Ad（microsoftの方）のOpenId Connect対応

AD（Microsoftの方）の OpenID Connect対応 2014/04/25 #idcon vol.18 Naohiro Fujie @phr_eidentity http://idmlab.eidentity.jp

AD? Advertising Active Directory 越後屋のチラシ 出典：wikipedia

Active Directory •Windows Server Active Directory •Microsoft Azure Active Directory

Overview

Azure AD for Developers • Identity Provider • ディレクトリサービスとして : Users/Groups (sync with WSAD) • プロトコル・サポート : SAML, ws-federation, OpenID Connect • 外部IdPのサポート : SAML, ws-federation • その他機能 : Multi-Factor AuthN, Self-Service Password Reset • Authorization Server • Register WebApps/API as protected resource

Identity Provider Application SAML-SP Application ws-fed RP Application OpenID Connect RP Microsoft Account Azure AD Account https://login.windows.com https://login.microsoftonline.com 3rd Party SAML IdP SAML EndPoint ws-fed EndPoint Ext IdPs RPs Home Realm Discover OAuth2.0 AuthZ/Token EndPoint

Identity Provider Application SAML-SP Application ws-fed RP Application OpenID Connect RP Microsoft Account Azure AD Account https://login.windows.com https://login.microsoftonline.com 3rd Party SAML IdP SAML EndPoint ws-fed EndPoint Ext IdPs RPs Home Realm Discover OAuth2.0 AuthZ/Token EndPoint ws- fed ws- fed ws- fed SAML ws res SAML SP

OpenID Connect Support https://login.windows.net/nfujie2.onmicrosoft.com/.well-known/openid-configuration { "issuer":"https://sts.windows.net/b9a84eb8-a888-4f41-bb75-43447e36486a/", "authorization_endpoint":"https://login.windows.net/b9a84eb8-a888-4f41-bb75-43447e36486a/oauth2/authorize", "token_endpoint":"https://login.windows.net/b9a84eb8-a888-4f41-bb75-43447e36486a/oauth2/token", "token_endpoint_auth_methods_supported":["client_secret_post","private_key_jwt"], "jwks_uri":"https://login.windows.net/common/discovery/keys", "response_types_supported":["code","id_token","code id_token"], "response_modes_supported":["query","fragment","form_post"], "subject_types_supported":["pairwise"], "scopes_supported":["openid"], "id_token_signing_alg_values_supported":["RS256"], "microsoft_multi_refresh_token":true, "check_session_iframe":"https://login.windows.net/b9a84eb8-a888-4f41-bb75-43447e36486a/oauth2/checksession", "end_session_endpoint":"https://login.windows.net/b9a84eb8-a888-4f41-bb75-43447e36486a/oauth2/logout" }

Sequence(ASP.NET MVC5 App)

Authorization Server OAuth2.0 AuthZ/Token EndPoint OAuth2.0 Client WebAPI Registry Register as a protected resource (use manifest file) ClientID Resource Grant be6ddad6-…. http://hoge read,write aa5dd18u-… http://bar read cc45aa89-… Azure AD SSO,read,write

WebAPIの登録とパーミッションの登録 "appPermissions": [ { "claimValue": "user_impersonation", "description": "Allow the application full access to the Todo List service on behalf of the signed-in user", "directAccessGrantTypes": [], "displayName": "Have full access to the Todo List service", "impersonationAccessGrantTypes": [{"impersonated": "User","impersonator": "Application"}], "isDisabled": false, "origin": "Application", "permissionId": "b69ee3c9-c40d-4f2a-ac80-961cd1534e40", "resourceScopeType": "Personal", "userConsentDescription": "Allow the application full access to the todo service on your behalf", "userConsentDisplayName": "Have full access to the todo service" }],

クライアント・ライブラリ • OWIN : Open Web Interface for .NET(http://owin.org) • サーバを抽象化したインターフェースを提供 • IIS/ASP.NETだけでなくセルフホスト（ネイティブアプリ）への共通インターフェース • OWIN Security Component（例） • Microsoft.Owin.Security.OAuth • Microsoft.Own.Security.Google • Microsoft.Own.Security.Facebook • Microsoft.Own.Security.MicrosoftAccount • Microsoft.Own.Security.Twitter • Microsoft.Own.Security.Foursquare • Microsoft.Own.Security.OpenIdConnect

OWIN OpenIdConnect Middleware app.UseOpenIdConnectAuthentication( new OpenIdConnectAuthenticationOptions { Client_Id = "be6ddad6-3eca-433c-a00b-b5753c04c703", Authority = "https://login.windows.net/nfujie.onmicrosoft.com", Description = new Microsoft.Owin.Security.AuthenticationDescription() { Caption = "OpenID Connect" } });

OpenIdConnectAuthenticationNotifications 以下のイベントに応じて処理を記述 ※今のところPOSTにしか反応しない。response_mode=form_postがデフォルトの理由？ • AccessCodeReceived • AuthenticationFailed • MessageReceived • RedirectToIdentityProvider, • SecurityTokenReceived • SecurityTokenValidated • SignedIn • SignedOut

AccessCodeRecieved:code->token Notifications = new OpenIdConnectAuthenticationNotifications() { AccessCodeReceived = (context) => { var code = context.Code; ClientCredential credential = new ClientCredential(clientId, appKey); AuthenticationContext authContext = new AuthenticationContext(authority); AuthenticationResult result = authContext.AcquireTokenByAuthorizationCode( code, new Uri(HttpContext.Current.Request.Url.GetLeftPart(UriPartial.Path)), credential, graphResourceId); } }

DEMO ASP.NET MVC Sign in : id_token Graph API access : code->access token

まとめ • Active Directoryにも2つあります • Windows Server Active Directory • Microsoft Azure Active Directory • Microsoft Azure Active Directoryには以下の機能があります（他に もあるけど） • Identity Provider（ディレクトリ、複数プロトコルサポート、MFA…） • Authorization Server • クライアント・ライブラリも用意されています • OpenID Connect対応はプレリリース。まだ汎用性は…？