Mobage Connect and Our Work on Identity-Related Technologies
OpenID Summit 2015, November 10, 2015
Toru Yamaguchi, Senior Architect, Sub Business Unit Head, Open Platform Business Unit, DeNA Co., Ltd.
Copyright (C) DeNA Co.,Ltd. All Rights Reserved.
- HN: @zigorou
- Mobage
- Mobage Connect (OpenID Server): CSRF Token JWT; Access Token JWT and Microservices; Intent URI Scheme (Browser to Native App)
- JWT and Identity
CSRF Token JWT (Mobage Connect Identity)
CSRF (Cross Site Request Forgery)
- CSRF
- CSRF Token
[Diagram: CSRF attack flow, steps 1 (URL), 2 (Web site), 3 (CSRF)]
CSRF Token
- [Diagram] Page A → Page Token → Cache Server (memcached / Redis) → Page Token → Page B → Cache
http://goo.gl/Wfvcz0
CSRF Token
- CSRF Token / Cache Server: CSRF Tokens in the Cache Server are subject to eviction
- JWT
CSRF Token JWT Claims
- /typ: csrf_token
- /_ext
  - /_ext/a: Page Token id
  - /_ext/t: Tracking Cookie Hash
  - /_ext/p: hidden ()
(Mobage Connect CSRF Token)
Cache
- JWT: iat + validity period
- Cache: invalidate; verified / not verified
[Table residue] CSRF Token (JWT) vs. Cache: Cache → invalidate; JWT → jti
Source Action / Destination Action (1)
- A CSRF Token whose /_ext/a is sa1 is accepted at da1; the same sa1 CSRF Token presented to da2 or da3 is rejected
- Dest (da1): accept (sa1)
- Dest (da2): accept (sa2)
- Dest (da3): accept (sa2, sa3)
- Any other Source / Destination pair: Reject
Source Action / Destination Action (2)
- Action: WAF / Router
(same Source / Destination matrix as in (1))
- Tracking Cookie: the hash carried in the CSRF Token (/_ext/t) is compared with the Tracking Cookie; mismatch → Reject
- submit form input[@type=hidden]: the JWT object is verified; mismatch → Reject
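The checks described on these slides (typ, tracking-cookie hash, source/destination action matrix) as an added example; this is illustration code, not Mobage Connect's, and the signing key, the claim layout, the validity window and the matrix contents are constructed assumptions.

```python
# Added example (not Mobage Connect code): issue and verify a CSRF-token JWT
# carrying the claims on the slides (typ, _ext/a, _ext/t) and enforce the
# source-action -> destination-action matrix. Key, TTL and matrix are constructed.
import base64, hashlib, hmac, json

SECRET = b"constructed-demo-key"      # constructed shared key of the issuing server
# Destination action -> accepted source actions (the matrix on the slide)
ACCEPT = {"da1": {"sa1"}, "da2": {"sa2"}, "da3": {"sa2", "sa3"}}
TTL = 600                             # assumed validity window: iat + 600 s

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_csrf_token(source_action: str, tracking_cookie: str, now: int) -> str:
    """Issue an HS256 JWT for a form rendered by page `source_action`."""
    header = {"alg": "HS256", "typ": "csrf_token"}
    claims = {"iat": now, "_ext": {"a": source_action,
              "t": hashlib.sha256(tracking_cookie.encode()).hexdigest()}}
    signing_input = _b64(json.dumps(header).encode()) + "." + _b64(json.dumps(claims).encode())
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64(sig)

def verify_csrf_token(token: str, dest_action: str, tracking_cookie: str, now: int) -> str:
    """Return 'accept' or a reject reason; every check must pass."""
    try:
        h64, c64, s64 = token.split(".")
    except ValueError:
        return "reject: malformed"
    expected = hmac.new(SECRET, f"{h64}.{c64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(s64)):      # signature first
        return "reject: bad signature"
    header, claims = json.loads(_unb64(h64)), json.loads(_unb64(c64))
    if header.get("typ") != "csrf_token":                   # /typ
        return "reject: wrong typ"
    if not (claims["iat"] <= now <= claims["iat"] + TTL):   # iat + window
        return "reject: expired"
    ext = claims.get("_ext", {})
    if ext.get("t") != hashlib.sha256(tracking_cookie.encode()).hexdigest():  # /_ext/t
        return "reject: tracking cookie mismatch"
    if ext.get("a") not in ACCEPT.get(dest_action, set()):  # /_ext/a vs. destination
        return "reject: source action not accepted"
    return "accept"
```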
Access Token JWT and Microservices (Mobage Connect Identity)
Microservices and Access Token
- Microservices: DB / API; Thin Token DB
[Diagram] Client → AuthZ Server Token Endpoint: 1. Token Request; 2. Store Token (Token DB); 3. Token Response. Client → Resource Server: 4. Request to Resource Server
OAuth 2.0 Token Introspection (RFC 7662)
- Introspection Endpoint: the Resource Server asks the AuthZ Server about the Access Token (Microservices)
[Diagram] Client → AuthZ Server Token Endpoint: 1. Token Request; 2. Store Token (Token DB); 3. Token Response. Client → Resource Server: 4. Request to Resource Server. Resource Server → AuthZ Server Introspection Endpoint: 5. Introspection Request; 6. Lookup Token (Token DB); 7. Introspection Response
Introspection API
- API Gateway: Access Token → Service; Service → Service calls carry the Access Token; API Microservices
- API Gateway → Introspection Endpoint
[Diagram] Client → API Gateway → API (1), API (2), API (3): 1. API Request; steps 2 to 5 (labels lost)
Access Token JWT
- Access Token: exp; revoke at the Resource Server; /_ext/st (Scope Token)
(Mobage Connect Access Token)
Subscribe Endpoint
- Access Token revoke: Resource Server ← AuthZ Server (session_state); PubSub
[Diagram] Client → AuthZ Server Revoke Endpoint: 1. Revoke Request; 2. Remove Token (Token DB); 3. Publish Revoke Event → Revoke Token Subscriber Endpoint; 4. Revoke Response
- Subscribe Endpoint: the URL that subscribes to the Revoke Event
Revoke Event
- Revoke: the Access Token's jti is published by the Revoke Service; each Service API performs a local revoke of the Access Token
[Diagram] AuthZ Server → Revoked Token Publisher (Redis): 1. Publish Token Revoked Event; 2. Publish to channel. Revoke Token Subscriber Endpoint on each Service subscribes to the channel → Revoked Token DB (Redis) beside the API; Lookup token (localhost)
Revoke Token
- As with the CSRF Token: revoke by jti, per Service
- Redis: exp
[Table residue] Access Token (JWT): Cache → revoke; JWT → jti; Revoke; iat / exp
Intent URI Scheme (Browser to Native App) (Mobage Connect Identity)
Native App and OAuth 2 / OIDC 1.0
- AuthZ Server / Browser / App
- Native App obtaining an access token: Implicit or Authorization Code; Implicit with a Custom URI is exposed to interception
- (A Native App is a public client and cannot hold a client secret)
- Authorization Code: Native App access token
- Browser: immediate login (implicit)
[Diagram] AuthZ Server / Browser / Native App
Custom URI
- Custom URI: another App can claim the same scheme and receive the Redirect URI
http://tools.ietf.org/html/rfc7636
Custom URI
- Mobage Connect Native SDK
Intent URI Scheme (Chrome)
- Chrome for Android: https://developer.chrome.com/multidevice/android/intents
- Android Intent Filter → Native App
URI Template:
intent:{origin}{/path}{?queries*}#Intent;{package,action,category,component,scheme};end
URI:
intent:appId/callback?access_token=xyz123&state=abcd1234#Intent;package=jp.or.openid;scheme=custom-scheme;end
Intent URI Scheme (Chrome)
- Original URI → Intent URI Scheme
- package: set by the AuthZ Server from the registered Redirect URI
- package: AuthZ Response
Original URI:
custom-scheme:appId/callback?access_token=xyz123&state=abcd1234
Intent URI:
intent:appId/callback?access_token=xyz123&state=abcd1234#Intent;package=jp.or.openid;scheme=custom-scheme;end
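The Original URI to Intent URI rewrite shown on these slides, with the package pinned from the registration, as an added example; this is illustration code, not Mobage Connect's, and the client registry, the `appId` path convention and the rejection rules are constructed assumptions.

```python
# Added example (not Mobage Connect code): rewrite a custom-scheme
# authorization response into a Chrome Intent URI whose `package` comes
# from the client's registered Redirect URI, and refuse to send an Intent
# URI whose package/scheme do not match that registration.
from urllib.parse import urlsplit

# Constructed registry: client id (first path segment) -> registered scheme and Android package
REGISTERED = {"appId": {"scheme": "custom-scheme", "package": "jp.or.openid"}}

def to_intent_uri(original_uri: str) -> str:
    """custom-scheme:appId/callback?... -> intent:appId/callback?...#Intent;package=...;scheme=...;end"""
    parts = urlsplit(original_uri)               # scheme / path / query of the non-hierarchical URI
    app_id = parts.path.split("/", 1)[0]         # assumed convention: "appId/callback"
    reg = REGISTERED.get(app_id)
    if reg is None or parts.scheme != reg["scheme"]:
        raise ValueError("redirect URI not registered for this client")
    query = f"?{parts.query}" if parts.query else ""
    return (f"intent:{parts.path}{query}"
            f"#Intent;package={reg['package']};scheme={reg['scheme']};end")

def intent_package_matches(intent_uri: str) -> bool:
    """Check the #Intent;...;end part against the registration before redirecting."""
    body, sep, frag = intent_uri.partition("#Intent;")
    if not body.startswith("intent:") or not sep or not frag.endswith(";end"):
        return False
    fields = dict(kv.split("=", 1) for kv in frag[:-len(";end")].split(";") if "=" in kv)
    app_id = body[len("intent:"):].split("/", 1)[0]
    reg = REGISTERED.get(app_id)
    return (reg is not None
            and fields.get("package") == reg["package"]
            and fields.get("scheme") == reg["scheme"])
```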
- Chrome for Android; iOS Mobile Safari; Android/iOS