Copyright© Nomura Research Institute, Ltd. All rights reserved.
FAPI and beyond
From the standpoint of a specification author
Nat Sakimura, Research Fellow, NRI
Chairman, OpenID Foundation
@_nat_en
🌏 https://nat.sakimura.org/
linkedin.com/in/natsakimura
JWT
JWS
OAuth PKCE
OpenID Connect
Nat Sakimura (崎村夏彦)
• Author of:
– OpenID Connect Core 1.0
– JSON Web Token [RFC7519]
– JSON Web Signature [RFC7515]
– OAuth PKCE [RFC7636]
– OAuth JAR [IETF Last Call]
– Etc.
• Editor of:
– ISO/IEC 29184 Guidelines for online notice and consent
– ISO/IEC 29100 AMD: Privacy Framework – Amendment 1
– ISO/IEC 27551 Requirements for attribute based unlinkable entity authentication
– Etc.
• Chairman of the OpenID Foundation
• Chair of the Financial API WG
• Head of the Japanese national subcommittee for ISO/IEC JTC 1/SC 27/WG5
• Liaison from WG5 to OECD/SPDE
• Research Fellow, Nomura Research Institute
• https://www.sakimura.org
• https://nat.sakimura.org
• @_nat_en (English)
• @_nat (Japanese)
• https://www.linkedin.com/in/natsakimura
• https://ja.wikipedia.org/wiki/崎村夏彦
API Security
OAuth solves everything?
“combining the correct component is the important thing. Just saying use OAuth is not a solution”
-- Mark O’Neill, Gartner, @APIDays Paris 2016
(SOURCE) Photo taken by Nat Sakimura @APIDays on 13th Dec. 2016
In the mobile-first era, using OAuth 2.0 is the way to go, but…
Because…
OAuth is a Framework
“This framework was designed with the clear expectation that future work will define prescriptive profiles and extensions necessary to achieve full web-scale interoperability.” (RFC 6749, Section 1.8)
There are many options to choose from.
Which options should we choose to achieve high enough security for financial usage?
[Figure: 2×2 chart of value of the resource (low/high) against environment control level (low/high). Quadrants: social sharing; closed-network application; Financial API – Read only; Financial API – Read & Write. Annotations: “e.g., basic choices OK”, “Bearer token not OK”, “Basic choices NOT OK”.]
Solution time!
Financial-Grade API (FAPI) Security Profile
[Figure: the same 2×2 chart of value of the resource against environment control level. Social sharing and closed circuit / factory application: e.g., basic choices OK. There is no need to satisfy all the security requirements with OAuth alone.]
There are multiple consideration points when we think about it.
These are often not observed in implementations. The financial profile needs to address all of them.
• Assumption of one client, one server
• Message authentication
• Sender authentication
• Receiver authentication
• User authentication
• Message confidentiality
• Token phishing / replay
Paraphrased BCM*1 Principles
4 Criteria
(a) Unique source identifier
(b) Protocol + version + message identifier
(c) List of all actors/roles
(d) Detection of message integrity loss
*1 Basin, D., Cremers, C., Meier, S.: Provably Repairing the ISO/IEC 9798 Standard for Entity Authentication. Journal of Computer Security 21(6), 817-846 (2013)
RFC6749 OAuth – code grant protocol messages
• Authorization Request
• Authorization Response
• Token Request
• Token Response
• Assume:
– a network attacker (e.g., browser malware)
– the crypto & TLS are not broken
– pure RFC6749 – three-party static OAuth 2.0
[Figure: the three parties, UA, Client and AS]
RFC 6749 Situation

| Message | Parameters | (a) Unique Source Identifier | (b) Protocol + version identifier | (c) Full list of actor/roles | (d) Message Authentication |
|---|---|---|---|---|---|
| Authorization Request | response_type, client_id, redirect_uri, scope, state | | | | |
| Authorization Response | code, state, other extension parameters | | | | |
| Token Request | grant_type, code, redirect_uri, client credential / client_id | | | | |
| Token Response | access_token, token_type, expires_in, refresh_token, others | | | | |

Legend (colour-coded on the original slide): Required Parameter / Optional Parameter / Recommended Parameter

The parameter combinations in each message are different, so (b) = Good!
But that’s the end of the happy land.
RFC 6749 – mostly RED

| Message | Parameters | (a) Unique Source Identifier | (b) Protocol + version identifier | (c) Full list of actor/roles | (d) Message Authentication |
|---|---|---|---|---|---|
| Authorization Request | response_type, client_id, redirect_uri, scope, state | Client ID is not globally unique. Tampering possible | OK, but it is not integrity protected | No | No |
| Authorization Response | code, state, other extension parameters | No source identifier | OK, but it is not integrity protected | No | No |
| Token Request | grant_type, code, redirect_uri, client credential / client_id | Client ID is not globally unique | OK (as long as there is no OAuth 3.0) | No | OK |
| Token Response | access_token, token_type, expires_in, refresh_token, others | No source identifier | As above | No | OK |
Sender, Receiver, Message authentication in RFC6749

| | Sender AuthN | Receiver AuthN | Msg AuthN |
|---|---|---|---|
| AuthZ Req | Indirect | None | None |
| AuthZ Res | None | None | None |
| Token Req | Weak | Good | Good |
| Token Res | Good | Good | Good |
whaaa
OAuth 2.0 options and the security levels

Authorization Req/Res and the security levels (rows ordered from highest to lowest security level):

| Functionality | Note |
|---|---|
| JWS Authz Req w/ Hybrid Flow | Protection of the authorization request |
| Hybrid Flow*1 (confidential client) | Protection of the authorization response |
| Code Flow (confidential client) + PKCE + MTLS | Countermeasure against code injection; elimination of long-lived bearer tokens |
| Code Flow (confidential client) | Client authentication |
| Implicit Flow | No client authentication |
| Plain OAuth | Anonymous |

*1) Includes ‘s_hash’ to avoid state injection.

Token Types and Security Level (higher row first):

| Functionality | Note |
|---|---|
| Sender Constrained Token (記名式トークン, a “named” token) | Only the party it was issued to can use the token |
| Bearer Token (持参人トークン) | A stolen token can also be used |

Part 1 / Part 2 (labels on the slide)
Can be strengthened

| Message | Parameters | (a) Unique Source Identifier | (b) Protocol + version identifier | (c) Full list of actor/roles | (d) Message Authentication |
|---|---|---|---|---|---|
| Authorization Request | response_type, client_id, redirect_uri, scope, state | Unique redirect URI + Client ID | OK (unique parameter list) | (a) + state as the UA identifier / TBID as UA identifier | Request signing by JAR |
| Authorization Response | code, state, other extension parameters | Unique redirect URI | OK (unique parameter list) | (a) + client_id + state as the UA identifier / TBID as UA identifier | Response signing by ID Token + s_hash |
| Token Request | grant_type, code, redirect_uri, client credential / client_id | Unique redirect URI + Client ID | OK (unique parameter list) | (a) + state as the UA identifier / TBID as UA identifier | TLS protected |
| Token Response | access_token, token_type, expires_in, refresh_token, others | Unique redirect URI | OK (unique parameter list) | (a) + client_id + state as the UA identifier / TBID as UA identifier | TLS protected |
FAPI RW Security Profile

| | Sender AuthN | Receiver AuthN | Msg AuthN |
|---|---|---|---|
| AuthZ Req | Request Object | Request Object | Request Object |
| AuthZ Res | Hybrid Flow | Hybrid Flow | Hybrid Flow |
| Token Req | Good | Good | Good |
| Token Res | Good | Good | Good |
FAPI Security Profile = PKCE [RFC7636] + JAR [RFCxxxx] + Hybrid Flow [OIDC] + Sender Constrained Tokens (MTLS / Token Binding)
PKCE: RFC7636
• A mechanism for binding the authorization request, the authorization response and the token request together.
• A one-time key is generated when the authorization request is sent, and its hash is attached to the authorization request.
• The authorization server binds this hash to the code.
• By attaching the generated key to the token request, the whole sequence of messages in the flow can be tied together.
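The four PKCE steps above, as an added example that is not code from the slides or from any FAPI implementation: the AuthorizationServer class is a constructed in-memory model of the two endpoints, and the client and token values are constructed sample data.

```python
"""PKCE (RFC 7636): binding the authorization request, the authorization
response and the token request with a one-time key.
Added example, not code from the slides; AuthorizationServer is a
constructed in-memory model of the endpoints, not a real server."""
import base64
import hashlib
import hmac
import secrets


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding RFC 7636 uses for both values."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_verifier() -> str:
    """Step 1: the client generates a fresh one-time key (code_verifier) just
    before sending the authorization request; 32 random bytes give the
    43-character minimum length."""
    return b64url(secrets.token_bytes(32))


def make_challenge(verifier: str) -> str:
    """Step 2: only the SHA-256 hash (code_challenge, method S256) travels in
    the authorization request, so an observer of that request and of the
    response learns nothing that lets it finish the flow."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Steps 3 and 4 on the AS side: remember the challenge together with the
    code, then recompute the hash from the verifier presented at the token
    endpoint and compare it with the one bound to the code."""

    def __init__(self):
        self._codes = {}  # code -> (client_id, code_challenge)

    def authorize(self, client_id: str, code_challenge: str, method: str = "S256") -> str:
        # A financial-grade profile accepts S256 only, never "plain".
        if method != "S256":
            raise ValueError("code_challenge_method must be S256")
        code = b64url(secrets.token_bytes(24))
        self._codes[code] = (client_id, code_challenge)
        return code

    def token(self, client_id: str, code: str, code_verifier: str):
        """Returns a token response dict, or None when the binding fails."""
        entry = self._codes.pop(code, None)  # a code is single-use
        if entry is None:
            return None
        bound_client, challenge = entry
        if bound_client != client_id:
            return None
        if not hmac.compare_digest(make_challenge(code_verifier), challenge):
            return None
        return {"access_token": b64url(secrets.token_bytes(32)),
                "token_type": "Bearer", "expires_in": 300}


def demo():
    """Runs the honest flow, a replay of the same code, and a token request
    by a party that saw the code but never held the verifier."""
    as_ = AuthorizationServer()
    v1 = make_verifier()
    code1 = as_.authorize("client-A", make_challenge(v1))
    honest = as_.token("client-A", code1, v1)
    replay = as_.token("client-A", code1, v1)
    v2 = make_verifier()
    code2 = as_.authorize("client-A", make_challenge(v2))
    without_key = as_.token("client-A", code2, make_verifier())
    return {"honest": honest, "replay": replay, "without_key": without_key}


if __name__ == "__main__":
    print(demo())
```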
JAR (JWS Authorization Request)
• Tampering is detected by attaching a signature to the authorization request.
• Using a public-key signature improves the evidential value and makes repudiation harder.
Hybrid Flow
• A method that signs the authorization response (detached signature).
• An ID Token is returned inside the authorization response.
– Note that this ID Token is a detached signature and does not identify an individual.
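The detached-signature check described above, as an added example that is not code from the slides: the ID Token carries c_hash and s_hash over the code and state, so a client can detect tampering with either. The JWS is signed with HS256 and a constructed shared key only so that it runs on the standard library; in a FAPI deployment the AS signs with its asymmetric key (PS256/ES256), which is assumed here.

```python
"""Hybrid flow (response_type=code id_token): the ID Token in the
authorization response is a detached signature over code and state.
Added example, not code from the slides. HS256 with a constructed key
stands in for the AS's asymmetric signature so the block is self-contained."""
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def half_hash(value: str) -> str:
    """c_hash / s_hash: base64url of the left half of SHA-256 over the ASCII
    value. SHA-256 because the ID Token alg used here ends in 256; a *512
    alg would take the left half of SHA-512 instead."""
    digest = hashlib.sha256(value.encode("ascii")).digest()
    return b64url(digest[: len(digest) // 2])


def sign_id_token(claims: dict, key: bytes) -> str:
    """Compact JWS serialization: header.payload.signature."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def verify_id_token(token: str, key: bytes):
    """Returns the claims when the signature verifies, otherwise None."""
    header, payload, sig = token.split(".")
    signing_input = f"{header}.{payload}".encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(b64url(expected), sig):
        return None
    padded = payload + "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def authorization_response(code: str, state: str, key: bytes,
                           issuer: str = "https://as.example", client_id: str = "client-A"):
    """What the AS sends to the redirect URI: the ID Token is not about a
    person here, it only commits to the code and state that travel with it."""
    claims = {"iss": issuer, "aud": client_id,
              "c_hash": half_hash(code), "s_hash": half_hash(state)}
    return {"code": code, "state": state, "id_token": sign_id_token(claims, key)}


def client_accepts(resp: dict, key: bytes, expected_state: str,
                   issuer: str = "https://as.example", client_id: str = "client-A") -> bool:
    """Client-side check: valid signature, right issuer and audience, the
    state we sent, and code/state matching the hashes the AS signed."""
    claims = verify_id_token(resp["id_token"], key)
    if claims is None:
        return False
    if claims.get("iss") != issuer or claims.get("aud") != client_id:
        return False
    if not hmac.compare_digest(resp["state"], expected_state):
        return False
    return (hmac.compare_digest(claims.get("c_hash", ""), half_hash(resp["code"]))
            and hmac.compare_digest(claims.get("s_hash", ""), half_hash(resp["state"])))


if __name__ == "__main__":
    key = b"constructed-shared-key"
    resp = authorization_response("code-123", "state-xyz", key)
    print(client_accepts(resp, key, "state-xyz"))
    print(client_accepts(dict(resp, code="code-999"), key, "state-xyz"))
```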
Sender Constrained Token
• Whereas a bearer token can be used by anyone, a sender-constrained token is a type of token that cannot be used without holding the corresponding key.
– MTLS https://datatracker.ietf.org/doc/draft-ietf-oauth-mtls/
– Token Binding https://tools.ietf.org/html/draft-ietf-oauth-token-binding-07
It has been adopted by Open Banking UK
(Source) Chris Mitchel, “Banking is now more open”, Identify 2017
(Source) @UKOpenBanking https://twitter.com/UKOpenBanking/status/1017675263243702272
(Source) https://www.zenginkyo.or.jp/fileadmin/res/news/news290713_1.pdf
US FS-ISAC
Moving to align its security requirements
…and many vendors support it too
Also submitted to ISO/TC 68
• Two Implementer’s Drafts have been produced (an update is planned shortly).
[Figure: 2×2 chart of value of the resource against environment control level. Social sharing and closed circuit / factory application: e.g., basic choices OK. Financial API – Read only; Financial API – Read & Write.]
These adopt the redirect approach
• Part 1: Read Only Security Profile
• Part 2: Read and Write Security Profile
[Figure: Redirect Approach / Decoupled Approach / Embedded Approach]
Because every requirement is numbered in a checklist format, checking compliance is easy too.
(source) https://bitbucket.org/openid/fapi/src/master/Financial_API_WD_002.md
Because the cryptographic requirements are also narrowed down, it can be operated securely and with high interoperability.
(source) https://bitbucket.org/openid/fapi/src/master/Financial_API_WD_002.md
The decoupled approach is also under consideration
• CIBA (client initiated backchannel authentication) profile.
[Figure: Redirect Approach / Decoupled Approach / Embedded Approach]
https://bitbucket.org/openid/fapi/src/master/Financial_API_WD_CIBA.md
Embedded Approach…
• Giving one’s bearer token to a third party is a bad idea.
• What about giving an application password (aka access token) by hand?
[Figure: Redirect Approach / Decoupled Approach / Embedded Approach]
And others…
• E.g., the OpenBanking OpenID Dynamic Client Registration Specification
• Intent registration endpoint
[Figure: Client and Server (Intent Registration EP, Authorization EP, Token EP, Redirect URI). Labels: pushing the intent, e.g., to send $1,000 to Bob’s account; Intent ID; AuthZ Req w/ Intent ID; AuthZ Response.]
How do we know that it is implemented correctly?
(Source) https://twitter.com/IdentityMonk/status/1011960862272294912
join us at
https://openid.net/wg/fapi/
@_nat_en (English)
@_nat (Japanese)
🌏 https://nat.sakimura.org/
https://linkedin.com/in/natsakimura
https://nat.sakimura.org/youtube.php
Subscribe!

車輪は丸くなったか?~デジタル・アイデンティティの標準化動向とそのゴール車輪は丸くなったか?~デジタル・アイデンティティの標準化動向とそのゴール
車輪は丸くなったか?~デジタル・アイデンティティの標準化動向とそのゴール
 
OAuth SPOP @ IETF 91
OAuth SPOP @ IETF 91OAuth SPOP @ IETF 91
OAuth SPOP @ IETF 91
 
Oidc how it solves your problems
Oidc how it solves your problemsOidc how it solves your problems
Oidc how it solves your problems
 
Transient client secret extension
Transient client secret extensionTransient client secret extension
Transient client secret extension
 
Introduction to OpenID Connect
Introduction to OpenID Connect Introduction to OpenID Connect
Introduction to OpenID Connect
 
Nc 30 sakimura-distribution_0604
Nc 30 sakimura-distribution_0604Nc 30 sakimura-distribution_0604
Nc 30 sakimura-distribution_0604
 
Smartphone Native Application OP
Smartphone Native Application OPSmartphone Native Application OP
Smartphone Native Application OP
 
Open idとcyber空間
Open idとcyber空間Open idとcyber空間
Open idとcyber空間
 
サイバー空間上の信頼フレームワークとパーソナルデータ経済
サイバー空間上の信頼フレームワークとパーソナルデータ経済サイバー空間上の信頼フレームワークとパーソナルデータ経済
サイバー空間上の信頼フレームワークとパーソナルデータ経済
 
Closing Note
Closing NoteClosing Note
Closing Note
 
20110706 PIDSプロジェクト中間報告
20110706 PIDSプロジェクト中間報告20110706 PIDSプロジェクト中間報告
20110706 PIDSプロジェクト中間報告
 

Último

Cybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxCybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxGDSC PJATK
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1DianaGray10
 
Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Adtran
 
Designing A Time bound resource download URL
Designing A Time bound resource download URLDesigning A Time bound resource download URL
Designing A Time bound resource download URLRuncy Oommen
 
Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1DianaGray10
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Commit University
 
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsSeth Reyes
 
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfIaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfDaniel Santiago Silva Capera
 
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopBachir Benyammi
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024D Cloud Solutions
 
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationUsing IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationIES VE
 
VoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXVoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXTarek Kalaji
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioChristian Posta
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPathCommunity
 
UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6DianaGray10
 
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...Aggregage
 
Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024SkyPlanner
 
UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7DianaGray10
 
Introduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxIntroduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxMatsuo Lab
 

Último (20)

Cybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxCybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptx
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
 
Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™
 
Designing A Time bound resource download URL
Designing A Time bound resource download URLDesigning A Time bound resource download URL
Designing A Time bound resource download URL
 
Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)
 
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and Hazards
 
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfIaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
 
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 Workshop
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024
 
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationUsing IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
 
VoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXVoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBX
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and Istio
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation Developers
 
UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6
 
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
 
Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024
 
UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7
 
Introduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxIntroduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptx
 
201610817 - edge part1
201610817 - edge part1201610817 - edge part1
201610817 - edge part1
 

170724 JP/UK Open Banking Summit English Translation

  • 1. FAPI and beyond – from the standpoint of a specification author. Nat Sakimura, Research Fellow, NRI; Chairman, OpenID Foundation; @_nat_en; 🌏 https://nat.sakimura.org/; linkedin.com/in/natsakimura
  • 2. JWT, JWS, OAuth PKCE, OpenID Connect
  • 3. Nat Sakimura (崎村夏彦)
    – Author of: OpenID Connect Core 1.0; JSON Web Token [RFC7519]; JSON Web Signature [RFC7515]; OAuth PKCE [RFC7636]; OAuth JAR [IETF Last Call]; etc.
    – Editor of: ISO/IEC 29184 Guidelines for online notice and consent; ISO/IEC 29100 AMD: Privacy Framework – Amendment 1; ISO/IEC 27551 Requirements for attribute based unlinkable entity authentication; etc.
    – Chairman, OpenID Foundation; Chair, Financial API WG; Chair, ISO/IEC JTC 1/SC 27/WG 5 Japanese national subcommittee; WG 5 liaison to OECD/SPDE; Research Fellow, Nomura Research Institute
    – https://www.sakimura.org; https://nat.sakimura.org; @_nat_en (English); @_nat (Japanese); https://www.linkedin.com/in/natsakimura; https://ja.wikipedia.org/wiki/崎村夏彦
  • 4. API Security
  • 5. OAuth solves everything?
  • 6. In the mobile-first era, using OAuth 2.0 is the way to go, but… “combining the correct component is the important thing. Just saying use OAuth is not a solution” -- Mark O’Neill, Gartner, @APIDays Paris 2016. (Source) Photo taken by Nat Sakimura @APIDays on 13th Dec. 2016. Because…
  • 7. OAuth is a Framework: “This framework was designed with the clear expectation that future work will define prescriptive profiles and extensions necessary to achieve full web-scale interoperability.”
  • 8. There are many options to choose from.
  • 9. Which options should we choose to achieve high enough security for financial usage? [Chart: value of the resource (low to high) against environment control level (low to high). Social sharing: e.g., basic choices OK. Closed-network application. Financial API – Read only: basic choices NOT OK. Financial API – Read & Write: bearer tokens not OK.]
  • 10. Solution time!
  • 11. Financial-Grade API (FAPI) Security Profile. [Chart: value of the resource against environment control level. Social sharing: e.g., basic choices OK. Closed-circuit factory application.] No need to satisfy all the security requirements by OAuth.
  • 12. There are multiple consideration points when we think about it. These are often not observed in implementations. A financial profile needs to address all of them:
    – Assumption of one client, one server
    – Message authentication
    – Sender authentication
    – Receiver authentication
    – User authentication
    – Message confidentiality
    – Token phishing / replay
  • 13. Paraphrased BCM*1 principles – 4 criteria:
    (a) Unique source identifier
    (b) Protocol + version + message identifier
    (c) List of all actors/roles
    (d) Detection of the message integrity loss
    *1 Basin, D., Cremers, C., Meier, S.: Provably Repairing the ISO/IEC 9798 Standard for Entity Authentication. Journal of Computer Security – Security and Trust Principles archive, Volume 21, Issue 6, 817-846 (2013)
  • 14. RFC6749 OAuth – code grant protocol messages: Authorization Request; Authorization Response; Token Request; Token Response. Assume: a network attacker (e.g., browser malware); the crypto and TLS are not broken; pure RFC6749; three parties, static OAuth 2.0. [Figure: UA, Client, AS]
  • 15. RFC 6749 situation, per message (the slide colour-codes required, optional and recommended parameters):
    – Authorization Request: response_type, client_id, redirect_uri, scope, state
    – Authorization Response: code, state, other extension parameters
    – Token Request: grant_type, code, redirect_uri, client credential / client_id
    – Token Response: access_token, token_type, expires_in, refresh_token, others
    The parameter combination in each message is different, so (b) = Good! But that’s the end of the happy land.
  • 16. RFC 6749 – mostly RED, against the four criteria (a) unique source identifier, (b) protocol + version identifier, (c) full list of actors/roles, (d) message authentication:
    – Authorization Request: (a) Client ID is not globally unique; tampering possible. (b) OK, but it is not integrity protected. (c) No. (d) No.
    – Authorization Response: (a) No source identifier. (b) OK, but it is not integrity protected. (c) No. (d) No.
    – Token Request: (a) Client ID is not globally unique. (b) OK (as long as there is no OAuth 3.0). (c) No. (d) OK.
    – Token Response: (a) No source identifier. (b) As above. (c) No. (d) OK.
  • 17. Sender, receiver and message authentication in RFC6749:
    – AuthZ Req: sender AuthN indirect; receiver AuthN none; message AuthN none
    – AuthZ Res: sender AuthN none; receiver AuthN none; message AuthN none
    – Token Req: sender AuthN weak; receiver AuthN good; message AuthN good
    – Token Res: sender AuthN good; receiver AuthN good; message AuthN good
  • 18. whaaa
  • 19. OAuth 2.0 options and the security levels.
    Authorization Req/Res and the security levels (from highest to lowest, with the protection each adds):
    – JWS Authz Req w/ Hybrid Flow: protection of the authorization request
    – Hybrid Flow*1 (confidential client): protection of the authorization response
    – Code Flow (confidential client) + PKCE + MTLS: countermeasure against code injection; elimination of long-lived bearer tokens
    – Code Flow (confidential client): client authentication
    – Implicit Flow: no client authentication
    – Plain OAuth: anonymous
    *1) Includes ‘s_hash’ to avoid state injection.
    Token types and security level:
    – Sender Constrained Token: usable only by the party it was issued to
    – Bearer Token: a stolen token can also be used
    [The slide marks which rows FAPI Part 1 and Part 2 cover.]
  • 20. Can be strengthened, against the same four criteria:
    – Authorization Request: (a) unique redirect URI + client ID. (b) OK (unique parameter list). (c) (a) + state as the UA identifier / TBID as UA identifier. (d) Request signing by JAR.
    – Authorization Response: (a) unique redirect URI. (b) OK (unique parameter list). (c) (a) + client_id + state as the UA identifier / TBID as UA identifier. (d) Response signing by ID Token + s_hash.
    – Token Request: (a) unique redirect URI + client ID. (b) OK (unique parameter list). (c) (a) + state as the UA identifier / TBID as UA identifier. (d) TLS protected.
    – Token Response: (a) unique redirect URI. (b) OK (unique parameter list). (c) (a) + client_id + state as the UA identifier / TBID as UA identifier. (d) TLS protected.
  • 21. FAPI RW Security Profile:
    – AuthZ Req: sender AuthN, receiver AuthN and message AuthN all provided by the Request Object
    – AuthZ Res: sender AuthN, receiver AuthN and message AuthN all provided by the Hybrid Flow
    – Token Req: sender AuthN good; receiver AuthN good; message AuthN good
    – Token Res: sender AuthN good; receiver AuthN good; message AuthN good
  • 22. FAPI Security Profile = PKCE [RFC7636] + JAR [RFCxxxx] + Hybrid Flow [OIDC] + Sender Constrained Tokens (MTLS / Token Binding)
  • 23. PKCE: RFC7636
    – A mechanism for binding together the authorization request, the authorization response and the token request.
    – A one-time key is generated when the authorization request is sent, and its hash is attached to the authorization request.
    – The authorization server binds this hash to the code.
    – The token request carries the generated key, which ties the whole sequence of messages in the flow together.
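The four PKCE steps above as runnable code, added here and not taken from the deck or from RFC 7636 itself: the client creates a one-time code_verifier, sends only its S256 hash, and a constructed toy authorization server binds that hash to the code and accepts the token request only from a caller presenting the matching verifier. The client_id, redirect_uri and server class are constructed for the example.

```python
import base64
import hashlib
import secrets


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 requires for both values."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def generate_code_verifier(n_bytes: int = 32) -> str:
    """Client side: the one-time secret, created just before the authorization request.
    32 random bytes encode to 43 characters, the RFC 7636 minimum length."""
    return b64url(secrets.token_bytes(n_bytes))


def code_challenge_s256(code_verifier: str) -> str:
    """Client side: only this hash travels in the browser-visible authorization request."""
    return b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Constructed toy AS holding only the state PKCE needs per issued code."""

    def __init__(self):
        self._codes = {}

    def authorize(self, client_id, redirect_uri, code_challenge, code_challenge_method="S256"):
        """Authorization endpoint: issue a code and remember the challenge bound to it."""
        if code_challenge_method not in ("S256", "plain"):
            raise ValueError("unsupported code_challenge_method")
        code = b64url(secrets.token_bytes(24))
        self._codes[code] = {"challenge": code_challenge, "method": code_challenge_method,
                             "client_id": client_id, "redirect_uri": redirect_uri}
        return code

    def token(self, client_id, redirect_uri, code, code_verifier):
        """Token endpoint: True only if the verifier hashes to the challenge bound to this
        code, the code is unused, and client_id / redirect_uri match the original request."""
        entry = self._codes.pop(code, None)  # single use: a replayed code finds nothing
        if entry is None:
            return False
        if entry["client_id"] != client_id or entry["redirect_uri"] != redirect_uri:
            return False
        if entry["method"] == "S256":
            expected = code_challenge_s256(code_verifier)
        else:  # "plain": the verifier itself was sent; allowed only where S256 is impossible
            expected = code_verifier
        return secrets.compare_digest(expected, entry["challenge"])


def demo() -> dict:
    """One honest flow plus the failure modes the binding is there to catch."""
    srv = AuthorizationServer()
    client_id, redirect_uri = "s6BhdRkqt3", "https://client.example.org/cb"  # constructed
    results = {}
    # Honest flow: request, code and token request are tied by the same verifier.
    v1 = generate_code_verifier()
    c1 = srv.authorize(client_id, redirect_uri, code_challenge_s256(v1))
    results["honest"] = srv.token(client_id, redirect_uri, c1, v1)
    results["replay"] = srv.token(client_id, redirect_uri, c1, v1)  # second use of same code
    # A code presented by a party that never held the verifier (the code-injection case).
    v2 = generate_code_verifier()
    c2 = srv.authorize(client_id, redirect_uri, code_challenge_s256(v2))
    results["without_verifier"] = srv.token(client_id, redirect_uri, c2, generate_code_verifier())
    # Right verifier, but the token request does not come from the registered client.
    v3 = generate_code_verifier()
    c3 = srv.authorize(client_id, redirect_uri, code_challenge_s256(v3))
    results["wrong_client"] = srv.token("other-client", redirect_uri, c3, v3)
    return results


if __name__ == "__main__":
    print(demo())
```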
  • 24. JAR (JWS Authorization Request)
    – Tampering is detected by signing the authorization request.
    – Using public-key signatures raises the evidential value and makes repudiation harder.
  • 25. Hybrid Flow
    – A way of signing the authorization response (detached signature).
    – The ID Token is returned as part of the authorization response.
    – Note that this ID Token is a detached signature; it is not something that identifies an individual.
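How the ID Token works as a detached signature over the authorization response, and why slide 19's s_hash matters, as an added example that is not part of the deck: the AS puts c_hash and s_hash (left-most half of SHA-256, base64url) into the ID Token, and the client rejects the response unless the code and state that actually arrived hash to the signed values. Issuer, client_id and key are constructed; the token is HMAC-signed only so the example runs with the standard library, whereas a real AS signs with its private key (FAPI Part 2 requires PS256 or ES256).

```python
import base64
import hashlib
import hmac
import json

DEMO_KEY = b"constructed-demo-key-do-not-use"  # stands in for the AS signing key
ISSUER = "https://as.example.com"               # constructed
CLIENT_ID = "s6BhdRkqt3"                        # constructed


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def half_hash(value: str) -> str:
    """c_hash / s_hash: base64url of the left-most 128 bits of SHA-256 over the ASCII value
    (SHA-256 because the alg ends in 256), per OpenID Connect Core 3.3.2.11 and FAPI Part 2."""
    digest = hashlib.sha256(value.encode("ascii")).digest()
    return b64url(digest[: len(digest) // 2])


def jws_sign(claims: dict, key: bytes) -> str:
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def jws_verify(token: str, key: bytes) -> dict:
    """Returns the claims, or raises ValueError when the token is malformed or forged."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWS")
    header, payload, sig = parts
    if json.loads(b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(payload))


def as_authorization_response(code: str, state: str, nonce: str) -> dict:
    """AS side of response_type=code id_token: the ID Token binds the code and state
    returned beside it, acting as a detached signature over the whole response."""
    id_token = jws_sign({
        "iss": ISSUER, "aud": CLIENT_ID, "nonce": nonce,
        "sub": "subject-placeholder",  # the slide's point: this token is not used to identify a person
        "c_hash": half_hash(code), "s_hash": half_hash(state),
    }, DEMO_KEY)
    return {"code": code, "state": state, "id_token": id_token}


def client_verify_response(resp: dict, expected_state: str, expected_nonce: str) -> bool:
    """Client side: accept the code only if the signed hashes match what actually arrived."""
    try:
        claims = jws_verify(resp.get("id_token", ""), DEMO_KEY)
    except ValueError:
        return False
    if claims.get("iss") != ISSUER or claims.get("aud") != CLIENT_ID:
        return False
    if claims.get("nonce") != expected_nonce or resp.get("state") != expected_state:
        return False
    # A substituted code or state no longer matches the hash the AS signed.
    code_ok = hmac.compare_digest(str(claims.get("c_hash", "")), half_hash(resp.get("code", "")))
    state_ok = hmac.compare_digest(str(claims.get("s_hash", "")), half_hash(resp.get("state", "")))
    return code_ok and state_ok


if __name__ == "__main__":
    good = as_authorization_response("SplxlOBeZQQYbYS6WxSbIA", "af0ifjsldkj", "n-0S6_WzA2Mj")
    print("genuine:", client_verify_response(good, "af0ifjsldkj", "n-0S6_WzA2Mj"))
    print("swapped code:", client_verify_response(dict(good, code="other"), "af0ifjsldkj", "n-0S6_WzA2Mj"))
```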
  • 26. Sender Constrained Token
    – Whereas a bearer token can be used by anyone, a sender-constrained token is a type of token that cannot be used without holding the corresponding key.
    – MTLS: https://datatracker.ietf.org/doc/draft-ietf-oauth-mtls/
    – Token Binding: https://tools.ietf.org/html/draft-ietf-oauth-token-binding-07
  • 27. It has been adopted by Open Banking UK.
  • 28. (Source) Chris Mitchel, “Banking is now more open”, Identify 2017. (Source) @UKOpenBanking https://twitter.com/UKOpenBanking/status/1017675263243702272
  • 29. (Source) https://www.zenginkyo.or.jp/fileadmin/res/news/news290713_1.pdf
  • 30. US FS-ISAC: moving towards aligning its security requirements.
  • 31. …and many vendors support it as well.
  • 32. Also submitted to ISO/TC 68.
  • 33. Two Implementer’s Drafts have been produced (an update is planned shortly). [Chart: value of the resource against environment control level. Social sharing: e.g., basic choices OK. Closed-circuit factory application. Financial API – Read only. Financial API – Read & Write.]
  • 34. These adopt the redirect approach: Part 1: Read Only Security Profile; Part 2: Read and Write Security Profile. [Figure: Redirect Approach / Decoupled Approach / Embedded Approach]
  • 35. Every requirement is numbered in a checklist format, so checking conformance is easy. (Source) https://bitbucket.org/openid/fapi/src/master/Financial_API_WD_002.md
  • 36. The cryptographic requirements are also narrowed down, so it can be operated both securely and with high interoperability. (Source) https://bitbucket.org/openid/fapi/src/master/Financial_API_WD_002.md
  • 37. The decoupled approach is also under consideration: CIBA (client initiated backchannel authentication) profile. [Figure: Redirect Approach / Decoupled Approach / Embedded Approach] https://bitbucket.org/openid/fapi/src/master/Financial_API_WD_CIBA.md
  • 38. Embedded Approach…
    – Giving one’s bearer token to a third party is a bad idea.
    – What about giving an application password (aka access token) by hand? [Figure: Redirect Approach / Decoupled Approach / Embedded Approach]
  • 39. And more… e.g., The OpenBanking OpenID Dynamic Client Registration Specification
  • 40. Intent registration endpoint. [Figure: Client and Server, the latter with an Intent Registration EP, Authorization EP and Token EP. The client pushes the intent, e.g., to send $1,000 to Bob’s account, to the Intent Registration EP and receives an Intent ID; the AuthZ Req carries the Intent ID to the Authorization EP; the AuthZ Response arrives at the client’s Redirect URI.]
  • 41. How do we know that it is implemented correctly?
  • 42. (Source) https://twitter.com/IdentityMonk/status/1011960862272294912
  • 43. Join us at https://openid.net/wg/fapi/
  • 44. @_nat_en (English); @_nat (Japanese); 🌏 https://nat.sakimura.org/; https://linkedin.com/in/natsakimura; https://nat.sakimura.org/youtube.php – Subscribe!