
Mobage Connect and Identity-Related Technology Initiatives - OpenID Summit Tokyo 2015

Feb 13, 2017

Toru Yamaguchi
Transcript
  • Copyright (C) DeNA Co.,Ltd. All Rights Reserved.

    Mobage Connect and Identity-Related Technology Initiatives

    OpenID Summit 2015

    November 10, 2015

    Toru Yamaguchi, Senior Architect, Sub Business Unit Head, Open Platform Business Unit, DeNA Co., Ltd.

  • About the speaker

    - HN: @zigorou

    - Mobage

  • Agenda

    - Mobage Connect (OpenID Server)

    - CSRF Token + JWT

    - Access Token + JWT + Microservices

    - Intent URI Scheme (Browser to Native App)

    - JWT and Identity

  • CSRF Token + JWT

  • CSRF (Cross Site Request Forgery)

    - CSRF

    - CSRF Token

    (Diagram: CSRF attack flow, steps 1 to 3, between a crafted URL, the victim's browser and the target Web site)

  • CSRF Token (cache-server approach)

    - Page A issues a page token and stores it in a cache server (memcached, Redis); Page B looks the submitted page token up in the cache to verify it

    http://goo.gl/Wfvcz0

  • Problems with CSRF tokens kept in a cache server

    - Verifying the CSRF token depends on the cache server

    - When the cache server evicts the token, a legitimately issued CSRF token is rejected as if it were a CSRF attempt

    - So the CSRF token is turned into a JWT

  • CSRF Token JWT claims

    - typ: csrf_token

    - _ext (extension claims)

    - _ext/a: page token id (the source action)

    - _ext/t: hash of the tracking cookie

    - _ext/p: the form's hidden parameters

    (Reference: the Mobage Connect CSRF Token)

  • Cache

    - Validity comes from the JWT itself (iat + lifetime)

    - The cache is only needed to invalidate tokens that have already been verified (verified vs. not verified)

    The CSRF Token (JWT) is self-contained; the cache invalidates an already verified JWT by its jti

  • Source Action and Destination Action (1)

    - The CSRF Token records its source action in _ext/a. A token issued for sa1 is accepted at da1; the same CSRF Token presented at da2 or da3 is rejected

    Destination            | sa1    | sa2    | sa3
    da1 (accepts sa1)      | accept | reject | reject
    da2 (accepts sa2)      | reject | accept | reject
    da3 (accepts sa2, sa3) | reject | accept | accept

  • Source Action and Destination Action (2)

    - The action mapping can be enforced in the WAF or router layer

    (Same accept/reject table as the previous slide: da1 accepts sa1, da2 accepts sa2, da3 accepts sa2 and sa3)

  • Tracking cookie and hidden parameters

    - The CSRF Token carries a hash of the tracking cookie; if the tracking cookie sent with the request does not hash to the same value, reject

    - The values of the submitted form's input[@type=hidden] fields are embedded in the JWT as an object; if the submitted values differ, reject
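The CSRF-token-as-JWT design of the preceding slides (the claims, the source/destination action matrix, the tracking cookie hash, the hidden parameters, and a cache that holds only the jti of already verified tokens), as an added example in Python written for this page. It is not DeNA's or Mobage Connect's code. HS256 is implemented with the standard library; the nesting of `_ext` as a JSON object, `SECRET`, the `sa*`/`da*` action names and the inputs used below are assumptions for the demonstration.

```python
# Added example, not DeNA's code. CSRF token as an HS256 JWT, stdlib only.
# Assumed: the "_ext" claim is a JSON object holding a/t/p; SECRET and the
# sa*/da* action names are demo values.
import base64
import hashlib
import hmac
import json
import secrets
import time

SECRET = b"demo-secret-do-not-use"  # assumed: key shared by the issuing servers

# Accept matrix from the slides: which source actions each destination accepts.
ACCEPT = {"da1": {"sa1"}, "da2": {"sa2"}, "da3": {"sa2", "sa3"}}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _sign(signing_input: bytes) -> bytes:
    return hmac.new(SECRET, signing_input, hashlib.sha256).digest()


def tracking_hash(cookie: str) -> str:
    # _ext/t: the cookie value itself never goes into the token, only its hash
    return hashlib.sha256(cookie.encode()).hexdigest()


def issue_csrf_token(source_action, tracking_cookie, hidden, now=None, ttl=600):
    """Page A mints the token. Nothing is written to a cache: the JWT carries it all."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "typ": "csrf_token",
        "iat": now,
        "exp": now + ttl,
        "jti": secrets.token_hex(16),
        "_ext": {"a": source_action, "t": tracking_hash(tracking_cookie), "p": hidden},
    }
    parts = [_b64url(json.dumps(x, separators=(",", ":")).encode()) for x in (header, claims)]
    signing_input = ".".join(parts).encode()
    return signing_input.decode() + "." + _b64url(_sign(signing_input))


class UsedTokenCache:
    """Stand-in for memcached/Redis: holds only the jti of tokens already verified."""

    def __init__(self):
        self._used = {}  # jti -> exp

    def consume(self, jti, exp, now):
        self._used = {j: e for j, e in self._used.items() if e > now}  # expired entries drop out
        if jti in self._used:
            return False
        self._used[jti] = exp
        return True


def verify_csrf_token(token, dest_action, tracking_cookie, hidden, cache, now=None):
    """Page B (the destination action) verifies. Returns (accepted, reason)."""
    now = int(time.time()) if now is None else now
    try:
        h, p, s = token.split(".")
    except ValueError:
        return False, "malformed"
    # Always HMAC with our own key, whatever the header claims (no alg=none surprises)
    if not hmac.compare_digest(_sign(f"{h}.{p}".encode()), _unb64url(s)):
        return False, "bad signature"
    claims = json.loads(_unb64url(p))
    if claims.get("typ") != "csrf_token":
        return False, "wrong typ"
    if not claims["iat"] <= now < claims["exp"]:
        return False, "expired"
    ext = claims["_ext"]
    if ext["a"] not in ACCEPT.get(dest_action, set()):
        return False, f"action {ext['a']} not accepted by {dest_action}"
    if not hmac.compare_digest(str(ext["t"]).encode(), tracking_hash(tracking_cookie).encode()):
        return False, "tracking cookie mismatch"
    if ext["p"] != hidden:
        return False, "hidden parameter mismatch"
    if not cache.consume(claims["jti"], claims["exp"], now):
        return False, "already used"
    return True, "ok"
```

The order of checks matters: signature first, then the claims that need no state (typ, exp, action, tracking cookie, hidden parameters), and only then the cache lookup, so the cache is consulted only for tokens that are otherwise valid and is never needed to decide that a token is bad.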

  • Access Token + JWT + Microservices

  • Microservices and the Access Token

    - With microservices, every API that receives an access token has to verify it, which means every service needs to reach the Token DB (thin API services, shared Token DB)

    (Diagram) Client -> AuthZ Server Token Endpoint: 1. Token Request; AuthZ Server: 2. Store Token in Token DB; AuthZ Server -> Client: 3. Token Response; Client -> Resource Server: 4. Request to Resource Server

  • OAuth 2.0 Token Introspection (RFC 7662)

    - The Introspection Endpoint lets a resource server ask the AuthZ Server whether an access token is valid, so the microservices do not need the Token DB themselves

    (Diagram) Client -> AuthZ Server Token Endpoint: 1. Token Request; AuthZ Server: 2. Store Token; AuthZ Server -> Client: 3. Token Response; Client -> Resource Server: 4. Request to Resource Server; Resource Server -> AuthZ Server Introspection Endpoint: 5. Introspection Request; AuthZ Server: 6. Lookup Token in Token DB; 7. Introspection Response

  • Introspection API

    - The API Gateway verifies the access token; the call then fans out from service to service, each passing the access token on (API microservices)

    - The API Gateway is what calls the Introspection Endpoint

    (Diagram) Client -> API Gateway: 1. API Request; API Gateway -> API (1), API (2), API (3): steps 2 to 5

  • Access Token as JWT

    - The access token becomes a JWT with exp; the remaining problem is revoke, since a Resource Server cannot tell that a token was revoked; _ext/st carries the Scope Token

    (Reference: the Mobage Connect Access Token)


  • Subscribe Endpoint

    - When an access token is revoked, the Resource Servers have to learn about it from the AuthZ Server (cf. session_state)

    - PubSub

    (Diagram) Client -> AuthZ Server Revoke Endpoint: 1. Revoke Request; AuthZ Server: 2. Remove Token from Token DB; AuthZ Server -> Resource Server's Revoke Token Subscriber Endpoint: 3. Publish Revoke Event; AuthZ Server -> Client: 4. Revoke Response

    A Resource Server registers the URL of its subscriber endpoint at the Subscribe Endpoint in order to receive Revoke Events

  • Revoke Event

    - The Revoke Event carries the jti of the revoked Access Token; each Service stores it locally, so its APIs can check whether an Access Token was revoked with a local lookup

    (Diagram) AuthZ Server -> Revoke Token Subscriber Endpoint: 1. Publish Token Revoked Event; Revoked Token Publisher (Redis): 2. Publish to channel; each Service's API subscribes to the channel and writes the jti into its Revoked Token DB (Redis); API: Lookup token (localhost)

  • Revoked tokens

    - Same idea as the CSRF Token: only the jti of revoked tokens is stored, per Service

    - The Redis entry is given an expiry equal to the JWT's exp

    (Diagram) Access Token (JWT): the cache stores the jti of a revoked JWT; a Revoke entry lives from iat to exp
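The revoke-event path of the last three slides (revoke endpoint publishes the jti, each service's subscriber writes it into a local store whose entry expires with the token, the API checks locally), as an added example in Python written for this page; it is not DeNA's code. The pub/sub channel and the per-host Redis are simulated in-process; the event shape `{"jti", "exp"}`, the channel name and the settable clock are assumptions.

```python
# Added example, not DeNA's code. Revoke-event fan-out with a local, TTL-bound
# revoked-token store per service, simulated in-process. Assumed: the event
# shape {"jti", "exp"}, the channel name, and a dict standing in for the
# localhost Redis (SETEX jti <exp - now>).
import time

REVOKE_CHANNEL = "token_revoked"  # assumed channel name


class LocalRevokedTokenStore:
    """Stand-in for the per-host Redis: jti -> absolute expiry, like SETEX."""

    def __init__(self):
        self._entries = {}

    def setex(self, jti, ttl, now):
        if ttl > 0:  # a token already past exp needs no entry at all
            self._entries[jti] = now + ttl

    def exists(self, jti, now):
        exp = self._entries.get(jti)
        if exp is None:
            return False
        if exp <= now:  # Redis would have expired the key by now
            del self._entries[jti]
            return False
        return True

    def size(self, now):
        self._entries = {j: e for j, e in self._entries.items() if e > now}
        return len(self._entries)


class Channel:
    """Stand-in for the Redis pub/sub channel fed by the subscriber endpoint."""

    def __init__(self):
        self._callbacks = {}

    def subscribe(self, name, callback):
        self._callbacks.setdefault(name, []).append(callback)

    def publish(self, name, message):
        for cb in self._callbacks.get(name, []):
            cb(dict(message))


class Clock:
    """Settable clock so the expiry behaviour can be exercised deterministically."""

    def __init__(self, t):
        self.t = t

    def __call__(self):
        return self.t


class Service:
    """One microservice: subscribes to the channel and answers revocation lookups locally."""

    def __init__(self, name, channel, now_fn=time.time):
        self.name = name
        self.store = LocalRevokedTokenStore()
        self.now_fn = now_fn
        channel.subscribe(REVOKE_CHANNEL, self.on_revoke_event)

    def on_revoke_event(self, event):
        now = int(self.now_fn())
        # TTL = remaining lifetime: after exp the JWT fails its own exp check anyway
        self.store.setex(event["jti"], event["exp"] - now, now)

    def is_revoked(self, claims):
        return self.store.exists(claims["jti"], int(self.now_fn()))


def authz_server_revoke(channel, token_claims):
    """Revoke endpoint: after removing the token from the Token DB (omitted here),
    publish its jti and exp so every service can drop it locally."""
    channel.publish(REVOKE_CHANNEL, {"jti": token_claims["jti"], "exp": token_claims["exp"]})


def authorize_request(service, claims):
    """Resource-server check on a JWT access token: exp first (needs no store),
    then the local revocation lookup. Returns 'ok', 'expired' or 'revoked'."""
    if claims["exp"] <= int(service.now_fn()):
        return "expired"
    if service.is_revoked(claims):
        return "revoked"
    return "ok"
```

Because the entry's TTL is the token's remaining lifetime, the store holds exactly the revoked-but-not-yet-expired set and nothing else, which is what keeps a per-host Redis small no matter how many tokens have ever been revoked.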

  • Intent URI Scheme (Browser to Native App)

  • Native App and OAuth 2 / OIDC 1.0

    - The AuthZ Server authenticates the user in the Browser and then hands the result back to the App

    - A Native App obtains an access token with the Implicit or the Authorization Code flow; with Implicit, the Custom URI redirect can be intercepted

    - (Note) a Native App is a public client and cannot hold a client secret

    - Authorization Code: the Native App exchanges the code for the access token

    - If the Browser already has a session, login is immediate (implicit)

    (Diagram) AuthZ Server <-> Browser <-> Native App

  • Custom URI

    - Any App can claim a Custom URI scheme, so another App can register the same Redirect URI and receive the response

    http://tools.ietf.org/html/rfc7636

  • Custom URI

    - Mobage Connect Native SDK

  • Intent URI Scheme (Chrome)

    - Chrome for Android: https://developer.chrome.com/multidevice/android/intents

    - Chrome launches the Native App whose Android Intent Filter matches

    URI Template:
    intent:{origin}{/path}{?queries*}#Intent{;package,action,category,component,scheme};end

    Example URI:
    intent:appId/callback?access_token=xyz123&state=abcd1234#Intent;package=jp.or.openid;scheme=custom-scheme;end

  • Intent URI Scheme (Chrome)

    - Rewrite the Original URI into the Intent URI Scheme and specify the package

    - The package is registered on the AuthZ Server together with the Redirect URI

    - The AuthZ Response is therefore delivered only to the registered package

    Original URI:
    custom-scheme:appId/callback?access_token=xyz123&state=abcd1234

    Intent URI:
    intent:appId/callback?access_token=xyz123&state=abcd1234#Intent;package=jp.or.openid;scheme=custom-scheme;end
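The rewrite shown on this slide, as an added example in Python written for this page (not the Mobage Connect SDK or server code): the custom-scheme redirect URI is turned into an intent URI in the template form quoted above, with the package taken from the client's registration on the AuthZ Server rather than from anything in the request, plus a parser to take the intent URI apart again. The registry layout and the client id `client-1` are assumptions; the URIs are the slide's own.

```python
# Added example, not DeNA's code. Rewriting a custom-scheme redirect URI into
# a Chrome for Android intent URI that pins the receiving package, and the
# AuthZ-server-side lookup that takes the package from the client registration.
# Assumed: the registry layout and the client id "client-1".
from urllib.parse import urlencode

# Assumed client registry on the AuthZ Server: the package is registered with the redirect URI
CLIENT_REGISTRY = {
    "client-1": {"redirect_uri": "custom-scheme:appId/callback", "package": "jp.or.openid"},
}


def to_intent_uri(original_uri, package):
    """custom-scheme:body -> intent:body#Intent;package=...;scheme=custom-scheme;end"""
    scheme, body = original_uri.split(":", 1)
    body = body.split("#", 1)[0]  # the intent syntax owns the fragment
    return f"intent:{body}#Intent;package={package};scheme={scheme};end"


def parse_intent_uri(uri):
    """Split an intent URI into its body and the ;key=value fields between #Intent; and ;end."""
    if not uri.startswith("intent:"):
        raise ValueError("not an intent URI")
    body, sep, extras = uri[len("intent:"):].partition("#Intent;")
    if not sep or not extras.endswith(";end"):
        raise ValueError("missing #Intent;...;end")
    fields = dict(kv.split("=", 1) for kv in extras[: -len(";end")].split(";") if kv)
    return {"body": body, **fields}


def reconstruct_original_uri(intent_uri):
    """Inverse of to_intent_uri: scheme from the intent fields, body as-is."""
    p = parse_intent_uri(intent_uri)
    return f"{p['scheme']}:{p['body']}"


def build_authz_response_uri(client_id, params, registry=CLIENT_REGISTRY):
    """AuthZ Server side: the response goes to the registered redirect URI, rewritten as an
    intent URI for the registered package, never to a package named by the request."""
    entry = registry[client_id]
    original = f"{entry['redirect_uri']}?{urlencode(params)}"
    return to_intent_uri(original, entry["package"])
```

The point of `build_authz_response_uri` is where the package comes from: it is looked up from the client registration keyed by the client id, so a request cannot steer the response to a different package any more than it can steer it to an unregistered redirect URI.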

  • Browser coverage

    - This works in Chrome for Android; iOS Mobile Safari and the other Android/iOS browsers are not covered by it
