AD (the Microsoft kind) and OpenID Connect Support

Material for #idcon vol.18
Azure Active Directory's OpenID Connect support and the OWIN Security OpenID Connect middleware


  1. AD (the Microsoft kind) and OpenID Connect Support, 2014/04/25, #idcon vol.18, Naohiro Fujie @phr_eidentity http://idmlab.eidentity.jp
  2. AD? Advertising vs. Active Directory (image: an Echigoya flyer, source: Wikipedia)
  3. Active Directory • Windows Server Active Directory • Microsoft Azure Active Directory
  4. Overview
  5. Azure AD for Developers • Identity Provider • As a directory service: Users/Groups (sync with WSAD) • Protocol support: SAML, ws-federation, OpenID Connect • External IdP support: SAML, ws-federation • Other features: Multi-Factor AuthN, Self-Service Password Reset • Authorization Server • Register WebApps/API as a protected resource
  6. Identity Provider (diagram): Azure AD Account and Microsoft Account at https://login.windows.com / https://login.microsoftonline.com serve three kinds of RPs (SAML-SP, ws-fed RP, OpenID Connect RP) through a SAML endpoint, a ws-fed endpoint and an OAuth2.0 AuthZ/Token endpoint, and federate to 3rd-party SAML IdPs via Home Realm Discovery.
  7. Identity Provider (same diagram, with the protocol used on each link annotated: ws-fed between the Microsoft Account, Azure AD and the ws-fed RPs; SAML towards the external SAML IdP and SAML SPs).
  8. OpenID Connect Support
     https://login.windows.net/nfujie2.onmicrosoft.com/.well-known/openid-configuration
     {
       "issuer": "https://sts.windows.net/b9a84eb8-a888-4f41-bb75-43447e36486a/",
       "authorization_endpoint": "https://login.windows.net/b9a84eb8-a888-4f41-bb75-43447e36486a/oauth2/authorize",
       "token_endpoint": "https://login.windows.net/b9a84eb8-a888-4f41-bb75-43447e36486a/oauth2/token",
       "token_endpoint_auth_methods_supported": ["client_secret_post", "private_key_jwt"],
       "jwks_uri": "https://login.windows.net/common/discovery/keys",
       "response_types_supported": ["code", "id_token", "code id_token"],
       "response_modes_supported": ["query", "fragment", "form_post"],
       "subject_types_supported": ["pairwise"],
       "scopes_supported": ["openid"],
       "id_token_signing_alg_values_supported": ["RS256"],
       "microsoft_multi_refresh_token": true,
       "check_session_iframe": "https://login.windows.net/b9a84eb8-a888-4f41-bb75-43447e36486a/oauth2/checksession",
       "end_session_endpoint": "https://login.windows.net/b9a84eb8-a888-4f41-bb75-43447e36486a/oauth2/logout"
     }
  9. Sequence (ASP.NET MVC5 App)
  10. Authorization Server (diagram): OAuth2.0 AuthZ/Token endpoint, OAuth2.0 client, WebAPI registry. Register as a protected resource (use manifest file).
      ClientID      Resource      Grant
      be6ddad6-….   http://hoge   read,write
      aa5dd18u-…    http://bar    read
      cc45aa89-…    Azure AD      SSO,read,write
  11. Registering a Web API and its permissions
      "appPermissions": [
        {
          "claimValue": "user_impersonation",
          "description": "Allow the application full access to the Todo List service on behalf of the signed-in user",
          "directAccessGrantTypes": [],
          "displayName": "Have full access to the Todo List service",
          "impersonationAccessGrantTypes": [{"impersonated": "User", "impersonator": "Application"}],
          "isDisabled": false,
          "origin": "Application",
          "permissionId": "b69ee3c9-c40d-4f2a-ac80-961cd1534e40",
          "resourceScopeType": "Personal",
          "userConsentDescription": "Allow the application full access to the todo service on your behalf",
          "userConsentDisplayName": "Have full access to the todo service"
        }
      ],
  12. Client libraries • OWIN: Open Web Interface for .NET (http://owin.org) • Provides an interface that abstracts the server • A common interface not only for IIS/ASP.NET but also for self-hosting (native apps) • OWIN Security components (examples) • Microsoft.Owin.Security.OAuth • Microsoft.Owin.Security.Google • Microsoft.Owin.Security.Facebook • Microsoft.Owin.Security.MicrosoftAccount • Microsoft.Owin.Security.Twitter • Microsoft.Owin.Security.Foursquare • Microsoft.Owin.Security.OpenIdConnect
  13. OWIN OpenIdConnect Middleware
      // Property names are those of the pre-release (alpha) package used in the talk
      app.UseOpenIdConnectAuthentication(
          new OpenIdConnectAuthenticationOptions
          {
              Client_Id = "be6ddad6-3eca-433c-a00b-b5753c04c703",
              Authority = "https://login.windows.net/nfujie.onmicrosoft.com",
              Description = new Microsoft.Owin.Security.AuthenticationDescription()
              {
                  Caption = "OpenID Connect"
              }
          });
  14. OpenIdConnectAuthenticationNotifications: write handlers for the following events. Note: at the moment it only reacts to POST; is that why response_mode=form_post is the default? • AccessCodeReceived • AuthenticationFailed • MessageReceived • RedirectToIdentityProvider • SecurityTokenReceived • SecurityTokenValidated • SignedIn • SignedOut
  15. AccessCodeReceived: code -> token
      // clientId, appKey, authority and graphResourceId are configuration values defined elsewhere in the app
      Notifications = new OpenIdConnectAuthenticationNotifications()
      {
          AccessCodeReceived = (context) =>
          {
              var code = context.Code;
              ClientCredential credential = new ClientCredential(clientId, appKey);
              AuthenticationContext authContext = new AuthenticationContext(authority);
              // Redeem the authorization code at the token endpoint (via ADAL) for an access token to the Graph API
              AuthenticationResult result = authContext.AcquireTokenByAuthorizationCode(
                  code,
                  new Uri(HttpContext.Current.Request.Url.GetLeftPart(UriPartial.Path)),
                  credential,
                  graphResourceId);
          }
      }
  16. DEMO: ASP.NET MVC. Sign in: id_token. Graph API access: code -> access token
  17. Summary • There are two Active Directories • Windows Server Active Directory • Microsoft Azure Active Directory • Microsoft Azure Active Directory has the following features (among others) • Identity Provider (directory, multiple protocol support, MFA...) • Authorization Server • Client libraries are also provided • OpenID Connect support is pre-release; how generally usable is it yet?
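As an added example (not code from the slides, nor from the OWIN or ADAL libraries), the claim-level checks a relying party must perform on the id_token that comes back via form_post before trusting it, driven by a trimmed copy of the discovery document on slide 8. The client_id is the one from slide 13; the token, nonce and timestamps are constructed, and signature verification against the keys at jwks_uri is assumed to be a separate step.

```python
import base64
import json
import time

# Trimmed copy of the discovery document from slide 8 (constructed subset of the real fields).
DISCOVERY = {
    "issuer": "https://sts.windows.net/b9a84eb8-a888-4f41-bb75-43447e36486a/",
    "jwks_uri": "https://login.windows.net/common/discovery/keys",
    "response_modes_supported": ["query", "fragment", "form_post"],
    "id_token_signing_alg_values_supported": ["RS256"],
}


def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_token(header, payload):
    """Build a JWT-shaped string for testing; the signature part is a placeholder (no key offline)."""
    return ".".join([b64url_encode(json.dumps(header).encode()),
                     b64url_encode(json.dumps(payload).encode()),
                     b64url_encode(b"placeholder-signature")])


def validate_id_token(token, discovery, client_id, nonce, now=None):
    """Claim-level checks on an id_token, mirroring what the middleware does before
    SecurityTokenValidated fires. Signature verification with the keys at jwks_uri is a
    separate step and is NOT done here. Returns a list of error strings (empty = OK)."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return ["malformed token"]
    header = json.loads(b64url_decode(parts[0]))
    claims = json.loads(b64url_decode(parts[1]))
    errors = []
    # alg must be one the OP advertises; this also rejects "none" and HMAC downgrades
    if header.get("alg") not in discovery["id_token_signing_alg_values_supported"]:
        errors.append("alg %r not advertised by the OP" % header.get("alg"))
    if claims.get("iss") != discovery["issuer"]:
        errors.append("issuer mismatch")
    aud = claims.get("aud")
    if not (aud == client_id or (isinstance(aud, list) and client_id in aud)):
        errors.append("audience mismatch")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        errors.append("exp missing or in the past")
    # the nonce ties the id_token to the authorization request this RP actually sent
    if claims.get("nonce") != nonce:
        errors.append("nonce mismatch")
    return errors
```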
