This document contains an agenda for a presentation on APIs and authorization. It discusses API definitions and types, the growth of APIs, examples of companies using APIs like Uber, and standards for financial-grade and open banking APIs. It also introduces Authlete as a backend as a service for API authorization, and how it can be used to add OAuth and OpenID Connect to APIs. Key topics covered include API definitions, trends, standards like FAPI and OAuth/OIDC, and an overview of Authlete's API authorization capabilities.

1. 2018-11-12
API

2. Agenda
• API /
• API
• Authlete
2

3. About Me
• https://www.linkedin.com/in/tatsuokudo
– (1998-2008)
– (2008-2018)
– OpenID (2013-2014)
– NRI (2014-2018)
– Authlete (2018-)
• VP of Solution Strategy
3

4. API /
4

5. API / Web API
• API (Application Programming Interface)
–
• Web API
– HTTP, TLS
API
– Web API API
5
Source: https://www.ibm.com/developerworks/jp/webservices/library/ws-restful/index.html

6. API
•
API
6
Source: https://www.boj.or.jp/announcements/release_2016/data/rel161107c4.pdf

7. API
7
Source: https://www.slideshare.net/BillConradDoerrfeld/api-world-2018-7-global-movements-evolving-the-story-of-apis
50% 28%
90% 60%
2014 2011
2012 2014
API
Source: Harvard Business Review

8. 8
API : Uber
• API Uber API
• API
Source: https://techcrunch.com/2016/06/07/software-is-eating-the-world-5-years-later/Source: https://developer.uber.com/showcase
API API

9. IT API
• :
– “API ”
• :
– “ API ”
• :
– “ API ”
• :
– “ API ”
9
Source: http://www.meti.go.jp/press/2018/05/20180530004/20180530004_03.pdf

10. API
• 2018 2018 6 15
– FinTech /
– API
• :
• :
10
Source: https://www.kantei.go.jp/jp/singi/keizaisaisei/pdf/miraitousi2018_zentai.pdf

11. API / Web API
• DX
IT 2025 DX
– 2.5.3
“DX SoR SoE
IT
–
–
– API/Web API
”
11
Source: https://www.kantei.go.jp/jp/singi/keizaisaisei/pdf/miraitousi2018_zentai.pdf

12. API
• API
–
?
• API
– ?
12

13. API ?
• IT
–
–
–
13
Source: http://ascii.jp/elem/000/000/312/312546/index.html

14. :
•
– API API
• API
– API
14
Source: https://sec.ipa.go.jp/users/events/events_tokyo_20170310-5.pdf

15. API
• API
•
15
API API
API
XYZ

16. API
16

17. API
API

18. API
?

19. API
ID
ID/
ID/

20. API ?
ü
ü
ü
ü
ü
ü
ü
ü
ü
20

21. 3 3
12
ü
ü
ü
ü
ü
ü
ü
ü
ü
4 * 5 :
*
21

22. 3 3
12
ü
ü
ü
ü
ü
ü
ü
ü
ü
4 * 5 DF I
*
P
c:
P
IF
3 3 a W b
F
22

23. API ?
ü
ü
ü
ü
ü
ü
ü
ü
ü
23

24. Fintech
ü
ü
ü
ü
ü
ü
ü
ü
ü
24

25. ü
ü
ü
ü
ü
ü
ü
ü
ü
25

26. API
ü
ü
ü
ü
ü
ü
ü
ü
ü
A
26

27. OAuth
P
n
u A
ID/PW,O App, I …
e
I
h
e F i
t h A
ü
ü
ü
ü
ü
ü
h
I
P A i
c A
ü
ü
ü
27

28. OAuth
Source: Connpass, Facebook
71 3 4
2
5
6
API
7 A API
A
25 31/.
D I
6
A
A 6P45 7
28

29. OAuth (2.0)
•
29
Source: https://www.slideshare.net/tkudo/oauth-oidc-api-security-yuzawaws

30. ?
30
Source: https://twitter.com/blhjelm/status/1055551254401736704

31. Financial-grade API (FAPI)
• API OAuth
• OpenID Foundation FAPI WG
– :
• Read Only API, Read Write API
– :
• JARM, CIBA
– API:
• Open Data, Read Only, Read Write
31
Source: https://openid.net/wg/fapi/

32. API FAPI
• 2018 9 25
API
• API
55
32
Source: https://twitter.com/UKOpenBanking/status/1049297812746358785

33. FAPI
33Source: https://www.zenginkyo.or.jp/fileadmin/res/news/news290713_1.pdf
Source: https://docs.google.com/document/d/1-
6YF_Flj05tjwgVE4SrNWyBJ4zDFhPBfyxObuwhjENA/mobilebasic?fbclid=IwAR3aD4nk
a013FQLQUhPv6smMb6Q46_SCYaAi2bVoyuwDRamSMTOi_Q6q8BE#h.5wkobhage0
n6

34. P
A
A
I
OAuth
34
. 2
YD
A C
B
X 1 2
X Z
I

35. OpenID Connect ID
O
ID/PW,FD App, D …
O
c h e n
*
I
O ID
ü
ü
ü
*
c e
S
c
O
c i
ü
I
*
ü D
*
35

36. AUTHLETE
36

37. API
37
URI
2016 11
2017 8 API
URI
API
IT
•
•
OpenID Connect (OIDC)
• API

38. Authlete: BaaS for API Authorization Service
https://www.authlete.com/
ü BaaS (Backend as a Service)
ü OAuth 2.0 / OIDC
ü
ü
OAuth/OIDC
API
38

39. API
API
Authlete
39
Web
API
/data /function /transaction
Authlete
API
DB
API
API
( )
OAuth/OIDC /
/ / Authlete
API
OAuth/OIDC
/…
OSS

40. 1:
•
• OAuth/OIDC Authlete
40
Authorization Server
OAuth & OIDC Endpoints
DB
• User credentials
• User attributes
• etc.
DB for user data
User Authentication
DB
• Access tokens
• Client metadata
• etc.
DB for authorization data
Logic of OAuth & OIDC
AuthleteAuthorization Server
OAuth & OIDC Endpoints
DB
• User credentials
• User attributes
• etc.
DB for user data
User Authentication
DB
• Access tokens
• Client metadata
• etc.
DB for authorization data
Logic of OAuth & OIDC
Authlete Web APIs
Authlete Authlete

41. 2:
• Authlete
•
41
Authorization Server
OAuth & OIDC Endpoints
DB
• User credentials
• User attributes
• etc.
DB for user data
User Authentication
Authlete
DB
• Access tokens
• Client metadata
• etc.
DB for authorization data
Logic of OAuth & OIDC
Authlete Web APIs
User ID = 1234
User ID = 1234
* ID Authlete ID

42. 3: API
42
•
•
/

43. 4:
• 3
•
43
&
•
•
• &
•
&
• &
•
&
• &
•
&
O DIE B
C CAPL

44. 5:
•
•
44

45. 6:
• OpenID FAPI API
45
FAPI

46. 46
znm x
iTb W b Tdi
- DJs NiUi E zn
c h M A tB
PLR D Gzn
o r D Izn
p Js r E zn
u R Js R E zn
e aI zn
p Js r E zn

47. :
47
Source: https://www.isid.co.jp/news/release/2018/pdf/0919.pdf

48. AWS API Gateway
• Authlete API
Gateway API OAuth2
• OAuth2
API
→ API
48

49. Azure API Management
49

50. Authlete
50
2- 2 7 6 6
b nu 9 9 01
l
5 a5 5 ih 5F A 5 t 5 5
7 o 7
e

51. • Web /
– https://www.authlete.com/, https://www.facebook.com/authlete, https://twitter.com/authlete_jp
•
– https://so.authlete.com/accounts/signup, https://www.authlete.com/documents/getting_started
• API
– https://docs.authlete.com/, https://github.com/authlete, https://kb.authlete.com
• info@authlete.com
51

52. PR +IT
• API
https://www.sbbit.jp/article/cont1/35391
1. API API
2. API
3. API
4. API
5. API
6. API
7. API
8. API
9. API
52

53. Thanks!