APIdays London 2020: Toward certifying Financial-grade API security profile with Keycloak
- 1. © Hitachi, Ltd. 2020. All rights reserved.
Toward certifying Financial-grade API security profile
with Keycloak
APIdays London 2020
Hitachi, Ltd.
OSS Solution Center
Yoshiyuki Tabata
- 2.
About the speaker
Yoshiyuki Tabata
Software Engineer, OSS Solution Center, Hitachi, Ltd.
GitHub: @y-tabata
• Consultant for API systems
  • For example, building a high-security banking API system.
• Contributor to 3scale (OSS for API management)
  • Developed functions around security and access control:
    "Edge Limiting", "RBAC", "OAuth MTLS", ...
• Contributor to Keycloak (OSS for identity management)
  • Developed functions required for API use cases based on OAuth/OIDC:
    "Token Revocation", "Refresh token setting per client", ...
- 3.
Contents
1. Introduction: Financial-grade API (FAPI) and Keycloak
2. "Client Policy": how to satisfy the FAPI security profile easily
3. Other activities that help engineers build FAPI-compliant systems
- 4.
Section 1. Introduction: Financial-grade API (FAPI) and Keycloak
- 5.
What is FAPI (Financial-grade API)?
FAPI is a hardened standard built on "OAuth 2.0" and "OpenID Connect (OIDC)", formulated by the OpenID Foundation.
• OAuth 2.0 is the de facto standard for securing APIs. However, a lot is left to implementers, so insecure usage can easily happen.
• OpenID Connect (OIDC) standardizes user verification using the ID token.
• FAPI standardizes secure usage of OAuth 2.0 and OIDC. It is expected to be used mainly in the financial field.
- 7.
FAPI: needs and difficulties
FAPI is gaining attention both in Japan and globally.
EU / UK
• PSD2 (2015/11). Following this, the open API movement became active mainly in EU member states.
• Open Banking Standard (2016/2). The UK came to be recognized as a leader in this field.
• OBIE announced its collaboration with the FAPI WG (2017/5).
Japan
• Revised Banking Act (2017/6)
• Japanese Bankers Association recommended conforming to FAPI (2017/7)
In response to the above movements, each bank was required to make efforts toward open APIs.
However, since the authorization server requires various functions and settings, and sometimes changes to its implementation, it is difficult to meet the FAPI security profile.
- 8.
What is Keycloak?
OSS for Identity Management; the community is led by Red Hat: https://www.keycloak.org
Keycloak provides single sign-on and authentication/authorization based on OAuth 2.0.
Figure: Keycloak at the centre of
• Identity Federation (OpenID Connect, OAuth 2.0, SAML)
• Social Login / Identity Brokering (OpenID, SAML, GitHub, Twitter, Facebook)
• Identity Management and Authentication against user stores (LDAP, Active Directory, RDB)
- 9.
Keycloak acts as OAuth2 authorization server
Orthodox API system: Authorization Server + API Gateway + Resource Server
e.g.) OAuth2 Authorization Code Grant
Figure (steps as labelled in the diagram):
1. Authentication: the End User authenticates at Keycloak (Authorization Server)
3. API Request w/ Token: the Client Application calls the API Gateway with the token
4. Token Introspection: the API Gateway introspects the token at Keycloak
5. Authorized API Request: the API Gateway forwards the request to the Resource Server
- 10.
Our activities toward certifying the FAPI security profile
Our colleague @tnorimat is doing most of this work.
We have finished implementing all functions required for FAPI-RW.
• KEYCLOAK-6767 FAPI (Financial API) Security Profile Support
JIRA           Description                               PR    Opened by
KEYCLOAK-2604  Support PKCE (RFC7636)                    3831  tnorimat
KEYCLOAK-5661  Return allowed scopes with access token   4527  tnorimat
KEYCLOAK-5811  Support client_secret_jwt                 4835  tnorimat
KEYCLOAK-6700  Support s_hash                            5022  tnorimat
KEYCLOAK-6768  Support signed and encrypted ID token     5779  tnorimat
KEYCLOAK-6770  Support signature algorithm ES256         5533  tnorimat
KEYCLOAK-6771  Support holder of key (RFC8705)           5083  tnorimat
- 11.
Next assignment: pass all conformance tests for FAPI-RW
We have finished implementing all functions required for FAPI.
-> However, this is not enough to pass all conformance tests.
To pass these tests, it is necessary to implement fine-grained checks in the authorization server, i.e. Keycloak.
e.g.)
• Check that a client uses request objects at a sufficiently high security level. (KEYCLOAK-14204)
• Check that a client uses suitable response types in the OIDC Hybrid Flow. (KEYCLOAK-14205)
There were difficulties:
• Regarding usability: settings for clients and realms (i.e. services) would increase too much.
• Regarding implementation: implementing the check logic in each endpoint would add conditional branches and impair readability.
-> We proposed "Client Policy"!
- 12.
Section 2. "Client Policy": how to satisfy the FAPI security profile easily
- 13.
What is Client Policy? – Concept
A framework for applying security profiles to client applications.
• Executor: "what action". Executes actions for security profiles.
• Condition: "which client". Selects client applications based on conditions.
• Policy: manages sets of executors and conditions.
- 14.
What is Client Policy? – Processing Flow
1. The Client Policy Manager monitors requests from client applications to each endpoint.
2. It determines whether the client is subject to client policies, based on
   • static characteristics: the client application's metadata;
   • dynamic characteristics: the requests to the endpoints.
3. It executes the actions for the security profiles.
- 15.
What is Client Policy? – How to implement
Design pattern: Abstract Factory. Executor, Condition and Policy are all implemented as Java interfaces.
• Since client policies can be configured separately from the settings for clients and realms, those settings do not become complicated.
• Since client policies can be implemented separately from each endpoint implementation, the readability of the endpoint implementation is not impaired.
• Security profiles other than FAPI, such as UK Open Banking, can be added easily without affecting Keycloak's original source code.
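The Concept, Processing Flow and How-to-implement slides above describe Client Policy as a manager that selects clients by Conditions and runs Executors against their requests. The following is an added Python sketch of that structure, written for this page; it is not Keycloak's Java implementation and its names (ClientPolicyManager, require_request_object, the "profile" client attribute, the PS256/ES256 and "code id_token" values) are assumptions chosen to mirror the two checks named on slide 11 (request object security level, hybrid-flow response type).

```python
from __future__ import annotations
import base64
import json
from dataclasses import dataclass, field
from typing import Callable


class PolicyViolation(Exception):
    """Raised by an executor when a request breaks the security profile."""


@dataclass
class Client:
    client_id: str
    attributes: dict = field(default_factory=dict)  # static characteristics (client metadata)


@dataclass
class EndpointRequest:
    endpoint: str   # which endpoint the request hit, e.g. "authorization"
    params: dict    # request parameters (dynamic characteristics)


Condition = Callable[[Client], bool]
Executor = Callable[[Client, EndpointRequest], None]


def client_attribute_is(name: str, value: str) -> Condition:
    """Condition ("which client"): clients whose metadata attribute `name` equals `value`."""
    return lambda client: client.attributes.get(name) == value


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def require_request_object(allowed_algs: set[str]) -> Executor:
    """Executor ("what action"): an authorization request must carry a `request` object
    whose JOSE header names an allowed signing alg. Only the header is inspected here;
    signature verification of the request object is out of scope for this sketch."""
    def executor(client: Client, req: EndpointRequest) -> None:
        if req.endpoint != "authorization":
            return
        jwt = req.params.get("request")
        if not jwt:
            raise PolicyViolation(f"{client.client_id}: request object required")
        header = json.loads(_b64url_decode(jwt.split(".")[0]))
        if header.get("alg") not in allowed_algs:
            raise PolicyViolation(f"{client.client_id}: request object alg {header.get('alg')!r} not allowed")
    return executor


def require_response_type(allowed: set[str]) -> Executor:
    """Executor: response_type must equal one of the allowed token sets (order-insensitive)."""
    normalized = {frozenset(rt.split()) for rt in allowed}
    def executor(client: Client, req: EndpointRequest) -> None:
        if req.endpoint != "authorization":
            return
        rt = frozenset(req.params.get("response_type", "").split())
        if rt not in normalized:
            raise PolicyViolation(f"{client.client_id}: response_type {' '.join(sorted(rt))!r} not allowed")
    return executor


@dataclass
class ClientPolicy:
    name: str
    conditions: list   # all must hold for the policy to apply to a client
    executors: list    # run in order when the policy applies


class ClientPolicyManager:
    """Hooked at each endpoint: decides which policies apply to the caller and runs them."""
    def __init__(self, policies: list):
        self.policies = policies

    def apply(self, client: Client, req: EndpointRequest) -> list:
        applied = []
        for policy in self.policies:
            if all(cond(client) for cond in policy.conditions):
                for executor in policy.executors:
                    executor(client, req)   # raises PolicyViolation on failure
                applied.append(policy.name)
        return applied


def check(manager: ClientPolicyManager, client: Client, req: EndpointRequest) -> tuple:
    """(accepted, detail): detail is the list of applied policy names, or the violation text."""
    try:
        return True, manager.apply(client, req)
    except PolicyViolation as e:
        return False, str(e)


# Constructed sample data (assumed profile values, see lead-in).
FAPI_RW_POLICY = ClientPolicy(
    name="fapi-rw",
    conditions=[client_attribute_is("profile", "fapi-rw")],
    executors=[require_request_object({"PS256", "ES256"}),
               require_response_type({"code id_token"})],
)
MANAGER = ClientPolicyManager([FAPI_RW_POLICY])
FAPI_CLIENT = Client("bank-app", {"profile": "fapi-rw"})
PLAIN_CLIENT = Client("intranet-app", {"profile": "default"})


def fake_request_object(alg: str) -> str:
    """Constructed, unsigned JWT-shaped string carrying `alg` in its header (test input only)."""
    header = base64.urlsafe_b64encode(json.dumps({"alg": alg, "typ": "JWT"}).encode()).rstrip(b"=").decode()
    return f"{header}.e30.sig"


GOOD_FAPI_REQUEST = EndpointRequest("authorization", {"response_type": "code id_token", "request": fake_request_object("PS256")})
WEAK_ALG_REQUEST = EndpointRequest("authorization", {"response_type": "code id_token", "request": fake_request_object("none")})
PLAIN_CODE_REQUEST = EndpointRequest("authorization", {"response_type": "code"})
```

The point the sketch makes is the one slide 15 argues: the endpoint code only calls `MANAGER.apply(client, req)`; which clients are checked and what is checked live in the policy objects, so adding a profile (a new executor, or a new policy with different conditions) does not touch the endpoint. Note that `PLAIN_CLIENT` passes a bare `response_type=code` request untouched because no condition selects it, while the same request from `FAPI_CLIENT` is rejected for lacking a request object.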
- 16.
Our activities toward passing conformance tests for FAPI-RW
Our colleague @tnorimat is doing most of this work.
• Following our contributions, FAPI-SIG (Financial-grade API Security: Special Interest Group) was founded.
  • https://github.com/keycloak/kc-sig-fapi
  • Its main activity is supporting FAPI and its related specifications in Keycloak.
  • Communication channels: Google Group, Zulip, and a web meeting on a regular basis.
  • Anyone can join it anytime!
• KEYCLOAK-10331 Pass All Conformance Tests for Certified Financial-grade API (FAPI) OpenID Providers by OpenID Foundation
  • This activity is being accelerated by Client Policy and FAPI-SIG.
JIRA            Description                                        Progress
KEYCLOAK-10332  Conformance Tests for FAPI R/W OP w/ MTLS          30%
KEYCLOAK-10333  Conformance Tests for FAPI R/W OP w/ Private Key   30%
- 17.
Next assignment: considering the whole API system
Security of the API system is not ensured only by the authorization server.
Figure: the same flow as slide 9 (1. Authentication, 3. API Request w/ Token, 4. Token Introspection, 5. Authorized API Request), with both the Client Application and the API Gateway marked "MUST consider security!"
- 18.
Section 3. Other activities that help engineers build FAPI-compliant systems
- 19.
Overview: whole API system
Implementing FAPI-related functions in the client application and the API Gateway, and considering a kind of FAPI sandbox.
Figure: the same flow as slide 9, with Hitachi's Sample OIDC Client Application as the Client Application, 3scale as the API Gateway, and Keycloak as the Authorization Server.
- 20.
What is 3scale?
OSS for API Management; the community is led by Red Hat: https://github.com/3scale
Figure: 3scale components on a container platform, the API Gateway (APIcast) and the API Manager (Porta, with its Admin Portal and Dev Portal), and the parties around them: End User applications (Web, Mobile), App Developer, Admin, Authorization Server, REST API Server and Legacy Backend.
- 21.
Our activities for the API gateway
Implemented the necessary functions for FAPI.
e.g.) OAuth MTLS (RFC8705) PR #1101
Figure: the flow of slide 9, where step 3 (API Request w/ Token) is made over mutual TLS with the client certificate.
• The token includes the hash value (SHA-256 thumbprint, RFC8705 cnf / x5t#S256) of the client certificate.
• The API Gateway calculates the hash value of the presented client certificate and compares it with the token's one.
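The gateway-side comparison described above, as an added Python example written for this page; it is not the Lua code of 3scale PR #1101 and not Keycloak's implementation. It assumes the token's claims have already been obtained and validated (by introspection or signature verification, step 4 in the figure) and that the TLS layer hands over the DER bytes of the client certificate; the certificate bytes and claim values below are constructed stand-ins.

```python
import base64
import hashlib
import hmac
import time


def x5t_s256(cert_der: bytes) -> str:
    """RFC 8705 certificate thumbprint: base64url(SHA-256(DER certificate)), no padding."""
    return base64.urlsafe_b64encode(hashlib.sha256(cert_der).digest()).rstrip(b"=").decode("ascii")


def check_certificate_binding(claims: dict, presented_cert_der, now=None) -> tuple:
    """Decide whether a certificate-bound access token may be used on this connection.

    claims:             validated token payload / introspection result (dict)
    presented_cert_der: DER bytes of the client certificate from the mTLS handshake, or None
    Returns (accepted, reason).
    """
    now = time.time() if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        return False, "token expired"
    cnf = claims.get("cnf")
    if not isinstance(cnf, dict) or not isinstance(cnf.get("x5t#S256"), str):
        # A plain bearer token must not pass where sender-constrained tokens are required.
        return False, "token is not certificate-bound (no cnf.x5t#S256)"
    if presented_cert_der is None:
        return False, "no client certificate on the TLS connection"
    expected = cnf["x5t#S256"].encode("ascii")
    actual = x5t_s256(presented_cert_der).encode("ascii")
    if not hmac.compare_digest(expected, actual):   # constant-time comparison
        return False, "client certificate thumbprint does not match the token"
    return True, "ok"


# Constructed sample data: stand-in bytes where real DER certificates would come from TLS.
LEGIT_CERT_DER = b"\x30\x82\x01\x00" + b"legitimate-client-certificate"
OTHER_CERT_DER = b"\x30\x82\x01\x00" + b"attacker-controlled-certificate"
NOW = 1_600_000_000

# Token as Keycloak would bind it to the legitimate client's certificate (values assumed).
BOUND_TOKEN_CLAIMS = {
    "iss": "https://keycloak.example/auth/realms/bank",
    "aud": "accounts-api",
    "exp": NOW + 300,
    "cnf": {"x5t#S256": x5t_s256(LEGIT_CERT_DER)},
}
# Same token without the binding: a stolen copy is usable from anywhere.
BEARER_TOKEN_CLAIMS = {k: v for k, v in BOUND_TOKEN_CLAIMS.items() if k != "cnf"}


def demo() -> dict:
    """Run the check over the cases a gateway must distinguish."""
    return {
        "legit":   check_certificate_binding(BOUND_TOKEN_CLAIMS, LEGIT_CERT_DER, NOW),
        "replay":  check_certificate_binding(BOUND_TOKEN_CLAIMS, OTHER_CERT_DER, NOW),  # stolen token, other cert
        "no_cert": check_certificate_binding(BOUND_TOKEN_CLAIMS, None, NOW),
        "bearer":  check_certificate_binding(BEARER_TOKEN_CLAIMS, LEGIT_CERT_DER, NOW),
        "expired": check_certificate_binding(BOUND_TOKEN_CLAIMS, LEGIT_CERT_DER, NOW + 600),
    }


if __name__ == "__main__":
    for case, (ok, reason) in demo().items():
        print(f"{case:8s} {'accept' if ok else 'reject'}: {reason}")
```

Only the "legit" case is accepted: a token replayed over a connection authenticated with a different certificate, a connection with no client certificate, a token that carries no `cnf` claim at all, and an expired token are all refused. The thumbprint is compared with `hmac.compare_digest` so the gateway does not leak how many leading characters matched.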
- 22.
What is Hitachi's Sample OIDC Client Application?
A sample client application* created for testing a high-security API system we built.
https://github.com/Hitachi/sample-oidc-client-application
It follows the OAuth 2.0 Security Best Current Practice.
It has the following functions, including FAPI-RW requirements:
• Acts as a client application of Keycloak
• TLS
• OAuth 2.0 (RFC6749) / OIDC
  • Authorization Code Grant
  • Scope claim
  • Audience claim
  • State value
  • Nonce value
• Proof Key for Code Exchange by OAuth Public Clients (RFC7636)
• OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens (RFC8705)
• OAuth 2.0 Form Post Response Mode
* This source code is just a sample and is not intended to be applied to a product directly.
- 23.
Summary
• Keycloak already has all functions required for FAPI-RW.
• We are actively moving toward passing all conformance tests for FAPI-RW with Keycloak.
• We are also considering preparing a FAPI sandbox, a demo set with which FAPI can be tried easily with Keycloak.
• Let's join FAPI-SIG!
  https://github.com/keycloak/kc-sig-fapi
- 24.
Trademarks
• OpenID is a trademark or registered trademark of OpenID Foundation in the United States and other countries.
• GitHub is a trademark or registered trademark of GitHub, Inc. in the United States and other countries.
• Twitter is a trademark or registered trademark of Twitter, Inc. in the United States and other countries.
• Facebook is a trademark or registered trademark of Facebook, Inc. in the United States and other countries.
• Red Hat and OpenShift are registered trademarks of Red Hat, Inc. in the United States and other countries.
• Other brand names and product names used in this material are trademarks, registered trademarks, or trade names of their respective holders.
- 26.
What is Client Policy? – Architecture
Figure: class diagram relating Realm, Client, Client Policy (Policy, Condition, Executor), Attribute and Request with 1 / 0..* multiplicities; the Client Policy Manager framework ("Client Policy Basics") hooks into Keycloak and calls the components.
• Separate security profile processing from Keycloak's original source code and provide "Client Policy Basics", a framework for dynamically loading and unloading that processing.
• Separate the client from its settings, treat the settings as logical components (Executor), and apply them to the client (Condition).