Introduction to the FAPI Read & Write OAuth Profile
This is the presentation used at APIDays Berlin (2017-11-08) to explain the Financial API Read & Write Security Profile's rationale and how it fulfils the requirements.
  1. Nomura Research Institute. Nat Sakimura (@_nat_en), Research Fellow, Nomura Research Institute; Chairman of the board, OpenID Foundation. Introduction to the FAPI Read & Write OAuth Profile. 2017-11-08. • OpenID® is a registered trademark of the OpenID Foundation. • Unless otherwise noted, all the photos and vector images are licensed by GraphicStocks.
  2. © 2017 by Nat Sakimura. CC-BY-SA. Copyright © 2016 Nat Sakimura. All Rights Reserved. Using iTunes? Using Android? Using Google? Using MS Office 365? …
  3. Over 3 Billion served.
  4. International standards: OpenID Connect, JSON Web Token (JWT), JSON Web Signature (JWS), OAuth PKCE (RFC 7636), OAuth JAR (RFC TBD), ISO/IEC 29184, ISO/IEC 29100 AMD1, JIS X 9250, etc.
  5. An international standardization expert and a protocol designer on identity, access management, and privacy.
  6. Copyright(C) Nomura Research Institute, Ltd. All rights reserved. Nat Sakimura. (Co-)Author of: OpenID Connect Core 1.0; JSON Web Token [RFC 7519]; JSON Web Signature [RFC 7515]; OAuth PKCE [RFC 7636]; OAuth JAR [IETF Last Call]; etc. (Co-)Editor of: ISO/IEC 29184 Guidelines for online notice and consent; ISO/IEC 29100 AMD 1: Privacy Framework – Amendment 1; ISO/IEC 27551 Requirements for attribute based unlinkable entity authentication; etc. • Chairman, OpenID Foundation • Chair, Financial API WG • Head of delegation from the Japanese National Body to ISO/IEC JTC 1/SC 27/WG 5 • WG 5 to OECD/SPDE Liaison • Research Fellow @ Nomura Research Institute (NRI) • https://www.sakimura.org • https://nat.sakimura.org • @_nat_en (English) • @_nat (Japanese) • https://www.linkedin.com/in/natsakimura • https://ja.wikipedia.org/wiki/崎村夏彦
  7. FAPI Updates
  8. A year ago in APIDays Paris: introduced the FAPI WG.
  9. OAuth is a framework – it needs to be profiled. RFC 6749: “This framework was designed with the clear expectation that future work will define prescriptive profiles and extensions necessary to achieve full web-scale interoperability.”
  10. Which OAuth?
  11. (image only)
  12. That creates specifications to take care of medium- to high-risk API access security. The slide plots the value of the resource (low to high) against the environment control level (low to high), e.g.: social sharing – basic choices OK; closed-circuit factory application – no need to satisfy all the security requirements by OAuth; Financial API – Read only; Financial API – Read & Write – basic choices NOT OK, bearer token not OK.
  13. That can serve all financial transactions, including PSD2, but is not limited to them.
  14. FAPI Security Profile is a general purpose higher security API protection mechanism based on the OAuth framework.
  15. It has been adopted by Open Banking UK.
  16. 9 major banks in the UK go live in January 2018. (Source) Chris Mitchel, “Banking is now more open”, Identify 2017.
  17. It is also recommended by the Japanese Bankers' Association. (Source) https://www.zenginkyo.or.jp/fileadmin/res/news/news290713_1.pdf
  18. US FS-ISAC is aligning their security requirements.
  19. … and major IAM vendors are implementing it.
  20. It has been developed within the OpenID Foundation. A WG can be spun up when more than three members propose it, with the approval of the Specs Council and a Board review (2 weeks). The Specs Council is composed of the current editors of the specs and checks for overlaps with other WGs or SDOs. The Board checks that it will not cause IPR threats to the foundation.
  21. At the FAPI WG, since there are the right people, IPR, and structure. Right people: all the authors of OAuth, JWT, JWS, and OpenID Connect are here. Right IPR: royalty free, mutual non-assert IPR, so anyone can freely implement. Right structure: no fee for joining a WG (sponsors welcome); WTO TBT Treaty compliant process.
  22. Working together. OpenID FAPI: Nat Sakimura (Chair), Tony Nadalin (Co-Chair; fido 2.0 WG Chair, W3C Web Authn WG Chair), Anoop Saxena (Co-Chair), UK OBIE Liaison. Liaison organizations: TC 68, JTC 1/SC 27/WG 5.
  23. The work progresses with weekly teleconferences, mailing list discussions and a project repository (https://bitbucket.org/openid/fapi/): issue tracker, meeting notes, commit history, pull requests, draft text.
  24. We have issued two implementer's drafts: Financial API – Read only and Financial API – Read & Write (placed on the same value-of-the-resource against environment-control-level matrix as slide 12).
  25. Which are the redirect approach. Part 1: Read Only Security Profile. Part 2: Read and Write Security Profile. (The three approaches: redirect, decoupled, embedded.)
  26. While RFC 6749 is not complete with source, destination, and message authentication. The user agent sits between the client and the AS: each hop (UA to client, UA to AS, client to AS) is TLS protected, but TLS is terminated at the UA, so the front-channel messages are not protected end to end between client and AS. Per message (sender AuthN / receiver AuthN / message AuthN): AuthZ Req: indirect / none / none. AuthZ Res: none / none / none. Token Req: weak / good / good. Token Res: good / good / good.
  27. By using OpenID Connect's Hybrid Flow and Request Object, you are pretty well covered: FAPI Part 2 is complete with source, destination, and message authentication. Per message (sender AuthN / receiver AuthN / message AuthN): AuthZ Req: Request Object / Request Object / Request Object. AuthZ Res: Hybrid Flow / Hybrid Flow / Hybrid Flow. Token Req: good / good / good. Token Res: good / good / good.
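The two tables on slides 26 and 27 say what the request object and the hybrid flow add to the front channel; the following is an added example (not code from the slides, the FAPI working group or any vendor) of that exchange in Python with only the standard library. The client puts the whole authorization request into a signed request object, the AS answers with a code plus an ID token whose c_hash (OpenID Connect Core) and s_hash (FAPI Part 2) bind the code and the state, and the client verifies the ID token as a detached signature before redeeming the code. Assumptions: the issuer, client_id, redirect URI, subject and keys are constructed placeholders, and HS256 with a shared secret stands in for the PS256/ES256 asymmetric signatures FAPI Part 2 requires; the hash and binding checks are the same either way.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed identifiers and keys for this example (not from the slides). HS256 with a
# shared secret stands in for the PS256/ES256 signatures FAPI Part 2 requires.
AS_ISSUER = "https://as.example.bank"
CLIENT_ID = "tpp-client-001"
REDIRECT_URI = "https://tpp.example/cb"
CLIENT_KEY = b"client-signing-key-demo-only"
AS_KEY = b"as-signing-key-demo-only"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def half_hash(value: str) -> str:
    """c_hash / s_hash rule: SHA-256 over the ASCII octets, left-most half, base64url."""
    digest = hashlib.sha256(value.encode("ascii")).digest()
    return b64url(digest[: len(digest) // 2])

def jws_sign(claims: dict, key: bytes) -> str:
    """Compact JWS (header.payload.signature) with an HMAC-SHA256 tag."""
    def enc(obj):
        return b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = enc({"alg": "HS256", "typ": "JWT"}) + "." + enc(claims)
    tag = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(tag)

def jws_verify(token: str, key: bytes) -> dict:
    """Pin the expected alg, check the tag in constant time, then return the claims."""
    h, p, s = token.split(".")
    if json.loads(b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(p))

def build_request_object(state: str, nonce: str) -> str:
    """Client: every authorization parameter travels inside one signed JWT (request object)."""
    now = int(time.time())
    return jws_sign({
        "iss": CLIENT_ID, "aud": AS_ISSUER, "client_id": CLIENT_ID,
        "response_type": "code id_token", "redirect_uri": REDIRECT_URI,
        "scope": "openid payments", "state": state, "nonce": nonce,
        "nbf": now, "exp": now + 300,
    }, CLIENT_KEY)

def as_authorize(request_object: str) -> dict:
    """AS: verify the request object, then issue code + ID token binding code and state."""
    req = jws_verify(request_object, CLIENT_KEY)
    now = int(time.time())
    if (req["aud"], req["client_id"], req["redirect_uri"]) != (AS_ISSUER, CLIENT_ID, REDIRECT_URI):
        raise ValueError("request object not addressed to this AS/client")
    if not req["nbf"] <= now < req["exp"]:
        raise ValueError("request object outside its validity window")
    code = secrets.token_urlsafe(32)
    id_token = jws_sign({
        "iss": AS_ISSUER, "aud": CLIENT_ID, "sub": "user-42", "iat": now, "exp": now + 300,
        "nonce": req["nonce"], "c_hash": half_hash(code), "s_hash": half_hash(req["state"]),
    }, AS_KEY)
    return {"code": code, "state": req["state"], "id_token": id_token}

def client_accept(resp: dict, state: str, nonce: str) -> bool:
    """Client: the ID token is a detached signature over the response; verify before using code."""
    try:
        claims = jws_verify(resp["id_token"], AS_KEY)
    except (ValueError, KeyError):
        return False
    return (claims["iss"] == AS_ISSUER and claims["aud"] == CLIENT_ID
            and claims["exp"] > time.time() and claims["nonce"] == nonce
            and resp["state"] == state
            and hmac.compare_digest(claims["s_hash"], half_hash(state))
            and hmac.compare_digest(claims["c_hash"], half_hash(resp["code"])))

def demo_flow() -> tuple:
    """Honest exchange, then two tampered responses: code injection and session swap."""
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    resp = as_authorize(build_request_object(state, nonce))
    honest = client_accept(resp, state, nonce)
    # Attacker swaps in a code from another authorization: c_hash no longer matches.
    other = as_authorize(build_request_object(state, nonce))
    code_injection = client_accept(dict(resp, code=other["code"]), state, nonce)
    # A response issued for a different session is replayed here: state, s_hash and nonce fail.
    foreign = as_authorize(build_request_object(secrets.token_urlsafe(16), secrets.token_urlsafe(16)))
    session_swap = client_accept(foreign, state, nonce)
    return honest, code_injection, session_swap

if __name__ == "__main__":
    print(demo_flow())  # (True, False, False)
```

The request object gives the AS sender and message authentication for the authorization request (the parameters are under the client's signature and addressed to one AS via aud), and the ID token returned in the hybrid flow gives the client the same for the response: a code swapped in by an attacker fails the c_hash check, and a response lifted from another session fails the state, s_hash and nonce checks, so neither code ever reaches the token endpoint.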
  28. Tokens are sender constrained instead of being bearer. Sender constrained token: only the entity to which it was issued can use the token. Bearer token: stolen tokens can also be used.
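The distinction on slide 28, as an added example that is not from the slides or the working group: a resource server that honours the confirmation claim of a sender-constrained token and rejects a stolen one. The binding method assumed here is the mutual-TLS certificate thumbprint (a cnf claim with x5t#S256, the OAuth mutual TLS mechanism, which is one way to sender-constrain tokens under the Read and Write profile); the certificate byte strings are constructed stand-ins for DER certificates, and a dictionary lookup stands in for token introspection at the AS.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed stand-ins for DER-encoded X.509 client certificates (not from the slides);
# only their SHA-256 thumbprint matters for the binding check.
CERT_OF_LEGITIMATE_CLIENT = b"DER:CN=tpp-client-001,O=Example TPP"
CERT_OF_ATTACKER = b"DER:CN=someone-else,O=Stolen Token Inc"

TOKEN_STORE: dict = {}  # access token -> record the AS would return on introspection

def x5t_s256(cert_der: bytes) -> str:
    """Thumbprint used by the x5t#S256 confirmation method: base64url(SHA-256(DER))."""
    return base64.urlsafe_b64encode(hashlib.sha256(cert_der).digest()).rstrip(b"=").decode("ascii")

def issue_token(scope: str, client_cert_der: Optional[bytes]) -> str:
    """AS: with a client certificate the token gets a cnf claim bound to it (sender
    constrained); without one it is a plain bearer token."""
    token = secrets.token_urlsafe(32)
    record = {"active": True, "scope": scope}
    if client_cert_der is not None:
        record["cnf"] = {"x5t#S256": x5t_s256(client_cert_der)}
    TOKEN_STORE[token] = record
    return token

def resource_server_accepts(token: str, presented_cert_der: Optional[bytes]) -> bool:
    """RS: if the token carries a cnf, the mutual-TLS client certificate on this connection
    must hash to the same thumbprint; otherwise the presenter is not the token's owner."""
    record = TOKEN_STORE.get(token)
    if not record or not record["active"]:
        return False
    cnf = record.get("cnf")
    if cnf is None:
        return True   # bearer: whoever holds the token may use it
    if presented_cert_der is None:
        return False  # sender-constrained token on a connection without a client cert
    return hmac.compare_digest(cnf["x5t#S256"], x5t_s256(presented_cert_der))

def demo_tokens() -> dict:
    """Both token kinds, used by their owner and then replayed by a thief."""
    bearer = issue_token("payments", None)
    bound = issue_token("payments", CERT_OF_LEGITIMATE_CLIENT)
    return {
        "bearer_used_by_owner": resource_server_accepts(bearer, CERT_OF_LEGITIMATE_CLIENT),
        "bearer_stolen_and_replayed": resource_server_accepts(bearer, CERT_OF_ATTACKER),
        "bound_used_by_owner": resource_server_accepts(bound, CERT_OF_LEGITIMATE_CLIENT),
        "bound_stolen_and_replayed": resource_server_accepts(bound, CERT_OF_ATTACKER),
        "bound_without_client_cert": resource_server_accepts(bound, None),
    }

if __name__ == "__main__":
    for case, ok in demo_tokens().items():
        print(f"{case}: {'accepted' if ok else 'rejected'}")
```

The stolen bearer token is accepted from the attacker's connection; the sender-constrained one is rejected both from the attacker's certificate and from a connection that presents no client certificate at all, which is the second case a resource server must not forget.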
  29. These are in the form of check lists. (Source) https://bitbucket.org/openid/fapi/src/master/Financial_API_WD_002.md
  30. Crypto requirements are tightened for interoperability and security. (Source) https://bitbucket.org/openid/fapi/src/master/Financial_API_WD_002.md
  31. And now working on the decoupled approach … the CIBA (client initiated backchannel authentication) profile. https://bitbucket.org/openid/fapi/src/master/Financial_API_WD_CIBA.md
  32. We are not working on the embedded approach, since we do not know how it can be made phishing resistant (W3C Web Authentication will not work there). Come to the WG if you know how; an IPR release is necessary, though. Open questions: GDPR explicit consent for third party data transfer? What would be the liability implications?
  33. We have other works as well, e.g. the OpenBanking OpenID Dynamic Client Registration Specification.
  34. How can we tell that the implementation conforms to the specification?
  35. OpenID Foundation provides the online test environment for implementers to test their conformance. Once it passes the test, the implementer can self-certify and publish. • That puts the implementers under the premise of Section 5 of the FTC Act. • The log will be openly available so others can also find out false claims. See http://openid.net/certification/ for details.
  36. (image only)
  37. (image only)
  38. * Not Invented Here
  39. But work together in the open, IPR safe environment.
  40. Questions?