
OpenID Connect 101 @ OpenID TechNight vol.11


  1. ♥ OpenID Connect 101 (Copyright 2013 OpenID Foundation Japan - All Rights Reserved.)
  2. Nov Matake: OpenID Foundation Japan Evangelist No. 1 (初号機), Translation WG Leader, OAuth.jp, Idcon, Rubyist; author of fb_graph, rack-oauth2, openid_connect, etc.
  3. "Learn with Ayaka Ikezawa! Your First OAuth and OpenID Connect" (池澤あやかと学ぼう! はじめてのOAuthとOpenID Connect)
  4. Examples of password leaks
  5. Examples of damage from password-list attacks (credential stuffing) …next ?
  6. Two-step verification: fewer than 1% of users enable it, and 75% of those give up within two weeks
  7. Risk-based authentication
  8. (image slide)
  9. "Entrusting your passwords to a service with fewer than 100 dedicated security staff is suicidal." Eric Sachs, Google
  10. Are you actually hashing passwords properly? Surely your passwords aren't digits only… Do you periodically confirm that email addresses are still live? Are you continuously monitoring for suspicious user behaviour? Once you offer two-step verification, is the rest the user's responsibility?
  11. How about your company?
  12. (image slide)
  13. "Log in with ○○ ID" http://klout.com
  14. vs.
  15. (image slide)
  16. https://developers.facebook.com/products/login/
  17. (image slide)
  18. ♥ OpenID Connect: OAuth 2.0 + Identity Layer
  19. (image slide)
  20. 2011~
  21. For ID Providers
  22. Basic Client Implementation Guide + Implicit Client Implementation Guide
  23. The Basic Client Implementer's Guide 1.0 is an implementation guide for building a web-based Relying Party using the OAuth 2.0 Code Flow. The Implicit Client Implementer's Guide 1.0 is an implementation guide for building a web-based Relying Party using the OAuth 2.0 Implicit Flow. Translated → http://j.mp/openid-trans
  24. Basic Client
  25. Implicit Client
  26. Code Flow - OpenID Connect (slides 26-31 build up the same sequence diagram step by step). Participants: End User, Relying Party, OpenID Provider. Steps: Initiate → Request Authorization → Authenticate & Authorize → Authorization Code (OP → RP, via redirect) → Authorization Code (RP → OP, in the token request) → Access Token + ID Token.
     Authorization request (slide 28): client_id=...& response_type=code& redirect_uri=https://...& scope=openid+email
     Token request (slide 31): code=...& client_id=...& client_secret=...& grant_type=authorization_code& redirect_uri=https://...
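
The Code Flow of slides 26-31, worked through as an added example (not code from the deck or from the speaker's rack-oauth2/openid_connect gems): an in-memory OpenID Provider and Relying Party exchanging exactly the parameters shown on slides 28 and 31. The names op.example, rp.example, rp-client-id and rp-client-secret are hypothetical, and the state parameter is an addition the slide omits. The ID Token is an opaque placeholder here; signing and verification belong to the ID Token slides.

```python
# Added example, not code from the slides or the speaker's gems: the Authorization Code
# Flow of slides 26-31 as an offline simulation with both parties in memory.
# op.example, rp.example, rp-client-id and rp-client-secret are hypothetical names.
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

OP_AUTHZ_ENDPOINT = "https://op.example/authorize"  # assumed OP authorization endpoint

def _query(url):
    """Flatten a URL's query string into a dict of single values."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}

class OpenIDProvider:
    """Minimal OP: registered clients, one-time codes bound to client_id and redirect_uri."""

    def __init__(self, clients):
        self.clients = clients  # client_id -> {"secret": str, "redirect_uris": set}
        self.codes = {}         # authorization code -> grant details

    def authorize(self, request_url, authenticated_sub):
        """Slide 28: the request arrives via the End User's browser; the user has just
        authenticated as `authenticated_sub`. Returns the redirect to the RP carrying the code."""
        p = _query(request_url)
        client = self.clients.get(p.get("client_id"))
        if client is None or p.get("response_type") != "code":
            raise ValueError("unknown client or unsupported response_type")
        # Exact match against registered URIs: never send a code to an unregistered redirect_uri
        if p.get("redirect_uri") not in client["redirect_uris"]:
            raise ValueError("redirect_uri not registered")
        scopes = p.get("scope", "").split()  # "scope=openid+email" decodes to "openid email"
        if "openid" not in scopes:
            raise ValueError("not an OpenID Connect request: openid scope missing")
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"client_id": p["client_id"], "redirect_uri": p["redirect_uri"],
                            "sub": authenticated_sub, "scope": scopes}
        return p["redirect_uri"] + "?" + urlencode({"code": code, "state": p.get("state", "")})

    def token(self, form):
        """Slide 31: server-to-server token request, authenticated with the client_secret."""
        client = self.clients.get(form.get("client_id"))
        if client is None or not hmac.compare_digest(
                client["secret"].encode(), form.get("client_secret", "").encode()):
            raise PermissionError("invalid_client")
        if form.get("grant_type") != "authorization_code":
            raise ValueError("unsupported_grant_type")
        grant = self.codes.pop(form.get("code"), None)  # pop: a code can be redeemed only once
        if (grant is None or grant["client_id"] != form["client_id"]
                or grant["redirect_uri"] != form.get("redirect_uri")):
            raise PermissionError("invalid_grant")
        # Placeholder ID Token; a real OP returns a signed JWT (see the ID Token slides)
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "id_token": "id-token-for:" + grant["sub"], "scope": " ".join(grant["scope"])}

class RelyingParty:
    def __init__(self, client_id, client_secret, redirect_uri):
        self.client_id, self.client_secret, self.redirect_uri = client_id, client_secret, redirect_uri
        self.pending_state = None

    def authorization_url(self):
        # state (not on the slide) ties the callback to this browser session: CSRF defence
        self.pending_state = secrets.token_urlsafe(16)
        return OP_AUTHZ_ENDPOINT + "?" + urlencode({
            "client_id": self.client_id, "response_type": "code", "redirect_uri": self.redirect_uri,
            "scope": "openid email", "state": self.pending_state})

    def handle_callback(self, callback_url, op):
        p = _query(callback_url)
        if not self.pending_state or not hmac.compare_digest(
                p.get("state", "").encode(), self.pending_state.encode()):
            raise PermissionError("state mismatch: possible CSRF or session mix-up")
        self.pending_state = None
        return op.token({"code": p["code"], "client_id": self.client_id,
                         "client_secret": self.client_secret, "grant_type": "authorization_code",
                         "redirect_uri": self.redirect_uri})

def _setup():
    op = OpenIDProvider({"rp-client-id": {"secret": "rp-client-secret",
                                          "redirect_uris": {"https://rp.example/callback"}}})
    return op, RelyingParty("rp-client-id", "rp-client-secret", "https://rp.example/callback")

def run_flow(sub="248289761001"):
    """Happy path: returns the token response the RP receives."""
    op, rp = _setup()
    callback = op.authorize(rp.authorization_url(), authenticated_sub=sub)
    return rp.handle_callback(callback, op)

def replay_is_rejected():
    """A code captured after redemption (logs, Referer, proxy) cannot be redeemed again."""
    op, rp = _setup()
    callback = op.authorize(rp.authorization_url(), authenticated_sub="248289761001")
    rp.handle_callback(callback, op)
    rp.pending_state = _query(callback)["state"]  # replay the very same callback URL
    try:
        rp.handle_callback(callback, op)
    except PermissionError:
        return True
    return False
```

Three checks carry the flow's security and are easy to lose when working from a diagram: the OP matches redirect_uri exactly against what was registered, it binds the code to client_id and redirect_uri and deletes it on first redemption (replay_is_rejected() shows the second attempt failing), and the RP compares state against its own session before it touches the code.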
  32. OpenID Connect = OAuth 2.0 + Identity Layer
  33. OpenID Connect Scopes: openid → marks the request explicitly as an OpenID Connect request; profile → name, nickname, profile picture, etc.; email → email address plus a verified flag; address → postal address; phone → phone number plus a verified flag; offline_access → to obtain a Refresh Token
  34. ID Token
  35. ID Token - signature algorithms. Public-key cryptography (RSA-SHA256 etc.): the signature is verified with the OpenID Provider's public key, so nothing secret has to be embedded even in a Native App. Shared-key cryptography (HMAC-SHA256 etc.): many engineers are uncomfortable with public-key crypto? But in a Native App the shared secret leaks…
  36. ID Token - authentication event metadata: who (issuer = OpenID Provider) authenticated whom (subject = End-User), for whom (audience = Relying Party), and when (Issued At).
  37. For the verification procedure, see the translated documents.
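
Slides 35 to 37 describe the signature and the four metadata claims but defer the verification procedure to the translated documents. The following added example (not the deck's code) does both with the Python standard library, using HMAC-SHA256 because it needs no key generation; op.example, rp-client-id and rp-client-secret are assumed values. forged_token_verifies() demonstrates the Native App problem from slide 35: with a shared key, anyone holding the client_secret can mint tokens the RP accepts.

```python
# Added example, not code from the slides: minting and verifying an HMAC-SHA256 (HS256)
# ID Token with the standard library only, then the Native App caveat of slide 35.
# op.example, rp-client-id and rp-client-secret are hypothetical names.
import base64
import hashlib
import hmac
import json
import time

OP_ISSUER = "https://op.example"        # assumed OpenID Provider issuer
RP_CLIENT_ID = "rp-client-id"           # assumed Relying Party client_id
RP_CLIENT_SECRET = "rp-client-secret"   # assumed client_secret, doubling as the HS256 key

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_id_token(claims, secret):
    """OP side. With HS256 the signing key is the client_secret shared with the RP."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = header + "." + payload
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def verify_id_token(token, secret, expected_iss, expected_aud, now=None):
    """RP side: check the signature, then the who / whom / for whom / when of slide 36."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm agreed at registration; never let the token choose ("none", RS/HS mix-ups)
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(secret.encode(), (header_b64 + "." + payload_b64).encode(),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != expected_iss:               # who: the OP we sent the user to
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if expected_aud not in aud:                          # for whom: this RP
        raise ValueError("token not intended for this RP")
    if len(aud) > 1 and claims.get("azp") != expected_aud:
        raise ValueError("multiple audiences but azp is not this RP")
    if "sub" not in claims:                              # whom: the End-User
        raise ValueError("missing sub")
    if "iat" not in claims or "exp" not in claims:       # when
        raise ValueError("missing iat/exp")
    if now >= claims["exp"]:
        raise ValueError("expired")
    return claims

def sample_claims(now):
    """Constructed claims for one authentication event."""
    return {"iss": OP_ISSUER, "sub": "248289761001", "aud": RP_CLIENT_ID,
            "iat": now, "exp": now + 600, "email": "alice@example.com", "email_verified": True}

def verify_sample(now=1700000000):
    token = mint_id_token(sample_claims(now), RP_CLIENT_SECRET)
    return verify_id_token(token, RP_CLIENT_SECRET, OP_ISSUER, RP_CLIENT_ID, now=now)

def rejection_reason(claims, now, signing_secret=RP_CLIENT_SECRET):
    """Why the RP rejects a token carrying these claims, or None if it verifies."""
    try:
        verify_id_token(mint_id_token(claims, signing_secret), RP_CLIENT_SECRET,
                        OP_ISSUER, RP_CLIENT_ID, now=now)
    except ValueError as err:
        return str(err)
    return None

def forged_token_verifies(now=1700000000):
    """Slide 35: whoever extracts the shared secret from a Native App can mint an ID Token
    for any subject, and the RP cannot tell it from the OP's. RS256 avoids this because the
    OP's private key never leaves the OP; clients only hold the public key."""
    forged = mint_id_token(dict(sample_claims(now), sub="victim-user"), RP_CLIENT_SECRET)
    claims = verify_id_token(forged, RP_CLIENT_SECRET, OP_ISSUER, RP_CLIENT_ID, now=now)
    return claims["sub"] == "victim-user"
```

Check order matters: reject on algorithm and signature before parsing claims, pin alg to what was registered rather than reading it from the token, and compare iss with the issuer the user was actually sent to so that a token minted by a different OP for the same client_id is not accepted. Production code should also check nonce against the value sent in the authorization request and, for RS256, fetch the OP's keys from its jwks_uri.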
  38. UserInfo API: Standardized JSON Format
  39. OpenID Connect Discovery
  40. Without reading the developer site, you can find out all the endpoint information etc. you need
  41. GET /.well-known/webfinger
  42. GET /.well-known/openid-configuration
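
Slides 41 and 42 name the two lookups; the following added example (not from the deck) chains them for a user identifier and validates the result offline against constructed responses. op.example, alice@op.example and the endpoint URLs are hypothetical; the rel value and the required metadata fields come from OpenID Connect Discovery 1.0.

```python
# Added example, not code from the slides: the two Discovery lookups of slides 41 and 42,
# run against constructed responses. op.example and alice@op.example are hypothetical.
from urllib.parse import urlencode, urlparse

# rel value defined by OpenID Connect Discovery 1.0 for the issuer link
OIDC_ISSUER_REL = "http://openid.net/specs/connect/1.0/issuer"

REQUIRED_METADATA = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri",
                     "response_types_supported", "subject_types_supported",
                     "id_token_signing_alg_values_supported")
ENDPOINT_KEYS = ("authorization_endpoint", "token_endpoint", "userinfo_endpoint",
                 "jwks_uri", "registration_endpoint")

# Constructed responses standing in for what op.example would serve.
WEBFINGER_RESPONSE = {
    "subject": "acct:alice@op.example",
    "links": [{"rel": OIDC_ISSUER_REL, "href": "https://op.example"}],
}
CONFIG_RESPONSE = {
    "issuer": "https://op.example",
    "authorization_endpoint": "https://op.example/authorize",
    "token_endpoint": "https://op.example/token",
    "userinfo_endpoint": "https://op.example/userinfo",
    "jwks_uri": "https://op.example/jwks.json",
    "registration_endpoint": "https://op.example/register",
    "scopes_supported": ["openid", "profile", "email", "address", "phone", "offline_access"],
    "response_types_supported": ["code", "id_token", "token id_token"],
    "subject_types_supported": ["public"],
    "id_token_signing_alg_values_supported": ["RS256", "HS256"],
}

def normalize_identifier(user_input):
    """What the user typed -> (WebFinger resource, host to query). Email-style -> acct: URI."""
    if "://" not in user_input and "@" in user_input:
        return "acct:" + user_input, user_input.rsplit("@", 1)[1]
    if user_input.startswith("https://"):
        return user_input, urlparse(user_input).netloc
    raise ValueError("unsupported identifier")

def webfinger_url(resource, host):
    """Slide 41: GET /.well-known/webfinger, always over https."""
    query = urlencode({"resource": resource, "rel": OIDC_ISSUER_REL})
    return "https://" + host + "/.well-known/webfinger?" + query

def issuer_from_webfinger(jrd):
    for link in jrd.get("links", []):
        if link.get("rel") == OIDC_ISSUER_REL:
            return link["href"]
    raise ValueError("WebFinger response has no OpenID Connect issuer link")

def configuration_url(issuer):
    """Slide 42: the metadata document lives at issuer + /.well-known/openid-configuration."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"

def validate_configuration(issuer, config):
    """Trust the document only if it describes the issuer we fetched it from."""
    if config.get("issuer") != issuer:
        raise ValueError("issuer in document does not match the location it was fetched from")
    missing = [k for k in REQUIRED_METADATA if k not in config]
    if missing:
        raise ValueError("missing required metadata: " + ", ".join(missing))
    for key in ENDPOINT_KEYS:
        if key in config and urlparse(config[key]).scheme != "https":
            raise ValueError(key + " is not https")
    if "code" not in config["response_types_supported"]:
        raise ValueError("OP does not offer the code flow")
    return config

def discover(user_input, fetch):
    """Full chain; `fetch(url)` returns the parsed JSON document (stubbed below)."""
    resource, host = normalize_identifier(user_input)
    issuer = issuer_from_webfinger(fetch(webfinger_url(resource, host)))
    return validate_configuration(issuer, fetch(configuration_url(issuer)))

def stub_fetch(url):
    """Offline stand-in for HTTP GET over the two constructed documents."""
    if url.startswith("https://op.example/.well-known/webfinger?"):
        return WEBFINGER_RESPONSE
    if url == "https://op.example/.well-known/openid-configuration":
        return CONFIG_RESPONSE
    raise LookupError("unexpected URL: " + url)

def is_trustworthy(issuer, config):
    """True if validate_configuration() accepts the document."""
    try:
        validate_configuration(issuer, config)
    except ValueError:
        return False
    return True
```

The check that matters most is that the issuer inside the document equals the issuer the document was fetched from: otherwise a provider, or an attacker who can influence the WebFinger hop, can hand the RP a configuration whose endpoints belong to someone else. Requiring https on every endpoint closes the same gap at the transport level.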
  43. OpenID Connect Dynamic Client Registration
  44. Clients (= apps) can be registered dynamically, without filling in a registration form on the developer site
  45. (image slide)
  46. Static Client Registration
  47. Dynamic Client Registration
  48. twitter.com/nov slideshare.net/matake github.com/nov openid-foundation-japan.github.io
