Authentication technologies you should know for app development - OAuth 1.0 + OAuth 2.0 + OpenID Connect -


This deck was put together by an application developer from the information gathered while implementing user authorization and authentication with OAuth 1.0, OAuth 2.0 and OpenID Connect.
I hope it helps those who want to start learning authorization and authentication technologies, especially application developers.


  1. OAuth 1.0 / OAuth 2.0 / OpenID Connect
  2. OAuth 1.0 / OAuth 2.0 / OpenID Connect / Web
  3. Web
 - URL: https://webgame.link/auths/
 - GitHub (Ruby on Rails): https://github.com/ngzm/auths-demo
  4. OAuth 1.0 / OAuth 2.0 / OpenID Connect
 RFC

  5. Naoki Nagazumi (Johnny Depp, vue.js, Ruby, SIer) Twitter: @nk_ngzm GitHub: https://github.com/ngzm/ Blog: http://ngzm.hateblo.jp/
  6. Authorization
  7. Authentication (ID)
  8. OAuth 1.0 / OAuth 2.0 / OpenID Connect
  9. [Diagram: ID / PWD, OK]
  10. [Diagram: OAuth: Resource Owner, OAuth Client, OAuth Server; Authorization endpoint, Token endpoint, Resource endpoint; Access Token; ID / PWD, OK]
  11. [Diagram: ID / PWD, OK!]
  12. [Diagram: OpenID Connect: End-User, Relying Party (RP), Identity Provider (IdP) / OpenID Provider (OP); Authorization endpoint, Token endpoint; ID Token; ID / PWD, OK!]
  13. OAuth 1.0
  14. OAuth 1.0
 • RFC5849 - The OAuth 1.0 Protocol
 https://openid-foundation-japan.github.io/rfc5849.ja.html
 https://tools.ietf.org/html/rfc5849
 • 2010 4 RFC 8
  15. OAuth 1.0
  16. OAuth 1.0 Flow
  17. [Diagram: OAuth 1.0 flow: OAuth Client, Resource Owner, OAuth Server; Request token endpoint, Authorization endpoint, Token endpoint, Resource endpoint; login, request token, OAuth token, access token; Redirect; User Information]
  18. OAuth 1.0
  19. Web
  20.
  21. OAuth 1.0 (Twitter): I. consumer_key / consumer_secret, II. request token / request token secret, III. access token / access token secret
  22. Signature (OAuth): HMAC-SHA1
  23. 1. access token (token), timestamp, nonce 2. OAuth 3. HMAC-SHA1 (over 2) https://syncer.jp/Web/API/OAuth/
  24. Authorization Header (OAuth): Authorization: OAuth
  25. Authorization Header
 Authorization: OAuth oauth_consumer_key="xvz1evFS4wEEPTGEFPHBog", oauth_nonce="kYjzVBB8Y0ZFabxSWbWovY3uYSQ2pTgmZeNu2VS4cg", oauth_signature="tnnArxj06cWHq44gCs1OSKk%2FjLY%3D", oauth_signature_method="HMAC-SHA1", oauth_timestamp="1318622958", oauth_token="370773112-GmHxMAgYyLbNEtIKZeRNFsMKPR9EyMZeS9weJAEb", oauth_version="1.0"
 consumer_key, nonce, token (access token)
  26. TLS/SSL: TLS/SSL; timestamp, nonce
  27. OAuth 1.0
  28. • Twitter OAuth: 1. OAuth 1.0 2. OAuth 2.0 Client Credentials Flow (OAuth 2.0) → OAuth 1.0
