A How-To for Secure Identity Federation (安全なID連携のハウツー)

Published on: 第3回合同勉強会@UZABASE (3rd joint study session at UZABASE), Jun. 5, 2014
Published in: Internet
  1. A How-To for Secure Identity Federation. 2014/06/05, OpenID Foundation Japan, 倉林雅 (Masaru Kurabayashi)
  2. 倉林 雅 (a.k.a. kura): Evangelist, OpenID Foundation Japan; ID Services engineer, Yahoo Japan Corporation; self-described "ID geek"; @kura_lab
  3. Managing IDs and passwords yourself is expensive. (Photo: Armour on display in the War Gallery by Royal Armouries)
  4. Leave authentication to an IdP!
  5. OAuth / OpenID
  6. Covert Redirect? (Photo: Question Mark Block by Jared Cherup)
  7. OAuth 2.0 Implicit flow
  8. User's Browser (Diagram source: developers.facebook.com; the same implicit-flow diagram is annotated step by step through slide 27. Copyright(C) 2014 Yahoo Japan Corporation. All Rights Reserved. Copyright 2013 OpenID Foundation Japan - All Rights Reserved.)
  9. Your App
  10. Facebook
  11. App displayed
  12. Dialog displayed
  13. access token obtained
  14. API request
  15. Covert Redirect (Photo: 254/365: X marks the spot by Addison Berry)
  16. (Diagram from developers.facebook.com, no caption)
  17. Malicious server
  18. Weak Point
  19. App displayed
  20. Dialog displayed
  21. access token obtained
  22. access token leaked
  23. GET /me (User Info): the profile is fetched through the Profile API
  24. API abuse, phishing
  25. Covert Redirect: a vulnerability in OAuth/OpenID?
  26. An open redirector vulnerability (Photo: Marsmettnn Tallahassee)
  27. An open redirector vulnerability (diagram)
  28. Covert Redirect countermeasure (= open redirector countermeasure): do not let the callback URL redirect to external sites. (Photo: (090/365) January 22, 2010: Can't stop the music by Jason Alley)
  29. Trends in the identity space (Photo: Web Trend Map 4 (Detail) / 20090914.10D.53870.P1 / SML by See-ming Lee)
  30. OpenID Connect
  31. ♥ OpenID Connect = OAuth 2.0 + Identity Layer
  32. 2014.2.25: the OpenID Connect specification went final!! (Photo: Nate and Birthday Cake (2 of 5) by Chris Pencis)
  33. Thank you for listening.
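The countermeasure on slide 28 in working code, as an added example that is not part of the original slides. The "Weak Point" of slide 18 is that the IdP checks redirect_uri only at domain level, so an attacker can send a victim to the IdP with redirect_uri=https://app.example/callback?next=https://evil.example/ (slide 17). In the implicit flow the IdP appends #access_token=... to that callback URL (slide 21), and because browsers carry the fragment along when following a redirect whose Location header has no fragment of its own, an open redirector on /callback delivers the token to the malicious server (slide 22). The hosts app.example and evil.example, the `next` parameter name, the function names and the token value are assumptions made for this walk-through, not from the deck; the model of the browser is the simplified one just described.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qs

# Hypothetical hosts for the walk-through (assumptions, not from the slides).
APP_HOST = "app.example"        # the relying party ("Your App")
ATTACKER_HOST = "evil.example"  # the "malicious server" of slide 17


def idp_authorize_implicit(redirect_uri, access_token):
    """Model the IdP's implicit-flow response as the slides describe it.

    The IdP verifies only that redirect_uri is on the client's registered
    domain (the 'Weak Point') and then sends the browser there with the
    access token in the URL fragment.
    """
    if urlsplit(redirect_uri).netloc != APP_HOST:
        raise ValueError("redirect_uri is not on the registered domain")
    return f"{redirect_uri}#access_token={access_token}"


def vulnerable_redirect_target(next_param):
    """Before: /callback trusts `next` as-is, i.e. it is an open redirector."""
    return next_param or "/"


def safe_redirect_target(next_param, default="/"):
    """After: only a path on our own site is accepted; anything else -> default."""
    if not next_param:
        return default
    if any(ord(c) < 0x21 for c in next_param):   # control chars / whitespace tricks
        return default
    if "\\" in next_param:                        # browsers turn "/\evil" into "//evil"
        return default
    parts = urlsplit(next_param)
    if parts.scheme or parts.netloc:              # absolute or protocol-relative URL
        return default
    if not parts.path.startswith("/") or parts.path.startswith("//"):
        return default
    # Rebuild from path and query only, so no scheme/host can sneak through.
    return urlunsplit(("", "", parts.path, parts.query, ""))


def browser_follow_callback(callback_url, resolve_next):
    """Model the browser: load the callback, follow the app's 302 to
    resolve_next(next), and keep the original #fragment when the Location
    header carries none (this is what leaks the token)."""
    cb = urlsplit(callback_url)
    next_param = parse_qs(cb.query).get("next", [""])[0]
    loc = urlsplit(resolve_next(next_param))
    return urlunsplit((
        loc.scheme or cb.scheme,
        loc.netloc or cb.netloc,
        loc.path,
        loc.query,
        loc.fragment or cb.fragment,
    ))


def run_covert_redirect(resolve_next, token="EAAB-demo-token"):
    """Attacker-crafted redirect_uri: registered domain, open-redirect `next`.

    Returns (final URL the browser lands on, whether the token reached the attacker).
    """
    redirect_uri = f"https://{APP_HOST}/callback?next=https://{ATTACKER_HOST}/"
    callback_url = idp_authorize_implicit(redirect_uri, token)
    final_url = browser_follow_callback(callback_url, resolve_next)
    leaked = urlsplit(final_url).netloc == ATTACKER_HOST and token in final_url
    return final_url, leaked


if __name__ == "__main__":
    for name, resolver in (("vulnerable", vulnerable_redirect_target),
                           ("hardened", safe_redirect_target)):
        url, leaked = run_covert_redirect(resolver)
        print(f"{name:10s} -> {url}  token leaked: {leaked}")
```

With the vulnerable resolver the browser ends up on https://evil.example/#access_token=..., with the hardened one it stays on app.example and the token never leaves the site. The client-side rule is exactly the one the slide states: the callback may only ever redirect to a path on your own site, never to a URL taken from a parameter. The complementary IdP-side control, exact string comparison against pre-registered redirect URIs instead of domain-level matching, is what RFC 6749 §3.1.2 and the OAuth threat model (RFC 6819) recommend, and it closes the "Weak Point" independently of any client code.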