SlideShare a Scribd company logo

Implementing WebAuthn & FAPI supports on Keycloak

Y
Yuichi Nakamura

Keycloak supports WebAuthn and FAPI by implementing their features and passing conformance tests. Hitachi contributed WebAuthn support and worked with NRI to add FAPI compliance, addressing issues like supporting newer signature algorithms and the PKCE protocol. Further contributions are welcomed to resolve remaining FAPI test issues.

1 of 22
Download to read offline
© Hitachi, Ltd. 2019. All rights reserved. Implementing Web Authentication API (WebAuthn) & Financial-Grade API (FAPI) supports on keycloak KeyConf 2019 @ STFC Hartree Centre, United Kingdom Hitachi, Ltd. OSS Solution Center 12 June 2019 Takashi Norimatsu
1© Hitachi, Ltd. 2019. All rights reserved. Self Introduction Engaging in : ◼ providing support services about OSS ◼ implementing and contributing promising features to OSS The current works :  contributing WebAuthn support to keycloak  making keycloak pass FAPI’s conformance tests to get FAPI Certificate Takashi Norimatsu (@tnorimat in github) : OSS Solution Center, Hitachi, Ltd. @ Yokohama, Japan * Yokohama : the 2nd largest city in Japan by population, about 35km south west from Tokyo
© Hitachi, Ltd. 2019. All rights reserved. 1. Overview 2. Web Authentication API (WebAuthn) Support 3. Financial-Grade API (FAPI) Support Contents 2
3© Hitachi, Ltd. 2019. All rights reserved. 1. Overview
4© Hitachi, Ltd. 2019. All rights reserved. 1-1 Overview: WebAuthn [ What’s WebAuthn ? ] Web standard as W3C Recommendation for achieving secure authentication (2FA, passwordless) resolving problems arising in password authentication. [ Motivation : Why we try to support WebAuthn for keycloak ? ] WebAuthn is promising technology. Therefore, it will be nothing special for IAM products to support it in the future.
5© Hitachi, Ltd. 2019. All rights reserved. 1-2 Overview: FAPI [ What’s FAPI ? ] OAuth 2.0’s security profile of APIs intended for financial institutes [ Motivation : Why we try to support FAPI for keycloak ? ] We would like to apply keycloak in financial sector requiring high security level for APIs. (*) Based on survey of Japanese Bankers Association as of Dec 2017 Quoted from Report about open API by the Japanese Bankers Association https://www.zenginkyo.or.jp/fileadmin/res/news/news290713_3.pdf In Japan… ◆ The revised banking act was published in Jun 2017 to promote API. Similar to PSD2 in EU. ◆ 83% of banks (114 banks) answered they will open API by Jun 2020(*). ◆ OAuth 2.0 is recognized as a key technology to secure API. FAPI is also being required. In UK… ◆ UK OpenBanking security profile is based on FAPI. (https://bitbucket.org/openid/obuk/src/master/uk-openbanking-security-profile.md)
6© Hitachi, Ltd. 2019. All rights reserved. 2. Web Authentication API (WebAuthn) Support
7© Hitachi, Ltd. 2019. All rights reserved. 2-1 WebAuthn: Contribution Plan Hitachi, Ltd. and WebAuthn4j community(https://github.com/webauthn4j/) are working for it. Now still in “Develop” phase, working in https://github.com/webauthn4j/keycloak-webauthn- authenticator . We are happy if you could contribute to it. Develop ✓ Build a prototype for feasibility study ◼ Write and submit design documents to community to be reviewed and approved  Implement WebAuthn RP’s features to keycloak based on the approved design Merged  Issue pull requests to keycloak to be reviewed and approved  Make them merged onto keycloak Certified  Pass conformance Self-Validation Testing against keycloak  Get certificate confirming that keycloak complies with FIDO2 2.0 Specification for Servers (*) (*) managed and presented by FIDO Alliance
8© Hitachi, Ltd. 2019. All rights reserved. 2-3 WebAuthn: Current Status - Prototype You can actually try this prototype from https://github.com/webauthn4j/keycloak- webauthn-authenticator . You can experience the following 2 scenario using this prototype: ◼ 2 Factor Authentication (2FA) Scenario OS : Windows 10, macOS Mojave (ver 10.14.4) Browser : Google Chrome (ver 75), Mozilla Firefox (ver 66) Authenticator : Yubico Security Key, Touch ID (macOS) ◼ Authentication with Resident Key (passwordless) Scenario OS : Windows 10 Browser : Microsoft Edge (ver 44) Authenticator : Internal Fingerprint Authentication Device
9© Hitachi, Ltd. 2019. All rights reserved. 2-3 WebAuthn: Current Status - Design [ Objective ] 2FA scenario at first, passwordless scenario next. Major topics to be considered (picked up three here):  Verifying Attestation Statement and Authentication Assertion • On registration, an attestation certificate should be verified Need to manage trust anchor certificate sources (e.g. FIDO Metadata Service) • On registration and authentication, keycloak need to verify information returned from Web Authentication API (e.g. navigator.credentials.create(), .get()) Need to choose an appropriate library to treat them We adopted “webauthn4j” (https://github.com/webauthn4j/webauthn4j) as a core library where all mandatory test cases and optional Android Key attestation test cases of FIDO2 Test Tools provided by FIDO Alliance has been passed. We not only use “webauthn4j” but contribute to it.
10© Hitachi, Ltd. 2019. All rights reserved. 2-3 WebAuthn: Current Status - Design (cont.)  Public Key Credentials Management • Users might have multiple authenticators. (e.g. security key, fingerprint) Need to retain multiple public key credentials per user. • On authentication, the user can select which public key credentials are used. Need to retain Information the user can use to identify their credentials. • Administrator wants to restrict authenticators the user can use. Need to obtain authenticator’s metadata. (e.g. AAGUID)  Automated Functional Test (E2E Test) • Automate tests of registration and authentication flows including or emulating real entities (e.g. authenticator, browser) … our design document considering these topics can be found in https://github.com/keycloak/keycloak-community/pull/11
11© Hitachi, Ltd. 2019. All rights reserved. 3. Financial-Grade API (FAPI) Support
12© Hitachi, Ltd. 2019. All rights reserved. 3-1 FAPI: Contribution Plan (*) managed and presented by OpenID Foundation Develop ✓ Clarify FAPI’s requirements keycloak does not satisfy ✓ Implement features satisfying such FAPI’s requirements to keycloak Merged ✓ Issue pull requests to keycloak to be reviewed and approved ✓ Make them merged onto keycloak Certified ◼ Pass all of FAPI conformance tests against keycloak  Get certificate confirming that keycloak complies with Financial- grade API (FAPI) OpenID Providers (*) Hitachi, Ltd. has been working for it, and Nomura Research Institute, Ltd. joined it from “Certified” step. We are now already in “Certified” step, working in https://github.com/jsoss-sig/keycloak-fapi. We are happy if you could contribute to it.
13© Hitachi, Ltd. 2019. All rights reserved. 3-2 FAPI: Created and Merged Pull Requests Content Slide # JIRA Ticket Description Pull Request Included Version 1 KEYCLOAK-2604 Support RFC 7636 Proof Key for Code Exchange (PKCE) 3831 3.1.0 2 KEYCLOAK-5661 Return the list of allowed scopes with the issued access token 4527 3.4.0 3 KEYCLOAK-5811 Support client authentication in client_secret_jwt 4835 4.0.0 4 KEYCLOAK-6700 Support s_hash 5022 4.0.0 5 KEYCLOAK-6771 Support Holder of Key mechanism for tokens 5083 4.0.0 6 KEYCLOAK-6768 Support signed and encrypted ID token 5779 Now reviewed by maintainers 7 KEYCLOAK-6770 Support signature algorithm ES256/384/512 for tokens 5533 4.5.0 8 KEYCLOAK-7451 Support server metadata for PKCE 5228 4.0.0 9 KEYCLOAK-7959 Support Holder of Key mechanism for tokens in reverse proxy deployed environment 5418 4.2.0 10 KEYCLOAK-8460 Support signature algorithm ES256/384/512 for request object 5603 4.7.0 11 KEYCLOAK-9756 Support signature algorithm PS256/384/512 for tokens and request object 5974 6.0.0
14© Hitachi, Ltd. 2019. All rights reserved. 3-3 Featured FAPI function : Proof Key for Code Exchange (PKCE) Safeguard against Fraudulent Token Acquisition If an attacker steals a victim’s authorization code… ⚫ Without PKCE Client gets Access Token in return to Authorization Code The attacker can get the victim’s access token in return to the victim’s authorization code. ⚫ With PKCE Client gets Access Token in return to Authorization Code + Code Verifier The attacker can NOT get the victim’s access token in return to the victim’s authorization code alone. We has already contributed supporting PKCE (Included in Keycloak 3.1.0)
15© Hitachi, Ltd. 2019. All rights reserved. 3-4 Featured FAPI function : Holder-of-Key Mechanism Safeguard against Fraudulent Token Exercise If an attacker steals an access token that enable to access victim’s resource … ⚫ Bearer Token Any party possessing a token can exercise this token (e.g., train ticket) The attacker can access a victim’s resource by the access token. ⚫ Holder-of-Key Token Only certain party can exercise a token (e.g. passport) The attacker can NOT access a victim’s resource by the access token. We have contributed supporting Holder-of-Key Token “OAuth2 Certificate Bound Access Tokens” (Included in Keycloak 4.0.0)
16© Hitachi, Ltd. 2019. All rights reserved. 3-5 Featured FAPI function : Secure Signature Algorithm ⚫ Refactor sign/verify mechanism keycloak before 4.5.0 supported only RS256 and it was hardcoded. We’ve made some part of contribution to refactor sign/verify mechanism with community and now signature algorithm is pluggable (Signature SPI). ⚫ Signature algorithms other than RS256 keycloak before 4.5.0 supported only RS256 for signature. Crypto specialists say RS256 is not strong enough. Either PS256 or ES256 is required in FAPI. We’ve made some part of contribution to support secure signature algorithms : 4.5.0(Tokens) / 4.7.0(Request Object) ES256, ES384, ES512, HS256, HS384,HS512 are supported. 6.0.0(Tokens, Request Object) PS256, PS384, PS512 are supported.
17© Hitachi, Ltd. 2019. All rights reserved. 3-5 FAPI Conformance Tests : Issues to be resolved # Item Description 1 OAuth2 Client Authentication in [MTLS] : support Server Metadata and Client Registration keycloak(6.0.0) has already implemented OAuth2 Client Authentication in the way defined in Section 2 of [MTLS]. However, it has not yet supported its Server Metadata advertisement and Client Registration. 2 OAuth2 Client Authentication in private_key_jwt : support ES256 or PS256 keycloak(6.0.0) has already supported private_key_jwt, but only supported RS256 in private_key_jwt. 3 Advertise "acr" claim in "claims_supported" Server Metadata keycloak(6.0.0) has already support "acr" claim in ID token, but not advertise "acr" in "claims_supported" in Server Metadata. … and so on. All issues and their details can be found in https://github.com/jsoss-sig/keycloak-fapi [why so many issues arise]  Implementer's Draft version 1 (2 Feb, 2017) Read-Only : https://openid.net/specs/openid-financial-api-part-1-ID1.html Read and Write : https://openid.net/specs/openid-financial-api-part-2-ID1.html We worked with this version. ◼ Implementer's Draft version 2 (17 Oct, 2018) Read-Only : https://openid.net/specs/openid-financial-api-part-1-ID2.html Read and Write : https://openid.net/specs/openid-financial-api-part-2-ID2.html Conformance test checks requirements on this version.
18© Hitachi, Ltd. 2019. All rights reserved. Concluding Remarks ⚫ We try to support WebAuthn RP’s feature onto keycloak. Prototype : https://github.com/webauthn4j/keycloak-webauthn-authenticator Design Document : https://github.com/keycloak/keycloak-community/pull/11 … but not yet completed. ⚫ We try to make keycloak satisfy FAPI’s requirements and get FAPI’s certificate. Conformance Test Execution : https://github.com/jsoss-sig/keycloak-fapi … but not yet completed. We are very happy if you make some contributions to those work.
© Hitachi, Ltd. 2019. All rights reserved. Takashi Norimatsu 12 June 2019 Hitachi, Ltd. OSS Solution Center END KeyConf 2019 @ STFC Hartree Centre, United Kingdom Implementing Web Authentication API (WebAuthn) & Financial-Grade API (FAPI) supports on keycloak 19
20© Hitachi, Ltd. 2019. All rights reserved. Trademark • FIDO is a trademark or registered trademark of FIDO Alliance, Inc. in the United States and other countries. • OpenID is a trademark or registered trademark of OpenID Foundation in the United States and other countries. • Github is a trademark or registered trademark of Github, Inc. in the United States and other countries. • Other brand names and product names used in this material are trademarks, registered trademarks, or trade names of their respective holders.
Implementing WebAuthn & FAPI supports on Keycloak