  29. [Diagram: OAuth 1.0 with Twitter: #1 Request token, #2 Request token, #3 Redirect, #4 OK, #5 Access token, #6 Access token, #7 AuthDemo; OAuth Client, Resource Owner, OAuth Server; Request token Endpoint, Authorization Endpoint, Token Endpoint, Resource Endpoint; login, User Information]
  30. #0 Twitter Application Management https://apps.twitter.com/
 • 1. Name 2. Description 3. Website URL 4. Callback URL (OAuth URL)
 • 1. Consumer Key (API Key): OAuth Client ID 2. Consumer Secret (API Secret): OAuth Client Secret
 Redirect URI: Callback URL; ON; Consumer Secret
  31. #1 Request token
 POST https://api.twitter.com/oauth/request_token HTTP/1.1
 …
 Content-Type: application/x-www-form-urlencoded
 Authorization: OAuth oauth_consumer_key="xvz1evFS4wEEPTGEFPHBog", oauth_callback="https://my-callback-host/my-callback/path/", oauth_nonce="kYjzVBB8Y0ZFabxSWbWovY3uYSQ2pTgmZeNu2VS4cg", oauth_signature="tnnArxj06cWHq44gCs1OSKk%2FjLY%3D", oauth_signature_method="HMAC-SHA1", oauth_timestamp="1318622958", oauth_version="1.0"
 …
 1. consumer_key: #0 "Consumer Key"
 2. callback: "callback uri"
 3. nonce: (Replay Attack)
 4. signature: #0 "Consumer Secret"
 5. signature_method: twitter HMAC-SHA1
 6. timestamp: (Replay Attack)
 (POST URL of Twitter Request Token Endpoint)
  32. #2 Request token
 oauth_token="5mb9VtYwa27HTVjK5OhoyyI503dWoPndDQ9G4V8yCI"
 &oauth_token_secret="4dW4gGLic6oItvd0YySWRU5aLjBQsw1N9xDC3Wkqw"
 &oauth_callback_confirmed="true"
 1. oauth_token: Request token (token)
 2. oauth_token_secret: Request token secret (access token)
 3. oauth_callback_confirmed: oauth_callback → true
 (Response body from Twitter Request Token Endpoint)
  33. #3 https://api.twitter.com/oauth/authorize?oauth_token="5mb9VtYwa27HTVjK5OhoyyI503dWoPndDQ9G4V8yCI"
 oauth_token: #2 Request token
 (Redirect to Twitter Authorization Endpoint)
  34. #4 OK
 https://my-callback-host/my-callback/path/?oauth_token="mFyphbOybZCKfoZWurAU7dbcTnFoUeksGfVyFauFWM"&oauth_verifier="TGUMMyQWCSJGKiXlUlQmgRQEYMv8mkIt5cHPERUgvw"
 1. oauth_token: oauth token (token)
 2. oauth_verifier: oauth token → access token
 (Redirect from Twitter Authorization Endpoint to the #1 callback)
  35. #5 Access token
 POST https://api.twitter.com/oauth/access_token HTTP/1.1
 …
 Content-Type: application/x-www-form-urlencoded
 Authorization: OAuth oauth_consumer_key="xvz1evFS4wEEPTGEFPHBog", oauth_nonce="BB8Y0ZFuYSe4vQ2pTgmZbxSWbWovY3", oauth_signature="Hq4gCs1rx4Kkj06cOStnnAW%2FjLY%3D", oauth_signature_method="HMAC-SHA1", oauth_token="mFyphbOybZCKfoZWurAU7dbcTnFoUeksGfVyFauFWM", oauth_verifier="TGUMMyQWCSJGKiXlUlQmgRQEYMv8mkIt5cHPERUgvw", oauth_timestamp="1318623847", oauth_version="1.0"
 …
 1. consumer_key: #0 "Consumer Key"
 2. nonce: (Replay Attack)
 3. signature: #0 Consumer Secret, #2 request_token_secret
 4. signature_method: twitter HMAC-SHA1
 5. token: #4 oauth token
 6. verifier: #4 oauth verifier
 7. timestamp: (Replay Attack)
 (POST URL of Twitter Token Endpoint)
  36. #6 Access token
 oauth_token="1528352858-UUCjYDVcLC4V34xHob5XTxboEgJWLwp9aIGSrBC"
 &oauth_token_secret="VNhCQye7rX4P4u2OIuDHOgdSBATgZV3qWvJ8uSLkXqP25"
 &user_id="12345678901"
 &screen_name="nk_ngzm"
 1. oauth_token: access token
 2. oauth_token_secret: access token secret
 3. user_id: Twitter user_id
 4. screen_name: Twitter
 (Response body from Twitter Token Endpoint)
  37. #7
 GET https://api.twitter.com/1.1/users/show.json?user_id=12345678901
 …
 Authorization: OAuth oauth_consumer_key="xvz1evFS4wEEPTGEFPHBog", oauth_nonce="FabxSWbkYjzBB8Y0ZWVovY3uu2pTgmZeN", oauth_signature="CStnHscOx4Kkj06q4gn1rAW%2FjLY%3D", oauth_signature_method="HMAC-SHA1", oauth_token="1528352858-UUCjYDVcLC4V34xHob5XTxboEgJWLwp9aIGSrBC", oauth_timestamp="13186248263", oauth_version="1.0"
 …
 1. consumer_key: #0 Consumer Key
 2. nonce: (Replay Attack)
 3. signature: #0 Consumer Secret, #6 access_token_secret
 4. signature_method: twitter HMAC-SHA1
 5. token: #6 access token
 6. timestamp: (Replay Attack)
 (URL of Twitter Resource Endpoint; GET with the #6 Twitter user_id)
  38. #0 callback, #1; token; #1 #5 #7 timestamp, nonce; access token; Replay Attack
  39. OAuth 1.0
  40. i. ii. OAuth 2.0 / OpenID Connect
  41. OAuth 2.0
  42. OAuth 2.0
  43. OAuth 2.0
 • RFC6749 - The OAuth 2.0 Authorization Framework
 https://openid-foundation-japan.github.io/rfc6749.ja.html
 https://tools.ietf.org/html/rfc6749
 • 2012 10 RFC
 • OAuth 1.0
  44. OAuth 2.0 • OAuth 1.0 • OAuth 1.0 / OAuth 2.0 • …
  45. OAuth 2.0
  46. SPA (JS)
  47. OAuth 2.0
 1. Authorization Code Flow (Client Type: Confidential)
 2. Implicit Flow (Client Type: Public)
 3. Client Credentials Flow
 4. Resource Owner Password Credentials Flow
 5. Refreshing an Access Token (token)
  48. Client Type: "Confidential" / "Public"
 1. Confidential ... Web ‣ OAuth Client ‣ Authorization Code Flow
 2. Public ... ‣ OAuth Client ‣ Implicit Flow
  49. TLS (OAuth 2.0)
  50. TLS
  51. HTTP message (OAuth 1.0) … TLS ‣ Client Type Confidential OAuth Client ‣ Public OAuth Client →
  52. OAuth 2.0 (Facebook) • client_id / client_secret
  53. Authorization Header (Token): Bearer
 RFC6750 - The OAuth 2.0 Authorization Framework: Bearer Token Usage
 https://tools.ietf.org/html/rfc6750
 https://openid-foundation-japan.github.io/rfc6750.ja.html
 Authorization: Bearer mF_9.B5f-4.1JqM
 (Authorization header carrying the access token)
  54. Access token • Implicit Grant Flow access token - token - OAuth 1.0 access token 1
  55. Access token ‣ OAuth 2.0 RFC6749
  56. OAuth 2.0 Flow
  57. Flow: 1. Authorization Code Flow (Client Type: Confidential) 2. Implicit Flow (Client Type: Public) https://qiita.com/TakahikoKawasaki/items/200951e5b5929f840a1f
  58. Authorization Code Flow (Confidential Client Type, OAuth 2.0)
