アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -

OAuth1.0 / OAuth2 / Opened Connect

OAuth 1.0 OAuth 2.0 OpenID Connect
Web

Web

- URL  
https://webgame.link/auths/

- Github Ruby on Rails  
https://github.com/ngzm/auths-demo

OAuth 1.0 OAuth 2.0 OpenID Connect
 
RFC

Naoki Nagazumi

Johnny Depp

vue.js

Ruby

SIer

Twitter: @nk_ngzm

GitHub: https://github.com/ngzm/

Blog: http://ngzm.hateblo.jp/

OAuth 1.0
OAuth 2.0
OpenID Connect

Resource endpoint
ok
XX
ID PWD
Authorization endpoint
Access
Token
Token endpoint
Resource Owner OAuth Client
OAuth Server
OAuth

OK!
ID PWD
End-User Relying Party
(RP)
Identity Provider
(IdP)
Authorization endpoint
ID Token
Token endpoint
OpenID Connect
OpenID Provider
(OP)

OAuth 1.0
• RFC5849 - The OAuth 1.0 Protocol 
https://openid-foundation-japan.github.io/rfc5849.ja.html 
https://tools.ietf.org/html/rfc5849

• 2010 4 RFC 8

App
App
Request token
endpoint
Authorization
endpoint
Token
endpoint
Resource
endpoint
Redirect
Redirect
Oauth Token
OAuth
Client
Resource
Owner
OAuth
Server
Access Token
OAuth
START
OK
Client
User Information
login
token
token
request
token
client
access
token
oauth
token
request
token
Access token
client

OAuth OAuth
Twitter

I. consumer_key consumer_secret

II. request token request token secret

III. access token access token secret

OAuth 1.0
OAuth OAuth
Ⅰ

Signature
OAuth  
•

•

• HMAC-SHA1

1.
• access token token

• timestamp nonce

•

2.
• OAuth

3. HMAC-SHA1
• 2
https://syncer.jp/Web/API/OAuth/

Authorization Header
OAuth  
Authorization  
OAuth

Authorization: OAuth

oauth_consumer_key="xvz1evFS4wEEPTGEFPHBog",

oauth_nonce="kYjzVBB8Y0ZFabxSWbWovY3uYSQ2pTgmZeNu2VS4cg",

oauth_signature="tnnArxj06cWHq44gCs1OSKk%2FjLY%3D",

oauth_signature_method="HMAC-SHA1",

oauth_timestamp="1318622958",

oauth_token="370773112-GmHxMAgYyLbNEtIKZeRNFsMKPR9EyMZeS9weJAEb",

oauth_version="1.0"
 
customer_key
nonce
token
(access token )

TSL SSL
TSL SSL  
-

-

- timestamp nonce

• Twitter OAuth
1. OAuth 1.0

2. OAuth 2.0 Client Credentials Flow

( OAuth 2.0 )
OAuth 1.0

App
App
Request token
Endpoint
Authorization
Endpoint
Token
Endpoint
Resource
Endpoint
#2. Request token
#1. Request toke
#3.
Redirect
Redirect
#5. Access token
OAuth
Client
Resource
Owner
OAuth
Server
#4. OK
#6. Access token
#7.
AuthDemo
START
OK
Access token
Client
User Information
login
token
token
token
client
access
token
oauth
token
request
token
Twitter

#0
Twitter Application Management
https://apps.twitter.com/

•
1. Name

2. Description

3. Website URL

4. Callback URL OAuth URL

•
1. Consumer Key (API Key) OAuth Client ID

2. Consumer Secret (API Secret) OAuth Client Secret
Redirect URI
Callback URL
ON
Consumer Secret

#1
Request token
POST https://api.twitter.com/oauth/request_token HTTP/1.1
…
…
Content-Type: application/x-www-form-urlencoded
oauth_callback="https://my-callback-host/my-callback/path/",
oauth_nonce="kYjzVBB8Y0ZFabxSWbWovY3uYSQ2pTgmZeNu2VS4cg",
oauth_signature="tnnArxj06cWHq44gCs1OSKk%2FjLY%3D",
oauth_version="1.0"
…
1. consumer_key : 
#0 "Consumer Key"
2. callback : 
"callback uri"
3. nonce : 
 
Replay Attack
4. signature : 
 
#0 "Consumer Secret"
5. signature_method : 
twitter HMAC-SHA1
6. timestamp : 
 
Replay Attack
POST URL of Twitter Request Token Endpoint

#2
Request token
oauth_token="5mb9VtYwa27HTVjK5OhoyyI503dWoPndDQ9G4V8yCI"
&oauth_token_secret="4dW4gGLic6oItvd0YySWRU5aLjBQsw1N9xDC3Wkqw"
&oauth_callback_confirmed="true"
1. oauth_token : 
Request token  
token
2. oauth_token_secret : 
Request token secret  
 
access token
3. oauth_callback_conﬁrmed : 
oauth_callback  
true
Response body from Twitter Request Token Endpoint

#3
https://api.twitter.com/oauth/authorize?oauth_token="5mb9VtYwa27HTVjK5OhoyyI503dWoPndDQ9G4V8yCI"
oauth_token : #2 Request token
Redirect to Twitter Authorization Endpoint

#4
OK
https://my-callback-host/my-callback/path/
?oauth_token="mFyphbOybZCKfoZWurAU7dbcTnFoUeksGfVyFauFWM"
&oauth_verifier="TGUMMyQWCSJGKiXlUlQmgRQEYMv8mkIt5cHPERUgvw"
1. oauth_token : 
oauth token  
token
2. oauth_veriﬁer: 
oath token  
access token
Redirect from Twitter Authorization Endpoint
#1 callback

#5
Access token
POST https://api.twitter.com/oauth/access_token HTTP/1.1
…
…
oauth_nonce="BB8Y0ZFuYSe4vQ2pTgmZbxSWbWovY3",
oauth_signature="Hq4gCs1rx4Kkj06cOStnnAW%2FjLY%3D",
oauth_token="mFyphbOybZCKfoZWurAU7dbcTnFoUeksGfVyFauFWM",
oauth_verifier="TGUMMyQWCSJGKiXlUlQmgRQEYMv8mkIt5cHPERUgvw",
oauth_version="1.0"
…
#0 ”Consumer Key”
2. nonce : 
 
Replay Attack
3. signature : 
 
#0 Consumer Secret #2
request_token_secret
twitter HMAC-SHA1
5. token : 
#4 oauth token
6. veriﬁer : 
#4 oath veriﬁer
7. timestamp : 
 
Replay Attack
POST URL of Twitter Token Endpoint

#6
Access token
oauth_token="1528352858-UUCjYDVcLC4V34xHob5XTxboEgJWLwp9aIGSrBC"
&oauth_token_secret="VNhCQye7rX4P4u2OIuDHOgdSBATgZV3qWvJ8uSLkXqP25"
&user_id="12345678901"
&screen_name="nk_ngzm"
1. oauth_token : 
access token
2. oauth_token_secret : 
access token secret 
 
3. user_id : 
Twitter user_id
4. screen_name  
Twitter
Response body from Twitter Token Endpoint

#7
GET https://api.twitter.com/1.1/users/show.json?user_id=12345678901
…
…
oauth_nonce="FabxSWbkYjzBB8Y0ZWVovY3uu2pTgmZeN",
oauth_signature="CStnHscOx4Kkj06q4gn1rAW%2FjLY%3D",
oauth_token="1528352858-UUCjYDVcLC4V34xHob5XTxboEgJWLwp9aIGSrBC",
oauth_timestamp=“13186248263",
oauth_version="1.0"
…
#0 Consumer Key
2. nonce : 
 
Replay Attack
3. signature : 
 
#0 Consumer Secret  
#6 access_token_secret
twitter HMAC-SHA1
5. token : 
#6 access token
6. timestamp : 
 
Replay Attack
URL of Twitter Resource Endpoint ( )GET
#6 Twitter user_id

#0 calback #1
-  
token

#1 #5 #7 timestamp nonce
- access token Replay Attack

i.
ii.
OAuth 2.0
OpenID Connect

OAuth 2.0
• RFC6749 - The OAuth 2.0 Authorization Framework 
https://openid-foundation-japan.github.io/rfc6749.ja.html 
https://tools.ietf.org/html/rfc6749