Recommended

Draft: building secure applications with keycloak (oidc/jwt)
Draft: building secure applications with keycloak (oidc/jwt)Draft: building secure applications with keycloak (oidc/jwt)
Draft: building secure applications with keycloak (oidc/jwt)
Abhishek Koserwal
 
IBM: Hey FIDO, Meet Passkey!.pptx
IBM: Hey FIDO, Meet Passkey!.pptxIBM: Hey FIDO, Meet Passkey!.pptx
IBM: Hey FIDO, Meet Passkey!.pptx
FIDO Alliance
 
Introduction to OpenID Connect
Introduction to OpenID Connect Introduction to OpenID Connect
Introduction to OpenID Connect
Nat Sakimura
 
FAPI (Financial-grade API) and CIBA (Client Initiated Backchannel Authenticat...
FAPI (Financial-grade API) and CIBA (Client Initiated Backchannel Authenticat...FAPI (Financial-grade API) and CIBA (Client Initiated Backchannel Authenticat...
FAPI (Financial-grade API) and CIBA (Client Initiated Backchannel Authenticat...
Tatsuo Kudo
 
API Security Best Practices & Guidelines
API Security Best Practices & GuidelinesAPI Security Best Practices & Guidelines
API Security Best Practices & Guidelines
Prabath Siriwardena
 
Implementing security requirements for banking API system using Open Source ...
Implementing security requirements for banking API system using Open Source ... Implementing security requirements for banking API system using Open Source ...
Implementing security requirements for banking API system using Open Source ...
Yuichi Nakamura
 
Fido Technical Overview
Fido Technical OverviewFido Technical Overview
Fido Technical Overview
FIDO Alliance
 
FIDO Authentication: Unphishable MFA for All
FIDO Authentication: Unphishable MFA for AllFIDO Authentication: Unphishable MFA for All
FIDO Authentication: Unphishable MFA for All
FIDO Alliance
 

Recommended

Draft: building secure applications with keycloak (oidc/jwt)
Draft: building secure applications with keycloak (oidc/jwt)Draft: building secure applications with keycloak (oidc/jwt)
Draft: building secure applications with keycloak (oidc/jwt)
Abhishek Koserwal
 
IBM: Hey FIDO, Meet Passkey!.pptx
IBM: Hey FIDO, Meet Passkey!.pptxIBM: Hey FIDO, Meet Passkey!.pptx
IBM: Hey FIDO, Meet Passkey!.pptx
FIDO Alliance
 
Introduction to OpenID Connect
Introduction to OpenID Connect Introduction to OpenID Connect
Introduction to OpenID Connect
Nat Sakimura
 
FAPI (Financial-grade API) and CIBA (Client Initiated Backchannel Authenticat...
FAPI (Financial-grade API) and CIBA (Client Initiated Backchannel Authenticat...FAPI (Financial-grade API) and CIBA (Client Initiated Backchannel Authenticat...
FAPI (Financial-grade API) and CIBA (Client Initiated Backchannel Authenticat...
Tatsuo Kudo
 
API Security Best Practices & Guidelines
API Security Best Practices & GuidelinesAPI Security Best Practices & Guidelines
API Security Best Practices & Guidelines
Prabath Siriwardena
 
Implementing security requirements for banking API system using Open Source ...
Implementing security requirements for banking API system using Open Source ... Implementing security requirements for banking API system using Open Source ...
Implementing security requirements for banking API system using Open Source ...
Yuichi Nakamura
 
Fido Technical Overview
Fido Technical OverviewFido Technical Overview
Fido Technical Overview
FIDO Alliance
 
FIDO Authentication: Unphishable MFA for All
FIDO Authentication: Unphishable MFA for AllFIDO Authentication: Unphishable MFA for All
FIDO Authentication: Unphishable MFA for All
FIDO Alliance
 
Apigee の FAPI & CIBA 対応を実現する「Authlete (オースリート)」
Apigee の FAPI & CIBA 対応を実現する「Authlete (オースリート)」Apigee の FAPI & CIBA 対応を実現する「Authlete (オースリート)」
Apigee の FAPI & CIBA 対応を実現する「Authlete (オースリート)」
Tatsuo Kudo
 
#idcon vol.29 - #fidcon WebAuthn, Next Stage
#idcon vol.29 - #fidcon WebAuthn, Next Stage#idcon vol.29 - #fidcon WebAuthn, Next Stage
#idcon vol.29 - #fidcon WebAuthn, Next Stage
Nov Matake
 
Lightweight Zero-trust Network Implementation and Transition with Keycloak an...
Lightweight Zero-trust Network Implementation and Transition with Keycloak an...Lightweight Zero-trust Network Implementation and Transition with Keycloak an...
Lightweight Zero-trust Network Implementation and Transition with Keycloak an...
Hitachi, Ltd. OSS Solution Center.
 