  59. [Diagram: OAuth 2.0 Authorization Code Flow: OAuth Client, Resource Owner, Authorization Server, Resource Server (OAuth Server); Authorization endpoint, Token endpoint, Resource endpoint; login, code, access token, client_id, client_secret; Redirect; User Information]
  60. Implicit Flow (Public Client Type) ‣ OAuth Client access token (token)
  61. [Diagram: OAuth 2.0 Implicit Flow: OAuth Client, Resource Owner, Authorization Server, Resource Server (OAuth Server); Authorization endpoint, Resource endpoint, Token endpoint; login, access token, client_id, client_secret; Redirect; User Information]
  62. OAuth 2.0
  63. • Facebook OAuth 2.0: 1. Authorization Code Flow 2. Implicit Flow 3. Hybrid Flow (Hybrid Flow: OpenID Connect) → Authorization Code Flow
  64. • Facebook access token: #5 #6 access token • "Graph API Endpoint"
  65. [Diagram: OAuth 2.0 with Facebook: #1 START, #2 OK, #3 Access token, #4 Access token, #5 Access token, #6 Access token, #7; OAuth Client, Resource Owner, OAuth Server (Facebook); Authorization Endpoint, Graph API Endpoint (API); login, code, access token; Redirect; User Information]
  66. #0 Facebook for Developers https://developers.facebook.com/
 • 1. 2. Valid OAuth Redirect URIs (OAuth URL)
 • 1. ID: OAuth Client ID 2. Secret: OAuth Client Secret
 Redirect URI (URI, Redirect URL); ON; Secret
  67. #1
 Location: https://www.facebook.com/v2.12/dialog/oauth?client_id="245678901234567"&response_type="code"&scope="email public_profile"&redirect_uri="https://my-redirect-uri"&state="random_text_data_agaist_csrf"
 (redirect to Facebook Authorization Endpoint)
 1. client_id: #0 "ID" (client)
 2. response_type: "code"
 "code": Authorization Code Flow
 "token": Implicit Flow
 "code token": Hybrid Flow
 3. scope: "email", "public_profile"
 4. redirect_uri: #0 "redirect_uri"
 5. state: CSRF (state, CSRF, code, client)
  68. #2 OK
 https://my-callback-uri?code="AQBORpgp-sdRaLAo-xR_assef-lpZiG6W"&state="random_text_data_agaist_csrf"
 1. code: code (3, 4: code → access token)
 2. state: #1 state; CSRF: #1 redirect_uri, state (#1)
  69. #3 Access token
 GET https://graph.facebook.com/v2.12/oauth/access_token?client_id="245678901234567"&client_secret="60abc01dab6ae4b0f8acf2abaf1"&redirect_uri="https://my-redirect-uri/"&code="AQBORpgp-sdRaLAo-xR_assef-lpZiG6W"
 1. client_id: #0 "ID" (client)
 2. client_secret: #0 "Secret" (client)
 3. redirect_uri: #0 "redirect_uri"
 4. code: #2 code
 (GET URL of Facebook Token Endpoint; client_secret)
  70. #4 Access token
 { "access_token": "CAWx8Qv2EvZB0-{..omitted..}-AvvtNhQZDZD", "token_type": "bearer", "expires_in": 5180974 }
 1. access_token: Access token
 2. token_type: token → OK
 3. expires_in:
 (Response body from Facebook Token Endpoint, JSON; Access token)
  71. #5 Access token
