id & it 2013 - openid connect hands-on
TRANSCRIPT
Page 1: ID & IT 2013 - OpenID Connect Hands-on
OpenID Connect Hands-on
@nov, @kura_lab, @lef
Page 2
OAuth 2.0 x Authentication
Page 3
Page 4
Your Server
GET /me
User Info
Page 5
GET /me
User Info
Different User Data
Token Replace
Your Server
Page 6
OAuth 2.0 + Identity Layer = OpenID Connect
Page 7
OpenID Connect IdPs
Google+ Sign-in
by Google
YConnect
by Yahoo! Japan
Ping Federate
by Ping Identity
Page 8
Debug: Google+ Sign-in
https://developers.google.com/oauthplayground/
Page 9
Google OAuth 2.0 Playground
An OAuth 2.0 trial site that Google provides for developers
https://developers.google.com/oauthplayground/
Lets you walk through each OAuth 2.0 flow at the HTTP level
Obtain an Access Token
API access
Since the basic OpenID Connect flow is shared with OAuth 2.0,
you can also walk through the OpenID Connect flow here
Page 10
Try Google+ Sign-in: OpenID Connect Flow
Page 11
STEP 1: Set scope to "openid email profile"
Page 12
STEP 2: Just press the button
Page 13
STEP 3: Set Request URI to "https://www.googleapis.com/oauth2/v3/userinfo"
Page 14
Try YConnect Integration
Page 15
YConnect: Application Registration
To use an OAuth 2.0 API, in most cases you must first register
the application on the developer site or similar
See "Application ID registration procedure"
..hopefully already done..
Page 16
YConnect: Obtain Access Token
To access the UserInfo (profile information) API,
obtain an OAuth 2.0 Access Token
Obtain the ID Token at the same time
When the ID Token is returned depends on response_type
See "YConnect User Guide"
First the Authorization Code flow
Once that works, the Implicit flow
Page 17
YConnect: Get UserInfo
See "UserInfo API Reference"
Page 18
YConnect: ID Token Verification
Method 1: use the Check Token API
See "YConnect User Guide"
Note that this method is not standardized at this point
Method 2: verify the signature on the client side
In YConnect's case the ID Token is signed with HMAC-SHA256, using client_secret as the key
Page 19
Try Ping Federate
Page 20
Ping Federate Integration Steps
User registration