Token
End User
Authenticate & Authorizeclient_id=...& response_type=code& redirect_uri=https://...& scope=openid+email
Copyright 2013 OpenID Foundation Japan - All Rights Reserved.
Code Flow - OpenID ConnectRelying Party OpenID Provider
Initiate
Request Authorization
Authorization Code
Authorization Code
Access Token + ID Token
End User
Authenticate & Authorize
Copyright 2013 OpenID Foundation Japan - All Rights Reserved.
Code Flow - OpenID ConnectRelying Party OpenID Provider
Initiate
Request Authorization
Authorization Code
Authorization Code
Access Token + ID Token
End User
Authenticate & Authorize
Copyright 2013 OpenID Foundation Japan - All Rights Reserved.
Code Flow - OpenID ConnectRelying Party OpenID Provider
Initiate
Request Authorization
Authorization Code
Authorization Code
Access Token + ID Token
End User
Authenticate & Authorize
code=...& client_id=...& client_secret=...& grant_type=authorization_code& redirect_uri=https://...
Copyright 2013 OpenID Foundation Japan - All Rights Reserved.
OpenID Connect =
OAuth 2.0 + Identity Layer
Copyright 2013 OpenID Foundation Japan - All Rights Reserved.
OpenID Connect Scopes
openid → OpenID Connect Request を明示
profile → 氏名, ニックネーム, プロフィール画像 etc.
email → メールアドレス, 検証済 Flag
address → 住所
phone → 電話番号, 検証済 Flag
offline_access → Refresh Token 取得用
ID Token
Copyright 2013 OpenID Foundation Japan - All Rights Reserved.
ID Token - 署名アルゴリズム
公開鍵暗号 (RSA-SHA256 etc)
OpenID Provider の公開鍵で署名検証
Native App に秘密鍵埋め込まなくても OK
共通鍵暗号 (HMAC-SHA256 etc)
公開鍵暗号が苦手なエンジニア多い?
でも Native App だと秘密鍵漏れちゃう…
Copyright 2013 OpenID Foundation Japan - All Rights Reserved.
ID Token - 認証イベントMetadata
誰が (issuer = OpenID Provider)
誰を (subject = End-User)
誰のために (audience = Relying Party)
いつ (Issued At)
認証したのか
検証方法は翻訳ドキュメントを
Copyright 2013 OpenID Foundation Japan - All Rights Reserved.
UserInfo API
Standardized JSON Format
Copyright 2013 OpenID Foundation Japan - All Rights Reserved.
OpenID Connect Discovery
Copyright 2013 OpenID Foundation Japan - All Rights Reserved.
Developerサイト読まなくても 必要なエンドポイント情報等
すべて分かる
Copyright 2013 OpenID Foundation Japan - All Rights Reserved.
GET /.well-known/webfinger
Copyright 2013 OpenID Foundation Japan - All Rights Reserved.
GET /.well-known/openid-configuration
Copyright 2013 OpenID Foundation Japan - All Rights Reserved.
OpenID Connect Dynamic Client Registration
Copyright 2013 OpenID Foundation Japan - All Rights Reserved.
Developerサイトのフォームから アプリ (=Client) 登録しなくても
動的にClient登録できる
Copyright 2013 OpenID Foundation Japan - All Rights Reserved.
Copyright 2013 OpenID Foundation Japan - All Rights Reserved.
Static Client Registration
Copyright 2013 OpenID Foundation Japan - All Rights Reserved.
Dynamic Client Registration
Copyright 2013 OpenID Foundation Japan - All Rights Reserved.
openid-foundation-japan.github.io
slideshare.net/matake
github.com/nov
twitter.com/nov