
ID連携入門 (実習編) - Security Camp 2016 (Introduction to ID Federation, hands-on edition)


For some reason the Japanese text is not displayed here, so please download the deck.



  1. ID - - Nov Matake
  2. http://bit.ly/sec2016nov
  3. Definition of “Federation” in NIST SP 800-63-3: “A process that allows for the conveyance of identity and authentication information across a set of networked systems.” https://pages.nist.gov/800-63-3/
  4. Definition of “Federation” in NIST SP 800-63-3: “ Identity ” https://openid-foundation-japan.github.io/800-63-3/index.ja.html
  5. Login / Sign-up; Request an Assertion; Authentication Event; Issue an Assertion; Request Attributes; Attributes; Welcome, Nov!; Verify the Assertion
  6. Login / Sign-up; Request an Assertion; Authentication Event; Issue an Artifact; Send the Artifact; Request Attributes; Attributes; Welcome, Nov!; Assertion
  7. Login / Sign-up; Request an Assertion; Authentication Event; Issue an Assertion w/ Attributes; Verify the Assertion; Welcome, Nov!
  8. SAML (Security Assertion Markup Language) / OpenID Connect
  9. OpenID Connect ~ OAuth 2.0 + Identity Layer ~
  10. OAuth !! Twitter API, Facebook API, GitHub API etc.
  11. https://developers.google.com/oauthplayground/ https://developers.facebook.com/tools/explorer
  12. OAuth Server; Resource Owner; OAuth Client; Resource Owner
  13. Login / Sign-up; Request an Access Token; Authentication Event; Issue an Authorization Code; Send the Code; Request Attributes; Attributes; Welcome, Nov!; Access Token
  14. https://sec-camp-idp.herokuapp.com
  15. Login / Sign-up; Request an Access Token; Authentication Event; Issue an Authorization Code; Send the Code; Request Attributes; Attributes; Welcome, Nov!; Access Token
  16. Login / Sign-up; Request an Access Token; Authentication Event; Issue an Authorization Code; Send the Code; Request Attributes; Attributes; Welcome, Nov!; Access Token
  17. Login / Sign-up; Request an Access Token; Authentication Event; Issue an Authorization Code; Send the Code; Request Attributes; Attributes; Welcome, Nov!; Access Token
  18. Login / Sign-up; Request an Access Token; Authentication Event; Issue an Authorization Code; Send the Code; Request Attributes; Attributes; Welcome, Nov!; Access Token
  19. response_type=code / response_type=token / response_type=code+token
  20. Login / Sign-up; Request an Access Token; Authentication Event; Issue an Access Token; Request Attributes; Attributes; Welcome, Nov! (response_type=token)
  21. Login / Sign-up; Request an Access Token; Authentication Event; Issue an Access Token + Code; Request Attributes; Attributes; Welcome, Nov!; Code; Access Token; Code ??; App Backend (response_type=code+token)
  22. Code Flow • “response_type=code” • Token Endpoint • • Access Token • User Agent • ( ) Client • Access Token
  23. Implicit Flow • “response_type=token” • Token Endpoint • • Access Token • User Agent • Client (client_secret ) • End-User (Client ) Access Token
  24. Hybrid Flow • “response_type=code+token” • Token Endpoint Access Token • Token Endpoint Access Token • • Implicit Flow Access Token • Code Flow Access Token
  25. User Agent / User Agent
  26. (SSL/TLS etc.) …
  27. • RFC 6749 - OAuth 2.0 Core • RFC 6750 - OAuth 2.0 Bearer Token Usage • RFC 6819 - OAuth 2.0 Threat Model • RFC 7519 - JSON Web Token • RFC 7636 - OAuth 2.0 PKCE (Proof Key for Code Exchange) • RFC 7800 - OAuth 2.0 PoP Token (Proof of Possession)
  28. • RFC 6749 - OAuth 2.0 Core • RFC 6750 - OAuth 2.0 Bearer Token Usage • RFC 6819 - OAuth 2.0 Threat Model • RFC 7519 - JSON Web Token • RFC 7636 - OAuth 2.0 PKCE (Proof Key for Code Exchange) • RFC 7800 - OAuth 2.0 PoP Token (Proof of Possession) [ ] http://openid-foundation-japan.github.io
  29. OpenID Connect ~ OAuth 2.0 + Identity Layer ~
  30. Login / Sign-up; Request an Access Token; Authentication Event; Issue an Authorization Code; Send the Code; Request Attributes; Attributes; Welcome, Nov!; Access Token + ID Token
  31. response_type=code / response_type=code+id_token / response_type=token+id_token / response_type=code+token+id_token
  32. • iss (issuer) • (ID Provider) • sub (subject) • • aud (audience) • Client • exp / iat (expires_at / issued_at) •
  33. • auth_time • ( Authentication Event ) • nonce • Authorization Request / Token Response • at_hash • Access Token • c_hash • Authorization Code
  34. OAuth / OpenID Connect / OAuth
  35. http://bitly.com/sec2016nov
  36. CSRF
  37. Login / Sign-up; Request an Access Token; Authentication Event; Issue an Authorization Code; Send the Code; Request Attributes; Attributes; Welcome, Nov!; Access Token (+ ID Token) (response_type=code)
  38. Login / Sign-up; Request an Access Token; Authentication Event; Issue an Authorization Code; Send the Code; Request Attributes; Attributes; Welcome, Nov!; Access Token (+ ID Token) (response_type=code)
  39. Login / Sign-up; Request an Access Token; Authentication Event; Issue an Authorization Code; Send the Code; Request Attributes; Attributes; Welcome, Nov!; Access Token (+ ID Token) (response_type=code)
  40. https://sec-camp-rp-code.herokuapp.com
  41. Code
  42. Login / Sign-up; Request an Access Token; Authentication Event; Issue an Authorization Code; Send the Code; Request Attributes; Attributes; Welcome, Nov!; Access Token (+ ID Token) (response_type=code)
  43. https://sec-camp-rp-code.herokuapp.com
  44. Token
  45. Login / Sign-up; Request an Access Token; Authentication Event; Issue an Access Token; Welcome, Nov!; Token; Attributes; Token; Session; App Backend (response_type=token)
  46. https://sec-camp-rp-implicit.herokuapp.com
  47. prompt=login & max_age=N @ https://sec-camp-rp-code.herokuapp.com
  48. OAuth … • • • OAuth … • state • OpenID Connect (max_age etc.) • Token • nonce • ( ) • ID Token aud, sub, auth_time etc. • OAuth API (Token Introspection)
  49. OAuth … API or OpenID Connect
  50. OpenID Connect ~ OAuth 2.0 + Identity Layer ~
  51. • RFC 6749 - OAuth 2.0 Core • RFC 6750 - OAuth 2.0 Bearer Token Usage • RFC 6819 - OAuth 2.0 Threat Model • RFC 7519 - JSON Web Token • RFC 7636 - OAuth 2.0 PKCE (Proof Key for Code Exchange) • RFC 7800 - OAuth 2.0 PoP Token (Proof of Possession)
  52. https://connect-rp.herokuapp.com & https://connect-op.herokuapp.com
