Authlete FAPI Implementation Part 1 #fapisum - Japan/UK Open Banking and APIs Summit 2018 - July 24, 2018

  1. Authlete FAPI Enhancements. Justin Richer (@justin__richer), July 2018.
  2. Building an OAuth Infrastructure
  3. On-Prem Approach (diagram labels: AS, RS, Client, OAuth, Customer’s Systems, Hosted Services, User, User Auth)
  4. Cloud-Hosted Approach (diagram labels: AS, RS, Client, OAuth, Customer’s Systems, Hosted Services, User, User Auth)
  5. Is there another option?
  6. Authlete is Semi-hosted
     • Customers run OAuth-speaking services
     • These services call the API for processing
     • Authlete tells the services what to do next
  7. Authlete’s Approach (diagram labels: API, SO, CO, AS, RS, API Key, Client Management, OAuth, Customer’s Systems, Hosted Services, User, User Auth)
  8. Adding New Features
     • New features built into API
       – Example: PKCE
     • Customer code later adapted to use new features
  9. New Features for FAPI
     • Client authentication model beyond client secrets
     • Mutual TLS certificates and validation
     • Scope management for FAPI-R, FAPI-RW, and non-FAPI requests
     • Strict processing of request objects
  10. Previous Client Authentication (diagram labels: API, AS, Client, Client Secret, Client Secret, Customer, Client Registration, Client Configuration)
  11. New Client Authentication (diagram labels: API, AS, Client, Client Auth, Client Auth, Client Auth Type; types listed: None, Secret, Sym JWT, Priv Key, MTLS: SS, MTLS: PKI)
  12. Traditional MTLS (diagram labels: CA, AS, Client, Mutual TLS, Root Certs)
  13. Authlete MTLS (diagram labels: API, AS, Client, Mutual TLS, Certificate, Customer Trusted Certificates)
  14. Customer’s AS
     • Validates the TLS socket
       – Keys presented must be the ones used in the socket
     • Does not validate the certificate against a CA
     • Passes certificate to API
  15. Authlete API
     • Cannot validate the TLS connection between client and AS
       – Has no insight into the original connection
     • Verifies that the certificate sent to the API is the one expected for this transaction
       – Acts as a trust anchor
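As an added example that is not part of the deck or Authlete's code, the Python below models the split of responsibilities on slides 13 to 15 for the self-signed MTLS case ("MTLS: SS" on slide 11): the customer's AS only checks that the certificate it forwards is the one the TLS socket actually saw and performs no CA validation, while the API, which never saw the connection, checks that the forwarded certificate is the trusted certificate registered for that client. The names ClientRecord, customer_as_forward, authlete_verify and authenticate, and both PEM bodies, are constructed for this illustration; the registered certificate is stored as an x5t#S256 thumbprint (base64url of SHA-256 over the DER bytes), which is an assumption about representation, not something the slides state.

```python
"""Added example (not Authlete's code): the split MTLS client-auth check
from slides 13-15, self-signed certificate flow only.

Assumed/constructed for this example: ClientRecord, customer_as_forward,
authlete_verify, authenticate, and the two sample PEM blobs.
"""
import base64
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional


def _fake_pem(body: bytes) -> str:
    # Constructed sample: a PEM wrapper around arbitrary bytes, NOT a real
    # X.509 certificate. The thumbprint check only hashes DER bytes, so no
    # certificate parsing is needed for the comparison.
    b64 = base64.b64encode(body).decode()
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "\n-----END CERTIFICATE-----\n"


REGISTERED_CERT_PEM = _fake_pem(b"constructed-cert-for-client-a")   # registered for the client
UNREGISTERED_CERT_PEM = _fake_pem(b"constructed-cert-not-registered")  # some other cert


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and base64-decode the body into DER bytes."""
    lines = [ln.strip() for ln in pem.strip().splitlines()]
    if (len(lines) < 3 or lines[0] != "-----BEGIN CERTIFICATE-----"
            or lines[-1] != "-----END CERTIFICATE-----"):
        raise ValueError("not a PEM certificate")
    return base64.b64decode("".join(lines[1:-1]), validate=True)


def thumbprint_s256(der: bytes) -> str:
    """x5t#S256 style thumbprint: base64url(SHA-256(DER)) without padding."""
    return base64.urlsafe_b64encode(hashlib.sha256(der).digest()).rstrip(b"=").decode()


@dataclass(frozen=True)
class ClientRecord:
    client_id: str
    auth_type: str            # one of slide 11's types; only "MTLS:SS" is modelled
    trusted_thumbprint: str   # the "Customer Trusted Certificate" of slide 13


def customer_as_forward(socket_peer_cert_der: bytes,
                        cert_in_request_pem: Optional[str]) -> bytes:
    """Slide 14: the customer's AS validates the socket, not the certificate.

    If the client also supplied a certificate inside the request (for example
    in a header), it must be byte-identical to the peer certificate the TLS
    layer presented; otherwise the request is refused. No CA check happens.
    """
    if cert_in_request_pem is not None:
        if not hmac.compare_digest(pem_to_der(cert_in_request_pem), socket_peer_cert_der):
            raise PermissionError("certificate in request does not match TLS peer certificate")
    # Forward exactly what the socket saw; the API does the trust decision.
    return socket_peer_cert_der


def authlete_verify(client: ClientRecord, forwarded_cert_der: bytes) -> bool:
    """Slide 15: the API has no view of the TLS connection, so it only checks
    that the forwarded certificate is the one registered for this client.
    That registered value is the trust anchor."""
    if client.auth_type != "MTLS:SS":
        raise NotImplementedError("only the self-signed MTLS flow is modelled here")
    presented = thumbprint_s256(forwarded_cert_der)
    # Constant-time comparison of the two ASCII thumbprints.
    return hmac.compare_digest(presented, client.trusted_thumbprint)


def authenticate(client: ClientRecord, socket_peer_cert_pem: str,
                 cert_in_request_pem: Optional[str] = None) -> bool:
    """End to end: AS socket check, then API trust check. True only if both pass."""
    try:
        der = customer_as_forward(pem_to_der(socket_peer_cert_pem), cert_in_request_pem)
    except (PermissionError, ValueError):
        return False
    return authlete_verify(client, der)


# Constructed client registration: the thumbprint of the registered certificate.
CLIENT_A = ClientRecord("client-a", "MTLS:SS",
                        thumbprint_s256(pem_to_der(REGISTERED_CERT_PEM)))

if __name__ == "__main__":
    print("registered cert:", authenticate(CLIENT_A, REGISTERED_CERT_PEM))
    print("unregistered cert:", authenticate(CLIENT_A, UNREGISTERED_CERT_PEM))
    print("request cert differs from socket cert:",
          authenticate(CLIENT_A, REGISTERED_CERT_PEM, UNREGISTERED_CERT_PEM))
```

In a real deployment the bytes passed to customer_as_forward would come from the TLS layer itself (for a Python socket, ssl.SSLSocket.getpeercert(binary_form=True)), which is what makes the AS's check meaningful: a certificate copied from a request header proves nothing unless it is the one the handshake was completed with.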
