OpenID Connect 101 @ OpenID TechNight vol.11


Published in: Technology


1. ♥ OpenID Connect Copyright 2013 OpenID Foundation Japan - All Rights Reserved.
2. Nov Matake: OpenID Foundation Japan Evangelist No. 1 (初号機), Translation WG Leader, OAuth.jp, Idcon, Rubyist, author of fb_graph, rack-oauth2, openid_connect, etc.
3. "Let's Learn with Ayaka Ikezawa! Your First OAuth and OpenID Connect"
4. Examples of password leaks
5. Examples of damage from password list attacks … next?
6. Two-step verification: fewer than 1% of users enable it, and 75% of those stop within two weeks
7. Risk-based authentication
8. (image-only slide)
9. "Entrusting your password to a service with fewer than 100 dedicated security staff is suicidal." Eric Sachs, Google
10. Are you hashing passwords properly? Surely your passwords aren't digits only… Do you periodically confirm that users' e-mail addresses are still alive? Are you continuously monitoring for suspicious user behaviour? Once you offer two-step verification, is the rest the user's responsibility?
11. What about your company?
12. (image-only slide)
13. "Log in with ○○ ID" http://klout.com
14. vs.
15. (image-only slide)
16. (image-only slide) https://developers.facebook.com/products/login/
17. (image-only slide)
18. ♥ OpenID Connect: OAuth 2.0 + Identity Layer
19. (image-only slide)
20. 2011 onward
21. For ID Providers
22. Basic Client Implementation Guide + Implicit Client Implementation Guide
23. The Basic Client Implementer's Guide 1.0 is an implementation guide for building a web-based Relying Party using the OAuth 2.0 Code Flow. The Implicit Client Implementer's Guide 1.0 is an implementation guide for building a web-based Relying Party using the OAuth 2.0 Implicit Flow. Translations available → http://j.mp/openid-trans
24. Basic Client
25. Implicit Client
26. Code Flow - OpenID Connect (sequence diagram between End User, Relying Party and OpenID Provider: Initiate → Request Authorization → Authenticate & Authorize → Authorization Code (to the Relying Party) → Authorization Code (to the OpenID Provider) → Access Token + ID Token)
27. Code Flow - OpenID Connect (same sequence diagram)
28. Code Flow - OpenID Connect (same sequence diagram; the authorization request carries client_id=...&response_type=code&redirect_uri=https://...&scope=openid+email)
29. Code Flow - OpenID Connect (same sequence diagram)
30. Code Flow - OpenID Connect (same sequence diagram)
31. Code Flow - OpenID Connect (same sequence diagram; the token request carries code=...&client_id=...&client_secret=...&grant_type=authorization_code&redirect_uri=https://...)
32. OpenID Connect = OAuth 2.0 + Identity Layer
33. OpenID Connect Scopes: openid → marks the request explicitly as an OpenID Connect request; profile → name, nickname, profile picture, etc.; email → e-mail address plus a verified flag; address → postal address; phone → phone number plus a verified flag; offline_access → for obtaining a Refresh Token
34. ID Token
35. ID Token - signature algorithms. Public-key cryptography (RSA-SHA256 etc.): the signature is verified with the OpenID Provider's public key, so no secret key has to be embedded in a native app. Symmetric-key cryptography (HMAC-SHA256 etc.): simpler for the many engineers who are uncomfortable with cryptography(?), but in a native app the secret key would leak…
36. ID Token - authentication event metadata: who (issuer = OpenID Provider) authenticated whom (subject = End-User), for whom (audience = Relying Party), and when (Issued At)
37. For the validation procedure, see the translated documents
38. UserInfo API: standardized JSON format
39. OpenID Connect Discovery
40. All the endpoint information etc. that you need can be found without reading the developer site
41. GET /.well-known/webfinger
42. GET /.well-known/openid-configuration
43. OpenID Connect Dynamic Client Registration
44. Clients (= apps) can be registered dynamically without going through the registration form on the developer site
45. (image-only slide)
46. Static Client Registration
47. Dynamic Client Registration
48. twitter.com/nov slideshare.net/matake github.com/nov openid-foundation-japan.github.io
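Slides 26 to 31 (Code Flow) and 39 to 42 (Discovery) describe what a Relying Party does on its side of the exchange. The Python script below is an added example, not code from the talk nor from the author's rack-oauth2 or openid_connect libraries. It reads a constructed openid-configuration document for a hypothetical provider op.example, builds the authorization request of slide 28 (adding state and nonce), checks state on the callback, and assembles the token request of slide 31. No HTTP traffic is sent; the provider URLs, client credentials and authorization code value are all invented for the example.

```python
import json
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed sample response to GET /.well-known/openid-configuration for a
# hypothetical provider "op.example" (not a real OP). The metadata names are the
# standard ones from OpenID Connect Discovery 1.0.
DISCOVERY_DOC = json.loads("""{
  "issuer": "https://op.example",
  "authorization_endpoint": "https://op.example/authorize",
  "token_endpoint": "https://op.example/token",
  "userinfo_endpoint": "https://op.example/userinfo",
  "jwks_uri": "https://op.example/jwks.json",
  "response_types_supported": ["code", "id_token", "code id_token"],
  "scopes_supported": ["openid", "profile", "email", "address", "phone", "offline_access"],
  "id_token_signing_alg_values_supported": ["RS256", "HS256"]
}""")


def load_discovery(doc):
    """Pick out the endpoints a Code Flow RP needs and refuse documents that
    cannot serve the Code Flow at all."""
    required = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")
    missing = [name for name in required if name not in doc]
    if missing:
        raise ValueError("discovery document lacks: " + ", ".join(missing))
    if "code" not in doc.get("response_types_supported", []):
        raise ValueError("provider does not advertise the Code Flow")
    return {name: doc[name] for name in required}


def build_authorization_url(config, client_id, redirect_uri, scopes, state, nonce):
    """Step 'Request Authorization': the RP redirects the End User's browser to
    the OP's authorization endpoint. The 'openid' scope is what turns a plain
    OAuth 2.0 request into an OpenID Connect request."""
    if "openid" not in scopes:
        raise ValueError("scope must include 'openid'")
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,  # ties the callback to this browser session (CSRF check)
        "nonce": nonce,  # echoed back inside the ID Token, ties it to this request
    }
    return config["authorization_endpoint"] + "?" + urlencode(params)


def parse_callback(callback_url, expected_state):
    """Step 'Authorization Code' (OP -> RP through the browser): extract the code
    and insist that 'state' equals what this session sent."""
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:
        raise RuntimeError("authorization failed: " + query["error"][0])
    if query.get("state", [None])[0] != expected_state:
        raise RuntimeError("state mismatch: callback is not bound to this session")
    return query["code"][0]


def build_token_request(config, code, client_id, client_secret, redirect_uri):
    """Step 'Access Token + ID Token': back-channel POST from the RP to the token
    endpoint. Returns (url, form body) instead of sending it."""
    body = {
        "grant_type": "authorization_code",
        "code": code,
        "client_id": client_id,
        "client_secret": client_secret,
        "redirect_uri": redirect_uri,  # must equal the redirect_uri sent in the authorization request
    }
    return config["token_endpoint"], body


if __name__ == "__main__":
    cfg = load_discovery(DISCOVERY_DOC)
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    print(build_authorization_url(cfg, "rp-client-id", "https://rp.example/cb",
                                  ["openid", "email"], state, nonce))
    # Simulated redirect back from the OP; the code value is constructed.
    code = parse_callback("https://rp.example/cb?code=c0de-constructed&state=" + state, state)
    print(build_token_request(cfg, code, "rp-client-id", "rp-client-secret", "https://rp.example/cb"))
```

The state check in parse_callback is the part most often skipped in hand-rolled clients; without it any attacker-chosen authorization code can be injected into a victim's session, which is why both implementer's guides on slide 23 require it.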
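Slides 35 and 36 cover ID Token signature algorithms and the authentication-event claims (issuer, subject, audience, issued-at). The Python code below is an added example, not from the talk: it verifies an HMAC-SHA256-signed ID Token with only the standard library and then checks iss, sub, aud, iat/exp and nonce. The symmetric case is used because RS256 would need the OP's public key from jwks_uri and an RSA library; the shared secret, claim values and timestamps are constructed for the example. sign_hs256 exists only to build the sample token, and the fact that it works with the very same key is the point of slide 35: whoever holds a symmetric key can mint tokens, so it must never ship inside a native app.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed sample values for the example (not from any real provider).
SAMPLE_KEY = b"constructed-shared-secret"
SAMPLE_CLAIMS = {
    "iss": "https://op.example",   # who: the OpenID Provider
    "sub": "248289761001",         # whom: the End-User
    "aud": "rp-client-id",         # for whom: the Relying Party
    "iat": 1700000000,             # when: issued at
    "exp": 1700003600,
    "nonce": "n-0S6_WzA2Mj",
}


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, key: bytes) -> str:
    """Produce a compact JWS (header.payload.signature) with HMAC-SHA256.
    Anyone holding `key` can do this, hence no symmetric keys in native apps."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode("utf-8"))
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode("utf-8"))
    signature = hmac.new(key, (header + "." + payload).encode("ascii"), hashlib.sha256).digest()
    return header + "." + payload + "." + b64url_encode(signature)


def verify_id_token(id_token: str, key: bytes, issuer: str, client_id: str,
                    nonce: str, now=None, leeway: int = 60) -> dict:
    """Return the claims if the token is acceptable for this RP, else raise ValueError."""
    now = time.time() if now is None else now
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWS: expected header.payload.signature")
    header_b64, payload_b64, signature_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm agreed with the OP; never let the token pick its own.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg %r" % header.get("alg"))
    expected = hmac.new(key, (header_b64 + "." + payload_b64).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(signature_b64)):
        raise ValueError("signature verification failed")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise ValueError("iss mismatch: not issued by the expected OpenID Provider")
    audiences = claims.get("aud")
    audiences = audiences if isinstance(audiences, list) else [audiences]
    if client_id not in audiences:
        raise ValueError("aud mismatch: not issued for this Relying Party")
    if len(audiences) > 1 and claims.get("azp") != client_id:
        raise ValueError("multiple audiences but azp is not this client")
    if not claims.get("sub"):
        raise ValueError("sub missing: no End-User identified")
    if claims.get("exp", 0) < now - leeway:
        raise ValueError("token expired")
    if claims.get("iat", 0) > now + leeway:
        raise ValueError("iat lies in the future")
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch: token not bound to this authentication request")
    return claims


if __name__ == "__main__":
    token = sign_hs256(SAMPLE_CLAIMS, SAMPLE_KEY)
    print(token)
    print(verify_id_token(token, SAMPLE_KEY, "https://op.example", "rp-client-id",
                          "n-0S6_WzA2Mj", now=1700000100))
```

The order matters: the signature is checked before any claim is read, and the algorithm is fixed by the RP rather than taken from the header, so a token that merely claims a different alg is rejected before it can influence the verification path.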
