A note on Amazon using OpenID internally

Someone on Twitter spotted this and someone else picked it up, so here is a quick memo.

■ What this is about

So the upshot: Amazon apparently uses OpenID internally, here for the AWS portal sign-in. Below are the captured request and response.

■ Request

https://www.amazon.com/ap/signin?openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0
&openid.mode=checkid_setup
&openid.identity=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select
&openid.claimed_id=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select
&openid.pape.max_auth_age=600
&openid.return_to=https%3A%2F%2Fwww.amazon.com%2Fgp%2Faws%2Fssop%2Fhandlers%2Fauth-portal.html%3Fie%3DUTF8%26wreply%3Dhttps%253A%252F%252Faws-portal.amazon.com%252Fgp%252Faws%252Fdeveloper%252Fregistration%252Findex.html%26awsrequestchallenge%3Dfalse%26wtrealm%3Durn%253Aaws%253AawsAccessKeyId%253A1QQFCEAYKJXP0J7S2T02%26wctx%3D%26wa%3Dwsignin1.0%26awsrequesttfa%3Dtrue
&openid.assoc_handle=ssop
&openid.pape.preferred_auth_policies=http%3A%2F%2Fschemas.openid.net%2Fpape%2Fpolicies%2F2007%2F06%2Fmulti-factor-physical
&authCookies=1
&openid.ns.pape=http%3A%2F%2Fspecs.openid.net%2Fextensions%2Fpape%2F1.0
&siteState=awsMode%3A%3AsignUp%3A%3A
&

Hmm... the parameter order is all over the place, so let me regroup them.

https://www.amazon.com/ap/signin?
# OpenID Auth 2.0
openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0
&openid.mode=checkid_setup
&openid.identity=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select
&openid.claimed_id=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select
&openid.return_to=https%3A%2F%2Fwww.amazon.com%2Fgp%2Faws%2Fssop%2Fhandlers%2Fauth-portal.html%3Fie%3DUTF8%26wreply%3Dhttps%253A%252F%252Faws-portal.amazon.com%252Fgp%252Faws%252Fdeveloper%252Fregistration%252Findex.html%26awsrequestchallenge%3Dfalse%26wtrealm%3Durn%253Aaws%253AawsAccessKeyId%253A1QQFCEAYKJXP0J7S2T02%26wctx%3D%26wa%3Dwsignin1.0%26awsrequesttfa%3Dtrue
&openid.assoc_handle=ssop

# PAPE 1.0
&openid.ns.pape=http%3A%2F%2Fspecs.openid.net%2Fextensions%2Fpape%2F1.0
&openid.pape.max_auth_age=600
&openid.pape.preferred_auth_policies=http%3A%2F%2Fschemas.openid.net%2Fpape%2Fpolicies%2F2007%2F06%2Fmulti-factor-physical

# These look like Amazon's own parameters
&authCookies=1
&siteState=awsMode%3A%3AsignUp%3A%3A

# Hey! That trailing & shouldn't be there!
&

■ Response

https://www.amazon.com/gp/aws/ssop/handlers/auth-portal.html?ie=UTF8
&wreply=https%3A%2F%2Faws-portal.amazon.com%2Fgp%2Faws%2Fdeveloper%2Fregistration%2Findex.html
&awsrequestchallenge=false
&wtrealm=urn%3Aaws%3AawsAccessKeyId%3A1QQFCEAYKJXP0J7S2T02
&wctx=
&wa=wsignin1.0
&awsrequesttfa=true
&openid.assoc_handle=ssop
&aToken=3%7CotY1kqEkFYl5P7GE9rU7%2B9gGJ1%2Fv1KizPP4M3Cd2NJldkajpKjYcMCDSvZANPJuIDqsu2O16Ns%2B7y9uEj9FZL6cIW3I6OqaN7Hz4wIKcwx5qCJQ6mCTAERuZzYNctKOtyf3ZhKRcQAjlna8lnwt5iB1LlhsYsGL4UqGU3YOlqmRXU6YTnFynFg5cVs9yHGp1EGsvMtE7kP%2BpW1o4TLA5bm%2FC%2B0TtPds72tkMakRQwzkkORRA8O1vlw%3D%3D
&openid.claimed_id=https%3A%2F%2Fwww.amazon.com%2Fap%2Fid%2FzDBZOeZNpe8thK%252BlsBhzszUzyoE%253D
&openid.identity=https%3A%2F%2Fwww.amazon.com%2Fap%2Fid%2FzDBZOeZNpe8thK%252BlsBhzszUzyoE%253D
&openid.mode=id_res
&openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0
&openid.op_endpoint=https%3A%2F%2Fwww.amazon.com%2Fap%2Fsignin
&openid.response_nonce=2009-07-07T14%3A41%3A11Z8847736201729402084
&openid.return_to=https%3A%2F%2Fwww.amazon.com%2Fgp%2Faws%2Fssop%2Fhandlers%2Fauth-portal.html%3Fie%3DUTF8%26wreply%3Dhttps%253A%252F%252Faws-portal.amazon.com%252Fgp%252Faws%252Fdeveloper%252Fregistration%252Findex.html%26awsrequestchallenge%3Dfalse%26wtrealm%3Durn%253Aaws%253AawsAccessKeyId%253A1QQFCEAYKJXP0J7S2T02%26wctx%3D%26wa%3Dwsignin1.0%26awsrequesttfa%3Dtrue
&openid.signed=assoc_handle%2CaToken%2Cclaimed_id%2Cidentity%2Cmode%2Cns%2Cop_endpoint%2Cresponse_nonce%2Creturn_to%2Cpape.auth_policies%2Cpape.auth_time%2Cns.pape%2Csigned
&openid.ns.pape=http%3A%2F%2Fspecs.openid.net%2Fextensions%2Fpape%2F1.0
&openid.pape.auth_policies=http%3A%2F%2Fschemas.openid.net%2Fpape%2Fpolicies%2F2007%2F06%2Fnone
&openid.pape.auth_time=2009-07-07T14%3A41%3A11Z
&openid.sig=0hE149qCxIdvo4cQQSuAOl6TyD0rBbLrAsscupJJ%2B88%3D
&

Tidied up:

https://www.amazon.com/gp/aws/ssop/handlers/auth-portal.html?

# amazon
ie=UTF8
&wreply=https%3A%2F%2Faws-portal.amazon.com%2Fgp%2Faws%2Fdeveloper%2Fregistration%2Findex.html
&awsrequestchallenge=false
&wtrealm=urn%3Aaws%3AawsAccessKeyId%3A1QQFCEAYKJXP0J7S2T02
&wctx=
&wa=wsignin1.0
&awsrequesttfa=true
&aToken=3%7CotY1kqEkFYl5P7GE9rU7%2B9gGJ1%2Fv1KizPP4M3Cd2NJldkajpKjYcMCDSvZANPJuIDqsu2O16Ns%2B7y9uEj9FZL6cIW3I6OqaN7Hz4wIKcwx5qCJQ6mCTAERuZzYNctKOtyf3ZhKRcQAjlna8lnwt5iB1LlhsYsGL4UqGU3YOlqmRXU6YTnFynFg5cVs9yHGp1EGsvMtE7kP%2BpW1o4TLA5bm%2FC%2B0TtPds72tkMakRQwzkkORRA8O1vlw%3D%3D

# OpenID Auth 2.0
&openid.assoc_handle=ssop
&openid.claimed_id=https%3A%2F%2Fwww.amazon.com%2Fap%2Fid%2F(suggestive-looking string)%252B(suggestive-looking string)%253D
&openid.identity=https%3A%2F%2Fwww.amazon.com%2Fap%2Fid%2F(suggestive-looking string)%252B(suggestive-looking string)%253D
&openid.mode=id_res
&openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0
&openid.op_endpoint=https%3A%2F%2Fwww.amazon.com%2Fap%2Fsignin
&openid.response_nonce=2009-07-07T14%3A41%3A11Z8847736201729402084
&openid.return_to=https%3A%2F%2Fwww.amazon.com%2Fgp%2Faws%2Fssop%2Fhandlers%2Fauth-portal.html%3Fie%3DUTF8%26wreply%3Dhttps%253A%252F%252Faws-portal.amazon.com%252Fgp%252Faws%252Fdeveloper%252Fregistration%252Findex.html%26awsrequestchallenge%3Dfalse%26wtrealm%3Durn%253Aaws%253AawsAccessKeyId%253A1QQFCEAYKJXP0J7S2T02%26wctx%3D%26wa%3Dwsignin1.0%26awsrequesttfa%3Dtrue
&openid.signed=assoc_handle%2CaToken%2Cclaimed_id%2Cidentity%2Cmode%2Cns%2Cop_endpoint%2Cresponse_nonce%2Creturn_to%2Cpape.auth_policies%2Cpape.auth_time%2Cns.pape%2Csigned
&openid.sig=0hE149qCxIdvo4cQQSuAOl6TyD0rBbLrAsscupJJ%2B88%3D

# PAPE
&openid.ns.pape=http%3A%2F%2Fspecs.openid.net%2Fextensions%2Fpape%2F1.0
&openid.pape.auth_policies=http%3A%2F%2Fschemas.openid.net%2Fpape%2Fpolicies%2F2007%2F06%2Fnone
&openid.pape.auth_time=2009-07-07T14%3A41%3A11Z

# And again a trailing & at the end!!!
&

The OpenID identifier, then, has the form

https://www.amazon.com/ap/id/(suggestive-looking string)%2B(suggestive-looking string 2)%3D

Trying to use this URL with an ordinary RP won't work: discovery fails.
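As an added example (my own code, not anything from the post or from Amazon), here is a small Python script that does the regrouping above mechanically and then runs the bookkeeping a relying party does on an id_res before it can trust it: mode, op_endpoint, return_to and assoc_handle must match what was sent, the mandatory fields must be covered by openid.signed, and every entry in openid.signed must correspond to an openid.* parameter, because that is what the RP has to feed back into the HMAC. The embedded URLs are the captured request and response from above; the bucket names and problem strings are mine. Two things it surfaces: the trailing & the post complains about appears as a dangling separator on both legs, and openid.signed lists aToken, which by the spec's naming means openid.aToken, while the response only carries a bare aToken parameter, so a generic RP library could not rebuild the signed message. (The wa/wtrealm/wreply/wctx names inside return_to are WS-Federation passive-profile parameters; the post groups them as "amazon".)

```python
"""Added example (not from the post): regroup the captured Amazon OpenID
request/response and run an RP's structural checks on the id_res."""
from urllib.parse import urlsplit, parse_qsl

# The return_to value as it appears (URL-encoded) in both the request and the response.
RETURN_TO_ENC = (
    "https%3A%2F%2Fwww.amazon.com%2Fgp%2Faws%2Fssop%2Fhandlers%2Fauth-portal.html%3Fie%3DUTF8"
    "%26wreply%3Dhttps%253A%252F%252Faws-portal.amazon.com%252Fgp%252Faws%252Fdeveloper"
    "%252Fregistration%252Findex.html%26awsrequestchallenge%3Dfalse"
    "%26wtrealm%3Durn%253Aaws%253AawsAccessKeyId%253A1QQFCEAYKJXP0J7S2T02"
    "%26wctx%3D%26wa%3Dwsignin1.0%26awsrequesttfa%3Dtrue"
)

# Captured request (the trailing "&" is part of what was observed).
REQUEST_URL = (
    "https://www.amazon.com/ap/signin?openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0"
    "&openid.mode=checkid_setup"
    "&openid.identity=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select"
    "&openid.claimed_id=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select"
    "&openid.pape.max_auth_age=600"
    "&openid.return_to=" + RETURN_TO_ENC
    + "&openid.assoc_handle=ssop"
    "&openid.pape.preferred_auth_policies=http%3A%2F%2Fschemas.openid.net%2Fpape%2Fpolicies%2F2007%2F06%2Fmulti-factor-physical"
    "&authCookies=1"
    "&openid.ns.pape=http%3A%2F%2Fspecs.openid.net%2Fextensions%2Fpape%2F1.0"
    "&siteState=awsMode%3A%3AsignUp%3A%3A"
    "&"
)

# Captured response (again with the trailing "&").
RESPONSE_URL = (
    "https://www.amazon.com/gp/aws/ssop/handlers/auth-portal.html?ie=UTF8"
    "&wreply=https%3A%2F%2Faws-portal.amazon.com%2Fgp%2Faws%2Fdeveloper%2Fregistration%2Findex.html"
    "&awsrequestchallenge=false"
    "&wtrealm=urn%3Aaws%3AawsAccessKeyId%3A1QQFCEAYKJXP0J7S2T02"
    "&wctx=&wa=wsignin1.0&awsrequesttfa=true"
    "&openid.assoc_handle=ssop"
    "&aToken=3%7CotY1kqEkFYl5P7GE9rU7%2B9gGJ1%2Fv1KizPP4M3Cd2NJldkajpKjYcMCDSvZANPJuIDqsu2O16Ns%2B7y9uEj9FZL6cIW3I6OqaN7Hz4wIKcwx5qCJQ6mCTAERuZzYNctKOtyf3ZhKRcQAjlna8lnwt5iB1LlhsYsGL4UqGU3YOlqmRXU6YTnFynFg5cVs9yHGp1EGsvMtE7kP%2BpW1o4TLA5bm%2FC%2B0TtPds72tkMakRQwzkkORRA8O1vlw%3D%3D"
    "&openid.claimed_id=https%3A%2F%2Fwww.amazon.com%2Fap%2Fid%2FzDBZOeZNpe8thK%252BlsBhzszUzyoE%253D"
    "&openid.identity=https%3A%2F%2Fwww.amazon.com%2Fap%2Fid%2FzDBZOeZNpe8thK%252BlsBhzszUzyoE%253D"
    "&openid.mode=id_res"
    "&openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0"
    "&openid.op_endpoint=https%3A%2F%2Fwww.amazon.com%2Fap%2Fsignin"
    "&openid.response_nonce=2009-07-07T14%3A41%3A11Z8847736201729402084"
    "&openid.return_to=" + RETURN_TO_ENC
    + "&openid.signed=assoc_handle%2CaToken%2Cclaimed_id%2Cidentity%2Cmode%2Cns%2Cop_endpoint%2Cresponse_nonce%2Creturn_to%2Cpape.auth_policies%2Cpape.auth_time%2Cns.pape%2Csigned"
    "&openid.ns.pape=http%3A%2F%2Fspecs.openid.net%2Fextensions%2Fpape%2F1.0"
    "&openid.pape.auth_policies=http%3A%2F%2Fschemas.openid.net%2Fpape%2Fpolicies%2F2007%2F06%2Fnone"
    "&openid.pape.auth_time=2009-07-07T14%3A41%3A11Z"
    "&openid.sig=0hE149qCxIdvo4cQQSuAOl6TyD0rBbLrAsscupJJ%2B88%3D"
    "&"
)


def params(url):
    """Decoded (key, value) pairs of the query, plus whether it ends in a dangling '&'."""
    query = urlsplit(url).query
    return parse_qsl(query, keep_blank_values=True), query.endswith("&")


def group(pairs):
    """Bucket parameters into OpenID core, the PAPE extension, and everything else."""
    out = {"openid": {}, "pape": {}, "other": {}}
    for key, value in pairs:
        if key.startswith("openid.pape.") or key == "openid.ns.pape":
            out["pape"][key] = value
        elif key.startswith("openid."):
            out["openid"][key] = value
        else:
            out["other"][key] = value
    return out


def inner_return_to(return_to):
    """return_to carries its own query (WS-Federation style wa/wtrealm/wreply/wctx); decode that layer."""
    return dict(parse_qsl(urlsplit(return_to).query, keep_blank_values=True))


# OpenID Authentication 2.0 section 10.1: fields that MUST be signed in a positive assertion.
REQUIRED_SIGNED = {"op_endpoint", "return_to", "response_nonce", "assoc_handle"}


def check_id_res(request_url, response_url):
    """Problems a spec-following RP would raise on this id_res (OpenID 2.0 sections 10.1 and 11).
    The signature bytes themselves are not checked: that needs the MAC key behind assoc_handle."""
    req = dict(params(request_url)[0])
    resp = dict(params(response_url)[0])
    problems = []
    if resp.get("openid.mode") != "id_res":
        problems.append("mode is not id_res")
    if resp.get("openid.op_endpoint") != request_url.split("?", 1)[0]:
        problems.append("op_endpoint is not the endpoint the request went to")
    if resp.get("openid.return_to") != req.get("openid.return_to"):
        problems.append("return_to differs from the one we sent")
    if resp.get("openid.assoc_handle") != req.get("openid.assoc_handle"):
        problems.append("assoc_handle differs from the one we sent")
    signed = set(resp.get("openid.signed", "").split(","))
    must_sign = set(REQUIRED_SIGNED)
    must_sign |= {k[len("openid."):] for k in ("openid.claimed_id", "openid.identity") if k in resp}
    unsigned = sorted(must_sign - signed)
    if unsigned:
        problems.append("mandatory fields not covered by the signature: " + ",".join(unsigned))
    # Each entry in openid.signed names openid.<entry>; the RP cannot rebuild the
    # signed message for an entry whose parameter is missing from the response.
    absent = sorted(k for k in signed if "openid." + k not in resp)
    if absent:
        problems.append("signed entries with no openid.* parameter: " + ",".join(absent))
    return problems


if __name__ == "__main__":
    for name, url in (("request", REQUEST_URL), ("response", RESPONSE_URL)):
        pairs, dangling = params(url)
        print(name, "dangling &:", dangling)
        for bucket, kv in group(pairs).items():
            print("  ", bucket, sorted(kv))
    print("inner return_to:", inner_return_to(dict(params(REQUEST_URL)[0])["openid.return_to"]))
    print("problems:", check_id_res(REQUEST_URL, RESPONSE_URL))
```

The one thing the script deliberately does not do is verify openid.sig: assoc_handle is the constant ssop on both legs rather than a handle obtained through an association request, so the MAC key behind it is presumably something only Amazon's own RP holds.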

■ The PAPE parameters are interesting

Went back to the spec for the first time in a while...
Final: OpenID Provider Authentication Policy Extension 1.0

  • pape.max_auth_age

(Optional) If the End User has not actively authenticated to the OP within the number of seconds specified in a manner fitting the requested policies,
the OP SHOULD authenticate the End User for this request using the requested policies.
The OP MUST actively authenticate the user and not rely on a browser cookie from a previous authentication.

Value: Integer value greater than or equal to zero in seconds.

If an OP does not satisfy a request for timely authentication,
the RP may decide not to grant the End User access to the services provided by the RP.
If this parameter is absent from the request, the OP should authenticate the user at its own discretion.

  • pape.preferred_auth_policies

Zero or more authentication policy URIs representing authentication policies that the OP SHOULD satisfy when authenticating the user.
If multiple policies are requested, the OP SHOULD satisfy as many of them as it can.
Value: Space separated list of authentication policy URIs.

If no policies are requested, the RP may be interested in other information such as the authentication age.

So that's what it says (lazy, I know).
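The spec text above only describes what the OP should do; the part an RP has to implement is the decision it makes from the answer. As an added example (mine, not from the post or from the spec), the function below applies the two rules: every requested policy must appear in openid.pape.auth_policies (PAPE 1.0 requires the value none when no requested policy was met), and when max_auth_age was sent, auth_time must be present and no older than that many seconds. Fed the captured values, it rejects: the request asked for multi-factor-physical with max_auth_age=600, and the response's auth_time equals the nonce timestamp (so the age check passes) but auth_policies is none, so the multi-factor request was not honoured. Because the capture is from 2009, "now" is taken from the timestamp prefix of openid.response_nonce rather than the wall clock; the extra cases in the test are constructed inputs.

```python
"""Added example (not from the post): the accept/reject decision an RP derives
from the PAPE 1.0 fields, run against the values captured on the page."""
from datetime import datetime, timezone

POLICY_BASE = "http://schemas.openid.net/pape/policies/2007/06/"
NONE_POLICY = POLICY_BASE + "none"
MULTI_FACTOR_PHYSICAL = POLICY_BASE + "multi-factor-physical"

# Captured values from the page.
REQ_PREFERRED_POLICIES = MULTI_FACTOR_PHYSICAL
REQ_MAX_AUTH_AGE = 600
RESP_AUTH_POLICIES = NONE_POLICY
RESP_AUTH_TIME = "2009-07-07T14:41:11Z"
RESP_NONCE = "2009-07-07T14:41:11Z8847736201729402084"


def rfc3339(ts):
    """Parse the UTC RFC 3339 form used by pape.auth_time and by the nonce prefix."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def pape_decision(preferred_policies, max_auth_age, auth_policies, auth_time, now):
    """Return (accept, reasons).

    preferred_policies / auth_policies: space-separated policy URI lists as sent
    on the wire; max_auth_age: int seconds or None if not requested; auth_time:
    RFC 3339 string or None if absent; now: aware datetime to measure age against.
    """
    reasons = []
    requested = set(preferred_policies.split())
    # 'none' is the OP's explicit statement that nothing requested was met.
    met = set(auth_policies.split()) - {NONE_POLICY}
    for uri in sorted(requested - met):
        reasons.append("requested policy not met: " + uri)
    if max_auth_age is not None:
        if auth_time is None:
            # PAPE 1.0: auth_time MUST be present when max_auth_age was requested.
            reasons.append("max_auth_age requested but no auth_time in response")
        else:
            age = (now - rfc3339(auth_time)).total_seconds()
            if age < 0:
                reasons.append("auth_time is in the future")
            elif age > max_auth_age:
                reasons.append(f"last authentication {age:.0f}s ago exceeds max_auth_age={max_auth_age}")
    return (not reasons, reasons)


def captured_decision():
    """The decision for the exchange on the page; 'now' is the nonce's timestamp."""
    now = rfc3339(RESP_NONCE[:20])
    return pape_decision(REQ_PREFERRED_POLICIES, REQ_MAX_AUTH_AGE,
                         RESP_AUTH_POLICIES, RESP_AUTH_TIME, now)


if __name__ == "__main__":
    accept, reasons = captured_decision()
    print("accept:", accept)
    for r in reasons:
        print("  -", r)
```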

■ Trying a different return_to

Let me point return_to at my own test RP:
http://r-weblife.sakura.ne.jp/libraries/php-openid-2.1.3/examples/consumer/
The request then looks like this.

https://www.amazon.com/ap/signin?openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0
&openid.mode=checkid_setup
&openid.identity=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select
&openid.claimed_id=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select
&openid.return_to=http%3A%2F%2Fr-weblife.sakura.ne.jp%2Flibraries%2Fphp-openid-2.1.3%2Fexamples%2Fconsumer%2Ffinish_auth.php
&openid.assoc_handle=ssop

Made clickable, that is:
https://www.amazon.com/ap/signin?openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.mode=checkid_setup&openid.identity=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select&openid.claimed_id=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select&openid.return_to=http%3A%2F%2Fr-weblife.sakura.ne.jp%2Flibraries%2Fphp-openid-2.1.3%2Fexamples%2Fconsumer%2Ffinish_auth.php&openid.assoc_handle=ssop
Clicking it brings up the login screen.

The login page says nothing at all about the test RP, but... logging in...

No luck.
I suspect return_to is limited to internal URLs.
Chasing the finer details won't gain much, so I'll stop here.
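The experiment shows the OP refusing to send the browser to a return_to it does not know. As an added example (my own code, not Amazon's), here are the two checks an OP can apply to return_to: return_to_matches_realm() is the matching rule from OpenID Authentication 2.0 section 9.2 (same scheme and port, host equal or under a *. wildcard, path equal to or below the realm path, no fragment in the realm), and op_accepts_return_to() models an internal-only OP that additionally requires return_to to sit under a pre-registered prefix. The captured request sends no openid.realm, so the allowlist alone is what would reproduce the observed behaviour; ALLOWED_RETURN_TO is an assumed list derived from the captured return_to, not Amazon's actual configuration. Paths are normalised before comparison so a ../ in return_to cannot escape the registered prefix.

```python
"""Added example (not from the post): return_to validation on the OP side,
the OpenID 2.0 realm rule plus an assumed per-RP allowlist."""
import posixpath
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Assumed registration for Amazon's own RP, derived from the captured return_to.
ALLOWED_RETURN_TO = ("https://www.amazon.com/gp/aws/ssop/handlers/",)

# The two return_to values from the page: the captured one and the author's test RP.
CAPTURED_RETURN_TO = ("https://www.amazon.com/gp/aws/ssop/handlers/auth-portal.html?ie=UTF8"
                      "&wreply=https%3A%2F%2Faws-portal.amazon.com%2Fgp%2Faws%2Fdeveloper%2Fregistration%2Findex.html"
                      "&awsrequestchallenge=false&wtrealm=urn%3Aaws%3AawsAccessKeyId%3A1QQFCEAYKJXP0J7S2T02"
                      "&wctx=&wa=wsignin1.0&awsrequesttfa=true")
TEST_RP_RETURN_TO = "http://r-weblife.sakura.ne.jp/libraries/php-openid-2.1.3/examples/consumer/finish_auth.php"


def _parts(url):
    """(scheme, host, effective port, normalised path); query and fragment are dropped.
    normpath collapses '.' and '..' segments so a traversal cannot escape a prefix."""
    u = urlsplit(url)
    return (u.scheme, u.hostname or "", u.port or DEFAULT_PORTS.get(u.scheme),
            posixpath.normpath(u.path or "/"))


def return_to_matches_realm(return_to, realm):
    """OpenID Authentication 2.0 section 9.2 return_to/realm matching."""
    if urlsplit(realm).fragment:
        return False                      # a realm MUST NOT contain a fragment
    rs, rh, rp, rpath = _parts(realm)
    us, uh, up, upath = _parts(return_to)
    if (rs, rp) != (us, up):
        return False                      # scheme and port must be identical
    if rh.startswith("*."):
        # wildcard: the URL's host must be the realm's domain or end with ".<domain>"
        if not (uh == rh[2:] or uh.endswith(rh[1:])):
            return False
    elif uh != rh:
        return False
    # path must be the realm path or a sub-directory of it
    return upath == rpath or upath.startswith(rpath.rstrip("/") + "/")


def op_accepts_return_to(return_to, realm=None, allowed=ALLOWED_RETURN_TO):
    """Internal-only OP policy: honour the realm rule if a realm was sent, and in
    every case require return_to to sit under one of the registered prefixes."""
    if realm is not None and not return_to_matches_realm(return_to, realm):
        return False
    return any(return_to_matches_realm(return_to, prefix) for prefix in allowed)


if __name__ == "__main__":
    for rt in (CAPTURED_RETURN_TO, TEST_RP_RETURN_TO):
        print(op_accepts_return_to(rt), rt)
```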

■ Summary

  • Using OpenID for internal authentication (SSO) is a common thing
  • It doesn't appear to be usable from outside
  • The details of PAPE are homework for later
  • There's a trailing "&" on the end