Authorization Architecture Patterns: How to Avoid Pitfalls in #OAuth / #OIDC Deployment #api

Tatsuo Kudo, Digital Identity Professional at Authlete

Prepared for API World 2019 https://sched.co/T4bw

• 1. Authorization Architecture Patterns: How to Avoid Pitfalls in OAuth/OIDC Deployment
  Tatsuo Kudo, Authlete, Inc.
• 2. About Me
  • Tatsuo Kudo https://www.linkedin.com/in/tatsuokudo
    – Sun Microsystems (1998-2008)
    – Nomura Research Institute (2008-2018)
    – OpenID Foundation Japan (2013-2014)
    – NRI SecureTechnologies (2014-2018)
    – Authlete (2018-)
  • VP of Solution Strategy
• 3. Who is Authlete?
  • A Tokyo / London based company providing “API Authorization Backend-as-a-Service” enabling developers to quickly and securely implement OAuth 2.0, OpenID Connect, Financial-grade API and CIBA.
  • https://www.authlete.com/
• 4. In This Talk
  • OAuth / OpenID Connect (OIDC) basics
  • Deployment architecture patterns in the wild
  • Future-proof API authorization services
• 5. OAuth / OIDC Basics
• 6. How API Servers Grant Access for Clients
  • Client credentials e.g. API Key (and API secret)
    – Simple but not scalable
  • Flow: 1. API request with client credentials (API Client → API Server); 2. API response
      GET /items/12345 HTTP/1.1
      x-api-key: <API Key>
• 7. How API Servers Grant Access for Clients
  • Tokens in exchange for client credentials
    – More flexible but limited to client-server authentication
  • Flow: 1. Token request with client credentials (API Client → Authorization Server (AS)); 2. Token response; 3. API request with token (API Client → API Server); 4. API response
      POST /token HTTP/1.1
      Authorization: Basic <Key:Secret>

      GET /items/12345 HTTP/1.1
      Authorization: Bearer <Token>
• 8. How API Servers Grant Access for Clients
  • Tokens in exchange for authorization proof
    – Resource owner / assertion issuer can participate in the access granting process
  • Flow: 1. Authorization / assertion request (API Client → Resource Owner / Assertion Issuer, i.e. a User or an Organization); 2. Authorization code / assertion; 3. Token request with authorization code / assertion (API Client → Authorization Server (AS)); 4. Token response; 5. API request with token (API Client → API Server); 6. API response
      HTTP/1.1 302 Found
      Location: https://as/authorize?...
      (User authentication and consent)

      GET /items/12345 HTTP/1.1
      Authorization: Bearer <Token>
• 9. OAuth at a Glance
  • Framework for API access delegation using tokens
    – RFC 6749 describes token granting process and essential grant flows such as authorization code and client credentials
  • Highly extensible for broad use cases
    – Extensible grant type
    – User-involved (with user agents) and unattended (service accounts for machines)
  • Sister standard: OpenID Connect
    – “ID Token” to convey user authentication event from Identity Provider to Relying Party
• 10. “OAuth Dance”
  • Resource Owner e.g. end user
  • User Agent e.g. Web browser
  • Client e.g. Web application using APIs
  • Authorization Server e.g. user authentication server
  • Resource Server e.g. API server
• 11. Basic OAuth/OIDC: Authorization Code Grant Flow / Bearer Token
  Participants: Resource Owner, User Agent, Client, Authorization Server, Resource Server
  Sequence: (Start) → Authorization request (Authorization Request) → User authentication and consent → Authorization response (Authorization Code) → Token request (Authorization Code) → Token response (Access Token) → API request (Access Token) → API response (API Response) → (End)
  • Receive Authorization Request and return Authorization Code
  • Receive Authorization Code and return Access Token
  • Receive API Request with Access Token and return API response
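The sequence on slide 11, as an added example that is not part of the deck: a minimal Python model of the authorization server (authorization endpoint, token endpoint and an RFC 7662-style introspection endpoint) and a resource server that validates the bearer token through introspection. All class, function and client names are this example's own assumptions; run_flow() also exercises two pitfalls the talk warns about, code replay and a code redeemed by a different client.

```python
import secrets
from dataclasses import dataclass, field

CODE_TTL = 60      # seconds: authorization codes are short-lived and single-use
TOKEN_TTL = 3600   # seconds: bearer token lifetime


@dataclass
class Client:
    client_id: str
    client_secret: str
    redirect_uris: tuple   # exact-match allow-list registered with the AS


@dataclass
class AuthorizationServer:
    """Protocol operations and token management for the authorization code grant."""
    clients: dict
    codes: dict = field(default_factory=dict)    # code -> grant record
    tokens: dict = field(default_factory=dict)   # access token -> token record

    def authorize(self, client_id, redirect_uri, scope, subject, now):
        """Authorization endpoint, called after user authentication and consent.
        Binds a fresh one-time code to the client, redirect URI, scope and user."""
        client = self.clients.get(client_id)
        if client is None or redirect_uri not in client.redirect_uris:
            # Do not redirect anywhere: an unregistered redirect_uri is the classic open-redirect pitfall.
            raise ValueError("invalid_request")
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                            "scope": scope, "sub": subject, "exp": now + CODE_TTL}
        return code

    def token(self, client_id, client_secret, code, redirect_uri, now):
        """Token endpoint: authenticate the client, then redeem the code exactly once."""
        client = self.clients.get(client_id)
        if client is None or not secrets.compare_digest(client.client_secret, client_secret):
            return {"error": "invalid_client"}
        grant = self.codes.pop(code, None)   # pop() makes the code single-use
        if (grant is None or grant["exp"] < now or grant["client_id"] != client_id
                or grant["redirect_uri"] != redirect_uri):
            return {"error": "invalid_grant"}   # expired, replayed, or issued to another client/URI
        access_token = secrets.token_urlsafe(32)
        self.tokens[access_token] = {"client_id": client_id, "sub": grant["sub"],
                                     "scope": grant["scope"], "exp": now + TOKEN_TTL}
        return {"access_token": access_token, "token_type": "Bearer",
                "expires_in": TOKEN_TTL, "scope": grant["scope"]}

    def introspect(self, token, now):
        """RFC 7662-shaped answer for the resource server; unknown and expired tokens look identical."""
        rec = self.tokens.get(token)
        if rec is None or rec["exp"] < now:
            return {"active": False}
        return {"active": True, **rec}


class ResourceServer:
    """API server that accepts bearer tokens and asks the AS (token introspection) before serving."""

    def __init__(self, auth_server):
        self.auth_server = auth_server

    def handle(self, authorization_header, required_scope, now):
        """Returns an HTTP status code and body for GET /items/12345 (constructed resource)."""
        scheme, _, token = (authorization_header or "").partition(" ")
        if scheme != "Bearer" or not token:
            return 401, {"error": "invalid_request"}
        info = self.auth_server.introspect(token, now)
        if not info["active"]:
            return 401, {"error": "invalid_token"}
        if required_scope not in info["scope"].split():
            return 403, {"error": "insufficient_scope"}
        return 200, {"item": "12345", "owner": info["sub"]}


def run_flow(now=1_000_000):
    """Walks the slide 11 sequence end to end, then tries code replay, a code redeemed by
    another client, and an expired token. Returns the observed outcomes."""
    clients = {"app": Client("app", "app-secret", ("https://app.example/cb",)),      # constructed
               "other": Client("other", "other-secret", ("https://other.example/cb",))}
    auth_server = AuthorizationServer(clients)
    api = ResourceServer(auth_server)
    # Authorization request, user authentication and consent, authorization code
    code = auth_server.authorize("app", "https://app.example/cb", "items:read", "alice", now)
    # Token request with the code, token response
    token_response = auth_server.token("app", "app-secret", code, "https://app.example/cb", now + 5)
    # API request with the bearer token, API response
    status, body = api.handle("Bearer " + token_response["access_token"], "items:read", now + 10)
    replay = auth_server.token("app", "app-secret", code, "https://app.example/cb", now + 6)
    code2 = auth_server.authorize("app", "https://app.example/cb", "items:read", "alice", now)
    wrong_client = auth_server.token("other", "other-secret", code2, "https://other.example/cb", now + 1)
    expired = api.handle("Bearer " + token_response["access_token"], "items:read", now + TOKEN_TTL + 10)
    return {"api_status": status, "api_body": body, "replay": replay,
            "wrong_client": wrong_client, "expired_status": expired[0]}
```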
• 12. Advanced OAuth/OIDC for High-Stakes Transactions: FAPI (Financial-grade API)
  https://www.authlete.com/fapi
  Actors: Fintechs, Banks, Adversaries
  Flow: Authorization / token request → Authorization / token response → API requests with the token
  • Preventing fraudulent token exchange by signing requests and responses
  • Threat: token theft. Preventing fraudulent access by using mutual TLS to detect the identity of the requester: stolen tokens won’t work as the adversaries can’t use the signing certificate bound to these tokens
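What “certificate-bound tokens” on slide 12 means in practice, as an added example (not from the deck): the RFC 8705 check a resource server performs, comparing the cnf / x5t#S256 thumbprint recorded in the token with the client certificate presented on the mutual-TLS API call. Token signing and the TLS handshake are left out, and the certificate bytes are constructed stand-ins; function names are this example's own.

```python
import base64
import hashlib
import hmac
from typing import Optional


def x5t_s256(cert_der: bytes) -> str:
    """RFC 8705 thumbprint: base64url (no padding) of SHA-256 over the certificate's DER bytes."""
    digest = hashlib.sha256(cert_der).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def issue_bound_token(subject: str, scope: str, client_cert_der: bytes) -> dict:
    """Token endpoint side (decoded claims only; signing omitted). The AS records the thumbprint
    of the certificate the client presented on the mutual-TLS token request in the 'cnf' claim."""
    return {"sub": subject, "scope": scope, "cnf": {"x5t#S256": x5t_s256(client_cert_der)}}


def authorize_api_request(token: dict, presented_cert_der: Optional[bytes]) -> tuple:
    """Resource server side. Returns (HTTP status, reason). A FAPI resource server requires the
    token to be sender-constrained and the API call to arrive over mutual TLS with the same cert."""
    bound = token.get("cnf", {}).get("x5t#S256")
    if bound is None:
        return 401, "token is not certificate-bound"
    if presented_cert_der is None:
        return 401, "no client certificate on the API request"
    if not hmac.compare_digest(bound, x5t_s256(presented_cert_der)):
        return 401, "certificate thumbprint does not match the token binding"
    return 200, "ok"


# Constructed stand-ins for DER-encoded certificates (real ones come from the TLS handshake).
FINTECH_CERT = b"constructed DER bytes: fintech client certificate"
OTHER_CERT = b"constructed DER bytes: some other certificate"


def demo() -> dict:
    """A token bound to the fintech's certificate is only usable together with that certificate."""
    token = issue_bound_token("alice", "accounts:read", FINTECH_CERT)
    unbound = {"sub": "alice", "scope": "accounts:read"}   # plain bearer token: rejected by a FAPI RS
    return {
        "legitimate": authorize_api_request(token, FINTECH_CERT)[0],
        "replayed_without_mtls": authorize_api_request(token, None)[0],
        "replayed_with_other_cert": authorize_api_request(token, OTHER_CERT)[0],
        "unbound_token": authorize_api_request(unbound, FINTECH_CERT)[0],
    }
```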
• 13. Advanced OAuth/OIDC for “Decoupled Authentication”: CIBA (Client Initiated Backchannel Authentication)
  https://www.authlete.com/ciba
  • Use case 1: Voice-initiated money transfer
    – Alice tells her smart speaker “Send $50 to Bob”
    – Alice’s smart speaker initiates a payment via the pre-registered bank’s APIs (banking APIs with CIBA)
    – The bank notifies the bank’s app on Alice’s smartphone: “Send Bob $50?”
  • Use case 2: Call-center-initiated payment
    – Teleshopping’s call center initiates a payment via the pre-registered payment service’s APIs (payment APIs with CIBA)
    – The payment service notifies the payment app on Alice’s smartphone: “Buy? $50”
• 14. Building Authorization Servers From Scratch
  • Handmade OAuth server was valid in the good old days (circa early 2010’s)
  • It is no longer applicable nowadays
    – A lot of OAuth extensions are now emerging
      • Assertion framework, PKCE, JWT client authentication, device grant, …
    – Security considerations are frequently being updated for new use cases and threats
      • Mobile app ecosystem, microservices, high-stakes transactions, …
  Source: https://twitter.com/blhjelm/status/1055551254401736704, https://hackerone.com/hacktivity?order_direction=DESC&order_field=latest_disclosable_activity_at&filter=type%3Aall&querystring=oauth
• 15. Services Integrated with Authorization Server
  • Identity and access management (IAM)
  • API management (e.g. API gateways)
  • Authorization decision service that decides “who has access to what in which context” for token requests
  Diagram: Client, Protected Resources, Resource Owner, Authorization Server, IAM Service, Authorization Decision Service, API Gateway; interactions: User authentication and consent, Token request, API request, Token introspection
  • 17. 17 • Authorization server provides at least two functionalities – Protocol operations (OAuth, OIDC and their extensions) – Token management (life cycle, clients, scopes etc.) • Authorization server would often be a part of other system – Application runtime – IAM system – API gateways Where Authorization Server Belongs Authorization Server Protocol Operations Token Management
• 18. AS Embedded in Application Runtime
  – Pros
    • Application developers don’t need to handle OAuth
  – Cons
    • Runtime vendors usually don’t give OAuth functionality high priority; it is sometimes obsolete
  Diagram components: Client Applications, Resource Owner, Application Runtime containing Authorization Server Subsystem, Authorization Decision Implementation and API Endpoints, IAM Service; flows shown: user authentication and consent, token request, API request
• 19. AS Separated as IAM System
  – Pros
    • IAM vendors are usually serious (and competing) in adopting open standards
  – Cons
    • User management and authentication services are tightly integrated with the AS
    • Authorization decision needs to be implemented on the vendor’s proprietary extension framework
  Diagram components: Client, Protected Resources, Resource Owner, IAM System containing Authorization Server Subsystem, User Authentication Subsystem and Authorization Decision Subsystem, API Gateway; flows shown: user authentication and consent, token request, API request, token introspection
• 20. AS Integrated with API Gateways
  – Pros
    • Familiar to API operations teams
  – Cons
    • API gateway vendors usually don’t give OAuth functionality high priority; it is sometimes obsolete
    • Authorization decision needs to be implemented on the vendor’s proprietary extension framework
  Diagram components: Client, Protected Resources, Resource Owner, API Gateway containing Authorization Server Subsystem, Authorization Decision Subsystem and API Endpoint Subsystem, IAM Service; flows shown: user authentication and consent, token request, API request
• 21. What Developers Really Needed
  – Freedom of choice for development
  – Offloading cumbersome protocol operations and token management
  – Leveraging the best-suited solutions and/or other subsystems within the organization
  Diagram components: Client, Protected Resources, Resource Owner, Authorization Server, IAM Service, Authorization Decision Service, API Gateway
• 23. Introducing Semi-hosted Pattern
  – Deploying a “backend” behind your authorization server
  – Your authorization server acting as the “frontend”
  – No need to consider “what to do next with what methods” in OAuth/OIDC protocol processing
  Diagram components: Client, Protected Resources, Resource Owner, Authorization Server Frontend, Authorization Server Backend, IAM Service, Authorization Decision Service, API Gateway; flows shown: user authentication and consent, token request, API request, token introspection
• 24. Solution Example: Authlete Semi-Hosted Authorization Server Solution (© 2018 Authlete, Inc.)
  – Authlete: Authlete Authorization Backend APIs and the Authorization Information (e.g. Tokens) Database
  – Customer’s environment: Authorization Server (the authorization frontend) leveraging existing services for Authorization Decision, User Authentication, Consent Management and Entitlement Management; API Servers / Gateways exposing /data, /function, /transaction, /…
  – API Clients: Websites, Mobile, Networked Devices
  – Flows: Authorization Request (client → authorization server), OAuth/OIDC Processing Request (authorization server → Authlete), API Access (client → API servers / gateways), Authorization Status Check (API servers / gateways → Authlete)
  – Key points: leveraging existing services; authorization decision logic with no dependency on Authlete; separation of operation between authorization server and API servers; externalizing cumbersome OAuth/OIDC processing and token management; OSS components available via GitHub
• 25. Sequence is Simple - Implementation is Not
  Sequence diagram participants: Resource Owner, User Agent, Client, Authorization Server, Resource Server
  Sequence: (Start) → Authorization request → User authentication and consent → Authorization response → Token request → Token response → API request → API response → (End)
  Authorization server tasks along the way: Processing Authorization Request, Issuing Authorization Code, Processing Token Request, Access Token Introspection
• 26. Offloading These Tasks to Authlete
  – Processing Authorization Request → POST /auth/authorization
  – Issuing Authorization Code → POST /auth/authorization/issue
  – Processing Token Request → POST /auth/token
  – Access Token Introspection → POST /auth/introspection
  Sequence diagram: as on slide 25, with Authlete API added as a participant for each of the four tasks
• 27. 1. Processing Authorization Request
  – Send the query parameters “as is” to Authlete: POST /auth/authorization
      {
        "parameters": "response_type=code&client_id=57297408867&redirect_uri=https%3A%2F%2Fapi.authlete.com%2Fapi%2Fmock%2Fredirection%2F10167240235"
      }
  – Authlete returns a ticket and the information needed for authentication and consent:
      {
        "action": "INTERACTION",
        "client": { (OAuth client information) },
        "service": { (Authlete service information) },
        "ticket": "c4iy3TWGn74UMO7ihRl0ZS8OEUzV9axBlBbJbqxH-9Q",
        […]
      }
  Highlighted step in the sequence diagram: Processing Authorization Request
• 28. 2. Issuing Authorization Code
  – Send the ticket and the frontend-generated user identifier: POST /auth/authorization/issue
      {
        "ticket": "FFgB9gwb_WXh6g1u-UQ8ZI-d_k4B-o-cm7RkVzI8Vnc",
        "subject": "78yM7DpDNgUTF7h4"
      }
  – Authlete returns the response content to be sent back to the client:
      {
        "action": "LOCATION",
        "responseContent": "https://api.authlete.com/api/mock/redirection/10167240235?code=_VSzpgug3OpdUymcbLYJjH1v9tE4hSPaxX_pSkxUUyk",
        […]
      }
  Highlighted step in the sequence diagram: Issuing Authorization Code and Tokens
• 29. 3. Processing Token Request
  – Send the token request parameters (the form body) “as is” to Authlete, together with the client credentials: POST /auth/token
      {
        "parameters": "grant_type=authorization_code&code=DkKMvKzrRAsWErsWCChNX_gydqqgA55AW2OJlXmNTQI&redirect_uri=https%3A%2F%2Fapi.authlete.com%2Fapi%2Fmock%2Fredirection%2F10167240235",
        "clientId": 57297408867,
        "clientSecret": "[…]",
        […]
      }
  – Authlete returns the response content to be sent back to the client:
      {
        "responseContent": "{\"scope\":null,\"expires_in\":86400,\"token_type\":\"Bearer\",\"refresh_token\":\"sdQqY9Tbhsq6ZsWm1rZLgW4A3yxIk6RcgmmexHZ9BXB\",\"access_token\":\"rt5bUJsGfS17YCSmYGtgelMtokTLdoCmBe4VUFCk1YZ\"}",
        […]
      }
  Highlighted step in the sequence diagram: Processing Token Request
• 30. 4. Access Token Introspection
  – Send a token for introspection: POST /auth/introspection
      {
        "token": "VFGsNK-5sXiqterdaR7b5QbRX9VTwVCQB87jbr2_xAI"
      }
  – Authlete returns the details associated with the token:
      {
        "type": "introspectionResponse",
        "resultCode": "A056001",
        "resultMessage": "[A056001] The access token is valid.",
        "action": "OK",
        "clientId": 57297408867,
        "clientIdAliasUsed": false,
        "existent": true,
        "expiresAt": 1511252965000,
        "refreshable": true,
        "responseContent": "Bearer error=\"invalid_request\"",
        "subject": "78yM7DpDNgUTF7h4",
        "sufficient": true,
        "usable": true
      }
  Highlighted step in the sequence diagram: Access Token Introspection
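Added example (not from the slides and not Authlete's own SDK code): a minimal authorization-server frontend plus resource server that drive the four backend calls of slides 26–30 by dispatching on the backend's "action" field, which is the whole job the semi-hosted pattern leaves to the frontend. The backend is replaced by a constructed in-memory FakeBackend so the block runs offline; the endpoint paths and JSON field names (parameters, ticket, subject, action, responseContent, clientId, clientSecret, usable, sufficient) are those shown on the slides, while the client credentials, the redirect URI, the action values INVALID_CLIENT, UNAUTHORIZED, FORBIDDEN and INTERNAL_SERVER_ERROR and the action-to-HTTP-status table are assumptions made here. Two things the happy-path slides do not show are exercised: a replayed authorization code is rejected at the token endpoint, and a rejected bearer token yields a 401 whose WWW-Authenticate header is taken from the backend's responseContent (the OK response on slide 30 also carries that string, but the example only uses it when the action is not OK).

```python
"""Semi-hosted AS frontend: forward each request to the backend, dispatch on its "action".
Added example, not Authlete's code. Paths and field names follow slides 26-30; FakeBackend is
a constructed in-memory stand-in so this runs offline; action values and HTTP statuses not
shown on the slides are assumptions."""
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse


class FakeBackend:
    """Constructed stand-in for the backend API: one registered client, state kept in memory."""

    def __init__(self, client_id, client_secret, redirect_uri):
        self.client = (client_id, client_secret, redirect_uri)
        self.tickets, self.codes, self.tokens = {}, {}, {}

    def post(self, path, body):
        cid, secret, ruri = self.client
        bad = {"action": "BAD_REQUEST", "responseContent": '{"error":"invalid_request"}'}
        if path == "/auth/authorization":
            q = parse_qs(body["parameters"])
            if q.get("response_type") != ["code"] or q.get("client_id") != [str(cid)] or q.get("redirect_uri") != [ruri]:
                return bad
            ticket = secrets.token_urlsafe(32)
            self.tickets[ticket] = ruri        # the ticket ties the later /issue call to this request
            return {"action": "INTERACTION", "ticket": ticket, "client": {"clientId": cid}}
        if path == "/auth/authorization/issue":
            redirect = self.tickets.pop(body["ticket"], None)      # tickets are single use
            if redirect is None:
                return bad
            code = secrets.token_urlsafe(32)
            self.codes[code] = body["subject"]
            return {"action": "LOCATION", "responseContent": f"{redirect}?code={code}"}
        if path == "/auth/token":
            if (body.get("clientId"), body.get("clientSecret")) != (cid, secret):
                return {"action": "INVALID_CLIENT", "responseContent": '{"error":"invalid_client"}'}
            q = parse_qs(body["parameters"])
            subject = self.codes.pop(q.get("code", [""])[0], None)  # codes are one-time: a replay fails
            if q.get("grant_type") != ["authorization_code"] or subject is None or q.get("redirect_uri") != [ruri]:
                return {"action": "BAD_REQUEST", "responseContent": '{"error":"invalid_grant"}'}
            token = secrets.token_urlsafe(32)
            self.tokens[token] = {"subject": subject, "expiresAt": int(time.time() + 86400) * 1000}
            return {"action": "OK", "responseContent": json.dumps(
                {"access_token": token, "token_type": "Bearer", "expires_in": 86400, "scope": None})}
        if path == "/auth/introspection":
            info = self.tokens.get(body["token"])
            if info is None or info["expiresAt"] <= time.time() * 1000:
                return {"action": "UNAUTHORIZED", "existent": info is not None, "usable": False,
                        "sufficient": False, "responseContent": 'Bearer error="invalid_token"'}
            return {"action": "OK", "usable": True, "sufficient": True, "clientId": cid, "subject": info["subject"],
                    "expiresAt": info["expiresAt"], "responseContent": 'Bearer error="invalid_request"'}
        raise ValueError(f"unknown backend path {path}")


# HTTP status per backend action (assumed mapping; the slides show only the happy path).
STATUS = {"OK": 200, "LOCATION": 302, "FORM": 200, "BAD_REQUEST": 400, "INVALID_CLIENT": 401,
          "UNAUTHORIZED": 401, "FORBIDDEN": 403, "INTERNAL_SERVER_ERROR": 500}


def authorization_endpoint(backend, query_string, authenticate):
    """Slides 27-28: forward the query "as is"; authenticate only when asked; then issue."""
    res = backend.post("/auth/authorization", {"parameters": query_string})
    if res["action"] != "INTERACTION":
        return STATUS[res["action"]], {}, res.get("responseContent", "")
    subject = authenticate()           # frontend-owned login and consent; yields the user identifier
    res = backend.post("/auth/authorization/issue", {"ticket": res["ticket"], "subject": subject})
    headers = {"Location": res["responseContent"]} if res["action"] == "LOCATION" else {}
    return STATUS[res["action"]], headers, "" if headers else res.get("responseContent", "")


def token_endpoint(backend, form_body, client_id, client_secret):
    """Slide 29: forward the form body plus the client credentials taken from HTTP Basic auth."""
    res = backend.post("/auth/token", {"parameters": form_body, "clientId": client_id, "clientSecret": client_secret})
    headers = {"Content-Type": "application/json", "Cache-Control": "no-store"}
    if res["action"] == "INVALID_CLIENT":
        headers["WWW-Authenticate"] = 'Basic realm="token"'   # RFC 6749 section 5.2, Basic-authenticated client
    return STATUS[res["action"]], headers, res["responseContent"]


def protected_resource(backend, authorization_header):
    """Slide 30: the resource server introspects; on rejection responseContent is the WWW-Authenticate value."""
    scheme, _, token = authorization_header.partition(" ")
    if scheme != "Bearer" or not token:
        return 401, {"WWW-Authenticate": "Bearer"}, ""
    res = backend.post("/auth/introspection", {"token": token})
    if res["action"] != "OK" or not (res["usable"] and res["sufficient"]):
        return STATUS[res["action"]], {"WWW-Authenticate": res["responseContent"]}, ""
    return 200, {"Content-Type": "application/json"}, json.dumps({"item": 12345, "owner": res["subject"]})


def run_flow(client_id=57297408867, client_secret="s3cret", subject="78yM7DpDNgUTF7h4",
             redirect_uri="https://client.example/cb"):
    """Drive the slide-25 sequence end to end, then replay the same authorization code."""
    backend = FakeBackend(client_id, client_secret, redirect_uri)
    query = urlencode({"response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri})
    authz_status, headers, _ = authorization_endpoint(backend, query, lambda: subject)
    code = parse_qs(urlparse(headers["Location"]).query)["code"][0]
    form = urlencode({"grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri})
    token_status, _, token_body = token_endpoint(backend, form, client_id, client_secret)
    api_status, _, api_body = protected_resource(backend, "Bearer " + json.loads(token_body)["access_token"])
    replay_status, _, _ = token_endpoint(backend, form, client_id, client_secret)   # same code again
    return {"authz": authz_status, "token": token_status, "api": api_status,
            "owner": json.loads(api_body)["owner"], "replay": replay_status}
```

Calling run_flow() returns authz 302, token 200, api 200, owner "78yM7DpDNgUTF7h4" and replay 400. The design point is that none of the three frontend functions parses an OAuth parameter or checks a credential itself: every decision comes back as an action, and the only frontend-owned logic is the authenticate() callback and the mapping from actions to HTTP responses, which is what lets the decision logic, IAM and UI stay independent of the backend.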
• 31. Semi-Hosted Pattern in Action: Seven Bank
  – They have been using Authlete instead of Azure API Management’s built-in OAuth 2.0
    • It didn’t meet their requirement for open banking APIs
  – They haven’t deployed any IAM for the API infrastructure
    • Their existing internet banking system does user authentication and consent as well as entitlement management
  Diagram components: Client (Bank App and Third-Party Providers), Other Apps, Bank Customers, Authorization Server Frontend, Internet Banking System, Authorization Decision Service, API Management on Microsoft Azure, Authlete; flows shown: user authentication and consent, token request, API request
  Sources for the diagrams: https://www.isid.co.jp/case/case/2018sevenbank.html, https://www.isid.co.jp/news/release/2018/0919.html
• 33. Build a Future-Proof Authorization Server
  – Examine which pattern is the best for your context
    • Application runtime if API authorization doesn’t matter
    • IAM system if you want the AS tightly coupled with the user authentication service
    • API gateways if you want to build everything on that infrastructure
  – If none of the options above works for you, do consider the semi-hosted pattern
    • Take back the right to implement your own authorization server
  Semi-hosted architecture: Authorization Server FRONTEND (UI/UX, authorization decision logic, identity & access management) + Authlete API BACKEND (token management, OAuth/OIDC protocol processing)
• 34. Resources
  – Justin Richer (@justin__richer)’s blog entry on the semi-hosted service: https://link.medium.com/SPXhiVMfz0
  – Taka Kawasaki (@darutk)’s blog entry on its implementation: https://link.medium.com/ROV8nUTfz0
  – Authlete: https://www.authlete.com/