Keycloak Single Sign-On
Keycloak Single Sign-OnKeycloak Single Sign-On
Keycloak Single Sign-On
Ravi Yasas
 
VPNはもう卒業!FIDO2認証で次世代リモートアクセス
VPNはもう卒業!FIDO2認証で次世代リモートアクセスVPNはもう卒業!FIDO2認証で次世代リモートアクセス
VPNはもう卒業!FIDO2認証で次世代リモートアクセス
FIDO Alliance
 
FIDO Alliance: Welcome and FIDO Update.pptx
FIDO Alliance: Welcome and FIDO Update.pptxFIDO Alliance: Welcome and FIDO Update.pptx
FIDO Alliance: Welcome and FIDO Update.pptx
FIDO Alliance
 
実装して理解するLINE LoginとOpenID Connect入門
実装して理解するLINE LoginとOpenID Connect入門実装して理解するLINE LoginとOpenID Connect入門
実装して理解するLINE LoginとOpenID Connect入門
Naohiro Fujie
 
Introduction to FIDO: A New Model for Authentication
Introduction to FIDO: A New Model for AuthenticationIntroduction to FIDO: A New Model for Authentication
Introduction to FIDO: A New Model for Authentication
FIDO Alliance
 
Cloud Native Identity with SPIFFE
Cloud Native Identity with SPIFFECloud Native Identity with SPIFFE
Cloud Native Identity with SPIFFE
Prabath Siriwardena
 
Secure Spring Boot Microservices with Keycloak
Secure Spring Boot Microservices with KeycloakSecure Spring Boot Microservices with Keycloak
Secure Spring Boot Microservices with Keycloak
Red Hat Developers
 
Microsoft's Implementation Roadmap for FIDO2
Microsoft's Implementation Roadmap for FIDO2Microsoft's Implementation Roadmap for FIDO2
Microsoft's Implementation Roadmap for FIDO2
FIDO Alliance
 
Developer Tutorial: WebAuthn for Web & FIDO2 for Android
Developer Tutorial: WebAuthn for Web & FIDO2 for AndroidDeveloper Tutorial: WebAuthn for Web & FIDO2 for Android
Developer Tutorial: WebAuthn for Web & FIDO2 for Android
FIDO Alliance
 
認証の課題とID連携の実装 〜ハンズオン〜
認証の課題とID連携の実装 〜ハンズオン〜認証の課題とID連携の実装 〜ハンズオン〜
認証の課題とID連携の実装 〜ハンズオン〜
Masaru Kurahayashi
 
New FIDO Specifications Overview -FIDO Alliance -Tokyo Seminar -Nadalin
New FIDO Specifications Overview -FIDO Alliance -Tokyo Seminar -NadalinNew FIDO Specifications Overview -FIDO Alliance -Tokyo Seminar -Nadalin
New FIDO Specifications Overview -FIDO Alliance -Tokyo Seminar -Nadalin
FIDO Alliance
 
これからのネイティブアプリにおけるOpenID Connectの活用
これからのネイティブアプリにおけるOpenID Connectの活用これからのネイティブアプリにおけるOpenID Connectの活用
これからのネイティブアプリにおけるOpenID Connectの活用
Masaru Kurahayashi
 
FIDO2 & Microsoft
FIDO2 & MicrosoftFIDO2 & Microsoft
FIDO2 & Microsoft
FIDO Alliance
 
KeycloakでFAPIに対応した高セキュリティなAPIを公開する
KeycloakでFAPIに対応した高セキュリティなAPIを公開するKeycloakでFAPIに対応した高セキュリティなAPIを公開する
KeycloakでFAPIに対応した高セキュリティなAPIを公開する
Hitachi, Ltd. OSS Solution Center.
 
OAuth
OAuthOAuth
OAuth
Iván Fernández Perea
 
Fido認証概要説明
Fido認証概要説明Fido認証概要説明
Fido認証概要説明
FIDO Alliance
 
OpenID for Verifiable Credentials
OpenID for Verifiable CredentialsOpenID for Verifiable Credentials
OpenID for Verifiable Credentials
Torsten Lodderstedt
 
APIdays London 2020: Toward certifying Financial-grade API security profile w...
APIdays London 2020: Toward certifying Financial-grade API security profile w...APIdays London 2020: Toward certifying Financial-grade API security profile w...
APIdays London 2020: Toward certifying Financial-grade API security profile w...
Hitachi, Ltd. OSS Solution Center.
 
KubeConRecap_nakamura.pdf
KubeConRecap_nakamura.pdfKubeConRecap_nakamura.pdf
KubeConRecap_nakamura.pdf
Hitachi, Ltd. OSS Solution Center.
 

More Related Content

What's hot

Apigee の FAPI & CIBA 対応を実現する「Authlete (オースリート)」
Apigee の FAPI & CIBA 対応を実現する「Authlete (オースリート)」Apigee の FAPI & CIBA 対応を実現する「Authlete (オースリート)」
Apigee の FAPI & CIBA 対応を実現する「Authlete (オースリート)」
Tatsuo Kudo
 
#idcon vol.29 - #fidcon WebAuthn, Next Stage
#idcon vol.29 - #fidcon WebAuthn, Next Stage#idcon vol.29 - #fidcon WebAuthn, Next Stage
#idcon vol.29 - #fidcon WebAuthn, Next Stage
Nov Matake
 
Lightweight Zero-trust Network Implementation and Transition with Keycloak an...
Lightweight Zero-trust Network Implementation and Transition with Keycloak an...Lightweight Zero-trust Network Implementation and Transition with Keycloak an...
Lightweight Zero-trust Network Implementation and Transition with Keycloak an...
Hitachi, Ltd. OSS Solution Center.
 
Keycloak Single Sign-On
Keycloak Single Sign-OnKeycloak Single Sign-On
Keycloak Single Sign-On
Ravi Yasas
 
VPNはもう卒業!FIDO2認証で次世代リモートアクセス
VPNはもう卒業!FIDO2認証で次世代リモートアクセスVPNはもう卒業!FIDO2認証で次世代リモートアクセス
VPNはもう卒業!FIDO2認証で次世代リモートアクセス
FIDO Alliance
 
FIDO Alliance: Welcome and FIDO Update.pptx
FIDO Alliance: Welcome and FIDO Update.pptxFIDO Alliance: Welcome and FIDO Update.pptx
FIDO Alliance: Welcome and FIDO Update.pptx
FIDO Alliance
 
実装して理解するLINE LoginとOpenID Connect入門
実装して理解するLINE LoginとOpenID Connect入門実装して理解するLINE LoginとOpenID Connect入門
実装して理解するLINE LoginとOpenID Connect入門
Naohiro Fujie
 
Introduction to FIDO: A New Model for Authentication
Introduction to FIDO: A New Model for AuthenticationIntroduction to FIDO: A New Model for Authentication
Introduction to FIDO: A New Model for Authentication
FIDO Alliance
 
Cloud Native Identity with SPIFFE
Cloud Native Identity with SPIFFECloud Native Identity with SPIFFE
Cloud Native Identity with SPIFFE
Prabath Siriwardena
 
Secure Spring Boot Microservices with Keycloak
Secure Spring Boot Microservices with KeycloakSecure Spring Boot Microservices with Keycloak
Secure Spring Boot Microservices with Keycloak
Red Hat Developers
 
Microsoft's Implementation Roadmap for FIDO2
Microsoft's Implementation Roadmap for FIDO2Microsoft's Implementation Roadmap for FIDO2
Microsoft's Implementation Roadmap for FIDO2
FIDO Alliance
 
Developer Tutorial: WebAuthn for Web & FIDO2 for Android
Developer Tutorial: WebAuthn for Web & FIDO2 for AndroidDeveloper Tutorial: WebAuthn for Web & FIDO2 for Android
Developer Tutorial: WebAuthn for Web & FIDO2 for Android
FIDO Alliance
 
認証の課題とID連携の実装 〜ハンズオン〜
認証の課題とID連携の実装 〜ハンズオン〜認証の課題とID連携の実装 〜ハンズオン〜
認証の課題とID連携の実装 〜ハンズオン〜
Masaru Kurahayashi
 
New FIDO Specifications Overview -FIDO Alliance -Tokyo Seminar -Nadalin
New FIDO Specifications Overview -FIDO Alliance -Tokyo Seminar -NadalinNew FIDO Specifications Overview -FIDO Alliance -Tokyo Seminar -Nadalin
New FIDO Specifications Overview -FIDO Alliance -Tokyo Seminar -Nadalin
FIDO Alliance
 
これからのネイティブアプリにおけるOpenID Connectの活用
これからのネイティブアプリにおけるOpenID Connectの活用これからのネイティブアプリにおけるOpenID Connectの活用
これからのネイティブアプリにおけるOpenID Connectの活用
Masaru Kurahayashi
 
FIDO2 & Microsoft
FIDO2 & MicrosoftFIDO2 & Microsoft
FIDO2 & Microsoft
FIDO Alliance
 
KeycloakでFAPIに対応した高セキュリティなAPIを公開する
KeycloakでFAPIに対応した高セキュリティなAPIを公開するKeycloakでFAPIに対応した高セキュリティなAPIを公開する
KeycloakでFAPIに対応した高セキュリティなAPIを公開する
Hitachi, Ltd. OSS Solution Center.
 