 GET https://graph.facebook.com/debug_token?input_token="CAWx8Qv2EvZB0-{..omitted..}-AvvtNhQZDZD"&access_token="245678901234567|60abc01dab6ae4b0f8acf2abaf1"
 1. input_token: token (#4 access token)
 2. access_token:
 (GET URL of Facebook Debug Token Endpoint)
  72. #6 Access token
 { "data": { "app_id": 245678901234567, "type": "USER", "application": "MyApplication", "expires_at": 1386248263, "is_valid": true, "issued_at": 1386251863, "metadata": { "sso": "iphone-safari" }, "scopes": [ "email", "publish_actions" ], "user_id": "1234567" } }
 1. app_id: #0 client_id (token)
 2. user_id: user_id
 (Response body from Facebook Token Debug Endpoint, JSON)
  73. #7
 GET https://graph.facebook.com/1234567?fields="id,first_name,name,picture,email"
 …
 Authorization: Bearer "CAWx8Qv2EvZB0-{..omitted..}-AvvtNhQZDZD"
 …
 (GET URL of Facebook Resource Endpoint; Authorization: Bearer with the #4 access token)
 1. fields: #6 user_id
  74. #0 redirect_uri / #1: code, token; 2018 3 Facebook: 1. redirect_uri 2. redirect_uri TLS
  75. #1 state / #2 #1: CSRF (code, token)
  76. OAuth 2.0
  77. "Access Token" / "OAuth": - Access token - Access token - token; OpenID Connect
  78. Implicit Flow - token (token replace attack)
 http://www.thread-safe.com/2012/01/problem-with-oauth-for-authentication.html
 https://www.sakimura.org/2012/02/1487/
 OpenID Connect
  79. - Authorization Code Flow (Web), Implicit Flow - OpenID Connect, OAuth 2.0
  80. OpenID Connect
  81. OpenID Connect
 • OpenID Connect Core 1.0 incorporating errata set 1
 https://openid-foundation-japan.github.io/openid-connect-core-1_0.ja.html
 http://openid.net/specs/openid-connect-core-1_0.html
 • OpenID Foundation (RFC)
 •
  82. OpenID Connect • OAuth 2.0 - OAuth: Access token; ID token - token
  83. OpenID Connect
  84. OAuth 2.0 (OAuth 2.0) • TLS • • Access token (Authorization: Bearer) • Access token
  85. Hybrid Flow ‣ token ‣
  86. Flow: 1. Authorization Code Flow 2. Implicit Flow 3. Hybrid Flow (Hybrid Flow: OpenID Connect; OAuth 2.0)
  87. response_type & Flow
 No. | response_type | Flow | Authorization Endpoint returns | Token Endpoint returns
 1 | code | Authorization Code Flow (OAuth 2.0 Authorization Code Flow) | code | code → access token, ID token
 2 | token | Implicit Flow (OAuth 2.0 Implicit Flow) | access token (no ID token) | -
 3 | id_token | Implicit Flow | ID token (no access token) | -
 4 | id_token token | Implicit Flow | ID token, access token | -
 5 | code id_token | Hybrid Flow (Authorization Code Flow) | code, ID token | code → access token, ID token
 6 | code token | Hybrid Flow (Authorization Code Flow) | code, access token | code → access token, ID token
 7 | code token id_token | Hybrid Flow (Authorization Code Flow) | code, access token, ID token | code → access token, ID token
