Translator's note: this excellent article from Okta explains, simply and clearly, how OAuth and OIDC (OpenID Connect) work. That knowledge is useful to developers, system administrators, and even the "ordinary users" of popular web applications, which are quite likely to exchange sensitive data with other services.
In the stone age of the internet, sharing information between services was easy. You simply handed one service your login and password for another, and it could sign in to your account and take whatever information it needed.
"Just tell me your bank account details. I promise everything will be fine with your password and your money. Honest! Honest!" *hee hee*
Yikes! Users must never be required to share a username and password. There is no guarantee that the organization behind the other service will store those credentials safely, or that it will not collect more personal information than it needs. It may sound crazy, but some applications still use this approach.
Today there is a common standard that lets one service use another service's data safely. Unfortunately, such standards come with a lot of jargon, which makes them harder to understand. The aim of this material is to explain how it all works using simple illustrations (you think my drawings look like a child's? Well, so be it!).
By the way, this guide is also available in video form.
Ladies and gentlemen: OAuth 2.0
Suppose, for example, that you have discovered a site called "Terrible Pun of the Day" and signed up to receive a daily pun as a text message on your phone. You like the site so much that you decide to share it with all your friends. After all, who doesn't love an awful pun?
"Terrible Pun of the Day: Did you hear about the guy who lost the left side of his body? He's all right now!" (The original has its own pun; the one here is a translation.)
Obviously, writing to every person in your contact list by hand is not an option. And if you are anything like me, you will go to great lengths to avoid unnecessary work. Luckily, "Terrible Pun of the Day" can invite all your friends for you. To do that, you only need to give it access to your email contacts, and the site itself sends the invitations (OAuth rules!).
"Everyone loves puns!" - "Logged in! Allow the 'Terrible Pun of the Day' website to access your contact list?" - "Thanks! Now we'll send daily reminders to everyone you know until the end of time. You're the best friend ever!"
- Choose your email provider.
- Go to the email site and, if necessary, sign in to your account.
- Give Terrible Pun of the Day permission to access your contacts.
- Return to the Terrible Pun of the Day site.
In case you change your mind, applications that use OAuth also provide a way to revoke access. If you later decide you no longer want to share your contacts with Terrible Pun of the Day, you can go to your email site and remove the pun site from the list of authorized applications.
The OAuth flow
What we just walked through is commonly called the OAuth flow. In our example, the flow consists of visible steps and several invisible ones in which the two services agree on a secure exchange of information. The "Terrible Pun of the Day" example above uses the most common OAuth 2.0 flow, known as the "authorization code" flow.
Before going into the details of how OAuth works, let's define a few terms.
- Resource owner: that's you! You own your credentials and your data, and you control every action that can be performed with your account.
- Client: the application (for example, the "Terrible Pun of the Day" service) that wants to access data or perform certain actions on behalf of the resource owner.
- Authorization server: the application that knows the resource owner, i.e. the one where the resource owner already has an account.
- Resource server: the application programming interface (API) or service that the client wants to use on behalf of the resource owner.
- Redirect URI: the link the authorization server redirects the resource owner back to after permission has been granted to the client. Sometimes called the "callback URL".
- Response type: the kind of information the client expects to receive. The most common response type is code, meaning that the client expects an authorization code.
- Scope: a granular description of the permissions the client needs, such as access to data or the right to perform specific actions.
- Consent: the authorization server takes the scopes requested by the client and asks the resource owner whether they are willing to grant the client those permissions.
- Client ID: the identifier used to identify the client on the authorization server.
- Client secret: a password known only to the client and the authorization server. It lets the two exchange information privately.
- Authorization code: a short-lived temporary code that the client gives to the authorization server in exchange for an access token.
- Access token: the key the client uses to communicate with the resource server. It is like a badge or a key card that gives the client permission to request data or perform actions on the resource server on your behalf.
Note: the authorization server and the resource server may be the same server. In some cases, however, they are different servers, possibly not even belonging to the same organization. For example, the authorization server may be a third-party service trusted by the resource server.
Now that we have covered the core concepts of OAuth 2.0, let's go back to the example and look closely at what happens in the OAuth flow.
- You, the resource owner, want to allow the "Terrible Pun of the Day" service (the client) to access your contacts so that it can send invitations to all your friends.
- The client redirects your browser to the authorization server's page, including in the query string the client ID, the redirect URI, the response type, and one or more scopes (permissions) it needs.
- The authorization server verifies who you are, prompting for a username and password if necessary.
- The authorization server shows you a consent form listing all the scopes requested by the client. You grant or deny permission.
- The authorization server redirects back to the client's site using the redirect URI, together with the authorization code.
- The client contacts the authorization server directly (bypassing the resource owner's browser) and securely sends its client ID, client secret and the authorization code.
- The authorization server checks the data and responds with an access token.
- The client can now use the access token to send requests to the resource server and obtain the contact list.
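The eight steps above and the terms defined before them, as an added example that is not code from the original article or from Okta: one Python script that plays the client, the authorization server and the resource server in memory. The hosts mail.example and punoftheday.example, the scope name contacts.read and the contact list are assumptions made for the example. It goes slightly beyond the text in showing the checks each party performs at every step: the authorization server only sends the code to the redirect URI registered for that client, the code is single-use and short-lived, the client must prove its client secret on the back channel, and the resource server enforces the granted scope. It also adds the state parameter, which the standard uses so the client can tie the callback to the session that started the flow.

```python
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_ENDPOINT = "https://mail.example/authorize"  # assumed provider URL


def authorization_request_url(client_id, redirect_uri, scope, state):
    """Step 2: the URL the client redirects the browser to. state is a
    per-session random value the client checks again on the callback."""
    return AUTHORIZE_ENDPOINT + "?" + urlencode({
        "client_id": client_id, "redirect_uri": redirect_uri,
        "response_type": "code", "scope": scope, "state": state})


def query_params(url):
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


class AuthorizationServer:
    """The mail provider's authorization server."""

    def __init__(self):
        self.clients = {}  # client_id -> {"secret", "redirect_uri"}
        self.codes = {}    # authorization code -> grant details
        self.tokens = {}   # access token -> {"sub", "scope"}

    def register_client(self, redirect_uri):
        """Done once, long before any user consents (see "Client ID and secret")."""
        client_id, client_secret = secrets.token_urlsafe(16), secrets.token_urlsafe(32)
        self.clients[client_id] = {"secret": client_secret, "redirect_uri": redirect_uri}
        return client_id, client_secret

    def authorize(self, request_url, user, consent_granted):
        """Steps 3-5 (front channel, through the browser): check the request,
        apply the user's consent decision, redirect back with a one-time code."""
        q = query_params(request_url)
        client = self.clients.get(q.get("client_id"))
        # The code is delivered to redirect_uri, so it must be the registered one.
        if client is None or q.get("redirect_uri") != client["redirect_uri"]:
            raise PermissionError("unknown client or unregistered redirect_uri")
        if q.get("response_type") != "code":
            raise PermissionError("unsupported_response_type")
        state = q.get("state", "")
        if not consent_granted:
            return q["redirect_uri"] + "?" + urlencode({"error": "access_denied", "state": state})
        code = secrets.token_urlsafe(24)
        self.codes[code] = {"client_id": q["client_id"], "redirect_uri": q["redirect_uri"],
                            "sub": user, "scope": q.get("scope", ""), "exp": time.time() + 60}
        return q["redirect_uri"] + "?" + urlencode({"code": code, "state": state})

    def token(self, client_id, client_secret, code, redirect_uri):
        """Steps 6-7 (back channel, no browser): authenticate the client, then
        trade the single-use, short-lived code for an access token."""
        client = self.clients.get(client_id)
        if client is None or not hmac.compare_digest(client["secret"], client_secret):
            raise PermissionError("invalid_client")
        grant = self.codes.pop(code, None)  # pop: a replayed code is rejected
        if (grant is None or grant["client_id"] != client_id
                or grant["redirect_uri"] != redirect_uri or grant["exp"] < time.time()):
            raise PermissionError("invalid_grant")
        access_token = secrets.token_urlsafe(32)
        self.tokens[access_token] = {"sub": grant["sub"], "scope": grant["scope"]}
        return {"access_token": access_token, "token_type": "Bearer", "scope": grant["scope"]}


class ResourceServer:
    """The contacts API. Here it shares the token store with the authorization
    server (same operator); it checks the token and the granted scope."""

    def __init__(self, auth_server, contacts):
        self.auth_server, self.contacts = auth_server, contacts

    def get_contacts(self, bearer_token):
        info = self.auth_server.tokens.get(bearer_token)
        if info is None or "contacts.read" not in info["scope"].split():
            raise PermissionError("invalid_token or insufficient_scope")
        return self.contacts[info["sub"]]


def run_flow(consent_granted=True):
    """Runs all eight steps for user "you" and returns the contacts obtained."""
    auth = AuthorizationServer()
    api = ResourceServer(auth, {"you": ["alice@mail.example", "bob@mail.example"]})  # constructed
    redirect_uri = "https://punoftheday.example/callback"  # assumed client URL
    client_id, client_secret = auth.register_client(redirect_uri)
    state = secrets.token_urlsafe(16)
    callback = auth.authorize(authorization_request_url(client_id, redirect_uri, "contacts.read", state),
                              user="you", consent_granted=consent_granted)
    params = query_params(callback)
    if not hmac.compare_digest(params.get("state", ""), state):
        raise PermissionError("state mismatch: this callback was not started by our session")
    if "code" not in params:
        raise PermissionError(params.get("error", "no code returned"))
    tok = auth.token(client_id, client_secret, params["code"], redirect_uri)
    return api.get_contacts(tok["access_token"])  # step 8


if __name__ == "__main__":
    print(run_flow())
```

Running the script prints the two constructed contacts. The design point is that the browser only ever sees the authorization code, which is worthless without the client secret held on the back channel, and that every value the browser carried (client ID, redirect URI, state, code) is checked against something the other side already knew before trusting it.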
Client ID and secret
Long before Terrible Pun of the Day was allowed to access your contacts, the client and the authorization server had established a working relationship. The authorization server generated a client ID and a client secret (sometimes called the app ID and app secret) and gave them to the client for use in all future OAuth exchanges.
"Hi! I'd like to work with you!" - "Sure, no problem! Here are your client ID and secret!"
As the name suggests, the client secret must be kept secret so that only the client and the authorization server know it. After all, this is how the authorization server verifies that the client is genuine.
But that's not all... Please welcome OpenID Connect!
OAuth 2.0 is designed only for authorization, that is, for granting one application access to another application's data and features. OpenID Connect (OIDC) is a thin layer on top of OAuth 2.0 that adds login and profile information about the person who signed in.
OpenID Connect makes it possible to implement scenarios where a single login is used across several applications, an approach known as single sign-on (SSO). For example, an application might support SSO with social networks such as Facebook or Twitter so that users can sign in with an account they already have and use.
The OpenID Connect flow is the same as the OAuth flow. The only differences are that the initial request uses a specific scope, openid, and that at the end the client receives both an access token and an ID token.
As in the OAuth flow, the access token in OpenID Connect is opaque to the client. From the client's point of view, the access token is just a string passed along with each request to the resource server, and it is the resource server that determines whether the token is valid. The ID token is something else entirely.
The ID token is a JWT
The ID token is a specially formatted string known as a JSON Web Token, or JWT (sometimes pronounced "jot"). To an outside observer a JWT may look like gibberish, but the client can extract from it information such as your ID, your name, when you logged in, the ID token's expiry time, and whether anyone has tried to tamper with the JWT. The data inside the ID token are called claims.
OIDC also defines a standard way for the client to request additional information about the person (their identity), such as an email address, from the authorization server using the access token.
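An ID token built and checked with nothing but the Python standard library, as an added example that is not part of the original article. It covers the two passages above: the ID token the client receives at the end of the OIDC flow, and the claims it carries (iss, sub, aud, iat, exp, plus a name), including how tampering is detected. The issuer, client ID and shared secret are constructed for the example. It assumes the HS256 algorithm, where the client secret is the HMAC key; real identity providers usually sign with RS256 and the client verifies against the provider's published keys, but the claim checks are the same.

```python
import base64
import hashlib
import hmac
import json
import time

ISSUER = "https://mail.example"        # assumed identity provider (iss claim)
CLIENT_ID = "punoftheday-client"        # assumed client ID (aud claim)
CLIENT_SECRET = b"shared-only-between-client-and-authorization-server"  # constructed


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_id_token(subject, name, now=None, lifetime=300):
    """What the authorization server returns next to the access token when the
    request carried scope=openid. The claims bind the token to an issuer (iss),
    a user (sub), a client (aud) and a validity window (iat/exp)."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "sub": subject, "aud": CLIENT_ID,
              "iat": now, "exp": now + lifetime, "name": name}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    signature = hmac.new(CLIENT_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(signature)


def verify_id_token(token, now=None):
    """The client's checks, in order: structure, algorithm, signature, claims.
    Returns the claims dict or raises ValueError with the reason."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
        if not isinstance(header, dict):
            raise ValueError
    except ValueError:
        raise ValueError("malformed token")
    # The verifier, not the token, decides the algorithm: honouring "none" or a
    # different alg taken from the header would let an attacker forge claims.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(CLIENT_SECRET, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise ValueError("bad signature: tampered with, or not issued for us")
    claims = json.loads(b64url_decode(claims_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != CLIENT_ID:
        raise ValueError("token issued for a different client")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("token expired")
    return claims


def tamper(token, new_name):
    """Attacker-side helper: rewrite the name claim but keep the old signature."""
    header_b64, claims_b64, sig_b64 = token.split(".")
    claims = json.loads(b64url_decode(claims_b64))
    claims["name"] = new_name
    return header_b64 + "." + b64url_encode(json.dumps(claims, separators=(",", ":")).encode()) + "." + sig_b64


if __name__ == "__main__":
    t = issue_id_token("user-42", "Resource Owner")
    print(verify_id_token(t)["name"])
    try:
        verify_id_token(tamper(t, "Mallory"))
    except ValueError as err:
        print(err)
```

Decoding the middle segment of the token with any base64 tool shows the claims in plain JSON, which is why a JWT is readable to the client even though it looks like noise. The signature is what makes the client trust those claims: changing a single character of the payload, replacing the header with alg "none", or presenting a token minted for another client all fail before the claims are used.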
Learn more about OAuth and OIDC
That was a quick look at how OAuth and OIDC work. Ready to dig deeper? Here are some additional resources for learning more about OAuth 2.0 and OpenID Connect:
- What the Heck is OAuth?
- Nobody Cares About OAuth or OpenID Connect
- Implement the OAuth 2.0 Authorization Code with PKCE Flow
- What are OAuth 2.0 Grant Types?
- OAuth 2.0 from the Command Line
- Build a Secure Node.js App with SQL Server
As always, feel free to leave a comment. To get the latest news, subscribe.
P.S. from the translator
Read also on our blog:
- "ABC of Kubernetes security: authentication, authorization, auditing";
- "Users and RBAC authorization in Kubernetes";
- "33+ Kubernetes security tools";
- "Docker container security".
Source: habr.com