OAuth
OAuthOAuth
OAuth
Iván Fernández Perea
 
Fido認証概要説明
Fido認証概要説明Fido認証概要説明
Fido認証概要説明
FIDO Alliance
 
OpenID for Verifiable Credentials
OpenID for Verifiable CredentialsOpenID for Verifiable Credentials
OpenID for Verifiable Credentials
Torsten Lodderstedt
 

What's hot (20)

Apigee の FAPI & CIBA 対応を実現する「Authlete (オースリート)」
Apigee の FAPI & CIBA 対応を実現する「Authlete (オースリート)」Apigee の FAPI & CIBA 対応を実現する「Authlete (オースリート)」
Apigee の FAPI & CIBA 対応を実現する「Authlete (オースリート)」
 
#idcon vol.29 - #fidcon WebAuthn, Next Stage
#idcon vol.29 - #fidcon WebAuthn, Next Stage#idcon vol.29 - #fidcon WebAuthn, Next Stage
#idcon vol.29 - #fidcon WebAuthn, Next Stage
 
Lightweight Zero-trust Network Implementation and Transition with Keycloak an...
Lightweight Zero-trust Network Implementation and Transition with Keycloak an...Lightweight Zero-trust Network Implementation and Transition with Keycloak an...
Lightweight Zero-trust Network Implementation and Transition with Keycloak an...
 
Keycloak Single Sign-On
Keycloak Single Sign-OnKeycloak Single Sign-On
Keycloak Single Sign-On
 
VPNはもう卒業!FIDO2認証で次世代リモートアクセス
VPNはもう卒業!FIDO2認証で次世代リモートアクセスVPNはもう卒業!FIDO2認証で次世代リモートアクセス
VPNはもう卒業!FIDO2認証で次世代リモートアクセス
 
FIDO Alliance: Welcome and FIDO Update.pptx
FIDO Alliance: Welcome and FIDO Update.pptxFIDO Alliance: Welcome and FIDO Update.pptx
FIDO Alliance: Welcome and FIDO Update.pptx
 
実装して理解するLINE LoginとOpenID Connect入門
実装して理解するLINE LoginとOpenID Connect入門実装して理解するLINE LoginとOpenID Connect入門
実装して理解するLINE LoginとOpenID Connect入門
 
Introduction to FIDO: A New Model for Authentication
Introduction to FIDO: A New Model for AuthenticationIntroduction to FIDO: A New Model for Authentication
Introduction to FIDO: A New Model for Authentication
 
Cloud Native Identity with SPIFFE
Cloud Native Identity with SPIFFECloud Native Identity with SPIFFE
Cloud Native Identity with SPIFFE
 
Secure Spring Boot Microservices with Keycloak
Secure Spring Boot Microservices with KeycloakSecure Spring Boot Microservices with Keycloak
Secure Spring Boot Microservices with Keycloak
 
Microsoft's Implementation Roadmap for FIDO2
Microsoft's Implementation Roadmap for FIDO2Microsoft's Implementation Roadmap for FIDO2
Microsoft's Implementation Roadmap for FIDO2
 
Developer Tutorial: WebAuthn for Web & FIDO2 for Android
Developer Tutorial: WebAuthn for Web & FIDO2 for AndroidDeveloper Tutorial: WebAuthn for Web & FIDO2 for Android
Developer Tutorial: WebAuthn for Web & FIDO2 for Android
 
認証の課題とID連携の実装 〜ハンズオン〜
認証の課題とID連携の実装 〜ハンズオン〜認証の課題とID連携の実装 〜ハンズオン〜
認証の課題とID連携の実装 〜ハンズオン〜
 
New FIDO Specifications Overview -FIDO Alliance -Tokyo Seminar -Nadalin
New FIDO Specifications Overview -FIDO Alliance -Tokyo Seminar -NadalinNew FIDO Specifications Overview -FIDO Alliance -Tokyo Seminar -Nadalin
New FIDO Specifications Overview -FIDO Alliance -Tokyo Seminar -Nadalin
 
これからのネイティブアプリにおけるOpenID Connectの活用
これからのネイティブアプリにおけるOpenID Connectの活用これからのネイティブアプリにおけるOpenID Connectの活用
これからのネイティブアプリにおけるOpenID Connectの活用
 
FIDO2 & Microsoft
FIDO2 & MicrosoftFIDO2 & Microsoft
FIDO2 & Microsoft
 
KeycloakでFAPIに対応した高セキュリティなAPIを公開する
KeycloakでFAPIに対応した高セキュリティなAPIを公開するKeycloakでFAPIに対応した高セキュリティなAPIを公開する
KeycloakでFAPIに対応した高セキュリティなAPIを公開する
 
OAuth
OAuthOAuth
OAuth
 
Fido認証概要説明
Fido認証概要説明Fido認証概要説明
Fido認証概要説明
 
OpenID for Verifiable Credentials
OpenID for Verifiable CredentialsOpenID for Verifiable Credentials
OpenID for Verifiable Credentials
 

Similar to Implementing WebAuthn & FAPI supports on Keycloak

APIdays London 2020: Toward certifying Financial-grade API security profile w...
APIdays London 2020: Toward certifying Financial-grade API security profile w...APIdays London 2020: Toward certifying Financial-grade API security profile w...
APIdays London 2020: Toward certifying Financial-grade API security profile w...
Hitachi, Ltd. OSS Solution Center.
 
KubeConRecap_nakamura.pdf
KubeConRecap_nakamura.pdfKubeConRecap_nakamura.pdf
KubeConRecap_nakamura.pdf
Hitachi, Ltd. OSS Solution Center.
 
apidays LIVE LONDON - Toward certifying Financial-grade API profile with Keyc...
apidays LIVE LONDON - Toward certifying Financial-grade API profile with Keyc...apidays LIVE LONDON - Toward certifying Financial-grade API profile with Keyc...
apidays LIVE LONDON - Toward certifying Financial-grade API profile with Keyc...
apidays
 
Implementing security and availability requirements for banking API system us...
Implementing security and availability requirements for banking API system us...Implementing security and availability requirements for banking API system us...
Implementing security and availability requirements for banking API system us...
Hitachi, Ltd. OSS Solution Center.
 
Guide of authentication and authorization for cloud native applications with ...
Guide of authentication and authorization for cloud native applications with ...Guide of authentication and authorization for cloud native applications with ...
Guide of authentication and authorization for cloud native applications with ...
Hitachi, Ltd. OSS Solution Center.
 
APIdays Paris 2019 : Financial-grade API (FAPI) Security Profile
APIdays Paris 2019 : Financial-grade API (FAPI) Security ProfileAPIdays Paris 2019 : Financial-grade API (FAPI) Security Profile
APIdays Paris 2019 : Financial-grade API (FAPI) Security Profile
Hitachi, Ltd. OSS Solution Center.
 