• 2012 10 RFC

• Oauth 1.0

OAuth 2.0
• OAuth 1.0

• OAuth 1.0 OAuth 2.0  

•

…

OAuth 2.0
1. Authorization Code Flow Client Type Conﬁdential
2. Implicit Flow Client Type Public
3. Client Credentials Flow
4. Resource Owner Password Credentials Flow
5. Refreshing an Access Token token

Client Type
Client Type "Conﬁdential" "Public"
1. Conﬁdential ... Web
‣ OAuth Client

‣ Authorization code Flow

2. Public ...
‣
OAuth Client

‣ Implicit Flow

HTTP message
OAuth 1.0  
… TSL

‣ Client Type Conﬁdential OAuth Client
‣ Public OAuth Client  
→

OAuth 2.0
OAuth OAuth
Facebook

• client_id client_secret

OAuth OAuth

Token Authorization Header  
Bearer  
RFC6750 - The OAuth 2.0 Authorization Framework: Bearer Token Usage 
https://tools.ietf.org/html/rfc6750 
https://openid-foundation-japan.github.io/rfc6750.ja.html
Authorization: Bearer mF_9.B5f-4.1JqM
Authorization header
access token

Access token
• Implicit Grant Flow access token
- token

- OAuth 1.0 access token 1

Access token  
‣ OAuth 2.0 RFC6749

Flow

1. Authorization Code Flow
Client Type Conﬁdential

2. Implicit Flow
Client Type Public
https://qiita.com/TakahikoKawasaki/items/200951e5b5929f840a1f

Authorization Code Flow
Conﬁdential Client Type
OAuth 2.0

App
App
Authorization
endpoint
Token
endpoint
Resource
endpoint
Redirect
Redirect
OAuth
Client
Resource
Owner
Authorization ServerSTART
User Information
OAuth 2.0
Resource Server
OK
Access token
OAuth
Server
login
token
client
client
code
access
token
Client
code
Client client_id
client_secret

Implicit Flow
Public Client Type
‣
OAuth Client access token  
token

Authorization
endpoint
Resource
endpoint
Redirect
User Information
App
Redirect
Authorization Server
Resource Server
App
login
token
client_secret
OAuth
Client
Resource
Owner
OAuth Server
Token endpoint
START
client access token
Client client_id
OAuth Client
access token
token

• Facebook OAuth 2.0
1. Authorization code Flow

2. Implicit Flow

3. Hybrid Flow

( Hybrid Flow OpenID Connect )

• Facebook access token
#5 #6

access token
•
"Graph API Endpoint"

App
App
Authorization Endpoint
Redirect
Redirect
OAuth
Client
Resource
Owner
#1
START
User Information
OK
Access token
OAuth
Server
login
Client
token
access
token
Graph API Endpoint
API
API
#2 OK
#3 Access token
#4 Access token
#5 Access token
#6 Access token
#7
code
client
client
code
access
token
Facebook
Facebook

#0
Facebook for Developers
https://developers.facebook.com/

•
1.

2. Valid OAuth Redirect URIs OAuth URL

•
1. ID OAuth Client ID

2. Secret OAuth Client Secret
Redirect URI
URI
Redirect URL
ON
Secret

#1
Location:
https://www.facebook.com/v2.12/dialog/oauth
?client_id="245678901234567"
&request_type="code"
&scope="email public_profile"
&redirect_uri="https://my-redirect-uri"
&state="random_text_data_agaist_csrf"
redirect to Facebook Authorization Endpoint
1. client_id : 
#0 " ID" 
client
2. request_type ”code”  
"code" Authorization Code Flow 
"token" Implicit Flow 
"code token" Hybrid Flow
3. scope  
 
"email"  
"public_proﬁle"
4. redirect_uri: 
#0 "redirect_uri"
5. state  
 
CSRF
state CSRF
code
client

#2
OK
https://my-callback-uri
?code="AQBORpgp-sdRaLAo-xR_assef-lpZiG6W"
1. code : 
code 
3 4 code access token
2. state: 
#1 state 
CSRF #1
#1 redirect_uri
state #1

