FAPI 1 and 2 are security and interoperability profiles for OAuth. FAPI 1 patched OAuth security issues and added features like CIBA. FAPI 2 is a simpler evolution with broader scope, covering authorization, consent management, and secure API access. It uses mechanisms like PAR, RAR, and grant management to enable rich authorization and consent workflows. FAPI 2 provides the same security protections as FAPI 1 in a more versatile manner through alternative mechanisms like DPoP and PKCE. Adoption depends on existing vendor support and use case requirements around authorization complexity and consent lifecycle management.
Pushed authorization requests allow clients to push the payload of an OAuth 2.0 authorization request to the authorization server via a direct request and provides them with a request URI that is used as reference to the data in a subsequent authorization request.
Rich Authorization Requests allows clients to pass fine grained authorization data in the OAuth authorization request. It's been developed based on experiences in open banking and other security sensitive areas.
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...Torsten Lodderstedt
This deck gives an overview of OpenID 4 Verifiable Credentials and shows how the specs can be tailored to the needs of a certain category of projects/ecosystems.
The document proposes extending OpenID Connect to support requesting and presenting W3C Verifiable Credentials in all OpenID Connect flows. It outlines the need for a standard way to do this given limitations of existing approaches. The proposal is to use existing OpenID Connect mechanisms like the "claims" parameter to request verifiable presentations, which could then be returned embedded in ID tokens or userinfo responses, or as a separate verifiable presentation token. Examples are provided and it discusses the relationship to other relevant work. The goal is to make OpenID Connect the preferred choice for obtaining and providing verifiable presentations.
OpenID for Verifiable Credentials is a family of protocols supporting implementation of applications with Verifiable Credentials, i.e. verifiable credential issuance, credential presentation, and pseudonyms authentication.
Implementing WebAuthn & FAPI supports on KeycloakYuichi Nakamura
Keycloak supports WebAuthn and FAPI by implementing their features and passing conformance tests. Hitachi contributed WebAuthn support and worked with NRI to add FAPI compliance, addressing issues like supporting newer signature algorithms and the PKCE protocol. Further contributions are welcomed to resolve remaining FAPI test issues.
Pushed authorization requests allow clients to push the payload of an OAuth 2.0 authorization request to the authorization server via a direct request and provides them with a request URI that is used as reference to the data in a subsequent authorization request.
Rich Authorization Requests allows clients to pass fine grained authorization data in the OAuth authorization request. It's been developed based on experiences in open banking and other security sensitive areas.
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...Torsten Lodderstedt
This deck gives an overview of OpenID 4 Verifiable Credentials and shows how the specs can be tailored to the needs of a certain category of projects/ecosystems.
The document proposes extending OpenID Connect to support requesting and presenting W3C Verifiable Credentials in all OpenID Connect flows. It outlines the need for a standard way to do this given limitations of existing approaches. The proposal is to use existing OpenID Connect mechanisms like the "claims" parameter to request verifiable presentations, which could then be returned embedded in ID tokens or userinfo responses, or as a separate verifiable presentation token. Examples are provided and it discusses the relationship to other relevant work. The goal is to make OpenID Connect the preferred choice for obtaining and providing verifiable presentations.
OpenID for Verifiable Credentials is a family of protocols supporting implementation of applications with Verifiable Credentials, i.e. verifiable credential issuance, credential presentation, and pseudonyms authentication.
Implementing WebAuthn & FAPI supports on KeycloakYuichi Nakamura
Keycloak supports WebAuthn and FAPI by implementing their features and passing conformance tests. Hitachi contributed WebAuthn support and worked with NRI to add FAPI compliance, addressing issues like supporting newer signature algorithms and the PKCE protocol. Further contributions are welcomed to resolve remaining FAPI test issues.
Kong, Keyrock, Keycloak, i4Trust - Options to Secure FIWARE in ProductionFIWARE
This training camp teaches you how FIWARE technologies and iSHARE, brought together under the umbrella of the i4Trust initiative, can be combined to provide the means for creation of data spaces in which multiple organizations can exchange digital twin data in a trusted and efficient manner, collaborating in the development of innovative services based on data sharing and creating value out of the data they share. SMEs and Digital Innovation Hubs (DIHs) will be equipped with the necessary know-how to use the i4Trust framework for creating data spaces!
OpenID for SSI aims to specify protocols based on OpenID Connect and OAuth 2.0 to enable self-sovereign identity (SSI) applications. This initiative is conducted by the OpenID Foundation in collaboration with the Decentralized Identity Foundation. One specification builds upon the DID-SIOP and SIOPv1 standards. Using OpenID Connect allows for variety in SSI technology choices like identifiers, credentials, and cryptography while leveraging existing OpenID Connect implementations, libraries, and developer familiarity. Demonstrations show credential presentation and issuance via OIDC4SSI specifications.
What is a Verifiable Credential, and Why Does it Matter?
https://identiverse.com/idv2022/session/841421/
"A verifiable credential (VC) is an assertion with a secret weapon – called a verifiable presentation (VP). VCs and VPs are unique in that they enable users to directly hold and present claims about themselves, issued by many different authorities. This is an important addition to the domain-relative credentials that are presented today as part of federated sign-in or SSO contexts. You may ask – why is that direct presentation important? Kristina Yasuda will talk through how VCs and VPs work, what makes VCs different from common federated credentials, and what VCs could change about how we interact with data in the future."
Authentication is a sneaky problem - the most secure options don't usually have widespread adoption, especially among consumer applications. But what if we could fix that? Narrator: we can. WebAuthn is a somewhat new authentication standard that uses our everyday devices like phones and computers and turns them into phishing-resistant security keys. It almost sounds too good to be true. This talk will dig into how the technology works, when you can and should use it, and how to get started. We'll dig into why this isn't widely adopted yet and if or when we can expect it to be. You'll walk away with a better understanding of a new authentication channel and possibly some hope for a more secure future.