APIdays Paris 2019 - What are protected and secured by security requirements ...
APIdays Paris 2019 - What are protected and secured by security requirements ...APIdays Paris 2019 - What are protected and secured by security requirements ...
APIdays Paris 2019 - What are protected and secured by security requirements ...
apidays
 
DevConf.CZ 2020 @ Brno, Czech Republic : WebAuthn support for keycloak
DevConf.CZ 2020 @ Brno, Czech Republic : WebAuthn support for keycloakDevConf.CZ 2020 @ Brno, Czech Republic : WebAuthn support for keycloak
DevConf.CZ 2020 @ Brno, Czech Republic : WebAuthn support for keycloak
Hitachi, Ltd. OSS Solution Center.
 
apidays Paris 2022 - Securing APIs in Open Banking, Takashi Norimatsu, Hitachi
apidays Paris 2022 - Securing APIs in Open Banking, Takashi Norimatsu, Hitachiapidays Paris 2022 - Securing APIs in Open Banking, Takashi Norimatsu, Hitachi
apidays Paris 2022 - Securing APIs in Open Banking, Takashi Norimatsu, Hitachi
apidays
 
IRJET- Proof of Document using Multichain and Ethereum
IRJET- Proof of Document using Multichain and EthereumIRJET- Proof of Document using Multichain and Ethereum
IRJET- Proof of Document using Multichain and Ethereum
IRJET Journal
 
Apache con@home 2021_sha
Apache con@home 2021_shaApache con@home 2021_sha
Apache con@home 2021_sha
Hitachi, Ltd. OSS Solution Center.
 
What API Specifications and Tools Help Engineers to Construct a High-Security...
What API Specifications and Tools Help Engineers to Construct a High-Security...What API Specifications and Tools Help Engineers to Construct a High-Security...
What API Specifications and Tools Help Engineers to Construct a High-Security...
Hitachi, Ltd. OSS Solution Center.
 
20190523 archiver fim
20190523 archiver fim20190523 archiver fim
20190523 archiver fim
Archiver
 
Trust Data Sharing and Utilization Infrastructure for Sensitive Data Using Hy...
Trust Data Sharing and Utilization Infrastructure for Sensitive Data Using Hy...Trust Data Sharing and Utilization Infrastructure for Sensitive Data Using Hy...
Trust Data Sharing and Utilization Infrastructure for Sensitive Data Using Hy...
Koshi Ikegawa
 
Webinar: ForgeRock Identity Platform Preview (Dec 2015)
Webinar: ForgeRock Identity Platform Preview (Dec 2015)Webinar: ForgeRock Identity Platform Preview (Dec 2015)
Webinar: ForgeRock Identity Platform Preview (Dec 2015)
ForgeRock
 
Standard Based API Security, Access Control and AI Based Attack - API Days Pa...
Standard Based API Security, Access Control and AI Based Attack - API Days Pa...Standard Based API Security, Access Control and AI Based Attack - API Days Pa...
Standard Based API Security, Access Control and AI Based Attack - API Days Pa...
Ping Identity
 
DeveloperWeek2018 - Let's Build a Chatbot
DeveloperWeek2018 - Let's Build a ChatbotDeveloperWeek2018 - Let's Build a Chatbot
DeveloperWeek2018 - Let's Build a Chatbot
Tessa Mero
 
WebAuthn & FIDO2
WebAuthn & FIDO2WebAuthn & FIDO2
WebAuthn & FIDO2
Leonard Moustacchis
 
SecureIoT Programming Support Service
SecureIoT Programming Support ServiceSecureIoT Programming Support Service
SecureIoT Programming Support Service
Mariza Konidi
 
04 - Blockchain Technology - Hyperledger Fabric
04 - Blockchain Technology - Hyperledger Fabric04 - Blockchain Technology - Hyperledger Fabric
04 - Blockchain Technology - Hyperledger Fabric
ITROOS
 

Similar to Implementing WebAuthn & FAPI supports on Keycloak (20)

APIdays London 2020: Toward certifying Financial-grade API security profile w...
APIdays London 2020: Toward certifying Financial-grade API security profile w...APIdays London 2020: Toward certifying Financial-grade API security profile w...
APIdays London 2020: Toward certifying Financial-grade API security profile w...
 
KubeConRecap_nakamura.pdf
KubeConRecap_nakamura.pdfKubeConRecap_nakamura.pdf
KubeConRecap_nakamura.pdf
 
apidays LIVE LONDON - Toward certifying Financial-grade API profile with Keyc...
apidays LIVE LONDON - Toward certifying Financial-grade API profile with Keyc...apidays LIVE LONDON - Toward certifying Financial-grade API profile with Keyc...
apidays LIVE LONDON - Toward certifying Financial-grade API profile with Keyc...
 
Implementing security and availability requirements for banking API system us...
Implementing security and availability requirements for banking API system us...Implementing security and availability requirements for banking API system us...
Implementing security and availability requirements for banking API system us...
 
Guide of authentication and authorization for cloud native applications with ...
Guide of authentication and authorization for cloud native applications with ...Guide of authentication and authorization for cloud native applications with ...
Guide of authentication and authorization for cloud native applications with ...
 
APIdays Paris 2019 : Financial-grade API (FAPI) Security Profile
APIdays Paris 2019 : Financial-grade API (FAPI) Security ProfileAPIdays Paris 2019 : Financial-grade API (FAPI) Security Profile
APIdays Paris 2019 : Financial-grade API (FAPI) Security Profile
 
APIdays Paris 2019 - What are protected and secured by security requirements ...
APIdays Paris 2019 - What are protected and secured by security requirements ...APIdays Paris 2019 - What are protected and secured by security requirements ...
APIdays Paris 2019 - What are protected and secured by security requirements ...
 
DevConf.CZ 2020 @ Brno, Czech Republic : WebAuthn support for keycloak
DevConf.CZ 2020 @ Brno, Czech Republic : WebAuthn support for keycloakDevConf.CZ 2020 @ Brno, Czech Republic : WebAuthn support for keycloak
DevConf.CZ 2020 @ Brno, Czech Republic : WebAuthn support for keycloak
 
apidays Paris 2022 - Securing APIs in Open Banking, Takashi Norimatsu, Hitachi
apidays Paris 2022 - Securing APIs in Open Banking, Takashi Norimatsu, Hitachiapidays Paris 2022 - Securing APIs in Open Banking, Takashi Norimatsu, Hitachi
apidays Paris 2022 - Securing APIs in Open Banking, Takashi Norimatsu, Hitachi
 
IRJET- Proof of Document using Multichain and Ethereum
IRJET- Proof of Document using Multichain and EthereumIRJET- Proof of Document using Multichain and Ethereum
IRJET- Proof of Document using Multichain and Ethereum
 
Apache con@home 2021_sha
Apache con@home 2021_shaApache con@home 2021_sha
Apache con@home 2021_sha
 
What API Specifications and Tools Help Engineers to Construct a High-Security...
What API Specifications and Tools Help Engineers to Construct a High-Security...What API Specifications and Tools Help Engineers to Construct a High-Security...
What API Specifications and Tools Help Engineers to Construct a High-Security...
 
20190523 archiver fim
20190523 archiver fim20190523 archiver fim
20190523 archiver fim
 
Trust Data Sharing and Utilization Infrastructure for Sensitive Data Using Hy...
Trust Data Sharing and Utilization Infrastructure for Sensitive Data Using Hy...Trust Data Sharing and Utilization Infrastructure for Sensitive Data Using Hy...
Trust Data Sharing and Utilization Infrastructure for Sensitive Data Using Hy...
 
Webinar: ForgeRock Identity Platform Preview (Dec 2015)
Webinar: ForgeRock Identity Platform Preview (Dec 2015)Webinar: ForgeRock Identity Platform Preview (Dec 2015)
Webinar: ForgeRock Identity Platform Preview (Dec 2015)
 
Standard Based API Security, Access Control and AI Based Attack - API Days Pa...
Standard Based API Security, Access Control and AI Based Attack - API Days Pa...Standard Based API Security, Access Control and AI Based Attack - API Days Pa...
Standard Based API Security, Access Control and AI Based Attack - API Days Pa...
 
DeveloperWeek2018 - Let's Build a Chatbot
DeveloperWeek2018 - Let's Build a ChatbotDeveloperWeek2018 - Let's Build a Chatbot
DeveloperWeek2018 - Let's Build a Chatbot
 
WebAuthn & FIDO2
WebAuthn & FIDO2WebAuthn & FIDO2
WebAuthn & FIDO2
 
SecureIoT Programming Support Service
SecureIoT Programming Support ServiceSecureIoT Programming Support Service
SecureIoT Programming Support Service
 
04 - Blockchain Technology - Hyperledger Fabric
04 - Blockchain Technology - Hyperledger Fabric04 - Blockchain Technology - Hyperledger Fabric
04 - Blockchain Technology - Hyperledger Fabric
 

More from Yuichi Nakamura

Keycloakの紹介と最新開発動向
Keycloakの紹介と最新開発動向Keycloakの紹介と最新開発動向
Keycloakの紹介と最新開発動向
Yuichi Nakamura
 
About secure oss_sig_20190607
About secure oss_sig_20190607About secure oss_sig_20190607
About secure oss_sig_20190607
Yuichi Nakamura
 
OAuthのHolder of Key Token
OAuthのHolder of Key TokenOAuthのHolder of Key Token
OAuthのHolder of Key Token
Yuichi Nakamura
 
OSSセキュリティ技術の会について
OSSセキュリティ技術の会についてOSSセキュリティ技術の会について
OSSセキュリティ技術の会について
Yuichi Nakamura
 
Open shiftmeetup 3scalelt_3
Open shiftmeetup 3scalelt_3Open shiftmeetup 3scalelt_3
Open shiftmeetup 3scalelt_3
Yuichi Nakamura
 
Keycloak開発入門
Keycloak開発入門Keycloak開発入門
Keycloak開発入門
Yuichi Nakamura
 
Keycloakの動向
Keycloakの動向Keycloakの動向
Keycloakの動向
Yuichi Nakamura
 
Keycloak入門-OpenID ConnectによるAPIセキュリティ
Keycloak入門-OpenID ConnectによるAPIセキュリティKeycloak入門-OpenID ConnectによるAPIセキュリティ
Keycloak入門-OpenID ConnectによるAPIセキュリティ
Yuichi Nakamura
 
OSSセキュリティ技術の会について
OSSセキュリティ技術の会について OSSセキュリティ技術の会について
OSSセキュリティ技術の会について
Yuichi Nakamura
 

More from Yuichi Nakamura (9)

Keycloakの紹介と最新開発動向
Keycloakの紹介と最新開発動向Keycloakの紹介と最新開発動向
Keycloakの紹介と最新開発動向
 
About secure oss_sig_20190607
About secure oss_sig_20190607About secure oss_sig_20190607
About secure oss_sig_20190607
 
OAuthのHolder of Key Token
OAuthのHolder of Key TokenOAuthのHolder of Key Token
OAuthのHolder of Key Token
 
OSSセキュリティ技術の会について
OSSセキュリティ技術の会についてOSSセキュリティ技術の会について
OSSセキュリティ技術の会について
 
Open shiftmeetup 3scalelt_3
Open shiftmeetup 3scalelt_3Open shiftmeetup 3scalelt_3
Open shiftmeetup 3scalelt_3
 
Keycloak開発入門
Keycloak開発入門Keycloak開発入門
Keycloak開発入門
 
Keycloakの動向
Keycloakの動向Keycloakの動向
Keycloakの動向
 
Keycloak入門-OpenID ConnectによるAPIセキュリティ
Keycloak入門-OpenID ConnectによるAPIセキュリティKeycloak入門-OpenID ConnectによるAPIセキュリティ
Keycloak入門-OpenID ConnectによるAPIセキュリティ
 
OSSセキュリティ技術の会について
OSSセキュリティ技術の会について OSSセキュリティ技術の会について
OSSセキュリティ技術の会について
 

Recently uploaded

Large Language Models and the End of Programming
Large Language Models and the End of ProgrammingLarge Language Models and the End of Programming
Large Language Models and the End of Programming
Matt Welsh
 
Globus Compute wth IRI Workflows - GlobusWorld 2024
Globus Compute wth IRI Workflows - GlobusWorld 2024Globus Compute wth IRI Workflows - GlobusWorld 2024
Globus Compute wth IRI Workflows - GlobusWorld 2024
Globus
 
May Marketo Masterclass, London MUG May 22 2024.pdf
May Marketo Masterclass, London MUG May 22 2024.pdfMay Marketo Masterclass, London MUG May 22 2024.pdf
May Marketo Masterclass, London MUG May 22 2024.pdf
Adele Miller
 
Using IESVE for Room Loads Analysis - Australia & New Zealand
Using IESVE for Room Loads Analysis - Australia & New ZealandUsing IESVE for Room Loads Analysis - Australia & New Zealand
Using IESVE for Room Loads Analysis - Australia & New Zealand
IES VE
 
Exploring Innovations in Data Repository Solutions - Insights from the U.S. G...
Exploring Innovations in Data Repository Solutions - Insights from the U.S. G...Exploring Innovations in Data Repository Solutions - Insights from the U.S. G...
Exploring Innovations in Data Repository Solutions - Insights from the U.S. G...
Globus
 
Prosigns: Transforming Business with Tailored Technology Solutions
Prosigns: Transforming Business with Tailored Technology SolutionsProsigns: Transforming Business with Tailored Technology Solutions
Prosigns: Transforming Business with Tailored Technology Solutions
Prosigns
 
Graphic Design Crash Course for beginners
Graphic Design Crash Course for beginnersGraphic Design Crash Course for beginners
Graphic Design Crash Course for beginners
e20449
 
Developing Distributed High-performance Computing Capabilities of an Open Sci...
Developing Distributed High-performance Computing Capabilities of an Open Sci...Developing Distributed High-performance Computing Capabilities of an Open Sci...
Developing Distributed High-performance Computing Capabilities of an Open Sci...
Globus
 
OpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoam
OpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoamOpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoam
OpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoam
takuyayamamoto1800
 
Corporate Management | Session 3 of 3 | Tendenci AMS
Corporate Management | Session 3 of 3 | Tendenci AMSCorporate Management | Session 3 of 3 | Tendenci AMS
Corporate Management | Session 3 of 3 | Tendenci AMS
Tendenci - The Open Source AMS (Association Management Software)
 
RISE with SAP and Journey to the Intelligent Enterprise
RISE with SAP and Journey to the Intelligent EnterpriseRISE with SAP and Journey to the Intelligent Enterprise
RISE with SAP and Journey to the Intelligent Enterprise
Srikant77
 
Quarkus Hidden and Forbidden Extensions
Quarkus Hidden and Forbidden ExtensionsQuarkus Hidden and Forbidden Extensions
Quarkus Hidden and Forbidden Extensions
Max Andersen
 
BoxLang: Review our Visionary Licenses of 2024
BoxLang: Review our Visionary Licenses of 2024BoxLang: Review our Visionary Licenses of 2024
BoxLang: Review our Visionary Licenses of 2024
Ortus Solutions, Corp
 
2024 RoOUG Security model for the cloud.pptx
2024 RoOUG Security model for the cloud.pptx2024 RoOUG Security model for the cloud.pptx
2024 RoOUG Security model for the cloud.pptx
Georgi Kodinov
 
Enhancing Project Management Efficiency_ Leveraging AI Tools like ChatGPT.pdf
Enhancing Project Management Efficiency_ Leveraging AI Tools like ChatGPT.pdfEnhancing Project Management Efficiency_ Leveraging AI Tools like ChatGPT.pdf
Enhancing Project Management Efficiency_ Leveraging AI Tools like ChatGPT.pdf
Jay Das
 
Custom Healthcare Software for Managing Chronic Conditions and Remote Patient...
Custom Healthcare Software for Managing Chronic Conditions and Remote Patient...Custom Healthcare Software for Managing Chronic Conditions and Remote Patient...
Custom Healthcare Software for Managing Chronic Conditions and Remote Patient...
Mind IT Systems
 
Cyaniclab : Software Development Agency Portfolio.pdf
Cyaniclab : Software Development Agency Portfolio.pdfCyaniclab : Software Development Agency Portfolio.pdf
Cyaniclab : Software Development Agency Portfolio.pdf
Cyanic lab
 
Understanding Globus Data Transfers with NetSage
Understanding Globus Data Transfers with NetSageUnderstanding Globus Data Transfers with NetSage
Understanding Globus Data Transfers with NetSage
Globus
 
SOCRadar Research Team: Latest Activities of IntelBroker
SOCRadar Research Team: Latest Activities of IntelBrokerSOCRadar Research Team: Latest Activities of IntelBroker
SOCRadar Research Team: Latest Activities of IntelBroker
SOCRadar
 
Providing Globus Services to Users of JASMIN for Environmental Data Analysis
Providing Globus Services to Users of JASMIN for Environmental Data AnalysisProviding Globus Services to Users of JASMIN for Environmental Data Analysis
Providing Globus Services to Users of JASMIN for Environmental Data Analysis
Globus
 

Recently uploaded (20)

Large Language Models and the End of Programming
Large Language Models and the End of ProgrammingLarge Language Models and the End of Programming
Large Language Models and the End of Programming
 
Globus Compute wth IRI Workflows - GlobusWorld 2024
Globus Compute wth IRI Workflows - GlobusWorld 2024Globus Compute wth IRI Workflows - GlobusWorld 2024
Globus Compute wth IRI Workflows - GlobusWorld 2024
 
May Marketo Masterclass, London MUG May 22 2024.pdf
May Marketo Masterclass, London MUG May 22 2024.pdfMay Marketo Masterclass, London MUG May 22 2024.pdf
May Marketo Masterclass, London MUG May 22 2024.pdf
 
Using IESVE for Room Loads Analysis - Australia & New Zealand
Using IESVE for Room Loads Analysis - Australia & New ZealandUsing IESVE for Room Loads Analysis - Australia & New Zealand
Using IESVE for Room Loads Analysis - Australia & New Zealand
 
Exploring Innovations in Data Repository Solutions - Insights from the U.S. G...
Exploring Innovations in Data Repository Solutions - Insights from the U.S. G...Exploring Innovations in Data Repository Solutions - Insights from the U.S. G...
Exploring Innovations in Data Repository Solutions - Insights from the U.S. G...
 
