A few months ago we implemented an OpenID Connect server to manage access to several hundred internal applications, moving from a small, convenient home-grown scheme to a generally accepted standard. Access through a central service greatly simplifies the repetitive work, cuts the cost of implementing authentication in each application, and makes many ready-made solutions available, so nobody has to puzzle over developing a new one. This article describes that migration and the problems we managed to avoid along the way.
Headaches... how it all began
A few years ago, when there were already too many internal applications to manage by hand, we wrote an application to control internal access. It was a simple Rails application connected to a database holding employee information, in which access to the various features was configured. At the same time we built our first SSO, based on validating a token on both the client side and the authorization server side: the token was sent in an encrypted form built from several parameters and checked by the authorization server. This was not the most convenient option, because every internal application had to carry a sizeable layer of its own logic, and the employee database had to be kept fully in sync with the authorization server.
Some time later we decided to simplify centralized authentication: SSO moved to the load balancer. With the help of OpenResty, a Lua template was added that checks the token, recognizes which application the request is addressed to, and confirms that the user has access to it. This approach made controlling access to internal applications far simpler, since no additional logic had to be written in each application's code. Outside traffic is stopped at the balancer, and the applications themselves know nothing about authorization. This only holds, of course, as long as the applications are reachable exclusively through the balancer and not directly.
Two problems remained unsolved, however. What about applications that need information about employees? An API on the authorization service was possible, but that would again mean extra logic in every such application. We also wanted to remove the dependence of our internal authentication server on one of our self-written applications, which was later released as open source; that is a story for another time. The answer to both problems was OAuth.
Moving to a common standard
OAuth 2.0 is an easily understood and widely adopted standard, but it is an authorization framework: on its own it says nothing about who the end user is, so we went on to look at OpenID Connect (OIDC). OIDC is the third generation of the OpenID standard, built as an identity layer on top of the OAuth 2.0 protocol. It solves the problem of missing end-user data and makes it possible to switch authorization providers later.
Rather than pick a particular provider, however, we decided to add OIDC support to our existing authorization server. The decision was supported by the fact that OIDC is very flexible about how the end user is actually authenticated, so we could implement OIDC on top of the authorization server we already had.
How we implemented our own OIDC server
1) Convert the data into the required form
To integrate OIDC, the existing user data has to be exposed in the form the standard understands. OIDC calls these claims: a claim is essentially one field of the user record (name, email, phone number, and so on). The available claims are grouped into subsets called scopes. During authorization the client requests access to scopes, not to individual claims, even if it does not need every claim in the scope.
2) Implement the required grants
The next part of the OIDC integration is choosing and implementing the authorization types, the so-called grants. How the application and the authorization server interact from then on depends on the grant chosen. An illustrative scheme for choosing a suitable grant is shown in the figure below.
For the first application we used the most common grant, the authorization code grant. What distinguishes it from the others is that it works in two steps, which gives an extra check: first the user requests authorization and receives a short-lived token (the authorization code); then the application uses that code, much like a travel ticket, to request an access token. All of the main interaction in this flow is based on redirects between the application and the authorization server. You can read more about this grant in the OAuth 2.0 specification (RFC 6749, section 4.1).
OAuth follows the principle that the access token obtained after authorization is temporary and, ideally, should be replaced roughly every 10 minutes. The authorization code grant is a two-stage check by redirects, and frankly, going through those stages every 10 minutes is not a pleasant experience. This problem is solved by another grant, the one used most often in practice: the refresh token. Everything is simple here. During the exchange in the code grant, a refresh token is issued alongside the main access token. In our implementation a refresh token can be used only once, and it is normally valid for much longer than the access token. When the TTL (time to live) of the main access token runs out, the request for a new access token goes to the token endpoint with the refresh token grant; the used refresh token is invalidated immediately and a new one is issued together with the new access token. This exchange is a single step and can run in the background without the user noticing. Because a refresh token is effectively a long-lived session, it must be stored only on the application's server side and must be accepted only from the client it was issued to.
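The two grants just described, as an added example that is not the article's own code: a minimal in-memory token issuer in Ruby (the article's authorization server was a Rails application, so Ruby is used here). The class name AuthServer, the method names, the lifetimes (60-second single-use codes, 10-minute access tokens, single-use refresh tokens valid for 30 days) and the reuse-detection policy are assumptions for illustration.

```ruby
require 'securerandom'

# Added example, not the article's code. Lifetimes and policy are assumptions.
class AuthServer
  CODE_TTL    = 60               # authorization codes are single-use and short-lived
  ACCESS_TTL  = 600              # 10 minutes, the lifetime the text suggests
  REFRESH_TTL = 30 * 24 * 3600   # refresh tokens live much longer

  class InvalidGrant < StandardError; end

  # The clock is injectable so expiry can be exercised without sleeping.
  def initialize(clock: -> { Time.now.to_i })
    @clock   = clock
    @codes   = {} # code -> {client_id:, redirect_uri:, user:, scope:, exp:}
    @access  = {} # access token -> {user:, scope:, family:, exp:}
    @refresh = {} # refresh token -> {client_id:, user:, scope:, family:, exp:, used:}
  end

  # Step one of the authorization code grant: after login and consent the
  # server redirects to redirect_uri?code=... with a one-time code.
  def authorize(client_id:, redirect_uri:, user:, scope:)
    code = SecureRandom.urlsafe_base64(32)
    @codes[code] = { client_id: client_id, redirect_uri: redirect_uri,
                     user: user, scope: scope, exp: now + CODE_TTL }
    code
  end

  # Step two: the application exchanges the code at the token endpoint.
  # The code is deleted before any check, so it can never be retried.
  def exchange_code(code:, client_id:, redirect_uri:)
    entry = @codes.delete(code)
    raise InvalidGrant, 'unknown or already used code' unless entry
    raise InvalidGrant, 'expired code' if entry[:exp] <= now
    unless entry[:client_id] == client_id && entry[:redirect_uri] == redirect_uri
      raise InvalidGrant, 'client_id/redirect_uri mismatch'
    end
    mint(client_id, entry[:user], entry[:scope], SecureRandom.uuid)
  end

  # Refresh token grant with rotation: every refresh token works exactly once
  # and yields a new access/refresh pair in the same family. Presenting an
  # already-used token means it leaked, so the whole family is revoked.
  def refresh(refresh_token:, client_id:)
    entry = @refresh[refresh_token]
    raise InvalidGrant, 'unknown refresh token' unless entry
    if entry[:used]
      revoke_family(entry[:family])
      raise InvalidGrant, 'refresh token reuse detected, family revoked'
    end
    raise InvalidGrant, 'client_id mismatch' unless entry[:client_id] == client_id
    raise InvalidGrant, 'expired refresh token' if entry[:exp] <= now
    entry[:used] = true
    mint(client_id, entry[:user], entry[:scope], entry[:family])
  end

  # What the balancer asks on every request: is this access token still valid?
  def introspect(access_token)
    entry = @access[access_token]
    return { active: false } unless entry && entry[:exp] > now
    { active: true, user: entry[:user], scope: entry[:scope] }
  end

  private

  def now
    @clock.call
  end

  def mint(client_id, user, scope, family)
    access  = SecureRandom.urlsafe_base64(32)
    refresh = SecureRandom.urlsafe_base64(32)
    @access[access]   = { user: user, scope: scope, family: family, exp: now + ACCESS_TTL }
    @refresh[refresh] = { client_id: client_id, user: user, scope: scope, family: family,
                          exp: now + REFRESH_TTL, used: false }
    { access_token: access, token_type: 'Bearer', expires_in: ACCESS_TTL,
      refresh_token: refresh, scope: scope }
  end

  def revoke_family(family)
    @access.delete_if  { |_, e| e[:family] == family }
    @refresh.delete_if { |_, e| e[:family] == family }
  end
end

if $PROGRAM_NAME == __FILE__
  srv  = AuthServer.new
  code = srv.authorize(client_id: 'wiki', redirect_uri: 'https://wiki.example/cb',
                       user: 'alice', scope: 'openid profile')
  pair = srv.exchange_code(code: code, client_id: 'wiki', redirect_uri: 'https://wiki.example/cb')
  puts srv.introspect(pair[:access_token]).inspect
  puts srv.refresh(refresh_token: pair[:refresh_token], client_id: 'wiki')[:expires_in]
end
```

The family id ties every token descended from one code exchange together: a replayed refresh token (the attacker's or the legitimate client's, whichever comes second) invalidates all of them, which is the reason single-use refresh tokens are worth the extra bookkeeping. A production token endpoint would additionally authenticate the client and verify the PKCE code_verifier before calling exchange_code.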
3) Configure the output format for user data
Once the chosen grants are implemented, authorization works, and it is worth talking about retrieving data about the end user. OIDC has a separate endpoint for this, the UserInfo endpoint, where the user's data can be requested with the current access token, and what comes back is always the current state. Alternatively, if the user's data changes rarely and the application would otherwise have to look it up again and again, a JWT can be used; these tokens are also supported by the standard. A JWT consists of three parts: a header (information about the token), a payload (the data itself) and a signature (the token is signed by the server, so its origin can be verified afterwards).
In OIDC this JWT is called the id_token. It can be requested together with the usual access token, and then all the application has to do is validate its signature, plus the issuer, audience and expiry claims. The keys needed for that are published by the authorization server: its discovery document, served at /.well-known/openid-configuration, lists all of its endpoints, and the jwks_uri entry in it points to the JSON Web Key Set containing the public signing keys.
For example, Google's discovery document looks like this:
{
"issuer": "https://accounts.google.com",
"authorization_endpoint": "https://accounts.google.com/o/oauth2/v2/auth",
"device_authorization_endpoint": "https://oauth2.googleapis.com/device/code",
"token_endpoint": "https://oauth2.googleapis.com/token",
"userinfo_endpoint": "https://openidconnect.googleapis.com/v1/userinfo",
"revocation_endpoint": "https://oauth2.googleapis.com/revoke",
"jwks_uri": "https://www.googleapis.com/oauth2/v3/certs",
"response_types_supported": [
"code",
"token",
"id_token",
"code token",
"code id_token",
"token id_token",
"code token id_token",
"none"
],
"subject_types_supported": [
"public"
],
"id_token_signing_alg_values_supported": [
"RS256"
],
"scopes_supported": [
"openid",
"email",
"profile"
],
"token_endpoint_auth_methods_supported": [
"client_secret_post",
"client_secret_basic"
],
"claims_supported": [
"aud",
"email",
"email_verified",
"exp",
"family_name",
"given_name",
"iat",
"iss",
"locale",
"name",
"picture",
"sub"
],
"code_challenge_methods_supported": [
"plain",
"S256"
],
"grant_types_supported": [
"authorization_code",
"refresh_token",
"urn:ietf:params:oauth:grant-type:device_code",
"urn:ietf:params:oauth:grant-type:jwt-bearer"
]
}
So with the id_token all the claims an application needs can be carried in the token's payload, and there is no need to call the authorization server every time the user's data is required. The downside of this approach is that changes to the user's data on the server are not reflected immediately, only when a new token is issued. If that matters for a particular claim, such as group membership used for access decisions, keep the token lifetime short or fall back to the UserInfo endpoint for that claim.
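An added example (not the article's code or any project's code) tying together step 1 and step 3 above: it maps a constructed employee record to claims by scope, issues an RS256-signed id_token, publishes the matching JWKS as the jwks_uri would serve it, and performs the application-side verification using only Ruby's standard library. The issuer URL, key id, scope-to-claim table and the custom 'staff' scope are assumptions; the employee record is constructed sample data.

```ruby
require 'openssl'
require 'json'
require 'base64'

# Constructed sample employee record, not real data.
USER = { id: 42, name: 'Alice Example', email: 'alice@example.com',
         email_verified: true, phone: '+1-555-0100', department: 'SRE' }.freeze

# Scope -> claims table. openid/profile/email/phone are standard OIDC scopes;
# 'staff' is an assumed custom scope for the department field.
SCOPE_CLAIMS = {
  'openid' => %w[sub], 'profile' => %w[name], 'email' => %w[email email_verified],
  'phone'  => %w[phone], 'staff' => %w[department]
}.freeze

ISSUER = 'https://auth.example.internal'   # assumed issuer URL
KID    = 'demo-key-1'                       # assumed key id
KEY    = OpenSSL::PKey::RSA.generate(2048)  # signing key generated at load time

# Claims are released per scope, never per individual claim.
def claims_for(user, scopes)
  fields = scopes.flat_map { |s| SCOPE_CLAIMS.fetch(s, []) }.uniq
  fields.each_with_object({}) do |f, out|
    out[f] = (f == 'sub') ? user[:id].to_s : user[f.to_sym]
  end
end

def b64url(bytes)
  Base64.urlsafe_encode64(bytes, padding: false)
end

# What the jwks_uri from the discovery document would serve.
def jwks
  { 'keys' => [{ 'kty' => 'RSA', 'use' => 'sig', 'alg' => 'RS256', 'kid' => KID,
                 'n' => b64url(KEY.n.to_s(2)), 'e' => b64url(KEY.e.to_s(2)) }] }
end

# id_token = header.payload.signature, RS256 over the two base64url parts.
def issue_id_token(user, scopes, client_id, now: Time.now.to_i, ttl: 600)
  header  = { 'alg' => 'RS256', 'typ' => 'JWT', 'kid' => KID }
  payload = claims_for(user, scopes).merge(
    'iss' => ISSUER, 'aud' => client_id, 'iat' => now, 'exp' => now + ttl)
  input = "#{b64url(header.to_json)}.#{b64url(payload.to_json)}"
  "#{input}.#{b64url(KEY.sign(OpenSSL::Digest.new('SHA256'), input))}"
end

# Rebuild a public key from the JWK's n and e through a SubjectPublicKeyInfo
# DER structure (works with OpenSSL 1.1 and 3.x bindings, where keys are immutable).
def rsa_from_jwk(jwk)
  n = OpenSSL::BN.new(Base64.urlsafe_decode64(jwk['n']), 2)
  e = OpenSSL::BN.new(Base64.urlsafe_decode64(jwk['e']), 2)
  rsa_pub = OpenSSL::ASN1::Sequence.new([OpenSSL::ASN1::Integer.new(n),
                                         OpenSSL::ASN1::Integer.new(e)])
  spki = OpenSSL::ASN1::Sequence.new([
    OpenSSL::ASN1::Sequence.new([OpenSSL::ASN1::ObjectId.new('rsaEncryption'),
                                 OpenSSL::ASN1::Null.new(nil)]),
    OpenSSL::ASN1::BitString.new(rsa_pub.to_der)
  ])
  OpenSSL::PKey::RSA.new(spki.to_der)
end

# Application-side verification; returns the payload or nil. Besides the
# signature it checks what the signature alone cannot: the alg is the one the
# provider publishes (never "none" or a symmetric alg), the kid exists in the
# JWKS, iss matches, aud contains this client, and exp is still in the future.
def verify_id_token(token, jwks, client_id, now: Time.now.to_i)
  h64, p64, s64 = token.split('.')
  return nil unless h64 && p64 && s64
  header = JSON.parse(Base64.urlsafe_decode64(h64))
  return nil unless header['alg'] == 'RS256'
  jwk = jwks['keys'].find { |k| k['kty'] == 'RSA' && k['kid'] == header['kid'] }
  return nil unless jwk
  key = rsa_from_jwk(jwk)
  return nil unless key.verify(OpenSSL::Digest.new('SHA256'),
                               Base64.urlsafe_decode64(s64), "#{h64}.#{p64}")
  payload = JSON.parse(Base64.urlsafe_decode64(p64))
  return nil unless payload['iss'] == ISSUER
  return nil unless Array(payload['aud']).include?(client_id)
  return nil unless payload['exp'].is_a?(Integer) && payload['exp'] > now
  payload
rescue ArgumentError, JSON::ParserError, OpenSSL::PKey::PKeyError
  nil
end
```

In a real client the JWKS is fetched from the jwks_uri found in the discovery document, cached, and refetched once when a token arrives with an unknown kid (that is how key rotation works without downtime). The alg check is deliberately pinned to the value the provider publishes in id_token_signing_alg_values_supported rather than taken from the token header, so a forged header cannot downgrade verification.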
Implementation results
With our own OIDC server implemented and connections to it configured on the application side, the problem of passing user information to applications was solved.
Because OIDC is an open standard, there is also the option of choosing an existing provider or server implementation. We tried Keycloak and found its configuration very convenient: once the connection settings are entered on the application side, everything is ready. All that remains on the application side is to change the connection configuration.
A word about existing solutions
Within our organization we assembled our own implementation as the first OIDC server and extended it as needed. Having since looked at other ready-made solutions in detail, I would say that decision is debatable. What supported implementing our own server was the concern that a provider would lack features we needed, and that we had old systems with their own custom authentication for some services, where employee data was already stored. Ready-made implementations do, however, have features that make integration convenient. Keycloak, for example, has its own user management system and stores the data directly, so moving users into it might seem hard; for this Keycloak provides an API that can fully perform all the required migration steps.
In my opinion, another interesting certified implementation is Ory Hydra. It is interesting because it is made up of separate components: to integrate it you link your own user management service to its authentication flow and extend it as needed.
Keycloak and Ory Hydra are not the only ready-made solutions. It is best to choose an implementation certified by the OpenID Foundation; such solutions usually carry the OpenID Certified badge.
If you do not want to maintain an OIDC server, do not forget about the existing commercial providers; there are many good options now.
Next steps
In the near future we plan to route traffic to internal services differently: the current SSO on the balancer, built with OpenResty, will be replaced by an OAuth-based proxy. There are already many ready-made solutions for this, for example:
Further reading
Source: habr.com