{"id":22281,"date":"2019-04-01T09:00:25","date_gmt":"2019-04-01T00:00:25","guid":{"rendered":"https:\/\/www.techscore.com\/blog\/?p=22281"},"modified":"2019-04-01T14:25:25","modified_gmt":"2019-04-01T05:25:25","slug":"hydra-microservice-auth","status":"publish","type":"post","link":"https:\/\/www.techscore.com\/blog\/2019\/04\/01\/hydra-microservice-auth\/","title":{"rendered":"ORY Hydra \u3067\u30de\u30a4\u30af\u30ed\u30b5\u30fc\u30d3\u30b9\u306e\u8a8d\u8a3c\u8a8d\u53ef\u3092\u8a66\u3059"},"content":{"rendered":"<p>\u3053\u3093\u306b\u3061\u306f\u3001\u767d\u5ddd\u3067\u3059\u3002<\/p>\n<p>\u4eca\u56de\u306f\u3001 <a href=\"https:\/\/github.com\/ory\/hydra\">ORY Hydra<\/a> \u3092\u4f7f\u3063\u305f OpenID Connect Provider \u306e\u69cb\u7bc9\u306b\u3064\u3044\u3066\u7d39\u4ecb\u3057\u307e\u3059\u3002<\/p>\n<h2>\u30de\u30a4\u30af\u30ed\u30b5\u30fc\u30d3\u30b9\u306b\u304a\u3051\u308b\u8a8d\u8a3c\u30fb\u8a8d\u53ef<\/h2>\n<p>\u30e2\u30ce\u30ea\u30b7\u30c3\u30af\u306a Web \u30a2\u30d7\u30ea\u30b1\u30fc\u30b7\u30e7\u30f3\u3067\u306f\u3001\u901a\u5e38\u306f\u305d\u306e\u30a2\u30d7\u30ea\u30b1\u30fc\u30b7\u30e7\u30f3\u81ea\u4f53\u304c\u30e6\u30fc\u30b6\u60c5\u5831\u3092\u4fdd\u6301\u3057\u3001\u30e6\u30fc\u30b6\u306e\u8a8d\u8a3c\u3068\u30bb\u30c3\u30b7\u30e7\u30f3\u306e\u751f\u6210\u3092\u884c\u306a\u3044\u307e\u3059\u3002<br \/>\n<a href=\"https:\/\/www.ibm.com\/developerworks\/jp\/cloud\/library\/cl-bluemix-microservices-in-action-part-1-trs\/\">\u30de\u30a4\u30af\u30ed\u30b5\u30fc\u30d3\u30b9<\/a>\u3092\u69cb\u6210\u3059\u308b\u5404\u30b5\u30fc\u30d3\u30b9\u304c\u3001\u30e2\u30ce\u30ea\u30b7\u30c3\u30af\u306a Web \u30a2\u30d7\u30ea\u30b1\u30fc\u30b7\u30e7\u30f3\u3068\u540c\u3058\u3088\u3046\u306b\u30e6\u30fc\u30b6\u60c5\u5831\u3092\u4fdd\u6301\u3059\u308b\u3068\u3001\u5229\u7528\u3059\u308b\u30e6\u30fc\u30b6\u306f\u30b5\u30fc\u30d3\u30b9\u9593\u3092\u79fb\u52d5\u3059\u308b\u969b\u306b\u5225\u3005\u306b\u30ed\u30b0\u30a4\u30f3\u3057\u306a\u3044\u3068\u3044\u3051\u306a\u304f\u306a\u308a\u307e\u3059\u3002<br \/>\n\u3057\u304b\u3057\u3001\u5358\u7d14\u306b\u5404\u30b5\u30fc\u30d3\u30b9\u9593\u3067\u30e6\u30fc\u30b6\u60c5\u5831\u3084\u30bb\u30c3\u30b7\u30e7\u30f3\u3092\u30c7\u30fc\u30bf\u30d9\u30fc\u30b9\u3067\u5171\u6709\u3059\u308b\u65b9\u6cd5\u3092\u3068\u3063\u305f\u5834\u5408\u3001\u30e6\u30fc\u30b6\u304c\u8a8d\u8a3c\u3055\u308c\u3066\u3044\u308b\u304b\u3092\u77e5\u308b\u305f\u3081\u306b\u3001\u3059\u3079\u3066\u306e\u30b5\u30fc\u30d3\u30b9\u304c\u30c7\u30fc\u30bf\u30d9\u30fc\u30b9\u306b\u30a2\u30af\u30bb\u30b9\u3057\u306a\u3044\u3068\u3044\u3051\u306a\u304f\u306a\u3063\u3066\u3057\u307e\u3044\u307e\u3059\u3057\u3001\u30c7\u30fc\u30bf\u30d9\u30fc\u30b9\u30b9\u30ad\u30fc\u30de\u66f4\u65b0\u306e\u969b\u306f\u5168\u30b5\u30fc\u30d3\u30b9\u306b\u5f71\u97ff\u304c\u51fa\u3066\u3057\u307e\u3044\u307e\u3059\u3002<\/p>\n<p>\u305d\u306e\u305f\u3081\u3001\u30de\u30a4\u30af\u30ed\u30b5\u30fc\u30d3\u30b9\u30a2\u30fc\u30ad\u30c6\u30af\u30c1\u30e3\u3067\u306f\u5404\u30b5\u30fc\u30d3\u30b9\u5171\u901a\u3067\u4e00\u5ea6\u3067\u8a8d\u8a3c\u3057\u3001\u5404\u30b5\u30fc\u30d3\u30b9\u3067\u90fd\u5ea6\u8a8d\u8a3c\u3092\u884c\u306a\u308f\u305a\u306b\u30e6\u30fc\u30b6\u30fc\u304c\u8a8d\u8a3c\u6e08\u3067\u3042\u308b\u3053\u3068\u3092\u78ba\u8a8d\u3067\u304d\u308b\u758e\u7d50\u5408\u306a\u4ed5\u7d44\u307f\u304c\u5fc5\u8981\u3068\u306a\u308a\u307e\u3059\u3002<\/p>\n<p>\u3053\u306e\u3068\u304d\u3001\u5f93\u6765\u306e\u5358\u7d14\u306a\u30bb\u30c3\u30b7\u30e7\u30f3\u30d9\u30fc\u30b9\u3067\u306e\u8a8d\u8a3c\u3092\u63a1\u3063\u305f\u5834\u5408\u3001\u8a8d\u8a3c\u72b6\u614b\u3092\u30bb\u30c3\u30b7\u30e7\u30f3\u30b9\u30c8\u30a2\u306b\u90fd\u5ea6\u554f\u3044\u5408\u308f\u305b\u3059\u308b\u3088\u3046\u306a\u5b9f\u88c5\u304c\u591a\u3044\u3067\u3059\u3002<br \/>\n\u3053\u308c\u3092\u56de\u907f\u3059\u308b\u305f\u3081\u306b\u306f\u3001 <a href=\"https:\/\/openid.net\/connect\/\">OpenID Connect<\/a> \u306b\u3088\u308b <a href=\"https:\/\/openid-foundation-japan.github.io\/draft-ietf-oauth-json-web-token-11.ja.html\">JSON Web Token\uff08JWT\uff09<\/a> \u5f62\u5f0f\u306e ID \u30c8\u30fc\u30af\u30f3\u306b\u3088\u308b\u8a8d\u8a3c\u3092\u63a1\u7528\u3059\u308b\u306e\u304c\u826f\u3055\u305d\u3046\u3067\u3059\u3002<br \/>\nOpenID Connect \u30c8\u30fc\u30af\u30f3\u30d9\u30fc\u30b9\u306e\u8a8d\u8a3c\u3067\u306f\u3001 OpenID Connect Provider \u306b\u3088\u3063\u3066 JWT \u304c\u751f\u6210\u3055\u308c\u3001\u305d\u306e JWT \u306f\u30af\u30e9\u30a4\u30a2\u30f3\u30c8\u306b\u8fd4\u3055\u308c\u307e\u3059\u3002<br \/>\n\u30af\u30e9\u30a4\u30a2\u30f3\u30c8\u306f\u30ea\u30af\u30a8\u30b9\u30c8\u3054\u3068\u306b JWT \u3092\u30d8\u30c3\u30c0\u306b\u542b\u3081\u3001\u5404\u30b5\u30fc\u30d3\u30b9\u306f\u30ea\u30af\u30a8\u30b9\u30c8\u30d8\u30c3\u30c0\u306e JWT \u306e\u691c\u8a3c\u3092\u884c\u306a\u3046\u3053\u3068\u3067\u8a8d\u8a3c\u3092\u884c\u306a\u3044\u307e\u3059\u3002<\/p>\n<p>\u305f\u3060\u3057\u3001 OpenID Connect \u306e\u95a2\u9023\u4ed5\u69d8\u306f\u591a\u3044\uff08<a href=\"https:\/\/qiita.com\/TakahikoKawasaki\/items\/185d34814eb9f7ac7ef3\">\u53c2\u8003\u30ea\u30f3\u30af<\/a>\uff09\u306e\u3067\u3001\u304d\u3061\u3093\u3068\u3057\u305f OpenID Connect Provider \u3092\u81ea\u524d\u3067\u5b9f\u88c5\u3059\u308b\u306e\u306f\u304b\u306a\u308a\u5927\u5909\u305d\u3046\u3067\u3059\u3002<br \/>\n\u305d\u3053\u3067\u3001<a href=\"https:\/\/openid.net\/developers\/libraries\/\">openid.net\u306eLibraries, Products, and Tools<\/a>\u306b\u3042\u308b\u30e9\u30a4\u30d6\u30e9\u30ea\u3092\u63a2\u3057\u305f\u307f\u305f\u3068\u3053\u308d\u3001 ORY Hydra \u3092\u898b\u3064\u3051\u307e\u3057\u305f\u3002<\/p>\n<h2>ORY Hydra \u306e\u7279\u5fb4<\/h2>\n<p>ORY Hydra \u306f\u3001 OpenID Foundation \u516c\u8a8d\u306e OpenID Connect Provider \u306e Go \u8a00\u8a9e\u3067\u306e\u5b9f\u88c5\u3067\u3059\u3002<\/p>\n<p>\u5927\u304d\u306a\u7279\u5fb4\u3068\u3057\u3066\u3001ORY Hydra \u81ea\u4f53\u306f\u72ec\u81ea\u306e Identity Provider (IdP) \u3092\u6301\u305f\u305a\u3001<br \/>\n\u30e6\u30fc\u30b6\u7ba1\u7406\u3084\u30ed\u30b0\u30a4\u30f3\u8a8d\u8a3c\u306e\u90e8\u5206\u306b\u95a2\u3057\u3066\u306f\u3001\u81ea\u524d\u5b9f\u88c5\u306e\u3082\u306e\u3092 API \u547c\u51fa\u3057\u3059\u308b\u4e8b\u3067\u8a8d\u8a3c\u3092\u884c\u306a\u3044\u307e\u3059\u3002<br \/>\n\u3053\u308c\u306f\u65e2\u5b58\u306e\u30e6\u30fc\u30b6\u60c5\u5831\u306e\u30c7\u30fc\u30bf\u30b9\u30c8\u30a2\u3092\u6301\u3063\u3066\u3044\u3066\u3001\u305d\u3053\u306b OpenID Connect \u306e\u30d5\u30ed\u30fc\u3092\u7d44\u307f\u8fbc\u307f\u305f\u3044\u5834\u5408\u306b\u3001\u975e\u5e38\u306b\u4fbf\u5229\u3067\u3059\u3002<br \/>\n\u4ee5\u4e0b ORY Hydra \u306e github \u306b\u3042\u308b <a href=\"https:\/\/github.com\/ory\/hydra\">README<\/a> \u304b\u3089\u306e\u5f15\u7528\u3067\u3059\u3002<\/p>\n<blockquote><p>\n  ORY Hydra is not an identity provider (user sign up, user log in, password reset flow), but connects to your existing identity provider through a consent app.