The document discusses selecting authenticators for FIDO2 registration. It provides an overview of the FIDO2 registration process and the steps involved. It describes using the Authenticator Attestation Identifier (AAGUID) to identify the authenticator model and obtaining additional metadata from the FIDO Metadata Service (MDS). The MDS can provide details about authenticators, including how user verification and key protection are implemented. Selecting authenticators allows relying parties to control which devices can be used for authentication.
W3C - Web Authentication API by Korea ETRI (Electronics and Telecommunication Research Institute)
- Presented at FIDO Technical Seminar on July 16th, 2018
FAPI 1 and 2 are security and interoperability profiles for OAuth that address high security requirements. FAPI 1 patched OAuth security issues and added features like CIBA mode and conformance testing. FAPI 2 aims to be simpler to use with mechanisms like PAR and broader scope through features like RAR and grant management. While some ecosystems use FAPI 1, FAPI 2 covers additional authorization needs and fits better with OpenID Connect, though incremental adoption of FAPI 2 features with FAPI 1 is possible.
OpenID for Verifiable Credentials is the next generation of OpenID that enables issuing and presenting verifiable credentials in a decentralized manner. It uses an issuer-holder-verifier model where credentials are issued to a holder (digital wallet) and then presented to a verifier (website). This allows decoupling of issuance from presentation and reuse of credentials. OpenID for Verifiable Credentials specifications provide standards for credential issuance, presentation, and authentication that build upon OAuth 2.0 and OpenID Connect to enable a variety of decentralized identity use cases.
JSON Web Tokens (JWTs) are compact, self-contained tokens used to securely transmit information between parties as JSON objects. JWTs contain a header, payload, and signature. The header typically specifies the token type and signing algorithm being used. The payload contains claims about the user such as username, ID, and expiration time. The signature ensures the token integrity. JWTs are signed using a secret or public/private key pair to authenticate and securely exchange information.
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...Torsten Lodderstedt
- The document discusses decentralized identity systems and verifiable credentials, and introduces OpenID for Verifiable Credentials as a standard for issuing and presenting verifiable credentials in a decentralized and interoperable way.
- OpenID for Verifiable Credentials uses existing protocols like OAuth 2.0 and OpenID Connect to build upon established security practices. It supports various credential formats, identifier methods, and trust models to accommodate different needs.
- Implementations of OpenID for Verifiable Credentials allow users to privately obtain and present verifiable credentials from multiple credential issuers to different verifiers through a digital wallet on their device or in the cloud. Standards and profiles continue to be developed to promote adoption and interoperability.
OpenID Connect 4 SSI aims at specifying a set of protocols based on OpenID Connect to enable SSI applications. The initiative is conducted at OpenID Foundation in liaison with the Decentralized Identity Foundation (DIF). One of the specifications is built up on DID-SIOP in DIDAuth WG in DIF and SIOP v1 in OIDC Core.
OpenID for Verifiable Credentials provides a standardized way to issue, present, and authenticate credentials in a decentralized manner using existing OpenID Connect standards. It defines protocols for verifiable presentations and credential issuance that leverage OAuth 2.0 security mechanisms and can support different credential formats. Implementations are planned or underway across several companies and government initiatives to support use cases like mobile driving licenses and vaccination records.
This document summarizes a presentation about OpenID Connect. OpenID Connect is an identity layer on top of the OAuth 2.0 protocol that allows clients to verify the identity of the user based on the authentication performed by an authorization server, as well as to obtain basic profile information about the user. It defines core functionality for modern identity frameworks by standardizing how clients and servers discover and use identity data exposed by identity providers and how clients can verify that identity data. The presenter discusses how OpenID Connect provides a simple yet powerful way to authenticate users and share attributes about them between websites and applications in an interoperable manner.
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...iMasters
Erick Tedeschi fala sobre Segurança de identidade digital levando em consideração uma arquitetura de microserviço no InterCon 2016.
Saiba mais em http://intercon2016.imasters.com.br/
Kong, Keyrock, Keycloak, i4Trust - Options to Secure FIWARE in ProductionFIWARE
This training camp teaches you how FIWARE technologies and iSHARE, brought together under the umbrella of the i4Trust initiative, can be combined to provide the means for creation of data spaces in which multiple organizations can exchange digital twin data in a trusted and efficient manner, collaborating in the development of innovative services based on data sharing and creating value out of the data they share. SMEs and Digital Innovation Hubs (DIHs) will be equipped with the necessary know-how to use the i4Trust framework for creating data spaces!
OpenID for SSI aims to specify protocols based on OpenID Connect and OAuth 2.0 to enable self-sovereign identity (SSI) applications. This initiative is conducted by the OpenID Foundation in collaboration with the Decentralized Identity Foundation. One specification builds upon the DID-SIOP and SIOPv1 standards. Using OpenID Connect allows for variety in SSI technology choices like identifiers, credentials, and cryptography while leveraging existing OpenID Connect implementations, libraries, and developer familiarity. Demonstrations show credential presentation and issuance via OIDC4SSI specifications.
What is a Verifiable Credential, and Why Does it Matter?
https://identiverse.com/idv2022/session/841421/
"A verifiable credential (VC) is an assertion with a secret weapon – called a verifiable presentation (VP). VCs and VPs are unique in that they enable users to directly hold and present claims about themselves, issued by many different authorities. This is an important addition to the domain-relative credentials that are presented today as part of federated sign-in or SSO contexts. You may ask – why is that direct presentation important? Kristina Yasuda will talk through how VCs and VPs work, what makes VCs different from common federated credentials, and what VCs could change about how we interact with data in the future."
Authentication is a sneaky problem - the most secure options don't usually have widespread adoption, especially among consumer applications. But what if we could fix that? Narrator: we can. WebAuthn is a somewhat new authentication standard that uses our everyday devices like phones and computers and turns them into phishing-resistant security keys. It almost sounds too good to be true. This talk will dig into how the technology works, when you can and should use it, and how to get started. We'll dig into why this isn't widely adopted yet and if or when we can expect it to be. You'll walk away with a better understanding of a new authentication channel and possibly some hope for a more secure future.
The document discusses selecting authenticators for FIDO2 registration. It provides an overview of the FIDO2 registration process and the steps involved. It describes using the Authenticator Attestation Identifier (AAGUID) to identify the authenticator model and obtaining additional metadata from the FIDO Metadata Service (MDS). The MDS can provide details about authenticators, including how user verification and key protection are implemented. Selecting authenticators allows relying parties to control which devices can be used for authentication.
W3C - Web Authentication API by Korea ETRI (Electronics and Telecommunication Research Institute)
- Presented at FIDO Technical Seminar on July 16th, 2018
FAPI 1 and 2 are security and interoperability profiles for OAuth that address high security requirements. FAPI 1 patched OAuth security issues and added features like CIBA mode and conformance testing. FAPI 2 aims to be simpler to use with mechanisms like PAR and broader scope through features like RAR and grant management. While some ecosystems use FAPI 1, FAPI 2 covers additional authorization needs and fits better with OpenID Connect, though incremental adoption of FAPI 2 features with FAPI 1 is possible.
OpenID for Verifiable Credentials is the next generation of OpenID that enables issuing and presenting verifiable credentials in a decentralized manner. It uses an issuer-holder-verifier model where credentials are issued to a holder (digital wallet) and then presented to a verifier (website). This allows decoupling of issuance from presentation and reuse of credentials. OpenID for Verifiable Credentials specifications provide standards for credential issuance, presentation, and authentication that build upon OAuth 2.0 and OpenID Connect to enable a variety of decentralized identity use cases.
JSON Web Tokens (JWTs) are compact, self-contained tokens used to securely transmit information between parties as JSON objects. JWTs contain a header, payload, and signature. The header typically specifies the token type and signing algorithm being used. The payload contains claims about the user such as username, ID, and expiration time. The signature ensures the token integrity. JWTs are signed using a secret or public/private key pair to authenticate and securely exchange information.
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...Torsten Lodderstedt
- The document discusses decentralized identity systems and verifiable credentials, and introduces OpenID for Verifiable Credentials as a standard for issuing and presenting verifiable credentials in a decentralized and interoperable way.
- OpenID for Verifiable Credentials uses existing protocols like OAuth 2.0 and OpenID Connect to build upon established security practices. It supports various credential formats, identifier methods, and trust models to accommodate different needs.
- Implementations of OpenID for Verifiable Credentials allow users to privately obtain and present verifiable credentials from multiple credential issuers to different verifiers through a digital wallet on their device or in the cloud. Standards and profiles continue to be developed to promote adoption and interoperability.
OpenID Connect 4 SSI aims at specifying a set of protocols based on OpenID Connect to enable SSI applications. The initiative is conducted at OpenID Foundation in liaison with the Decentralized Identity Foundation (DIF). One of the specifications is built up on DID-SIOP in DIDAuth WG in DIF and SIOP v1 in OIDC Core.
OpenID for Verifiable Credentials provides a standardized way to issue, present, and authenticate credentials in a decentralized manner using existing OpenID Connect standards. It defines protocols for verifiable presentations and credential issuance that leverage OAuth 2.0 security mechanisms and can support different credential formats. Implementations are planned or underway across several companies and government initiatives to support use cases like mobile driving licenses and vaccination records.
This document summarizes a presentation about OpenID Connect. OpenID Connect is an identity layer on top of the OAuth 2.0 protocol that allows clients to verify the identity of the user based on the authentication performed by an authorization server, as well as to obtain basic profile information about the user. It defines core functionality for modern identity frameworks by standardizing how clients and servers discover and use identity data exposed by identity providers and how clients can verify that identity data. The presenter discusses how OpenID Connect provides a simple yet powerful way to authenticate users and share attributes about them between websites and applications in an interoperable manner.
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...iMasters
Erick Tedeschi fala sobre Segurança de identidade digital levando em consideração uma arquitetura de microserviço no InterCon 2016.
Saiba mais em http://intercon2016.imasters.com.br/
This document provides an overview and examples of the NK API for developing mobile applications, websites, and OpenSocial applications. It describes REST and JS APIs for authentication, making requests, uploading photos, payments, inviting friends, adding shouts, and communicating with users. Code samples are given for common tasks like uploading photos, checking group membership, and sending messages between users. Developers can find full documentation and support for building applications on the NK platform.
Interoperability and APIs in OpenStackpiyush_harsh
This document discusses interoperability and APIs in OpenStack. It provides an overview of OpenStack and discusses how standardized APIs like CDMI and OCCI are being developed and implemented for OpenStack to improve interoperability between cloud software stacks and address concerns of customers, politicians, and regulators regarding proprietary implementations and potential for lock-in. Examples are given of how CDMI and OCCI have been implemented to provide standardized interfaces for object storage and infrastructure management in OpenStack.
OAuth is an open standard for token-based authorization that allows third-party applications to obtain limited access to a user's data without requiring them to share their passwords. It allows sites to exchange user-authorized tokens that can be revoked and have varying scopes and time limits. OAuth has gone through several versions to address vulnerabilities and inconsistencies, with OAuth 2.0 simplifying the protocol through the use of bearer tokens and authorization/resource server separation. While implementations are emerging, OAuth 2.0 continues to be refined as an IETF draft standard.
This document discusses various topics related to implementing web services using UDDI registries, including:
1) The four main types of web service implementations: simple services, composite services, middleware services, and service buses.
2) Extending UDDI registries to add additional elements like discovery URLs.
3) Using private UDDI registries within organizations for purposes like application integration and as marketplace or portal registries.
On Tuesday 18th March, the MongoDB team held on online Cloud Workshop in place of the in-person event which was planned.
Attendees learnt how to build modern, event driven applications powered by MongoDB Atlas in Google Cloud Platform (GCP) and were shown relevant operational and security best practices, to get started immediately with their own digital transformations.
This document describes a test data value store approach for handling test data needs in behavior-driven development (BDD) automated tests. It involves storing test data in a JSON file organized by feature, scenario, example case, page, and language. The data store is initialized by resolving keys to the current test from Cucumber scenario tags. Test code can then retrieve data values from the store as needed to validate page elements for each test case execution. The approach aims to provide flexibility in retrieving test-dependent data while avoiding cluttering the clean BDD syntax with data tables or excessive scenario outlines.
To view recording of this webinar please use below URL:
http://wso2.com/library/webinars/2015/09/resource-oriented-architecture/
Any given business, organization or entity is built with resources. It can be human capital, digital assets, services or products among other things. These activities often interact with each other creating a value network. A good example of this is when human resources interact with digital assets to perform a service. We as computer scientists, have been trying to simplify this interaction flow for quite some time.
The field of distributed systems and semantic web are dedicated to solving problems in this domain. RESTful services and the ecosystem around it have now simplified this interaction to a great level. Being able to interact with a resource with basic actions in a secure manner is a great achievement.
This webinar will discuss
The of history of ROA
Its current landscape
ROA and microservices
New development around the architecture pattern
The document discusses blockchain technology and its potential uses. It describes how hashing works to create a unique fingerprint for digital content. It then explains how distributed ledger technology can be used to maintain a decentralized record of transactions in a trustless environment. Specific applications discussed include using the blockchain to register documents, track supply chain processes, and implement smart contracts.
What the Heck is OAuth and OpenID Connect - RWX 2017Matt Raible
This document provides an overview of OAuth 2.0 and OpenID Connect (OIDC) for authentication and authorization. It begins with introducing the speaker, Matt Raible, and his background. It then discusses direct authentication vs federated identity and standards like SAML and OAuth. The document explains the key concepts of OAuth including actors, scopes and consent, tokens, flows, and common security issues. It outlines some enterprise use cases for OAuth and key facts about it being an authorization framework rather than protocol.
Automating Cloud Operations - Everything you wanted to know about cURL and RE...Revelation Technologies
All cloud service providers support seamless cloud automation and management through a REST API architecture allowing for single tasks or complex multi-step orchestrations to be created. REST has become the de facto standard for these cloud interfaces because of its ease of us, communication over HTTP, and wide support of nearly all programming languages and operating systems.
Where do you start? How do you decipher the API documentation? Where do you authenticate? And how do you create cloud resources programmatically?
This presentation walks through the fundamentals of REST, how its invoked through cURL, as well as a live demonstration of the automated provisioning of Oracle Cloud services through cURL/REST.
The document discusses how companies can use customer data and analytics to improve their business. It recommends using a big data platform to collect and analyze customer transaction logs and events. Basic analytics like Hive can be used to build customer profiles and identify high-value customers. More advanced techniques like complex event processing and predictive modeling can help with targeted marketing, understanding competition, optimizing operations, and predicting outcomes. The overall goal is to gain insights from data to better understand customers, markets, and how to adapt the business.
The Holy Grail of IAM: Getting to Grips with AuthorizationDavid Brossard
Tackling authorization in your apps and APIs shouldn't be hard. Learn how to decouple your app code from your authorization code, externalize to an authorization framework, leverage a policy language e.g. ALFA, and enable secure access to your APIs. In this presentation we compare and contrast different authorization approaches such as ABAC, ReBAC, Zanzibar, and more.
This slide deck gives an introduction to OAuth 2.0, starting with some concepts, explaining the flow plus a few hints. The reminder of the slides are about implementing an OAuth 2.0 server using the Apache Amber library (renamed to Apache Oltu lately). My impression is that many developers shy away as soon as they hear "security" and so I did not only want to talk about the concepts of OAuth 2.0 but also wanted to show how easily you can implement an OAuth 2.0 server ... hope it reduces the fear of contact a bit ... ;-)
The document discusses WS-Discovery, a protocol that allows devices and services to advertise themselves and discover other devices and services on a network. It describes the key message exchanges in WS-Discovery including Hello, Bye, Probe, and ProbeMatch. It also summarizes the metadata included in messages and how matching is performed. Finally, it provides examples of how WS-Discovery could be used for device discovery and integration scenarios.
This document provides an overview of cloud forensics and describes tools called ClouDIAN that were developed to access cloud storage data through APIs. ClouDIAN scripts were created for Dropbox and Google Drive to retrieve metadata rather than just files. The scripts utilize the API interfaces and SDKs provided by each service. Metadata collected includes file modification times, sizes, hashes, and sharing details. Analyzing this metadata can provide useful insights for forensic investigations.
How we eased out security journey with OAuth (Goodbye Kerberos!) | Paul Makka...HostedbyConfluent
Saxo Bank is on a growth journey and Kafka is a critical component to that success. Securing our financial event streams is a top priority for us and initially we started with an on-prem Kafka cluster secured with (the de-facto) Kerberos. However, as we modernize and scale, the demands of hybrid cloud, multiple domains, polyglot computing and Data Mesh require us to also modernize our approach to security. In this talk, we will describe how we took the default (non-production ready) Kafka OAuth implementation and productionized it to work with Kafka in Azure Cloud, including the Kafka stack and clients. By enabling both Kerberos and OAuth running on-prem and in the cloud, we now plan to gracefully retire Kerberos from our estate.
The document discusses MongoDB's transactions feature. It provides an overview of MongoDB's journey to implementing transactions from versions 3.0 to 4.0. It describes how transactions will work in MongoDB 4.0, including examples of atomic operations across multiple documents using sessions and commit_transaction. The presentation encourages joining the beta program for MongoDB transactions and concludes with announcements about the next session and lunch break.
