Authlete FAPI Implementation Part 1 #fapisum - Japan/UK Open Banking and APIs Summit 2018 - July 24, 2018


By Justin Richer (Authlete)


  1. @justin__richer: Authlete FAPI Enhancements, Justin Richer, July 2018
  2. Building an OAuth Infrastructure
  3. On-Prem Approach (diagram: AS, RS, Client, OAuth, Customer's Systems, Hosted Services, User, User Auth)
  4. Cloud-Hosted Approach (diagram: AS, RS, Client, OAuth, Customer's Systems, Hosted Services, User, User Auth)
  5. Is there another option?
  6. Authlete is Semi-hosted
     • Customers run OAuth-speaking services
     • These services call the API for processing
     • Authlete tells the services what to do next
  7. Authlete's Approach (diagram: API, SO, CO, AS, RS, API Key, Client Management, OAuth, Customer's Systems, Hosted Services, User, User Auth)
  8. Adding New Features
     • New features built into API (example: PKCE)
     • Customer code later adapted to use new features
  9. New Features for FAPI
     • Client authentication model beyond client secrets
     • Mutual TLS certificates and validation
     • Scope management for FAPI-R, FAPI-RW, and non-FAPI requests
     • Strict processing of request objects
  10. Previous Client Authentication (diagram: API, AS, Client, Client Secret, Customer, Client Registration, Client Configuration)
  11. New Client Authentication (diagram: API, AS, Client, Client Auth; Client Auth Type: None, Secret, Sym JWT, Priv Key, MTLS: SS, MTLS: PKI)
  12. Traditional MTLS (diagram: CA, AS, Client, Mutual TLS, Root Certs)
  13. Authlete MTLS (diagram: API, AS, Client, Mutual TLS, Certificate, Customer, Trusted Certificates)
  14. Customer's AS
     • Validates the TLS socket (keys presented must be the ones used in the socket)
     • Does not validate the certificate against a CA
     • Passes certificate to API
  15. Authlete API
     • Can not validate the TLS connection between client and AS (has no insight into the original connection)
     • Verifies that the certificate sent to the API is the one expected for this transaction (acts as a trust anchor)
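The split on slides 14 and 15, as an added example that is not Authlete's code: the customer's AS has already checked that the presented key matches the TLS socket, so the API-side step only needs to pin the forwarded certificate to the one registered for the client. The `ClientConfig` record, the `"MTLS:SS"` label and the generated certificates are assumptions made for this illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Client record the API keeps (hypothetical shape, not Authlete's schema).
type ClientConfig struct {
	AuthType   string   // "MTLS:SS" (self-signed, pinned) or another auth type
	CertSHA256 [32]byte // thumbprint of the certificate registered for the client
}

// VerifyForwardedCert is the API-side step from slide 15: the certificate the customer's
// AS pulled off its TLS socket must be the one registered for this client (the API never
// saw the socket, so it can only act as the trust anchor for the pin, not check the handshake).
func VerifyForwardedCert(clients map[string]ClientConfig, clientID string, certDER []byte) error {
	cfg, ok := clients[clientID]
	if !ok || cfg.AuthType != "MTLS:SS" {
		return fmt.Errorf("client %q is not registered for MTLS:SS", clientID)
	}
	if _, err := x509.ParseCertificate(certDER); err != nil {
		return fmt.Errorf("forwarded certificate is not valid DER: %w", err)
	}
	if sha256.Sum256(certDER) != cfg.CertSHA256 {
		return fmt.Errorf("presented certificate does not match the one registered for %q", clientID)
	}
	return nil
}

// newSelfSignedDER makes a throwaway self-signed certificate (constructed test data).
func newSelfSignedDER(cn string) []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return der
}

func main() {
	good, rogue := newSelfSignedDER("client-a"), newSelfSignedDER("client-a") // same CN, different key
	clients := map[string]ClientConfig{"client-a": {AuthType: "MTLS:SS", CertSHA256: sha256.Sum256(good)}}
	fmt.Println(VerifyForwardedCert(clients, "client-a", good), VerifyForwardedCert(clients, "client-a", rogue))
}
```

Because the pin is on the whole certificate rather than the subject name, a second self-signed certificate with the same CommonName is rejected, which is exactly what a CA-less "MTLS: SS" registration relies on.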