<br \/>\n  (ORY Hydra \u306f identity provider (\u30e6\u30fc\u30b6\u30fc\u30b5\u30a4\u30f3\u30a2\u30c3\u30d7\u3001\u30ed\u30b0\u30a4\u30f3\u3001\u30d1\u30b9\u30ef\u30fc\u30c9\u30ea\u30bb\u30c3\u30c8\u51e6\u7406\u3092\u884c\u306a\u3046) \u3067\u306f\u3042\u308a\u307e\u305b\u3093\u3002 \u3057\u304b\u3057\u65e2\u5b58\u306e identity provider \u306b\u540c\u610f\u30a2\u30d7\u30ea\u30b1\u30fc\u30b7\u30e7\u30f3\u3092\u901a\u3057\u3066\u63a5\u7d9a\u3057\u307e\u3059\u3002)\n<\/p><\/blockquote>\n<p>\u672c\u8a18\u4e8b\u3092\u57f7\u7b46\u3059\u308b\u306b\u3042\u305f\u308a\u3001 ORY Hydra \u3067 OpenID Connect Provider \u3092\u69cb\u7bc9\u3057\u3001 kubernetes \u4e0a\u306e\u30a2\u30d7\u30ea\u30b1\u30fc\u30b7\u30e7\u30f3\u3067\u8a8d\u8a3c\u30fb\u8a8d\u53ef\u3059\u308b\u3068\u3053\u308d\u307e\u3067\u3092\u8a66\u3057\u3066\u307f\u307e\u3057\u305f\u3002<br \/>\n\u4eca\u56de\u8a66\u3057\u305f\u30bd\u30fc\u30b9\u30b3\u30fc\u30c9\u306f<a href=\"https:\/\/github.com\/techscore\/experimental-openidconnect\">\u3053\u3061\u3089<\/a>\u306b\u30a2\u30c3\u30d7\u3057\u3066\u3044\u307e\u3059\u306e\u3067\u3001\u69cb\u7bc9\u624b\u9806\u306e\u8a73\u7d30\u306f\u305d\u3061\u3089\u3092\u3054\u78ba\u8a8d\u3044\u305f\u3060\u3051\u308c\u3070\u3068\u601d\u3044\u307e\u3059\u3002<br \/>\n\u30ed\u30b0\u30a4\u30f3\u8a8d\u8a3c\u306e\u5b9f\u88c5\u306b\u95a2\u3057\u3066\u306f\u3001\u4eca\u56de\u306f\u516c\u5f0f\u306b\u7528\u610f\u3055\u308c\u305f<a href=\"https:\/\/github.com\/ory\/hydra-login-consent-node\">\u30b5\u30f3\u30d7\u30eb<\/a>\u3092\u5229\u7528\u3057\u307e\u3057\u305f\u3002<\/p>\n<h2>ORY Hydra \u3067\u306e OpenID Connect \u306e\u30d5\u30ed\u30fc<\/h2>\n<p><a href=\"https:\/\/www.ory.sh\/docs\/hydra\">\u516c\u5f0f\u30c9\u30ad\u30e5\u30e1\u30f3\u30c8<\/a>\u304b\u3089\u56f3\u3092\u5f15\u7528\u3057\u307e\u3059\u3002<br \/>\n\u8a8d\u53ef\u30a8\u30f3\u30c9\u30dd\u30a4\u30f3\u30c8\u3078\u306e\u30a2\u30af\u30bb\u30b9 \u2192 \u30ed\u30b0\u30a4\u30f3\u753b\u9762 \u2192 \u540c\u610f\u753b\u9762\u8868\u793a  \u2192 \u30c8\u30fc\u30af\u30f3\u767a\u884c \u3068\u3044\u3046\u30d5\u30ed\u30fc\u3068\u306a\u308a\u307e\u3059\u3002<br \/>\n\u56f3\u306e\u4e2d\u306e <strong>Login Provider<\/strong> \u3068 <strong>Consent Provider<\/strong> \u304c\u3053\u3061\u3089\u3067\u5b9f\u88c5\u304c\u5fc5\u8981\u306a\u3082\u306e\u3068\u306a\u308a\u307e\u3059\u3002<\/p>\n<p>\u203b\u5f15\u7528\uff1a <a href=\"https:\/\/www.ory.sh\/docs\/hydra\">\u516c\u5f0f\u30c9\u30ad\u30e5\u30e1\u30f3\u30c8<\/a><br \/>\n<img src=\"https:\/\/www.ory.sh\/images\/docs\/hydra\/login-consent-flow.png\" width=\"640px\"><\/p>\n<h3>OpenID Connect Relying Party \u306e\u767b\u9332<\/h3>\n<p>\u307e\u305a\u3001OpenID Connect \u306e\u30af\u30e9\u30a4\u30a2\u30f3\u30c8\u3067\u3042\u308b Relying Party \u3092\u767b\u9332\u3059\u308b\u5fc5\u8981\u304c\u3042\u308a\u307e\u3059\u3002\uff08\u4e0a\u8a18\u30b7\u30fc\u30b1\u30f3\u30b9\u56f3\u306e <code>OAuth2 Client<\/code> \u306b\u5f53\u305f\u308b\u90e8\u5206\u3067\u3059\u3002\uff09<br \/>\n\u4eca\u56de\u306f\u30b3\u30de\u30f3\u30c9\u30e9\u30a4\u30f3\u3067\u767b\u9332\u3057\u307e\u3059\u3002<br \/>\n<a href=\"https:\/\/www.ory.sh\/docs\/hydra\/sdk\/api#create-an-oauth-20-client\">API<\/a> \u3082\u7528\u610f\u3055\u308c\u3066\u3044\u307e\u3059\u304c\u3001\u3053\u308c\u3089\u306f\u7ba1\u7406\u7528 API \u3092\u4fdd\u8b77\u3059\u308b\u624b\u6bb5\u306f ORY Hydra \u3067\u306f\u7528\u610f\u3057\u3066\u3044\u306a\u3044\u306e\u3067\u3001\u672c\u756a\u904b\u7528\u3067\u306f\u5916\u90e8\u304b\u3089\u30b3\u30fc\u30eb\u3055\u308c\u306a\u3044\u3088\u3046\u306b\u5225\u9014\u4fdd\u8b77\u3059\u308b\u5fc5\u8981\u304c\u3042\u308a\u307e\u3059\u3002<\/p>\n<pre><code class=\"bash\">.\/hydra-darwin-amd64 clients create \\\n    --skip-tls-verify --endpoint http:\/\/hydra-admin-api.synergy-example.com:30080  \\\n    --id test-client  \\\n    --secret test-secret \\\n    --response-types code,id_token \\\n    --grant-types refresh_token,authorization_code  \\\n    --scope openid,offline  \\\n    --callbacks http:\/\/localhost:4446\/callback\n<\/code><\/pre>\n<h2>Authorization Code Flow \u306e\u958b\u59cb<\/h2>\n<p>\u4eca\u56de\u306f <a href=\"https:\/\/tools.ietf.org\/html\/rfc6749\">RFC 6749 (The OAuth 2.0 Authorization Framework)<\/a> \u3067\u5b9a\u7fa9\u3055\u308c\u3066\u3044\u308b\u8a8d\u53ef\u30d5\u30ed\u30fc\u306e\u3046\u3061\uff0c Authorization Code Flow (\u8a8d\u53ef\u30b3\u30fc\u30c9\u30d5\u30ed\u30fc) \u3092\u8a66\u3057\u307e\u3059\u3002<br \/>\nRelying Party \u304c ORY Hydra \u306e<a href=\"https:\/\/www.ory.sh\/docs\/hydra\/sdk\/api#the-oauth-20-authorize-endpoint\">\u8a8d\u53ef\u30a8\u30f3\u30c9\u30dd\u30a4\u30f3\u30c8<\/a>\u306b\u30a2\u30af\u30bb\u30b9\u3059\u308b\u3053\u3068\u3067\u3001 Authorization Code Flow \u3092\u958b\u59cb\u3057\u307e\u3059\u3002<br \/>\n\u672c\u6765\u306f Relying Party \u306e\u5b9f\u88c5\u3082\u5fc5\u8981\u3067\u3059\u304c\u3001\u4eca\u56de\u306f Hydra \u304c\u7528\u610f\u3057\u3066\u3044\u308b <a href=\"https:\/\/github.com\/ory\/hydra\/blob\/master\/cmd\/token_user.go#L49\">\u30d8\u30eb\u30d1\u30fc\u30b3\u30de\u30f3\u30c9\u30e9\u30a4\u30f3<\/a>\u3092\u5229\u7528\u3059\u308b\u3053\u3068\u3067\u4ee3\u7528\u3057\u307e\u3059\u3002<\/p>\n<pre><code class=\"bash\">.