Similar to Comprehensive overview FAPI 1 and FAPI 2 (20)
The European Union’s regulation on Digital Identity, eIDAS, is currently being overhauled to adopt decentralized identity principles. The goal is to provide all citizens and residents across the EU with highly secure and privacy preserving digital wallets that can be used to manage various digital credentials, from eIDs to diplomas to payment instruments. Decentralized identity principles aim at giving freedom of choice and control to the end-user. Ensuring security and interoperability, however, will be challenging — especially in the enormous scale in terms of users and use cases the EU is aiming at. The choices made in eIDAS will have a huge impact on digital identity in the EU and beyond.
The so-called “Architecture and Reference Framework” (ARF) defines the technical underpinnings of eIDAS v2. Many experts from the member states and the Commission have been working on this framework over the last year, trying to select the best combination of technologies and standards out of the enormous number available in the market today. This talk will introduce the ARF and explain what architectural patterns and technical standards are adopted and how the challenges mentioned above are addressed in order to leverage on the vision of the eIDAS v2 regulation.
GAIN is a shared vision for an interoperable global identity network to bridge existing "islands of trust". It emerged from a need to address issues like financial crime, misinformation, and privacy concerns resulting from increased anonymity and lack of control online. GAIN is guided by 5 non-profits and aims to be global in scale, technology agnostic, and built upon open standards. Its Proof of Concept community group is currently connecting identity providers and relying parties from different jurisdictions to test GAIN's technical hypotheses, such as supporting diverse identity architectures and cross-border participation, through 2022.
OpenID Connect 4 SSI is an initiative conducted at OpenID Foundation in liaison with the Decentralized Identity Foundation. It aims at specifying a set of protocols based on OpenID Connect to enable SSI applications.
This presentation gives an overview on the work that is going on at OpenID Foundation in Liaison with Decentralized Identity Foundation to enable SSI applications based on OpenID Connect.
This document proposes extensions to OpenID Connect to enable identity assurance and verification of identity claims. It discusses representing verification details explicitly, distinguishing verified from non-verified claims, and supporting verification across different contexts. Key concepts include attaching metadata about the verification process, trust framework, and evidence to verified claims. Requests can specify desired claims and verification attributes for privacy. The proposal aims to clarify representation of verified identity data and support use across channels while preserving privacy.
This document discusses proposals for supporting the request and presentation of verifiable credentials in OpenID Connect. It presents three options for delivering verifiable credentials/presentations: 1) embedding the entire credential/presentation in a JWT claim in the ID token, 2) using aggregated or distributed claims to include the credential/presentation, or 3) using a separate "VP token" artifact containing the credential/presentation along with an ID token. The document analyzes the pros and cons of each approach and seeks feedback on the best option to pursue as well as next steps like discussing with the Connect working group and incorporating encryption.
The talk gives an introduction to the NextGenPSD2 OAuth SCA mode and explains security considerations implementors should take into account when implementing it. This advice will go beyond the text of the NextGenPSD2 Spec and will be based on the latest OAuth Security Guidelines (https://tools.ietf.org/html/draft-ietf-oauth-security-topics) and work being conducted at OpenID Foundations FAPI working group.
OpenID Connect for Identity Assurance allows IDPs explicit attestation of verification status of
Claims (what, how, when, according to what rules, using what evidence). It's intended to be used for use cases requiring strong identity assurance, such as Anti-money Laundering, eGovernment & eSigning.
The document discusses security recommendations for OAuth SCA mode authentication in PSD2 open banking. It recommends adhering to OAuth 2.0 security best practices and using mutual TLS client authentication and certificate bound access tokens to protect against replay and authentication attacks. It also recommends measures like CSRF tokens, nonce values, and checking redirect URIs to prevent attacks like cross-site request forgery, code injection, mix-up attacks, and session fixation. Detailed checks and validations are described to secure the authorization request, response, token request and API requests in the OAuth flow.
Identiverse: PSD2, Open Banking, and Technical InteroperabilityTorsten Lodderstedt
The Payment Service Directive 2 (PSD2) is a huge leap forward for Open Banking as it obliges every financial institution operating in the European Union to provide APIs for Access to Account Information and Payment Initiation. The need for more then six thousand financial institutions to provide APIs caused a tremendous push forward for financial API design and accompanying authorization and authentication technologies. Based on the experiences gathered while supporting some of the PSD2 API initiatives in the context of OpenID Foundation’s FAPI working group, this talk will give an introduction to PSD2 and related technical standards, dig into some remarkable aspects of authorization for financial APIs and points out the potential impact on the future of OAuth.
The OAuth working group recently decided to discourage use of the implicit grant. But that’s just the most prominent recommendation the working group is about to publish in the upcoming OAuth 2.0 Security Best Current Best Practice (https://tools.ietf.org/html/draft-ietf-oauth-security-topics), which will elevate OAuth security to the next level. The code flow shall be used with PKCE only and tokens should be sender constraint to just mention a few. Development of this enhanced recommendations was driven by several factors, including experiences gathered in the field, security research results, the increased dynamics and sensitivity of the use cases OAuth is used protect and technological changes. This session will present the new security recommendations in detail along with the underlying rationales.
The document discusses identity proofing using OpenID Connect. It provides examples of use cases that require identity verification like opening a bank account or accessing health data. It proposes representing verified identity claims in a composite JSON Web Token claim that includes metadata about the verification process and the verified claims. An example token is given that verifies a user's name, date of birth, place of birth and nationality according to a specified assurance level by referencing an existing bank verification. The document also describes how to request specific verified claims from the identity provider.
Gen Z and the marketplaces - let's translate their needsLaura Szabó
The product workshop focused on exploring the requirements of Generation Z in relation to marketplace dynamics. We delved into their specific needs, examined the specifics in their shopping preferences, and analyzed their preferred methods for accessing information and making purchases within a marketplace. Through the study of real-life cases , we tried to gain valuable insights into enhancing the marketplace experience for Generation Z.
