Authentication task
The problem of authorization in dozens of services first came up several years ago, at the very beginning of the "monolith era". It was solved by a new service called Auth. Auth made it possible to implement seamless authentication between the various services and to move user data into a separate database.
The Auth service has three main tasks:
- A single authentication point (SSO) for all services of the system. Services do not store credentials; instead they trust one dedicated service.
- Complete and fine-grained access to resources. Passwords are stored in one place and are as secure as possible, and service owners can configure access to their resources as needed, and more finely, based on data from the authentication service.
The first version of Auth was part of the monolith and used its own protocol to communicate with services. Such a "plan" was necessary at the time, but after several years of operation problems appeared.
Auth is part of the monolith. As a result, the service is tied to the monolith's release cycle, which makes independent development and deployment impossible. Moreover, if Auth has to be deployed, for example when scaling a service, the whole monolith has to be deployed.
DodoIS depends on Auth. In the old implementation, external services call Auth on every user action to validate the data about that user. Because of this tight coupling, if Auth goes down for any reason, all of DodoIS can stop working.
Auth depends on Redis, and quite strongly: a Redis failure takes Auth down with it. We use Azure Redis with a stated SLA of 99.9%, which means the service may be unavailable for up to 44 minutes per month. Such downtime is unacceptable.
The current implementation of Auth uses its own authentication protocol instead of relying on standards. For most of our services, which use C# (if we are talking about the backend), maintaining a library for that protocol is not a problem. But if a Python, Go or Rust service suddenly appears, developing and supporting libraries for those languages costs extra time and adds complexity.
The current Auth uses a role-based access control scheme. Usually a role is tied not to specific functions but grants full access to a specific service. For example, a pizzeria has a deputy manager who can lead certain projects, such as creating schedules or taking stock of raw materials. However, there is no way to issue rights to individual components of the system: to let an employee access only the schedule or the settings of some accounting component, you have to grant full access to the whole service.
Because of these problems, a new version of Auth had to be designed and built. At the start of the project we spent three weeks just studying the OAuth 2.0 and OpenID Connect 1.0 authorization and authentication standards.
Note. I'm exaggerating a little: this article is a retelling of the RFCs, which I had to re-read several times to understand what was going on. Here I have tried to avoid that complexity and present everything simply, in a structured way and concisely, without explaining complicated things such as which characters may appear in a service response. Unlike the RFC, you will be able to understand everything after reading it once. I hope this article helps you choose a solution for implementing an authorization service and saves you time. Or perhaps it will make someone think about whether they need one at all.
What is OAuth 2.0?
After studying the available protocols and technologies, we decided to start developing the new Auth. The most common authorization standard is the OAuth 2.0 authorization framework.
The specification was adopted in 2012, and over more than eight years the protocol has been changed and supplemented. There were so many RFCs that the authors of the original protocol decided to write OAuth 2.1, which gathers all current changes to OAuth 2.0 into one document. While that is still at the draft stage, the current version of OAuth is described in RFC 6749. Let's break it down.
OAuth 2.0 is an authorization framework.
It describes how to implement communication between services so that authorization is secure. Many nuances, such as the flow of interaction between the nodes, are described in sufficient detail, but some are left to the specific implementation.
Features:
- It separates the user entity from the application requesting access. Thanks to this separation, application permissions can be managed separately from user permissions.
- Instead of the usual login and password, resources are accessed with a randomly generated string (a token) that carries a specific set of permissions and a lifetime.
- Permissions can be issued as precisely as you need, rather than as a predetermined set of rights.
Let's look at these features in more detail.
Roles
OAuth 2.0 defines four roles:
- Resource owner: an entity that has access to a protected resource. The entity can be an end user or some kind of system. A protected resource is an HTTP endpoint, which can be anything: an API endpoint, a file on a CDN, a web service, and so on.
- Resource server: the server that stores the protected resources the resource owner can access.
- Client: an application that requests access to a protected resource on behalf of the resource owner and with their permission.
- Authorization server: the server that issues the client a token for access to protected resources after successful authorization of the resource owner.
Each participant in the interaction can combine several roles. For example, a client can at the same time be a resource owner and request access to its own resources. We will look at the interaction scheme further on.
Important: the client must be registered with the service in advance. How is that done?
Client registration
of the specific implementation.
Redirect URI: the address the resource owner is sent to after successful authorization. Besides its role in authorization, this address is used to confirm that the service requesting authorization is who it claims to be.
Client type: the type of client, which determines how the client is interacted with. The type is determined by the client's ability to store its credentials (tokens) securely for authorization. There are therefore only two client types:
- Confidential: clients that can store their credentials securely, for example web applications that have a backend.
- Public: clients that cannot store their credentials securely, for example native mobile applications or applications running in the browser.
A token in OAuth 2.0 is a string that is opaque to the client. Usually the string looks randomly generated; its format does not matter to the client. A token is the key for accessing a protected resource (an access token), for obtaining a new token (a refresh token), and so on.
Each token has its own lifetime. A refresh token, however, needs a longer one, because it is used to obtain access tokens. For example, if an access token lives for about an hour, the refresh token can be kept for a week.
The refresh token is optional and is available only to confidential clients. Taking advantage of it being optional, some implementations make the access token lifetime very long and do not use refresh tokens at all, so as not to bother with refreshing. This is not secure, however: if an access token is compromised it can be revoked, and the service obtains a new access token using its refresh token. Without a refresh token, the whole authorization process has to be repeated.
An access token is assigned a specific set of access rights, which are granted to the client during authorization. Let's see what access rights look like in OAuth 2.0.
Access rights
Access rights are issued to the client as a scope. A scope is a parameter consisting of space-separated strings (scope-tokens).
Each scope-token represents a specific permission granted to the client. For example, the scope-token doc_read can give read access to documents on the resource server, and employee can restrict access to application features to company employees only. The resulting scope would then look like this: email doc_read employee.
In OAuth 2.0 you create scope-tokens yourself and tailor them to your needs. Scope-token names are limited only by your imagination and by two ASCII characters that are not allowed: the double quote (") and the backslash (\).
At the client registration stage, in the authorization service settings, the client is given a standard scope by default. However, the client can request a scope other than the standard one from the authorization server. Depending on the authorization server's policy and the resource owner's choice, the resulting scope may differ considerably. Later, after the client has been authorized, the resource owner can revoke some of the permissions without re-authorizing the service, but issuing additional permissions requires authorizing the client again.
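As an added example (my own code, not from the article), here is how an authorization server could validate a scope parameter against the RFC 6749 scope-token grammar described above and clip the requested scope to what the client is registered for and what the resource owner approved on the consent screen. The function names and the client/owner sets used in the docstrings are constructed for the example.

```python
import re
from typing import List, Set

# RFC 6749 section 3.3: scope-token = 1*( %x21 / %x23-5B / %x5D-7E ), i.e. printable
# ASCII without the space, the double quote (0x22) and the backslash (0x5C).
SCOPE_TOKEN = re.compile(r"[\x21\x23-\x5b\x5d-\x7e]+")


def is_valid_scope_token(token: str) -> bool:
    """True only if the whole string is made of allowed scope-token characters."""
    return SCOPE_TOKEN.fullmatch(token) is not None


def parse_scope(scope: str) -> List[str]:
    """Split a space-delimited scope parameter; reject any malformed scope-token.

    split(" ") rather than split() keeps the empty strings produced by doubled or
    leading spaces, so sloppy input such as "email  doc_read" is rejected instead
    of being silently repaired.
    """
    tokens = scope.split(" ")
    bad = [t for t in tokens if not is_valid_scope_token(t)]
    if bad:
        raise ValueError("invalid_scope: %r" % bad)
    return tokens


def grant_scope(requested: str, client_allowed: Set[str], owner_approved: Set[str]) -> str:
    """Decide the scope the authorization server actually issues.

    The client may ask for more than its registered default scope, but the result
    is limited to what the client is allowed to hold and what the resource owner
    ticked on the consent screen. Duplicates are dropped; request order is kept.
    """
    granted: List[str] = []
    for token in parse_scope(requested):
        if token in client_allowed and token in owner_approved and token not in granted:
            granted.append(token)
    if not granted:
        raise ValueError("invalid_scope: nothing left to grant")
    return " ".join(granted)
```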
Abstract OAuth 2.0 flow with an access token
We have looked at what the roles, the token types and the scope look like. Now let's look at the flows that provide access to services.
Below is an abstract diagram (or flow) of the interaction between the participants. All steps in this diagram are executed strictly from top to bottom. Let's go through it in more detail.
- The client sends the resource owner a request for access to the resources it needs.
- The resource owner returns an authorization grant to the client, which confirms the resource owner's identity and their rights to the resource the client is requesting access to. Depending on the flow, this can be a token or credentials.
- The client sends the authorization grant obtained in the previous step to the authorization server, expecting to receive an access token for the protected resource in return.
- The authorization server verifies that the authorization grant is valid and returns an access token to the client.
- Having received the access token, the client requests the protected resource from the resource server.
- The resource server verifies that the access token is valid and grants access to the protected resource.
The client received authorization from the resource owner and, on the basis of it, obtained access to the resource. Simple, isn't it? Is it as easy to add a refresh token to this scheme?
Abstract OAuth 2.0 flow with a refresh token
In this diagram the first and second steps are omitted; they are the same as in the abstract flow diagram above.
The scheme in more detail:
- The client presents its authorization grant to the authorization server and asks it to issue an access token and a refresh token.
- The authorization server validates the authorization grant and issues an access token and a refresh token.
- The client uses the access token until it expires; after that, requests to the resource server fail with an invalid token error.
- The client then contacts the authorization server with the refresh token to obtain a new access token.
- In response it receives a new access token and, optionally, a new refresh token.
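An added simulation (my own code, not from the article) of the refresh-token flow above and of the revocation point made earlier: short-lived access tokens, a resource server that answers invalid_token once they expire, and a refresh exchange that rotates the refresh token so the old one cannot be replayed. The class and method names are my own, the clock is injectable so expiry can be exercised without waiting, and the resource server reads the token table directly instead of calling an introspection endpoint.

```python
import secrets
import time
from typing import Callable, Dict, Optional, Tuple

ACCESS_TTL = 3600         # access token lives about an hour
REFRESH_TTL = 7 * 86400   # refresh token lives a week
Entry = Tuple[str, str, float]   # (client_id, scope, expires_at)


class AuthorizationServer:
    """Toy authorization server issuing opaque tokens with lifetimes (constructed example)."""

    def __init__(self, now: Callable[[], float] = time.time):
        self.now = now
        self.access: Dict[str, Entry] = {}
        self.refresh: Dict[str, Entry] = {}

    def issue(self, client_id: str, scope: str) -> Tuple[str, str]:
        """Issue an (access_token, refresh_token) pair; both are random, opaque strings."""
        access, refresh = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.access[access] = (client_id, scope, self.now() + ACCESS_TTL)
        self.refresh[refresh] = (client_id, scope, self.now() + REFRESH_TTL)
        return access, refresh

    def refresh_grant(self, client_id: str, refresh_token: str) -> Optional[Tuple[str, str]]:
        """Exchange a refresh token for a new pair; the old refresh token is retired (rotation)."""
        entry = self.refresh.get(refresh_token)
        if entry is None or entry[0] != client_id or entry[2] < self.now():
            return None                       # invalid_grant
        del self.refresh[refresh_token]       # single use: a replayed refresh token fails
        return self.issue(client_id, entry[1])

    def revoke_access(self, access_token: str) -> None:
        """What the owner does after a compromise: the leaked token stops working at once."""
        self.access.pop(access_token, None)


class ResourceServer:
    """Checks bearer tokens against the authorization server before serving a request."""

    def __init__(self, auth: AuthorizationServer):
        self.auth = auth

    def check(self, access_token: str) -> str:
        """Return 'ok', or 'invalid_token' (the RFC 6750 error) for unknown or expired tokens."""
        entry = self.auth.access.get(access_token)
        if entry is None or entry[2] < self.auth.now():
            return "invalid_token"
        return "ok"
```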
What is a grant?
A grant is the data that represents the resource owner's successful authorization of the client, which the client uses to obtain an access token.
For example, when we sign in somewhere with Google, a notification pops up in front of us saying that such-and-such service wants access to us or to data about our resources (the requested scope-tokens are listed). This notification is called the consent screen.
The moment you click OK, that permission goes into a database: a record is made that such-and-such user allowed such-and-such service such-and-such access. The client receives some kind of identifier of the successful authorization, for example a string associated with that record in the database.
There are 4 + 1 ways to obtain a grant, i.e. grant types:
- Authorization code: used for confidential clients, i.e. web services.
- Client credentials: used for confidential clients that request access to their own resources or to resources agreed in advance with the authorization server.
- Implicit: intended for public clients that can work with a redirection URI (browser and mobile applications); it is now recommended to use the authorization code grant with PKCE instead (Proof Key for Code Exchange, an extension that protects the exchange of the code for a token, described in RFC 7636).
- Resource owner password credentials: according to the OAuth 2.0 security RFC 6819, this grant type is considered unsafe. Previously its use was allowed only for migrating services to OAuth 2.0, but now it should not be used at all.
- Device authorization (added in RFC 8628): used to authorize devices that may not have a web browser but can work over the Internet, for example console applications, smart devices or smart TVs.
Only the authorization code (with PKCE), client credentials and device authorization grants can be considered relevant today, but we will look at all of them, in order of increasing complexity.
Client credentials grant flow
This flow is the simplest; it resembles the ordinary authorization of a service. It is performed using the client's credentials, the client ID and client secret, which are similar to a user's login and password. Because authorization needs a client secret that must be stored properly, this flow can be used only by confidential clients.
The scheme is simple: the client authenticates with the authorization server by passing its client ID and client secret, and in response receives an access token. With that token it can already access the service it needs.
This flow is needed when a client wants to access its own resources or resources agreed in advance with the authorization server. For example, service A periodically needs to access service B to update data about the number of pizzerias in the network.
Resource owner password credentials flow
According to the current security recommendations described in this RFC, using this flow is not recommended at all because of obvious security concerns.
The diagram of this flow shows only two parties; in theory, that is the client and the authorization server.
The resource owner hands the username and password to the client, for example via a form in the client. The client then uses them to obtain an access token (and, optionally, a refresh token).
This is the problem. The resource owner simply takes the username and password and gives them to the client in the clear, which is not secure. Originally the flow was created only for trusted clients or clients that are part of the operating system. Later it was allowed only for migrating from login-and-password authentication to OAuth 2.0, and the current security guidelines forbid using it.
Authorization code
The most widespread flow at the moment. It is used mainly for confidential clients, but with the additional verification introduced by PKCE it can also be used for public clients.
In this flow the client interacts with the resource owner through a user-agent (the browser). The user-agent has one requirement: it must be able to handle HTTP redirects. Without that, the resource owner cannot go to the authorization server and come back with a grant.
This flow is more complex than the previous ones, so we'll go through it step by step. First, imagine that we are the resource owner and have opened the page of an online learning service that wants to store its learning results in the cloud. It needs access to our resources, for example a specific directory in the cloud. We click "Login", and the story of the authorization code grant flow begins.
- In the first step, the client uses the user-agent to redirect the resource owner to the authorization server's authentication page. In the URI it specifies its client ID and a redirect URI. The redirection URI is used to know where to return the resource owner after successful authorization (the resource owner grants permission for the scope requested by the client).
- Through the user-agent, the authorization server authenticates the resource owner.
- The resource owner confirms or denies the client's access on the consent screen.
- The user-agent returns the resource owner to the URI specified earlier as the redirection URI. The query string carries the authorization code, a string that confirms that the resource owner has granted access.
- The client sends the authorization code to the authorization server and asks for an access token (and a refresh token, if allowed).
- The authorization server validates the authorization code and, if it is valid, returns an access token (and a refresh token).
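An added example (my own code, not the article's) of the server side of the authorization code flow just described, with the two checks that make it safe: the code is only ever sent to the redirect URI registered for the client, and it can be exchanged exactly once, by that client, with its secret and the same redirect URI. The client registration table, the hostnames and the class name are constructed for the example.

```python
import secrets
from typing import Dict, Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed registrations: client_id -> (client_secret, registered redirect URI)
CLIENTS = {"learn-app": ("learn-app-secret", "https://learn.example/callback")}


class AuthCodeServer:
    """Toy authorization server for the authorization code grant (constructed example)."""

    def __init__(self) -> None:
        self.codes: Dict[str, dict] = {}    # code -> what it is bound to
        self.tokens: Dict[str, str] = {}    # access_token -> scope

    def authorize(self, client_id: str, redirect_uri: str, scope: str) -> Optional[str]:
        """Owner clicked 'allow': build the redirect that carries the code back to the client."""
        client = CLIENTS.get(client_id)
        if client is None or client[1] != redirect_uri:
            return None    # unknown client or unregistered URI: never send the code there
        code = secrets.token_urlsafe(24)
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri, "scope": scope}
        return redirect_uri + "?" + urlencode({"code": code})

    def token(self, client_id: str, client_secret: str, code: str, redirect_uri: str) -> Optional[str]:
        """Exchange the code for an access token; any failed attempt burns the code as well."""
        bound = self.codes.pop(code, None)   # single use: a replayed code is already gone
        client = CLIENTS.get(client_id)
        if client is None or not secrets.compare_digest(client[0], client_secret):
            return None                      # invalid_client
        if bound is None or bound["client_id"] != client_id or bound["redirect_uri"] != redirect_uri:
            return None                      # invalid_grant
        access_token = secrets.token_urlsafe(32)
        self.tokens[access_token] = bound["scope"]
        return access_token


def code_from_callback(url: str) -> str:
    """Client side: read the authorization code out of the callback URL's query string."""
    return parse_qs(urlparse(url).query)["code"][0]
```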
If we imagine ourselves in the resource owner's place: we see the redirect to the authorization server, authenticate, confirm access on the consent screen, and are sent back to the service we were on before. We go through this, for example, every time we sign in to a service with a Google, Facebook or Apple account.
The next flow is based on this one.
Implicit grant
This is an optimization of the authorization code grant flow for public clients that can work with a redirect URI, for example JavaScript browser applications or mobile applications. The requirement for the user-agent through which the client and the resource owner interact is unchanged: it must be able to handle HTTP redirects.
There is one main difference between authorization code and implicit: instead of receiving an authorization code and then an access token, the access token is received immediately after the resource owner's successful authorization. In addition, for security reasons, no client secret is used here, because the application could be disassembled and the secret extracted. Trust is checked only through the redirect URI.
Many steps of this diagram are similar to those of the authorization code flow, but I suggest going through them in detail. Suppose a browser application wants to save its settings in a Git repository. You click "Login to GitHub", and at this point the implicit flow begins.
- The client, using the user-agent and an HTTP redirect, sends the resource owner to the authorization server. In the request parameters it passes the client ID and the redirect URI needed to authenticate the client and return the resource owner.
- The resource owner authenticates by communicating with the authorization server through the user-agent. At the same time they confirm the issue of a grant to the client whose client ID came with the request.
- Once the grant is confirmed (the "allow" button on the consent screen), the user-agent returns the resource owner to the redirection URI, with the access token placed in the URI fragment (the URI fragment is the part of the URI after the "#" character).
- The next step happens in the user-agent. The user-agent follows the redirection URI to the web-hosted client resource without sending the access token, keeping the fragment locally; that resource can be, for example, a static page on a CDN.
- The web-hosted client resource returns a web page (typically an HTML document with an embedded script) that can read the full redirection URI, including the fragment, and extract the access token from it.
- The user-agent runs the script received from the web-hosted client resource, which extracts the access token.
- The user-agent simply passes the resulting access token to the client.
This is a complicated flow. It is rarely used in real scenarios, but it can still be found in legacy projects.
Device authorization (RFC 8628)
Between 2012 and 2019, many smart devices appeared on which logging in is inconvenient. For example, it is inconvenient to type a complex username and password on a TV every time you open a resource, and on some devices, such as a server OS without a graphical interface, it is impossible. In August 2019 this flow appeared precisely for such scenarios.
To be able to use the device authorization grant flow, a device must meet at least three requirements:
- The device must be able to make outgoing HTTPS requests.
- The device must be able to display a URI and a code to the user.
- Each device being authorized belongs to a resource owner, who must have another device with a browser on which to open the specified URI and enter the specified code for the authorization to succeed.
The scheme may look complicated because of the abundance of arrows, but we have already taken apart complex flows before, so let's go through it step by step.
Suppose we are trying to log in to a web service from a TV. We see a "Log in as device" button and click it. At this moment the device flow begins.
- The TV sends a request to the authorization server, passing its client ID.
- The authorization server checks that such a client is registered and has the appropriate grant type.
- If the check passes, the authorization server returns a device code, a user code and a verification URI. The device code identifies the device that made the request in its later calls to the server.
- The user code and verification URI are shown to the resource owner. The URI can also be shown as a QR code, which is more convenient.
- Having seen the user code and verification URI, the resource owner opens the URI on another device.
- The resource owner authenticates. At the verification URI they enter the user code, check the requested scope, and allow or deny access for the device.
- All this time the device (step 3) has been polling the authorization server about the outcome. Hoping that this time the authorization has gone through, the device contacts the authorization server again using the device code and its client ID.
- This time, once the resource owner has confirmed the transfer of the required permissions to the device, the authorization server responds to the request with an access token (and a refresh token, if the server configuration provides one). With the token, the device can now continue working with the resource.
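An added simulation (my own code, not from the article or from RFC 8628) of the device grant steps above: the device authorization endpoint hands out a device code, a user code and a verification URI; the owner approves by user code on another device; the device polls the token endpoint and receives authorization_pending until a decision exists. The class name, the verification URI and the user-code format are constructed; the error codes are the ones RFC 8628 defines.

```python
import secrets
from typing import Dict

POLL_INTERVAL = 5   # seconds the device should wait between polls (the RFC 8628 "interval")


class DeviceAuthServer:
    """Toy device authorization + token endpoints for the device grant (constructed example)."""

    def __init__(self, verification_uri: str = "https://auth.example/device") -> None:
        self.verification_uri = verification_uri
        self.sessions: Dict[str, dict] = {}     # device_code -> {client_id, scope, status}
        self.by_user_code: Dict[str, str] = {}  # user_code -> device_code

    def device_authorization(self, client_id: str, scope: str) -> dict:
        """The TV sends its client_id and receives the codes to display and to poll with."""
        device_code = secrets.token_urlsafe(32)   # long and secret: used only by the device
        user_code = "-".join(secrets.token_hex(2).upper() for _ in range(2))  # short, typed by a human
        self.sessions[device_code] = {"client_id": client_id, "scope": scope, "status": "pending"}
        self.by_user_code[user_code] = device_code
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": self.verification_uri, "interval": POLL_INTERVAL}

    def approve(self, user_code: str, allow: bool) -> bool:
        """The owner, on another device at the verification URI, enters the user code and decides."""
        device_code = self.by_user_code.pop(user_code, None)   # each user code works once
        if device_code is None:
            return False
        self.sessions[device_code]["status"] = "granted" if allow else "denied"
        return True

    def token(self, client_id: str, device_code: str) -> dict:
        """The device polls with device_code + client_id; errors are the RFC 8628 codes."""
        session = self.sessions.get(device_code)
        if session is None or session["client_id"] != client_id:
            return {"error": "invalid_grant"}
        if session["status"] == "pending":
            return {"error": "authorization_pending"}
        del self.sessions[device_code]          # a decided session is consumed either way
        if session["status"] == "denied":
            return {"error": "access_denied"}
        return {"access_token": secrets.token_urlsafe(32), "scope": session["scope"]}
```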
Despite the apparent complexity of the arrows, this flow is quite simple. If you need to work with devices (there are many of them: trackers, cash registers, in-store terminals and other devices), this is the flow to use.
Instead of a conclusion
In this article I left out many details in order to explain the most important things in the simplest and most accessible way: for example, the kinds of requests, how and in what format parameters are passed, and which characters are allowed in their values.
If you want to dig deeper into the topic, I recommend starting with RFC 6749 (for OAuth 2.0) and RFC 8628 (for the device flow). You can also check the latest RFCs on the OAuth resource.
If the article helped and you want details, write in the comments. In the next article we will cover PKCE, the OpenID Connect 1.0 authentication protocol, implementing an authorization server, and more.
Useful links: