Standard-based Identity (1)
- 1. ID & IT Management Conference 2016
Standard-based Identity (1)
2016/9/16
Yahoo Japan Corporation, 倉林 雅
- 3. Agenda
1. Introduction
2. Trends in identity federation standards
3. Overview of each protocol
4. Use cases for each protocol
5. OpenID Connect flow walkthrough
6. Summary
- 18. OAuth
Pronounced: オーオース (oh-auth)
Overview
OAuth 1.0 and OAuth 2.0 are authorization technologies
Purpose: access to user resources (Web APIs)
Technologies used: REST-API-like, JSON
- 27. SCIM
Pronounced: スキム (skim)
Overview
System for Cross-domain Identity Management
A specification for identity management in cloud services
Add, update, delete, and retrieve/search user information
Technologies used: REST API, JSON
- 33-34. Authorization Request
HTTP/1.1 302 Found
Location: https://server.example.com/authorize?
response_type=code
&scope=openid%20profile%20email
&client_id=s6BhdRkqt3
&state=af0ifjsldkj
&nonce=n-0S6_WzA2Mj
&redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb
For the Authorization Code Flow, specify response_type=code
- 39-41. Authorization Response
HTTP/1.1 302 Found
Location: https://client.example.org/cb?
code=SplxlOBeZQQYbYS6WxSbIA
&state=af0ifjsldkj
In the Authorization Code Flow, the parameters are returned in the query string
The Authorization Code is returned appended to the query string
Compare the returned state with the state value bound to the session beforehand;
if the values do not match, abort processing
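The relying-party side of slides 33 through 41 as an added example (not code from the presentation): mint state and nonce, bind them to the session, build the Authorization Request URL, then accept the Authorization Response only when the returned state matches. The endpoint, client_id and redirect_uri are the slide's values; the `session` dict stands in for whatever server-side session store the client uses.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Values taken from the slides' Authorization Request.
AUTHZ_ENDPOINT = "https://server.example.com/authorize"
CLIENT_ID = "s6BhdRkqt3"
REDIRECT_URI = "https://client.example.org/cb"


def build_authorization_request(session):
    """Mint a fresh state and nonce, bind both to the user's session,
    and return the Location URL for the 302 redirect to the OP."""
    session["state"] = secrets.token_urlsafe(16)
    session["nonce"] = secrets.token_urlsafe(16)  # checked later against the ID Token
    params = {
        "response_type": "code",  # Authorization Code Flow
        "scope": "openid profile email",
        "client_id": CLIENT_ID,
        "state": session["state"],
        "nonce": session["nonce"],
        "redirect_uri": REDIRECT_URI,
    }
    return AUTHZ_ENDPOINT + "?" + urlencode(params)


def handle_authorization_response(session, callback_url):
    """Parse the query string of the Authorization Response and return the
    Authorization Code only if the returned state matches the session's."""
    query = parse_qs(urlparse(callback_url).query)
    returned_state = query.get("state", [""])[0]
    # pop(): each state is accepted exactly once, so a replayed callback fails.
    expected_state = session.pop("state", None)
    if not expected_state or not secrets.compare_digest(
        expected_state.encode(), returned_state.encode()
    ):
        raise ValueError("state mismatch: abort processing")
    if "error" in query:  # the OP reported an error instead of issuing a code
        raise ValueError("authorization error: " + query["error"][0])
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("Authorization Response carries no code")
    return code
```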
- 43-46. Token Request
POST /token HTTP/1.1
Host: server.example.com
Content-Type: application/x-www-form-urlencoded
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW

grant_type=authorization_code
&code=SplxlOBeZQQYbYS6WxSbIA
&redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb
Basic authentication: base64_encode(Client_ID . ":" . Secret)
Specify the Authorization Code obtained in the previous step
Uses the POST method because it carries the client Secret and the Authorization Code
- 48-52. Token Response
HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-store
Pragma: no-cache

{
"access_token": "SlAV32hkKG",
"token_type": "Bearer",
"refresh_token": "8xLOxBtZp8",
"expires_in": 3600,
"id_token": "eyJhbGciOi6IjFlOWdkazcifQ.eyJewogImlzc6ICJzZCaGRSa3F0MyIsCiAibm9uY2UiOiODA5NzAKfQ.eyJggW8hZ16IcmD3HP99Obi1PRs-cwhJ3LO-p146waJMzqg"
}
JSON format
The Access Token and Refresh Token are obtained here
The Access Token is a Bearer token: Authorization: Bearer <Access Token>
The ID Token (the authentication token) is also obtained here; verify its signature, then decode it and validate each parameter
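The two client-side checks from slides 44 and 52 as an added example (not the presentation's code): building the Basic credential for the Token Request, and verifying an ID Token's signature before validating iss, aud, exp and nonce. The client secret is what the slide's Basic credential decodes to; the issuer value, and the use of HS256 with the client secret as key, are assumptions for this example (many OPs sign with RS256 and publish JWKS instead), so `make_id_token` constructs a token locally to give the verifier input.

```python
import base64, hashlib, hmac, json, time

CLIENT_ID = "s6BhdRkqt3"
CLIENT_SECRET = "gX1fBat3bV"  # decoded from the slide's Basic credential
ISSUER = "https://server.example.com"  # assumed issuer identifier of the OP

def basic_auth_header(client_id, client_secret):
    """Authorization header for the Token Request: base64(client_id ":" secret)."""
    return "Basic " + base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()

def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_id_token(claims, secret):
    """Constructed HS256 ID Token (what the OP would issue) so the verifier has input."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def verify_id_token(token, secret, expected_nonce, now=None):
    """Check the signature first, then decode and validate each claim:
    iss, aud, exp, and the nonce bound to the session at the Authorization Request."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the expected alg; never trust the token's choice
        raise ValueError("unexpected alg: " + str(header.get("alg")))
    signing_input = f"{header_b64}.{payload_b64}".encode()
    expected_sig = hmac.new(secret.encode(), signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("ID Token signature invalid")
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else (aud or [])
    if claims.get("iss") != ISSUER:
        raise ValueError("iss mismatch")
    if CLIENT_ID not in aud:
        raise ValueError("aud does not contain this client_id")
    if claims.get("exp", 0) <= now:
        raise ValueError("ID Token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")
    return claims
```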
- 57. UserInfo Request
GET /userinfo HTTP/1.1
Host: server.example.com
Authorization: Bearer SlAV32hkKG…segsef
Bearer token: Authorization: Bearer <Access Token>
- 59-63. UserInfo Response
HTTP/1.1 200 OK
Content-Type: application/json

{
"sub": "248289761001",
"name": "Jane Doe",
"given_name": "Jane",
"family_name": "Doe",
"preferred_username": "j.doe",
"picture": "http://example.com/janedoe/me.jpg",
"email": "janedoe@example.com"
}
JSON format
sub: the user identifier (openid scope)
name, given_name, family_name, preferred_username, picture: profile information (profile scope)
email: the email address (email scope)
- 64-65. Defined attributes
| Member | scope | Description |
| --- | --- | --- |
| sub | - | User identifier |
| name | profile | Full name |
| given_name | profile | Given name |
| family_name | profile | Family name |
| middle_name | profile | Middle name |
| nickname | profile | Nickname |
| preferred_username | profile | Shorthand name |
| profile | profile | URL of the profile page |
| picture | profile | URL of the profile picture |
| website | profile | Web site URL |
| email | email | Email address |
| email_verified | email | Whether the email address has been verified |
| gender | profile | Gender |
| birthdate | profile | Date of birth |
| zoneinfo | profile | Time zone |
| locale | profile | Country code |
| phone_number | phone | Phone number |
| phone_number_verified | phone | Whether the phone number has been verified |
| address | address | Postal address |
| updated_at | profile | Time the attributes were last updated |
- 67. Summary
1. Trends in identity federation standards
SAML 2.0 remains mainstream in the enterprise
OpenID Connect is the current trend
2. Overview of each protocol
Authentication and authorization are different mechanisms
Protocols have shifted from SOAP/XML to REST-API-like, JSON-based designs