The workshop was held on the DMA Conference in Vienna June 2024.
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptxBrad Spiegel Macon GA
Brad Spiegel Macon GA’s journey exemplifies the profound impact that one individual can have on their community. Through his unwavering dedication to digital inclusion, he’s not only bridging the gap in Macon but also setting an example for others to follow.
Ready to Unlock the Power of Blockchain!Toptal Tech
Imagine a world where data flows freely, yet remains secure. A world where trust is built into the fabric of every transaction. This is the promise of blockchain, a revolutionary technology poised to reshape our digital landscape.
Toptal Tech is at the forefront of this innovation, connecting you with the brightest minds in blockchain development. Together, we can unlock the potential of this transformative technology, building a future of transparency, security, and endless possibilities.
Instagram has become one of the most popular social media platforms, allowing people to share photos, videos, and stories with their followers. Sometimes, though, you might want to view someone's story without them knowing.
Understanding User Behavior with Google Analytics.pdfSEO Article Boost
Unlocking the full potential of Google Analytics is crucial for understanding and optimizing your website’s performance. This guide dives deep into the essential aspects of Google Analytics, from analyzing traffic sources to understanding user demographics and tracking user engagement.
Traffic Sources Analysis:
Discover where your website traffic originates. By examining the Acquisition section, you can identify whether visitors come from organic search, paid campaigns, direct visits, social media, or referral links. This knowledge helps in refining marketing strategies and optimizing resource allocation.
User Demographics Insights:
Gain a comprehensive view of your audience by exploring demographic data in the Audience section. Understand age, gender, and interests to tailor your marketing strategies effectively. Leverage this information to create personalized content and improve user engagement and conversion rates.
Tracking User Engagement:
Learn how to measure user interaction with your site through key metrics like bounce rate, average session duration, and pages per session. Enhance user experience by analyzing engagement metrics and implementing strategies to keep visitors engaged.
Conversion Rate Optimization:
Understand the importance of conversion rates and how to track them using Google Analytics. Set up Goals, analyze conversion funnels, segment your audience, and employ A/B testing to optimize your website for higher conversions. Utilize ecommerce tracking and multi-channel funnels for a detailed view of your sales performance and marketing channel contributions.
Custom Reports and Dashboards:
Create custom reports and dashboards to visualize and interpret data relevant to your business goals. Use advanced filters, segments, and visualization options to gain deeper insights. Incorporate custom dimensions and metrics for tailored data analysis. Integrate external data sources to enrich your analytics and make well-informed decisions.
This guide is designed to help you harness the power of Google Analytics for making data-driven decisions that enhance website performance and achieve your digital marketing objectives. Whether you are looking to improve SEO, refine your social media strategy, or boost conversion rates, understanding and utilizing Google Analytics is essential for your success.
Discover the benefits of outsourcing SEO to Indiadavidjhones387
"Discover the benefits of outsourcing SEO to India! From cost-effective services and expert professionals to round-the-clock work advantages, learn how your business can achieve digital success with Indian SEO solutions.
2. What is FAPI?
● A security and interoperability profile for OAuth for open banking and other
use cases with high security requirements
● Includes new specifications as required
3. FAPI Family Tree
Baseline
Advanced
FAPI
1
2016-06 2017-07 2018-10
I
D
1
I
D
2
2019-08 2021-07*
Baseline
Advanced
2021-02
I
D
1
* Projection Only
F
I
N
A
L
uses existing OpenID Connect security
mechanisms to patch OAuth security
issues
Adopted by UK OpenBanking, FDX
(US/CA), CDR (Australia), and Brasil
FAPI
2
Open Banking
Survey
OAuth Security Best Current Practice (BCP)
the next evolutionary step, simpler to use
and with a broader scope
Adopted in yes open banking scheme
(~1000 banks)
5. FAPI 1 vs Plain OAuth
● Patches OAuth security issues, e.g. code replay, authorization request
tampering, and mix-up
● Formal security analysis by University Stuttgart
● Adds CIBA (Decoupled) interaction mode (beside Redirect)
● Defines interoperable OAuth profile that can be tested for conformance
● Introduces conformance testing
6. Signed Requests
{
"scope":"openid consent:urn-amazingbank-0be7a3bb-33e6-4d73-b60a-9523aee6cc0d accounts",
"response_type":"code id_token",
"redirect_uri":"https://tpp.localhost/cb",
"code_challenge":"0q5idWeuyFAGeHHpawD3k4mjE7WzPhw6hOdKbnAQY7s",
"code_challenge_method":"S256",
"state":"19a1456013b8be71e6ce89916c9723e0642e1eb42a9360146cc84178f2bc928e",
"nonce":"8dedaf2c53f7ba7294825ca25e45aa544c3feda8fd4ac16220c216e973ad5fd7",
"claims":{
"id_token":{
"auth_time":{
"essential":true
},
"cpf":{
"values":[
"16386335767"
],
"essential":true
},
"given_name":{
"essential":true
},
"acr":{
"values":[
"brasil:openbanking:standard"
],
"essential":true
}
}
},
"max_age":300,
"iss":"clientIdFromAmazingBank",
"aud":"https://auth.amazingbank.com.br",
"client_id":"clientIdFromAmazingBank",
"jti":"_fj7iamgC1wDzh8KXaJ7XzJiEK_s25DhoDs7uAxpU-k",
"iat":1618672338,
"exp":1618672638,
"nbf":1618672338
}
● Protect integrity and
authenticity of request
● Request can also be
encrypted to protect
confidentiality
https://server.example.com/authorize?
response_type=code%20id_token
&client_id=s6BhdRkqt3
&redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb&
&request=eyJhbGciOiJSU...zCYIb_NMXvtTIVc1jpspnTSD7xMbpL-2QgwUsAlMGzw
7. ID Token as Detached Signature
HTTP/1.1 302 Found
Location: https://tpp.localhost/cb#
code=SplxlOBeZQQYbYS6WxSbIA
&id_token=eyJ0 ... NiJ9.eyJ1c ... I6IjIifX0.DeWt4Qu ... ZXso
&state=af0ifjsldkj
{
"iss": "http://server.example.com",
"sub": "248289761001",
"aud": "s6BhdRkqt3",
"nonce": "n-0S6_WzA2Mj",
"exp": 1311281970,
"iat": 1311280970,
"c_hash": "LDktKdoQak3Pk0cnXxCltA"
"s_hash": "Zjk2Y2VhMTk4YWQxZGQ1Nj"
}
● Protects against
○ code replay
(nonce+c_hash)
○ mix-up (iss)
○ CSRF
● Requires “sub” (even if no
federated id is required)
● End-User claims might be
released in front channel
(additional encryption might
be required)
8. JARM (JWT Secured Authorization Response Mode)
● Response parameters
are wrapped in a signed
(optionally encrypted)
JWT
● No user claims required
● works with plain OAuth {
"iss":"https://accounts.example.com",
"aud":"s6BhdRkqt3",
"exp":1311281970,
"code":"PyyFaux2o7Q0YfXBU32jhw.5FXSQpvr8akv9CeRDSd0QA",
"state":"S8NJ7uqk5fY4EjNvP_G_FtyJu6pUsvH9jsYni9dMAJw"
}
HTTP/1.1 302 Found
Location: https://client.example.com/cb?
response=eyJraWQiOiJsYWViIiwiYWxnIjoiRVMyNTYifQ.eyAgImlzcyI6ICJodHRwczov
L2FjY291bnRzLmV4YW1wbGUuY29tIiwgICJhdWQiOiAiczZCaGRSa3F0MyIsICAiZXhwIjog
MTMxMTI4MTk3MCwgICJjb2RlIjogIlB5eUZhdXgybzdRMFlmWEJVMzJqaHcuNUZYU1FwdnI4
YWt2OUNlUkRTZDBRQSIsICAic3RhdGUiOiAiUzhOSjd1cWs1Zlk0RWpOdlBfR19GdHlKdTZw
VXN2SDlqc1luaTlkTUFKdyJ9.4VdtknVZ9zFYDVLagJpVBD436bjPMcSgOaPDPFgTEkNyCs2
uIHYJ2XML6d2w1AUsm5GBG77DBisZNhLWfug6dA
9. CIBA: Client Initiated Back
Channel Authentication
● Use when User
interacts with the RP
and OP (Bank) on
different physical
devices.
● Examples payment
Kiosk, Alexa,
Connected Cars.
Bank
2. Please Authenticate
and Authorise + id_token
5. Authorisation Complete
6. AT/RT/ID Token
7. Refresh
TPP
1. Give Consent
+ mcdonalds_id +
Bank Name
4. Authorise
3. Do you
want to
authorise?
10. Open Banking Survey ...
… revealed that Open Banking Use Cases require:
(1) authorization beyond scope values
and
(2) grant management capabilities
Examples:
- Lodging Intent (UK OB & NextGenPSD2)
- Scope value + JSON object (Polish API)
{
"instructedAmount":{
"currency":"EUR",
"amount":"123.50"
},
"debtorAccount":{
"iban":"DE40100100103307118608"
},
"creditorName":"Merchant123",
"creditorAccount":{
"iban":"DE02100100109307118603"
},
"remittanceInformationUnstructured":"Ref Number Merchant"
}
see https://cutt.ly/oauth-transaction-authorization for details
12. FAPI 2 as next step
● Broader interoperability
○ through coverage of rich authorization / consent management and secure access to APIs
● Simpler to use
○ through new mechanisms (e.g. Pushed Authorization Requests/PAR, no ID Token as
detached signature required)
● Well-understood and better-defined security
○ Formal attacker model
○ FAPI 2 Baseline fully protects against attacker model
○ FAPI 2 Baseline has same protection level as FAPI 1 Advanced
● More versatile
○ through alternative mechanism for token replay protection (DPoP)
13. Pushed Authorization Requests (PAR)
Authorization request data is pushed to the
AS before user dialog is startet
→ Can replace signed authorization
requests
→ Simplified development through vendor
support and reliance on TLS (signed
requests possible)
→ Minimize data in front-channel to improve
security and increase robustness
POST /as/par HTTP/1.1
Host: as.example.com
Content-Type: application/x-www-form-urlencoded
Authorization: Basic czZCaGRSa3F0Mzo3Rmp..
response_type=code
&client_id=s6BhdRkqt3&state=af0ifjsldkj
&redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb
<voluminous payload goes here>
HTTP/1.1 201 Created
Cache-Control: no-cache, no-store
Content-Type: application/json
{
"request_uri":"urn:example:bwc4JK-ESC0w8acc1...",
"expires_in": 90
}
https://server.example.com/authorize?
client_id=s6BhdRkqt3&
request_uri=urn:example:bwc4JK-ESC0w8acc1...
14. Rich Authorization Requests (RAR)
enable fine-grained and complex consents
captured as JSON objects.
● Structure of authorization details can
be defined as needed (e.g. per
jurisdiction and AAP)
● Supports Multi-Consents
→ Can replace scopes + related
authorization data (e.g. in lodging intents)
[
{
"type":"payment_initiation",
"instructedAmount":{
"currency":"AUD",
"amount":"123.50"
},
"creditorName":"Merchant123",
"creditorAccount":{
"bsb":"123-456",
"accountNumber":"1234567890"
},
"paymentDescription":"INV123456 Description123"
}
]
[
{
"type":"brasil:openbanking:standard:data",
"permissions":[
"ACCOUNTS_READ"
],
"expirationDateTime":"2021-05-21T08:30:00Z",
"transactionFromDateTime":"2021-01-01T00:00:00Z",
"transactionToDateTime":"2021-02-01T23:59:59Z"
}
]
15. Grant Management
Grant Management enables support for
● consent state synchronization
● consent revocation
● concurrent consents
● consent update & renewal
● Dashboards
17. Grant Management (API)
GET /grants/0a15a804-b5b4-4a45-9cd9-18b1a44f3383
Host: as.example-bank.com
Authorization: Bearer 2YotnFZFEjr1zCsicMWpAA
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Content-Type: application/json
{
"authorization_details":[...]
