Introduction to the FAPI Read & Write OAuth Profile

Transcription

1 Nomura Research Institute Introduction to the FAPI Read & Write OAuth Profile Nat Foundation Chairman of the board Research Fellow OpenID is a registered trademark of the OpenID Foundation. *Unless otherwise noted, all the photos and vector images are licensed by GraphicStocks.

2 Using itunes? Using Android? Using Google? Using MS Office 365? 2

3 Over 3 Billion served. 3

4 International standards OpenID Connect OAuth PKCE(RFC7636) JSON Web Token (JWT) JSON Web Signature (JWS) ISO/IEC OAuth JAR (RFC TBD) ISO/IEC AMD1 JIS X 9250 Etc. 4

5 An international standardization expert and a protocol designer on identity, access management, and privacy 5

6 Nat Sakimura Chairman, OpenID Foundation Chair, Financial API WG Head of delegate from Japanese National Body to ISO/IEC JTC 1/SC 27/WG5 WG5 OECD/SPDE Liaison Research Nomura Research Institute (NRI) (Co-)Author of: OpenID Connect Core 1.0 JSON Web Token [RFC7519] JSON Web Signature [7515] OAuth PKCE [RFC7636] OAuth JAR [IETF Last Call] Etc. (Co-)Editor of: ISO/IEC Guidelines for online notice and consent ISO/IEC AMD: Privacy Framework Amendment 1 ISO/IEC Requirements for attribute based unlinkable entity authentication Etc. (Japanese) natsakimura 崎村夏彦 Copyright(C) Nomura Research Institute, Ltd. All rights reserved. 6 6

7 FAPI Updates 7

8 A year ago in APIDays Paris Introduced FAPI WG Copyright(C) Nomura Research Institute, Ltd. All rights reserved.

9 OAuth is a framework needs to be profiled This framework was designed with the clear expectation that future work will define prescriptive profiles and extensions necessary to achieve full web-scale interoperability. 9

10 Which OAuth? 10

11 11

12 Value of the resource That creates specification to take care of medium to high risk API access security. High e.g., Closed circuit Factory application Financial API Read & Write Bearer Basic token choices Not NOT OK OK Financial API Read only Basic choices ok. Social sharing Low High Environment control level Low No need to satisfy all the security requirments by OAuth 12 12

13 That can serve all financial transactions including PSD2, but not limited to. 13

14 FAPI Security Profile is a general purpose higher security API protection mechanism based on OAuth framework. 14

15 It has been adopted by Open Banking UK 15

16 9 Major banks in UK goes live on January, 2018 (Source) Copyright Chris 2016 Mitchel, Nat Sakimura. Banking All is Rights now more Reserved. open, Identify

17 It is also recommended by the Japanese Banker s association (source) 17

18 US FS-ISAC aligning their security requirements 18

19 and major IAM vendors are implementing it 19

20 II. What is OpenID Foundation It has been developed within OpenID Foundation A WG can be spun up by more than three members proposing and by the approval by the Specs Council and the Board review (2 weeks). Specs Council is composed by the current editors of the specs and checks the overlaps with other WGs or SDOs. The board checks that it will not cause IPR threats to the foundation. Copyright(C) Nomura Research Institute, Ltd. All rights reserved

21 II. What is OpenID Foundation At FAPI WG since there are right people, IPR, and structure Right People All the authors of OAuth, JWT, JWS, OpenID Connect are here. Right IPR Loyalty free, mutual non-assert IPR: Anyone can freely implement. Right Structure No fee for joining a WG (Sponsors welcome) WTO TBT Treaty compliant process

22 II. What is OpenID Foundation Working Together (Co-Chair) Anoop Saxena (Chair) (Co-Chair) Nat Sakimura Tony Nadalin fido 2.0 WG Chair W3C Web Authn WG Chair (UK OBIE Liaison) OpenID FAPI Liaison Organizations TC 68 JTC 1/SC 27/WG

23 II. What is OpenID Foundation The work progresses with a weekly tele-conferences, mailing list discussions and project repository ( ) Draft Text Commit History Pull Requests Issue Tracker Meeting notes 23 23

24 Value of the resource We have issued two implementer s drafts e.g., High Closed circuit Factory application Financial API Read & Write Financial API Read only Basic choices ok. Social sharing Low High Environment control level Low 24

25 Which are redirect approach Part 1: Read Only Security Profile Part 2: Read and Write Security Profile Redirect Approach Decoupled Approach Embedded Approach 25

26 While RFC6749 is not complete with source, destination, and message authentication, TLS Terminated AuthZ Req AuthZ Res Token Req Token Res Sender AuthN Receiver AuthN Message AuthN Indirect None None None None None Weak Good Good Good Good Good TLS Protected Clien t UA TLS Protected TLS Protected AS 26

27 FAPI Part 2 is complete with source, destination, and message authentication. By using OpenID Connect s Hybrid Flow and Request Object, you are pretty well covered. Sender AuthN Receiver AuthN Message AuthN AuthZ Req Request Object Request Request object Object AuthZ Res Hybrid Flow Hybrid Flow Hybrid Flow Token Req Good Good Good Token Res Good Good Good 27 27

28 Tokens are Sender Constrained instead of being bearer Security Levels Token Types Sender Constrained Token Notes Only the entity that was issued can used the token. Bearer Token Stolen tokens can also be used 28

29 These are in the form of check lists. (source) 29

30 Crypto Requirements are tightened for interoperability and security (source) 30

31 And now working on the decoupled approach CIBA (client initiated backchannel authentication) profile. Redirect Approach Decoupled Approach Embedded Approach 31

32 We are not working on Embedded Approach Since we do not know how it can be phishing resistant W3C Web Authentication will not work. Come to the WG if you know how IPR release is necessary though. GDPR explicit consent for third party data transfer? What would be the liability implications? Redirect Approach Decoupled Approach Embedded Approach 32

33 We have other works as well E.g. The OpenBanking OpenID Dynamic Client Registration Specification 33

34 How can we tell that the implementation conforms to the specification? 34

35 II. What is OpenID Foundation OpenID Foundation provides the online test environment for the implementers to test their conformance. Once it passes the test, the implementer can self-certify and publish. That gets the implementers under the premise of the article 5 of the FTC Act. The log will be openly available so others can also find out false claims. See for details 35 35

36 36

37 37

38 * Not Invented Here 38

39 But work together in the open, IPR safe environment. 39

40 uestions? 40