An Introduction to OpenID Connect: Trends in ID Federation for Consumer Services
- 5. It's tough being an RP
A new authentication/authorization protocol comes along roughly once every few years
...SAML, OpenID, OAuth 1.0, OAuth 2.0
And supporting each one means a completely different implementation
SOAP or RESTful / XML or JSON
- 31. Authorization Request
HTTP/1.1 302 Found
Location: https://server.example.com/authorize?
  response_type=code
  &scope=openid%20profile%20email
  &client_id=s6BhdRkqt3
  &state=af0ifjsldkj
  &nonce=n-0S6_WzA2Mj
  &redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb
- 32. The scope parameter must include openid
- 33. scope also specifies which attribute (claim) sets to retrieve
- 34. state: a random string for CSRF protection; store it bound to the session
- 35. nonce: a random string for replay-attack protection; store it bound to the session
- 40. Authorization Response
HTTP/1.1 302 Found
Location: https://client.example.org/cb?
  code=SplxlOBeZQQYbYS6WxSbIA
  &state=af0ifjsldkj
The Authorization Code is returned appended to the query string
- 41. Compare the returned state with the value bound to the session; if they do not match, abort processing
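The RP side of slides 31 through 41, as an added example that is not part of the original deck: it builds the Authorization Request, binds fresh state and nonce values to the user's session, and refuses the callback when state does not match. The endpoint, client_id and redirect_uri are the values shown on the slides; the session is represented by a plain dict standing in for whatever server-side session store the RP uses.

```python
import secrets
import urllib.parse

# Values taken from the slides; the session object is a stand-in for a
# server-side session store.
AUTHZ_ENDPOINT = "https://server.example.com/authorize"
CLIENT_ID = "s6BhdRkqt3"
REDIRECT_URI = "https://client.example.org/cb"


def build_authorization_request(session: dict) -> str:
    """Build the Authorization Request URL and bind state/nonce to the session.

    state : CSRF defence, compared against the state on the callback.
    nonce : replay defence, compared against the nonce claim of the ID Token.
    Both are unguessable random strings kept server-side, never in the URL only.
    """
    state = secrets.token_urlsafe(16)
    nonce = secrets.token_urlsafe(16)
    session["oidc_state"] = state
    session["oidc_nonce"] = nonce
    params = {
        "response_type": "code",
        "scope": "openid profile email",  # "openid" is mandatory for OIDC
        "client_id": CLIENT_ID,
        "state": state,
        "nonce": nonce,
        "redirect_uri": REDIRECT_URI,
    }
    # quote_via=quote gives %20 / %3A%2F%2F encoding, matching the slide.
    return AUTHZ_ENDPOINT + "?" + urllib.parse.urlencode(
        params, quote_via=urllib.parse.quote)


def handle_callback(session: dict, callback_url: str) -> str:
    """Validate the Authorization Response and return the authorization code.

    Raises ValueError (i.e. abort processing) when the state is missing or does
    not match the one bound to the session, which is the slide's rule.
    """
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(callback_url).query)
    # One-shot: a state value is consumed on first use, so a replayed callback
    # with the same state fails too.
    expected_state = session.pop("oidc_state", None)
    received_state = query.get("state", [None])[0]
    if expected_state is None or received_state is None:
        raise ValueError("missing state: aborting")
    # Constant-time comparison so timing does not leak the expected value.
    if not secrets.compare_digest(expected_state, received_state):
        raise ValueError("state mismatch: possible CSRF, aborting")
    if "error" in query:
        raise ValueError("authorization error: " + query["error"][0])
    code = query.get("code", [None])[0]
    if not code:
        raise ValueError("missing code: aborting")
    return code


if __name__ == "__main__":
    sess = {}
    print(build_authorization_request(sess))
    cb = f"{REDIRECT_URI}?code=SplxlOBeZQQYbYS6WxSbIA&state={sess['oidc_state']}"
    print("code:", handle_callback(sess, cb))
```

The nonce stays in the session after the callback; it is consumed later, when the ID Token's nonce claim is checked.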
- 44. Token Request
POST /token HTTP/1.1
Host: server.example.com
Content-Type: application/x-www-form-urlencoded
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW

grant_type=authorization_code
&code=SplxlOBeZQQYbYS6WxSbIA
&redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb
- 45. Client authentication is HTTP Basic: base64_encode($client_id . ':' . $client_secret)
- 46. code: the Authorization Code obtained in the previous step
- 47. POST is used because the request carries the client secret and the Authorization Code
- 50. Token Response
HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-store
Pragma: no-cache

{
  "access_token": "SlAV32hkKG",
  "token_type": "Bearer",
  "refresh_token": "8xLOxBtZp8",
  "expires_in": 3600,
  "id_token": "eyJhbGciOi6IjFlOWdkazcifQ.eyJewogImlzc6ICJzZCaGRSa3F0MyIsCiAibm9uY2UiOiODA5NzAKfQ.eyJggW8hZ16IcmD3HP99Obi1PRs-cwhJ3LO-p146waJMzqg"
}
- 51. JSON (not XML)
- 52. You receive an Access Token and a Refresh Token
- 53. The Access Token is a Bearer token: Authorization: Bearer <Access Token>
- 54. You also receive the ID Token (the authentication token); verify its signature, then decode it and validate each claim
- 55. eyJ...eyJ... (excitement rising!)
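Slides 44 through 54 in code, as an added example that is not from the original deck: the Basic header for the Token Request, then the signature and claim checks an RP performs on the ID Token. The client_id is the slide's; the client secret is the value the slide's Basic header decodes to; the issuer URL is assumed from the server host on the slides. The slides do not say which signing algorithm the OP uses, so this example uses HS256 keyed with the client secret (an option OIDC Core permits) purely so it runs offline with the standard library; OPs in practice usually sign with RS256 and publish the verification key via JWKS, which changes the signature check but not the claim checks. The make_id_token helper is a constructed OP stand-in that exists only to produce a token to verify.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# client_id and secret are the values behind the slide's Basic header; the
# issuer URL is an assumption based on the server host shown on the slides.
CLIENT_ID = "s6BhdRkqt3"
CLIENT_SECRET = "gX1fBat3bV"
ISSUER = "https://server.example.com"


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """Authorization header for the Token Request (client_secret_basic).

    RFC 6749 form-urlencodes both values before joining them with ':';
    for these values that is a no-op, so it is omitted here.
    """
    raw = f"{client_id}:{client_secret}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_id_token(claims: dict, key: str) -> str:
    """Constructed OP-side helper: mints an HS256 ID Token so the example is
    self-contained.  An RP never signs ID Tokens; it only verifies them."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_id_token(id_token: str, client_secret: str, expected_nonce: str,
                    now: Optional[float] = None) -> dict:
    """Check the signature first, then the claims (iss, aud/azp, exp, nonce)."""
    now = time.time() if now is None else now
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("ID Token is not a three-part JWT")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm the RP expects; never let the token choose it.
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected_sig = hmac.new(client_secret.encode(),
                            f"{header_b64}.{payload_b64}".encode(),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("ID Token signature is invalid")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("iss does not match the OP")
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else (aud or [])
    if CLIENT_ID not in aud:
        raise ValueError("aud does not contain our client_id")
    if len(aud) > 1 and claims.get("azp") != CLIENT_ID:
        raise ValueError("multiple audiences but azp is not our client_id")
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise ValueError("ID Token has expired")
    # Replay defence: the nonce must equal the one bound to the session when
    # the Authorization Request was built.
    if not hmac.compare_digest(str(claims.get("nonce", "")), expected_nonce):
        raise ValueError("nonce mismatch: possible replay")
    return claims


if __name__ == "__main__":
    print(basic_auth_header(CLIENT_ID, CLIENT_SECRET))
    tok = make_id_token({"iss": ISSUER, "sub": "248289761001", "aud": CLIENT_ID,
                         "exp": int(time.time()) + 600, "iat": int(time.time()),
                         "nonce": "n-0S6_WzA2Mj"}, CLIENT_SECRET)
    print(verify_id_token(tok, CLIENT_SECRET, "n-0S6_WzA2Mj"))
```

Order matters: the signature is checked before any claim is read, so an unsigned or tampered payload is never trusted, and the alg is fixed by the RP rather than taken from the token header.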
- 59. UserInfo Request
GET /userinfo HTTP/1.1
Host: server.example.com
Authorization: Bearer SlAV32hkKG…segsef
Bearer token: Authorization: Bearer <Access Token>
- 62. UserInfo Response
HTTP/1.1 200 OK
Content-Type: application/json

{
  "sub": "248289761001",
  "name": "Jane Doe",
  "given_name": "Jane",
  "family_name": "Doe",
  "preferred_username": "j.doe",
  "picture": "http://example.com/janedoe/me.jpg",
  "email": "janedoe@example.com"
}
- 63. JSON (not XML)
- 64. sub: the user identifier (openid scope)
- 65. Profile information (profile scope)
- 66. Email address (email scope)
- 112. Defined attributes (claims)
Member                 scope    Description
sub                    -        User identifier
name                   profile  Full name
given_name             profile  Given name
family_name            profile  Family name
middle_name            profile  Middle name
nickname               profile  Nickname
preferred_username     profile  Short name
profile                profile  URL of the profile page
picture                profile  URL of the profile picture
website                profile  Website URL
email                  email    Email address
email_verified         email    Whether the email address has been verified
gender                 profile  Gender
birthdate              profile  Date of birth
- 113. Defined attributes (claims), continued
Member                 scope    Description
zoneinfo               profile  Time zone
locale                 profile  Country code
phone_number           phone    Phone number
phone_number_verified  phone    Whether the phone number has been verified
address                address  Postal address
updated_at             profile  When the attributes were last updated
- 115. Summary
1. What characterizes OpenID Connect
   Built on OAuth 2.0; covers authentication, authorization and attribute retrieval
2. The OpenID Connect flow
   The basic Authorization Code Flow
3. The ID Token
   A JSON Web Token
4. The UserInfo Endpoint
   The attributes you are likely to need are already defined