
AD (the Microsoft one): OpenID Connect support

9,487 views

Material for #idcon vol.18
Azure Active Directory's OpenID Connect support and the OWIN Security OpenID Connect middleware

Published in: Technology

  1. AD (the Microsoft one): OpenID Connect support. 2014/04/25 #idcon vol.18, Naohiro Fujie @phr_eidentity http://idmlab.eidentity.jp
  2. AD? Advertising (an Echigoya flyer, source: Wikipedia) or Active Directory
  3. Active Directory
     • Windows Server Active Directory
     • Microsoft Azure Active Directory
  4. Overview
  5. Azure AD for Developers
     • Identity Provider
       • As a directory service: Users/Groups (sync with WSAD)
       • Protocol support: SAML, ws-federation, OpenID Connect
       • External IdP support: SAML, ws-federation
       • Other features: Multi-Factor AuthN, Self-Service Password Reset
     • Authorization Server
       • Register WebApps/API as protected resource
  6. Identity Provider (diagram): Azure AD Account and Microsoft Account at https://login.windows.com / https://login.microsoftonline.com expose a SAML EndPoint, a ws-fed EndPoint and an OAuth2.0 AuthZ/Token EndPoint; RPs are SAML-SP, ws-fed RP and OpenID Connect RP applications; external IdPs (3rd party SAML IdP) are reached via Home Realm Discovery.
  7. Identity Provider (same diagram with the protocol on each link): the ws-fed RP, Microsoft Account and external IdP links carry ws-fed; the SAML-SP link carries SAML (SAML SP / ws res); the OpenID Connect RP uses the OAuth2.0 AuthZ/Token EndPoint.
  8. OpenID Connect Support
     https://login.windows.net/nfujie2.onmicrosoft.com/.well-known/openid-configuration
     {
       "issuer": "https://sts.windows.net/b9a84eb8-a888-4f41-bb75-43447e36486a/",
       "authorization_endpoint": "https://login.windows.net/b9a84eb8-a888-4f41-bb75-43447e36486a/oauth2/authorize",
       "token_endpoint": "https://login.windows.net/b9a84eb8-a888-4f41-bb75-43447e36486a/oauth2/token",
       "token_endpoint_auth_methods_supported": ["client_secret_post", "private_key_jwt"],
       "jwks_uri": "https://login.windows.net/common/discovery/keys",
       "response_types_supported": ["code", "id_token", "code id_token"],
       "response_modes_supported": ["query", "fragment", "form_post"],
       "subject_types_supported": ["pairwise"],
       "scopes_supported": ["openid"],
       "id_token_signing_alg_values_supported": ["RS256"],
       "microsoft_multi_refresh_token": true,
       "check_session_iframe": "https://login.windows.net/b9a84eb8-a888-4f41-bb75-43447e36486a/oauth2/checksession",
       "end_session_endpoint": "https://login.windows.net/b9a84eb8-a888-4f41-bb75-43447e36486a/oauth2/logout"
     }
  9. Sequence (ASP.NET MVC5 App)
  10. Authorization Server (diagram): OAuth2.0 AuthZ/Token EndPoint, OAuth2.0 Client, WebAPI Registry. A WebAPI is registered as a protected resource (using the manifest file); the registry maps clients to resources and grants:
      ClientID       Resource      Grant
      be6ddad6-….    http://hoge   read,write
      aa5dd18u-…     http://bar    read
      cc45aa89-…     Azure AD      SSO,read,write
  11. Registering a WebAPI and its permissions
      "appPermissions": [
        {
          "claimValue": "user_impersonation",
          "description": "Allow the application full access to the Todo List service on behalf of the signed-in user",
          "directAccessGrantTypes": [],
          "displayName": "Have full access to the Todo List service",
          "impersonationAccessGrantTypes": [{"impersonated": "User", "impersonator": "Application"}],
          "isDisabled": false,
          "origin": "Application",
          "permissionId": "b69ee3c9-c40d-4f2a-ac80-961cd1534e40",
          "resourceScopeType": "Personal",
          "userConsentDescription": "Allow the application full access to the todo service on your behalf",
          "userConsentDisplayName": "Have full access to the todo service"
        }
      ],
  12. Client libraries
      • OWIN: Open Web Interface for .NET (http://owin.org)
        • Provides an interface that abstracts the server away
        • A common interface not only for IIS/ASP.NET but also for self-hosting (native apps)
      • OWIN Security components (examples)
        • Microsoft.Owin.Security.OAuth
        • Microsoft.Owin.Security.Google
        • Microsoft.Owin.Security.Facebook
        • Microsoft.Owin.Security.MicrosoftAccount
        • Microsoft.Owin.Security.Twitter
        • Microsoft.Owin.Security.Foursquare
        • Microsoft.Owin.Security.OpenIdConnect
  13. OWIN OpenIdConnect Middleware (pre-release option names, as on the slide)
      app.UseOpenIdConnectAuthentication(
          new OpenIdConnectAuthenticationOptions
          {
              Client_Id = "be6ddad6-3eca-433c-a00b-b5753c04c703",
              Authority = "https://login.windows.net/nfujie.onmicrosoft.com",
              Description = new Microsoft.Owin.Security.AuthenticationDescription()
              {
                  Caption = "OpenID Connect"
              }
          });
  14. OpenIdConnectAuthenticationNotifications: write handlers for the following events. Note: at present the middleware only reacts to POST responses; is that why response_mode=form_post is the default?
      • AccessCodeReceived
      • AuthenticationFailed
      • MessageReceived
      • RedirectToIdentityProvider
      • SecurityTokenReceived
      • SecurityTokenValidated
      • SignedIn
      • SignedOut
  15. AccessCodeReceived: code -> token (the handler exchanges the authorization code for an access token with ADAL's AuthenticationContext)
      Notifications = new OpenIdConnectAuthenticationNotifications()
      {
          AccessCodeReceived = (context) =>
          {
              // Authorization code delivered in the form_post response
              var code = context.Code;
              ClientCredential credential = new ClientCredential(clientId, appKey);
              AuthenticationContext authContext = new AuthenticationContext(authority);
              // Redirect URI must match the one the code was issued for
              AuthenticationResult result = authContext.AcquireTokenByAuthorizationCode(
                  code,
                  new Uri(HttpContext.Current.Request.Url.GetLeftPart(UriPartial.Path)),
                  credential,
                  graphResourceId);
          }
      };
  16. DEMO (ASP.NET MVC): Sign in with id_token; Graph API access with code -> access token
  17. Summary
      • There are two Active Directories
        • Windows Server Active Directory
        • Microsoft Azure Active Directory
      • Microsoft Azure Active Directory has the following features (among others)
        • Identity Provider (directory, multi-protocol support, MFA ...)
        • Authorization Server
      • Client libraries are also provided
      • OpenID Connect support is pre-release; how general-purpose it is remains to be seen
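The relying-party checks that slide 8's discovery document and the hybrid flow of slides 14 and 15 call for, as an added example that is not from the slides or the OWIN middleware: the discovery values are copied from slide 8, the id_token fixture is constructed, and the function and message names are this example's own.

```python
import base64
import json
# Constructed copy of the discovery document on slide 8 (values as printed there).
TENANT = "b9a84eb8-a888-4f41-bb75-43447e36486a"
DISCOVERY = {
    "issuer": "https://sts.windows.net/" + TENANT + "/",
    "jwks_uri": "https://login.windows.net/common/discovery/keys",
    "response_types_supported": ["code", "id_token", "code id_token"],
    "response_modes_supported": ["query", "fragment", "form_post"],
    "id_token_signing_alg_values_supported": ["RS256"],
}

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def check_discovery(doc, tenant):
    """Return RP-side problems found in a discovery document (empty list = OK)."""
    problems = []
    if doc.get("issuer") != "https://sts.windows.net/" + tenant + "/":
        problems.append("issuer is not the expected tenant")
    if "none" in doc.get("id_token_signing_alg_values_supported", []):
        problems.append("unsigned id_tokens are advertised")
    if "code id_token" not in doc.get("response_types_supported", []):
        problems.append("hybrid flow (code id_token) is not supported")
    if "form_post" not in doc.get("response_modes_supported", []):
        problems.append("form_post is not supported (the OWIN middleware only handles POST)")
    return problems

def validate_id_token_claims(id_token, doc, client_id, nonce, now):
    """Check alg/iss/aud/exp/nonce against the discovery document. The signature must
    already have been verified with the keys at jwks_uri (the middleware does that)."""
    header, payload, _signature = id_token.split(".")
    if json.loads(b64url_decode(header)).get("alg") not in doc["id_token_signing_alg_values_supported"]:
        raise ValueError("unexpected alg")
    claims = json.loads(b64url_decode(payload))
    if claims.get("iss") != doc["issuer"]:
        raise ValueError("issuer mismatch")
    if claims.get("aud") != client_id:
        raise ValueError("audience mismatch")
    if claims.get("exp", 0) <= now:
        raise ValueError("id_token expired")
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch (possible replay)")
    return claims

def make_unsigned_token(claims, alg="RS256"):  # constructed fixture: empty signature segment
    return b64url_encode(json.dumps({"alg": alg}).encode()) + "." + b64url_encode(json.dumps(claims).encode()) + "."
```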
