What API Specifications and Tools Help Engineers to Construct a High-Security API System?
Hitachi, Ltd. OSS Solution Center.
API Specifications Conference 2019
1.
© Hitachi, Ltd. 2019. All rights reserved.
What API Specifications and Tools Help Engineers to Construct a High-Security API System?
API Specifications Conference 2019
Hitachi, Ltd. OSS Solution Center, Yoshiyuki Tabata
2.
About the speaker
Yoshiyuki Tabata: OSS Solution Center, Hitachi, Ltd. @Yokohama, Japan
https://github.com/y-tabata
• Software engineer
• Building high-security banking API systems
• API Management & Identity Management: 3scale, Keycloak
• Contributor to 3scale
• Developed the "Edge Limiting policy", "Keycloak Role Check policy" and "OAuth MTLS policy"
3.
Contents
1. Introduction: HIGH-SECURITY API System Overview
2. Standards and features surrounding a high-security API system
3. Other useful features that help engineers test the high-security API system
4.
API System Overview
Components of the API system (diagram):
• API Gateway / API Management Product, for example 3scale or NGINX
• Identity Management Product, for example Keycloak
• API Backend
• Client Application
Flow: the client application sends an API request to the API gateway; the gateway authorizes the request in cooperation with the identity management product, forwards the authorized API request to the API backend, and relays the API response back to the client application.
5.
Testing the API System
The diagram is the same as the API system overview, with two test components added:
• Use Swagger UI as a mock client. Swagger UI is useful here because it supports the OAuth 2.0 authorization grants.
• Create a mock server. The "Generate Server" feature of the Swagger tooling is one candidate.
6.
HIGH-SECURITY API System Overview
Same components as the API system overview. The difference is how the client application makes its requests, in compliance with high-security standards such as:
- PKCE
- OAuth MTLS
In the diagram, the client application's requests carry the PKCE code challenge and its client certificate, and the API request forwarded through the gateway carries the client certificate; the gateway still authorizes the API request in cooperation with the identity management product.
7.
Testing the HIGH-SECURITY API System
Same test setup as before, but:
• You CANNOT use Swagger UI as a mock client: Swagger UI does NOT support high-security features such as PKCE and OAuth MTLS.
• Create a mock server: the "Generate Server" feature of the Swagger tooling is still one candidate.
8.
Testing the HIGH-SECURITY API System (continued)
(Same diagram as the previous slide: Swagger UI cannot be the mock client, a mock server can be generated.) I created a mock!
9.
Contents
1. Introduction: HIGH-SECURITY API System Overview
2. Standards and features surrounding a high-security API system (this section)
3. Other useful features that help engineers test the high-security API system
10.
Standards for a high-security API system
OAuth 2.0 is the common standard for securing APIs; almost all API systems comply with it. However, a lot is left to implementers, so insecure usage can easily happen.
OIDC (OpenID Connect) standardizes user verification using an ID token.
PKCE (Proof Key for Code Exchange) standardizes how to mitigate the authorization code interception attack.
FAPI (Financial-grade API) is a hardened profile of OAuth 2.0 and OIDC that standardizes their secure usage. Its Read and Write profile requires holder-of-key (sender-constrained) access tokens, and OAuth MTLS is the mechanism specified for that, which is why OAuth MTLS is effectively required by FAPI.
11.
OAuth 2.0 Authorization Grant
OAuth 2.0 (RFC 6749) defines 4 types of authorization grants:
- Authorization code grant
- Resource owner password credentials grant
- Client credentials grant
- Implicit grant
The authorization code grant is the most suitable grant for a high-security API system: the end-user does NOT need to tell the password to the application.
Diagram: the end-user uses the application; the identity management server authenticates the user (username, password) and issues tokens to the application; the application sends the API request with the token to the API gateway.
12.
Authorization Code Grant
Participants: End-user, Browser, Application, Identity Management Server, API Gateway.
1. The end-user uses the application.
2. The application redirects the browser to the identity management server.
3. The identity management server authenticates the user.
4. The identity management server redirects the browser back to the application and issues an authorization code.
5. The application requests tokens using the authorization code.
6. The identity management server issues tokens.
7. The application sends the API request with the token to the API gateway.
13.
Issues of the Authorization Code Grant
Same sequence as the authorization code grant, with two points of attack:
- An attacker who intercepts the authorization code (on the redirect back to the application) can request tokens with it.
- An attacker who intercepts the tokens (in the token response, or in an API request carrying the token) can call the API.
14.
PKCE
Same sequence, with the PKCE parameters added:
- When redirecting the browser to the identity management server, the application also sends the code challenge.
- When requesting tokens using the authorization code, the application also sends the code verifier.
PKCE mitigates the authorization code interception attack. The code challenge is a hash value of the code verifier. The server calculates the code challenge from the received code verifier and, if it matches the one sent with the authorization request, issues tokens. An attacker who only intercepted the authorization code never saw the verifier, so the code cannot be redeemed.
15.
PKCE implementation in our mock (1/2)
Implement PKCE just as defined in RFC 7636:
- Create code_verifier (43 <= character length <= 128).
- Generate code_challenge from code_verifier:
  code_challenge = BASE64URL-ENCODE(SHA256(ASCII(code_verifier)))
- Attach code_challenge to the URL to which the application redirects the browser (the authorization endpoint).
code_challenge_method may be "S256" or "plain". RFC 7636 requires a client that can compute SHA-256 to use "S256"; "plain" sends the verifier itself as the challenge and gives no protection against an attacker who can observe the authorization request, so use "S256".

    // Build the authorization request URL (authorization code grant + PKCE).
    // NOTE: redirect_uri and scope should be URL-encoded (e.g. URLEncoder.encode)
    // before being appended; the fragment below appends them as stored.
    String url = session.getRealm().getAuthorizationEndpoint()
            + "?response_type=code"
            + "&redirect_uri=" + session.getClientApplication().getRedirectUri()
            + "&client_id=" + session.getClientApplication().getClientId()
            + "&scope=" + session.getClientApplication().getScope()
            + "&state=" + session.getState();
    if (session.getClientApplication().isPkce()) {
        // code_challenge is base64url without padding, so it is URL-safe as-is
        url += "&code_challenge=" + session.getClientApplication().getCodeChallenge()
                + "&code_challenge_method=S256";
    }
16.
PKCE implementation in our mock (2/2)
Implement PKCE just as defined in RFC 7636:
- When requesting tokens, attach code_verifier as a form parameter.

    // Token request (JAX-RS Form) for the authorization code grant
    Form form = new Form();
    form.param("grant_type", "authorization_code");
    form.param("code", request.getParameter("code"));
    form.param("redirect_uri", session.getClientApplication().getRedirectUri());
    form.param("client_id", session.getClientApplication().getClientId());
    form.param("client_secret", session.getClientApplication().getClientSecret());
    if (session.getClientApplication().isPkce()) {
        // the verifier from which the code_challenge sent earlier was derived
        form.param("code_verifier", session.getClientApplication().getCodeVerifier());
    }

Regarding Swagger UI, PKCE support is discussed in Issue #5348 and implemented in PR #5361, so I hope it gets merged.
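The PKCE steps of slides 14 to 16, carried through for both sides as an added example (not the speaker's Java mock, whose session objects are not shown here): the client generates the verifier and challenge and builds the authorization URL, and a small stand-in for the identity management server's authorization and token endpoints performs the check that Keycloak performs in the real system. The MockAuthorizationServer class, its method names and the run_flow helper are assumptions made for this example; only the Python standard library is used.

```python
# Added example, not code from the talk: PKCE (RFC 7636) on the client side
# and the authorization-server side, standard library only.
import base64
import hashlib
import hmac
import secrets
import string
from typing import Dict, Optional, Tuple
from urllib.parse import urlencode

# RFC 7636 section 4.1: code_verifier uses only unreserved URI characters
UNRESERVED = frozenset(string.ascii_letters + string.digits + "-._~")


def b64url(data: bytes) -> str:
    """base64url without '=' padding, as required by RFC 7636 Appendix A."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    """Random verifier; 32..96 random bytes give 43..128 base64url characters."""
    if not 32 <= nbytes <= 96:
        raise ValueError("nbytes must be between 32 and 96")
    return b64url(secrets.token_bytes(nbytes))


def code_challenge(verifier: str, method: str = "S256") -> str:
    """code_challenge = BASE64URL-ENCODE(SHA256(ASCII(code_verifier))) for S256."""
    if method == "S256":
        return b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    if method == "plain":
        return verifier  # no protection against anyone who sees the request
    raise ValueError("unsupported code_challenge_method: " + method)


def build_authorization_url(endpoint: str, client_id: str, redirect_uri: str,
                            scope: str, state: str, challenge: str) -> str:
    """The redirect URL of slide 15, with every parameter URL-encoded."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return endpoint + "?" + urlencode(params)


class MockAuthorizationServer:
    """Assumed stand-in for the identity management server's two endpoints."""

    def __init__(self, allow_plain: bool = False) -> None:
        self.allow_plain = allow_plain
        # code -> (client_id, code_challenge, code_challenge_method)
        self._codes: Dict[str, Tuple[str, str, str]] = {}

    def authorize(self, client_id: str, challenge: str, method: str) -> str:
        """Authorization endpoint: remember the challenge with the issued code."""
        if method == "plain" and not self.allow_plain:
            raise ValueError("code_challenge_method=plain is not allowed")
        if method not in ("S256", "plain"):
            raise ValueError("unsupported code_challenge_method: " + method)
        code = secrets.token_urlsafe(24)
        self._codes[code] = (client_id, challenge, method)
        return code

    def token(self, client_id: str, code: str, verifier: str) -> Optional[dict]:
        """Token endpoint: redeem the code only if the verifier matches."""
        entry = self._codes.pop(code, None)  # single use, even on failure
        if entry is None:
            return None
        stored_client, challenge, method = entry
        if stored_client != client_id:
            return None
        if not 43 <= len(verifier) <= 128 or not set(verifier) <= UNRESERVED:
            return None
        expected = code_challenge(verifier, method)
        if not hmac.compare_digest(expected, challenge):
            return None
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}


def run_flow(intercept: bool = False) -> bool:
    """Honest client flow, or the code-interception attack when intercept=True.
    Returns True if tokens were issued to the party redeeming the code."""
    server = MockAuthorizationServer()
    verifier = make_code_verifier()
    challenge = code_challenge(verifier)
    code = server.authorize("mock-client", challenge, "S256")
    if intercept:
        # The attacker saw the redirect carrying the code but never saw the
        # verifier, which stayed inside the application; any guess fails.
        attacker_guess = make_code_verifier()
        return server.token("mock-client", code, attacker_guess) is not None
    return server.token("mock-client", code, verifier) is not None
```

run_flow() returns True for the honest client and False for the interceptor; the server also rejects a second redemption of the same code and, by default, the "plain" method. The verifier in the RFC 7636 Appendix B test vector produces the challenge given there, which is a quick check for any S256 implementation.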
17.
OAuth MTLS

Actors: End-user, Browser, Application, Identity Management Server, API Gateway.

Flow:
1. Redirect the browser to the identity management server.
2. Authenticate the user.
3. Redirect the browser back to the application and issue the authorization code.
4. Request tokens using the authorization code, presenting the client cert in the TLS handshake.
5. Issue tokens bound to that client cert.
6. Send the API request with the token, again presenting the client cert; the API gateway checks both.

OAuth MTLS mitigates the token interception attack:
- Register the client cert information of the application in advance.
- The identity management server checks the client cert on the token request and so mitigates the interception attack.
- The token includes a hash value of the client cert.
- The gateway calculates the hash value from the client cert presented on its own TLS connection and, if it matches, allows calling the API. A stolen token is useless without the client's private key.

The binding only proves possession if the cert was actually presented in the TLS handshake with the gateway (or forwarded by a TLS-terminating proxy over a trusted channel); a cert hash read from an unauthenticated request header proves nothing.
18.
OAuth MTLS implementation in our mock

    // Trust store: CA certificates the mock trusts for the server side of the connection.
    // Key store: the mock's own client cert and private key, presented in the TLS handshake.
    SslConfigurator sslConfig = SslConfigurator.newInstance()
            .trustStoreFile("Trust Store File").trustStorePassword("pass")
            .keyStoreFile("Key Store File").keyPassword("pass");
    SSLContext sslContext = sslConfig.createSSLContext();
    ...
    Client client;
    if (isMtls) {
        client = ClientBuilder.newBuilder().sslContext(sslContext).build();
    } else {
        client = ClientBuilder.newClient();
    }

Including the application server layer, every layer has to be set up so that the client cert can be sent. In the case of Jersey, setting an SSLContext on ClientBuilder is what makes the client present its cert. The store passwords appear as literals here only because this is a mock; a real client reads them from configuration, not source code.
19.
OAuth MTLS implementation for access control

Implement just as defined in draft-ietf-oauth-mtls-17 (later published as RFC 8705):
- Check that the "cnf" claim in the access token and the hash value of the client cert are the same.

API System: Mock Client --(API request with client cert)--> API Gateway / API Management Product --> Mock Server, with the Identity Management Product issuing the cert-bound token.

Access token payload (excerpt):

    { ..., "cnf": { "x5t#S256": "xUcKf..." }, ... }

Calculate the hash value:
  # BASE64URL-ENCODE(SHA256(DER-ENCODED(X.509 cert)))
and compare it with the "x5t#S256" member of the "cnf" claim.

cf. PR #1101 of 3scale (APIcast), which I submitted.
20.
Contents
1. Introduction: HIGH-SECURITY API System Overview
2. Standards and features surrounding high-security API system
3. Other useful features that help engineers to test the high-security API system
21.
Common challenge for testing the API system

API System: Mock Client --(test API request)--> API Gateway / API Management Product --> Mock Server, with the Identity Management Product issuing the tokens.

The request comes back with 403 !? Is the issued token OK? Is the logic of access control OK?

It is troublesome to confirm:
- whether it was the expected behavior or not, and
- where the problem is.
For example, we need to check each product's log each time.
22.
Useful feature 1: Decode tokens

Identity Management Product --(issue tokens)--> Mock Client --> Decode!

If we can decode the token using the mock, we can check whether the issued token is OK or not right there.

Token response (encoded; the token is not readable as is):

    {"access_token":"eyJhb...", ...}

Decoded payload (readable):

    {
      "jti": "937e192...",
      "exp": 1568012060,
      ...
      "iss": "https://server...",
      ...
      "azp": "sample_client",
      ...
      "cnf": { "x5t#S256": "xUcKf..." },
      "scope": "openid sample_scope"
    }

We can check:
- expiry time (exp)
- user/client information (iss, azp, ...)
- hashed client cert (cnf)
- scope
etc.
23.
How to implement decoding tokens

    // Match the three base64url parts of a JWS compact serialization (dots escaped; the
    // signature part may be empty for an unsecured JWT).
    var accessTokenRegex = /^([A-Za-z0-9_-]+)\.([A-Za-z0-9_-]+)\.([A-Za-z0-9_-]*)[ ]*$/;
    var accessTokenResult = accessTokenRegex.exec(accessToken);
    // The second group is the payload. atob() only accepts standard base64, so map the
    // base64url alphabet back ("-" -> "+", "_" -> "/") and restore the padding first.
    var payload = accessTokenResult[2].replace(/-/g, '+').replace(/_/g, '/');
    payload += '='.repeat((4 - payload.length % 4) % 4);
    // atob() yields a binary string; escape()/decodeURIComponent() turns its bytes back into UTF-8 text.
    var decodedPayload = decodeURIComponent(escape(atob(payload)));
    var dataPayload = JSON.parse(decodedPayload);

Access tokens come in two kinds, "self-contained" and "reference/opaque". Only a self-contained token can be decoded, and its format is JSON Web Token (JWT):
  # JWT = BASE64URL(Header).BASE64URL(Payload).BASE64URL(Signature)
The important information is in the Payload, so extract it with the regex and decode it. Decoding is not verification: nothing here checks the signature, so the mock displays a forged or expired token just as readily as a valid one. That is fine for a test tool; the gateway or resource server must verify the token before trusting its claims.
24.
Useful feature 2: Call endpoints of the authorization server

Mock Client --(call endpoints)--> Identity Management Product

Endpoints and what they do:
- Authorization Endpoint: issues the authorization code.
- Token Endpoint: issues tokens.
- Token Introspection Endpoint: checks token validity. (RFC 7662)
- UserInfo Endpoint: shows the authenticated user's information. (OIDC)
- Well-Known Endpoint: shows the authorization server metadata. (RFC 8414)
- Logout Endpoint / Token Revocation Endpoint: logs the client out; token revocation is specified in RFC 7009.

If we can call these endpoints using the mock, we can check right there whether the access control (e.g. token introspection) is working correctly or not.

Calling the authorization and token endpoints is already supported, since the mock uses them in the authorization code flow. Calling the remaining endpoints is not supported yet, but it is important to know what these endpoints return to the client.
25.
How to implement calling endpoints

This is not difficult. These endpoints are usually published officially, and all we do is call them according to the specification.

Example of Keycloak:
- Authorization Endpoint (issues the authorization code): /realms/{realm-name}/protocol/openid-connect/auth
- Token Endpoint (issues tokens): /realms/{realm-name}/protocol/openid-connect/token
- Token Introspection Endpoint (checks token validity, RFC 7662): /realms/{realm-name}/protocol/openid-connect/token/introspect
- UserInfo Endpoint (shows the authenticated user's information, OIDC): /realms/{realm-name}/protocol/openid-connect/userinfo
- Well-Known Endpoint (shows the authorization server metadata, RFC 8414 / OIDC Discovery): /realms/{realm-name}/.well-known/openid-configuration
- Logout Endpoint (ends the user's session; RFC 7009 token revocation is a separate endpoint): /realms/{realm-name}/protocol/openid-connect/logout

Rather than hard-coding these paths, a client can read them from the well-known document, which publishes them as authorization_endpoint, token_endpoint, introspection_endpoint, userinfo_endpoint and end_session_endpoint.
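As an added example, not the deck's mock code, the following Node.js block shows the two endpoint calls the slides single out as most useful for a test client: resolving the endpoints from the well-known document instead of hard-coding realm paths, and building and evaluating a token introspection request per RFC 7662. The metadata document is a constructed sample in Keycloak's layout, the client credentials, token and introspection responses are constructed, and nothing is sent over the network; the request object is what you would hand to fetch or any HTTP client.

```javascript
// Added example (Node.js), not the deck's mock: discover endpoints from the well-known
// document and build / evaluate a token introspection call as specified in RFC 7662.

// RFC 8414 / OIDC Discovery: read the endpoints instead of hard-coding realm paths.
function resolveEndpoints(metadata) {
  for (const name of ['authorization_endpoint', 'token_endpoint', 'introspection_endpoint']) {
    if (typeof metadata[name] !== 'string') throw new Error(`metadata lacks ${name}`);
  }
  return {
    authorization: metadata.authorization_endpoint,
    token: metadata.token_endpoint,
    introspection: metadata.introspection_endpoint,
    userinfo: metadata.userinfo_endpoint,       // OIDC
    endSession: metadata.end_session_endpoint,  // OIDC RP-initiated logout (Keycloak's logout endpoint)
    revocation: metadata.revocation_endpoint,   // RFC 7009, if the server offers one
  };
}

// RFC 7662 section 2.1: POST form with "token" (and optional token_type_hint); the caller
// must authenticate, here with HTTP Basic client credentials.
function buildIntrospectionRequest(introspectionEndpoint, clientId, clientSecret, token, hint = 'access_token') {
  const basic = Buffer.from(`${clientId}:${clientSecret}`, 'utf8').toString('base64');
  return {
    method: 'POST',
    url: introspectionEndpoint,
    headers: {
      'Content-Type': 'application/x-www-form-urlencoded',
      Accept: 'application/json',
      Authorization: `Basic ${basic}`,
    },
    body: new URLSearchParams({ token, token_type_hint: hint }).toString(),
  };
}

// RFC 7662 section 2.2: "active": false means the token is not usable, whatever else the
// response contains. Everything after that check is the gateway's own access-control policy.
function evaluateIntrospection(response, policy, now = Math.floor(Date.now() / 1000)) {
  if (response.active !== true) return { allow: false, reason: 'token inactive (revoked, expired or unknown)' };
  if (typeof response.exp === 'number' && response.exp <= now) return { allow: false, reason: 'token expired' };
  const scopes = typeof response.scope === 'string' ? response.scope.split(' ') : [];
  if (!scopes.includes(policy.requiredScope)) return { allow: false, reason: `missing scope ${policy.requiredScope}` };
  if (policy.requireCertificateBound && !(response.cnf && response.cnf['x5t#S256'])) {
    return { allow: false, reason: 'token is not certificate-bound' };
  }
  return { allow: true, subject: response.sub, clientId: response.client_id };
}

// Constructed sample metadata in Keycloak's layout for a realm named "demo".
const sampleIssuer = 'https://server.example/realms/demo';
const sampleMetadata = {
  issuer: sampleIssuer,
  authorization_endpoint: `${sampleIssuer}/protocol/openid-connect/auth`,
  token_endpoint: `${sampleIssuer}/protocol/openid-connect/token`,
  introspection_endpoint: `${sampleIssuer}/protocol/openid-connect/token/introspect`,
  userinfo_endpoint: `${sampleIssuer}/protocol/openid-connect/userinfo`,
  end_session_endpoint: `${sampleIssuer}/protocol/openid-connect/logout`,
};

// Constructed sample introspection responses, i.e. what the mock would show the engineer.
const activeResponse = {
  active: true, exp: 1568012060, sub: 'user-123', client_id: 'sample_client',
  scope: 'openid sample_scope', cnf: { 'x5t#S256': 'xUcKf-sample' },
};
const inactiveResponse = { active: false };
```

Showing the raw introspection response next to the gateway's decision is what turns the "403 !?" from the earlier slide into a concrete answer: either the server says the token is inactive, or it is active and the gateway's policy (scope, certificate binding) rejected it.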
26.
Summary
• Key features for a high-security API system:
  • PKCE
  • OAuth MTLS
• Useful features to test the high-security API system:
  • Decode tokens
  • Call endpoints of the authorization server
• These features are not only necessary for engineers to test the API system but also valuable for every application developer!
  • Can check the high-security requirements of APIs.
  • Can check the details of the issued tokens.
  • Can check how to use the authorization server endpoints.
• It would be great to hear your suggestions on where we should propose this.
27.
Trademarks
• OpenID is a trademark or registered trademark of OpenID Foundation in the United States and other countries.
• NGINX is a registered trademark of NGINX Inc.
• Other brand names and product names used in this material are trademarks, registered trademarks, or trade names of their respective holders.