\/hydra-darwin-amd64 token user \\\n    --skip-tls-verify \\\n    --token-url http:\/\/hydra-public-api.synergy-example.com:30080\/oauth2\/token \\\n    --auth-url http:\/\/hydra-public-api.synergy-example.com:30080\/oauth2\/auth \\\n    --scope openid,offline \\\n    --client-id test-client \\\n    --client-secret test-secret \\\n    --redirect http:\/\/localhost:4446\/callback\n<\/code><\/pre>\n<p>\u4e0a\u8a18\u3092\u5b9f\u884c\u3059\u308b\u3068\u3001\u4ee5\u4e0b\u306e\u3088\u3046\u306b\u8868\u793a\u3055\u308c\u3066 \u8a8d\u8a3c\u5b8c\u4e86\u306e\u30b3\u30fc\u30eb\u30d0\u30c3\u30af\u3092\u53d7\u3051\u53d6\u308b Web \u30b5\u30fc\u30d0\u304c\u7acb\u3061\u4e0a\u304c\u308a\u307e\u3059\u3002<\/p>\n<pre><code class=\"bash\">Setting up home route on http:\/\/127.0.0.1:4446\/\nSetting up callback listener on http:\/\/127.0.0.1:4446\/callback\nPress ctrl + c on Linux \/ Windows or cmd + c on OSX to end the process.\nIf your browser does not open automatically, navigate to:\n\n    http:\/\/127.0.0.1:4446\/\n<\/code><\/pre>\n<p><em>http:\/\/127.0.0.1:4446<\/em> \u306b\u30a2\u30af\u30bb\u30b9\u3059\u308b\u3068\u3001\u4ee5\u4e0b\u306e\u3088\u3046\u306a\u753b\u9762\u304c\u8868\u793a\u3055\u308c\u307e\u3059\u3002<\/p>\n<hr \/>\n<p><a href=\"https:\/\/www.techscore.com\/blog\/wp\/wp-content\/uploads\/2019\/03\/rp.png\" rel=\"facebox\" rel=\"attachment wp-att-22343\"><img loading=\"lazy\" src=\"https:\/\/www.techscore.com\/blog\/wp\/wp-content\/uploads\/2019\/03\/rp-1024x399.png\" alt=\"Relying Party Example\" width=\"640\" height=\"307\" class=\"alignleft size-large wp-image-22343\" \/><\/a><\/p>\n<hr \/>\n<p><em>Authorize Application<\/em> \u306e\u30ea\u30f3\u30af\u5148\u306f\u4ee5\u4e0b\u306e\u3088\u3046\u306b\u306a\u3063\u3066\u3044\u307e\u3059\u3002 <strong><code>oauth2\/auth<\/code><\/strong> \u306f ORY Hydra \u306e\u8a8d\u53ef\u30a8\u30f3\u30c9\u30dd\u30a4\u30f3\u30c8\u3067\u3059\u3002<\/p>\n<p style=\"word-break: break-all;\">http:\/\/hydra-public-api.synergy-example.com:30080\/oauth2\/auth?audience=&client_id=test-client&max_age=0&nonce=clhxrbtyijycgfonbxmxflhl&prompt=&redirect_uri=http%3A%2F%2Flocalhost%3A4446%2Fcallback&response_type=code&scope=openid+offline&state=mxamrvdrwnucqjfytkeqzbkw<\/p>\n<p>\u4e0a\u8a18\u30ea\u30f3\u30af\u3092\u62bc\u4e0b\u3059\u308b\u524d\u306b\u3001 <a href=\"https:\/\/www.ory.sh\/images\/docs\/hydra\/login-consent-flow.png\" rel=\"facebox\">\u30b7\u30fc\u30b1\u30f3\u30b9\u56f3<\/a>\u306b\u304a\u3051\u308b Login Provider \u3068 Consent Provider \u3092\u8d77\u52d5\u3055\u305b\u307e\u3059\u3002<br \/>\n\u4eca\u56de\u306f\u3001\u516c\u5f0f\u306b\u7528\u610f\u3055\u308c\u3066\u3044\u308b Node.js \u88fd\u306e<a href=\"https:\/\/github.com\/ory\/hydra-login-consent-node\">\u30b5\u30f3\u30d7\u30eb\u5b9f\u88c5<\/a>\u3092\u5229\u7528\u3057\u307e\u3059\u3002<\/p>\n<pre><code>cd \/path\/to\/login-provider\nnpm i\nNODE_TLS_REJECT_UNAUTHORIZED=0 HYDRA_ADMIN_URL=http:\/\/hydra-admin-api.synergy-example.com:30080 npm start\n<\/code><\/pre>\n<p><em>Authorize Application<\/em> \u30ea\u30f3\u30af\u3092\u62bc\u4e0b\u3059\u308b\u3068\u3001 ORY Hydra \u306e\u8a8d\u53ef\u30a8\u30f3\u30c9\u30dd\u30a4\u30f3\u30c8\u306b\u9077\u79fb\u3057\u307e\u3059\u3002<br \/>\nORY Hydra \u306f Cookie \u3092\u30c1\u30a7\u30c3\u30af\u3057\u3066\u30e6\u30fc\u30b6\u306e\u8a8d\u8a3c\u72b6\u614b\u3092\u5224\u65ad\u3057\u3066\u3001 Login Provider \u306b\u30ea\u30c0\u30a4\u30ec\u30af\u30c8\u3057\u307e\u3059\u3002\u30ea\u30c0\u30a4\u30ec\u30af\u30c8\u5148\u306e\u30a8\u30f3\u30c9\u30dd\u30a4\u30f3\u30c8\u306f\u901a\u5e38 <em>https:\/\/login-provider\/login<\/em> \u3067\u8868\u3055\u308c\u307e\u3059\u3002\u3053\u306e\u6642\u3001ORY Hydra \u304b\u3089 LoginProvider \u3078\u306e\u30ea\u30c0\u30a4\u30ec\u30af\u30c8\u30d1\u30b9\u306e\u30af\u30a8\u30ea\u30d1\u30e9\u30e1\u30fc\u30bf\u306blogin_challenge \u304c\u4ed8\u4e0e\u3055\u308c\u307e\u3059\u3002<\/p>\n<h3>\u30ed\u30b0\u30a4\u30f3<\/h3>\n<p>Login Provider \u306f\u30ed\u30b0\u30a4\u30f3\u753b\u9762\u3092\u8868\u793a\u3057\u307e\u3059\u3002<\/p>\n<hr \/>\n<p><a href=\"https:\/\/www.techscore.com\/blog\/wp\/wp-content\/uploads\/2019\/03\/login.png\" rel=\"facebox\" rel=\"attachment wp-att-22342\"><img loading=\"lazy\" src=\"https:\/\/www.techscore.com\/blog\/wp\/wp-content\/uploads\/2019\/03\/login-1024x456.png\" alt=\"login\" width=\"640\" height=\"336\" class=\"alignleft size-large wp-image-22342\" \/><\/a><\/p>\n<hr \/>\n<p>\u30b5\u30f3\u30d7\u30eb\u3067\u306fID\u304c \"foo@bar.com\"\u3001\u30d1\u30b9\u30ef\u30fc\u30c9\u304c \"foobar\" \u56fa\u5b9a\u3068\u306a\u3063\u3066\u3044\u307e\u3059\u3002<br \/>\n\u30ed\u30b0\u30a4\u30f3\u753b\u9762\u306b\u3042\u308b \"remember me\" \u306f\u30c1\u30a7\u30c3\u30af\u3059\u308b\u3053\u3068\u3067\u3001\u30ed\u30b0\u30a4\u30f3\u30ea\u30af\u30a8\u30b9\u30c8\u53d7\u7406\u306e\u969b\u3001 ORY Hydra \u306b\u5bfe\u3057\u3066\u8a8d\u8a3c\u72b6\u614b\u3092\u4fdd\u6301\u3059\u308b\u3088\u3046\u306b\u4f9d\u983c\u3057\u307e\u3059\u3002<br \/>\n\u3053\u308c\u306f\u518d\u5ea6\u8a8d\u53ef\u30a8\u30f3\u30c9\u30dd\u30a4\u30f3\u30c8\u306b\u30e6\u30fc\u30b6\u304c\u30a2\u30af\u30bb\u30b9\u3057\u305f\u5834\u5408\u306b\u3001\u518d\u5ea6\u8a8d\u8a3c\u3092\u3055\u305b\u306a\u3044\u305f\u3081\u306e\u3082\u306e\u3068\u3057\u3066\u50cd\u304d\u307e\u3059\u3002<\/p>\n<p>\u6b63\u3057\u3044ID\/\u30d1\u30b9\u30ef\u30fc\u30c9\u304c\u5165\u529b\u3055\u308c\u305f\u5834\u5408\u3001Login Provider \u306f <code>login_challenge<\/code> \u3092URL\u30d1\u30b9\u306b\u542b\u3081\u3066 <a href=\"https:\/\/www.ory.sh\/docs\/hydra\/sdk\/api#accept-an-login-request\">ORY Hydra \u306e\u30ed\u30b0\u30a4\u30f3\u30ea\u30af\u30a8\u30b9\u30c8\u53d7\u7406\u30a8\u30f3\u30c9\u30dd\u30a4\u30f3\u30c8<\/a> \u306b\u30ea\u30af\u30a8\u30b9\u30c8\u3092\u9001\u308a\u307e\u3059\u3002<\/p>\n<p>\u30ec\u30b9\u30dd\u30f3\u30b9\u306b\u306f\u3001\u30e6\u30fc\u30b6\u304c\u6b21\u306b\u30ea\u30c0\u30a4\u30ec\u30af\u30c8\u3055\u308c\u308b\u3079\u304dURL\u3092\u542b\u3080 <code>redirect_to<\/code>\u30ad\u30fc\u304c\u542b\u307e\u308c\u3066\u3044\u307e\u3059\u3002<br \/>\n<code>redirect_to<\/code>\u30ad\u30fc \u306b\u306f\u4ee5\u4e0b\u306e\u3088\u3046\u306aURL\u304c\u6307\u5b9a\u3055\u308c\u3066\u3044\u307e\u3059\u3002<\/p>\n<p style=\"word-break: break-all;\">http:\/\/hydra-public-api.synergy-example.com:30080\/oauth2\/auth?audience=&client_id=test-client&login_verifier=524e532413924f33a479738e9ebd756d&max_age=0&nonce=clhxrbtyijycgfonbxmxflhl&prompt=&redirect_uri=http%3A%2F%2Flocalhost%3A4446%2Fcallback&response_type=code&scope=openid+offline&state=mxamrvdrwnucqjfytkeqzbkw<\/p>\n<p>\u3053\u306e URL \u306f ORY Hydra \u306e\u8a8d\u53ef\u30a8\u30f3\u30c9\u30dd\u30a4\u30f3\u30c8\u3067\u3059\u304c\u3001<code>login_verifier<\/code> \u3068\u3044\u3046\u30d1\u30e9\u30e1\u30fc\u30bf\u304c\u8ffd\u52a0\u3055\u308c\u3066\u3044\u308b\u3053\u3068\u304c\u5206\u304b\u308a\u307e\u3059\u3002<br \/>\n\u30ea\u30c0\u30a4\u30ec\u30af\u30c8\u3055\u308c\u305f ORY Hydra \u304c\u3001 <code>login_verifier<\/code> \u3092\u898b\u3066\u30e6\u30fc\u30b6\u304c\u8a8d\u8a3c\u3055\u308c\u3066\u3044\u308b\u306e\u3067\u6b21\u306e\u540c\u610f\u30d5\u30ed\u30fc\u306b\u9032\u3093\u3067\u3088\u3044\u3001\u3068\u5224\u65ad\u3057\u307e\u3059\u3002<\/p>\n<h3>\u540c\u610f<\/h3>\n<p>\u6b21\u306e\u540c\u610f\u30d5\u30ed\u30fc\u306b\u9032\u3093\u3067\u3088\u3044\u3001\u3068\u5224\u65ad\u3057\u305f ORY Hydra \u306f Consent Provider \u306b\u30ea\u30c0\u30a4\u30ec\u30af\u30c8\u3057\u307e\u3059\u3002<br \/>\n\u30ea\u30c0\u30a4\u30ec\u30af\u30c8\u5148\u306e\u30a8\u30f3\u30c9\u30dd\u30a4\u30f3\u30c8\u306f\u901a\u5e38 <em>https:\/\/consent-provider\/consent<\/em> \u3067\u8868\u3055\u308c\u307e\u3059\u3002\u3053\u306e\u6642\u30af\u30a8\u30ea\u30d1\u30e9\u30e1\u30fc\u30bf\u306b <code>consent_challenge<\/code> \u304c\u4ed8\u4e0e\u3055\u308c\u3066\u304d\u307e\u3059\u3002<\/p>\n<p>Consent Provider \u306f \u540c\u610f\u753b\u9762\u3092\u8868\u793a\u3057\u307e\u3059\u3002<br \/>\n\u30e6\u30fc\u30b6\u304c Relying Party \u306b\u4ee5\u524d\u306b\u6a29\u9650\u3092\u4ed8\u4e0e\u3057\u305f\u3053\u3068\u304c\u306a\u3044\u5834\u5408\u306b\u3001\u30e6\u30fc\u30b6\u306b\u305d\u306e\u8981\u6c42\u3092\u78ba\u8a8d\u3055\u305b\u308b\u305f\u3081\u306b\u753b\u9762\u3092\u8868\u793a\u3057\u307e\u3059\u3002<\/p>\n<hr \/>\n<p><a href=\"https:\/\/www.techscore.com\/blog\/wp\/wp-content\/uploads\/2019\/03\/consent.png\" rel=\"facebox\" rel=\"attachment wp-att-22341\"><img loading=\"lazy\" src=\"https:\/\/www.techscore.com\/blog\/wp\/wp-content\/uploads\/2019\/03\/consent-1024x516.png\" alt=\"consent\" width=\"630\" height=\"367\" class=\"alignleft size-large wp-image-22341\" \/><\/a><\/p>\n<hr \/>\n<p>\u30b5\u30f3\u30d7\u30eb\u3067\u306f\u3001<code>openid<\/code> \u3068 <code>offline<\/code> \u3068\u3044\u30462\u3064\u306e\u30b9\u30b3\u30fc\u30d7\u306b\u5bfe\u3059\u308b\u8981\u6c42\u3092\u78ba\u8a8d\u3057\u3066\u3044\u307e\u3059\u3002<br \/>\n<code>openid<\/code> \u306f ID \u30c8\u30fc\u30af\u30f3\u3092\u767a\u884c\u3059\u308b\u304b\u3001<code>offline<\/code> \u306f<a href=\"https:\/\/tools.ietf.org\/html\/rfc6749#section-1.5\">\u30ea\u30d5\u30ec\u30c3\u30b7\u30e5\u30c8\u30fc\u30af\u30f3<\/a>\u3092\u767a\u884c\u3059\u308b\u304b\u3001\u3068\u3044\u3046\u70b9\u306b\u95a2\u308f\u3063\u3066\u304d\u307e\u3059\u3002<\/p>\n<p><code>Do not ask me again<\/code> \u306f\u3001\u540c\u610f\u3057\u305f\u72b6\u614b\u3092 ORY Hydra \u304c\u4fdd\u6301\u3057\u3066\u304a\u304f\u304b\u3069\u3046\u304b\u306b\u95a2\u308f\u308a\u307e\u3059\u3002<br \/>\n\u30c1\u30a7\u30c3\u30af\u3057\u305f\u5834\u5408\u306f\u3001\u518d\u5ea6\u30ed\u30b0\u30a4\u30f3\u3057\u305f\u5f8c\u306b\u540c\u610f\u753b\u9762\u3092\u30b9\u30ad\u30c3\u30d7\u3059\u308b\u3053\u3068\u304c\u3067\u304d\u307e\u3059\u3002<\/p>\n<p>\u4ed5\u7d44\u307f\u3068\u3057\u3066\u306f\u3001Consent Provider \u306b\u30ea\u30c0\u30a4\u30ec\u30af\u30c8\u5f8c\u3001 Consent Provider \u306f <a href=\"https:\/\/www.ory.sh\/docs\/hydra\/sdk\/api#get-consent-request-information\">consent_challenge \u3092\u5143\u306b\u540c\u610f\u30ea\u30af\u30a8\u30b9\u30c8\u3092 ORY Hydra \u306b\u78ba\u8a8d\u3059\u308b API<\/a> \u3092\u30b3\u30fc\u30eb\u3057\u307e\u3059\u304c\u3001<br \/>\n\u4ee5\u524d\u306b\u540c\u610f\u3057\u305f\u5834\u5408\u306f\u3001\u3053\u306e\u6642\u306e\u30ec\u30b9\u30dd\u30f3\u30b9\u306e\u4e2d\u306b\u542b\u307e\u308c\u308b <code>skip<\/code> \u30ad\u30fc\u304c<code>true<\/code> \u3067\u8fd4\u3063\u3066\u304f\u308b\u3088\u3046\u306b\u306a\u308a\u307e\u3059\u3002<br \/>\nConsent Provider \u306f <code>skip<\/code> \u30ad\u30fc\u3092\u5143\u306b\u540c\u610f\u753b\u9762\u3092\u51fa\u3055\u305a\u306b\u3001\u6b21\u306e\u540c\u610f\u30ea\u30af\u30a8\u30b9\u30c8\u53d7\u7406\u306b\u9032\u3080\u3053\u3068\u304c\u3067\u304d\u307e\u3059\u3002<\/p>\n<p>\u30e6\u30fc\u30b6\u306e\u540c\u610f\u304c\u5f97\u3089\u308c\u308b\u3068\u3001<br \/>\nConsent Provider \u306f <code>consent_challenge<\/code> \u3092URL\u30d1\u30b9\u306b\u542b\u3081\u3066 <a href=\"https:\/\/www.ory.sh\/docs\/hydra\/sdk\/api#accept-an-consent-request\">ORY Hydra \u306e\u540c\u610f\u30ea\u30af\u30a8\u30b9\u30c8\u53d7\u7406\u306e\u30a8\u30f3\u30c9\u30dd\u30a4\u30f3\u30c8<\/a> \u306b\u30ea\u30af\u30a8\u30b9\u30c8\u3092\u9001\u308a\u307e\u3059\u3002<\/p>\n<p>\u3053\u306e\u540c\u610f\u30ea\u30af\u30a8\u30b9\u30c8\u53d7\u7406\u306e\u30ea\u30af\u30a8\u30b9\u30c8\u9001\u4fe1\u6642\u306b\u3001<code>session<\/code> \u30ad\u30fc\u306b ID \u30c8\u30fc\u30af\u30f3\u306b\u8ffd\u52a0\u3059\u308b\u4efb\u610f\u306e claim \u3092\u6307\u5b9a\u3059\u308b\u3053\u3068\u304c\u3067\u304d\u307e\u3059\u3002<br \/>\nclaim \u306fOpenID Connect \u3067\u5b9a\u7fa9\u3055\u308c\u305f ID \u30c8\u30fc\u30af\u30f3\u306b\u542b\u307e\u308c\u308b\u30e6\u30fc\u30b6\u30fc\u60c5\u5831\u5c5e\u6027\u7fa4\u3067\u3059\u3002<br \/>\n\u4ee5\u4e0b\u306f\u3001\u30b5\u30f3\u30d7\u30eb\u306e Consent Provider \u306e\u5b9f\u88c5\u3067\u3059\u3002<\/p>\n<pre><code>  \/\/ Seems like the user authenticated! Let's tell hydra...\n  hydra.getConsentRequest(challenge)\n  \/\/ This will be called if the HTTP request was successful\n    .then(function (response) {\n      return hydra.acceptConsentRequest(challenge, {\n        \/\/ We can grant all scopes that have been requested - hydra already checked for us that no additional scopes\n        \/\/ are requested accidentally.