© Hitachi, Ltd. 2020. All rights reserved.
Toward certifying Financial-grade API security profile
with Keycloak
APIdays London 2020
Hitachi, Ltd.
OSS Solution Center
Yoshiyuki Tabata
About the speaker
Yoshiyuki Tabata, Software Engineer, OSS Solution Center, Hitachi, Ltd. (GitHub: @y-tabata)
• Consultant on API systems, for example building a high-security banking API system.
• Contributor to 3scale (OSS for API Management): developed functions around security and access control, such as “Edge Limiting”, “RBAC” and “OAuth MTLS”.
• Contributor to Keycloak (OSS for Identity Management): developed functions required for API use cases based on OAuth/OIDC, such as “Token Revocation” and “Refresh token setting per client”.
Contents
1. Introduction: Financial-grade API (FAPI) and Keycloak
2. "Client Policy": how to satisfy the FAPI security profile easily
3. Other activities that help engineers build FAPI-compliant systems
1. Introduction: Financial-grade API (FAPI) and Keycloak
What is FAPI (Financial-grade API)?
FAPI is a hardened profile of "OAuth 2.0" and "OpenID Connect (OIDC)", formulated by the OpenID Foundation.
• OAuth 2.0 is the de facto standard for securing APIs. However, a lot is left to implementers, so insecure usage can easily happen.
• OIDC standardizes user verification using the ID token.
• FAPI standardizes secure usage of OAuth 2.0 and OIDC. It is expected to be used mainly in the financial field.
FAPI Milestone
FAPI: needs and difficulties
FAPI is gaining attention both in Japan and globally.
• EU/UK: PSD2 (2015/11); Open Banking Standard (2016/2); OBIE announced its collaboration with the FAPI WG (2017/5). Following this, the movement toward open APIs became active mainly in EU member states, and the UK came to be recognized as a leader in this field.
• Japan: revised Banking Act (2017/6); the Japanese Bankers Association recommended conforming to FAPI (2017/7). In response to the above movements, each bank was required to make efforts toward open APIs.
However, since the authorization server requires various functions and settings, and sometimes changes to its implementation are required, it is difficult to meet the FAPI security profile.
What is Keycloak?
OSS for Identity Management; the community is led by Red Hat: https://www.keycloak.org
Keycloak provides single sign-on and authentication/authorization based on OAuth 2.0.
• Identity Federation (OpenID Connect, OAuth 2.0, SAML)
• Social Login (Identity Brokering): e.g. OpenID, SAML, GitHub, Twitter, Facebook
• Identity Management
• Authentication against user stores such as LDAP, Active Directory and RDB
Keycloak acts as an OAuth 2.0 authorization server
Orthodox API system: Authorization Server (Keycloak) + API Gateway + Resource Server, e.g. with the OAuth 2.0 Authorization Code Grant:
1. Authentication: End User → Keycloak (Authorization Server)
3. API Request w/ Token: Client Application → API Gateway
4. Token Introspection: API Gateway → Keycloak
5. Authorized API Request: API Gateway → Resource Server
Our activities toward certifying the FAPI security profile
Our colleague @tnorimat is doing most of this work.
We have finished implementing all functions required for FAPI-RW.
• KEYCLOAK-6767 FAPI (Financial API) Security Profile Support
JIRA | Description | PR | Opened by
KEYCLOAK-2604 | Support PKCE (RFC7636) | 3831 | tnorimat
KEYCLOAK-5661 | Return allowed scopes with access token | 4527 | tnorimat
KEYCLOAK-5811 | Support client_secret_jwt | 4835 | tnorimat
KEYCLOAK-6700 | Support s_hash | 5022 | tnorimat
KEYCLOAK-6768 | Support signed and encrypted ID token | 5779 | tnorimat
KEYCLOAK-6770 | Support signature algorithm ES256 | 5533 | tnorimat
KEYCLOAK-6771 | Support holder of key (RFC8705) | 5083 | tnorimat
Next assignment: pass all conformance tests for FAPI-RW
We have finished implementing all functions required for FAPI. However, this is not enough to pass all conformance tests.
To pass these tests, fine-grained checks must be implemented in the authorization server, i.e. Keycloak, e.g.:
• Check that a client uses request objects at a sufficiently high security level. (KEYCLOAK-14204)
• Check that a client uses suitable response types in the OIDC Hybrid Flow. (KEYCLOAK-14205)
There were difficulties:
• Regarding usability: the settings for clients and realms (i.e. services) would increase too much.
• Regarding implementation: implementing check logic in each endpoint would increase conditional branches and impair readability.
-> We proposed “Client Policy”!
2. "Client Policy": how to satisfy the FAPI security profile easily
What is Client Policy? – Concept
A framework for applying security profiles to client applications.
• Executor: “what action”. Executes actions for security profiles.
• Condition: “which client”. Selects client applications based on conditions.
• Policy: manages sets of executors and conditions.
What is Client Policy? – Processing Flow
The Client Policy Manager monitors requests from client applications to each endpoint.
• Determines whether the client is subject to client policies, based on:
  • Static characteristics: the client application's metadata.
  • Dynamic characteristics: the requests to endpoints.
• Executes the actions for the security profiles.
What is Client Policy? – How to implement
Design pattern: Abstract Factory. Executor, Condition and Policy are all implemented as Java interfaces.
• Since client policies are configured separately from the settings of clients and realms, those settings do not become complicated.
• Since client policies are implemented separately from each endpoint's implementation, the readability of the endpoint implementation is not impaired.
• Security profiles other than FAPI, such as UK Open Banking, can easily be added without affecting Keycloak's original source code.
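The Client Policy concept above, modelled in Python as an added example (this is not Keycloak's Java implementation; the client attribute profile=fapi-rw, the three executors and the exact values they check are assumptions made for illustration): the endpoint hands each authorization request to a manager, the manager selects the policies whose conditions match the client's static metadata, and the selected executors check the request's dynamic parameters. The executors correspond to the two fine-grained checks named in the previous section (request objects and Hybrid Flow response types) plus PKCE with S256.

```python
"""Toy model of Keycloak's "Client Policy": Condition (which client), Executor
(what action), Policy (a set of both) and a manager hooked into an endpoint.
Added illustration, not Keycloak code: the Python API, the profile=fapi-rw
attribute and the values the executors check are this example's assumptions."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List


@dataclass
class Client:
    """Static characteristics: the client application's registered metadata."""
    client_id: str
    attributes: Dict[str, str] = field(default_factory=dict)


@dataclass
class AuthzRequest:
    """Dynamic characteristics: the parameters of one authorization request."""
    client: Client
    params: Dict[str, str]


class PolicyViolation(Exception):
    """Raised by an executor when the request does not satisfy the profile."""


Condition = Callable[[AuthzRequest], bool]  # "which client"
Executor = Callable[[AuthzRequest], None]   # "what action"; raises on failure


def client_attribute_is(name: str, value: str) -> Condition:
    """Condition on a static characteristic (attribute name is an assumption)."""
    return lambda req: req.client.attributes.get(name) == value


def require_pkce_s256(req: AuthzRequest) -> None:
    """Executor: PKCE (RFC 7636) with the S256 method, never 'plain'."""
    if not req.params.get("code_challenge") or req.params.get("code_challenge_method") != "S256":
        raise PolicyViolation("PKCE with code_challenge_method=S256 is required")


def require_request_object(req: AuthzRequest) -> None:
    """Executor: parameters must arrive in a request object (request or request_uri)."""
    if "request" not in req.params and "request_uri" not in req.params:
        raise PolicyViolation("a signed request object is required")


def require_hybrid_response_type(req: AuthzRequest) -> None:
    """Executor: only Hybrid Flow response types that return an ID token with the code.
    The allowed set is this example's reading of the FAPI-RW requirement."""
    allowed = ({"code", "id_token"}, {"code", "id_token", "token"})
    if set(req.params.get("response_type", "").split()) not in allowed:
        raise PolicyViolation("response_type must be 'code id_token' or 'code id_token token'")


@dataclass
class Policy:
    name: str
    conditions: List[Condition]
    executors: List[Executor]

    def applies_to(self, req: AuthzRequest) -> bool:
        # Assumption of this model: a policy applies when every condition matches.
        return all(cond(req) for cond in self.conditions)


class ClientPolicyManager:
    """Called by the endpoint, which stays free of profile-specific branches."""

    def __init__(self, policies: List[Policy]):
        self.policies = policies

    def on_authorization_request(self, req: AuthzRequest) -> List[str]:
        """Run every applicable executor; return the violations (empty list = accept)."""
        violations = []
        for policy in self.policies:
            if not policy.applies_to(req):
                continue
            for executor in policy.executors:
                try:
                    executor(req)
                except PolicyViolation as exc:
                    violations.append(f"{policy.name}: {exc}")
        return violations


def fapi_rw_manager() -> ClientPolicyManager:
    """One policy: clients tagged profile=fapi-rw get the three FAPI-RW executors."""
    policy = Policy(
        name="fapi-rw",
        conditions=[client_attribute_is("profile", "fapi-rw")],
        executors=[require_pkce_s256, require_request_object, require_hybrid_response_type],
    )
    return ClientPolicyManager([policy])


def evaluate(client_attributes: Dict[str, str], params: Dict[str, str]) -> List[str]:
    """Evaluate one authorization request against the FAPI-RW manager."""
    req = AuthzRequest(Client("demo-client", client_attributes), params)
    return fapi_rw_manager().on_authorization_request(req)


if __name__ == "__main__":
    weak = {"response_type": "code", "code_challenge": "x", "code_challenge_method": "plain"}
    print(evaluate({"profile": "fapi-rw"}, weak))     # three violations
    print(evaluate({"profile": "public-web"}, weak))  # [] : the policy does not apply
```

The same weak request is rejected for a client tagged with the FAPI-RW profile and accepted for any other client, which is the point of the design: the endpoint code does not change when a profile is added or a client is re-tagged.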
Our activities toward passing conformance tests for FAPI-RW
Our colleague @tnorimat is doing most of this work.
• Following our contributions, FAPI-SIG (Financial-grade API Security: Special Interest Group) was founded.
  • https://github.com/keycloak/kc-sig-fapi
  • Its main activity is bringing support for FAPI and its related specifications to Keycloak.
  • Communication channels: Google Group, Zulip, and a regular web meeting.
  • Anyone can join at any time!
• KEYCLOAK-10331 Pass All Conformance Tests for Certified Financial-grade API (FAPI) OpenID Providers by OpenID Foundation
  • This activity is being accelerated by Client Policy and FAPI-SIG.
JIRA | Description | Progress
KEYCLOAK-10332 | Conformance Tests for FAPI R/W OP w/ MTLS | 30%
KEYCLOAK-10333 | Conformance Tests for FAPI R/W OP w/ Private Key | 30%
Next assignment: considering the whole API system
Security of the API system is not ensured by the authorization server alone. In the same flow as before (1. Authentication, 3. API Request w/ Token, 4. Token Introspection, 5. Authorized API Request to the Resource Server), the Client Application and the API Gateway MUST consider security too, not only Keycloak as the Authorization Server.
3. Other activities that help engineers build FAPI-compliant systems
Overview: whole API system
The same system with concrete components: Keycloak as the Authorization Server, 3scale as the API Gateway, and Hitachi's Sample OIDC Client Application as the Client Application (flow: 1. Authentication, 3. API Request w/ Token, 4. Token Introspection, 5. Authorized API Request to the Resource Server).
We are implementing FAPI-related functions in the client application and the API gateway, and considering a kind of FAPI sandbox.
What is 3scale?
OSS for API Management; the community is led by Red Hat: https://github.com/3scale
Components (diagram): the API Gateway (APIcast) and the API Manager (Porta, with Admin Portal and Dev Portal) run on a container platform in front of REST API servers and legacy backends, alongside an external Authorization Server. Actors: End Users with applications (web, mobile), App Developers using the Dev Portal, and Admins using the Admin Portal.
Our activities for the API gateway
We implemented the functions necessary for FAPI, e.g. OAuth MTLS (RFC8705), PR #1101.
In the flow above, step 3 becomes "API Request w/ Token w/ Client Certificate": the client calls the 3scale API Gateway over mutual TLS.
• Keycloak (Authorization Server): the token includes the hash value of the client certificate.
• 3scale API Gateway: calculates the hash value of the presented client certificate and compares it with the one in the token (together with token introspection, step 4) before forwarding the authorized API request to the Resource Server (step 5).
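The check described above, as an added Python example (it is not APIcast code, which is written in Lua; the certificate bytes are constructed filler and the claim layout follows RFC 8705): the authorization server puts base64url(SHA-256(DER certificate)) into the token as cnf.x5t#S256, and the gateway recomputes it from the certificate presented on the mutual-TLS connection. A token that lacks the binding, or is replayed over a connection authenticated with a different certificate, is rejected.

```python
"""Certificate-bound access token check (RFC 8705) as an API gateway performs it.
Added example, not 3scale/APIcast code. The "certificates" are constructed filler
wrapped in PEM armour, not real X.509 data: the thumbprint is a SHA-256 over the
DER bytes, so any byte string exercises the same logic."""
import base64
import hashlib
import hmac
import json
import ssl
from typing import Dict, Optional


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def constructed_pem(der: bytes) -> str:
    """Wrap constructed DER bytes in PEM armour (fixture for this example only)."""
    body = base64.encodebytes(der).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"


def cert_thumbprint_s256(cert_pem: str) -> str:
    """x5t#S256 = base64url(SHA-256(DER certificate)), RFC 8705 section 3.1."""
    der = ssl.PEM_cert_to_DER_cert(cert_pem)
    return b64url(hashlib.sha256(der).digest())


def issue_bound_token_claims(subject: str, client_cert_pem: str) -> Dict:
    """Authorization-server side: bind the token to the certificate seen at the token endpoint."""
    return {"sub": subject, "scope": "accounts", "active": True,
            "cnf": {"x5t#S256": cert_thumbprint_s256(client_cert_pem)}}


def token_is_bound_to_cert(claims: Dict, presented_cert_pem: Optional[str]) -> bool:
    """Gateway side: accept only a bound token whose binding matches the presented cert.
    A token without cnf is a plain bearer token and is rejected here, because a
    FAPI-RW resource server requires certificate-bound tokens."""
    expected = (claims.get("cnf") or {}).get("x5t#S256")
    if not expected or presented_cert_pem is None:
        return False
    actual = cert_thumbprint_s256(presented_cert_pem)
    return hmac.compare_digest(actual, expected)  # constant-time comparison


def authorize_api_request(introspection_json: str, presented_cert_pem: Optional[str]) -> bool:
    """Steps 4 and 5 of the flow: parse the introspection response (RFC 8705 section 3.2
    puts cnf into it as well), then check the binding before forwarding the request."""
    claims = json.loads(introspection_json)
    if not claims.get("active"):
        return False
    return token_is_bound_to_cert(claims, presented_cert_pem)


# Constructed fixtures standing in for two different client certificates.
CERT_A = constructed_pem(b"constructed DER bytes standing in for client A's certificate")
CERT_B = constructed_pem(b"constructed DER bytes standing in for client B's certificate")

if __name__ == "__main__":
    token = issue_bound_token_claims("alice", CERT_A)
    print(token_is_bound_to_cert(token, CERT_A))  # legitimate client: True
    print(token_is_bound_to_cert(token, CERT_B))  # token replayed over another mTLS identity: False
```

In a real deployment the PEM comes from the TLS terminator (for example the client certificate variable exposed by the gateway's TLS layer), and the thumbprint must be computed over the exact DER bytes the client presented, not over a re-encoded or normalized copy.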
What is Hitachi’s Sample OIDC Client Application?
A sample client application* created for testing a high-security API system we built.
https://github.com/Hitachi/sample-oidc-client-application
It follows the OAuth 2.0 Security Best Current Practice.
It has the following functions, including FAPI-RW requirements:
• Acts as a client application of Keycloak
• TLS
• OAuth 2.0 (RFC6749) / OIDC
• Authorization Code Grant
• Scope claim
• Audience claim
• State value
• Nonce value
• Proof Key for Code Exchange by OAuth Public Clients (RFC7636)
• OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens (RFC8705)
• OAuth 2.0 Form Post Response Mode
* This sample source code is just a sample and is not intended to be applied to a product directly.
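The per-request values a client of this kind generates and verifies, as an added Python example that is not the sample application's code: a PKCE S256 verifier/challenge pair, state and nonce, and, for the Hybrid Flow response (code plus ID token, e.g. delivered via form_post), the c_hash and s_hash checks alongside iss, aud and nonce. Verification of the ID token signature (JWKS, alg, exp) is assumed to have happened before these claim checks; the issuer and client_id values are constructed.

```python
"""Client-side checks for an OIDC Hybrid Flow response under FAPI-RW:
PKCE (RFC 7636), state, nonce, c_hash and s_hash. Added example, not the code of
Hitachi's sample application; ID token signature verification is assumed done."""
import base64
import hashlib
import secrets
from typing import Dict, List


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def pkce_challenge(verifier: str) -> str:
    """S256: BASE64URL(SHA256(ASCII(code_verifier))), RFC 7636 section 4.2."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def new_authorization_parameters() -> Dict[str, str]:
    """Fresh per-request secrets the client keeps until the response arrives."""
    verifier = b64url(secrets.token_bytes(32))  # 43 chars, within RFC 7636's 43..128
    return {"code_verifier": verifier, "code_challenge": pkce_challenge(verifier),
            "code_challenge_method": "S256", "state": b64url(secrets.token_bytes(16)),
            "nonce": b64url(secrets.token_bytes(16))}


def left_half_hash(value: str, alg: str) -> str:
    """c_hash / s_hash: base64url of the left-most half of the hash of the ASCII octets,
    using the hash of the ID token's alg (ES256 -> SHA-256, PS384 -> SHA-384, ...)."""
    hash_fn = {"256": hashlib.sha256, "384": hashlib.sha384, "512": hashlib.sha512}[alg[-3:]]
    digest = hash_fn(value.encode("ascii")).digest()
    return b64url(digest[: len(digest) // 2])


def check_hybrid_response(claims: Dict, alg: str, sent: Dict[str, str], returned_state: str,
                          code: str, issuer: str, client_id: str) -> List[str]:
    """Return the failed checks; an empty list means the code may be exchanged."""
    errors = []
    if returned_state != sent["state"]:
        errors.append("state mismatch (possible CSRF)")
    if claims.get("iss") != issuer:
        errors.append("iss mismatch (possible mix-up)")
    aud = claims.get("aud", [])
    if client_id not in ([aud] if isinstance(aud, str) else aud):
        errors.append("aud does not contain client_id")
    if claims.get("nonce") != sent["nonce"]:
        errors.append("nonce mismatch (possible replay)")
    if claims.get("c_hash") != left_half_hash(code, alg):
        errors.append("c_hash mismatch (code is not the one the AS issued)")
    if claims.get("s_hash") != left_half_hash(returned_state, alg):
        errors.append("s_hash mismatch (state is not the one the AS saw)")
    return errors


def constructed_id_token_claims(sent: Dict[str, str], code: str, alg: str,
                                issuer: str, client_id: str) -> Dict:
    """Stand-in for the authorization server: the claims a correct ID token carries."""
    return {"iss": issuer, "aud": client_id, "nonce": sent["nonce"],
            "c_hash": left_half_hash(code, alg), "s_hash": left_half_hash(sent["state"], alg)}


if __name__ == "__main__":
    sent = new_authorization_parameters()
    code, alg, iss, cid = "SplxlOBeZQQYbYS6WxSbIA", "ES256", "https://as.example", "app"
    claims = constructed_id_token_claims(sent, code, alg, iss, cid)
    print(check_hybrid_response(claims, alg, sent, sent["state"], code, iss, cid))          # []
    print(check_hybrid_response(claims, alg, sent, sent["state"], "swapped", iss, cid))     # c_hash mismatch
```

The c_hash check is what makes a code injected into the front-channel response detectable, and the s_hash check ties the state the browser returned to the one the authorization server actually saw; both are only meaningful once the ID token signature has been verified.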
Summary
• Keycloak already has all the functions required for FAPI-RW.
• We are actively working toward passing all conformance tests for FAPI-RW with Keycloak.
• We are also considering preparing a FAPI sandbox, a demo set with which FAPI can be tried easily with Keycloak.
• Let's join FAPI-SIG! https://github.com/keycloak/kc-sig-fapi
Trademarks
• OpenID is a trademark or registered trademark of OpenID Foundation in the United States and other
countries.
• GitHub is a trademark or registered trademark of GitHub, Inc. in the United States and other
countries.
• Twitter is a trademark or registered trademark of Twitter, Inc. in the United States and other countries.
• Facebook is a trademark or registered trademark of Facebook, Inc. in the United States and other
countries.
• Red Hat, and OpenShift are registered trademarks of Red Hat, Inc. in the United States and other
countries.
• Other brand names and product names used in this material are trademarks, registered trademarks,
or trade names of their respective holders.
Appendix: What is Client Policy? – Architecture
(Class diagram: Realm, Client, Client Policy, Policy, Condition, Executor, Attribute and Request; the Client Policy Manager hooks into Keycloak and calls the components of the “Client Policy Basics” framework.)
• Separate security profile processing from Keycloak's original source code and provide "Client Policy Basics", a framework for dynamically loading and unloading it.
• Separate the client from its settings, treat them as logical components (Executor), and apply them to the client (Condition).

More Related Content

What's hot

Enterprise Single Sign On
Enterprise Single Sign On Enterprise Single Sign On
Enterprise Single Sign On
WSO2
 
How WSO2 API Manager Supports the Ministry of Hajj and Umrah
How WSO2 API Manager Supports the Ministry of Hajj and UmrahHow WSO2 API Manager Supports the Ministry of Hajj and Umrah
How WSO2 API Manager Supports the Ministry of Hajj and Umrah
WSO2
 

What's hot (20)

Overall pictures of Identity provider mix-up attack patterns and trade-offs b...
Overall pictures of Identity provider mix-up attack patterns and trade-offs b...Overall pictures of Identity provider mix-up attack patterns and trade-offs b...
Overall pictures of Identity provider mix-up attack patterns and trade-offs b...
 
[APIdays INTERFACE 2021] The Evolution of API Security for Client-side Applic...
[APIdays INTERFACE 2021] The Evolution of API Security for Client-side Applic...[APIdays INTERFACE 2021] The Evolution of API Security for Client-side Applic...
[APIdays INTERFACE 2021] The Evolution of API Security for Client-side Applic...
 
apidays LIVE Australia 2021 - API Horror Stories from an Unnamed Coworking Co...
apidays LIVE Australia 2021 - API Horror Stories from an Unnamed Coworking Co...apidays LIVE Australia 2021 - API Horror Stories from an Unnamed Coworking Co...
apidays LIVE Australia 2021 - API Horror Stories from an Unnamed Coworking Co...
 
Enterprise Single Sign On
Enterprise Single Sign On Enterprise Single Sign On
Enterprise Single Sign On
 
WSO2 API Microgateway for Easier Development and Greater Scalability
WSO2 API Microgateway for Easier Development and Greater ScalabilityWSO2 API Microgateway for Easier Development and Greater Scalability
WSO2 API Microgateway for Easier Development and Greater Scalability
 
OpenID Foundation RISC WG Update - 2017-10-16
OpenID Foundation RISC WG Update - 2017-10-16OpenID Foundation RISC WG Update - 2017-10-16
OpenID Foundation RISC WG Update - 2017-10-16
 
OpenID Connect - a simple[sic] single sign-on & identity layer on top of OAut...
OpenID Connect - a simple[sic] single sign-on & identity layer on top of OAut...OpenID Connect - a simple[sic] single sign-on & identity layer on top of OAut...
OpenID Connect - a simple[sic] single sign-on & identity layer on top of OAut...
 
How WSO2 API Manager Supports the Ministry of Hajj and Umrah
How WSO2 API Manager Supports the Ministry of Hajj and UmrahHow WSO2 API Manager Supports the Ministry of Hajj and Umrah
How WSO2 API Manager Supports the Ministry of Hajj and Umrah
 
Criticality of identity
Criticality of identityCriticality of identity
Criticality of identity
 
MODRNA WG Update - April 2021
MODRNA WG Update - April 2021MODRNA WG Update - April 2021
MODRNA WG Update - April 2021
 
OIDF Workshop at Verizon Media -- 9/30/2019 -- OpenID Connect Federation Update
OIDF Workshop at Verizon Media -- 9/30/2019 -- OpenID Connect Federation UpdateOIDF Workshop at Verizon Media -- 9/30/2019 -- OpenID Connect Federation Update
OIDF Workshop at Verizon Media -- 9/30/2019 -- OpenID Connect Federation Update
 
WSO2 API Manager 2.0 - Overview
WSO2 API Manager 2.0 - Overview WSO2 API Manager 2.0 - Overview
WSO2 API Manager 2.0 - Overview
 
Open APIs - Risks and Rewards (Øredev 2013)
Open APIs - Risks and Rewards (Øredev 2013)Open APIs - Risks and Rewards (Øredev 2013)
Open APIs - Risks and Rewards (Øredev 2013)
 
Case Study of Financial Web System Development and Operations with Oracle Web...
Case Study of Financial Web System Development and Operations with Oracle Web...Case Study of Financial Web System Development and Operations with Oracle Web...
Case Study of Financial Web System Development and Operations with Oracle Web...
 
Swagger & OpenAPI Spec #openapi
Swagger & OpenAPI Spec #openapiSwagger & OpenAPI Spec #openapi
Swagger & OpenAPI Spec #openapi
 
Open source iam value, benefits, and risks
Open source iam  value, benefits, and risksOpen source iam  value, benefits, and risks
Open source iam value, benefits, and risks
 
CIS 2015 Easy Federation in Cloud and on Premises - Ian Jaffe
CIS 2015 Easy Federation in Cloud and on Premises - Ian JaffeCIS 2015 Easy Federation in Cloud and on Premises - Ian Jaffe
CIS 2015 Easy Federation in Cloud and on Premises - Ian Jaffe
 
42Crunch Security Audit for WSO2 API Manager 3.1
42Crunch Security Audit for WSO2 API Manager 3.142Crunch Security Audit for WSO2 API Manager 3.1
42Crunch Security Audit for WSO2 API Manager 3.1
 
OpenID Foundation iGov Working Group Update - October 22, 2018
OpenID Foundation iGov Working Group Update - October 22, 2018OpenID Foundation iGov Working Group Update - October 22, 2018
OpenID Foundation iGov Working Group Update - October 22, 2018
 
Strong Customer Authentication - All Your Questions Answered
Strong Customer Authentication - All Your Questions AnsweredStrong Customer Authentication - All Your Questions Answered
Strong Customer Authentication - All Your Questions Answered
 

Similar to APIdays London 2020: Toward certifying Financial-grade API security profile with Keycloak

Case study - Using OSGi within the salesforce.com Data Center Automation Init...
Case study - Using OSGi within the salesforce.com Data Center Automation Init...Case study - Using OSGi within the salesforce.com Data Center Automation Init...
Case study - Using OSGi within the salesforce.com Data Center Automation Init...
mfrancis
 

Similar to APIdays London 2020: Toward certifying Financial-grade API security profile with Keycloak (20)

apidays LIVE LONDON - Toward certifying Financial-grade API profile with Keyc...
apidays LIVE LONDON - Toward certifying Financial-grade API profile with Keyc...apidays LIVE LONDON - Toward certifying Financial-grade API profile with Keyc...
apidays LIVE LONDON - Toward certifying Financial-grade API profile with Keyc...
 
KubeConRecap_nakamura.pdf
KubeConRecap_nakamura.pdfKubeConRecap_nakamura.pdf
KubeConRecap_nakamura.pdf
 
Modernizing an Existing SOA-based Architecture with APIs
Modernizing an Existing SOA-based Architecture with APIsModernizing an Existing SOA-based Architecture with APIs
Modernizing an Existing SOA-based Architecture with APIs
 
APIdays Paris 2019 - What are protected and secured by security requirements ...
APIdays Paris 2019 - What are protected and secured by security requirements ...APIdays Paris 2019 - What are protected and secured by security requirements ...
APIdays Paris 2019 - What are protected and secured by security requirements ...
 
Webinar: ForgeRock Identity Platform Preview (Dec 2015)
Webinar: ForgeRock Identity Platform Preview (Dec 2015)Webinar: ForgeRock Identity Platform Preview (Dec 2015)
Webinar: ForgeRock Identity Platform Preview (Dec 2015)
 
Webinar: Identity Wars: The Unified Platform Awakens
Webinar: Identity Wars: The Unified Platform AwakensWebinar: Identity Wars: The Unified Platform Awakens
Webinar: Identity Wars: The Unified Platform Awakens
 
Oracle API Platform Cloud Service Best Practices & Lessons Learnt
Oracle API Platform Cloud Service Best Practices & Lessons LearntOracle API Platform Cloud Service Best Practices & Lessons Learnt
Oracle API Platform Cloud Service Best Practices & Lessons Learnt
 
PSD2: Implementing APIs that interoperate with ISO 20022
PSD2: Implementing APIs that interoperate with ISO 20022PSD2: Implementing APIs that interoperate with ISO 20022
PSD2: Implementing APIs that interoperate with ISO 20022
 
Security Considerations for API Gateway Aggregation
Security Considerations for API Gateway AggregationSecurity Considerations for API Gateway Aggregation
Security Considerations for API Gateway Aggregation
 
APIsecure 2023 - Security Considerations for API Gateway Aggregation, Yoshiyu...
APIsecure 2023 - Security Considerations for API Gateway Aggregation, Yoshiyu...APIsecure 2023 - Security Considerations for API Gateway Aggregation, Yoshiyu...
APIsecure 2023 - Security Considerations for API Gateway Aggregation, Yoshiyu...
 
WSO2 ITALIA SMART TALK #4 - Telefonica Use Case
WSO2 ITALIA SMART TALK #4 - Telefonica Use CaseWSO2 ITALIA SMART TALK #4 - Telefonica Use Case
WSO2 ITALIA SMART TALK #4 - Telefonica Use Case
 
MuleSoft Meetup Charlotte 2019
MuleSoft Meetup Charlotte  2019MuleSoft Meetup Charlotte  2019
MuleSoft Meetup Charlotte 2019
 
Engineering Student MuleSoft Meetup#3 - API Implementation using APIKIT route...
Engineering Student MuleSoft Meetup#3 - API Implementation using APIKIT route...Engineering Student MuleSoft Meetup#3 - API Implementation using APIKIT route...
Engineering Student MuleSoft Meetup#3 - API Implementation using APIKIT route...
 
Presentation at the 2016 Linux Foundation Collab Summit
Presentation at the 2016 Linux Foundation Collab SummitPresentation at the 2016 Linux Foundation Collab Summit
Presentation at the 2016 Linux Foundation Collab Summit
 
[2015-11월 정기 세미나] Cloud Native Platform - Pivotal
[2015-11월 정기 세미나] Cloud Native Platform - Pivotal[2015-11월 정기 세미나] Cloud Native Platform - Pivotal
[2015-11월 정기 세미나] Cloud Native Platform - Pivotal
 
Case study - Using OSGi within the salesforce.com Data Center Automation Init...
Case study - Using OSGi within the salesforce.com Data Center Automation Init...Case study - Using OSGi within the salesforce.com Data Center Automation Init...
Case study - Using OSGi within the salesforce.com Data Center Automation Init...
 
EduID Mobile App - Use-Cases, Concepts and Implementation
EduID Mobile App - Use-Cases, Concepts and ImplementationEduID Mobile App - Use-Cases, Concepts and Implementation
EduID Mobile App - Use-Cases, Concepts and Implementation
 
TechTalk: Extend Existing Architectures to Digital Endpoints with CA API Mana...
TechTalk: Extend Existing Architectures to Digital Endpoints with CA API Mana...TechTalk: Extend Existing Architectures to Digital Endpoints with CA API Mana...
TechTalk: Extend Existing Architectures to Digital Endpoints with CA API Mana...
 
apidays Paris 2022 - Adding a mock as a service capability to your API strate...
apidays Paris 2022 - Adding a mock as a service capability to your API strate...apidays Paris 2022 - Adding a mock as a service capability to your API strate...
apidays Paris 2022 - Adding a mock as a service capability to your API strate...
 
How to add stuff to MySQL
How to add stuff to MySQLHow to add stuff to MySQL
How to add stuff to MySQL
 

More from Hitachi, Ltd. OSS Solution Center.

More from Hitachi, Ltd. OSS Solution Center. (20)

Guide of authentication and authorization for cloud native applications with ...
Guide of authentication and authorization for cloud native applications with ...Guide of authentication and authorization for cloud native applications with ...
Guide of authentication and authorization for cloud native applications with ...
 
KeycloakのCNCF incubating project入りまでのアップストリーム活動の歩み
KeycloakのCNCF incubating project入りまでのアップストリーム活動の歩みKeycloakのCNCF incubating project入りまでのアップストリーム活動の歩み
KeycloakのCNCF incubating project入りまでのアップストリーム活動の歩み
 
KubeCon NA 2023 Recap: Challenge to Implementing “Scalable” Authorization wit...
KubeCon NA 2023 Recap: Challenge to Implementing “Scalable” Authorization wit...KubeCon NA 2023 Recap: Challenge to Implementing “Scalable” Authorization wit...
KubeCon NA 2023 Recap: Challenge to Implementing “Scalable” Authorization wit...
 
パスキーでリードする: NGINXとKeycloakによる効率的な認証・認可
パスキーでリードする: NGINXとKeycloakによる効率的な認証・認可パスキーでリードする: NGINXとKeycloakによる効率的な認証・認可
パスキーでリードする: NGINXとKeycloakによる効率的な認証・認可
 
Keycloakの全体像: 基本概念、ユースケース、そして最新の開発動向
Keycloakの全体像: 基本概念、ユースケース、そして最新の開発動向Keycloakの全体像: 基本概念、ユースケース、そして最新の開発動向
Keycloakの全体像: 基本概念、ユースケース、そして最新の開発動向
 
Challenge to Implementing "Scalable" Authorization with Keycloak
Challenge to Implementing "Scalable" Authorization with KeycloakChallenge to Implementing "Scalable" Authorization with Keycloak
Challenge to Implementing "Scalable" Authorization with Keycloak
 
NGINXでの認可について考える
NGINXでの認可について考えるNGINXでの認可について考える
NGINXでの認可について考える
 
KeycloakでFAPIに対応した高セキュリティなAPIを公開する
KeycloakでFAPIに対応した高セキュリティなAPIを公開するKeycloakでFAPIに対応した高セキュリティなAPIを公開する
KeycloakでFAPIに対応した高セキュリティなAPIを公開する
 
IDガバナンス&管理の基礎
IDガバナンス&管理の基礎IDガバナンス&管理の基礎
IDガバナンス&管理の基礎
 
Keycloakのステップアップ認証について
Keycloakのステップアップ認証についてKeycloakのステップアップ認証について
Keycloakのステップアップ認証について
 
NGINXをBFF (Backend for Frontend)として利用した話
NGINXをBFF (Backend for Frontend)として利用した話NGINXをBFF (Backend for Frontend)として利用した話
NGINXをBFF (Backend for Frontend)として利用した話
 
Why Assertion-based Access Token is preferred to Handle-based one?
Why Assertion-based Access Token is preferred to Handle-based one?Why Assertion-based Access Token is preferred to Handle-based one?
Why Assertion-based Access Token is preferred to Handle-based one?
 
KeycloakでAPI認可に入門する
KeycloakでAPI認可に入門するKeycloakでAPI認可に入門する
KeycloakでAPI認可に入門する
 
Apache con@home 2021_sha
Apache con@home 2021_shaApache con@home 2021_sha
Apache con@home 2021_sha
 
Node-RED Installer, Standalone Installer using Electron
Node-RED Installer, Standalone Installer using ElectronNode-RED Installer, Standalone Installer using Electron
Node-RED Installer, Standalone Installer using Electron
 
Hacktoberfest 概要、Node-REDプロジェクト貢献手順
Hacktoberfest 概要、Node-REDプロジェクト貢献手順Hacktoberfest 概要、Node-REDプロジェクト貢献手順
Hacktoberfest 概要、Node-REDプロジェクト貢献手順
 
最近のKeycloakのご紹介 ~クライアントポリシーとFAPI~
最近のKeycloakのご紹介 ~クライアントポリシーとFAPI~最近のKeycloakのご紹介 ~クライアントポリシーとFAPI~
最近のKeycloakのご紹介 ~クライアントポリシーとFAPI~
 
Node-RED v2.0新機能紹介
Node-RED v2.0新機能紹介Node-RED v2.0新機能紹介
Node-RED v2.0新機能紹介
 
Node-REDからREST APIに接続
Node-REDからREST APIに接続Node-REDからREST APIに接続
Node-REDからREST APIに接続
 
Node-RED v1.3新機能紹介
Node-RED v1.3新機能紹介Node-RED v1.3新機能紹介
Node-RED v1.3新機能紹介
 

Recently uploaded

Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
WSO2
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 

Recently uploaded (20)

Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital Adaptability
 
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
 
JavaScript Usage Statistics 2024 - The Ultimate Guide
JavaScript Usage Statistics 2024 - The Ultimate GuideJavaScript Usage Statistics 2024 - The Ultimate Guide
JavaScript Usage Statistics 2024 - The Ultimate Guide
 
JohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptxJohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptx
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Modernizing Legacy Systems Using Ballerina
Modernizing Legacy Systems Using BallerinaModernizing Legacy Systems Using Ballerina
Modernizing Legacy Systems Using Ballerina
 
ChatGPT and Beyond - Elevating DevOps Productivity
ChatGPT and Beyond - Elevating DevOps ProductivityChatGPT and Beyond - Elevating DevOps Productivity
ChatGPT and Beyond - Elevating DevOps Productivity
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Decarbonising Commercial Real Estate: The Role of Operational Performance
Decarbonising Commercial Real Estate: The Role of Operational PerformanceDecarbonising Commercial Real Estate: The Role of Operational Performance
Decarbonising Commercial Real Estate: The Role of Operational Performance
 
Less Is More: Utilizing Ballerina to Architect a Cloud Data Platform
Less Is More: Utilizing Ballerina to Architect a Cloud Data PlatformLess Is More: Utilizing Ballerina to Architect a Cloud Data Platform
Less Is More: Utilizing Ballerina to Architect a Cloud Data Platform
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
The Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and InsightThe Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and Insight
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 

APIdays London 2020: Toward certifying Financial-grade API security profile with Keycloak

• 7. FAPI: needs and difficulties
  Timeline (from the slide):
  - PSD2 (2015/11). Following this, the movement of open APIs became active, mainly in EU member states.
  - UK: Open Banking Standard (2016/2); OBIE announced its collaboration with the FAPI WG (2017/5). The UK came to be recognized as a leader in this field.
  - Japan: revised Banking Act (2017/6); the Japanese Bankers Association recommended conforming to FAPI (2017/7). In response to the above movements, each bank was required to make efforts for open APIs.
  FAPI is gaining attention both in Japan and globally.
  However, since the authorization server requires various functions/settings, and sometimes changes of implementation are required, it is difficult to meet the FAPI security profile.
• 8. What is Keycloak?
  OSS for Identity Management; the community is led by Red Hat: https://www.keycloak.org
  Keycloak provides single sign-on and authentication/authorization based on OAuth 2.0.
  (Figure: Identity Federation (OpenID Connect, OAuth 2.0, SAML); Social Login / Identity Brokering (OpenID, SAML, GitHub, Twitter, Facebook); Identity Management and Authentication against LDAP, Active Directory and RDB.)
• 9. Keycloak acts as OAuth 2.0 authorization server
  Orthodox API system: Authorization Server + API Gateway + Resource Server.
  e.g.) OAuth 2.0 Authorization Code Grant
  (Figure: Keycloak is the Authorization Server; the API system consists of the API Gateway and the Resource Server. Labelled steps: 1. Authentication (End User, Client Application, Keycloak); 3. API Request w/ Token (Client Application to API Gateway); 4. Token Introspection (API Gateway to Keycloak); 5. Authorized API Request (API Gateway to Resource Server).)
• 10. Our activities toward certifying FAPI security profile
  Our colleague @tnorimat is mainly working on this.
  We'd finished implementing all functions required for FAPI-RW.
  - KEYCLOAK-6767 FAPI (Financial API) Security Profile Support
  Table: JIRA | Description | PR | Opened by
  - KEYCLOAK-2604 | Support PKCE (RFC7636) | 3831 | tnorimat
  - KEYCLOAK-5661 | Return allowed scopes with access token | 4527 | tnorimat
  - KEYCLOAK-5811 | Support client_secret_jwt | 4835 | tnorimat
  - KEYCLOAK-6700 | Support s_hash | 5022 | tnorimat
  - KEYCLOAK-6768 | Support signed and encrypted ID token | 5779 | tnorimat
  - KEYCLOAK-6770 | Support signature algorithm ES256 | 5533 | tnorimat
  - KEYCLOAK-6771 | Support holder of key (RFC8705) | 5083 | tnorimat
• 11. Next assignment: pass all conformance tests for FAPI-RW
  We'd finished implementing all functions required for FAPI.
  -> However, this is not enough to pass all conformance tests.
  To pass these tests, it is necessary to implement fine-grained checks in the authorization server, i.e. Keycloak.
  e.g.)
  - Check that a client uses request objects at a sufficiently high security level. (KEYCLOAK-14204)
  - Check that a client uses suitable response types in the OIDC Hybrid Flow. (KEYCLOAK-14205)
  There were difficulties:
  - Regarding usability: settings for clients and realms (i.e. services) would increase too much.
  - Regarding implementation: implementing check logic in each endpoint would increase conditional branches and impair readability.
  -> We proposed "Client Policy"!
• 12. Contents
  1. Introduction: Financial-grade API (FAPI) and Keycloak
  2. "Client Policy": how to satisfy the FAPI security profile easily (this section)
  3. Other activities that help engineers build a FAPI-compliant system
• 13. What is Client Policy? – Concept
  A framework for applying security profiles to client applications.
  - Executor: "what action". Executes actions for security profiles.
  - Condition: "which client". Selects client applications based on conditions.
  - Policy: manages sets of executors and conditions.
• 14. What is Client Policy? – Processing Flow
  The Client Policy Manager monitors requests from client applications to each endpoint.
  - It determines whether the client is subject to client policies, based on:
    - Static characteristics: the client application's metadata.
    - Dynamic characteristics: the requests to endpoints.
  - It executes actions for security profiles.
• 15. What is Client Policy? – How to implement
  Design pattern: Abstract Factory pattern. All of Executor, Condition and Policy are implemented as Java interfaces.
  - Since client policies can be set separately from the settings for clients and realms, the settings do not become complicated.
  - Since client policies can be implemented separately from each endpoint implementation, the readability of the endpoint implementation is not impaired.
  Security profiles other than FAPI, such as UK Open Banking, can be added easily without affecting Keycloak's original source code.
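The Condition / Executor / Policy split on slides 13 to 15, and the two fine-grained checks slide 11 names (request-object security level, response types in the hybrid flow), as an added example in Python. This is not Keycloak's Java implementation; it is a miniature policy engine in the same shape, hooked on a simulated authorization request. The client metadata fields (`roles`, `client_id`), the request field names (`request_object_alg`, `response_type`, `code_challenge_method`) and the policy name `fapi-rw` are assumptions for the example; the permitted algorithms and response type are what FAPI-RW specifies.

```python
"""Added example (not Keycloak's code): a miniature "client policy" engine in
the shape the slides describe. Condition = "which client", Executor = "what
action", Policy = a set of both, and a manager that hooks the authorization
endpoint. Client metadata, request fields and the policy name are constructed.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Static characteristics (registered client metadata) and dynamic
# characteristics (the request hitting an endpoint), as plain dicts.
Client = Dict[str, object]
Request = Dict[str, object]

Condition = Callable[[Client, Request], bool]
# An executor returns a list of violations; an empty list means "pass".
Executor = Callable[[Client, Request], List[str]]


@dataclass
class Policy:
    name: str
    conditions: List[Condition] = field(default_factory=list)
    executors: List[Executor] = field(default_factory=list)

    def applies_to(self, client: Client, request: Request) -> bool:
        # The policy is active for this client only if every condition selects it.
        return all(cond(client, request) for cond in self.conditions)


# --- Conditions: "which client" ------------------------------------------------
def has_role(role: str) -> Condition:
    return lambda client, _req: role in client.get("roles", [])


def client_id_prefix(prefix: str) -> Condition:
    return lambda client, _req: str(client.get("client_id", "")).startswith(prefix)


# --- Executors: "what action" -------------------------------------------------
# FAPI-RW requires signed request objects using PS256 or ES256.
FAPI_REQUEST_OBJECT_ALGS = {"PS256", "ES256"}


def require_secure_request_object(_client: Client, req: Request) -> List[str]:
    alg = req.get("request_object_alg")
    if alg is None:
        return ["request object is required"]
    if alg not in FAPI_REQUEST_OBJECT_ALGS:
        return [f"request object alg {alg} not allowed; use one of {sorted(FAPI_REQUEST_OBJECT_ALGS)}"]
    return []


def require_hybrid_response_type(_client: Client, req: Request) -> List[str]:
    # FAPI-RW hybrid flow: response_type must be "code id_token" (order is not
    # significant, OAuth treats the value as a set). FAPI-RW also allows
    # response_type=code with response_mode=jwt (JARM); that is not modelled here.
    rt = set(str(req.get("response_type", "")).split())
    if rt != {"code", "id_token"}:
        return [f"response_type {sorted(rt)} not allowed; use 'code id_token'"]
    return []


def require_pkce_s256(_client: Client, req: Request) -> List[str]:
    # FAPI Part 1 requires PKCE with S256 for public clients; applying it to
    # every client the policy selects is a deployment choice for this example.
    if req.get("code_challenge_method") != "S256" or not req.get("code_challenge"):
        return ["PKCE with code_challenge_method=S256 is required"]
    return []


# --- Manager: hooks the endpoint and runs the executors of active policies -----
class ClientPolicyManager:
    def __init__(self, policies: List[Policy]):
        self.policies = policies

    def check_authorization_request(self, client: Client, req: Request) -> List[str]:
        violations: List[str] = []
        for policy in self.policies:
            if policy.applies_to(client, req):
                for executor in policy.executors:
                    violations.extend(f"{policy.name}: {v}" for v in executor(client, req))
        return violations


def build_fapi_manager() -> ClientPolicyManager:
    """One policy: clients carrying the (assumed) role "fapi" get the FAPI-RW checks."""
    fapi_rw = Policy(
        name="fapi-rw",
        conditions=[has_role("fapi")],
        executors=[require_secure_request_object, require_hybrid_response_type, require_pkce_s256],
    )
    return ClientPolicyManager([fapi_rw])


if __name__ == "__main__":
    mgr = build_fapi_manager()
    bank_app = {"client_id": "bank-app", "roles": ["fapi"]}          # constructed
    weak_req = {"response_type": "code", "request_object_alg": "RS256"}  # constructed
    for v in mgr.check_authorization_request(bank_app, weak_req):
        print("reject:", v)
```

The point of the split is visible in the shape: adding a UK Open Banking profile means adding executors and a policy, while the endpoint keeps its single call to `check_authorization_request`, and a client that no condition selects (no `fapi` role here) is untouched by any of the checks.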
• 16. Our activities toward passing conformance tests for FAPI-RW
  Our colleague @tnorimat is mainly working on this.
  - KEYCLOAK-10331 Pass All Conformance Tests for Certified Financial-grade API (FAPI) OpenID Providers by OpenID Foundation
  Table: JIRA | Description | Progress
  - KEYCLOAK-10332 | Conformance Tests for FAPI R/W OP w/ MTLS | 30%
  - KEYCLOAK-10333 | Conformance Tests for FAPI R/W OP w/ Private Key | 30%
  This activity is being accelerated by Client Policy and FAPI-SIG.
  Due to our contribution, FAPI-SIG (Financial-grade API Security: Special Interest Group) was founded.
  - https://github.com/keycloak/kc-sig-fapi
  - Its main activity is supporting FAPI and its related specifications in Keycloak.
  - Communication channels: Google Group, Zulip, and a web meeting on a regular basis.
  - Anyone can join it anytime!
• 17. Next assignment: considering the whole API system
  Security of the API system is not ensured only by the authorization server.
  (Figure: the same flow as slide 9. Both the Authorization Server (Keycloak) and the API Gateway are marked "MUST consider security!".)
• 18. Contents
  1. Introduction: Financial-grade API (FAPI) and Keycloak
  2. "Client Policy": how to satisfy the FAPI security profile easily
  3. Other activities that help engineers build a FAPI-compliant system (this section)
• 19. Overview: whole API system
  (Figure: Hitachi's Sample OIDC Client Application as the Client Application, Keycloak as the Authorization Server, 3scale as the API Gateway in front of the Resource Server. Steps: 1. Authentication; 3. API Request w/ Token; 4. Token Introspection; 5. Authorized API Request.)
  We are implementing functions relating to FAPI in the client application and the API Gateway, and considering a kind of FAPI sandbox.
• 20. What is 3scale?
  OSS for API Management; the community is led by Red Hat: https://github.com/3scale
  (Figure: the API Gateway (APIcast) and the API Manager (Porta, with an Admin Portal for admins and a Dev Portal for app developers) run on a container platform, work with an Authorization Server, and front REST API servers and legacy backends used by applications (web, mobile) on behalf of end users.)
• 21. Our activities for the API gateway
  Implemented the necessary functions for FAPI.
  e.g.) OAuth MTLS (RFC8705), PR #1101
  - The access token includes the hash value of the client certificate (in RFC 8705 terms, the x5t#S256 member of the cnf claim).
  - The API gateway calculates the hash value of the client certificate presented on the mTLS connection and compares it with the token's one.
  (Figure: 3. API Request w/ Token w/ Client Certificate (Client Application to 3scale API Gateway); 4. Token Introspection (API Gateway to Keycloak); 5. Authorized API Request (API Gateway to Resource Server).)
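The gateway-side decision behind slides 9 and 21 (token introspection, then the certificate-hash comparison for a certificate-bound token), as an added example in Python. It is not 3scale APIcast code and not Keycloak code; the introspection response is a constructed RFC 7662 answer, and the "certificate" is constructed stand-in DER bytes, which is enough because the RFC 8705 thumbprint is just SHA-256 over the DER encoding. The scope and audience values are assumptions.

```python
"""Added example (not 3scale's or Keycloak's code): what an API gateway checks
before forwarding a request whose access token is certificate-bound (RFC 8705).
Token data is a constructed RFC 7662 introspection response; the client
certificate is constructed stand-in DER bytes.
"""
import base64
import hashlib
import hmac
import time
from typing import Dict, Optional


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def x5t_s256(cert_der: bytes) -> str:
    """RFC 8705 section 3.1: base64url(SHA-256(DER certificate)) without padding."""
    return b64url(hashlib.sha256(cert_der).digest())


def authorize_request(introspection: Dict, presented_cert_der: Optional[bytes],
                      required_scope: str, gateway_audience: str,
                      now: Optional[float] = None,
                      require_binding: bool = True) -> Dict[str, str]:
    """Return {'decision': 'allow'} or {'decision': 'deny', 'reason': ...}."""
    now = time.time() if now is None else now

    # 1. RFC 7662: an inactive token ends the evaluation.
    if not introspection.get("active"):
        return {"decision": "deny", "reason": "token inactive"}

    # 2. Defence in depth: re-check expiry and audience at the gateway even
    #    though the authorization server also does (skew, cached responses).
    if "exp" in introspection and introspection["exp"] <= now:
        return {"decision": "deny", "reason": "token expired"}
    aud = introspection.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud
    if gateway_audience not in aud:
        return {"decision": "deny", "reason": "audience mismatch"}

    # 3. Scope: RFC 7662 returns "scope" as a space-separated string.
    if required_scope not in str(introspection.get("scope", "")).split():
        return {"decision": "deny", "reason": f"missing scope {required_scope}"}

    # 4. RFC 8705 proof of possession: the token carries cnf.x5t#S256 and the
    #    caller must present the matching certificate on the mTLS connection.
    bound = introspection.get("cnf", {}).get("x5t#S256")
    if bound is None:
        if require_binding:   # FAPI-RW requires sender-constrained access tokens
            return {"decision": "deny", "reason": "token is not certificate-bound"}
        return {"decision": "allow"}
    if presented_cert_der is None:
        return {"decision": "deny", "reason": "certificate-bound token without client certificate"}
    if not hmac.compare_digest(bound, x5t_s256(presented_cert_der)):
        return {"decision": "deny", "reason": "client certificate does not match token binding"}
    return {"decision": "allow"}


# Constructed sample data (not a real certificate, not a real token).
SAMPLE_CERT_DER = b"\x30\x82\x01\x0a" + b"sample-client-certificate-der-bytes"
OTHER_CERT_DER = b"\x30\x82\x01\x0a" + b"some-other-certificate-der-bytes"
SAMPLE_INTROSPECTION = {
    "active": True,
    "client_id": "bank-app",
    "scope": "accounts payments",
    "aud": ["api-gateway"],
    "exp": 1_700_000_000,
    "cnf": {"x5t#S256": x5t_s256(SAMPLE_CERT_DER)},
}

if __name__ == "__main__":
    t = 1_699_999_000
    print(authorize_request(SAMPLE_INTROSPECTION, SAMPLE_CERT_DER, "accounts", "api-gateway", now=t))
    print(authorize_request(SAMPLE_INTROSPECTION, OTHER_CERT_DER, "accounts", "api-gateway", now=t))
```

The order matters in practice: the cheap, local checks (active, exp, aud, scope) run before the thumbprint comparison, and a token without `cnf` is rejected outright under `require_binding`, which is the FAPI-RW posture; a gateway that also serves non-FAPI APIs would pass `require_binding=False` for those routes only.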
• 22. What is Hitachi's Sample OIDC Client Application?
  A sample client application* created for testing a high-security API system we built.
  https://github.com/Hitachi/sample-oidc-client-application
  It follows the OAuth 2.0 Security Best Current Practice.
  It has the following functions, including FAPI-RW requirements:
  - Acts as a client application of Keycloak
  - TLS
  - OAuth 2.0 (RFC6749) / OIDC
  - Authorization Code Grant
  - Scope claim
  - Audience claim
  - State value
  - Nonce value
  - Proof Key for Code Exchange by OAuth Public Clients (RFC7636)
  - OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens (RFC8705)
  - OAuth 2.0 Form Post Response Mode
  * This sample source code is just a sample and is not intended to be applied to a product directly.
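The client-side half of the list above (PKCE with S256, state, nonce, audience) together with the s_hash support from slide 10, as an added example in Python. It is not the code of Hitachi's sample client; it builds a FAPI-RW style `code id_token` authorization request, keeps the per-request secrets, and verifies the callback, including the `s_hash` (state) and `c_hash` (code) claims of the ID token. The ID token is treated as an already signature-verified claim set; signature checking and the token request are out of scope. The endpoint URL, client_id, issuer and redirect URI are assumptions, and `simulate_provider_response` is a constructed stand-in for the authorization server so the exchange runs offline.

```python
"""Added example (not Hitachi's sample client code): PKCE, state, nonce and
callback verification (including s_hash and c_hash) for a FAPI-RW style
hybrid-flow client. Endpoint, client_id and issuer values are assumed.
"""
import base64
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple
from urllib.parse import urlencode

# Hash function implied by the ID token's signing alg (OIDC Core 3.3.2.11).
ALG_HASH = {"RS256": "sha256", "PS256": "sha256", "ES256": "sha256",
            "PS384": "sha384", "ES384": "sha384", "PS512": "sha512", "ES512": "sha512"}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def code_challenge_s256(code_verifier: str) -> str:
    """RFC 7636 S256: base64url(SHA-256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())


def pkce_pair() -> Tuple[str, str]:
    # RFC 7636 wants 43..128 unreserved characters; 32 random bytes give 43.
    verifier = b64url(secrets.token_bytes(32))
    return verifier, code_challenge_s256(verifier)


def half_hash(value: str, id_token_alg: str) -> str:
    """at_hash / c_hash / s_hash: left-most half of the alg-matched hash of the
    ASCII value, base64url-encoded without padding."""
    digest = hashlib.new(ALG_HASH[id_token_alg], value.encode("ascii")).digest()
    return b64url(digest[: len(digest) // 2])


def build_authorization_request(auth_endpoint: str, client_id: str,
                                redirect_uri: str, scope: str) -> Dict[str, str]:
    """Returns the redirect URL plus the secrets the client must keep in its session."""
    verifier, challenge = pkce_pair()
    state = b64url(secrets.token_bytes(16))
    nonce = b64url(secrets.token_bytes(16))
    params = {
        "response_type": "code id_token",   # FAPI-RW hybrid flow
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "nonce": nonce,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return {"url": f"{auth_endpoint}?{urlencode(params)}", "state": state,
            "nonce": nonce, "code_verifier": verifier}


def verify_callback(session: Dict[str, str], callback_params: Dict[str, str],
                    id_token_claims: Dict, id_token_alg: str,
                    client_id: str, issuer: str) -> Optional[str]:
    """Return None if the authorization response is acceptable, else the first problem."""
    if not hmac.compare_digest(callback_params.get("state", ""), session["state"]):
        return "state mismatch"
    if id_token_claims.get("iss") != issuer:
        return "issuer mismatch"
    aud = id_token_claims.get("aud")
    if (client_id not in aud) if isinstance(aud, list) else (aud != client_id):
        return "audience mismatch"
    if id_token_claims.get("nonce") != session["nonce"]:
        return "nonce mismatch"
    # s_hash (FAPI-RW) binds the ID token to the state the client sent.
    if "s_hash" not in id_token_claims or not hmac.compare_digest(
            id_token_claims["s_hash"], half_hash(session["state"], id_token_alg)):
        return "s_hash mismatch"
    # c_hash binds the ID token to the code returned next to it (code id_token).
    code = callback_params.get("code", "")
    if "c_hash" not in id_token_claims or not hmac.compare_digest(
            id_token_claims["c_hash"], half_hash(code, id_token_alg)):
        return "c_hash mismatch"
    return None


def simulate_provider_response(session: Dict[str, str], code: str, id_token_alg: str,
                               issuer: str, client_id: str):
    """Constructed stand-in for the authorization server: the callback parameters
    and ID-token claims a conforming provider returns for this session."""
    claims = {"iss": issuer, "aud": client_id, "nonce": session["nonce"],
              "s_hash": half_hash(session["state"], id_token_alg),
              "c_hash": half_hash(code, id_token_alg)}
    return {"code": code, "state": session["state"]}, claims


if __name__ == "__main__":
    sess = build_authorization_request("https://as.example/auth", "bank-app",
                                       "https://app.example/cb", "openid accounts")
    params, claims = simulate_provider_response(sess, "constructed-code", "PS256",
                                                "https://as.example", "bank-app")
    print(verify_callback(sess, params, claims, "PS256", "bank-app", "https://as.example"))
```

Because `s_hash` and `c_hash` are computed over values the client itself chose or received in the same response, the ID token can only be replayed into a session whose state and code produce the same half-hashes, which is what makes the hybrid flow's detached-signature property hold; `code_verifier` is sent later, at the token endpoint, and is the only secret that never leaves the client's session before then.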
• 23. Summary
  - Keycloak already has all functions required for FAPI-RW.
  - We are actively moving toward passing all conformance tests for FAPI-RW with Keycloak.
  - We are also considering preparing a FAPI sandbox: a demo set with which FAPI can be tried with Keycloak easily.
  - Let's join FAPI-SIG! https://github.com/keycloak/kc-sig-fapi
• 24. Trademarks
  - OpenID is a trademark or registered trademark of OpenID Foundation in the United States and other countries.
  - GitHub is a trademark or registered trademark of GitHub, Inc. in the United States and other countries.
  - Twitter is a trademark or registered trademark of Twitter, Inc. in the United States and other countries.
  - Facebook is a trademark or registered trademark of Facebook, Inc. in the United States and other countries.
  - Red Hat and OpenShift are registered trademarks of Red Hat, Inc. in the United States and other countries.
  - Other brand names and product names used in this material are trademarks, registered trademarks, or trade names of their respective holders.
• 26. What is Client Policy? – Architecture (appendix)
  (Figure: class diagram relating Policy, Condition, Executor, Realm, Client, Attribute and Request with one-to-many associations; the Manager hooks Keycloak and calls the "Client Policy Basics" framework components, which apply policies to the Client.)
  - Separate security profile processing from Keycloak's original source code and provide "Client Policy Basics", a framework for dynamically loading and unloading it.
  - Separate the client from its settings, treat them as logical components (Executor), and apply them to the client (Condition).