#3
Access token
GET https://graph.facebook.com/v2.12/oauth/access_token
?client_id="245678901234567"
&client_secret="60abc01dab6ae4b0f8acf2abaf1"
&redirect_uri="https://my-redirect-uri/"
&code="AQBORpgp-sdRaLAo-xR_assef-lpZiG6W"
1. client_id : 
#0 " ID" 
client
2. client_secret  
#0 " Secret" 
client
3. redirect_uri: 
#0 "redirect_uri"
4. code  
#2 code
GET URL of Facebook Token Endpoint
client_secret

#4
Access token
{
"access_token": "CAWx8Qv2EvZB0-{..省略..}-AvvtNhQZDZD",
"token_type": "bearer",
"expires_in": 5180974
}
1. access_token : 
Access token
2. token_type : 
token  
OK
3. expired_in : 
Response body from Facebook Token Endpoint
Json
Access token

#5
Access token
GET https://graph.facebook.com/debug_token
?input_token="CAWx8Qv2EvZB0-{..省略..}-AvvtNhQZDZD"
&access_token="245678901234567|60abc01dab6ae4b0f8acf2abaf1"
1. input_token : 
token 
#4 access token
2. access_token  
 
GET URL of Facebook Debug Token Endpoint

#6
Access token
{
"data": {
"app_id": 245678901234567,
"type": "USER",
"application": "MyApplication",
"expires_at": 1386248263,
"is_valid": true,
"issued_at": 1386251863,
"metadata": {
"sso": "iphone-safari"
},
"scopes": [
"email",
"publish_actions"
],
"user_id": "1234567"
}
}
1. app_id : 
#0 client_id  
token
2. user_id : 
user_id
Response body from Facebook Token Debug Endpoint
Json

#7
GET https://graph.facebook.com/1234567?fields="id,first_name,name,picture,email"
…
…
…
Authorization: Bearer "CAWx8Qv2EvZB0-{..省略..}-AvvtNhQZDZD"
…
…
GET URL of Facebook Resource Endpoint
Authorization Bearer #4 access token
1. ﬁelds : #6 user_id

#0 redirect_uri #1
- code
token
2018 3 Facebook
1. redirect_uri
2. redirect_uri TSL

#1 state #2
#1
- CSRF code token

”Access Token ” ”OAuth ”
- Access token

- Access token

- token
OpenID Connect

Implicit Flow
- token (token replace attack)
http://www.thread-safe.com/2012/01/problem-with-oauth-for-authentication.html 
https://www.sakimura.org/2012/02/1487/
OpenID Connect

- Authorization Code Flow Web Implicit
Flow

-
OpenID Connect
OAuth2.0

OpenID Connect
• OpenID Connect Core 1.0 incorporating errata set 1 
https://openid-foundation-japan.github.io/openid-connect-core-1_0.ja.html 
http://openid.net/specs/openid-connect-core-1_0.html

• OpenID Foundation RFC

•

OpenID Connect
• OAuth 2.0

- OAuth Access token
ID token

- token

OAuth 2.0
OAuth 2.0  
OAuth 2.0
• TSL
•
• Access token Authorization Bearer
• Access token

Hybrid Flow
 
Hybrid Flow
‣ token

‣

Flow
2. Implicit Flow
3. Hybrid Flow
Hybrid Flow OpenID Connect
OAuth 2.0

response_type & Flow
No response_type Flow
1 code
Authorization
Code Flow
OAuth 2.0 Authorization Code Flow

Authorization Endpoint code

Token Endpoint code access token ID token
2 token Implicit Flow
OAuth 2.0 Implicit Flow

Authorization Endpoint access token ID token
3 id_token Implicit Flow Authorization Endpoint ID token access token
4 id_token token Implicit Flow Authorization Endpoint ID token access token
5 code id_token Hybrid Flow

Authorization Endpoint code ID token

6 code token Hybrid Flow

Authorization Endpoint code access token

7 code token id_token Hybrid Flow

Authorization Endpoint code access token ID token

8 none - ID token access token
‣ response_type

ID
”ID ”  
ID token
‣ ID token IdP "ID"
‣ ID token IdP "ID" RP
ID 74387592 ngzm IdP

ID token
• "ID" IdP RP
•
• JWT JSON Web Token  
RFC7519 JSON Web Token (JWT) https://tools.ietf.org/html/rfc7519
Access token

JWT
JSON Header Claim (Payload)
SIgnature URL Safe
1. Header Claim BASE64urlEncode

2. 1 Header Claim '.'