 8 | none | - | neither ID token nor access token | -
 ‣ response_type
  88. ID token ("ID")
 ‣ ID token: IdP "ID" ‣ ID token: IdP "ID" → RP; ID 74387592 ngzm IdP
  89. ID token • "ID" IdP → RP • • JWT (JSON Web Token)
 RFC7519 JSON Web Token (JWT) https://tools.ietf.org/html/rfc7519
 Access token
  90. JWT: JSON Header, Claim (Payload), Signature; URL Safe
 1. Header and Claim: BASE64urlEncode each
 2. Join the two encoded parts from 1 with '.'
 3. Sign 2 with HMAC SHA256 (or RS256 / ES256 / PS256) → JWS Signature
 4. BASE64urlEncode 3
 5. Join 2 and 4 with '.'
 JWT = BASE64urlEncode(Header) + '.' + BASE64urlEncode(Claim) + '.' + BASE64urlEncode(JWS Signature)
  91. JWT: Google ID token (JWT)
 Header { "alg":"RS256", "kid":"7158dc8572 {omitted} 20a35b073447" }
 1. alg: signature algorithm, RS256 2. kid: ID used to look up the RS256 public key
 Claim { "iss":"accounts.google.com", "at_hash":"HK6E_P6Dh8Y93mRNtsDB1Q", "email_verified":"true", "sub":"10769150350006150715113082367", "azp":"3456789012.apps.google.com", "email":"jsmith@example.com", "aud":"3456789012.apps.google.com", "iat":1353601026, "exp":1353604926, "nonce": "0394852-3190485-2490358" }
 1. iss: ID of the IdP 2. at_hash: hash of the access token issued together with the ID token 3. email_verified: result of email verification 4. sub: End User's internal Google ID 5. azp: RP's client_id 6. email: End User's email 7. aud: RP's ID 8. iat: token issue time 9. exp: token expiry time 10. nonce: nonce
 (access token)
  92. JWT (JS)
 // Example using the jsrsasign JS library
 const { KJUR } = require('jsrsasign');
 // JWT Header
 let header = {};
 header.alg = 'HS256'; // signature algorithm: 'HS256' when signing with HMAC SHA256
 header.typ = 'JWT';   // declares the JWT format
 // JWT Payload (Claim Set)
 const now = Math.floor(Date.now() / 1000); // time claims are NumericDate: seconds since the epoch
 let claim = {};
 claim.iss = 'Identity Party ID'; // identifier of the JWT issuer → the IdP's ID
 claim.sub = 'End User ID';       // end-user identifier → end user ID
 claim.nbf = now;                 // time from which the JWT is valid
 claim.iat = now;                 // time the JWT was issued
 claim.exp = now + 3600;          // JWT expiry time
 claim.jti = 'unique ID';         // arbitrary string that uniquely identifies this JWT
 claim.aud = 'Relying Party ID';  // identifier of the JWT consumer → the RP's ID
 // Secret Key
 const secret_key = 'XXXXXXXXXX'; // secret for the HMAC SHA256 signature → client_secret
 // Generate JWT (example using the jsrsasign JS library)
 const jwt = KJUR.jws.JWS.sign('HS256', JSON.stringify(header), JSON.stringify(claim), secret_key);
  93. Userinfo Endpoint ‣ OAuth 2.0: Access token ‣ OpenID Connect: Access token → Userinfo Endpoint
  94. OpenID Connect Flow
  95. Flow: 1. Authorization Code Flow 2. Implicit Flow 3. Hybrid Flow https://qiita.com/TakahikoKawasaki/items/4ee9b55db9f7ef352b47
  96. Authorization Code Flow (response_type=code) • OAuth 2.0 Authorization Code Flow •
  97. [Diagram: OpenID Connect Authorization Code Flow: Relying Party, End-User, Identity Provider; Authorization endpoint, Token endpoint, UserInfo endpoint; login, response_type = code, code, access token, ID token (at_hash claim: access token), client_id, client_secret; Redirect; User Information; ID token: IdP → RP]
  98. Implicit Flow (response_type=token / response_type=id_token / response_type=token id_token): SPA (JS)
