oauth 2.0 web messaging response mode - openid summit tokyo 2015

Copyright (C) DeNA Co.,Ltd. All Rights Reserved. OAuth 2.0 Web Messaging Response Mode, OpenID Summit 2015, November 10, 2015. Toru Yamaguchi, Senior Architect, Sub Business Unit Head, Open Platform Business Unit, DeNA Co., Ltd.

Upload: toru-yamaguchi

Post on 16-Apr-2017


TRANSCRIPT

  • OAuth 2.0 Web Messaging Response Mode

    OpenID Summit 2015

    November 10, 2015

    Toru Yamaguchi, Senior Architect, Sub Business Unit Head, Open Platform Business Unit, DeNA Co., Ltd.

  • HN @zigorou

    Mobage

    2

  • OAuth 2.0 Authorization Endpoint, OAuth 2.0 Web Messaging Response Mode

    ! OAuth 2.0 Redirect URI

    ! OAuth 2.0 Form Post Response Mode

    ! OAuth 2.0 Web Messaging Response Mode

    3

  • OAuth 2.0 Redirect URI

    OAuth 2.0 Web Messaging Response Mode

    4

  • OAuth 2.0

    ! Client (End User) Access Token Authorization Server OAuth 2.0 Access Token Protected Resource (API)

    End User / Authorization Server / Client

    1. Redirect to Authorization Request
    2. Authorization Request
    3. Authorization Response
    4. Redirect to Redirect URI
    5. Token Request
    6. Token Response

    5

  • Authorization Code Grant

    ! Authorization Response Redirect URI UserAgent HTTP

    http://goo.gl/kfZTNY

    6

  • Authorization Request

    ! RFC 6749 Authorization Code Grant Authorization Request

    GET /authorize?
        response_type=code&
        client_id=s6BhdRkqt3&
        state=xyz&
        redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb HTTP/1.1
    Host: server.example.com

    7

  • Authorization Response

    ! RFC 6749 Authorization Code Grant Authorization Response

    HTTP/1.1 302 Found
    Location: https://client.example.com/cb?
        code=SplxlOBeZQQYbYS6WxSbIA&
        state=xyz

    8

  • Implicit Grant

    ! Implicit Grant Token Response Authorization Endpoint HTTP Access Token URI Fragment (#) JavaScript parse

    http://goo.gl/95ddOd

    9

  • Redirect URI

    ! User Agent HTTP HTTP UX Single Page Application Implicit Protected Resource Access Token JavaScript XSS Access Token

    ! Web Message Response Mode

    10

  • OAuth 2.0 Form Post Response Mode

    OAuth 2.0 Web Messaging Response Mode

    11

  • Form Post Response Mode

    ! Spec https://openid.net/specs/oauth-v2-form-post-response-mode-1_0.html

    ! Authorization Endpoint HTTP JavaScript form POST

    12

  • Authorization Code Grant w/ form post

    ! Authorization Response form submit

    http://goo.gl/3ci98I

    13

  • Authorization Request

    ! Authorization Request response_mode form_post

    GET /authorize?
        response_type=id_token
        &response_mode=form_post
        &client_id=some_client
        &scope=openid
        &redirect_uri=https%3A%2F%2Fclient.example.org%2Fcallback
        &state=DcP7csa3hMlvybERqcieLHrRzKBra
        &nonce=2T1AgaeRTGTMAJyeDMN9IJbgiUG HTTP/1.1
    Host: server.example.com

    14


  • Authorization Response (1)

    ! Redirect URI HTTP POST Submit

    HTTP/1.1 200 OK
    Content-Type: text/html;charset=UTF-8
    Cache-Control: no-cache, no-store
    Pragma: no-cache

    Submit This Form

    16

  • Authorization Response (2)

    ! JavaScript UserAgent Redirect URI

    POST /callback HTTP/1.1
    Host: client.example.org
    Content-Type: application/x-www-form-urlencoded

    id_token=eyJhbGciOiJSUzI1NiIsImtpZCI6IjEifQ.eyJzdWIiOiJqb2huIiwiYXVkIjoiZmZzMiIsImp0aSI6ImhwQUI3RDBNbEo0c2YzVFR2cllxUkIiLCJpc3MiOiJodHRwczpcL1wvbG9jYWxob3N0OjkwMzEiLCJpYXQiOjEzNjM5MDMxMTMsImV4cCI6MTM2MzkwMzcxMywibm9uY2UiOiIyVDFBZ2FlUlRHVE1BSnllRE1OOUlKYmdpVUciLCJhY3IiOiJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YWM6Y2xhc3NlczpQYXNzd29yZCIsImF1dGhfdGltZSI6MTM2MzkwMDg5NH0.c9emvFayy-YJnO0kxUNQqeAoYu7sjlyulRSNrru1ySZs2qwqqwwq-Qk7LFd3iGYeUWrfjZkmyXeKKs_OtZ2tI2QQqJpcfrpAuiNuEHII-_fkIufbGNT_rfHUcY3tGGKxcvZO9uvgKgX9Vs1v04UaCOUfxRjSVlumE6fWGcqXVEKhtPadj1elk3r4zkoNt9vjUQt9NGdm1OvaZ2ONprCErBbXf1eJb4NW_hnrQ5IKXuNsQ1g9ccT5DMtZSwgDFwsHMDWMPFGax5Lw6ogjwJ4AQDrhzNCFc0uVAwBBb772-86HpAkGWAKOK-wTC6ErRTcESRdNRe0iKb47XRXaoz5acA&
    state=DcP7csa3hMlvybERqcieLHrRzKBra

    17

  • Form Post Response Mode

    ! GET URI RFC UserAgent HTTP Server

    ! Authorization Request response_type id_token POST URI Fragment (OpenID Connect 1.0) Browser JavaScript parse ID Token JWT JWS or JWE Form Post Implicit ID Token Server

    ! response_mode

    18

  • OAuth 2.0 Web Messaging Response Mode

    OAuth 2.0 Web Messaging Response Mode

    19

  • OAuth 2.0 Web Messaging Response Mode

    ! Spec https://tools.ietf.org/html/draft-sakimura-oauth-wmrm-00

    ! postMessage() response_mode web_message Google+ SignIn Mobage Connect simple, relay relay Access Token

    20

  • Redirect URI

    ! User Agent HTTP HTTP UX Single Page Application Implicit Protected Resource Access Token JavaScript XSS Access Token

    ! Web Message Response Mode

    21

  • SPA UX

    ! Single Page Application submit

    ! window.open() window window Authorization Grant Authorization Response Web Messaging Response Mode window window frame (window.postMessage())

    22

  • Unauthenticated Window Messaging (simple mode)

    ! Unauthenticated Window window End User Authorization window

    Main Window (Public Client) / Unauthenticated Window / Authorization Server

    // Main Window (public client)
    window.addEventListener('message', authorizationResponseListener, false);
    var win = window.open('https://as.example.com/authorize?...', '_new');

    // Unauthenticated Window (document returned by the Authorization Server)
    window.opener.postMessage(authorizationResponse, redirectURI);

    1. Window Authorization Request
    2. Authorization Request
    3. Authorization Response
    4. Authorization Response

    23

  • Immediate Login [1]

    ! OpenID Connect AuthZ Request prompt none Immediate Login

    GET /authorize?
        response_type=code&
        scope=openid%20profile&
        client_id=s6BhdRkqt3&
        state=xyz123&
        prompt=none&
        redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb HTTP/1.1

    HTTP/1.1 302 Found
    Location: https://client.example.org/cb?
        error=login_required&
        state=xyz123

    1. Authorization Request
    2. Authorization Request

    24

  • Immediate Login [2]

    ! Immediate Login iframe iframe load iframe src Redirect URI Redirect URI postMessage Main Window

    Main Window (Public Client) / Authenticated Window / Authorization Server

    // Main Window (public client)
    var iframe = document.createElement('iframe');
    iframe.addEventListener('load', authorizationResponseListener, false);
    iframe.src = 'https://as.example.com/authorize?...';
    // the iframe only loads once it is attached to the document
    document.body.appendChild(iframe);

    1. iframe Authorization Request
    2. Authorization Request
    3. Authorization Response
    4. Authorization Response (load)

    25

  • Authenticated Window Messaging (simple mode)

    ! Authenticated Window iframe End User Authorization window

    Main Window (Public Client) / Authenticated Window / Authorization Server

    // Main Window (public client)
    window.addEventListener('message', authorizationResponseListener, false);
    var iframe = document.createElement('iframe');
    iframe.src = 'https://as.example.com/authorize?...';
    document.body.appendChild(iframe);

    // Authenticated Window (document returned by the Authorization Server)
    window.parent.postMessage(authorizationResponse, redirectURI);

    1. iframe Authorization Request
    2. Authorization Request
    3. Authorization Response
    4. Authorization Response

    26
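The slides name authorizationResponseListener but never show it. Below, as an added example that is not from the deck or the Mobage SDK, is a listener that accepts a web_message response only from the expected authorization server origin, only from the window the client itself opened or embedded, and only for the state of its own pending request; the same function serves the opener (window.open) and parent (iframe) variants. The JSON layout of the posted message (state, code, error fields) is an assumption here, as is the response_mode=web_message query string.

```javascript
// Added example, not from the slides: the checks a public client must make
// before trusting a postMessage'd authorization response. Message layout
// (a JSON object or string carrying state / code / error) is an assumption.

// What the client remembered before it opened the window or iframe.
// sourceWindow is the return value of window.open() or iframe.contentWindow.
function makePendingRequest(asOrigin, state, sourceWindow) {
  return { asOrigin: asOrigin, state: state, sourceWindow: sourceWindow };
}

// Returns the accepted response, or null when the message must be ignored.
// Ignoring silently is deliberate: any page can call postMessage on this
// window, so an unexpected message is noise, not something to act on.
function handleAuthorizationMessage(event, pending) {
  // 1. origin is set by the browser, not the sender: it must be the AS.
  if (event.origin !== pending.asOrigin) return null;
  // 2. It must be the very window we opened/embedded, not another
  //    document the AS origin happens to serve at the same time.
  if (pending.sourceWindow && event.source !== pending.sourceWindow) return null;
  // 3. Parse defensively; reject anything that is not a JSON object.
  var msg = event.data;
  if (typeof msg === 'string') {
    try { msg = JSON.parse(msg); } catch (e) { return null; }
  }
  if (!msg || typeof msg !== 'object') return null;
  // 4. state must match this window's own pending request (CSRF binding).
  if (msg.state !== pending.state) return null;
  // 5. Errors are valid outcomes, e.g. login_required from prompt=none.
  if (typeof msg.error === 'string') return { error: msg.error, state: msg.state };
  if (typeof msg.code !== 'string') return null;
  return { code: msg.code, state: msg.state };
}

// Browser wiring for the unauthenticated (window.open) variant; for the
// iframe variant pass iframe.contentWindow instead. Skipped under Node.
if (typeof window !== 'undefined') {
  var state = 'xyz123'; // use a fresh random value per request in practice
  var win = window.open('https://as.example.com/authorize?response_type=code' +
    '&response_mode=web_message&client_id=s6BhdRkqt3&state=' + state +
    '&redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb', '_blank');
  var pending = makePendingRequest('https://as.example.com', state, win);
  window.addEventListener('message', function authorizationResponseListener(event) {
    var res = handleAuthorizationMessage(event, pending);
    if (res && res.code) { /* hand res.code to the backend for the token request */ }
  }, false);
}
```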

  • Response Mode window.open() Redirect SPA Mobage JavaScript SDK (Unauthenticated Window) Immediate Login (Authenticated Window) Response Mode

    ! relay mode

    27

  • Hybrid Flow scope [1]

    ! Hybrid Flow OpenID Connect Implicit Authorization Code response_type

    Redirect Endpoint (public client) / Client Server (confidential client) / Authorization Server (Authorization Endpoint, Token Endpoint) / Protected Resource Server API

    1. Authorization Response
    2. Token Request
    3. Token Response
    code, access_token(implicit), id_token(implicit)
    access_token(authorization_code)
    API access

    28

  • Hybrid Flow scope [2]

    ! Authorization Request scope Authorization Code/Implicit Implicit access token confidential client public client

    ! public client access token access token API access token Hybrid Flow scope

    29

  • Unauthenticated Window Messaging (relay mode)

    ! Main Window Relay Request/Response Main Window window window frames origin

    Main Window (Public Client) / Unauthenticated Window / Message Targeted Window / Authorization Server / Protected Resource Server

    1. iframe
    2. Window Authorization Request
    2. Authorization Request
    3. Authorization Response
    4. Relay Request
    5. Relay Response
    6. Authorization Response
    API Access

    30

  • Relay Mode JavaScript SDK

    ! Authorization Response (access token) Message Targeted Window Main Window access token

    ! Main Window Message Targeted Window window.postMessage() API request/response access token API

    31

  • IE11 window.postMessage() Edge

    32

  • draft Message window Web Worker UI

    33

  • Web Message Response Mode Redirect SPA UX Immediate Login

    ! relay mode Main Window access token Message Targeted Window API

    34