3. 2 HMAC SHA256 RS256 ES256 PS256
JWS Signature

4. 3 BASE64urlEncode

5. 2 Header Claim '.' 4

JWT
BASE64urlEncode(Header) + '.' + BASE64urlEncode(Claim) + '.' + BASE64urlEncode(JWS Signature)

JWT
Google ID token JWT
Header
{
"alg":"RS256",
"kid":"7158dc8572 {略} 20a35b073447"
}
Claim
{
"iss":"accounts.google.com",
"at_hash":"HK6E_P6Dh8Y93mRNtsDB1Q",
"email_verified":"true",
"sub":"10769150350006150715113082367",
"azp":"3456789012.apps.google.com",
"email":"jsmith@example.com",
"aud":"3456789012.apps.google.com",
"iat":1353601026,
"exp":1353604926,
"nonce": "0394852-3190485-2490358",
}
1.iss: IdPのID
2.at_hash: 同時生成のaccess tokenハッシュ値
3.email_verified: email検証結果
4.sub: End Userのgoogle内部ID
5.azp： RPのclient_id
6.email： End Userのemail
7.aud： RPのID
8.iat： token発行時刻
9.exp： token有効期限時刻
10.nonce: nonce
1.alg: 署名アルゴリズム RS256形式
2.kid: RS256公開鍵を探すためのID
access token

JWT js
// JWT Header
let header = {}；
header.alg = 'HS256'; // 署名アルゴリズム：HMAC SHA256 による署名の場合は'HS256'
header.typ = 'JWT'; // JWT形式を明示
// JWT Payload（Claim Set）
let claim = {};
claim.iss = 'Identity Party ID'; // JWT発行者の識別子 → IdP の ID
claim.sub = 'End User ID'; // エンドユーザ識別子 → end user ID
claim.nbf = 'current time'; // JWTが有効になる日時
claim.iat = 'issue time'; // JWTを発行した日時
claim.exp = 'expire time'; // JWTの有効期限日時
claim.jti = 'unique ID'; // JWT自体を一意に識別する任意の文字列
claim.aud = 'Relying Party ID'; // JWT利用者の識別子 → RP の ID
// Secret Key
const secret_key = 'XXXXXXXXXX' ; // HMAC SHA256 署名の秘密鍵 → client_secret
// Generate JWT（jsrsasign というJSライブラリを使用した例）
const jwt = KJUR.jws.JWS.sign('HS256', JSON.stringify(header), JSON.stringify(claim), secret_key);

Userinfo Endpoint  
‣ OAuth 2.0 Access token

‣ OpenID Connect Access token Userinfo Endpoint

Flow


2. Implicit Flow

3. Hybrid Flow
https://qiita.com/TakahikoKawasaki/items/4ee9b55db9f7ef352b47

response_type=code
• OAuth 2.0 Authorization Code Flow
•

App
Authorization
endpoint
Token
endpoint
UserInfo endpoint
Redirect
Redirect
Relying PartyEnd-User
START
User Information
OK
OK
ID token
Identiy Provider
login
client
token
response_type = code
ID token
App
client
access
token
ID
token
client
code
code
ID token
Access token
ID token at_hash
claim
access token
ID token IdP RP
Client client_id
client_secret

Implicit Flow
response_type=token
response_type=id_token
response_type=token id_token
SPA JS

response_type = token id_token
Authorization
endpoint
Resource
endpoint
Redirect
User Information
App
Redirect
App
login
token
Token endpoint
START
client access token
access token id_token
Relying
Party
End-User
Identiy Provider
ID token at_hash
claim
access token
client_secret
Client client_id