Prosigns: Transforming Business with Tailored Technology Solutions
Prosigns: Transforming Business with Tailored Technology SolutionsProsigns: Transforming Business with Tailored Technology Solutions
Prosigns: Transforming Business with Tailored Technology Solutions
 
Graphic Design Crash Course for beginners
Graphic Design Crash Course for beginnersGraphic Design Crash Course for beginners
Graphic Design Crash Course for beginners
 
Developing Distributed High-performance Computing Capabilities of an Open Sci...
Developing Distributed High-performance Computing Capabilities of an Open Sci...Developing Distributed High-performance Computing Capabilities of an Open Sci...
Developing Distributed High-performance Computing Capabilities of an Open Sci...
 
OpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoam
OpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoamOpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoam
OpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoam
 
Corporate Management | Session 3 of 3 | Tendenci AMS
Corporate Management | Session 3 of 3 | Tendenci AMSCorporate Management | Session 3 of 3 | Tendenci AMS
Corporate Management | Session 3 of 3 | Tendenci AMS
 
RISE with SAP and Journey to the Intelligent Enterprise
RISE with SAP and Journey to the Intelligent EnterpriseRISE with SAP and Journey to the Intelligent Enterprise
RISE with SAP and Journey to the Intelligent Enterprise
 
Quarkus Hidden and Forbidden Extensions
Quarkus Hidden and Forbidden ExtensionsQuarkus Hidden and Forbidden Extensions
Quarkus Hidden and Forbidden Extensions
 
BoxLang: Review our Visionary Licenses of 2024
BoxLang: Review our Visionary Licenses of 2024BoxLang: Review our Visionary Licenses of 2024
BoxLang: Review our Visionary Licenses of 2024
 
2024 RoOUG Security model for the cloud.pptx
2024 RoOUG Security model for the cloud.pptx2024 RoOUG Security model for the cloud.pptx
2024 RoOUG Security model for the cloud.pptx
 
Enhancing Project Management Efficiency_ Leveraging AI Tools like ChatGPT.pdf
Enhancing Project Management Efficiency_ Leveraging AI Tools like ChatGPT.pdfEnhancing Project Management Efficiency_ Leveraging AI Tools like ChatGPT.pdf
Enhancing Project Management Efficiency_ Leveraging AI Tools like ChatGPT.pdf
 
Custom Healthcare Software for Managing Chronic Conditions and Remote Patient...
Custom Healthcare Software for Managing Chronic Conditions and Remote Patient...Custom Healthcare Software for Managing Chronic Conditions and Remote Patient...
Custom Healthcare Software for Managing Chronic Conditions and Remote Patient...
 
Cyaniclab : Software Development Agency Portfolio.pdf
Cyaniclab : Software Development Agency Portfolio.pdfCyaniclab : Software Development Agency Portfolio.pdf
Cyaniclab : Software Development Agency Portfolio.pdf
 
Understanding Globus Data Transfers with NetSage
Understanding Globus Data Transfers with NetSageUnderstanding Globus Data Transfers with NetSage
Understanding Globus Data Transfers with NetSage
 
SOCRadar Research Team: Latest Activities of IntelBroker
SOCRadar Research Team: Latest Activities of IntelBrokerSOCRadar Research Team: Latest Activities of IntelBroker
SOCRadar Research Team: Latest Activities of IntelBroker
 
Providing Globus Services to Users of JASMIN for Environmental Data Analysis
Providing Globus Services to Users of JASMIN for Environmental Data AnalysisProviding Globus Services to Users of JASMIN for Environmental Data Analysis
Providing Globus Services to Users of JASMIN for Environmental Data Analysis
 

