2015.8.26 OpenID Foundation Japan, 倉林 雅 (Masaru Kurabayashi): Introduction to OpenID Connect ~ Trends in ID Federation for Consumers ~
Speaker: 倉林 雅 (@kura_lab), OpenID Foundation Japan, working on OpenID Connect and ID federation
Agenda
1. ID federation
2. What is OpenID Connect
3. The OpenID Connect flow
4. ID Token
5. UserInfo Endpoint
1. ID federation
Protocols used between an RP (Relying Party) and an IdP (Identity Provider): SAML, OpenID, OAuth 1.0, OAuth 2.0
Transport and format: SOAP or RESTful / XML or JSON
OpenID Connect
  Apps: Web, Native
  Flow: Authorization Code, Implicit, Hybrid
Roles: the IdP authenticates the End-User; the RP relies on the IdP's assertion
2. What is OpenID Connect
OpenID Connect was finalized on 2014-02-27 and is built on top of OAuth 2.0.
Lineage:
  OpenID / OpenID 2.0: authentication, with OpenID AX (Attribute Exchange) for attributes
  OAuth 1.0 / OAuth 2.0: authorization for Web APIs
  OpenID + OAuth -> OAuth 2.0 -> OpenID Connect: identity and API access in one protocol
Specifications: http://openid.net/connect/
3. The OpenID Connect flow
OpenID Connect defines three flows: Authorization Code Flow, Implicit Flow and Hybrid Flow.
This talk walks through the Authorization Code Flow, first as plain OAuth 2.0 and then with what OpenID Connect adds.
OAuth 2.0 Authorization Code Flow (participants: IdP, RP, End-User, Resource Server)
  1. Start OAuth (End-User -> RP)
  2. Authorization Request (Redirect) (RP -> IdP, through the End-User's browser)
  3. Login / Consent (End-User at the IdP)
  4. Authorization Code (Redirect) (IdP -> RP, through the browser)
  5. Token Request (RP -> IdP)
  6. Access Token / Refresh Token (IdP -> RP)
  7. Resource Access (RP -> Resource Server, presenting the Access Token)
  8. Resource (Resource Server -> RP)
OpenID Connect Authorization Code Flow (participants: IdP, RP, End-User, UserInfo Endpoint)
  1. Start OpenID Connect
  2. Authorization Request (Redirect)
  3. Login / Consent
  4. Authorization Code (Redirect)
  5. Token Request
  6. Access Token / Refresh Token / ID Token
  7. Resource Access (UserInfo Request)
  8. Resource (UserInfo Response)

Authorization Request (the RP redirects the End-User's browser to the IdP)

HTTP/1.1 302 Found
Location: https://server.example.com/authorize?response_type=code&scope=openid%20profile%20email&client_id=s6BhdRkqt3&state=af0ifjsldkj&nonce=n-0S6_WzA2Mj&redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb

  - scope must contain openid; that is what makes this an OpenID Connect request rather than a plain OAuth 2.0 one
  - state is the CSRF protection: bound to the End-User's session at the RP and checked when the response comes back
  - nonce is returned inside the ID Token so the RP can tie the token to this request

Authorization Response (the IdP redirects the browser back to the RP's redirect_uri)

HTTP/1.1 302 Found
Location: https://client.example.org/cb?code=SplxlOBeZQQYbYS6WxSbIA&state=af0ifjsldkj

  - code: the Authorization Code
  - state: the value the RP sent; the RP must verify that it matches

Token Request (RP -> IdP, over the back channel)

POST /token HTTP/1.1
Host: server.example.com
Content-Type: application/x-www-form-urlencoded
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW

grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA&redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb

  - Authorization header: Basic base64_encode(Client_ID . ":" . Secret), i.e. client authentication
  - code: the Authorization Code received in the previous step
  - the Client Secret and the Authorization Code travel by POST on the back channel, never through the browser

Token Response

HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-store
Pragma: no-cache

{
  "access_token": "SlAV32hkKG",
  "token_type": "Bearer",
  "refresh_token": "8xLOxBtZp8",
  "expires_in": 3600,
  "id_token": "eyJhbGciOi6IjFlOWdkazcifQ.eyJewogImlzc6ICJzZCaGRSa3F0MyIsCiAibm9uY2UiOiODA5NzAKfQ.eyJggW8hZ16IcmD3HP99Obi1PRs-cwhJ3LO-p146waJMzqg"
}

  - the response is JSON, not XML
  - Access Token and Refresh Token, as in OAuth 2.0
  - token_type Bearer: the Access Token is presented as Authorization: Bearer <token>
  - id_token: the ID Token, new in OpenID Connect; a JWT of the form eyJ....eyJ.... (header.payload.signature)

UserInfo Request (Resource Access)

GET /userinfo HTTP/1.1
Host: server.example.com
Authorization: Bearer SlAV32hkKGsegsef

  - the Access Token is sent as a Bearer token in the Authorization header

UserInfo Response

HTTP/1.1 200 OK
Content-Type: application/json

{
  "sub": "248289761001",
  "name": "Jane Doe",
  "given_name": "Jane",
  "family_name": "Doe",
  "preferred_username": "j.doe",
  "picture": "http://example.com/janedoe/me.jpg",
  "email": "janedoe@example.com"
}

  - JSON, not XML
  - sub is returned for the openid scope
  - name, given_name, family_name, preferred_username and picture come from the profile scope; email from the email scope
Example in production: GREE (RP) with Yahoo! JAPAN's YConnect (IdP)
  - the RP (GREE) implements OpenID Connect as described above
  - the IdP (Yahoo! JAPAN, YConnect) authenticates the End-User and issues the tokens
  - the RP then calls the IdP's API with the Access Token
The message sequence is the same Authorization Code Flow shown above: Start OpenID Connect, Authorization Request (Redirect), Login / Consent, Authorization Code (Redirect), Token Request, Access Token / Refresh Token / ID Token, Resource Access, Resource.
4. ID Token
The ID Token names three parties:
  issuer   = the Identity Provider (who issued the token)
  audience = the Relying Party (whom the token is for)
  subject  = the End-User (who was authenticated)
Examples:
  issuer: Facebook, audience: SlideShare, subject: kura
  issuer: Yahoo!,   audience: GREE,       subject: kura
JSON Web Token (JWT, pronounced "jot")
  - the ID Token is a JWT: JSON, encoded with URL-safe Base64, and signed
  - signature algorithms: HMAC, RSA, ECDSA
Header
{ "typ": "JWT", "alg": "RS256" }
  - alg RS256 = RSA-SHA256
Payload (claims)
{ "iss": "https://auth.login.yahoo.co.jp", "sub": "123456789", "aud": "abcdefg", "nonce": "xyz", "iat": 1291836800, "exp": 1300819380 }
  - iss: issuer, the IdP that issued the ID Token
  - sub: subject, the End-User's identifier at the IdP
  - aud: audience, the RP's Client ID
  - nonce: the value the RP sent in the Authorization Request
  - iat: issued at, Unix time (10 digits)
  - exp: expiration, Unix time
ID Token -> RP session (Cookie)
How the ID Token is assembled
1. Header and payload as JSON:
   { "typ": "JWT", "alg": "RS256" }
   { "iss": "https://example.com", "sub": "123456789", "aud": "abcdefg", "nonce": "123456789", "nonce": "xyz", "iat": 1291836800, "exp": 1300819380 }
2. Base64-encode each part, URL-safe: '+' -> '-', '/' -> '_', and the '=' padding is dropped.
   A JSON object starts with '{', so every encoded segment starts with "eyJ".
   (The encoded sample below is the JWS example from RFC 7515; its own header says HS256.)
   eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9
   eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ
3. Join header and payload with ".":
   eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ
4. Sign that string with the algorithm named in alg (RSA-SHA256) and URL-safe Base64-encode the signature:
   dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk
5. ID Token = header + "." + payload + "." + signature:
   eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ.dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk
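As an added example (not from the slides): the URL-safe Base64 encoding, the HS256 signing step and the RP-side ID Token checks (signature, iss, aud, nonce, exp) in Python. It decodes and verifies the sample JWS from the slides using the HMAC key RFC 7515 Appendix A.1 publishes for that example (the key is not on the slides), then signs and validates a token built from the slides' claim values with a constructed demo key.

```python
import base64, hashlib, hmac, json

# Sample JWS from the slides (RFC 7515 Appendix A.1) and the HMAC key RFC 7515 gives for it
PAGE_TOKEN = ("eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9."
              "eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ."
              "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk")
RFC7515_KEY = "AyM1SysPpbyDfgZld3umj1qzKObwVMkoqQ-EstJQLr_T-1qS0gZH75aKtMN3Yj0iPS4hcgUuTwjAzZr1Z9CAow"


def b64url_encode(data: bytes) -> str:
    # URL-safe alphabet ('+' -> '-', '/' -> '_') with the '=' padding stripped, as JWT requires
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # put back the padding the encoder removed
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(header: dict, claims: dict, key: bytes) -> str:
    # signing input = base64url(header) "." base64url(payload); the MAC becomes the third segment
    seg = lambda obj: b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = seg(header) + "." + seg(claims)
    mac = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)


def verify_hs256(token: str, key: bytes) -> dict:
    # Pin the algorithm before checking the MAC: the header is attacker-controlled input
    head_b64, body_b64, sig_b64 = token.split(".")
    if json.loads(b64url_decode(head_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{head_b64}.{body_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    return json.loads(b64url_decode(body_b64))


def validate_id_token(token, key, issuer, client_id, nonce, now):
    """RP-side checks from the slides: signature, iss, aud, nonce, exp. Returns (ok, reason)."""
    try:
        claims = verify_hs256(token, key)
    except ValueError as err:
        return False, str(err)
    aud = claims.get("aud")
    if claims.get("iss") != issuer:
        return False, "iss is not the expected IdP"
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        return False, "aud does not contain our client_id"
    if claims.get("nonce") != nonce:
        return False, "nonce mismatch: possible replay"
    if int(claims.get("exp", 0)) <= now:
        return False, "exp has passed"
    return True, "ok"
```

The slides' sample token carries no aud or nonce, so it passes the signature check but fails the full ID Token validation, which is the behaviour an RP should want.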
5. UserInfo Endpoint
The UserInfo Endpoint returns the End-User's Claims as JSON; which Claims the IdP returns is governed by the scope values the RP requested.
Standard Claims and the scope that requests each of them:
  Claim                  scope
  sub                    - (always returned with openid)
  name                   profile
  given_name             profile
  family_name            profile
  middle_name            profile
  nickname               profile
  preferred_username     profile
  profile                profile (URL)
  picture                profile (URL)
  website                profile (URL)
  email                  email
  email_verified         email
  gender                 profile
  birthdate              profile
  zoneinfo               profile
  locale                 profile
  phone_number           phone
  phone_number_verified  phone
  address                address
  updated_at             profile
Summary
1. OpenID Connect is an identity layer built on OAuth 2.0
2. The OpenID Connect Authorization Code Flow
3. The ID Token is a JSON Web Token
4. The UserInfo Endpoint returns the End-User's Claims