OpenID_Connect_Spec_Demo
- 1. OpenID Connect
Spec & Demo?
@ritou
http://d.hatena.ne.jp/ritou
OpenID TechNight #8
2011/9/9
- 2. OpenID Tech Night Vol.7
↓ A detailed write-up by @_nat is here ↓
Event Report
http://j.mp/openid-tn7
- 6. OpenID OAuth Extension
OpenID 2.0 and OAuth 1.0 have a similar UX, so they were combined into one flow.
The result...
Because of the OAuth-specific processing, only a limited set of OPs can be used.
Combining two different specs also means the implementation effort adds up.
- 8. OAuth for SSO
OAuth + a Profile API is enough to build SSO.
Twitter / Facebook alone are sufficient.
Who needs OpenID?
But is that really OK?
Is the Profile API spec standardized across providers?
Can you express authentication requirements the way PAPE does?
And doing session management with OAuth in the first place...
What about the era of users freely choosing their own OP...
- 9. OpenID Connect
Built on OAuth 2.0
ID Token
Verifying the authentication result
Session management
UserInfo API
Data held by the OP
Data held by other OPs (Aggregated / Distributed Claims)
Discovery & Dynamic Registration (optional)
Dynamic RP (Client) registration with no prior registration
- 11. OpenID Connect Specs
Basic Client Profile: Simple RP
Standard: HTTP Binding
Messages
Dynamic Registration
Discovery
Session Management
- 12. JSON Web Token
A JSON object represented as a string
Carried in an HTTP header
or in a query parameter
Base64 URL encode / decode
3 segments:
Header
Claims
Crypto (signature)
jwtHeader.jwtPayload.jwtCrypt
- 13. OpenID Connect Basic Client
The simplest implementation
OAuth 2.0 Implicit Flow
Can be implemented in JavaScript alone!
Use cases like Twitter @anywhere
- 14. Sequence: End User / RP / OP
1. Authorization Request
2. Authentication
3. Consent/Authorization
4. Authorization Response
5. Check Session Request
6. Check Session Response
7. UserInfo Request
8. UserInfo Response
- 15. Authorization Request
HTTP/1.1 302 Found
Location: https://server.example.com/authorize?
response_type=token id_token
&client_id=your_clientid_string
&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb
&scope=openid email picture
&state=state_string
&display=touch
&prompt=login consent
&nonce=nonce_string
- 17. Authorization Response
HTTP/1.1 302 Found
Location: https://client.example.com/#
access_token=access_token_str
&token_type=bearer
&id_token=jwtheader.jwtpayload.jwtsigned
&expires_in=3600
&state=state_string
- 19. Check Session Request
GET /check_session?id_token=jwtheader.jwtpayload.jwtsigned HTTP/1.1
Host: server.example.com
- 20. Check Session Response
HTTP/1.1 200 OK
Content-Type: application/json
{
"iss": "http://server.example.com",
"user_id": "00001",
"aud": "http://client.example.net",
"exp": 1311281970,
"nonce": "nonce_string"
}
(nonce is optional)
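The ID Token handling that slides 12 and 20 describe, as an added example that is not part of the original deck: split the three base64url segments, check the signature, then validate iss, aud, exp and nonce against what the RP itself sent in the Authorization Request. The signing key, the fixed clock and the use of HS256 (in place of the RSA signature the slides mention, so that this runs with only the Python standard library) are assumptions.

```python
import base64, hashlib, hmac, json, time

# Constructed sample values: the Check Session claims from slide 20 plus a
# demo HS256 key (assumption) so the example runs with only the stdlib.
KEY = b"constructed-demo-key"
SAMPLE_CLAIMS = {"iss": "http://server.example.com", "user_id": "00001",
                 "aud": "http://client.example.net", "exp": 1311281970,
                 "nonce": "nonce_string"}

def b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_hs256_token(claims: dict, key: bytes = KEY) -> str:
    # jwtHeader.jwtPayload.jwtCrypt: the MAC covers the two encoded segments.
    header = b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def validate_id_token(token, key, iss, aud, nonce, now=None):
    """Return a list of problems; an empty list means the ID Token is acceptable."""
    parts = token.split(".")
    if len(parts) != 3:
        return ["token must have exactly 3 segments"]
    header = json.loads(b64url_decode(parts[0]))
    claims = json.loads(b64url_decode(parts[1]))
    problems = []
    # Pin the expected algorithm; the token itself must not choose it.
    if header.get("alg") != "HS256":
        problems.append("unexpected alg")
    else:
        mac = hmac.new(key, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(mac, b64url_decode(parts[2])):
            problems.append("bad signature")
    if claims.get("iss") != iss:
        problems.append("iss mismatch")
    if claims.get("aud") != aud:   # the token must be meant for this RP
        problems.append("aud mismatch")
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        problems.append("expired")
    if claims.get("nonce") != nonce:   # ties the token to the RP's own request
        problems.append("nonce mismatch")
    return problems
```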
- 22. UserInfo Request
GET /userinfo HTTP/1.1
Host: server.example.com
Authorization: Bearer access_token_str
- 23. UserInfo Response
HTTP/1.1 200 OK
Content-Type: application/json
{
"name": " ritou ",
"given_name": "Ryo",
"family_name": "Ito",
"email": "ritou.06@gmail.com",
"picture": "http://example.com/ritou/me.jpg"
}
- 24. OpenID Connect Standard
Also supports the Authorization Code flow
Connect-specific request parameters are expressed as a JSON object
The ID Token is in JWT format
Its contents are the JSON object returned by the Check Session Endpoint
If it is signed with RSA, the RP can verify it on its own side as well
Extends the UserInfo response
- 25. OpenID Request Object
{
"response_type": "code id_token",
...
"userinfo": {
"claims": {
"name": null,
"nickname": {"optional": true},
"email": null,
"verified": null,
"profile": null
},
"format": "unsigned"
}
}
- 27. UserInfo Claims
Normal Claims
User data held by the OP
Standard profile attributes
Aggregated Claims
User data held by other OPs
Returned in JWT format
Distributed Claims
User data held by other OPs
Endpoint
Access Token (optional)
- 28. Aggregated Claims
{
"name": "Jane Doe",
"_claim_names": {
"address": "src1",
"phone_number": "src1"
},
"_claim_sources": {
"src1": {
"JWT": "JWT-A_header.JWT-A_payload.JWT-A_signature"
}
}
}
- 29. Distributed Claims
{
"name": "Jane Doe",
"_claim_names": {
"payment_info": "src1",
"credit_score": "src2"
},
"_claim_sources": {
"src1": {"endpoint":
"https://bank.example.com/claimsource"},
"src2": {
"endpoint":
"https://creditagency.example.com/claimshere",
"access_token": "ksj3n283dke"}
}
}
- 34. OpenID Connect Sandbox
https://openidconnect.info/
OP functionality for OpenID Connect
ID Token
UserInfo API
Discovery
Dynamic Client Registration
Usable with a mixi account
- 35. Want to try OpenID Connect?
It is almost certain to catch on
Facebook, Google, salesforce...
The spec is still being finalized right now
It is not "too early to touch" but "still possible to shape the spec"
People who can raise objections now are exactly what is needed!