페이지 이동경로
  • Docs>
  • Kakao Login>
  • Security Event Subscription

Kakao Login

Security event subscription

This document explains how to use the security event subscription feature in Kakao Login.

Overview

Security event subscription is a feature that delivers users' security event information to services using Kakao Login. It is designed based on the OpenID Foundation's SSE (Shared Signals and Events) specification. It enables the service to take more active security actions. For example, you can receive information about a user's security events, such as linking and unlinking apps, changing passwords, and disabling accounts.

Security event information is passed to the service as a SET (Security Event Token). The service must process the SET passed through the callback URL as instructed in Receiving security events.

NOTE: SET delivery process of security event subscription system
  1. Receiving the users' security event information.
  2. Issuing a SET with the specified security event information.
  3. Pushing the SET to the service's callback URL.

Before you begin

How to use

To use the security event subscription feature, follow these steps to configure your app and implement the feature.

  1. Review Security event types and determine the required types for the service.
  2. Change the app settings.
  3. Request Get metadata to check the security event subscription specification of Kakao Login.
  4. Implement a feature to validate and process SETs delivered via callback URL. For more information, refer to Receiving security event.
  5. Test whether the settings and feature implementation are correct.

Set Security event subscription

You need to set the callback URL to receive security event information and the event type to subscribe to in [My Application] > [Kakao Login] > [Security Event]. For more information, refer to Prerequisites.

Set Consent items

Some categories require setting consent items and getting the users' consent to provide security event information. For more information, refer to User consent.

Category Consent items and users' consent Description
OAUTH Not required -
CAEP Required Sensitive information can only be provided to the service with the user's consent.
Contact DevTalk to obtain permission if needed.
After obtaining permission, set [Provision of security events information] as [Optional consent] in [My Application] > [Kakao Login] > [Consent items]. For more information, refer to Prerequisites.

NOTE:
[Provision of security events information] can only be set as [Optional consent], so a user may disagree.
CAEP and RISC security event information of users who have not agreed to [Provision of security event information] is not provided.
RISC

Get metadata

To check the security event subscription specification, request as below.

GET https://kauth.kakao.com/.well-known/sse-configuration

Below are response details and examples.

Name Type Description Required
issuer String SET issuer
Fixed to https://kauth.kakao.com		 O
jwks_uri String The URI to retrieve the public key used for SET encryption
A public key is required for SET verification		 O
delivery_methods_supported String Supported SSE event delivery methods
Only push is supported		 O 
HTTP/1.1 200 OK
{
    "issuer": "https://kauth.kakao.com",
    "jwks_uri": "https://kauth.kakao.com/.well-known/jwks.json",
    "delivery_methods_supported": "http://schemas.openid.net/secevent/risc/delivery-method/push"
}

Security event types

The security event subscription system delivers the following security event information to the service.

Category Description
OAUTH Security events for linking and unlinking apps, agreeing and revoking consent items, and tokens of Kakao Login users.
CAEP(Continuous Access Evaluation Protocol)* Security events for credentials (tokens) issued to a user's Kakao account.
RISC(Risk Incident Sharing and Coordination)* Security events for anomalies in a user's Kakao Account

* Not provided by default. Refer to Set Consent items.

The following is a list of Security event types by category.

Category Type Description
OAUTH Tokens Revoked Expiration of the user's all tokens issued through Kakao Login

Required security action: Protect user accounts by closing the currently open service session
Schema: https://schemas.openid.net/secevent/oauth/event-type/tokens-revoked
User Linked A user linked to the app

Recommended security action: If the app has [Auto-link with an app when logging in] set to [Disabled], take necessary actions in the service other than processing membership completion
Schema: https://schemas.openid.net/secevent/oauth/event-type/user-linked
User Unlinked A user unlinks from the app

Recommended security action: Unlink the user's information from Kakao Login, or delete an account if it is only available through Kakao Login. (Note: Unlink callback)
Schema: https://schemas.openid.net/secevent/oauth/event-type/user-unlinked
User Scope Consent A user agrees to the consent item

Schema: https://schemas.openid.net/secevent/oauth/event-type/user-scope-consent
User Scope Withdraw A user revokes the consent to a consent item.

Schema: https://schemas.openid.net/secevent/oauth/event-type/user-scope-withdraw
RISC Account Credential Change Required Password change required

Recommended security action: Check the service for suspicious activity to determine what follow-up is needed
Schema: https://schemas.openid.net/secevent/risc/event-type/account-credential-change-required
Account Disabled It occurs when a Kakao Account is protected, locked, or banned.
Includes the following property:
reason: Reason why account disabled

Required security action: If the reason is hijacking, protect the user's account by ending the currently open session.
Recommended security action: If the reason is bulk-account, analyze the user's activity and determines the necessary follow-up actions.
Schema: https://schemas.openid.net/secevent/risc/event-type/account-disabled
Account Enabled It occurs when a Kakao Account is recovered from a dormant or compromised state.

