Nomura Research Institute
Nat Sakimura
Chairman of the Board, OpenID Foundation
Research Fellow, Nomura Research Institute
Foundation Financial API WG
•  OpenID® is a registered trademark of OpenID Foundation.
•  *Unless otherwise noted, all the photos and vector images are licensed by GraphicStocks. 	
June 2017	
Anoop Saxena
FAPI WG co-chair, OpenID Foundation
Architect, Intuit
http://openid.net/wg/fapi/
© 2017 by Nat Sakimura. CC-BY-SA.
Copyright © 2016 Nat Sakimura. All Rights Reserved.
Do you use Personal Finance Software?
What are the current problems?
When NRI started screen scraping in 2001,
we thought it would be a temporary solution.
“There was OFX, and SAML was coming. SOAP was gaining momentum.
We should be able to get out of the scraping business in a few years' time!”
WRONG!
After 15 years, we are still screen scraping.
The situation is changing though.
Fintech is gaining a lot of interest lately
(Source) Google Trends
API is known to be one of the three main components of FinTech
Use cases for identity federation / APIs in the financial sector:
1. Account Opening (incl. KYC)
2. Personal Asset Management
3. Payment, Sending Money
4. Loan Application
5. AI-assisted portfolio management
(Source) Nikkei BP: Fintech Revolution P.4
(Source) Nikkei BP: FinTech Yearbook
INDUSTRY PUSH > US: FS-ISAC Durable Data API
In JSON, XML + OAuth 2.0
(Source) FS-ISAC FSDDA WG
OpenID Financial API
REGULATORY PUSH > EU Payment Service Directive 2 mandates API availability by the end of 2017.
(Source) ODI OBWG: The Open Banking Standard (2016)
[Figure: the Open Banking stack, labelled JSON REST / OAuth / OpenID Connect]
“LEGO Model” provided by APIs creates
a new customer segment “B-to-D”
Laurens Hamerlinck
Innovation Manager
ABN AMRO Bank
@lhamerlinck
•  Open Banking APIs are drawing fintech companies to UK.
•  API creates Lego model. You do not need to build everything yourself.
•  OEaS:=Our Expertise as a Service
•  Financial sector becomes more Open. Not only in EU. Also in US and elsewhere.
•  iOS app platforms did not have any developers in the beginning but see
what happened by opening up the ecosystem.
•  What happened to a company who did not open it?
•  B-to-D: API = New Customer Segment.
From the talk “Bank as a Platform: Exploring a new Role in the Age of Technology” (European Identity Summit 2017)
Automation through API makes it possible for financial institutions
to provide services to hitherto unreachable segment.
• Operational loans provided to small businesses.
  ◦ Banks providing operational loans to a small business through automated credit clearance based on the ledger data, using Artificial Intelligence.
• Transaction insurance offered to SMEs.
  ◦ Transaction insurance has only been offered to large enterprises due to the low insurance rate compared to the cost of evaluating the deals.
  ◦ With APIs, the cost is significantly driven down and now it can be offered to SMEs.
Reaching the hitherto inaccessible (due to benefit/cost) market
[Chart: share of large enterprises vs. SMEs. Gross Value Add: Large 42.5, SME 57.5. Number of enterprises: Large 1, SME 99.]
(Source) Eurostat: Number of enterprises, persons employed and gross value added (GVA) and the share of SMEs, 2012.
“Saying ‘use #oauth’ does not solve the problem.”
-- Mark O’Neill, Gartner, @APIDays Paris 2016
(Source) Photo taken by Nat Sakimura @APIDays on 13th Dec. 2016
In the era of “Mobile First”, OAuth is an obvious choice for API protection but …
Because OAuth 2.0 is a framework as the name indicates
and needs to be profiled to suit the circumstances and use case.
[Figure: 2x2 matrix of value at stake (high/low) against environmental control level (high/low). Quadrant examples: Social sharing; Closed-circuit factory application; Financial API – Read only; Financial API – Read & Write]
Annotations on the figure:
• For example: Basic OAuth is good enough.
• Bearer token not OK.
• Stock RFC 6749 and 6750 is not enough.
• Not all security requirements need to be fulfilled by OAuth.
• Need to be careful in the case of higher value at stake in a low environmental control scenario, such as internet banking.
RFC 6749 state of the source, destination, and message authentication

                          Sender auth.   Receiver auth.   Message auth.
  Authorization Request   Indirect       None             None
  Authorization Response  None           None             None
  Token Request           Weak           Good             Good
  Token Response          Good           Good             Good
OAuth 2.0 related options and the security levels

Authorization Request/Response types and the security levels (listed from highest to lowest):

  Authorization type                    Description
  JWS Authz Req w/ Hybrid Flow          Authz Request protected
  Hybrid Flow*1 (confidential client)   Authz Response protected (ID Token acts as the detached signature for the response.)
  Code Flow (confidential client)       Client authentication
  Implicit Flow                         No client authentication
  Plain OAuth                           Anonymous

  *1) state injection taken care of by including ‘s_hash’

Token Types and the security levels (listed from highest to lowest):

  Token type                 Description
  Sender Constrained Token   Only the named party with a correct key can use the token
  Bearer Token               Anyone can use the token
e.g., tighten up the source, destination, and message authentication

                          Sender auth.     Receiver auth.   Message auth.
  Authorization Request   Request Object   Request Object   Request Object
  Authorization Response  Hybrid Flow      Hybrid Flow      Hybrid Flow
  Token Request           Good             Good             Good
  Token Response          Good             Good             Good
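The two tables above rank the Hybrid Flow highly because the ID token acts as a detached signature over the authorization response: its c_hash and s_hash claims bind the code and the state that travelled through the browser. The following added example (not code from the deck or the FAPI specs) shows that binding on both sides in Python. It assumes an ID token signed with a SHA-256 based algorithm such as RS256/PS256/ES256 and leaves out JWS signing and signature verification, which a real client must do before trusting any claim.

```python
import base64
import hashlib
import hmac


def half_hash(value: str) -> str:
    """base64url (no padding) of the left-most 128 bits of SHA-256(value).

    This is the c_hash / s_hash construction for an ID token signed with a
    SHA-256 based alg (RS256, PS256, ES256); assumed here for the example.
    """
    digest = hashlib.sha256(value.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest[:16]).rstrip(b"=").decode("ascii")


def id_token_claims_for_hybrid_response(issuer, client_id, code, state, sub="user-42"):
    """Authorization server side: claims of the ID token returned next to the
    code in a response_type=code id_token response. Signing is omitted here."""
    return {
        "iss": issuer,
        "aud": client_id,
        "sub": sub,
        "c_hash": half_hash(code),   # binds the authorization code
        "s_hash": half_hash(state),  # binds the state (FAPI's fix for state injection)
    }


def verify_hybrid_response(claims, code, state, expected_issuer, client_id):
    """Client side: check that the code and state received via the browser are
    the ones the AS bound into the ID token. Returns (ok, reason).

    Assumes the caller has already verified the ID token's JWS signature with
    the AS's key; without that step the claims prove nothing.
    """
    if claims.get("iss") != expected_issuer:
        return False, "iss does not match the AS this request went to (mix-up?)"
    if claims.get("aud") != client_id:
        return False, "ID token was not issued to this client"
    if not hmac.compare_digest(claims.get("c_hash", ""), half_hash(code)):
        return False, "code is not the one bound by the ID token"
    if not hmac.compare_digest(claims.get("s_hash", ""), half_hash(state)):
        return False, "state does not match s_hash: injected or altered state"
    return True, "code and state are covered by the ID token signature"
```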
To create an appropriate OAuth profile for
financial API use, we need to consider multiple
factors:
These are too often not taken into account, resulting in too many unsafe OAuth 2.0 implementations.
Example of factors:
• 1 Server/client assumption
• Message authentication
• Source authentication
• Destination authentication
• User authentication
• Message confidentiality
• Token Phishing/Replay
The Financial API Profile needs to solve them all.
OAuth’s primary security assumption is that there is only 1 Authz Server per client:
• In the case of a Personal Finance Management Software/Client, it will necessarily have multiple Authz Servers.
  ◦ Make sure to have virtual separation, i.e., having different redirect endpoints for each server, to avoid the Authz server mix-up attack etc.
[Figure: the “1 Authz Server / client” model vs. the “n Authz Server / client” model, with nodes C1O, C1R, C2O, C2R (client endpoints), UA (user agent) and A1Z, A2Z (authorization servers)]
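The “different redirect endpoints for each server” advice above, written out as an added example in Python (this is illustrative code, not the deck's or any FAPI implementation's): the client mints one redirect URI per authorization server and records which server each state was issued for, so a response that lands on the wrong server's endpoint, or reuses a state, is rejected before the code is ever sent to a token endpoint. The hostnames and the AS identifiers a1z/a2z are constructed placeholders.

```python
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlencode

# Constructed sample: a PFM client that talks to two authorization servers.
# Hostnames are placeholders, not real endpoints.
AUTHZ_SERVERS = {
    "a1z": "https://a1z.example/authorize",
    "a2z": "https://a2z.example/authorize",
}


@dataclass
class MultiASClient:
    """OAuth client with one redirect endpoint per authorization server.

    The endpoint a response arrives at tells the client which AS sent it; that
    must agree with the AS the accompanying state was minted for.
    """
    client_id: str
    redirect_base: str = "https://client.example/cb"
    # state -> id of the AS the authorization request was sent to
    pending: dict = field(default_factory=dict)

    def redirect_uri_for(self, as_id: str) -> str:
        if as_id not in AUTHZ_SERVERS:
            raise KeyError(f"unknown authorization server {as_id!r}")
        return f"{self.redirect_base}/{as_id}"

    def build_authz_request(self, as_id: str, scope: str = "accounts"):
        """Return (authorization URL, state); the state is bound to as_id."""
        state = secrets.token_urlsafe(32)
        self.pending[state] = as_id
        params = {
            "response_type": "code",
            "client_id": self.client_id,
            "redirect_uri": self.redirect_uri_for(as_id),
            "scope": scope,
            "state": state,
        }
        return AUTHZ_SERVERS[as_id] + "?" + urlencode(params), state

    def handle_callback(self, arrived_at_as_id: str, code: str, state: str) -> str:
        """Validate the front-channel response and return the AS whose token
        endpoint may redeem `code`.

        In a mix-up attack the code shows up at the redirect endpoint of a
        different AS than the one the user was sent to; comparing the endpoint
        with the state's origin catches that.
        """
        issued_for = self.pending.pop(state, None)  # single use: replays fail
        if issued_for is None:
            raise ValueError("unknown or already used state")
        if issued_for != arrived_at_as_id:
            raise ValueError(
                f"response for {issued_for} arrived at the {arrived_at_as_id} "
                "redirect endpoint: possible authorization server mix-up")
        return issued_for
```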
Message Authentication Problems
• Communications through the UA are not authenticated and thus can be tainted, but are often used without a taint check.
• Neither ‘code’ nor ‘state’ can be taken at face value, but we do...
[Figure: C1O and C1R on the client side, UA in the middle, A1Z on the server side. TLS terminates at the UA. The authorization request (response_type, client_id, redirect_uri, scope, state) and the authorization response (code, state) are both not authenticated.]
Message Source Authentication Problems
• Since the authorization request and response go through the browser, the receiving ends cannot be sure who the real sender is.
[Figure: C1O, C1R, UA, A1Z; TLS terminates at the UA. A1Z cannot verify that the Authz request is from C1O. C1R cannot verify that the Authz response is from C1O.]
Message Destination Authentication Problems
• We are in a mobile app world, right?
• “Code phishing” on public clients a.k.a. mobile apps
• Custom schemes etc. can be hijacked by malware on the device.
  ◦ It has been exploited against popular apps.
  ◦ RFC 7636 OAuth PKCE exists for the mitigation of this problem.
[Figure: Good App and Bad App on the same device, UA, A1Z. The redirect URI is goodapp://; the Bad App claims “I am goodapp!”]
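To make the PKCE mitigation concrete, here is an added example (illustrative code, not from the deck or any FAPI implementation) of the RFC 7636 S256 method on both sides: the public client keeps a random code_verifier in memory and sends only its SHA-256 challenge, so an app that hijacked the goodapp:// scheme and captured the code still cannot redeem it. The AuthorizationServer class is a constructed stand-in for the token endpoint; it accepts only S256 and burns a code on any redemption attempt.

```python
import base64
import hashlib
import hmac
import secrets


def b64url(data: bytes) -> str:
    """base64url without padding, as RFC 7636 requires for code_challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_pkce_pair():
    """Public client (the 'good app') side: a fresh code_verifier that never leaves
    the app, and the S256 code_challenge that goes into the authorization request."""
    verifier = secrets.token_urlsafe(48)  # 64 unreserved chars, within RFC 7636's 43..128
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


class AuthorizationServer:
    """Constructed stand-in for an AS: remembers the challenge per issued code and
    redeems a code only for the party that can present the matching verifier."""

    def __init__(self):
        self._codes = {}  # code -> (client_id, code_challenge)

    def authorize(self, client_id: str, code_challenge: str, method: str = "S256") -> str:
        if method != "S256":
            raise ValueError("only S256 is accepted; 'plain' gives no protection on a shared device")
        code = secrets.token_urlsafe(24)
        self._codes[code] = (client_id, code_challenge)
        return code

    def token(self, client_id: str, code: str, code_verifier: str) -> str:
        # Single use: pop on any attempt, so a failed guess also burns the code.
        entry = self._codes.pop(code, None)
        if entry is None:
            raise PermissionError("invalid_grant: unknown or already redeemed code")
        owner, challenge = entry
        if owner != client_id:
            raise PermissionError("invalid_grant: code was issued to another client_id")
        expected = b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())
        if not hmac.compare_digest(expected, challenge):
            raise PermissionError("invalid_grant: code_verifier does not match code_challenge")
        return "access-token-" + secrets.token_hex(8)


def code_phishing_demo() -> str:
    """The good app starts the flow; a malicious app that hijacked the custom scheme
    receives the code but not the verifier, so its token request is refused."""
    as_ = AuthorizationServer()
    verifier, challenge = make_pkce_pair()  # verifier stays inside the good app
    code = as_.authorize("goodapp", challenge)  # the redirect to goodapp:// is intercepted
    try:
        as_.token("goodapp", code, "not-the-verifier")  # the bad app cannot derive it
    except PermissionError:
        return "intercepted code was not redeemable"
    return "PKCE did NOT block the intercepted code"
```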
Identity and authentication problems
n OAuth has no notion of user identity.
n User authentication is “out of scope”.
(Image created by @nishantk)
Message confidentiality problems
• The authorization request is not encrypted in the application layer and thus can be seen by the man-in-the-browser etc.
• And we know that malware abounds.
  ◦ The most popular online banking attack in Japan since 2014 is man-in-the-browser.
[Figure: C1O, C1R, UA, A1Z; TLS terminates at the UA, so malware there can see the payload.]
Token Phishing / Token Replay
• Clients send token requests and resource requests to forged/compromised servers. Then, these servers can act as a hostile client to replay the request.
  ◦ E.g.,
    ▪ Sending a fake email to a developer saying that the endpoints have been changed. (We know that about 1 in 20 trained engineers gets phished.)
    ▪ A combination of TLS certificate mis-issuance and DNS spoofing, etc. (there seem to be real examples of such attacks against banks).
[Figure: the attacker sits between Client XYZ and ABC Bank, presenting itself as “ABC Bank API” to the client and as “Client XYZ” to the bank.]
To solve these problems, the OpenID Foundation Financial API (FAPI) WG was formed.
• Scope
  ◦ The goal of FAPI is to provide JSON data schemas, REST APIs, and security & privacy recommendations and protocols to enable:
    ▪ applications to utilize the data stored in the financial account,
    ▪ applications to interact with the financial account, and
    ▪ users to control the security and privacy settings.
• Both commercial and investment banking accounts as well as insurance and credit card accounts are to be considered.
(Source) OpenID Foundation Financial API WG draft charter
[Figure: the Open Banking stack, labelled JSON REST / OAuth / OpenID Connect]
(Source) ODI OBWG: The Open Banking Standard (2016)
For details, see: https://openid.net/wg/fapi/
Why OpenID Foundation?
• Right People: Authors of OAuth, JWT, JWS, OpenID Connect are all here.
• Right IPR: Royalty Free, Mutual Non-Assert, so that everyone can use it freely.
• Right Structure: Free to join WGs (Sponsors welcome). WTO TBT Compliant Process.
In an IPR-safe and Completely Open Environment
• IPR regime
  ◦ Mutually assured patent non-assert
  ◦ Trademark (OpenID®) control against false claims of spec support
  ◦ Certification support to reinforce interoperability
• Completely Open Environment
  ◦ Free of charge to join the WG as long as you file the IPR agreement
  ◦ Bitbucket (git) to track the changes
    ▪ File an issue and send a pull request!
• Made possible by these sponsors!
[Sponsor logos: Sustaining corporate members (board members), Corporate members, Non-profit members]
The WG works through weekly conference calls (alternating times for the Atlantic and the Pacific time zones), the mailing list, and the project repository (https://bitbucket.org/openid/fapi/).
[Screenshot of the repository: Issue Tracking, Meeting Notes etc., Commit History, Pull Requests, Draft Text]
Working Together
[Figure: OpenID FAPI WG (Chair, Co-Chairs, UK OBIE Liaison) and the liaison organizations]
Current Specs.
• Financial Services – Financial API –
  ◦ Part 1: Read Only API Security Profile
    http://openid.net/specs/openid-financial-api-part-1.html
    ▪ Implementer’s Draft (I-D) ~ Implementations going on
  ◦ Part 2: Read and Write API Security Profile
    http://openid.net/specs/openid-financial-api-part-2.html
    ▪ Under Public Review
  ◦ Part 3: Open Data API
    ▪ Waiting for the UK OBIE Contribution
  ◦ Part 4: Protected Data API and Schema - Read only
    ▪ Bank Account – Based on the US FS-ISAC Contribution
  ◦ Part 5: Protected Data API and Schema - Read and Write
    ▪ Waiting for UK OBIE Contribution
    ▪ Using Claims Request to obtain granular consent
Notes: Swagger files are going to be provided. These probably need to be registry entries rather than “Parts”.
Financial Services – Financial API -- Part 1: Read Only API Security Profile
• Note: ISO keywords “shall”, “should”, “may”, “can” are used.
• Lots of “shall”s. Need to fulfill them all for an adequate security level.
(Source) Financial Services – Financial API -- Part 1: Read Only API Security Profile Implementer’s Draft
Adoption among the industry is great!
Japanese Banker’s Association Recommendation
(16 March 2017)
Open Banking Implementation Entity Announcement (17 May 2017)
How do you know that it has been implemented correctly?
A certification test suite is planned to be provided online
For more details, see http://openid.net/certification/
[Figure: two steps, passing the publicly available test suite, then self-declaration and public listing]
We currently only have a generic test for basic OpenID Connect capabilities. We need to add tests for FAPI. Directed funding is being sought now.
Join the group!
https://openid.net/wg/fapi/
 
Leveraging open banking specifications for rigorous API security – What’s in...
Leveraging open banking specifications for rigorous API security –  What’s in...Leveraging open banking specifications for rigorous API security –  What’s in...
Leveraging open banking specifications for rigorous API security – What’s in...
 
Issues towards Open Banking ecosystem and how OpenID Foundation tackles them ...
Issues towards Open Banking ecosystem and how OpenID Foundation tackles them ...Issues towards Open Banking ecosystem and how OpenID Foundation tackles them ...
Issues towards Open Banking ecosystem and how OpenID Foundation tackles them ...
 
Connected World in android - Local data sharing and service discovery
Connected World in android - Local data sharing and service discoveryConnected World in android - Local data sharing and service discovery
Connected World in android - Local data sharing and service discovery
 

More from Nat Sakimura

FAPI and beyond - よりよいセキュリティのために
FAPI and beyond - よりよいセキュリティのためにFAPI and beyond - よりよいセキュリティのために
FAPI and beyond - よりよいセキュリティのためにNat Sakimura
 
OpenID in the Digital ID Landscape: A Perspective From the Past to the Future
OpenID in the Digital ID Landscape: A Perspective From the Past to the FutureOpenID in the Digital ID Landscape: A Perspective From the Past to the Future
OpenID in the Digital ID Landscape: A Perspective From the Past to the FutureNat Sakimura
 
金融 API 時代のセキュリティ: OpenID Financial API (FAPI) WG
金融 API 時代のセキュリティ: OpenID Financial API (FAPI) WG金融 API 時代のセキュリティ: OpenID Financial API (FAPI) WG
金融 API 時代のセキュリティ: OpenID Financial API (FAPI) WGNat Sakimura
 
ブロックチェーン〜信頼の源泉の民主化のもたらす変革
ブロックチェーン〜信頼の源泉の民主化のもたらす変革ブロックチェーン〜信頼の源泉の民主化のもたらす変革
ブロックチェーン〜信頼の源泉の民主化のもたらす変革Nat Sakimura
 
車輪は丸くなったか?~デジタル・アイデンティティの標準化動向とそのゴール
車輪は丸くなったか?~デジタル・アイデンティティの標準化動向とそのゴール車輪は丸くなったか?~デジタル・アイデンティティの標準化動向とそのゴール
車輪は丸くなったか?~デジタル・アイデンティティの標準化動向とそのゴールNat Sakimura
 
OAuth SPOP @ IETF 91
OAuth SPOP @ IETF 91OAuth SPOP @ IETF 91
OAuth SPOP @ IETF 91Nat Sakimura
 
Oidc how it solves your problems
Oidc how it solves your problemsOidc how it solves your problems
Oidc how it solves your problemsNat Sakimura
 
Transient client secret extension
Transient client secret extensionTransient client secret extension
Transient client secret extensionNat Sakimura
 
Introduction to OpenID Connect
Introduction to OpenID Connect Introduction to OpenID Connect
Introduction to OpenID Connect Nat Sakimura
 
Nc 30 sakimura-distribution_0604
Nc 30 sakimura-distribution_0604Nc 30 sakimura-distribution_0604
Nc 30 sakimura-distribution_0604Nat Sakimura
 
Smartphone Native Application OP
Smartphone Native Application OPSmartphone Native Application OP
Smartphone Native Application OPNat Sakimura
 
Open idとcyber空間
Open idとcyber空間Open idとcyber空間
Open idとcyber空間Nat Sakimura
 
サイバー空間上の信頼フレームワークとパーソナルデータ経済
サイバー空間上の信頼フレームワークとパーソナルデータ経済サイバー空間上の信頼フレームワークとパーソナルデータ経済
サイバー空間上の信頼フレームワークとパーソナルデータ経済Nat Sakimura
 
20110706 PIDSプロジェクト中間報告
20110706 PIDSプロジェクト中間報告20110706 PIDSプロジェクト中間報告
20110706 PIDSプロジェクト中間報告Nat Sakimura
 
Open id specifications_work_update-tokyo_2011
Open id specifications_work_update-tokyo_2011Open id specifications_work_update-tokyo_2011
Open id specifications_work_update-tokyo_2011Nat Sakimura
 
国民ID制度とトラスト・フレームワーク
国民ID制度とトラスト・フレームワーク国民ID制度とトラスト・フレームワーク
国民ID制度とトラスト・フレームワークNat Sakimura
 
Introduction to OpenID TX proposed extension
Introduction to OpenID TX proposed extensionIntroduction to OpenID TX proposed extension
Introduction to OpenID TX proposed extensionNat Sakimura
 
Sharing the Success of OpenID Japan Success
Sharing the Success of OpenID Japan SuccessSharing the Success of OpenID Japan Success
Sharing the Success of OpenID Japan SuccessNat Sakimura
 

More from Nat Sakimura (19)

FAPI and beyond - よりよいセキュリティのために
FAPI and beyond - よりよいセキュリティのためにFAPI and beyond - よりよいセキュリティのために
FAPI and beyond - よりよいセキュリティのために
 
OpenID in the Digital ID Landscape: A Perspective From the Past to the Future
OpenID in the Digital ID Landscape: A Perspective From the Past to the FutureOpenID in the Digital ID Landscape: A Perspective From the Past to the Future
OpenID in the Digital ID Landscape: A Perspective From the Past to the Future
 
金融 API 時代のセキュリティ: OpenID Financial API (FAPI) WG
金融 API 時代のセキュリティ: OpenID Financial API (FAPI) WG金融 API 時代のセキュリティ: OpenID Financial API (FAPI) WG
金融 API 時代のセキュリティ: OpenID Financial API (FAPI) WG
 
ブロックチェーン〜信頼の源泉の民主化のもたらす変革
ブロックチェーン〜信頼の源泉の民主化のもたらす変革ブロックチェーン〜信頼の源泉の民主化のもたらす変革
ブロックチェーン〜信頼の源泉の民主化のもたらす変革
 
車輪は丸くなったか?~デジタル・アイデンティティの標準化動向とそのゴール
車輪は丸くなったか?~デジタル・アイデンティティの標準化動向とそのゴール車輪は丸くなったか?~デジタル・アイデンティティの標準化動向とそのゴール
車輪は丸くなったか?~デジタル・アイデンティティの標準化動向とそのゴール
 
OAuth SPOP @ IETF 91
OAuth SPOP @ IETF 91OAuth SPOP @ IETF 91
OAuth SPOP @ IETF 91
 
Oidc how it solves your problems
Oidc how it solves your problemsOidc how it solves your problems
Oidc how it solves your problems
 
Transient client secret extension
Transient client secret extensionTransient client secret extension
Transient client secret extension
 
Introduction to OpenID Connect
Introduction to OpenID Connect Introduction to OpenID Connect
Introduction to OpenID Connect
 
Nc 30 sakimura-distribution_0604
Nc 30 sakimura-distribution_0604Nc 30 sakimura-distribution_0604
Nc 30 sakimura-distribution_0604
 
Smartphone Native Application OP
Smartphone Native Application OPSmartphone Native Application OP
Smartphone Native Application OP
 
Open idとcyber空間
Open idとcyber空間Open idとcyber空間
Open idとcyber空間
 
サイバー空間上の信頼フレームワークとパーソナルデータ経済
サイバー空間上の信頼フレームワークとパーソナルデータ経済サイバー空間上の信頼フレームワークとパーソナルデータ経済
サイバー空間上の信頼フレームワークとパーソナルデータ経済
 
Closing Note
Closing NoteClosing Note
Closing Note
 
20110706 PIDSプロジェクト中間報告
20110706 PIDSプロジェクト中間報告20110706 PIDSプロジェクト中間報告
20110706 PIDSプロジェクト中間報告
 
Open id specifications_work_update-tokyo_2011
Open id specifications_work_update-tokyo_2011Open id specifications_work_update-tokyo_2011
Open id specifications_work_update-tokyo_2011
 
国民ID制度とトラスト・フレームワーク
国民ID制度とトラスト・フレームワーク国民ID制度とトラスト・フレームワーク
国民ID制度とトラスト・フレームワーク
 
Introduction to OpenID TX proposed extension
Introduction to OpenID TX proposed extensionIntroduction to OpenID TX proposed extension
Introduction to OpenID TX proposed extension
 
Sharing the Success of OpenID Japan Success
Sharing the Success of OpenID Japan SuccessSharing the Success of OpenID Japan Success
Sharing the Success of OpenID Japan Success
 

Recently uploaded

Mary Meeker Internet Trends Report for 2019
Mary Meeker Internet Trends Report for 2019Mary Meeker Internet Trends Report for 2019
Mary Meeker Internet Trends Report for 2019Eric Johnson
 
Section 3 - Technical Sales Foundations for IBM QRadar for Cloud (QRoC)V1 P10...
Section 3 - Technical Sales Foundations for IBM QRadar for Cloud (QRoC)V1 P10...Section 3 - Technical Sales Foundations for IBM QRadar for Cloud (QRoC)V1 P10...
Section 3 - Technical Sales Foundations for IBM QRadar for Cloud (QRoC)V1 P10...hasimatwork
 
如何办理朴茨茅斯大学毕业证书学位证书成绩单?
如何办理朴茨茅斯大学毕业证书学位证书成绩单?如何办理朴茨茅斯大学毕业证书学位证书成绩单?
如何办理朴茨茅斯大学毕业证书学位证书成绩单?krc0yvm5
 
Generalities about NFT , as a new technology
Generalities about NFT , as a new technologyGeneralities about NFT , as a new technology
Generalities about NFT , as a new technologysoufianbouktaib1
 
overview of Virtualization, concept of Virtualization
overview of Virtualization, concept of Virtualizationoverview of Virtualization, concept of Virtualization
overview of Virtualization, concept of VirtualizationRajan yadav
 
Benefits of Fiber Internet vs. Traditional Internet.pptx
Benefits of Fiber Internet vs. Traditional Internet.pptxBenefits of Fiber Internet vs. Traditional Internet.pptx
Benefits of Fiber Internet vs. Traditional Internet.pptxlibertyuae uae
 
Google-Next-Madrid-BBVA-Research inv.pdf
Google-Next-Madrid-BBVA-Research inv.pdfGoogle-Next-Madrid-BBVA-Research inv.pdf
Google-Next-Madrid-BBVA-Research inv.pdfMaria Adalfio
 
Tungsten Webinar: v6 & v7 Release Recap, and Beyond
Tungsten Webinar: v6 & v7 Release Recap, and BeyondTungsten Webinar: v6 & v7 Release Recap, and Beyond
Tungsten Webinar: v6 & v7 Release Recap, and BeyondContinuent
 
SQL Server on Azure VM datasheet.dsadaspptx
SQL Server on Azure VM datasheet.dsadaspptxSQL Server on Azure VM datasheet.dsadaspptx
SQL Server on Azure VM datasheet.dsadaspptxJustineGarcia32
 
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85APNIC
 

Recently uploaded (10)

Mary Meeker Internet Trends Report for 2019
Mary Meeker Internet Trends Report for 2019Mary Meeker Internet Trends Report for 2019
Mary Meeker Internet Trends Report for 2019
 
Section 3 - Technical Sales Foundations for IBM QRadar for Cloud (QRoC)V1 P10...
Section 3 - Technical Sales Foundations for IBM QRadar for Cloud (QRoC)V1 P10...Section 3 - Technical Sales Foundations for IBM QRadar for Cloud (QRoC)V1 P10...
Section 3 - Technical Sales Foundations for IBM QRadar for Cloud (QRoC)V1 P10...
 
如何办理朴茨茅斯大学毕业证书学位证书成绩单?
如何办理朴茨茅斯大学毕业证书学位证书成绩单?如何办理朴茨茅斯大学毕业证书学位证书成绩单?
如何办理朴茨茅斯大学毕业证书学位证书成绩单?
 
Generalities about NFT , as a new technology
Generalities about NFT , as a new technologyGeneralities about NFT , as a new technology
Generalities about NFT , as a new technology
 
overview of Virtualization, concept of Virtualization
overview of Virtualization, concept of Virtualizationoverview of Virtualization, concept of Virtualization
overview of Virtualization, concept of Virtualization
 
Benefits of Fiber Internet vs. Traditional Internet.pptx
Benefits of Fiber Internet vs. Traditional Internet.pptxBenefits of Fiber Internet vs. Traditional Internet.pptx
Benefits of Fiber Internet vs. Traditional Internet.pptx
 
Google-Next-Madrid-BBVA-Research inv.pdf
Google-Next-Madrid-BBVA-Research inv.pdfGoogle-Next-Madrid-BBVA-Research inv.pdf
Google-Next-Madrid-BBVA-Research inv.pdf
 
Tungsten Webinar: v6 & v7 Release Recap, and Beyond
Tungsten Webinar: v6 & v7 Release Recap, and BeyondTungsten Webinar: v6 & v7 Release Recap, and Beyond
Tungsten Webinar: v6 & v7 Release Recap, and Beyond
 
SQL Server on Azure VM datasheet.dsadaspptx
SQL Server on Azure VM datasheet.dsadaspptxSQL Server on Azure VM datasheet.dsadaspptx
SQL Server on Azure VM datasheet.dsadaspptx
 
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
 

OpenID Foundation FAPI WG: June 2017 Update

  • 1. Nomura Research Institute. Nat Sakimura, Chairman of the Board, OpenID Foundation; Research Fellow, Nomura Research Institute. Anoop Saxena, FAPI WG co-chair, OpenID Foundation; Architect, Intuit. OpenID Foundation Financial API WG, June 2017. http://openid.net/wg/fapi/ OpenID® is a registered trademark of OpenID Foundation. *Unless otherwise noted, all the photos and vector images are licensed by GraphicStocks.
  • 2. © 2017 by Nat Sakimura. CC-BY-SA. Copyright © 2016 Nat Sakimura. All Rights Reserved. Do you use Personal Finance Software? What are the current problems?
  • 3. When NRI started screen scraping in 2001, we thought it would be a temporary solution. “There was OFX, and SAML was coming. SOAP was gaining momentum. We should be able to get out of the scraping business in a few years’ time!”
  • 4. WRONG!
  • 5. After 15 years, we are still screen scraping.
  • 6. The situation is changing though.
  • 7. Fintech is gaining a lot of interest lately. (Source) Google Trends
  • 8. API is known to be one of the three main components of FinTech. (Source) Nikkei BP: FinTech Yearbook. Use cases for an Identity Federation API in the financial sector: 1. Account Opening (incl. KYC); 2. Personal Asset Management; 3. Payment, Sending Money; 4. Loan Application; 5. AI-assisted portfolio management. (Source) Nikkei BP: Fintech Revolution, p. 4
  • 9. INDUSTRY PUSH > US: FS-ISAC Durable Data API: JSON, XML + OAuth 2.0. (Source) FS-ISAC FSDDA WG; OpenID Financial API
  • 10. REGULATORY PUSH > EU Payment Service Directive 2 mandates API availability by the end of 2017. (Source) ODI OBWG: The Open Banking Standard (2016): JSON, REST, OAuth, OpenID Connect
  • 11. The “LEGO Model” provided by APIs creates a new customer segment, “B-to-D”. Laurens Hamerlinck, Innovation Manager, ABN AMRO Bank, @lhamerlinck:
    - Open Banking APIs are drawing fintech companies to the UK.
    - API creates a Lego model. You do not need to build everything yourself.
    - OEaS := Our Expertise as a Service
    - The financial sector becomes more open. Not only in the EU; also in the US and elsewhere.
    - iOS app platforms did not have any developers in the beginning, but see what happened by opening up the ecosystem.
    - What happened to a company who did not open it?
    - B-to-D: API = New Customer Segment.
    (From the talk “Bank as a Platform: Exploring a new Role in the Age of Technology”, European Identity Summit 2017)
  • 12. Automation through APIs makes it possible for financial institutions to provide services to hitherto unreachable segments.
    - Operational loans provided to small businesses: banks providing operational loans to a small business through automated credit clearance based on the ledger data, using artificial intelligence.
    - Transaction insurance offered to SMEs: transaction insurance has only been offered to large enterprises, because the insurance rate is low compared to the cost of evaluating the deals. With APIs, the cost is driven down significantly and it can now be offered to SMEs.
    (Chart: reaching the hitherto inaccessible (due to benefit/cost) market. Shares of large enterprises vs. SMEs: gross value added, Large 42.5 / SME 57.5; number of enterprises, Large 1 / SME 99. Source: Eurostat, Number of enterprises, persons employed and gross value added (GVA) and the share of SMEs, 2012.)
  • 13. “Saying ‘use #oauth’ does not solve the problem.” -- Mark O’Neill, Gartner, @APIDays Paris 2016. (Source) Photo taken by Nat Sakimura @APIDays on 13th Dec. 2016. In the era of “Mobile First”, OAuth is an obvious choice for API protection, but …
  • 14. Because OAuth 2.0 is a framework, as the name indicates,
  • 15. and needs to be profiled to suit the circumstances and use case. For example: (Chart: value at stake (low to high) against environmental control level (high to low). Plotted use cases: Social sharing, Closed circuit, Factory application, Financial API – Read only, Financial API – Read & Write. Annotations: “Basic OAuth is good enough”; “Bearer token Not OK”.) Stock RFC 6749 and RFC 6750 are not enough. Not all security requirements need to be fulfilled by OAuth. One needs to be careful in the case of higher value at stake in a low-environmental-control scenario, such as internet banking.
  • 16. RFC 6749 state of the source, destination, and message authentication:
    Message | Sender Authentication | Receiver Authentication | Message Authentication
    Authorization Request | Indirect | None | None
    Authorization Response | None | None | None
    Token Request | Weak | Good | Good
    Token Response | Good | Good | Good
  • 17. OAuth 2.0 related options and the security levels.
    Authorization Request/Response types and the security levels (highest first):
    Authorization type | Description
    JWS Authz Req w/ Hybrid Flow | Authz Request protected
    Hybrid Flow*1 (confidential client) | Authz Response protected (ID Token acts as the detached signature for the response.)
    Code Flow (confidential client) | Client authentication
    Implicit Flow | No client authentication
    Plain OAuth | Anonymous
    *1) State injection is taken care of by including ‘s_hash’.
    Token types and the security levels (highest first):
    Token Type | Description
    Sender Constrained Token | Only the named party with the correct key can use the token.
    Bearer Token | Anyone can use the token.
  • 18. e.g., tighten up the source, destination, and message authentication:
    Message | Sender Authentication | Receiver Authentication | Message Authentication
    Authorization Request | Request Object | Request Object | Request Object
    Authorization Response | Hybrid Flow | Hybrid Flow | Hybrid Flow
    Token Request | Good | Good | Good
    Token Response | Good | Good | Good
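Slides 17 and 18 say that in the Hybrid Flow the ID Token acts as a detached signature over the authorization response and that ‘s_hash’ closes the state-injection hole. The following added example (not code from the slides or from the FAPI WG) shows both sides of that check: the server side puts c_hash and s_hash into the ID Token, and the client side refuses to use the unauthenticated ‘code’ and ‘state’ parameters until they match the hashes inside the verified token. To stay dependency-free it signs with HS256 and a constructed shared secret; a real client verifies the token with the authorization server's published public key. The issuer, client id and secret are constructed values.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed values for this example. HS256 with a shared secret is used
# only to keep the example free of third-party libraries; a production
# client verifies the ID Token with the authorization server's public key.
SHARED_SECRET = b"example-shared-secret-not-for-production"
ISSUER = "https://as.bank.example"   # hypothetical authorization server
CLIENT_ID = "pfm-client-001"         # hypothetical client id


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def left_half_hash(value: str) -> str:
    """c_hash / s_hash as defined by OpenID Connect: base64url-encode the
    left-most half of the hash of the ASCII octets of the value, using the
    hash function of the ID Token's signing algorithm (SHA-256 here)."""
    digest = hashlib.sha256(value.encode("ascii")).digest()
    return b64url(digest[: len(digest) // 2])


def sign_id_token(claims: dict) -> str:
    """Minimal HS256 JWS compact serialisation of the claims."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(SHARED_SECRET, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def as_hybrid_response(state: str, nonce: str) -> dict:
    """Authorization server side of response_type=code id_token: the ID Token
    binds code and state to the signed response via c_hash and s_hash."""
    code = secrets.token_urlsafe(32)
    claims = {
        "iss": ISSUER, "aud": CLIENT_ID, "sub": "user-42", "nonce": nonce,
        "c_hash": left_half_hash(code), "s_hash": left_half_hash(state),
    }
    return {"code": code, "state": state, "id_token": sign_id_token(claims)}


def verify_hybrid_response(resp: dict, expected_state: str, expected_nonce: str) -> dict:
    """Client side: treat the ID Token as the detached signature over the
    (code, state) pair that arrived unauthenticated through the browser.
    Returns the verified claims or raises ValueError."""
    parts = str(resp.get("id_token", "")).split(".")
    if len(parts) != 3:
        raise ValueError("malformed id_token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never accept 'none' or a switched alg
    expected_sig = hmac.new(SHARED_SECRET, f"{header_b64}.{payload_b64}".encode("ascii"),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER or claims.get("aud") != CLIENT_ID:
        raise ValueError("iss/aud mismatch (possible mix-up)")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch (replayed token)")
    # Only now may the bare query/fragment parameters be trusted: each must
    # match the hash the server put inside the signed token.
    state, code = str(resp.get("state", "")), str(resp.get("code", ""))
    if state != expected_state or not hmac.compare_digest(
            str(claims.get("s_hash", "")).encode(), left_half_hash(state).encode()):
        raise ValueError("state not covered by the signature (state injection)")
    if not hmac.compare_digest(str(claims.get("c_hash", "")).encode(), left_half_hash(code).encode()):
        raise ValueError("code not covered by the signature (code injection)")
    return claims


def response_is_valid(resp: dict, expected_state: str, expected_nonce: str) -> bool:
    """Boolean convenience wrapper around verify_hybrid_response."""
    try:
        verify_hybrid_response(resp, expected_state, expected_nonce)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    st, nc = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    good = as_hybrid_response(st, nc)
    print("genuine response accepted:", response_is_valid(good, st, nc))
    print("swapped code accepted:", response_is_valid(dict(good, code="some-other-code"), st, nc))
```

The order of checks matters: signature, issuer and audience, then nonce, and only then the hashes. A client that compares ‘state’ against its session before verifying the token has done nothing the plain code flow does not already do; it is the s_hash/c_hash comparison against a verified token that turns the browser-relayed parameters into authenticated ones.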
  • 19. To create an appropriate OAuth profile for financial API use, we need to consider multiple factors. These are not taken into account often enough, resulting in too many unsafe OAuth 2.0 implementations.
  • 20. Example of factors: 1 Server/client assumption; Message authentication; Source authentication; Destination authentication; User authentication; Message confidentiality; Token Phishing/Replay. The Financial API Profile needs to solve them all.
  • 21. OAuth’s primary security assumption is that there is only 1 Authz Server per client:
    - In the case of Personal Finance Management software/clients, there will necessarily be multiple Authz Servers.
    - Make sure to have virtual separation, i.e., a different redirect endpoint for each server, to avoid the Authz server mix-up attack etc.
    (Diagram: the “1 Authz Server / client” model vs. the “n Authz Servers / client” model, with components C1O, C1R, UA, A1Z and C2O, C2R, A2Z.)
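Slide 21's advice is a separate redirect endpoint per authorization server. The added example below (not code from the slides or from the FAPI WG) shows what a multi-server client has to do with that separation: record which server each ‘state’ was issued for, and on the callback refuse any response whose state belongs to a different server than the one the callback endpoint is dedicated to. The two bank servers, the client id, the callback base URL and the in-memory pending-state store are constructed assumptions.

```python
import secrets
from typing import Optional
from urllib.parse import urlencode

# Hypothetical authorization servers for a PFM client (constructed values).
AUTHZ_SERVERS = {
    "bank-a": {"authorize": "https://as.bank-a.example/authorize",
               "token": "https://as.bank-a.example/token"},
    "bank-b": {"authorize": "https://as.bank-b.example/authorize",
               "token": "https://as.bank-b.example/token"},
}
CLIENT_ID = "pfm-client-001"              # hypothetical client id
CALLBACK_BASE = "https://pfm.example/cb"  # hypothetical client callback base

# Pending authorizations: state -> authorization server it was issued for.
# A real client keeps this in the user's session store.
_pending: dict = {}


def redirect_uri_for(as_id: str) -> str:
    """One redirect endpoint per authorization server: the virtual separation
    the slide asks for, so the callback URL itself says which server is expected."""
    return f"{CALLBACK_BASE}/{as_id}"


def start_authorization(as_id: str, scope: str = "accounts") -> tuple:
    """Build the authorization request for one server and remember which
    server the fresh state belongs to. Returns (url, state)."""
    state = secrets.token_urlsafe(24)
    _pending[state] = as_id
    params = {"response_type": "code", "client_id": CLIENT_ID,
              "redirect_uri": redirect_uri_for(as_id), "scope": scope, "state": state}
    return AUTHZ_SERVERS[as_id]["authorize"] + "?" + urlencode(params), state


def handle_callback(callback_as_id: str, params: dict) -> str:
    """Called by the per-server callback endpoint /cb/<callback_as_id>.
    Returns the token endpoint the code may be redeemed at, or raises."""
    state = params.get("state")
    issued_for = _pending.pop(state, None)   # single use: a replayed state fails
    if issued_for is None:
        raise ValueError("unknown or already used state")
    if issued_for != callback_as_id:
        # Started with server A but delivered to the callback of server B:
        # the mix-up signature. Do not redeem the code anywhere.
        raise ValueError(f"state issued for {issued_for} arrived at the {callback_as_id} callback")
    if "code" not in params:
        raise ValueError("missing code")
    # The token endpoint comes from the client's own configuration for the
    # server the state was issued for, never from anything in the response.
    return AUTHZ_SERVERS[issued_for]["token"]


def token_endpoint_for_callback(callback_as_id: str, params: dict) -> Optional[str]:
    """None when the callback is rejected, otherwise the token endpoint to use."""
    try:
        return handle_callback(callback_as_id, params)
    except ValueError:
        return None


if __name__ == "__main__":
    url, st = start_authorization("bank-a")
    print("authorize at:", url)
    print("delivered to bank-b callback:", token_endpoint_for_callback("bank-b", {"code": "c", "state": st}))
```

The important property is that the code is only ever sent to the token endpoint configured for the server the state was issued for; a response that shows up at the wrong callback is dropped, and its state is consumed so it cannot be retried at the right one.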
  • 22. Message Authentication Problems
    - Communications through the UA are not authenticated and thus can be tainted, but they are often used without a taint check.
    - Neither ‘code’ nor ‘state’ can be taken at face value, but we do...
    (Diagram: C1O → UA → A1Z → UA → C1R; TLS terminates at the UA. The authorization request (response_type, client_id, redirect_uri, scope, state) and the authorization response (code, state) are not authenticated.)
  • 23. Message Source Authentication Problems
    - Since the authorization request and response go through the browser, the receiving ends cannot be sure who the real sender is.
    (Diagram: TLS terminates at the UA. A1Z cannot verify that the Authz request is from C1O; C1R cannot verify that the Authz response is from C1O.)
  • 24. Message Destination Authentication Problems
    - We are in a mobile app world, right?
    - “Code phishing” on public clients, a.k.a. mobile apps.
    - Custom schemes etc. can be hijacked by malware on the device.
      - It has been exploited against popular apps.
      - RFC 7636 OAuth PKCE exists for the mitigation of this problem.
    (Diagram: Good App and Bad App on the same device, both registering redirect_uri = goodapp://; the Bad App tells the UA “I am goodapp!” and receives the response from A1Z.)
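Slide 24 names RFC 7636 (PKCE) as the mitigation for a code delivered to the wrong app on the device. The added example below (not code from the slides or from the FAPI WG) implements the S256 method on both sides and plays the slide's scenario through the token endpoint: an app that only holds the code cannot redeem it, because it cannot produce the code_verifier whose SHA-256 matches the code_challenge stored at authorization time. The app name, redirect URI and in-memory code store are constructed assumptions; the policy of spending the code on a failed attempt is a design choice of this example.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed example of RFC 7636 (PKCE) with the S256 method. Names such as
# "goodapp" and the in-memory code store are assumptions for this example.


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_pkce_pair() -> tuple:
    """Client side: a high-entropy code_verifier kept in app memory, and the
    code_challenge = BASE64URL(SHA256(code_verifier)) sent in the authz request."""
    verifier = b64url(secrets.token_bytes(32))            # 43 unreserved chars
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


class AuthorizationServer:
    """Minimal server-side PKCE handling: the challenge is stored with the
    code at authorization time and checked at the token endpoint."""

    def __init__(self) -> None:
        self._codes: dict = {}   # code -> (client_id, redirect_uri, challenge)

    def authorize(self, client_id: str, redirect_uri: str,
                  code_challenge: str, method: str = "S256") -> str:
        if method != "S256":
            raise ValueError("only S256 is accepted; 'plain' offers no protection")
        if not 43 <= len(code_challenge) <= 128:
            raise ValueError("invalid code_challenge length")
        code = secrets.token_urlsafe(32)
        self._codes[code] = (client_id, redirect_uri, code_challenge)
        return code

    def token(self, client_id: str, redirect_uri: str, code: str,
              code_verifier: str) -> Optional[dict]:
        """Returns a token response, or None when the code must not be redeemed.
        The code is removed on first presentation, whether or not the check
        succeeds, so a wrong guess also burns the code (a design choice here)."""
        entry = self._codes.pop(code, None)
        if entry is None:
            return None                                   # unknown or reused code
        stored_client, stored_redirect, challenge = entry
        if stored_client != client_id or stored_redirect != redirect_uri:
            return None
        if not 43 <= len(code_verifier) <= 128:
            return None
        derived = b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())
        if not hmac.compare_digest(derived.encode(), challenge.encode()):
            return None                                   # holder of the code lacks the verifier
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}


def code_interception_demo() -> dict:
    """Plays the slide's scenario: the code is first presented by a party that
    only holds the code, then by the app that holds the verifier."""
    server = AuthorizationServer()
    verifier, challenge = make_pkce_pair()
    code = server.authorize("goodapp", "goodapp://callback", challenge)
    # A second app that received the redirect has the code but not the verifier.
    without_verifier = server.token("goodapp", "goodapp://callback", code, "x" * 43)
    # The legitimate app presents the right verifier, but the code is already spent.
    legit_after = server.token("goodapp", "goodapp://callback", code, verifier)
    # A fresh authorization with a fresh verifier by the legitimate app succeeds.
    verifier2, challenge2 = make_pkce_pair()
    code2 = server.authorize("goodapp", "goodapp://callback", challenge2)
    legit_fresh = server.token("goodapp", "goodapp://callback", code2, verifier2)
    return {"intercepted_code_redeemed": without_verifier is not None,
            "spent_code_redeemed": legit_after is not None,
            "fresh_code_redeemed": legit_fresh is not None}


if __name__ == "__main__":
    print(code_interception_demo())
```

Two details carry the protection: the server rejects the ‘plain’ method, since a challenge equal to the verifier gives anything that sees the authorization request the verifier as well, and a code is single-use, so the legitimate app noticing a failed exchange is also a signal that something else on the device saw the redirect.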
  • 25. Identity and authentication problems: OAuth has no notion of user identity. User authentication is “out of scope”.
  • 26. (Image) Created by @nishantk
  • 27. Message confidentiality problems
    - The authorization request is not encrypted at the application layer and thus can be seen by a man-in-the-browser etc.
    - And we know that malware abounds. The most popular online banking attack in Japan since 2014 is man-in-the-browser.
    (Diagram: C1O → UA → A1Z; TLS terminates at the UA, so malware there can see the payload.)
  • 28. Token Phishing / Token Replay
    - Clients send token requests and resource requests to forged/compromised servers. These servers can then act as a hostile client to replay the request.
    - E.g., sending a fake email to a developer saying that the endpoints have been changed. (We know that about 1 in 20 trained engineers gets phished.)
    - A combination of TLS cert mis-issuance and DNS spoofing, etc. (there seem to be real examples of such attacks against banks).
    (Diagram: Client XYZ ↔ Attacker ↔ ABC Bank. The attacker presents itself as “ABC Bank API” to the client and as “Client XYZ” to the bank.)
  • 29. To solve these problems, the OpenID Foundation Financial API (FAPI) WG was formed. Scope: the goal of FAPI is to provide JSON data schemas, REST APIs, and security & privacy recommendations and protocols to enable applications to utilize the data stored in the financial account, applications to interact with the financial account, and users to control the security and privacy settings. Both commercial and investment banking accounts, as well as insurance and credit card accounts, are to be considered. (Source) OpenID Foundation Financial API WG draft charter. (Source) ODI OBWG: The Open Banking Standard (2016): JSON, REST, OAuth, OpenID Connect. For details, see: https://openid.net/wg/fapi/
  • 30. Why OpenID Foundation? Right People: the authors of OAuth, JWT, JWS and OpenID Connect are all here. Right IPR: royalty free, mutual non-assert, so that everyone can use it freely. Right Structure: free to join WGs (sponsors welcome); WTO TBT compliant process.
  • 31. In an IPR-safe and completely open environment.
    - IPR regime: mutually assured patent non-assert; trademark (OpenID®) control against false claims of spec support; certification support to reinforce interoperability.
    - Completely open environment: free of charge to join the WG as long as you file the IPR agreement; Bitbucket (git) to track the changes: file an issue and send a pull request!
    - Made possible by these sponsors! (Logos: sustaining corporate members (board members), corporate members, non-profit members.)
  • 32. The WG works through weekly conference calls (alternating times for the Atlantic and Pacific time zones), the mailing list, and the project repository (https://bitbucket.org/openid/fapi/): issue tracking, meeting notes etc., commit history, pull requests, draft text.
  • 33. Working Together: OpenID FAPI (Chair, Co-Chair, Co-Chair, UK OBIE Liaison) and liaison organizations.
  • 34. Current Specs. Financial Services – Financial API:
    - Part 1: Read Only API Security Profile, http://openid.net/specs/openid-financial-api-part-1.html – Implementer’s Draft (I-D); implementations going on.
    - Part 2: Read and Write API Security Profile, http://openid.net/specs/openid-financial-api-part-2.html – under public review.
    - Part 3: Open Data API – waiting for the UK OBIE contribution.
    - Part 4: Protected Data API and Schema – Read only – bank account, based on the US FS-ISAC contribution.
    - Part 5: Protected Data API and Schema – Read and Write – waiting for the UK OBIE contribution; using the Claims Request to obtain granular consent.
    Notes: Swagger files are going to be provided. These probably need to be registry entries rather than “Parts”.
  • 35. Financial Services – Financial API – Part 1: Read Only API Security Profile. Note: ISO keywords “shall”, “should”, “may”, “can” are used. Lots of “shall”s; all of them need to be fulfilled for an adequate security level. (Source) Financial Services – Financial API – Part 1: Read Only API Security Profile, Implementer’s Draft
  • 36. Adoption among the industry is great!
  • 37. Japanese Bankers Association Recommendation (16 March 2017)
  • 38. Open Banking Implementation Entity Announcement (17 May 2017)
  • 39. How do you know that it has been implemented correctly?
  • 40. A certification test suite is planned to be provided online: passing the publicly available test suite, then self-declaration and public listing. We currently only have a generic test for basic OpenID Connect capabilities; we need to add tests for FAPI. Directed funding is being sought now. For more details, see http://openid.net/certification/
  • 41. Join the group! https://openid.net/wg/fapi/