Implementing WebAuthn & FAPI supports on Keycloak

  • 1. © Hitachi, Ltd. 2019. All rights reserved. Implementing Web Authentication API (WebAuthn) & Financial-Grade API (FAPI) supports on keycloak KeyConf 2019 @ STFC Hartree Centre, United Kingdom Hitachi, Ltd. OSS Solution Center 12 June 2019 Takashi Norimatsu
  • 2. 1© Hitachi, Ltd. 2019. All rights reserved. Self Introduction Engaging in : ◼ providing support services about OSS ◼ implementing and contributing promising features to OSS The current works :  contributing WebAuthn support to keycloak  making keycloak pass FAPI’s conformance tests to get FAPI Certificate Takashi Norimatsu (@tnorimat in github) : OSS Solution Center, Hitachi, Ltd. @ Yokohama, Japan * Yokohama : the 2nd largest city in Japan by population, about 35km south west from Tokyo
  • 3. © Hitachi, Ltd. 2019. All rights reserved. 1. Overview 2. Web Authentication API (WebAuthn) Support 3. Financial-Grade API (FAPI) Support Contents 2
  • 4. 3© Hitachi, Ltd. 2019. All rights reserved. 1. Overview
  • 5. 4© Hitachi, Ltd. 2019. All rights reserved. 1-1 Overview: WebAuthn [ What’s WebAuthn ? ] Web standard as W3C Recommendation for achieving secure authentication (2FA, passwordless) resolving problems arising in password authentication. [ Motivation : Why we try to support WebAuthn for keycloak ? ] WebAuthn is promising technology. Therefore, it will be nothing special for IAM products to support it in the future.
  • 6. 5© Hitachi, Ltd. 2019. All rights reserved. 1-2 Overview: FAPI [ What’s FAPI ? ] OAuth 2.0’s security profile of APIs intended for financial institutes [ Motivation : Why we try to support FAPI for keycloak ? ] We would like to apply keycloak in financial sector requiring high security level for APIs. (*) Based on survey of Japanese Bankers Association as of Dec 2017 Quoted from Report about open API by the Japanese Bankers Association https://www.zenginkyo.or.jp/fileadmin/res/news/news290713_3.pdf In Japan… ◆ The revised banking act was published in Jun 2017 to promote API. Similar to PSD2 in EU. ◆ 83% of banks (114 banks) answered they will open API by Jun 2020(*). ◆ OAuth 2.0 is recognized as a key technology to secure API. FAPI is also being required. In UK… ◆ UK OpenBanking security profile is based on FAPI. (https://bitbucket.org/openid/obuk/src/master/uk-openbanking-security-profile.md)
  • 7. 6© Hitachi, Ltd. 2019. All rights reserved. 2. Web Authentication API (WebAuthn) Support
  • 8. 7© Hitachi, Ltd. 2019. All rights reserved. 2-1 WebAuthn: Contribution Plan Hitachi, Ltd. and WebAuthn4j community(https://github.com/webauthn4j/) are working for it. Now still in “Develop” phase, working in https://github.com/webauthn4j/keycloak-webauthn- authenticator . We are happy if you could contribute to it. Develop ✓ Build a prototype for feasibility study ◼ Write and submit design documents to community to be reviewed and approved  Implement WebAuthn RP’s features to keycloak based on the approved design Merged  Issue pull requests to keycloak to be reviewed and approved  Make them merged onto keycloak Certified  Pass conformance Self-Validation Testing against keycloak  Get certificate confirming that keycloak complies with FIDO2 2.0 Specification for Servers (*) (*) managed and presented by FIDO Alliance
  • 9. 8© Hitachi, Ltd. 2019. All rights reserved. 2-3 WebAuthn: Current Status - Prototype You can actually try this prototype from https://github.com/webauthn4j/keycloak- webauthn-authenticator . You can experience the following 2 scenario using this prototype: ◼ 2 Factor Authentication (2FA) Scenario OS : Windows 10, macOS Mojave (ver 10.14.4) Browser : Google Chrome (ver 75), Mozilla Firefox (ver 66) Authenticator : Yubico Security Key, Touch ID (macOS) ◼ Authentication with Resident Key (passwordless) Scenario OS : Windows 10 Browser : Microsoft Edge (ver 44) Authenticator : Internal Fingerprint Authentication Device
  • 10. 9© Hitachi, Ltd. 2019. All rights reserved. 2-3 WebAuthn: Current Status - Design [ Objective ] 2FA scenario at first, passwordless scenario next. Major topics to be considered (picked up three here):  Verifying Attestation Statement and Authentication Assertion • On registration, an attestation certificate should be verified Need to manage trust anchor certificate sources (e.g. FIDO Metadata Service) • On registration and authentication, keycloak need to verify information returned from Web Authentication API (e.g. navigator.credentials.create(), .get()) Need to choose an appropriate library to treat them We adopted “webauthn4j” (https://github.com/webauthn4j/webauthn4j) as a core library where all mandatory test cases and optional Android Key attestation test cases of FIDO2 Test Tools provided by FIDO Alliance has been passed. We not only use “webauthn4j” but contribute to it.
  • 11. 10© Hitachi, Ltd. 2019. All rights reserved. 2-3 WebAuthn: Current Status - Design (cont.)  Public Key Credentials Management • Users might have multiple authenticators. (e.g. security key, fingerprint) Need to retain multiple public key credentials per user. • On authentication, the user can select which public key credentials are used. Need to retain Information the user can use to identify their credentials. • Administrator wants to restrict authenticators the user can use. Need to obtain authenticator’s metadata. (e.g. AAGUID)  Automated Functional Test (E2E Test) • Automate tests of registration and authentication flows including or emulating real entities (e.g. authenticator, browser) … our design document considering these topics can be found in https://github.com/keycloak/keycloak-community/pull/11
  • 12. 11© Hitachi, Ltd. 2019. All rights reserved. 3. Financial-Grade API (FAPI) Support
  • 13. 12© Hitachi, Ltd. 2019. All rights reserved. 3-1 FAPI: Contribution Plan (*) managed and presented by OpenID Foundation Develop ✓ Clarify FAPI’s requirements keycloak does not satisfy ✓ Implement features satisfying such FAPI’s requirements to keycloak Merged ✓ Issue pull requests to keycloak to be reviewed and approved ✓ Make them merged onto keycloak Certified ◼ Pass all of FAPI conformance tests against keycloak  Get certificate confirming that keycloak complies with Financial- grade API (FAPI) OpenID Providers (*) Hitachi, Ltd. has been working for it, and Nomura Research Institute, Ltd. joined it from “Certified” step. We are now already in “Certified” step, working in https://github.com/jsoss-sig/keycloak-fapi. We are happy if you could contribute to it.
  • 14. 13© Hitachi, Ltd. 2019. All rights reserved. 3-2 FAPI: Created and Merged Pull Requests Content Slide # JIRA Ticket Description Pull Request Included Version 1 KEYCLOAK-2604 Support RFC 7636 Proof Key for Code Exchange (PKCE) 3831 3.1.0 2 KEYCLOAK-5661 Return the list of allowed scopes with the issued access token 4527 3.4.0 3 KEYCLOAK-5811 Support client authentication in client_secret_jwt 4835 4.0.0 4 KEYCLOAK-6700 Support s_hash 5022 4.0.0 5 KEYCLOAK-6771 Support Holder of Key mechanism for tokens 5083 4.0.0 6 KEYCLOAK-6768 Support signed and encrypted ID token 5779 Now reviewed by maintainers 7 KEYCLOAK-6770 Support signature algorithm ES256/384/512 for tokens 5533 4.5.0 8 KEYCLOAK-7451 Support server metadata for PKCE 5228 4.0.0 9 KEYCLOAK-7959 Support Holder of Key mechanism for tokens in reverse proxy deployed environment 5418 4.2.0 10 KEYCLOAK-8460 Support signature algorithm ES256/384/512 for request object 5603 4.7.0 11 KEYCLOAK-9756 Support signature algorithm PS256/384/512 for tokens and request object 5974 6.0.0
  • 15. 14© Hitachi, Ltd. 2019. All rights reserved. 3-3 Featured FAPI function : Proof Key for Code Exchange (PKCE) Safeguard against Fraudulent Token Acquisition If an attacker steals a victim’s authorization code… ⚫ Without PKCE Client gets Access Token in return to Authorization Code The attacker can get the victim’s access token in return to the victim’s authorization code. ⚫ With PKCE Client gets Access Token in return to Authorization Code + Code Verifier The attacker can NOT get the victim’s access token in return to the victim’s authorization code alone. We has already contributed supporting PKCE (Included in Keycloak 3.1.0)
  • 16. 15© Hitachi, Ltd. 2019. All rights reserved. 3-4 Featured FAPI function : Holder-of-Key Mechanism Safeguard against Fraudulent Token Exercise If an attacker steals an access token that enable to access victim’s resource … ⚫ Bearer Token Any party possessing a token can exercise this token (e.g., train ticket) The attacker can access a victim’s resource by the access token. ⚫ Holder-of-Key Token Only certain party can exercise a token (e.g. passport) The attacker can NOT access a victim’s resource by the access token. We have contributed supporting Holder-of-Key Token “OAuth2 Certificate Bound Access Tokens” (Included in Keycloak 4.0.0)
  • 17. 16© Hitachi, Ltd. 2019. All rights reserved. 3-5 Featured FAPI function : Secure Signature Algorithm ⚫ Refactor sign/verify mechanism keycloak before 4.5.0 supported only RS256 and it was hardcoded. We’ve made some part of contribution to refactor sign/verify mechanism with community and now signature algorithm is pluggable (Signature SPI). ⚫ Signature algorithms other than RS256 keycloak before 4.5.0 supported only RS256 for signature. Crypto specialists say RS256 is not strong enough. Either PS256 or ES256 is required in FAPI. We’ve made some part of contribution to support secure signature algorithms : 4.5.0(Tokens) / 4.7.0(Request Object) ES256, ES384, ES512, HS256, HS384,HS512 are supported. 6.0.0(Tokens, Request Object) PS256, PS384, PS512 are supported.
  • 18. 17© Hitachi, Ltd. 2019. All rights reserved. 3-5 FAPI Conformance Tests : Issues to be resolved # Item Description 1 OAuth2 Client Authentication in [MTLS] : support Server Metadata and Client Registration keycloak(6.0.0) has already implemented OAuth2 Client Authentication in the way defined in Section 2 of [MTLS]. However, it has not yet supported its Server Metadata advertisement and Client Registration. 2 OAuth2 Client Authentication in private_key_jwt : support ES256 or PS256 keycloak(6.0.0) has already supported private_key_jwt, but only supported RS256 in private_key_jwt. 3 Advertise "acr" claim in "claims_supported" Server Metadata keycloak(6.0.0) has already support "acr" claim in ID token, but not advertise "acr" in "claims_supported" in Server Metadata. … and so on. All issues and their details can be found in https://github.com/jsoss-sig/keycloak-fapi [why so many issues arise]  Implementer's Draft version 1 (2 Feb, 2017) Read-Only : https://openid.net/specs/openid-financial-api-part-1-ID1.html Read and Write : https://openid.net/specs/openid-financial-api-part-2-ID1.html We worked with this version. ◼ Implementer's Draft version 2 (17 Oct, 2018) Read-Only : https://openid.net/specs/openid-financial-api-part-1-ID2.html Read and Write : https://openid.net/specs/openid-financial-api-part-2-ID2.html Conformance test checks requirements on this version.
  • 19. 18© Hitachi, Ltd. 2019. All rights reserved. Concluding Remarks ⚫ We try to support WebAuthn RP’s feature onto keycloak. Prototype : https://github.com/webauthn4j/keycloak-webauthn-authenticator Design Document : https://github.com/keycloak/keycloak-community/pull/11 … but not yet completed. ⚫ We try to make keycloak satisfy FAPI’s requirements and get FAPI’s certificate. Conformance Test Execution : https://github.com/jsoss-sig/keycloak-fapi … but not yet completed. We are very happy if you make some contributions to those work.
  • 20. © Hitachi, Ltd. 2019. All rights reserved. Takashi Norimatsu 12 June 2019 Hitachi, Ltd. OSS Solution Center END KeyConf 2019 @ STFC Hartree Centre, United Kingdom Implementing Web Authentication API (WebAuthn) & Financial-Grade API (FAPI) supports on keycloak 19
  • 21. 20© Hitachi, Ltd. 2019. All rights reserved. Trademark • FIDO is a trademark or registered trademark of FIDO Alliance, Inc. in the United States and other countries. • OpenID is a trademark or registered trademark of OpenID Foundation in the United States and other countries. • Github is a trademark or registered trademark of Github, Inc. in the United States and other countries. • Other brand names and product names used in this material are trademarks, registered trademarks, or trade names of their respective holders.