Recommended security action: Re-enable the user's Kakao Login and the account recovery feature via email.
Schema: https://schemas.openid.net/secevent/risc/event-type/account-enabled
Account Purged Deleting an account.

Recommended security action: Delete the user's account or provide an alternative login method.
Schema: https://schemas.openid.net/secevent/risc/event-type/account-purged
Credential Compromise Account credentials compromised, such as a successful login from a new environment where account compromise is suspected.

Recommended security action: Check the service for suspicious activity and determine the necessary follow-up actions.
Schema: https://schemas.openid.net/secevent/risc/event-type/credential-compromise
Identifier Changed It occurs when a user's email or phone number has changed.

Recommended security action: Destroy the old user's phone number or email and update it with the changed phone number or email.
Schema: https://schemas.openid.net/secevent/risc/event-type/identifier-changed
Identifier Recycled The existing account identifier is not available
It occurs when another user uses the email or phone number of a Kakao Account, and the email verification is in Expired or Suspended status.

Recommended security action: Process the user account's email and phone number to be no longer used, and collect the new email and phone number directly from the service.
Schema: https://schemas.openid.net/secevent/risc/event-type/identifier-recycled
Sessions Revoked All sessions of the account have expired
Caused by processing an existing device logout after a password change.

Required security action: Protect the user account by terminating current open sessions.
Schema: https://schemas.openid.net/secevent/risc/event-type/sessions-revoked
CAEP Assurance Level Change Authentication security level changed
It occurs when changing the security level, such as setting up two-factor authentication.

Recommended security action: Verify whether the current user satisfies the authentication security level required to use the service and take action as needed, such as re-authentication, to provide the service.
Schema: https://schemas.openid.net/secevent/caep/event-type/assurance-level-change
Credential Change Account password changed
It occurs when resetting a password or reissuing a Kakao Certificate

Schema: https://schemas.openid.net/secevent/caep/event-type/credential-change

Receiving security events

Callback information

Method URL Authorization
POST Callback URL registered in [My Application] > [Kakao Login] > [Security Event]. -
Permission Prerequisite Kakao Login User consent
- Activate Kakao Login
Security Event		 - -

When a user's security event occurs, the security event information is delivered as an HTTP POST request to the service's callback URL. Content-Type of the callback request header is application/secevent+jwt, and the body is a SET value containing the security event information.

Below is an example of the request that is delivered to the callback URL.

POST /kakao/events HTTP/1.1
Host: callback.example.com
Content-Type: application/secevent+jwt
Accept: application/json

eyJraWQiOiI2NjVhYmVlYzExOGRkZmMyZDNiZjNlMmFkYWU3OT...

The service must respond with success or failure after SET validation for the callback delivered to the callback URL.

Caution

If callback requests continue to fail or receive no response, your app's security event subscription status will be disabled, and security event delivery stop. In this case, you need to check whether the service can handle receiving security events and set up security event subscriptions again.

SET information

The service receives a SET containing security event information of the Kakao Account through the POST method. SET is a JWT (JSON Web Token) type token and consists of the following three areas.

SET configuration
Category Description
Header SET specification
Payload Security event information
Signature A value signed by the Kakao Authentication Server (KAUTH) with the public key corresponding to kid in the header.

Below are the details of the fields in the Header and Payload.

Header
Name Type Description
alg String The encryption applied to the SET, fixed to RS256
typ String Type of SET, fixed to secevent+jwt
kid String Public key ID used to encrypt the SET
Can be found through jwks_uri of Get metadata.
Payload
Name Type Description
iss String SET issuer, fixed to https://kauth.kakao.com.
aud String The REST API key of the app receiving the SET.
sub String Service user ID corresponding to the SET.
iat String The SET issue time.
jti String SET unique identification value
events Event Security event types and details
Event
Name Type Description
${SCHEMA} JSON Details by Security event type.
The key is Schema by Security event type.
The value is different for each Security event type. See Security event details below.
Security event details
Event Type Name Type Description
Common subject Subject Security event details
OAuth >
User Unlinked		 reason String Reason for unlinking, one of the following:
ACCOUNT_DELETE: The Kakao Account is deleted.
FORCED_ACCOUNT_DELETE: The Kakao Account is deleted by the Customer Service or dormant state.
INCOMPLETE_SIGN_UP: The Kakao Account is deleted because the user has not completed a signup.
UNLINK_FROM_ADMIN: The Kakao Account is unlinked by admin.
UNLINK_FROM_APPS: The Kakao Account is unlinked because a user selects [Disconnect] on [Manage Connected Services].
REVOKE_ACCOUNT_SERVICE_TERMS: The user revoked the consent to the integrated service terms.
UNLINK_FROM_SERVICE: The Kakao Account is unlinked from the service.
OAuth >
User Scope Consent,
User Scope Withdraw		 scope String The consent items the user agreed to or revoked.
A single string containing the ID of each consent item, separated by spaces.
(Example: email birthday age_range)
RISC >
Identifier Changed,
Identifier Recycled		 new-value String The phone number or email after the change
CAEP >
Assurance Level Change		 current_level String Current Kakao account authentication level
nist-aal1: The second authentication is not set.
nist-aal2: The second authentication is set.
change_direction String The action type of the change
increase: Increase authentication level
decrease: Decrease authentication level
previous_level String The previous Kakao account authentication level
nist-aal1: The second authentication disabled
nist-aal2: The second authentication enabled
CAEP >
Credential Change		 change_type String The action type of the change
update: Change password or reissue Kakao certificate
Subject
Event Type Name Type Description
Common subject_type String User Identifier Type
iss_sub: Service user ID
phone: Phone number
email: Email
iss String SET issuer
Fixed as https://kauth.kakao.com.

