oauth 2.0 web messaging response mode - openid summit tokyo 2015
Post on 16-Apr-2017
-
Copyright (C) DeNA Co.,Ltd. All Rights Reserved.
OAuth 2.0 Web Messaging Response Mode
OpenID Summit 2015
November 10, 2015
Toru Yamaguchi, Senior Architect, Sub Business Unit Head, Open Platform Business Unit, DeNA Co., Ltd.
-
! HN @zigorou
! Mobage
-
! OAuth 2.0 Authorization Endpoint OAuth 2.0 Web Messaging Response Mode
! OAuth 2.0 Redirect URI
! OAuth 2.0 Form Post Response Mode
! OAuth 2.0 Web Messaging Response Mode
-
OAuth 2.0 Redirect URI
OAuth 2.0 Web Messaging Response Mode
-
OAuth 2.0
! Client (End User) Access Token Authorization Server OAuth 2.0 Access Token Protected Resource (API)
Sequence (End User, Authorization Server, Client):
1. Redirect to Authorization Request
2. Authorization Request
3. Authorization Response
4. Redirect to Redirect URI
5. Token Request
6. Token Response
-
Authorization Code Grant
! Authorization Response Redirect URI UserAgent HTTP
http://goo.gl/kfZTNY
-
Authorization Request
! RFC 6749 Authorization Code Grant Authorization Request
GET /authorize?response_type=code&client_id=s6BhdRkqt3&state=xyz
    &redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb HTTP/1.1
Host: server.example.com
-
Authorization Response
! RFC 6749 Authorization Code Grant Authorization Response
HTTP/1.1 302 Found
Location: https://client.example.com/cb?code=SplxlOBeZQQYbYS6WxSbIA&state=xyz
-
Implicit Grant
! Implicit Grant Token Response Authorization Endpoint HTTP Access Token URI Fragment (#) JavaScript parse
http://goo.gl/95ddOd
-
Redirect URI
! User Agent HTTP HTTP UX Single Page Application Implicit Protected Resource Access Token JavaScript XSS Access Token
! Web Message Response Mode
-
OAuth 2.0 Form Post Response Mode
OAuth 2.0 Web Messaging Response Mode
-
Form Post Response Mode
! Spec https://openid.net/specs/oauth-v2-form-post-response-mode-1_0.html
! Authorization Endpoint HTTP JavaScript form POST
-
Authorization Code Grant w/ form post
! Authorization Response form submit
http://goo.gl/3ci98I
-
Authorization Request
! Authorization Request response_mode form_post
GET /authorize?response_type=id_token
    &response_mode=form_post
    &client_id=some_client
    &scope=openid
    &redirect_uri=https%3A%2F%2Fclient.example.org%2Fcallback
    &state=DcP7csa3hMlvybERqcieLHrRzKBra
    &nonce=2T1AgaeRTGTMAJyeDMN9IJbgiUG HTTP/1.1
Host: server.example.com
-
Authorization Response (1)
! Redirect URI HTTP POST Submit
HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
Cache-Control: no-cache, no-store
Pragma: no-cache

Submit This Form
-
Authorization Response (2)
! JavaScript UserAgent Redirect URI
POST /callback HTTP/1.1
Host: client.example.org
Content-Type: application/x-www-form-urlencoded

id_token=eyJhbGciOiJSUzI1NiIsImtpZCI6IjEifQ.eyJzdWIiOiJqb2huIiwiYX
VkIjoiZmZzMiIsImp0aSI6ImhwQUI3RDBNbEo0c2YzVFR2cllxUkIiLCJpc
3MiOiJodHRwczpcL1wvbG9jYWxob3N0OjkwMzEiLCJpYXQiOjEzNjM5MDMx
MTMsImV4cCI6MTM2MzkwMzcxMywibm9uY2UiOiIyVDFBZ2FlUlRHVE1BSnl
lRE1OOUlKYmdpVUciLCJhY3IiOiJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTD
oyLjA6YWM6Y2xhc3NlczpQYXNzd29yZCIsImF1dGhfdGltZSI6MTM2MzkwM
Dg5NH0.c9emvFayy-YJnO0kxUNQqeAoYu7sjlyulRSNrru1ySZs2qwqqwwq
-Qk7LFd3iGYeUWrfjZkmyXeKKs_OtZ2tI2QQqJpcfrpAuiNuEHII-_fkIuf
bGNT_rfHUcY3tGGKxcvZO9uvgKgX9Vs1v04UaCOUfxRjSVlumE6fWGcqXVE
KhtPadj1elk3r4zkoNt9vjUQt9NGdm1OvaZ2ONprCErBbXf1eJb4NW_hnrQ
5IKXuNsQ1g9ccT5DMtZSwgDFwsHMDWMPFGax5Lw6ogjwJ4AQDrhzNCFc0uV
AwBBb772-86HpAkGWAKOK-wTC6ErRTcESRdNRe0iKb47XRXaoz5acA&
state=DcP7csa3hMlvybERqcieLHrRzKBra
-
Form Post Response Mode
! GET URI RFC UserAgent HTTP Server
! Authorization Request response_type id_token POST URI Fragment (OpenID Connect 1.0) Browser JavaScript parse ID Token JWT JWS or JWE Form Post Implicit ID Token Server
! response_mode
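The page the Authorization Endpoint returns in form_post mode (the 200 OK with "Submit This Form" shown on the earlier slide) is a small HTML document whose hidden fields carry the Authorization Response and whose onload handler submits them to the Redirect URI. The builder below is an added example, not the deck's or the spec's code; it is modelled on the structure the Form Post spec describes. The function names, the noscript fallback and the caller's responsibility for having already validated redirectUri against the client registration are assumptions of this example. The point it adds to the slide: every value, including the state the client chose and the Redirect URI itself, is HTML-escaped before it lands in the markup, and the response carries the no-store headers so the code or ID Token is not left in a browser or proxy cache.

```javascript
// Added example, not from the slides: build the HTTP response an
// Authorization Endpoint returns for response_mode=form_post.

// Escape the characters that matter inside HTML text and attributes.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// redirectUri: the client's registered Redirect URI (assumed already
// checked against the registration by the caller).
// params: the Authorization Response parameters, e.g. { code, state },
// { id_token, state }, or { error, state } for an error response.
// Returns { status, headers, body } for the caller to write out.
function buildFormPostResponse(redirectUri, params) {
  // One hidden field per response parameter; names and values escaped
  // so a parameter cannot break out of its attribute.
  const fields = Object.keys(params)
    .map((name) =>
      `<input type="hidden" name="${escapeHtml(name)}" value="${escapeHtml(params[name])}"/>`)
    .join('\n      ');

  const body = `<html>
  <head><title>Submit This Form</title></head>
  <body onload="javascript:document.forms[0].submit()">
    <form method="post" action="${escapeHtml(redirectUri)}">
      ${fields}
      <noscript><input type="submit" value="Submit This Form"/></noscript>
    </form>
  </body>
</html>`;

  return {
    status: 200,
    headers: {
      'Content-Type': 'text/html;charset=UTF-8',
      // The body carries the code / ID Token: keep it out of caches.
      'Cache-Control': 'no-cache, no-store',
      'Pragma': 'no-cache',
    },
    body,
  };
}

// Example (constructed values; the id_token is a placeholder, not a real JWT):
const example = buildFormPostResponse('https://client.example.org/callback', {
  id_token: 'eyJ.placeholder.jwt',
  state: 'DcP7csa3hMlvybERqcieLHrRzKBra',
});
```

In a real endpoint the Redirect URI is taken from the client registration, never echoed from the request unvalidated, and the hidden fields are exactly the parameters the response mode would otherwise have placed in the query or fragment.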
-
OAuth 2.0 Web Messaging Response Mode
-
OAuth 2.0 Web Messaging Response Mode
! Spec https://tools.ietf.org/html/draft-sakimura-oauth-wmrm-00
! postMessage() response_mode web_message Google+ SignIn Mobage Connect simple, relay relay Access Token
-
Redirect URI
! User Agent HTTP HTTP UX Single Page Application Implicit Protected Resource Access Token JavaScript XSS Access Token
! Web Message Response Mode
-
SPA UX
! Single Page Application submit
! window.open() window window Authorization Grant Authorization Response Web Messaging Response Mode window window frame (window.postMessage())
-
Unauthenticated Window Messaging (simple mode)
! Unauthenticated Window window End User Authorization window
Participants: Main Window (Public Client), Unauthenticated Window, Authorization Server
Main Window:
  window.addEventListener('message', authorizationResponseListener, false);
  var win = window.open('https://as.example.com/authorize?...', '_new');
Unauthenticated Window:
  window.opener.postMessage(authorizationResponse, redirectURI);
1. Window Authorization Request
2. Authorization Request
3. Authorization Response
4. Authorization Response
-
Immediate Login [1]
! OpenID Connect AuthZ Request prompt none Immediate Login
GET /authorize?response_type=code&scope=openid%20profile&client_id=s6BhdRkqt3
    &state=xyz123&prompt=none
    &redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb HTTP/1.1

HTTP/1.1 302 Found
Location: https://client.example.org/cb?error=login_required&state=xyz123
1. Authorization Request
2. Authorization Request
-
Immediate Login [2]
! Immediate Login iframe iframe load iframe src Redirect URI Redirect URI postMessage Main Window
Participants: Main Window (Public Client), Authenticated Window, Authorization Server
Main Window:
  var iframe = document.createElement('iframe');
  iframe.addEventListener('load', authorizationResponseListener, false);
  iframe.src = 'https://as.example.com/authorize?...';
  document.body.appendChild(iframe); // the iframe must be attached to the document before it navigates
1. iframe Authorization Request
2. Authorization Request
3. Authorization Response
4. Authorization Response load
-
Authenticated Window Messaging (simple mode)
! Authenticated Window iframe End User Authorization window
Participants: Main Window (Public Client), Authenticated Window, Authorization Server
Main Window:
  window.addEventListener('message', authorizationResponseListener, false);
  var iframe = document.createElement('iframe');
  iframe.src = 'https://as.example.com/authorize?...';
  document.body.appendChild(iframe); // attach the iframe so the request is sent
Authenticated Window:
  window.parent.postMessage(authorizationResponse, redirectURI);
1. iframe Authorization Request
2. Authorization Request
3. Authorization Response
4. Authorization Response
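The slides show the Main Window registering authorizationResponseListener and the opened window or iframe calling postMessage(), but not what the listener must check before it trusts the message. The code below is an added example, not from the deck or the Mobage SDK, of that listener for the simple mode just described: it accepts an Authorization Response only when the message's origin is the Authorization Server, its source is the window the client itself opened, and the state matches the value generated for this request, and it surfaces error responses such as the login_required reply from an Immediate Login (prompt=none) request. The function names, the acceptance of both object and query-string payloads, and the as.example.com values are assumptions of this example.

```javascript
// Added example, not the deck's code: the Main Window half of
// Web Messaging Response Mode (simple mode).

// Parse the response out of the message payload. An object is taken as-is;
// a query- or fragment-style string is also accepted (assumption).
function parseAuthorizationResponse(data) {
  if (data !== null && typeof data === 'object') return data;
  if (typeof data !== 'string') return null;
  const out = {};
  for (const pair of data.replace(/^[?#]/, '').split('&')) {
    if (!pair) continue;
    const eq = pair.indexOf('=');
    const k = eq < 0 ? pair : pair.slice(0, eq);
    const v = eq < 0 ? '' : pair.slice(eq + 1);
    out[decodeURIComponent(k)] = decodeURIComponent(v.replace(/\+/g, ' '));
  }
  return out;
}

// event: a MessageEvent, or any object with origin/source/data.
// expected: { origin, source, state } recorded when the client opened
// the window or iframe. Returns { ok, response?, reason? }.
function handleAuthorizationMessage(event, expected) {
  if (event.origin !== expected.origin) {
    return { ok: false, reason: 'origin mismatch' };          // not sent by the AS
  }
  if (event.source !== expected.source) {
    return { ok: false, reason: 'unexpected source window' }; // not the window we opened
  }
  const response = parseAuthorizationResponse(event.data);
  if (!response) return { ok: false, reason: 'unparseable payload' };
  if (response.state !== expected.state) {
    return { ok: false, reason: 'state mismatch' };           // not a reply to our request
  }
  if (response.error) {
    // e.g. error=login_required for an Immediate Login (prompt=none) request
    return { ok: false, reason: 'error: ' + response.error, response };
  }
  return { ok: true, response };
}

// Browser wiring: open the AS in a new window and resolve with the first
// accepted response. state must be unguessable and generated per request.
function startWebMessageLogin(asOrigin, authorizeUrl, state) {
  return new Promise((resolve, reject) => {
    const expected = { origin: asOrigin, source: null, state };
    function listener(event) {
      const result = handleAuthorizationMessage(event, expected);
      if (result.ok) {
        window.removeEventListener('message', listener, false);
        resolve(result.response);
      } else if (result.response) {          // a genuine error response for our state
        window.removeEventListener('message', listener, false);
        reject(new Error(result.reason));
      }                                       // anything else is ignored, not fatal
    }
    window.addEventListener('message', listener, false);
    expected.source = window.open(authorizeUrl + '&state=' + encodeURIComponent(state), '_blank');
  });
}
```

In a browser the call would look like startWebMessageLogin('https://as.example.com', 'https://as.example.com/authorize?response_type=code&response_mode=web_message&client_id=s6BhdRkqt3&redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb', state) with a freshly generated state; for the authenticated-window (iframe) variant, expected.source is the iframe's contentWindow instead of the return value of window.open(). Messages failing the origin, source or state checks are dropped silently, because any page can post to the Main Window and a stray message must not abort a login in progress.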
-
! Response Mode window.open() Redirect SPA Mobage JavaScript SDK (Unauthenticated Window) Immediate Login (Authenticated Window) Response Mode
! relay mode
-
Hybrid Flow scope [1]
! Hybrid Flow OpenID Connect Implicit Authorization Code response_type
Diagram: Authorization Server (Authorization Endpoint, Token Endpoint), Redirect Endpoint (public client), Client Server (confidential client), Protected Resource Server (API)
1. Authorization Response: code, access_token (implicit), id_token (implicit)
2. Token Request
3. Token Response: access_token (authorization_code)
API access (from the public client and from the client server)
-
Hybrid Flow scope [2]
! Authorization Request scope Authorization Code/Implicit Implicit access token confidential client public client
! public client access token access token API access token Hybrid Flow scope
-
Unauthenticated Window Messaging (relay mode)
! Main Window Relay Request/Response Main Window window window frames origin
Diagram: Main Window (Public Client), Unauthenticated Window, Message Targeted Window, Authorization Server, Protected Resource Server
1. iframe
2. Window Authorization Request
2. Authorization Request
3. Authorization Response
4. Relay Request
5. Relay Response
6. Authorization Response
API Access
-
Relay Mode JavaScript SDK
! Authorization Response (access token) Message Targeted Window Main Window access token
! Main Window Message Targeted Window window.postMessage() API request/response access token API
-
! IE11 window.postMessage() Edge
-
! draft Message window Web Worker UI
-
! Web Message Response Mode Redirect SPA UX Immediate Login
! relay mode Main Window access token Message Targeted Window API