This document discusses Authlete's semi-hosted approach to OAuth and API security. Authlete provides an API that customers can call from their own OAuth-speaking services to handle OAuth processing and management. The API allows customers to add new features to their services over time, such as PKCE, and supports various client authentication methods including mutual TLS with certificates. For mutual TLS, the customer validates the TLS connection but Authlete verifies the certificate to act as a trust anchor.

1. @justin__richer
Authlete FAPI Enhancements
Justin Richer
July 2018
1

2. @justin__richer
Building an OAuth Infrastructure
2

3. @justin__richer
On-Prem Approach
AS
RS Client
OAuth
Customer’s Systems Hosted Services
User
User Auth
3

4. @justin__richer
Cloud-Hosted Approach
AS
RS Client
OAuth
Customer’s Systems Hosted Services
User
User Auth
4

5. @justin__richer
Is there another option?
5

6. @justin__richer
Authlete is Semi-hosted
• Customers run OAuth-speaking services
• These services call the API for processing
• Authlete tells the services what to do next
6

7. @justin__richer
Authlete’s Approach
API
SO CO
AS
RS
API Key
Client
Management OAuth
Customer’s Systems Hosted Services
User
User Auth
7

8. @justin__richer
Adding New Features
• New features built into API
– Example: PKCE
• Customer code later adapted to use new features
8

9. @justin__richer
New Features for FAPI
• Client authentication model beyond client secrets
• Mutual TLS certificates and validation
• Scope management for FAPI-R, FAPI-RW, and non-
FAPI requests
• Strict processing of request objects
9

10. @justin__richer
Previous Client Authentication
API AS Client
Client Secret Client Secret
Customer
Client Registration
Client Configuration
10

11. @justin__richer
New Client Authentication
API AS Client
Client Auth Client Auth
None
Secret
Sym JWT
Priv Key
MTLS: SS
MTLS: PKI
Client Auth Type
11

12. @justin__richer
Traditional MTLS
CA AS Client
Mutual TLS Root Certs
12

13. @justin__richer
Authlete MTLS
API AS Client
Mutual TLS Certificate
Customer
Trusted Certificates
13

14. @justin__richer
Customer’s AS
• Validates the TLS socket
– Keys presented must be the ones used in the socket
• Does not validate the certificate against a CA
• Passes certificate to API
14

15. @justin__richer
Authlete API
• Can not validate the TLS connection between client
and AS
– Has no insight into the original connection
• Verifies that the certificate sent to the API is the one
expected for this transaction
– Acts as a trust anchor
15