}
DELETE /grants/0a15a804-b5b4-4a45-9cd9-18b1a44f3383
Host: as.example-bank.com
Authorization: Bearer 2YotnFZFEjr1zCsicMWpAA
HTTP/1.1 204 No Content
Query Revoke
18. Grant Management (request use of certain grant)
POST /as/par HTTP/1.1
Host: as.example.com
Content-Type: application/x-www-form-urlencoded
Authorization: Basic czZCaGRSa3F0Mzo3Rm...
response_type=code&
client_id=s6BhdRkqt3
&grant_management_action=update
&grant_id=0a15a804-b5b4-4a45-9cd9-18b1a44f3383
&state=af0ifjsldkj
&redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb
&code_challenge_method=S256
&code_challenge=K2-ltc83acc4h...
&authorization_details=%5B%7B%2...
(Pushed) Authorization Request)
Use cases
● Renew grant (because it is about
to be expire)
● Update existing grant
● Ensure authorization process is
performed with same user
● Allows identification of user
(alternative login hint for CIBA)
19. PKCE
POST /as/par HTTP/1.1
Host: as.example.com
Content-Type: application/x-www-form-urlencoded
Authorization: Basic czZCaGRSa3F0Mzo3Rmp..
response_type=code
&client_id=s6BhdRkqt3&state=af0ifjsldkj
&redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb
&code_challenge_method=S256
&code_challenge=E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM
...
POST /as/par HTTP/1.1
Host: as.example.com
Content-Type: application/x-www-form-urlencoded
Authorization: Basic czZCaGRSa3F0Mzo3Rmp..
grant_type=authorization_code
&code=SplxlOBeZQQYbYS6WxSbIA
&redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb
&code_verifier=dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk
PKCE (RFC 7636) is used to detect
code replay and CSRF
Dynamically generated
cryptographically random key used
to bind transaction to browser/device
→ simple and robust
→ security check moved to AS
→ Can replace ID token as detached
signature
20. Feature Comparison
Topic FAPI 1 FAPI 2
Request Integrity Signed Request Objects PAR
CSRF state + s_hash in ID Token PKCE
Code Replay ID Token as detached signature or JARM
or PKCE
PKCE
Mix-Up iss claim in ID token or JARM iss response parameter
Access Token Replay mTLS mTLS or DPoP
Rich authorizations data custom solutions, e.g. Lodging Intent PAR+RAR
Consent management custom solutions, e.g. Lodging Intent Grant Management
Non-repudiation Signed Request Objects, ID Token as
detached signature
API not covered
JAR, JARM, Signed Introspection
Response, Simple HTTP Message
Integrity Protocol
B
a
s
e
l
i
n
e
A
d
v
22. MTLS
FAPI Family Tree
Baseline
Advanced
ver.1
2016-06 2017-07 2018-10
I
D
1
I
D
2
JARM
I
D
1
FAPI-CIBA
2019-08 2021-07*
“Public” Client Prof.
I
D
1
Baseline=JAR+PAR+RAR
Advanced
PAR
RFC8705
2021-02
F
I
N
A
L
I
D
1
* Projection Only
ver.2
F
I
N
A
L
RAR L
C
24. FAPI adoption in new ecosystems
● Reasons to use FAPI 1
○ If vendors in an ecosystem already support FAPI 1
○ FAPI 1 is a mature and widely supported security profile.
● Reasons to use FAPI 2
○ FAPI 2 is easier to implement
○ FAPI 2 covers complex authorization requests and grant lifecycle management aspects
○ FAPI 2 (as profile for API access authorization) better fits with OpenID Connect (for identity
claims provisioning) then FAPI 1
25. Ecosystems already using FAPI 1
● Benefit for adoption:
○ Simpler protocol and improved interoperability
○ Specification aligned with the latest OAuth best practices and security advice
● Incremental adoption of FAPI 2 modules possible:
○ Example: Australia adopted PAR with FAPI 1
○ RAR + Grant Management as full lifecycle consent management solution for FAPI 1
● Running both profile in parallel is possible
○ Would allow new clients to utilize the simpler protocol (and existing clients to migrate)
Editor's Notes
OAUth is framework not protocol! Does not lead to interoperability! No mandatory to implement
Initially, we started with two rather simple security profile: RO and RW.
We thought it would be reasonably simple to specify the protocol but it was not.
There were whole bunch of necessary but non-existing components in OAuth 2.0 World.
Thus, we have started to create necessary components on the way. I.e., MTLS, JARM, FAPI-CIBA, in order to support increasingly more secure and risk sensitive use cases and to support alternative methods of obtaining authorisation including decoupled flows.
Just like we as an industry have created JWT, JWS, etc. on the way to create OpenID Connect. But we are getting there. Ver. 1 has just been finalised mode. There will not be normative changes to the used portion.
At the same time, we are starting to create Ver.2
No signed requests
No lodging intent
Initially, we started with two rather simple security profile: RO and RW.
We thought it would be reasonably simple to specify the protocol but it was not.
There were whole bunch of necessary but non-existing components in OAuth 2.0 World.
Thus, we have started to create necessary components on the way. I.e., MTLS, JARM, FAPI-CIBA, in order to support increasingly more secure and risk sensitive use cases and to support alternative methods of obtaining authorisation including decoupled flows.
Just like we as an industry have created JWT, JWS, etc. on the way to create OpenID Connect. But we are getting there. Ver. 1 has just been finalised mode. There will not be normative changes to the used portion.
At the same time, we are starting to create Ver.2