Hybrid Flow
response_type=code token
response_type=code id_token
response_type=code token id_token
• OAuth 2.0 Implicit Flow Authorization Code Flow
- Implicit Flow Access token ID token

- Authorization code Flow code Access token ID token

code token
Authorization
endpoint
Redirect
End-User
App
Redirect
START
App
login
Relying Party
App
Identity Provider
response_type = code token
Relying Party
Token
endpoint
UserInfo endpoint
token
User Information
access token
client
access
token
ID
token
client
code
client
code
access token
access
token
access token

code access token, id_token
Authorization
endpoint
Redirect
End-User
App
Redirect
START
App
login
Relying Party
App
Identity Provider
response_type = code token id_token
Relying Party
Token
endpoint
UserInfo endpoint
token
User Information
access token
ID token
client
access
token
ID
token
client
code
client
code
access
token
access token

• Google Openid Connect
1. Authorization code Flow

2. Implicit Flow

( Hybrid Flow )

App
Authorization
endpoint
Token
endpoint
UserInfo endpoint
Redirect
Redirect
Relying PartyEnd-User
START
User Information
OK
OK
ID token
Identity Provider
login
client
token
App
client
access
token
ID
token
client
code
code
Google
Google
#1
#2 OK
#3 Access token + ID token
#4 Access token + ID token
#5 ID token
#6

#0
Google API Console
https://console.developers.google.com/

•
1.

2.

3. URL

4. JavaScript

5. URI OAuth URL

•
1. ID OAuth Client ID

2. Secret OAuth Client Secret
Google URI
Secret

#1
Location:
https://accounts.google.com/o/oauth2/v2/auth
?client_id="3456789012.apps.google.com"
&response_type="code"
&scope="openid email profile"
&nonce="0394852-3190485-2490358"
redirect to Google Authorization Endpoint
1. client_id : 
#0 " ID"
2. request_type  
"code" Authorization Code Flow 
"token id_token" Implicit Flow
3. scope  
 
"openid" OpenID Connect  
"email"  
"proﬁle"
4. redirect_uri: 
#0 redirect_uri
5. state  
CSRF
6. nonce  
 
Replay Attack
state CSRF
nonce
openid
code

#2
OK
https://my-callback-uri
?state="random_text_data_agaist_csrf"
&code="4/P7q7W91a-oMsCeLvIaQm6bTrgtp7"
1. state: 
#1 state 
CSRF #1
2. code : 
code 
3 4 code access token
#1 redirect_uri
state #1

#3
Access token, ID token
POST https://www.googleapis.com/oauth2/v4/token HTTP/1.1
...
...
code="4/P7q7W91a-oMsCeLvIaQm6bTrgtp7"
&client_id="3456789012.apps.google.com"
&client_secret="60abc01dab6ae4b0f8acf2abaf1"
&grant_type="authorization_code"
1. code  
#2 code
2. client_id : 
#0 " ID"
3. client_secret  
#0 ” Secret"
4. redirect_uri: 
#0 redirect_uri
5. grant_type  
”autorization_code”
POST URL of Google Token Endpoint

#4
Access token, ID token
{
"access_token": "df7773dbc8b7d-{..省略..}-8a91ae2372e1",
"id_token": "eyJhbGJSLKDFJKLSzI1NiJ9
.eyJ3MiOit-{..省略..}-81ae2372e1
.jMgjfEYmy-{..省略..}-S5Iv5ZP5ZA",
"token_type": "bearer",
"expires_in": 5180974
}
1. access_token : 
Access token
2. id_token : 
ID token
3. token_type : 
token  
OK
4. expired_in : 
Response body from Google Token Endpoint Json
Access token
ID token

#5
ID token
{
"iss":"accounts.google.com",
"at_hash":"HK6E_P6Dh8Y93mRNtsDB1Q",
"email_verified":"true",
"sub":"10769150350006150715113082367",
"azp":"3456789012.apps.google.com",
"email":"jsmith@example.com",
"aud":"3456789012.apps.google.com",
"iat":1353601026,
"exp":1353604926,
"nonce": "0394852-3190485-2490358",
}
1. iss : 
IdP ID
2. at_hash : 
access token
3. email _veriﬁed: 
End User email
4. sub : 
End User google ID
5. azp  
RP client_id
6. email  
End User email
7. aud  
RP ID
8. iat  
token
9. exp  
token
10.nonce  
1 nonce
Google ID token 's Payload
nonce #1
access token
End User ID
Idp
RP

