Download as PDF, PPTX
![• RFC 6749 - OAuth 2.0 Core
• RFC 6750 - OAuth 2.0 Bearer Token Usage
• RFC 6819 - OAuth 2.0 Threat Model
• RFC 7519 - JSON Web Token
• RFC 7636 - OAuth 2.0 PKCE (Proof Key for Code Exchange)
• RFC 7800 - OAuth 2.0 PoP Token (Proof of Possession)
[ ] http://openid-foundation-japan.github.io](https://image.slidesharecdn.com/securitycamp2016-160812013453/85/ID-Security-Camp-2016-40-320.jpg)
Uploaded byNov Matake
ID連携入門 (実習編) - Security Camp 2016
The document discusses OAuth and OpenID Connect protocols. It provides diagrams illustrating the flows of OAuth authorization code grant, implicit grant and hybrid grant flows. It also compares OAuth and OpenID Connect, noting that OpenID Connect builds upon OAuth by adding an identity layer. Key aspects of OpenID Connect like ID tokens and their claims are outlined. Examples of OAuth and OpenID Connect implementations are provided at the end.
More Related Content
Similar to ID連携入門 (実習編) - Security Camp 2016
ID連携入門 (実習編) - Security Camp 2016
- 1.
- 2.
- 3. Definition of “Federation”in NIST SP 800-63-3 “A process that allows for the conveyance of identity and authentication information across a set of networked systems.” https://pages.nist.gov/800-63-3/
- 4. Definition of “Federation”in NIST SP 800-63-3 “ Identity ” https://openid-foundation-japan.github.io/800-63-3/index.ja.html
- 5. Login / Sign-up Requestan Assertion Authentication Event Issue an Assertion Request Attributes AttributesWelcome, Nov! Verify the Assertion
- 6. Login / Sign-up Requestan Assertion Authentication Event Issue an Artifact Send the Artifact Request Attributes AttributesWelcome, Nov! Assertion
- 7. Login / Sign-up Requestan Assertion Authentication Event Issue an Assertion w/ Attributes Verify the Assertion Welcome, Nov!
- 8. SAML (Security Assertion MarkupLanguage) OpenID Connect
- 9. OpenID Connect ~ OAuth2.0 + Identity Layer ~
- 11. OAuth !! Twitter API,Facebook API, GitHub API etc.
- 12.
- 13. OAuth Server ResourceOwner OAuth Client Resource Owner
- 14. Login / Sign-up Requestan Access Token Authentication Event Issue an Authorization Code Send the Code Request Attributes AttributesWelcome, Nov! Access Token
- 15.
- 16. Login / Sign-up Requestan Access Token Authentication Event Issue an Authorization Code Send the Code Request Attributes AttributesWelcome, Nov! Access Token
- 18. Login / Sign-up Requestan Access Token Authentication Event Issue an Authorization Code Send the Code Request Attributes AttributesWelcome, Nov! Access Token
- 20. Login / Sign-up Requestan Access Token Authentication Event Issue an Authorization Code Send the Code Request Attributes AttributesWelcome, Nov! Access Token
- 23. Login / Sign-up Requestan Access Token Authentication Event Issue an Authorization Code Send the Code Request Attributes AttributesWelcome, Nov! Access Token
- 25.
- 27. Login / Sign-up Requestan Access Token Authentication Event Issue an Access Token Request Attributes AttributesWelcome, Nov! response_type=token
- 28. Login / Sign-up Requestan Access Token Authentication Event Issue an Access Token + Code Request Attributes AttributesWelcome, Nov! Code Access Token Code ?? App Backend response_type=code+token
- 29. Code Flow • “response_type=code” •Token Endpoint • • Access Token User Agent • ( ) Client • Access Token
- 30. Implicit Flow • “response_type=token” •Token Endpoint • • Access Token User Agent • Client (client_secret ) • End-User (Client ) Access Token
- 31. Hybrid Flow • “response_type=code+token” •Token Endpoint Access Token Token Endpoint Access Token • • Implicit Flow Access Token Code Flow Access Token
- 32.
- 37.
- 39. • RFC 6749- OAuth 2.0 Core • RFC 6750 - OAuth 2.0 Bearer Token Usage • RFC 6819 - OAuth 2.0 Threat Model • RFC 7519 - JSON Web Token • RFC 7636 - OAuth 2.0 PKCE (Proof Key for Code Exchange) • RFC 7800 - OAuth 2.0 PoP Token (Proof of Possession)
- 40. • RFC 6749- OAuth 2.0 Core • RFC 6750 - OAuth 2.0 Bearer Token Usage • RFC 6819 - OAuth 2.0 Threat Model • RFC 7519 - JSON Web Token • RFC 7636 - OAuth 2.0 PKCE (Proof Key for Code Exchange) • RFC 7800 - OAuth 2.0 PoP Token (Proof of Possession) [ ] http://openid-foundation-japan.github.io
- 41. OpenID Connect ~ OAuth2.0 + Identity Layer ~
- 42. Login / Sign-up Requestan Access Token Authentication Event Issue an Authorization Code Send the Code Request Attributes AttributesWelcome, Nov! Access Token + ID Token
- 49.
- 50. • iss (issuer) •(ID Provider) • sub (subject) • • aud (audience) • Client • exp / iat (expires_at / issued_at) •
- 51. • auth_time • (Authentication Event ) • nonce • Authorization Request Token Response • at_hash • Access Token • c_hash • Authorization Code
- 52.
- 53.
- 54.
- 55. Login / Sign-up Requestan Access Token Authentication Event Issue an Authorization Code Send the Code Request Attributes AttributesWelcome, Nov! Access Token (+ ID Token) response_type=code
- 56. Login / Sign-up Requestan Access Token Authentication Event Issue an Authorization Code Send the Code Request Attributes AttributesWelcome, Nov! Access Token (+ ID Token) response_type=code
- 57. Login / Sign-up Requestan Access Token Authentication Event Issue an Authorization Code Send the Code Request Attributes AttributesWelcome, Nov! Access Token (+ ID Token) response_type=code
- 58.
- 59.
- 60. Login / Sign-up Requestan Access Token Authentication Event Issue an Authorization Code Send the Code Request Attributes AttributesWelcome, Nov! Access Token (+ ID Token) response_type=code
- 61.
- 62.
- 63. Login / Sign-up Requestan Access Token Authentication Event Issue an Access Token Welcome, Nov! Token Attributes Token Session App Backend response_type=token
- 64.
- 66.
- 67. OAuth … • • • OAuth… • state • OpenID Connect (max_age etc.) • Token • nonce • ( ) • ID Token aud, sub, auth_time etc. • OAuth API (Token Introspection)
- 68.
- 69. OpenID Connect ~ OAuth2.0 + Identity Layer ~
- 71. • RFC 6749- OAuth 2.0 Core • RFC 6750 - OAuth 2.0 Bearer Token Usage • RFC 6819 - OAuth 2.0 Threat Model • RFC 7519 - JSON Web Token • RFC 7636 - OAuth 2.0 PKCE (Proof Key for Code Exchange) • RFC 7800 - OAuth 2.0 PoP Token (Proof of Possession)
- 73.