\n        grant_scope: grant_scope,\n\n        \/\/ The session allows us to set session data for id and access tokens \n        session: {\n            \/\/ This data will be available when introspecting the token. Try to avoid sensitive information here,\n            \/\/ unless you limit who can introspect tokens.\n            access_token: { groups: ['foo', 'bar'] },\n\n            \/\/ This data will be available in the ID token. \u2605\u3053\u308c\n            id_token: { groups: ['foo', 'bar'] },\n        },\n\n        \/\/ ORY Hydra checks if requested audiences are allowed by the client, so we can simply echo this.\n        grant_access_token_audience: response.requested_access_token_audience,\n\n        \/\/ This tells hydra to remember this consent request and allow the same client to request the same\n        \/\/ scopes from the same user, without showing the UI, in the future.\n        remember: Boolean(req.body.remember),\n\n        \/\/ When this \"remember\" sesion expires, in seconds. Set this to 0 so it will never expire.\n        \/\/ remember_for: 3600,\n        remember_for: 0,\n      })\n        .then(function (response) {\n          \/\/ All we need to do now is to redirect the user back to hydra!\n          console.log(response.redirect_to);\n          res.redirect(response.redirect_to);\n        })\n    })\n    \/\/ This will handle any error that happens when making HTTP calls to hydra\n    .catch(function (error) {\n      next(error);\n    });\n<\/code><\/pre>\n<p>\u30ec\u30b9\u30dd\u30f3\u30b9\u306b\u306f\u3001\u30e6\u30fc\u30b6\u304c\u6b21\u306b\u30ea\u30c0\u30a4\u30ec\u30af\u30c8\u3055\u308c\u308b\u3079\u304dURL\u3092\u542b\u3080 <code>redirect_to<\/code>\u30ad\u30fc\u304c\u542b\u307e\u308c\u3066\u3044\u307e\u3059\u3002<br \/>\n\u3053\u306e URL \u306f ORY Hydra \u306e\u8a8d\u53ef\u30a8\u30f3\u30c9\u30dd\u30a4\u30f3\u30c8\u3067\u3059\u304c\u3001<code>consent_verifier<\/code> \u3068\u3044\u3046\u30d1\u30e9\u30e1\u30fc\u30bf\u304c\u8ffd\u52a0\u3055\u308c\u3066\u3044\u308b\u3053\u3068\u304c\u5206\u304b\u308a\u307e\u3059\u3002<\/p>\n<p style=\"word-break: break-all;\">http:\/\/hydra-public-api.synergy-example.com:30080\/oauth2\/auth?audience=&client_id=test-client&consent_verifier=8c33536a584d4443aa25ac226167785c&max_age=0&nonce=clhxrbtyijycgfonbxmxflhl&prompt=&redirect_uri=http%3A%2F%2Flocalhost%3A4446%2Fcallback&response_type=code&scope=openid+offline&state=mxamrvdrwnucqjfytkeqzbkw<\/p>\n<h3>\u30c8\u30fc\u30af\u30f3\u767a\u884c<\/h3>\n<p>\u8a8d\u53ef\u30a8\u30f3\u30c9\u30dd\u30a4\u30f3\u30c8\u306b <code>consent_verifier<\/code> \u30d1\u30e9\u30e1\u30fc\u30bf\u4ed8\u304d\u3067\u30ea\u30c0\u30a4\u30ec\u30af\u30c8\u3055\u308c\u308b\u3068\u3001 Authorization Code (\u8a8d\u53ef\u30b3\u30fc\u30c9)\u3092\u767a\u884c\u3057\u3066\u3001 Relying Party \u306e\u30b3\u30fc\u30eb\u30d0\u30c3\u30af URL \u306b\u30ea\u30c0\u30a4\u30ec\u30af\u30c8\u3055\u308c\u307e\u3059\u3002<br \/>\n\u4ee5\u4e0b\u306f\u30b5\u30f3\u30d7\u30eb\u306b\u304a\u3051\u308b\u30b3\u30fc\u30eb\u30d0\u30c3\u30afURL\u3067\u3059\u3002<\/p>\n<p style=\"word-break: break-all;\">http:\/\/localhost:4446\/callback?code=zRgk-QWsIOUKHsFTU1PREaY6WldH7rvjrtaa39yRQxM.9PcRUjQz437I7sT_2CoFsRnONjx2onZCx-8LKI36M98&scope=openid%20offline&state=ldhfjtraoocpxiyenhkvchxr<\/p>\n<p>Authorization Code \u3092\u53d7\u3051\u53d6\u3063\u305f Relying Party \u306f state \u306e\u691c\u8a3c\u3092\u884c\u306a\u3063\u305f\u306e\u3061\u3001<a href=\"https:\/\/www.ory.sh\/docs\/hydra\/sdk\/api#the-oauth-20-token-endpoint\">ORY Hydra \u306e\u30c8\u30fc\u30af\u30f3\u30a8\u30f3\u30c9\u30dd\u30a4\u30f3\u30c8<\/a> \u306b Authorization Code \u3092 Post \u3057\u3066\u3001 \u767a\u884c\u3055\u308c\u305f ID \u30c8\u30fc\u30af\u30f3\u7b49\u3092\u53d6\u5f97\u3059\u308b\u3053\u3068\u304c\u3067\u304d\u307e\u3059\u3002<br \/>\n\uff08 state \u306f\u3069\u306e\u30ea\u30af\u30a8\u30b9\u30c8\u306b\u5bfe\u3057\u3066\u3069\u306e\u30ec\u30b9\u30dd\u30f3\u30b9\u304c\u5e30\u3063\u3066\u304d\u305f\u304b\u6b63\u3057\u304f\u5bfe\u5fdc\u3065\u3051\u3055\u308c\u3066\u3044\u308b\u3053\u3068\u3092\u4fdd\u8a3c\u3059\u308b\u3053\u3068\u3067 CSRF \u653b\u6483\u3092\u9632\u5fa1\u3059\u308b\u305f\u3081\u306e\u30e9\u30f3\u30c0\u30e0\u306a\u5024\u3067\u3059\u3002\uff09<\/p>\n<p>\u30b5\u30f3\u30d7\u30eb\u3067\u306f\u4ee5\u4e0b\u306e\u3088\u3046\u306b\u767a\u884c\u3055\u308c\u305f\u30a2\u30af\u30bb\u30b9\u30c8\u30fc\u30af\u30f3\u3001\u30ea\u30d5\u30ec\u30c3\u30b7\u30e5\u30c8\u30fc\u30af\u30f3\u3001ID \u30c8\u30fc\u30af\u30f3\u304c\u3001\u753b\u9762\u306b\u8868\u793a\u3055\u308c\u307e\u3057\u305f\u3002<\/p>\n<hr \/>\n<p><a href=\"https:\/\/www.techscore.com\/blog\/wp\/wp-content\/uploads\/2019\/03\/token.png\" rel=\"facebox\" rel=\"attachment wp-att-22344\"><img loading=\"lazy\" src=\"https:\/\/www.techscore.com\/blog\/wp\/wp-content\/uploads\/2019\/03\/token-1024x203.png\" alt=\"token\" width=\"640\" height=\"155\" class=\"alignleft size-large wp-image-22344\" \/><\/a><\/p>\n<hr \/>\n<p>ID \u30c8\u30fc\u30af\u30f3\u3092\u8a66\u3057\u306b <a href=\"https:\/\/jwt.io\">jwt.io<\/a> \u3067\u30c7\u30b3\u30fc\u30c9\u3057\u3066\u307f\u308b\u3068\u3001\u30da\u30a4\u30ed\u30fc\u30c9\u90e8\u5206\u306f\u4ee5\u4e0b\u306e\u3088\u3046\u306a\u611f\u3058\u306b\u306a\u3063\u3066\u3044\u307e\u3057\u305f\u3002 ID \u30c8\u30fc\u30af\u30f3\u306b\u8ffd\u52a0\u3059\u308b\u4efb\u610f\u306e claim \u3068\u3057\u3066 groups \u30ad\u30fc\u3082\u78ba\u8a8d\u3059\u308b\u3053\u3068\u304c\u3067\u304d\u307e\u3059\u3002<\/p>\n<pre><code class=\"json\">{\n  \"at_hash\": \"XsTiS1xujVf_MJgKihRJZQ\",\n  \"aud\": [\n    \"test-client\"\n  ],\n  \"auth_time\": 1553186222,\n  \"exp\": 1553189938,\n  \"groups\": [\n    \"foo\",\n    \"bar\"\n  ],\n  \"iat\": 1553186338,\n  \"iss\": \"http:\/\/hydra-public-api.synergy-example.com:30080\/\",\n  \"jti\": \"75309150-0504-4be2-861d-c5db70360648\",\n  \"nonce\": \"nfyfjvkmtqrdttmgfqkpaqcz\",\n  \"rat\": 1553186252,\n  \"sub\": \"foo@bar.com\"\n}\n<\/code><\/pre>\n<h3>\u30ed\u30b0\u30a2\u30a6\u30c8<\/h3>\n<p><a