OpenID in the Digital ID Landscape: A Perspective From the Past to the FutureNat Sakimura
Digital identity has been under a constant evolution for the last 30 years. It started from a simple access control via user account within a system to a shared credential among the systems, then to the federated identity and bring-your-own-identity (BYOI). Modern usages are not only for access control but include such purposes like digital on-boarding (account opening), employee and customer relationship management. Among the many technologies out there, OpenID seems to have gained popularity in the market that you are probably using it without knowing it. This session explains the positioning of OpenID in the digital ID landscape and explores the future potential for both corporations and individuals.
OpenID in the Digital ID Landscape: A Perspective From the Past to the FutureNat Sakimura
Digital identity has been under a constant evolution for the last 30 years. It started from a simple access control via user account within a system to a shared credential among the systems, then to the federated identity and bring-your-own-identity (BYOI). Modern usages are not only for access control but include such purposes like digital on-boarding (account opening), employee and customer relationship management. Among the many technologies out there, OpenID seems to have gained popularity in the market that you are probably using it without knowing it. This session explains the positioning of OpenID in the digital ID landscape and explores the future potential for both corporations and individuals.
Introduction to the FAPI Read & Write OAuth Profile - Jan 2018 UpdatesNat Sakimura
APIDays Paris 2018 presentaion by Nat Sakimura.
Talking about Part 1, 2, and new Part 3 with examples.
My twitter: @_nat_en
Follow me on Youtube: https://www.youtube.com/NatSakimura
Blog: https://nat.sakimura.org/
Introduction to the FAPI Read & Write OAuth ProfileNat Sakimura
It the presentation used in APIDays Berlin (2017-11-08) to explain the Financial API Read & Write Security profile's rationale and how it fulfilled the requirements.
Future Proofing the OAuth 2.0 Authorization Code Grant Protocol by the applic...Nat Sakimura
OAuth 2.0 Authorization Framework, while achieved an extremely large adoption, has been exposed to various attacks and a num- ber of additional specifications to patch the problem has been created. It is expected that other attacks would come in the future requiring yet another patch specification. To avoid such future problems, a more systematic approach is needed.
This paper attempts to do it by applying BCM principles on OAuth (RFC6749). It demonstrates that additional parameters in all four messages are needed as well as the integrity protection of both authorization request and response.
API Days 2016 Day 1: OpenID Financial API WGNat Sakimura
The presentation introduces the Financial API Working Group at the OpenID Foundation. The presentation was made at the API Days 2016 on December 13, 2016 in Paris.
1. In the era of mobile, OAuth 2.0 is the protocol of the choice. 2. However, RFC6749 is a framework and needs to be profiled appropriately for use cases.
3. FAPI WG @ OIDF is taking such task for Financial APIs and securing it using RFC7636, JWT Client Authentication/TLS Client Authentication, OpenID Connect, etc.
4. FAPI WG is collaborating with many stakeholders including financial institutions and fintech companies, etc.
5. Read only security profile going to OIDF votes.
6. Overview of the requirements for Read Only and Write Access security profiles are discussed.
As part of exercise to test the extensibility of OpenID Connect to other protocols than HTTP, we have created a custom scheme binding. This is still a rough sketch but should give you some ideas on what it is. It may seem to be a bit of stretch, but has a niche characteristics that it does not "leak" information to external OPs.
There will be a companion RP side as well, which would be a more normal case.
80. おすすめ Reading List Identity and Privacy Strategies In-Depth Research Overview http://www.burtongroup.com/Download/Privacy1933.pdf Burton Group の Bob Blackley, Ian Glazer によるIdentityとPrivacyに関するペーパー。 無情社会と番号制度〜ビクトル・ユーゴー「ああ無情」に見る名寄せの危険性 http://www.sakimura.org/2010/12/686/ Identifier and Privacy http://nat.sakimura.org/2010/12/09/identifier-and-privacy/ 異なるコンテキスト、異なる時点の間での名寄せによるプライバシー侵害の危険について The Laws of Identity http://www.identityblog.com/stories/2005/05/13/TheLawsOfIdentity.pdf Privacy by Design http://www.privacybydesign.ca/ 国民ID制度とトラスト・フレームワーク 第三回堀部政男情報法研究会資料