  99. [Diagram: OpenID Connect Implicit Flow (response_type = token id_token): Relying Party, End-User, Identity Provider; Authorization endpoint, Resource endpoint, Token endpoint; login, access token, id_token (at_hash claim: access token), client_id, client_secret; Redirect; User Information]
  100. Hybrid Flow (response_type=code token / response_type=code id_token / response_type=code token id_token) • OAuth 2.0 Implicit Flow + Authorization Code Flow - Implicit Flow: Access token, ID token - Authorization Code Flow: code → Access token, ID token
  101. [Diagram: Hybrid Flow (response_type = code token): Relying Party, End-User, Identity Provider; Authorization endpoint, Token endpoint, UserInfo endpoint; login, code, access token, ID token; Redirect; User Information]
  102. [Diagram: Hybrid Flow (response_type = code token id_token): Relying Party, End-User, Identity Provider; Authorization endpoint, Token endpoint, UserInfo endpoint; login, code, access token, ID token; Redirect; User Information]
  103. OpenID Connect
  104. • Google OpenID Connect: 1. Authorization Code Flow 2. Implicit Flow (Hybrid Flow) → Authorization Code Flow
  105. [Diagram: OpenID Connect with Google: #1, #2 OK, #3 Access token + ID token, #4 Access token + ID token, #5 ID token, #6; Relying Party, End-User, Identity Provider (Google); Authorization endpoint, Token endpoint, UserInfo endpoint; login, code, access token, ID token; Redirect; User Information]
  106. #0 Google API Console https://console.developers.google.com/
 • 1. 2. 3. URL 4. JavaScript 5. URI (OAuth URL)
 • 1. ID: OAuth Client ID 2. Secret: OAuth Client Secret
 Google URI; Secret
  107. #1
 Location: https://accounts.google.com/o/oauth2/v2/auth?client_id="3456789012.apps.google.com"&response_type="code"&scope="openid email profile"&redirect_uri="https://my-redirect-uri"&state="random_text_data_agaist_csrf"&nonce="0394852-3190485-2490358"
 (redirect to Google Authorization Endpoint)
 1. client_id: #0 "ID"
 2. response_type:
 "code": Authorization Code Flow
 "token id_token": Implicit Flow
 3. scope: "openid" (OpenID Connect), "email", "profile"
 4. redirect_uri: #0 redirect_uri
 5. state: CSRF
 6. nonce: Replay Attack
 (state: CSRF; nonce: Replay Attack; openid; code)
  108. #2 OK
 https://my-callback-uri?state="random_text_data_agaist_csrf"&code="4/P7q7W91a-oMsCeLvIaQm6bTrgtp7"
 1. state: #1 state; CSRF (#1)
 2. code: code (3, 4: code → access token); #1 redirect_uri, state (#1)
  109. #3 Access token, ID token
 POST https://www.googleapis.com/oauth2/v4/token HTTP/1.1
 Content-Type: application/x-www-form-urlencoded
 ...
 code="4/P7q7W91a-oMsCeLvIaQm6bTrgtp7"&client_id="3456789012.apps.google.com"&client_secret="60abc01dab6ae4b0f8acf2abaf1"&redirect_uri="https://my-redirect-uri"&grant_type="authorization_code"
 1. code: #2 code
 2. client_id: #0 "ID"
 3. client_secret: #0 "Secret"
 4. redirect_uri: #0 redirect_uri
 5. grant_type: "authorization_code"
 (POST URL of Google Token Endpoint)
  110. #4 Access token, ID token
 { "access_token": "df7773dbc8b7d-{..omitted..}-8a91ae2372e1", "id_token": "eyJhbGJSLKDFJKLSzI1NiJ9.eyJ3MiOit-{..omitted..}-81ae2372e1.jMgjfEYmy-{..omitted..}-S5Iv5ZP5ZA", "token_type": "bearer", "expires_in": 5180974 }
 1. access_token: Access token
 2. id_token: ID token
 3. token_type: token → OK
 4. expires_in:
 (Response body from Google Token Endpoint, JSON; Access token, ID token)
  111. #5 ID token
