Introduction to Identity Federation (Hands-on Edition) - Security Camp 2016 (original title: ID連携入門 (実習編))
1. Introduction to Identity Federation (Hands-on Edition) - Nov Matake
2. http://bit.ly/sec2016nov
3. Definition of "Federation" in NIST SP 800-63-3: "A process that allows for the conveyance of identity and authentication information across a set of networked systems." https://pages.nist.gov/800-63-3/
4. Definition of "Federation" in NIST SP 800-63-3, Japanese translation: https://openid-foundation-japan.github.io/800-63-3/index.ja.html
5. Flow diagram (assertion-based federation): Login / Sign-up; Request an Assertion; Authentication Event; Issue an Assertion; Request Attributes; Attributes; "Welcome, Nov!"; Verify the Assertion
6. Flow diagram (artifact-based federation): Login / Sign-up; Request an Assertion; Authentication Event; Issue an Artifact; Send the Artifact; Request Attributes; Attributes; "Welcome, Nov!"; Assertion
7. Flow diagram (assertion carrying attributes): Login / Sign-up; Request an Assertion; Authentication Event; Issue an Assertion w/ Attributes; Verify the Assertion; "Welcome, Nov!"
8. SAML (Security Assertion Markup Language) / OpenID Connect
9. OpenID Connect ~ OAuth 2.0 + Identity Layer ~
10. OAuth!! Twitter API, Facebook API, GitHub API etc.
11. https://developers.google.com/oauthplayground/ and https://developers.facebook.com/tools/explorer
12. OAuth roles diagram: OAuth Server; Resource Owner; OAuth Client; Resource Owner
13. Flow diagram (authorization code): Login / Sign-up; Request an Access Token; Authentication Event; Issue an Authorization Code; Send the Code; Request Attributes; Attributes; "Welcome, Nov!"; Access Token
14. https://sec-camp-idp.herokuapp.com
15.–18. Same flow diagram as slide 13.
19. response_type=code / response_type=token / response_type=code+token
20. Flow diagram (response_type=token): Login / Sign-up; Request an Access Token; Authentication Event; Issue an Access Token; Request Attributes; Attributes; "Welcome, Nov!"
21. Flow diagram (response_type=code+token): Login / Sign-up; Request an Access Token; Authentication Event; Issue an Access Token + Code; Request Attributes; Attributes; "Welcome, Nov!"; Code; Access Token; Code ??; App Backend
22. Code Flow: • "response_type=code" • Token Endpoint • Access Token • User Agent • Client • Access Token
23. Implicit Flow: • "response_type=token" • Token Endpoint • Access Token • User Agent • Client (client_secret) • End-User (Client) Access Token
24. Hybrid Flow: • "response_type=code+token" • Token Endpoint / Access Token • Token Endpoint / Access Token • Implicit Flow Access Token / Code Flow Access Token
25. User Agent / User Agent
26. (SSL/TLS etc.) …
27. • RFC 6749 - OAuth 2.0 Core • RFC 6750 - OAuth 2.0 Bearer Token Usage • RFC 6819 - OAuth 2.0 Threat Model • RFC 7519 - JSON Web Token • RFC 7636 - OAuth 2.0 PKCE (Proof Key for Code Exchange) • RFC 7800 - OAuth 2.0 PoP Token (Proof of Possession)
28. Same RFC list as slide 27; Japanese translations at http://openid-foundation-japan.github.io
29. OpenID Connect ~ OAuth 2.0 + Identity Layer ~
30. Flow diagram (code flow with ID Token): Login / Sign-up; Request an Access Token; Authentication Event; Issue an Authorization Code; Send the Code; Request Attributes; Attributes; "Welcome, Nov!"; Access Token + ID Token
31. response_type=code / response_type=code+id_token / response_type=token+id_token / response_type=code+token+id_token
32. ID Token claims: • iss (issuer): the ID Provider • sub (subject) • aud (audience): the Client • exp / iat (expires_at / issued_at)
33. • auth_time: time of the Authentication Event • nonce: sent in the Authorization Request, returned in the Token Response • at_hash: hash of the Access Token • c_hash: hash of the Authorization Code
34. OAuth / OpenID Connect / OAuth
35. http://bitly.com/sec2016nov
36. CSRF
37. Flow diagram (response_type=code): Login / Sign-up; Request an Access Token; Authentication Event; Issue an Authorization Code; Send the Code; Request Attributes; Attributes; "Welcome, Nov!"; Access Token (+ ID Token)
38.–39. Same flow diagram as slide 37.
40. https://sec-camp-rp-code.herokuapp.com
41. Code
42. Same flow diagram as slide 37.
43. https://sec-camp-rp-code.herokuapp.com
44. Token
45. Flow diagram (response_type=token): Login / Sign-up; Request an Access Token; Authentication Event; Issue an Access Token; "Welcome, Nov!"; Token; Attributes; Token; Session; App Backend
46. https://sec-camp-rp-implicit.herokuapp.com
47. prompt=login & max_age=N @ https://sec-camp-rp-code.herokuapp.com
48. • OAuth … • OAuth … • state • OpenID Connect (max_age etc.) • Token • nonce • ID Token aud, sub, auth_time etc. • OAuth API (Token Introspection)
49. OAuth … API or OpenID Connect
50. OpenID Connect ~ OAuth 2.0 + Identity Layer ~
51. • RFC 6749 - OAuth 2.0 Core • RFC 6750 - OAuth 2.0 Bearer Token Usage • RFC 6819 - OAuth 2.0 Threat Model • RFC 7519 - JSON Web Token • RFC 7636 - OAuth 2.0 PKCE (Proof Key for Code Exchange) • RFC 7800 - OAuth 2.0 PoP Token (Proof of Possession)
52. https://connect-rp.herokuapp.com & https://connect-op.herokuapp.com
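The checks listed on slides 32, 33, 36 and 48 (state against CSRF, and the ID Token's iss, aud, sub, exp/iat, nonce, auth_time against max_age, at_hash and c_hash) are what a Relying Party has to do on its own before trusting a login. The following Python is an added example and is not code from the deck or from the sec-camp demo apps; it uses only the standard library. It assumes a confidential client whose ID Token is signed with HS256 using the client_secret (so a token can be minted locally with the constructed helper `mint_id_token` and the example runs offline); a production OP would usually use RS256 with keys from its JWKS, which changes only `verify_hs256`. All issuer, client, token and session values are constructed.

```python
"""RP-side validation of an OpenID Connect authorization response and ID Token.

Added example (not the deck's code). HS256 with client_secret is assumed so the
test token can be minted locally; every value below is constructed for the demo.
"""
import base64
import hashlib
import hmac
import json
import time


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def left_half_hash(value: str) -> str:
    # at_hash / c_hash for *S256 algorithms: base64url of the left-most 128 bits of SHA-256
    return b64url_encode(hashlib.sha256(value.encode("ascii")).digest()[:16])


def mint_id_token(claims: dict, secret: str) -> str:
    # Constructed test helper: builds an HS256 JWS so no real OP is needed to run the demo
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def verify_hs256(token: str, secret: str) -> dict:
    header_b64, payload_b64, sig_b64 = token.split(".")
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # the RP fixes the algorithm; the header never chooses it
    expected = hmac.new(secret.encode(), f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(payload_b64))


def check_state(session_state: str, returned_state: str) -> None:
    # CSRF defence on the redirect back: the state must be the one this browser session issued
    if not session_state or not returned_state or not hmac.compare_digest(session_state, returned_state):
        raise ValueError("state mismatch")


def validate_id_token(token, *, issuer, client_id, client_secret, expected_nonce,
                      max_age=None, access_token=None, code=None, now=None, skew=60):
    now = int(time.time()) if now is None else now
    claims = verify_hs256(token, client_secret)          # signature first, then the claims
    if claims.get("iss") != issuer:
        raise ValueError("iss mismatch")                  # issued by the expected ID Provider
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else (aud or [])
    if client_id not in aud:
        raise ValueError("aud mismatch")                  # issued for this Client, not another RP
    if len(aud) > 1 and claims.get("azp") != client_id:
        raise ValueError("azp mismatch")
    if not claims.get("sub"):
        raise ValueError("missing sub")
    if not isinstance(claims.get("exp"), int) or claims["exp"] + skew < now:
        raise ValueError("expired")
    if not isinstance(claims.get("iat"), int) or claims["iat"] - skew > now:
        raise ValueError("iat in future")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")                # binds the token to this Authorization Request
    if max_age is not None:
        auth_time = claims.get("auth_time")
        if not isinstance(auth_time, int) or now - auth_time > max_age:
            raise ValueError("auth too old")              # Authentication Event older than max_age
    if access_token is not None and claims.get("at_hash") != left_half_hash(access_token):
        raise ValueError("at_hash mismatch")              # Access Token not the one this ID Token covers
    if code is not None and claims.get("c_hash") != left_half_hash(code):
        raise ValueError("c_hash mismatch")               # Authorization Code not the one covered
    return claims


def demo():
    # Constructed values: a fake OP, a fake client, and the state/nonce the RP stored in its session
    op, client, secret = "https://op.example", "rp-client", "constructed-secret"
    session = {"state": "s-4f3a", "nonce": "n-9c21", "max_age": 300}
    now = 1_700_000_000
    access_token, code = "AT-abc123", "CODE-xyz789"
    token = mint_id_token({"iss": op, "sub": "user-42", "aud": client, "exp": now + 600, "iat": now,
                           "auth_time": now - 30, "nonce": session["nonce"],
                           "at_hash": left_half_hash(access_token), "c_hash": left_half_hash(code)}, secret)
    check_state(session["state"], "s-4f3a")
    sub = validate_id_token(token, issuer=op, client_id=client, client_secret=secret,
                            expected_nonce=session["nonce"], max_age=session["max_age"],
                            access_token=access_token, code=code, now=now)["sub"]
    # The same token presented to a session that issued a different nonce must be rejected
    try:
        validate_id_token(token, issuer=op, client_id=client, client_secret=secret,
                          expected_nonce="other", now=now)
        replayed = "accepted"
    except ValueError as e:
        replayed = str(e)
    return sub, replayed


if __name__ == "__main__":
    print(demo())
```

`demo()` walks the hands-on scenario from slides 40 and 47: a valid login for `user-42` passes every check, and the same ID Token handed to a session with a different nonce is refused. Passing `access_token` or `code` into `validate_id_token` corresponds to the hybrid-flow checks (at_hash, c_hash); passing `max_age` corresponds to the `prompt=login & max_age=N` exercise on slide 47.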