#7
GET https://www.googleapis.com/oauth2/v3/userinfo
…
…
Authorization: Bearer "df7773dbc8b7d-{..省略..}-8a91ae2372e1"
…
…
GET URL of Google Userinfo Endpoint
Authorization Bearer #4 access token

#0 redirect_uri #1
- code
token

state #1 #2
#1
- CSRF code token
Google

nonce #1 #5
Replay Attack
- Replay Attack

nonce Replay Attack

Implicit Flow Hybrid Flow nonce

•

• OAuth 1.0 OAuth 2.0 OpenID
OpenID Connect  
...
OpenID Connect

•

• OAuth 1.0 OAuth 2.0

• OpenID Connect

• OAuth 1.0 → OAuth 2.0 → OpenID Connect

• OAuth 1.0 OAuth 2.0

• OpenID Connect OAuth 2.0
ID token

• OAuth 1.0

‣

‣ TSL

‣

‣ Replay Attack

• OAuth 2.0

‣ TSL

‣

‣

‣ token

‣ CSRF Redirect URI

• OpenID Connect

‣ TSL OAuth 2.0

‣

‣ ID token IdP ID
ID

‣ ID token Access token

‣ CSRF Redirect URI Replay Attack

• RFC and OpenID Foundation

- https://tools.ietf.org/html/rfc5849 (5849: OAuth 1.0)

- https://tools.ietf.org/html/rfc6749 (6749: OAuth 2.0)

- https://tools.ietf.org/html/rfc6750 (6750: Bearer token)

- http://openid.net/specs/openid-connect-core-1_0.html (OpenID Connect)

• RFC and OpenID Foundation

- https://openid-foundation-japan.github.io/rfc5849.ja.html



- https://openid-foundation-japan.github.io/openid-connect-core-1_0.ja.html

• OAuth & OpenID Connect RFC

- https://qiita.com/TakahikoKawasaki/items/185d34814eb9f7ac7ef3

• OAuth 1.0 on Twitter

- https://developer.twitter.com/en/docs/basics/authentication/overview/oauth

- https://dev.twitter.com/web/sign-in/implementing

- https://syncer.jp/Web/API/Twitter/REST_API/

• OAuth 2.0

- https://qiita.com/TakahikoKawasaki/items/200951e5b5929f840a1f

- https://www.buildinsider.net/enterprise/openid/oauth20

- http://www.atmarkit.co.jp/fsmart/articles/oauth2/01.html

• OAuth 2.0 on Facebook

- https://developers.facebook.com/

- https://developers.facebook.com/docs/facebook-login/manually-build-a-login-ﬂow

- http://tech.vasily.jp/entry/facebook_graph_api

• OpenID Connect

- https://www.slideshare.net/kura_lab/openid-connect-id

- https://www.slideshare.net/matake/connect-intro-dev-love

- https://qiita.com/TakahikoKawasaki/items/4ee9b55db9f7ef352b47

- https://www.buildinsider.net/enterprise/openid/connect

- https://tools.ietf.org/html/rfc7519 (RFC)

- https://hiyosi.tumblr.com/post/70073770678/
jwt%E3%81%AB%E3%81%A4%E3%81%84%E3%81%A6%E7%B0%A1%E5%8D%98%E3%8
1%AB%E3%81%BE%E3%81%A8%E3%82%81%E3%81%A6%E3%81%BF%E3%81%9F

• OpenID Connect on Google

- https://developers.google.com/identity/protocols/OpenIDConnect

•

- https://tools.ietf.org/html/rfc6819 (RFC)

- http://www.thread-safe.com/2012/01/problem-with-oauth-for-authentication.html

- http://www.atmarkit.co.jp/ait/articles/1710/24/news011.html

アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -

アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -

Similar to アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect - (20)

Recently uploaded

Recently uploaded (20)

アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -