OpenID Connect support in AD (the Microsoft one)
2014/04/25 #idcon vol.18
Naohiro Fujie @phr_eidentity http://idmlab.eidentity.jp

AD? Advertising, or Active Directory? (image: an Echigoya flyer; source: Wikipedia)

Active Directory
• Windows Server Active Directory
• Microsoft Azure Active Directory
Overview
Azure AD for Developers
• Identity Provider
  • As a directory service: Users/Groups (synced with WSAD)
  • Protocol support: SAML, WS-Federation, OpenID Connect
  • External IdP support: SAML, WS-Federation
  • Other features: Multi-Factor AuthN, Self-Service Password Reset
• Authorization Server
  • Register WebApps/APIs as protected resources

Identity Provider (architecture diagram)
• Accounts: Microsoft Account, Azure AD Account
• Endpoints at https://login.windows.com / https://login.microsoftonline.com: SAML endpoint, ws-fed endpoint, OAuth2.0 AuthZ/Token endpoint
• RPs: SAML-SP application, ws-fed RP application, OpenID Connect RP application
• Ext IdPs: 3rd-party SAML IdP (as a SAML SP towards it), selected via Home Realm Discovery; ws-fed towards the RPs
OpenID Connect Support
Discovery document: https://login.windows.net/nfujie2.onmicrosoft.com/.well-known/openid-configuration

    {
      "issuer": "https://sts.windows.net/b9a84eb8-a888-4f41-bb75-43447e36486a/",
      "authorization_endpoint": "https://login.windows.net/b9a84eb8-a888-4f41-bb75-43447e36486a/oauth2/authorize",
      "token_endpoint": "https://login.windows.net/b9a84eb8-a888-4f41-bb75-43447e36486a/oauth2/token",
      "token_endpoint_auth_methods_supported": ["client_secret_post", "private_key_jwt"],
      "jwks_uri": "https://login.windows.net/common/discovery/keys",
      "response_types_supported": ["code", "id_token", "code id_token"],
      "response_modes_supported": ["query", "fragment", "form_post"],
      "subject_types_supported": ["pairwise"],
      "scopes_supported": ["openid"],
      "id_token_signing_alg_values_supported": ["RS256"],
      "microsoft_multi_refresh_token": true,
      "check_session_iframe": "https://login.windows.net/b9a84eb8-a888-4f41-bb75-43447e36486a/oauth2/checksession",
      "end_session_endpoint": "https://login.windows.net/b9a84eb8-a888-4f41-bb75-43447e36486a/oauth2/logout"
    }

Points to note: the issuer is tenant-specific (it carries the tenant ID, not the domain name used in the URL), while the signing keys are served tenant-independently under /common; only RS256 is offered for id_token signing; subject identifiers are pairwise; form_post is among the supported response modes.

Sequence (ASP.NET MVC5 App)

Authorization Server
OAuth2.0 AuthZ/Token Endpoint, OAuth2.0 Client, WebAPI Registry
Register as a protected resource (using the manifest file)

    ClientID       Resource      Grant
    be6ddad6-…     http://hoge   read,write
    aa5dd18u-…     http://bar    read
    cc45aa89-…     Azure AD      SSO,read,write

Registering the WebAPI and its permissions (excerpt from the application manifest of the preview; later versions of the manifest name this array oauth2Permissions)

    "appPermissions": [
      {
        "claimValue": "user_impersonation",
        "description": "Allow the application full access to the Todo List service on behalf of the signed-in user",
        "directAccessGrantTypes": [],
        "displayName": "Have full access to the Todo List service",
        "impersonationAccessGrantTypes": [{"impersonated": "User", "impersonator": "Application"}],
        "isDisabled": false,
        "origin": "Application",
        "permissionId": "b69ee3c9-c40d-4f2a-ac80-961cd1534e40",
        "resourceScopeType": "Personal",
        "userConsentDescription": "Allow the application full access to the todo service on your behalf",
        "userConsentDisplayName": "Have full access to the todo service"
      }
    ],
Client libraries
• OWIN: Open Web Interface for .NET (http://owin.org)
  • Provides an interface that abstracts the web server away
  • A common interface not only for IIS/ASP.NET but also for self-hosting (native apps)
• OWIN security components (examples)
  • Microsoft.Owin.Security.OAuth
  • Microsoft.Owin.Security.Google
  • Microsoft.Owin.Security.Facebook
  • Microsoft.Owin.Security.MicrosoftAccount
  • Microsoft.Owin.Security.Twitter
  • Microsoft.Owin.Security.Foursquare
  • Microsoft.Owin.Security.OpenIdConnect

OWIN OpenIdConnect Middleware

    // Startup.Auth.cs, preview-era Microsoft.Owin.Security.OpenIdConnect
    // (the Client_Id property was renamed ClientId in the released 3.x middleware)
    using Microsoft.Owin.Security;
    using Microsoft.Owin.Security.Cookies;
    using Microsoft.Owin.Security.OpenIdConnect;
    using Owin;

    // The OpenID Connect middleware signs the user into the cookie middleware,
    // so the cookie middleware has to be registered as the default sign-in type.
    app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
    app.UseCookieAuthentication(new CookieAuthenticationOptions());

    app.UseOpenIdConnectAuthentication(
        new OpenIdConnectAuthenticationOptions
        {
            Client_Id = "be6ddad6-3eca-433c-a00b-b5753c04c703",            // application ID registered in Azure AD
            Authority = "https://login.windows.net/nfujie.onmicrosoft.com", // tenant; metadata is read from {Authority}/.well-known/openid-configuration
            Description = new Microsoft.Owin.Security.AuthenticationDescription()
            {
                Caption = "OpenID Connect"
            }
        });

OpenIdConnectAuthenticationNotifications
Handlers are written for the following events.
Note: at the moment the middleware only reacts to POST. Is that why response_mode=form_post is the default?
• AccessCodeReceived
• AuthenticationFailed
• MessageReceived
• RedirectToIdentityProvider
• SecurityTokenReceived
• SecurityTokenValidated
• SignedIn
• SignedOut

AccessCodeReceived: code -> token (exchanging the authorization code for an access token with ADAL)

    using System;
    using System.Threading.Tasks;
    using System.Web;
    using Microsoft.IdentityModel.Clients.ActiveDirectory; // ADAL
    using Microsoft.Owin.Security.OpenIdConnect;

    // clientId, appKey (the client secret), authority and graphResourceId are the
    // values registered for this application in Azure AD; they are assumed here.
    Notifications = new OpenIdConnectAuthenticationNotifications()
    {
        AccessCodeReceived = (context) =>
        {
            var code = context.Code;
            ClientCredential credential = new ClientCredential(clientId, appKey);
            AuthenticationContext authContext = new AuthenticationContext(authority);
            // The redirect URI must be exactly the one used in the authorization
            // request, otherwise the token endpoint rejects the exchange.
            AuthenticationResult result = authContext.AcquireTokenByAuthorizationCode(
                code,
                new Uri(HttpContext.Current.Request.Url.GetLeftPart(UriPartial.Path)),
                credential,
                graphResourceId);
            // result.AccessToken is the bearer token for graphResourceId; ADAL also
            // puts it in its token cache for later use. The delegate returns a Task.
            return Task.FromResult(0);
        }
    }
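The discovery document above gives an RP everything it must pin before trusting an id_token (issuer, jwks_uri, RS256 only), and the notifications slide notes that responses arrive by form_post. The following is an added example, not code from these slides or from Microsoft's middleware, written in Python so it runs stand-alone: it shows what SecurityTokenValidated does for you, namely receiving a form_post response, checking state, and validating the id_token's alg, signature, iss, aud, exp and nonce against the metadata. The RSA/JWK routines, the signing key and the JWKS are hand-rolled stand-ins for the keys served at jwks_uri so the code runs offline; the client ID, nonce, state and claim values used with it are constructed for the example.

```python
import base64, hashlib, hmac, json, random, time
from urllib.parse import parse_qs

# Copied from the discovery document on the slide: the RP pins issuer and alg from here and
# fetches keys from jwks_uri (a constructed JWKS stands in for it below so this runs offline).
DISCOVERY = {
    "issuer": "https://sts.windows.net/b9a84eb8-a888-4f41-bb75-43447e36486a/",
    "jwks_uri": "https://login.windows.net/common/discovery/keys",
    "id_token_signing_alg_values_supported": ["RS256"],
}

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")

# --- Minimal RSA / RS256, demo only; a real RP uses a vetted JOSE library ---
def _is_probable_prime(n, rounds=16):  # Miller-Rabin; callers pass odd n
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        if all((x := x * x % n) != n - 1 for _ in range(r - 1)):
            return False
    return True

def generate_rsa_key(bits=1024):  # (n, e, d) for a throwaway IdP signing key
    e, primes = 65537, []
    while len(primes) < 2:
        cand = random.getrandbits(bits // 2) | (1 << (bits // 2 - 1)) | 1
        if _is_probable_prime(cand) and cand not in primes and (cand - 1) % e:
            primes.append(cand)  # (cand - 1) % e != 0 keeps gcd(e, phi) == 1
    p, q = primes
    return p * q, e, pow(e, -1, (p - 1) * (q - 1))

def _emsa_pkcs1_v15(msg, k):  # PKCS#1 v1.5 encoding of the SHA-256 DigestInfo
    t = bytes.fromhex("3031300d060960864801650304020105000420") + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rs256_sign(msg, n, d):
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(_emsa_pkcs1_v15(msg, k), "big"), d, n).to_bytes(k, "big")

def rs256_verify(msg, sig, n, e):
    k = (n.bit_length() + 7) // 8
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    return len(sig) == k and hmac.compare_digest(em, _emsa_pkcs1_v15(msg, k))

def jwks_for(kid, n, e):  # what jwks_uri would serve for this key
    enc = lambda x: b64url_encode(x.to_bytes((x.bit_length() + 7) // 8, "big"))
    return {"keys": [{"kty": "RSA", "use": "sig", "kid": kid, "n": enc(n), "e": enc(e)}]}

def mint_id_token(claims, kid, n, d, alg="RS256"):  # issuer side (test fixture)
    head = {"typ": "JWT", "alg": alg, "kid": kid}  # signed with RS256 whatever alg says
    signing_input = ".".join(b64url_encode(json.dumps(x).encode()) for x in (head, claims))
    return signing_input + "." + b64url_encode(rs256_sign(signing_input.encode("ascii"), n, d))

class IdTokenError(Exception):
    pass

def validate_id_token(token, jwks, client_id, expected_nonce, now=None, skew=300):
    # RP side: pinned alg, signature with the published key, then iss, aud, exp, nonce.
    try:
        h, p, s = token.split(".")
        header, claims, sig = json.loads(b64url_decode(h)), json.loads(b64url_decode(p)), b64url_decode(s)
    except (ValueError, UnicodeDecodeError) as exc:
        raise IdTokenError("malformed token") from exc
    if header.get("alg") not in DISCOVERY["id_token_signing_alg_values_supported"]:
        raise IdTokenError("unexpected alg %r" % header.get("alg"))  # blocks alg=none / HS256 downgrade
    key = next((k for k in jwks["keys"] if k.get("kty") == "RSA" and k.get("kid") == header.get("kid")), None)
    if key is None:
        raise IdTokenError("no RSA key with kid %r" % header.get("kid"))
    n, e = (int.from_bytes(b64url_decode(key[f]), "big") for f in ("n", "e"))
    if not rs256_verify((h + "." + p).encode("ascii"), sig, n, e):
        raise IdTokenError("bad signature")
    if claims.get("iss") != DISCOVERY["issuer"]:
        raise IdTokenError("issuer mismatch")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise IdTokenError("token was not issued to this client")
    if (time.time() if now is None else now) > claims.get("exp", 0) + skew:
        raise IdTokenError("token expired")
    if claims.get("nonce") != expected_nonce:
        raise IdTokenError("nonce mismatch (replayed token?)")
    return claims  # sub is pairwise here: unique to this client_id, not comparable across apps

def handle_form_post(body, expected_state, jwks, client_id, expected_nonce, now=None):
    # response_mode=form_post: the IdP POSTs id_token, code and state to the redirect_uri.
    form = parse_qs(body)
    if form.get("state", [None])[0] != expected_state:  # state binds the response to our session
        raise IdTokenError("state mismatch (CSRF or mixed-up response?)")
    if "id_token" not in form:
        raise IdTokenError("response carries no id_token")
    claims = validate_id_token(form["id_token"][0], jwks, client_id, expected_nonce, now)
    return claims, form.get("code", [None])[0]  # code goes on to the server-side exchange
```

The alg check comes before the key lookup on purpose: the discovery document says RS256 only, so a token claiming "none" or an HMAC algorithm is rejected before any key material is consulted. state is compared before the token is touched, because a response that does not belong to a request this RP started should never reach the validator.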
DEMO
• ASP.NET MVC
• Sign in: id_token
• Graph API access: code -> access token

Summary
• There are two Active Directories
  • Windows Server Active Directory
  • Microsoft Azure Active Directory
• Microsoft Azure Active Directory has the following features (among others)
  • Identity Provider (directory, multiple protocols, MFA, ...)
  • Authorization Server
• Client libraries are provided
• OpenID Connect support is a pre-release; how general-purpose it will be remains to be seen
Slides: http://www.slideshare.net/naohiro.fujie/admicrosoftopen-id-connect