1. @justin__richer
Authlete FAPI Enhancements
Justin Richer
July 2018
1

2. @justin__richer
Building an OAuth Infrastructure
2

3. @justin__richer
On-Prem Approach
AS
RS Client
OAuth
Customer’s Systems Hosted Services
User
User Auth
3

4. @justin__richer
Cloud-Hosted Approach
AS
RS Client
OAuth
Customer’s Systems Hosted Services
User
User Auth
4

5. @justin__richer
Is there another option?
5

6. @justin__richer
Authlete is Semi-hosted
• Customers run OAuth-speaking services
• These services call the API for processing
• Authlete tells the services what to do next
6

7. @justin__richer
Authlete’s Approach
API
SO CO
AS
RS
API Key
Client
Management OAuth
Customer’s Systems Hosted Services
User
User Auth
7

8. @justin__richer
Adding New Features
• New features built into API
– Example: PKCE
• Customer code later adapted to use new features
8

9. @justin__richer
New Features for FAPI
• Client authentication model beyond client secrets
• Mutual TLS certificates and validation
• Scope management for FAPI-R, FAPI-RW, and non-
FAPI requests
• Strict processing of request objects
9

10. @justin__richer
Previous Client Authentication
API AS Client
Client Secret Client Secret
Customer
Client Registration
Client Configuration
10

11. @justin__richer
New Client Authentication
API AS Client
Client Auth Client Auth
None
Secret
Sym JWT
Priv Key
MTLS: SS
MTLS: PKI
Client Auth Type
11

12. @justin__richer
Traditional MTLS
CA AS Client
Mutual TLS Root Certs
12

13. @justin__richer
Authlete MTLS
API AS Client
Mutual TLS Certificate
Customer
Trusted Certificates
13

14. @justin__richer
Customer’s AS
• Validates the TLS socket
– Keys presented must be the ones used in the socket
• Does not validate the certificate against a CA
• Passes certificate to API
14

15. @justin__richer
Authlete API
• Can not validate the TLS connection between client
and AS
– Has no insight into the original connection
• Verifies that the certificate sent to the API is the one
expected for this transaction
– Acts as a trust anchor
15