href=\"https:\/\/www.ory.sh\/docs\/hydra\/sdk\/api#logs-user-out-by-deleting-the-session-cookie\">ORY Hydra \u306e\u30ed\u30b0\u30a2\u30a6\u30c8\u306e\u30a8\u30f3\u30c9\u30dd\u30a4\u30f3\u30c8<\/a> \u306b GET \u3067\u30a2\u30af\u30bb\u30b9\u3059\u308b\u3053\u3068\u3067\u30ed\u30b0\u30a2\u30a6\u30c8\u3067\u304d\u307e\u3059\u3002<\/p>\n<p>\u305f\u3060\u3057\u3001\u30ed\u30b0\u30a2\u30a6\u30c8\u3057\u3066\u3082\u4ee5\u524d\u767a\u884c\u3057\u305f\u30a2\u30af\u30bb\u30b9\u30c8\u30fc\u30af\u30f3\u7b49\u3005\u306f\u6709\u52b9\u306a\u307e\u307e\u306a\u306e\u3067\u3001<a href=\"https:\/\/www.ory.sh\/docs\/hydra\/sdk\/api#revoke-oauth2-tokens\">\u30c8\u30fc\u30af\u30f3\u3092\u53d6\u308a\u6d88\u3059\u30a8\u30f3\u30c9\u30dd\u30a4\u30f3\u30c8<\/a> \u306e API \u3082\u30b3\u30fc\u30eb\u3059\u308b\u5fc5\u8981\u304c\u3042\u308a\u307e\u3059\u3002<br \/>\n\u30c8\u30fc\u30af\u30f3\u306e\u7121\u52b9\u5316\u306f\u3001\u30a2\u30af\u30bb\u30b9\u30c8\u30fc\u30af\u30f3\u3068\u30ea\u30d5\u30ec\u30c3\u30b7\u30e5\u30c8\u30fc\u30af\u30f3\u306e\u307f\u6709\u52b9\u3067\u3059\u3002 ID \u30c8\u30fc\u30af\u30f3\u306e\u7121\u52b9\u5316\u306f\u3067\u304d\u305a\u3001 ID \u30c8\u30fc\u30af\u30f3\u306e <code>exp<\/code>\u30ad\u30fc\u304c\u6301\u3064\u6709\u52b9\u671f\u9650\u307e\u3067\u306f\u6709\u52b9\u3068\u306a\u308b\u305f\u3081\u3001\u4e0a\u8a18\u3068\u30ed\u30b0\u30a2\u30a6\u30c8\u3068\u9023\u52d5\u3057\u306a\u3044\u3068\u3044\u3046\u70b9\u306f\u6ce8\u610f\u304c\u5fc5\u8981\u3067\u3059\u3002<\/p>\n<h2>\u30c8\u30fc\u30af\u30f3\u3092\u7528\u3044\u305f kubernetes \u4e0a\u306e\u30a2\u30d7\u30ea\u30b1\u30fc\u30b7\u30e7\u30f3\u3067\u306e\u8a8d\u8a3c\u30fb\u8a8d\u53ef<\/h2>\n<h3>kube-apiserver \u306e\u8a8d\u8a3c\u30fb\u8a8d\u53ef<\/h3>\n<p>\u3053\u3053\u304b\u3089\u306f \u4eca\u56de\u306e\u30b5\u30f3\u30d7\u30eb\u3067\u5229\u7528\u3057\u305f\u30b3\u30f3\u30c6\u30ca\u30aa\u30fc\u30b1\u30b9\u30c8\u30ec\u30fc\u30b7\u30e7\u30f3\u3067\u3042\u308b kubernetes \u3067\u306e OpenID Connect \u3078\u306e\u5bfe\u5fdc\u306b\u3064\u3044\u3066\u8aac\u660e\u3057\u307e\u3059\u3002<\/p>\n<p>kubernetes\uff08kube-apiserver) \u306e\u8a8d\u8a3c\u306f OpenID Connect \u306b\u5bfe\u5fdc\u3057\u3066\u304a\u308a\u3001 <a href=\"https:\/\/kubernetes.io\/docs\/reference\/access-authn-authz\/rbac\/\">RBAC(Role Based Access Control)<\/a> \u3092\u8a2d\u5b9a\u3059\u308b\u3053\u3068\u3067\u30b0\u30eb\u30fc\u30d7\u306b\u3088\u308b\u30a2\u30af\u30bb\u30b9\u5236\u5fa1\u304c\u53ef\u80fd\u3067\u3059\u3002<\/p>\n<p>OpenID Connect \u306b\u3088\u308b\u8a8d\u8a3c\u30fb\u8a8d\u53ef\u306b\u5bfe\u5fdc\u3059\u308b\u305f\u3081\u306b\u3001 kube-apiserver \u8d77\u52d5\u6642\u306b\u3044\u304f\u3064\u304b\u306e\u30d1\u30e9\u30e1\u30fc\u30bf\u3092\u6307\u5b9a\u3057\u3066\u8d77\u52d5\u3059\u308b\u5fc5\u8981\u304c\u3042\u308a\u307e\u3059\u3002<\/p>\n<table>\n<thead>\n<tr>\n<th align=\"left\">\u30d1\u30e9\u30e1\u30fc\u30bf\u540d<\/th>\n<th align=\"left\">\u6307\u5b9a\u3059\u308b\u5185\u5bb9<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td align=\"left\">--oidc-issuer-url<\/td>\n<td align=\"left\">ID\u30c8\u30fc\u30af\u30f3\u306eiss \u203b https\u5fc5\u9808<\/td>\n<\/tr>\n<tr>\n<td align=\"left\">--oidc-client-id<\/td>\n<td align=\"left\">Relying Party\u306eclient_id<\/td>\n<\/tr>\n<tr>\n<td align=\"left\">--oidc-groups-claim<\/td>\n<td align=\"left\">RBAC\u306eGroup\u3068\u3057\u3066\u6271\u3046claim\u306e\u30ad\u30fc<\/td>\n<\/tr>\n<tr>\n<td align=\"left\">--oidc-ca-file<\/td>\n<td align=\"left\">IdP\u306e\u30b5\u30fc\u30d0\u8a3c\u660e\u66f8\u306b\u7f72\u540d\u3057\u305fCA\u8a3c\u660e\u66f8<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>Docker for Mac \u306e\u5834\u5408\u3001 kube-apiserver \u306f Moby VM \u4e0a\u3067\u30b3\u30f3\u30c6\u30ca\u3068\u3057\u3066\u52d5\u4f5c\u3057\u3066\u3044\u308b\u306e\u3067\u3001<br \/>\n<a href=\"https:\/\/gist.github.com\/BretFisher\/5e1a0c7bcca4c735e716abf62afad389\">\u3053\u3061\u3089\u306e\u65b9\u6cd5<\/a>\u3067\u3001 Docker for Mac \u306e tty \u306b\u63a5\u7d9a\u3057\u3066\u3001<br \/>\n<code>\/etc\/kubernetes\/manifests\/kube-apiserver.yaml<\/code> \u3092\u4e0b\u8a18\u306e\u3088\u3046\u306b\u7de8\u96c6\u3057\u305f\u5f8c\u306b kubernetes \u3092\u518d\u8d77\u52d5\u3057\u307e\u3059\u3002<\/p>\n<pre><code class=\"yaml\">(\u4e2d\u7565)\nspec:\n  containers:\n  - command:\n    - kube-apiserver\n    - --authorization-mode=Node,RBAC\n    (\u4e2d\u7565)\n    - --oidc-issuer-url=https:\/\/hydra-public-api.synergy-example.com:30443\/\n    - --oidc-client-id=test-client\n    - --oidc-groups-claim=groups\n    - --oidc-ca-file=\/path\/to\/cafile\n(\u4e2d\u7565)\n    - mountPath: \/usr\/share\/ca-certificates\n      name: usr-share-ca-certificates\n      readOnly: true\n    # \u8ffd\u8a18\n    - mountPath: \/path\/to\/cafile\n      name: oidc-ca-certificates\n      readOnly: true\n  hostNetwork: true\n(\u4e2d\u7565)\n  - hostPath:\n      path: \/usr\/share\/ca-certificates\n      type: DirectoryOrCreate\n    name: usr-share-ca-certificates\n  # \u8ffd\u8a18\n  - hostPath:\n      path: \/path\/to\/cafile\n      type: DirectoryOrCreate\n    name: oidc-ca-certificates\nstatus: {}\n<\/code><\/pre>\n<p>\u6b21\u306b\u3001\u5148\u307b\u3069 Hydra \u304b\u3089\u767a\u884c\u3055\u308c\u305f ID \u30c8\u30fc\u30af\u30f3\u3092 kubernetes \u306b\u767b\u9332\u3057\u307e\u3059\u3002<\/p>\n<pre><code class=\"bash\">kubectl config set-credentials synergy-admin --token=[YOUR ID TOKEN]\nkubectl config set-context oidc-example --cluster=docker-desktop --user=synergy-admin\n<\/code><\/pre>\n<p>\u6b21\u306b\u3001 <code>Role<\/code> \u3068 <code>RoleBinding<\/code> \u3092 kubernetes \u306b \u767b\u9332\u3057\u307e\u3059\u3002\u767b\u9332\u5185\u5bb9\u3068\u3057\u3066\u306f <code>namespace<\/code> \u304c kube-system \u306e pod \u306b\u5bfe\u3059\u308b get\/watch\/list \u306e\u64cd\u4f5c\u3092\u8a31\u53ef\u3059\u308b\u5185\u5bb9\u3068\u306a\u308a\u307e\u3059\u3002<\/p>\n<pre><code class=\"yaml\">apiVersion: rbac.authorization.k8s.io\/v1\nkind: Role\nmetadata:\n  name: test-role\n  namespace: kube-system\nrules:\n- apiGroups: [\"\"]\n  resources: [\"pods\"]\n  verbs: [\"get\", \"watch\", \"list\"]\n---\nkind: RoleBinding\napiVersion: rbac.authorization.k8s.io\/v1\nmetadata:\n  name: test-rolebinding\n  namespace: kube-system\nsubjects:\n- kind: Group\n  name: foo # Name is case sensitive\n  apiGroup: rbac.authorization.k8s.io\nroleRef:\n  kind: Role #this must be Role or ClusterRole\n  name: test-role # this must match the name of the Role or ClusterRole you wish to bind to\n  apiGroup: rbac.authorization.k8s.io\n<\/code><\/pre>\n<p>\u5b9f\u969b\u306b\u8a66\u3057\u3066\u307f\u308b\u3068\u3001namespace \u672a\u6307\u5b9a\u306e\u5834\u5408\u306f pod \u306e\u60c5\u5831\u53d6\u5f97\u304c\u3067\u304d\u307e\u305b\u3093\u3067\u3057\u305f\u304c\u3001 kube-system \u3092\u6307\u5b9a\u3057\u305f\u5834\u5408\u306f pod \u306e\u60c5\u5831\u53d6\u5f97\u304c\u3067\u304d\u308b\u3088\u3046\u306b\u306a\u308a\u307e\u3057\u305f\u3002<\/p>\n<pre><code class=\"bash\">$ kubectl config use-context oidc-example\n$ kubectl get pods\nError from server (Forbidden): pods is forbidden: User \"https:\/\/hydra-public-api.synergy-example.com:30443\/#foo@bar.com\" cannot list resource \"pods\" in API group \"\" in the namespace \"default\"\n$ kubectl get pod -n kube-system\nNAME                                     READY   STATUS    RESTARTS   AGE\ncoredns-86c58d9df4-9sdb9                 1\/1     Running   7          66d\ncoredns-86c58d9df4-f288f                 1\/1     Running   7          66d\netcd-docker-desktop                      1\/1     Running   25         66d\nkube-apiserver-docker-desktop            1\/1     Running   0          2m45s\nkube-controller-manager-docker-desktop   1\/1     Running   82         66d\nkube-proxy-nswq7                         1\/1     Running   7          66d\nkube-scheduler-docker-desktop            1\/1     Running   75         66d\ntiller-deploy-dbb85cb99-bjrnr            1\/1     Running   7          3d8h\n<\/code><\/pre>\n<h3>istio \u306b\u3088\u308b\u8a8d\u8a3c\u30fb\u8a8d\u53ef<\/h3>\n<p><a href=\"https:\/\/istio.io\/\">istio<\/a> \u306f\u30de\u30a4\u30af\u30ed\u30b5\u30fc\u30d3\u30b9\u306e\u30b5\u30fc\u30d3\u30b9\u30e1\u30c3\u30b7\u30e5\u3092\u5b9f\u73fe\u3059\u308b\u30aa\u30fc\u30d7\u30f3\u30bd\u30fc\u30b9\u30d7\u30ed\u30b8\u30a7\u30af\u30c8\u3067\u3059\u3002<br \/>\nkubernetes \u306e pod \u5185\u306b Envoy \u3068\u3044\u3046\u30d7\u30ed\u30ad\u30b7\u3092\u30b5\u30a4\u30c9\u30ab\u30fc\u3068\u3057\u3066\u52d5\u304b\u3059\u3053\u3068\u3067\u3001\u30a2\u30d7\u30ea\u30b1\u30fc\u30b7\u30e7\u30f3\u306e\u30b3\u30fc\u30c9\u306b\u624b\u3092\u5165\u308c\u305a\u306b\u3001\u30de\u30a4\u30af\u30ed\u30b5\u30fc\u30d3\u30b9\u9593\u306e\u901a\u4fe1\u306b\u95a2\u3059\u308b\u8ab2\u984c\uff08\u30ea\u30c8\u30e9\u30a4\u3001\u30b5\u30fc\u30ad\u30c3\u30c8\u30d6\u30ec\u30fc\u30ab\u30fc\u3001\u8ca0\u8377\u5206\u6563\u3001\u5206\u6563\u30c8\u30ec\u30fc\u30b7\u30f3\u30b0\uff09\u3092\u89e3\u6c7a\u3059\u308b\u305f\u3081\u306e\u4ed5\u7d44\u307f\u3092\u63d0\u4f9b\u3057\u307e\u3059\u3002<\/p>\n<p>\u5148\u307b\u3069\u898b\u305f kube-apiserver \u306e\u4f8b\u306f\u3042\u304f\u307e\u3067 kube-apiserver \u306b\u5bfe\u3059\u308b\u64cd\u4f5c\u306e\u8a8d\u8a3c\u30fb\u8a8d\u53ef\u3067\u3059\u304c\u3001<br \/>\nistio \u306b\u3088\u3063\u3066\u3001OpenID Connect \u306b\u3088\u308b\u8a8d\u8a3c\u30fb\u8a8d\u53ef\u3092\u5404\u30de\u30a4\u30af\u30ed\u30b5\u30fc\u30d3\u30b9\u306e\u30a2\u30d7\u30ea\u30b1\u30fc\u30b7\u30e7\u30f3\u3084 HTTP \u30e1\u30bd\u30c3\u30c9\u5358\u4f4d\u3067\u5b9f\u65bd\u3059\u308b\u3053\u3068\u3082\u53ef\u80fd\u306b\u306a\u308a\u307e\u3059\u3002<\/p>\n<p><a href=\"https:\/\/github.com\/techscore\/experimental-openidconnect\">\u30b5\u30f3\u30d7\u30eb<\/a> \u3067\u306f\u3001 httpbin \u306e\u30b5\u30fc\u30d3\u30b9\u3092\u7acb\u3066\u3066\u3001\u8a8d\u8a3c\u30fb\u8a8d\u53ef\u306e\u30dd\u30ea\u30b7\u30fc\u3092\u8a2d\u5b9a\u3057\u3066\u3044\u307e\u3059\u3002<\/p>\n<p>\u8a8d\u8a3c\u306b\u95a2\u3057\u3066\u306f\u3001<code>Policy<\/code> \u3092 kubernetes \u30ea\u30bd\u30fc\u30b9\u3068\u3057\u3066\u767b\u9332\u3057\u307e\u3059\u3002<br \/>\n<code>targets<\/code> \u306b\u5bfe\u8c61\u306e\u30b5\u30fc\u30d3\u30b9\u3001<code>origins<\/code> \u306b OpenID Connect \u306e issuer \u3068 JWKs\u30a8\u30f3\u30c9\u30dd\u30a4\u30f3\u30c8\u3092\u6307\u5b9a\u3057\u307e\u3059\u3002<\/p>\n<pre><code class=\"yaml\">apiVersion: authentication.istio.io\/v1alpha1\nkind: Policy\nmetadata:\n  name: jwt-example\n  namespace: foo\nspec:\n  targets:\n  - name: httpbin\n  origins:\n  - jwt:\n      issuer: http:\/\/hydra-public-api.synergy-example.com:30080\/\n      jwksUri: http:\/\/hydra-public-api.synergy-example.com:30080\/.well-known\/jwks.json\n  principalBinding: USE_ORIGIN\n<\/code><\/pre>\n<p>\u8a8d\u53ef\u306b\u3064\u3044\u3066\u306f\u3001<code>RbacConfig<\/code>\u3001<code>ServiceRole<\/code>\u3001<code>ServiceRoleBinding<\/code> \u3092 kubernetes \u30ea\u30bd\u30fc\u30b9\u3068\u3057\u3066\u767b\u9332\u3057\u307e\u3059\u3002<br \/>\n\u4ee5\u4e0b\u306e\u30b5\u30f3\u30d7\u30eb\u3067\u306f\u3001JWT \u306b\u30da\u30a4\u30ed\u30fc\u30c9\u306b\u6307\u5b9a\u3055\u308c\u305f groups \u30af\u30ec\u30fc\u30e0\u304c  <code>foo<\/code> \u306e\u30e6\u30fc\u30b6\u306b\u5bfe\u3057\u3066\u3001namespace \u304c <code>foo<\/code> \u306e\u5168\u30b5\u30fc\u30d3\u30b9\u3001\u5168\u30e1\u30bd\u30c3\u30c9\u3092\u8a31\u53ef\u3057\u3066\u3044\u307e\u3059\u3002<\/p>\n<pre><code class=\"yaml\">apiVersion: rbac.istio.io\/v1alpha1\nkind: RbacConfig\nmetadata:\n  name: default\n  namespace: istio-system\nspec:\n  mode: ON_WITH_INCLUSION\n  inclusion:\n    namespaces:\n    - foo\n---\napiVersion: rbac.istio.io\/v1alpha1\nkind: ServiceRole\nmetadata:\n  name: trusted-visitor\n  namespace: foo\nspec:\n  rules:\n  - methods:\n    - '*'\n    services:\n    - '*'\n---\napiVersion: rbac.istio.io\/v1alpha1\nkind: ServiceRoleBinding\nmetadata:\n  name: jwt-binding\n  namespace: foo\nspec:\n  roleRef:\n    kind: ServiceRole\n    name: trusted-visitor\n  subjects:\n  - properties:\n      request.auth.claims[groups]: \"foo\"\n<\/code><\/pre>\n<p>\u3067\u306f\u3001\u5b9f\u969b\u306b\u30a2\u30af\u30bb\u30b9\u3057\u3066\u307f\u3066\u8a66\u3057\u3066\u307f\u307e\u3059\u3002<br \/>\nBearer \u30c8\u30fc\u30af\u30f3\u3067 ID \u30c8\u30fc\u30af\u30f3\u6307\u5b9a\u306a\u3057\u3060\u3068 API \u30b3\u30fc\u30eb\u3067\u304d\u305a\u3001\u6b63\u3057\u3044 ID \u30c8\u30fc\u30af\u30f3\u3092\u6307\u5b9a\u3057\u305f\u5834\u5408\u306f API \u30b3\u30fc\u30eb\u304c\u901a\u308b\u3053\u3068\u304c\u78ba\u8a8d\u3067\u304d\u307e\u3057\u305f\u3002<\/p>\n<pre><code class=\"bash\"># ID \u30c8\u30fc\u30af\u30f3\u6307\u5b9a\u306a\u3057\u306e\u30a2\u30af\u30bb\u30b9\n$ curl -i http:\/\/localhost\/status\/200\n\n  # \u51fa\u529b\u7d50\u679c\n  HTTP\/1.1 401 Unauthorized\n  content-length: 29\n  content-type: text\/plain\n  date: Thu, 21 Mar 2019 19:29:10 GMT\n  server: istio-envoy\n  x-envoy-upstream-service-time: 0\n\n  Origin authentication failed.