Authlete FAPI Enhancements
Justin Richer (@justin__richer)
July 2018
Authlete FAPI Implementation Part 1, #fapisum, Japan/UK Open Banking and APIs Summit 2018, July 24, 2018. By Justin Richer (Authlete).
Slide transcript

1. Title: Authlete FAPI Enhancements. Justin Richer, July 2018
2. Building an OAuth Infrastructure
3. On-Prem Approach (diagram: AS, RS and Client connected by OAuth; Customer's Systems vs Hosted Services; User and User Auth)
4. Cloud-Hosted Approach (diagram: the same elements as slide 3)
5. Is there another option?
6. Authlete is Semi-hosted
   • Customers run OAuth-speaking services
   • These services call the API for processing
   • Authlete tells the services what to do next
7. Authlete's Approach (diagram: API with SO and CO; AS and RS; API Key; Client; Management and OAuth; Customer's Systems vs Hosted Services; User and User Auth)
8. Adding New Features
   • New features built into API
     – Example: PKCE
   • Customer code later adapted to use new features
9. New Features for FAPI
   • Client authentication model beyond client secrets
   • Mutual TLS certificates and validation
   • Scope management for FAPI-R, FAPI-RW, and non-FAPI requests
   • Strict processing of request objects
10. Previous Client Authentication (diagram: API, AS, Client; Client Secret held by both the API and the Client; Customer; Client Registration; Client Configuration)
11. New Client Authentication (diagram: API, AS, Client; Client Auth at both the API and the Client; Client Auth Type: None, Secret, Sym JWT, Priv Key, MTLS: SS, MTLS: PKI)
12. Traditional MTLS (diagram: CA, AS, Client; Mutual TLS; Root Certs)
13. Authlete MTLS (diagram: API, AS, Client; Mutual TLS; Certificate; Customer; Trusted Certificates)
14. Customer's AS
   • Validates the TLS socket
     – Keys presented must be the ones used in the socket
   • Does not validate the certificate against a CA
   • Passes certificate to API
15. Authlete API
   • Cannot validate the TLS connection between client and AS
     – Has no insight into the original connection
   • Verifies that the certificate sent to the API is the one expected for this transaction
     – Acts as a trust anchor
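Slides 14 and 15 describe a split: the customer's AS checks the TLS socket (the client proved possession of the key for the certificate it presented) without any CA validation and forwards the certificate to the Authlete API, which never saw the connection and can only check that the certificate is the one expected for this client. The Go program below is an added example, not code from the deck or from Authlete. It models the "MTLS: SS" (self-signed) client type from slide 11, where "expected" means the registered certificate's SHA-256 thumbprint. The function names, the in-memory pipe standing in for the real network connection, the PEM hand-off, and the thumbprint comparison are assumptions of this example; the deck does not say how Authlete's API receives or compares the certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/pem"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSigned mints a throwaway self-signed certificate (constructed test fixture; panics on failure).
func selfSigned(cn string) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// x5tS256 is the base64url SHA-256 thumbprint of a DER certificate (the x5t#S256 value of RFC 8705).
func x5tS256(der []byte) string {
	sum := sha256.Sum256(der)
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// asClientCertPEM plays the customer's AS (slide 14): the mutual TLS handshake, run here over an in-memory
// pipe, proves the client holds the key for the certificate it presented; RequireAnyClientCert skips CA validation.
func asClientCertPEM(asCert, clientCert tls.Certificate) ([]byte, error) {
	srvConn, cliConn := net.Pipe()
	_, _ = srvConn.SetDeadline(time.Now().Add(5*time.Second)), cliConn.SetDeadline(time.Now().Add(5*time.Second))
	srv := tls.Server(srvConn, &tls.Config{
		Certificates:           []tls.Certificate{asCert},
		ClientAuth:             tls.RequireAnyClientCert,
		SessionTicketsDisabled: true, // a post-handshake ticket write would block the synchronous pipe
	})
	cli := tls.Client(cliConn, &tls.Config{
		Certificates:       []tls.Certificate{clientCert},
		InsecureSkipVerify: true, // the test client skips AS verification; a real client must not
	})
	errc := make(chan error, 1)
	go func() { errc <- cli.Handshake() }()
	if err := srv.Handshake(); err != nil {
		return nil, fmt.Errorf("AS side: %w", err)
	}
	if err := <-errc; err != nil {
		return nil, fmt.Errorf("client side: %w", err)
	}
	leaf := srv.ConnectionState().PeerCertificates[0] // non-empty: RequireAnyClientCert succeeded
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: leaf.Raw}), nil
}

// apiVerifyClientCert plays the Authlete API (slide 15) for an "MTLS: SS" client: it never saw the TLS
// connection, so its one check is that the forwarded certificate is the registered one. Hypothetical helper.
func apiVerifyClientCert(registeredThumbprint string, certPEM []byte) error {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return fmt.Errorf("forwarded value is not a PEM certificate")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	if x5tS256(cert.Raw) != registeredThumbprint {
		return fmt.Errorf("certificate is not the one registered for this client")
	}
	return nil
}

// demo registers one client, then runs it and an impostor through the AS socket (both pass) and the API check.
func demo() (goodAccepted, impostorRejected bool, err error) {
	asCert, good, impostor := selfSigned("as.example.test"), selfSigned("fapi-client"), selfSigned("fapi-client")
	registered := x5tS256(good.Certificate[0]) // what the API holds from client registration
	goodPEM, err := asClientCertPEM(asCert, good)
	if err != nil {
		return false, false, err
	}
	impostorPEM, err := asClientCertPEM(asCert, impostor) // same subject, different key: the socket accepts it too
	if err != nil {
		return false, false, err
	}
	return apiVerifyClientCert(registered, goodPEM) == nil, apiVerifyClientCert(registered, impostorPEM) != nil, nil
}
```

The impostor is the point: a second self-signed certificate with the same subject name passes the AS side exactly as the registered one does, because the socket check only proves key possession; rejection has to happen at the API, which is why the deck calls it the trust anchor. For the "MTLS: PKI" type the comparison would be against the registered subject plus a chain to the customer's trusted certificates (slide 13) rather than a thumbprint; that branch is not shown here.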