 { "iss":"accounts.google.com", "at_hash":"HK6E_P6Dh8Y93mRNtsDB1Q", "email_verified":"true", "sub":"10769150350006150715113082367", "azp":"3456789012.apps.google.com", "email":"jsmith@example.com", "aud":"3456789012.apps.google.com", "iat":1353601026, "exp":1353604926, "nonce": "0394852-3190485-2490358" }
 1. iss: IdP ID
 2. at_hash: access token
 3. email_verified: End User email
 4. sub: End User Google ID
 5. azp: RP client_id
 6. email: End User email
 7. aud: RP ID
 8. iat: token
 9. exp: token
 10. nonce: #1 nonce
 (Google ID token's Payload; nonce: #1; access token; End User ID; IdP → RP)
  112. #7
 GET https://www.googleapis.com/oauth2/v3/userinfo
 …
 Authorization: Bearer "df7773dbc8b7d-{..omitted..}-8a91ae2372e1"
 …
 (GET URL of Google Userinfo Endpoint; Authorization: Bearer with the #4 access token)
  113. #0 redirect_uri / #1: code, token; state #1 #2 #1: CSRF (code, token); Google
  114. nonce #1 #5: Replay Attack - Replay Attack nonce; Implicit Flow / Hybrid Flow nonce
  115. OpenID Connect
  116. • • OAuth 1.0 / OAuth 2.0 / OpenID / OpenID Connect ... OpenID Connect
  117. • • OAuth 1.0 / OAuth 2.0 • OpenID Connect
  118. • OAuth 1.0 → OAuth 2.0 → OpenID Connect • OAuth 1.0 / OAuth 2.0 • OpenID Connect: OAuth 2.0 + ID token
  119. • OAuth 1.0 ‣ ‣ TLS ‣ ‣ Replay Attack
  120. • OAuth 2.0 ‣ TLS ‣ ‣ ‣ token ‣ CSRF, Redirect URI
  121. • OpenID Connect ‣ TLS (OAuth 2.0) ‣ ‣ ID token: IdP ID / ID ‣ ID token, Access token ‣ CSRF, Redirect URI, Replay Attack
  122. • RFC and OpenID Foundation
 - https://tools.ietf.org/html/rfc5849 (5849: OAuth 1.0)
 - https://tools.ietf.org/html/rfc6749 (6749: OAuth 2.0)
 - https://tools.ietf.org/html/rfc6750 (6750: Bearer token)
 - http://openid.net/specs/openid-connect-core-1_0.html (OpenID Connect)
 • RFC and OpenID Foundation (Japanese translations)
 - https://openid-foundation-japan.github.io/rfc5849.ja.html
 - https://openid-foundation-japan.github.io/rfc6749.ja.html
 - https://openid-foundation-japan.github.io/rfc6750.ja.html
 - https://openid-foundation-japan.github.io/openid-connect-core-1_0.ja.html
 • OAuth & OpenID Connect RFC
 - https://qiita.com/TakahikoKawasaki/items/185d34814eb9f7ac7ef3
  123. • OAuth 1.0 on Twitter
 - https://developer.twitter.com/en/docs/basics/authentication/overview/oauth
 - https://dev.twitter.com/web/sign-in/implementing
 - https://syncer.jp/Web/API/Twitter/REST_API/
 • OAuth 2.0
 - https://qiita.com/TakahikoKawasaki/items/200951e5b5929f840a1f
 - https://www.buildinsider.net/enterprise/openid/oauth20
 - http://www.atmarkit.co.jp/fsmart/articles/oauth2/01.html
 • OAuth 2.0 on Facebook
 - https://developers.facebook.com/
 - https://developers.facebook.com/docs/facebook-login/manually-build-a-login-flow
 - http://tech.vasily.jp/entry/facebook_graph_api
  124. • OpenID Connect
 - https://www.slideshare.net/kura_lab/openid-connect-id
 - https://www.slideshare.net/matake/connect-intro-dev-love
 - https://qiita.com/TakahikoKawasaki/items/4ee9b55db9f7ef352b47
 - https://www.buildinsider.net/enterprise/openid/connect
 - https://tools.ietf.org/html/rfc7519 (RFC)
 - https://hiyosi.tumblr.com/post/70073770678/jwt%E3%81%AB%E3%81%A4%E3%81%84%E3%81%A6%E7%B0%A1%E5%8D%98%E3%81%AB%E3%81%BE%E3%81%A8%E3%82%81%E3%81%A6%E3%81%BF%E3%81%9F
 • OpenID Connect on Google
 - https://developers.google.com/identity/protocols/OpenIDConnect
  125. •
 - https://tools.ietf.org/html/rfc6819 (RFC)
 - http://www.thread-safe.com/2012/01/problem-with-oauth-for-authentication.html
 - http://www.atmarkit.co.jp/ait/articles/1710/24/news011.html