\n\n---\n# ID \u30c8\u30fc\u30af\u30f3\u6307\u5b9a\u3057\u305f\u30a2\u30af\u30bb\u30b9\n$ curl -i -H 'Authorization: Bearer eyJhbGciOiJSUzI1NiIsImtpZCI6InB1YmxpYzo0MDU1N2YzNC1jZGRjLTRmMjItYmY3Yi0zZWI4OWJkOGZmMTEiLCJ0eXAiOiJKV1QifQ.eyJhdF9oYXNoIjoiSjMwYkJEYkpLNHdFdzBodkdLRWRLQSIsImF1ZCI6WyJ0ZXN0LWNsaWVudCJdLCJhdXRoX3RpbWUiOjE1NTMxOTYzNzUsImV4cCI6MTU1MzE5OTk4MSwiZ3JvdXBzIjpbImZvbyIsImJhciJdLCJpYXQiOjE1NTMxOTYzODEsImlzcyI6Imh0dHA6Ly9oeWRyYS1wdWJsaWMtYXBpLnN5bmVyZ3ktZXhhbXBsZS5jb206MzAwODAvIiwianRpIjoiZGYyOGYzMmMtZWE0ZS00N2NlLWJlZWItYTQ5MjFmNjVmMmQ3Iiwibm9uY2UiOiJpeHBsdWV2ZGZyeXJ1emptbnhrdnd1ZWgiLCJyYXQiOjE1NTMxOTYzNjQsInN1YiI6ImZvb0BiYXIuY29tIn0.EK4h5_dnbXIe-WdC5VmEfrD7AXIw2i1bmLBXMbssJD70TFlhkYQ4oUTZBQiUQJwsLGMufPzpUqvI16r_UHSl9oR4dfDljDO08sr_WhCy5HxVHg-uX8-ZZ2t-E1cb6_Jj8Rk7NACefuRWpCE7tU-jKsanI_Yq4etCUn9voPM6mwM3ga9A9bmr1qyCykaE-EFraqAJ3JC0X6b8Rfiho62hM5vxFxhU6SAFHfqj06vyeqi7vk925loiL0XoY4XD0D0Bf8m_TcJNbwVb4sOphwHOIL280qDCpr4AFemLTWsujNCV2v0X8_LryDVVBex_FPC5q5uOVTBWRqhPONYTBCjJj8f7zdAnYqUhSQah-43BkvLUaXtWiMk4EwgRsMqxo7rVOKYF88nlIThZ3eWxut501WKZSYzUN6EDeCJCU-g0E-Cy18Ht0vToWmAKo5KXpvypwEYit8HLpTIqorYmlwXtuzHE_LOGZNSNIvaNg9YieL53Afmx7HI3E_HsDZ8AO-pXPqmA35-6FMZ-wCOLMbwWuulsOS1VcCXM0G86EsHMMbSMUtm9hnHww9ZLAZMOw-jqgIGYpcetPnJww3UqvjwxdW5W-cqlU3wQpb3d-3Dls34nRaoqLie8lkvOjkJl2A8WTf5GNT2ncTfo5LQGpvWPrG1ucf8du8iEjqblhQx9Aiw' http:\/\/localhost\/status\/200\n\n  # \u51fa\u529b\u7d50\u679c\n  HTTP\/1.1 200 OK\n  server: istio-envoy\n  date: Thu, 21 Mar 2019 19:37:49 GMT\n  content-type: text\/html; charset=utf-8\n  access-control-allow-origin: *\n  access-control-allow-credentials: true\n  content-length: 0\n  x-envoy-upstream-service-time: 7\n<\/code><\/pre>\n<h2>\u304a\u308f\u308a\u306b<\/h2>\n<p>\u5b9f\u904b\u7528\u306b\u5165\u308b\u524d\u306b\u306f\u3001\u4eca\u56de\u306e\u30b5\u30f3\u30d7\u30eb\u5b9f\u88c5\u306b\u304f\u308f\u3048\u3066<a href=\"https:\/\/www.ory.sh\/docs\/hydra\/production#exposing-administrative-and-public-api-endpoints\"> API \u306e\u4fdd\u8b77<\/a>\u3067\u3042\u3063\u305f\u308a\u3001<a href=\"https:\/\/www.ory.sh\/docs\/hydra\/advanced#key-rotation\"> ID \u30c8\u30fc\u30af\u30f3\u306e\u7f72\u540d\u306b\u4f7f\u7528\u3059\u308b\u9375\u306e\u30ed\u30fc\u30c6\u30fc\u30b7\u30e7\u30f3<\/a>\u306e\u8003\u616e\u306e\u306a\u3069\u3092\u884c\u306a\u3046\u5fc5\u8981\u304c\u3042\u308a\u307e\u3059\u3002<br \/>\n\u3068\u306f\u3044\u3048\u3001 ORY Hydra \u3092\u5229\u7528\u3059\u308b\u3053\u3068\u3067\u3001\u72ec\u81ea\u306e\u30ed\u30b0\u30a4\u30f3\u8a8d\u8a3c\u3092\u884c\u306a\u3044\u3064\u3064\u3001 OpenID Connect \u306b\u5bfe\u5fdc\u3057\u3066\u3001 kubernetes \u3084 istio \u3067\u306e\u8a8d\u8a3c\u30fb\u8a8d\u53ef\u306b\u5bfe\u5fdc\u3067\u304d\u308b\u3053\u3068\u304c\u5206\u304b\u308a\u307e\u3057\u305f\u3002<br \/>\n\u5b9f\u88c5\u30b3\u30b9\u30c8\u3092\u6291\u3048\u306a\u304c\u3089\u3001\u65e2\u5b58\u306e\u30e6\u30fc\u30b6\u30b9\u30c8\u30a2\u3084\u8a8d\u8a3c\u51e6\u7406\u3092 OpenID Connect \u306b\u5bfe\u5fdc\u3055\u305b\u308b\u5834\u5408\u306a\u3069\u306b\u3001\u975e\u5e38\u306b\u9b45\u529b\u7684\u306a\u9078\u629e\u3067\u3042\u308b\u3053\u3068\u304c\u5206\u304b\u308a\u307e\u3057\u305f\u3002<\/p>\n<p>\u6700\u5f8c\u306b\u53c2\u8003\u6587\u732e\u3092\u8f09\u305b\u3066\u304a\u304d\u307e\u3059\u3002<\/p>\n<ul>\n<li><a href=\"https:\/\/qiita.com\/TakahikoKawasaki\/items\/200951e5b5929f840a1f\">OAuth 2.0 \u5168\u30d5\u30ed\u30fc\u306e\u56f3\u89e3\u3068\u52d5\u753b<\/a><\/li>\n<li><a href=\"https:\/\/qiita.com\/TakahikoKawasaki\/items\/185d34814eb9f7ac7ef3\">OAuth &amp; OpenID Connect \u95a2\u9023\u4ed5\u69d8\u307e\u3068\u3081<\/a><\/li>\n<li><a href=\"https:\/\/www.ibm.com\/developerworks\/library\/se-bootstrap-hydra-oauth2\/index.html?mhq=OAuth2\">Learn how to bootstrap Hydra<\/a><\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>\u3053\u3093\u306b\u3061\u306f\u3001\u767d\u5ddd\u3067\u3059\u3002<\/p>\n<p>\u4eca\u56de\u306f\u3001 ORY Hydra \u3092\u4f7f\u3063\u305f OpenID Connect Provider \u306e\u69cb\u7bc9\u306b\u3064\u3044\u3066\u7d39\u4ecb\u3057\u307e\u3059\u3002<br \/><a href=\"https:\/\/www.techscore.com\/blog\/2019\/04\/01\/hydra-microservice-auth\/\">\u7d9a\u304d\u3092\u8aad\u3080...<\/a><\/p>\n","protected":false},"author":40,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[18],"tags":[309,325],"_links":{"self":[{"href":"https:\/\/www.techscore.com\/blog\/wp-json\/wp\/v2\/posts\/22281"}],"collection":[{"href":"https:\/\/www.techscore.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.techscore.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.techscore.com\/blog\/wp-json\/wp\/v2\/users\/40"}],"replies":[{"embeddable":true,"href":"https:\/\/www.techscore.com\/blog\/wp-json\/wp\/v2\/comments?post=22281"}],"version-history":[{"count":50,"href":"https:\/\/www.techscore.com\/blog\/wp-json\/wp\/v2\/posts\/22281\/revisions"}],"predecessor-version":[{"id":22473,"href":"https:\/\/www.techscore.com\/blog\/wp-json\/wp\/v2\/posts\/22281\/revisions\/22473"}],"wp:attachment":[{"href":"https:\/\/www.techscore.com\/blog\/wp-json\/wp\/v2\/media?parent=22281"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.techscore.com\/blog\/wp-json\/wp\/v2\/categories?post=22281"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.techscore.com\/blog\/wp-json\/wp\/v2\/tags?post=22281"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}