NOTE: Not included in Identifier Changed and Identifier Recycled type security event information.
sub String Service user ID corresponding to the SET

NOTE: Not included in Identifier Changed and Identifier Recycled type security event information.
RISC >
Identifier Changed,
Identifier Recycled		 phone_number String Existing phone number value that has been changed or disabled.
email String Existing email value that has been changed or disabled.

The SET is generated as a single string of three parts that are Base64-encoded and concatenated with the period (.). The contents can be verified by Base64-decoding after separating each part based on the period. After SET validation, the service can verify the payload contents to perform any necessary user account protection actions. Below is an example of a decoded SET header and payload.

Header
Payload
{
    "kid": "665abeec118ddfc2d3bf3e2adae799",
    "typ": "secevent+jwt",
    "alg": "RS256"
}

{
    "iss": "https://kauth.kakao.com",
    "aud": "${REST_API_KEY}",
    "sub": "${USER_ID}",
    "txm": "92a79799-3ae3-4112-8fe2-921c710daa38",
    "iat": 1674702636,
    "jti": "6a1a7a3e-b923-4eb8-886c-cbcbd1621fb0",
    "events": {
        "https://schemas.openid.net/secevent/oauth/event-type/user-linked": {
            "subject": {
                "sub": "1376016924429759243",
                "subject_type": "iss-sub",
                "iss": "https://kauth.kakao.com"
            }
        }
    }
}

SET validation

The service must check and validate the contents of the SET before performing user account protection actions based on security event information. You can check and verify the SET contents in the following order:

  1. Separate the header, payload, and signature based on the period (.).
  2. Decode the payload in Base64.
  3. Verify that the iss value in the payload matches https://kauth.kakao.com.
  4. Verify that the aud value in the payload matches the service app's REST API key.
  5. Verify the signature

Signature verification proceeds in the following order.

  1. Decode the header in Base64.
  2. Request OIDC: Get public key to get the list of public keys used by the Kakao authentication server for signing.
  3. Check the public key value corresponding to the kid of the header in the public key list.
    • Caching the public key for a certain period is recommended, and note that requests may be blocked if they are too frequent.
  4. Verify the signature with the public key using a library that supports JWT signature verification.
    • NOTE: OpenID Foundation, jwt.io
    • When implementing signature verification directly without using a library, the signature verification process can be performed according to the RFC7515 specification.

Success response

If the SET receiving server receives a callback request via the callback URL and the SET validation is successful, you should respond with the HTTP response code 202 Accepted with no response body. See the example below.

HTTP/1.1 202 Accepted

Failure response

If the SET receiving server received a callback request via the callback URL but failed the SET validation, you should respond with HTTP response code 400 Bad Request. The Content-Type of the response header should be application/json, and the body should contain the error code (err) and the reason (description) in JSON format according to RFC8935. See the example below.

HTTP/1.1 400 Bad Request 
Content-Type: application/json
{
    "err": "invalid_key",
    "description": "Key ID 12345 has been revoked."
}
Failure response error codes
Error Code Description
invalid_request When the delivered SET does not comply with the JWT specification.
invalid_key When failed to decrypt the delivered SET with Kakao's public key.
invalid_issuer If the issuer of the delivered SET is not Kakao.
invalid_audience If the aud value of the delivered SET does not match the service app ID.

Test

You can send a security event for the test in [Tools] > [Security Event Test]. You can use this feature to check whether the security event receiving is implemented correctly.

Test sending screen of security event

🅐 App: Select the app to test. 🅑 Callback URL: If you have finished setting up the Security event, output the set callback URL. 🅒 Category: Select a security event category. All categories can be selected for testing. 🅓 Event type: Select a security event type to send. All types can be selected for testing.

After selecting [Send], the test information appears at the bottom of the page, as shown below.

Test sending information screen of security event

🅐 Security event request: Full text of the test request. Host and URL are excluded in the output when the callback URL is not set. 🅑 SET: The decoded value of the SET contained in the request is in 🅐. The header and payload are output respectively. Refer to this when debugging.

Kakao Login> Security Event Subscription