Slide 1

Slide 1 text

Authlete Feature Update
Authlete, Inc. Co-founder, Representative Director Takahiko Kawasaki
March 25, 2019

Slide 2

Slide 2 text

Authlete timeline:
2014/01 Authlete
2015/09 Authlete
2016/09 Authlete UK
2016/11 FINOLAB
2017/02 OpenID Foundation
2017/03 FIBC 2017
2017/05 Level39
2017/07 OpenID Certification
2017/09 Tech in Asia Tokyo 2017
2018/04 Draper Nexus B2B Summit 2018, IBM
2018/07 Fintech
2018/07 Japan/UK Open Banking and APIs Summit 2018
2018/07 Financial-grade API (Authlete 2.0)
2018/08 Open Banking Security Profile
2019/01 "OAuth ..." (title illegible in the source)
2019/02 CIBA

Slide 3

Slide 3 text

Authlete Versions

Slide 4

Slide 4 text


Slide 5

Slide 5 text

Open Banking and Financial-grade API (FAPI)

Slide 6

Slide 6 text

OBIE: Open Banking Implementation Entity
Open Banking Standard
Banks:
1 Allied Irish Bank
2 Bank of Ireland
3 Barclays
4 Danske
5 HSBC
6 Lloyds Banking Group
7 Nationwide
8 RBS Group
9 Santander
Others
https://www.openbanking.org.uk/providers/standards/

Slide 7

Slide 7 text

Layering of the specifications: the Open Banking Profile (OBP) builds on Financial-grade API (FAPI), which builds on OpenID Connect (OIDC), which builds on OAuth 2.0. FAPI comes from the OIDF (OpenID Foundation); the Open Banking Profile comes from OBIE.

Slide 8

Slide 8 text

The same stack, annotated (annotations illegible in the source): OAuth 2.0 / OpenID Connect (OIDC) / Financial-grade API (FAPI) / Open Banking Profile (OBP)

Slide 9

Slide 9 text

Bank and TPP (Third Party Provider)

Slide 10

Slide 10 text

Many banks and many TPPs: every TPP connects to every bank directly (many-to-many).

Slide 11

Slide 11 text

The same banks and TPPs with the Open Banking Directory placed between them.

Slide 12

Slide 12 text

CIBA: Client Initiated Backchannel Authentication

Slide 13

Slide 13 text

FAPI specification timeline: 2017/02, 2017/07, 2018/10, 2019/02
Financial-grade API consists of the following parts:
• Part 1: Read-Only API Security Profile
• Part 2: Read and Write API Security Profile
• Part 3: Client Initiated Backchannel Authentication Profile (NEW)

Slide 14

Slide 14 text

CIBA flow between the Consumption Device and the Authentication Device (diagram with steps 1 to 7; step labels illegible in the source)

Slide 15

Slide 15 text

CIBA support in Authlete: Authentication Device, Consumption Device (details and URLs illegible in the source)

Slide 16

Slide 16 text


Slide 17

Slide 17 text

JARM: JWT Secured Authorization Response Mode

Slide 18

Slide 18 text

JARM (2018/10): the authorization response parameters are packaged into a JWT and delivered to the client in the response parameter, for example:
HTTP/1.1 302 Found
Location: ...?response={JWT}

Slide 19

Slide 19 text

HTTP/1.1 302 Found
Location: https://client.example.com/cb?response=eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJodHRwczovL2FjY291bnRzLmV4YW1wbGUuY29tIiwiYXVkIjoiczZCaGRSa3F0MyIsImV4cCI6MTMxMTI4MTk3MCwiY29kZSI6IlB5eUZhdXgybzdRMFlmWEJVMzJqaHcuNUZYU1FwdnI4YWt2OUNlUkRTZDBRQSIsInN0YXRlIjoiUzhOSjd1cWs1Zlk0RWpOdlBfR19GdHlKdTZwVXN2SDlqc1luaTlkTUFKdyJ9.HkdJ_TYgwBBj10C-aWuNUiA062Amq2b0_oyuc5P0aMTQphAqC2o9WbGSkpfuHVBowlb-zJ15tBvXDIABL_t83q6ajvjtq_pqsByiRK2dLVdUwKhW3P_9wjvI0K20gdoTNbNlP9Z41mhart4BqraIoI8e-L_EfAHfhCG_DDDv7Yg

Decoded JWT payload:
{
  "iss": "https://accounts.example.com",
  "aud": "s6BhdRkqt3",
  "exp": 1311281970,
  "code": "PyyFaux2o7Q0YfXBU32jhw.5FXSQpvr8akv9CeRDSd0QA",
  "state": "S8NJ7uqk5fY4EjNvP_G_FtyJu6pUsvH9jsYni9dMAJw"
}

Slide 20

Slide 20 text

MTLS: TLS Client Authentication & Certificate Binding

Slide 21

Slide 21 text

Two MTLS client authentication methods: tls_client_auth and self_signed_tls_client_auth (remaining slide text illegible in the source)

Slide 22

Slide 22 text


Slide 23

Slide 23 text


Slide 24

Slide 24 text

See also the video "Authlete FAPI Enhancements": https://youtu.be/hYhHan5FzlA

Slide 25

Slide 25 text

JWT-based Access Token

Slide 26

Slide 26 text

Random-string access token:
abc123

JWT-based access token, carrying its claims in the token itself:
{
  "scope": "...",
  "client_id": "...",
  "exp": ...,
  "iat": ...,
  "sub": "...",
  "iss": "...",
  "jti": "..."
}

Slide 27

Slide 27 text


Slide 28

Slide 28 text


Slide 29

Slide 29 text

Identifier form of the access token:
xrvhSFnmE12pKz6Opu5gI7KkOAFUVuI8gjIZdHlfPVI

JWT form of the same access token (its jti claim carries the identifier above):
eyJhbGciOiJFUzI1NiJ9.eyJzdWIiOiIxMDAxIiwic2NvcGUiOiJlbWFpbCBvcGVuaWQgcHJvZmlsZSIsImlzcyI6Imh0dHBzOi8vYXV0aGxldGUuY29tIiwiZXhwIjoxNTUzNDI3MjU1LCJpYXQiOjE1NTMzNDA4NTUsImNsaWVudF9pZCI6IjUwNjgxMTIxMjMiLCJqdGkiOiJ4cnZoU0ZubUUxMnBLejZPcHU1Z0k3S2tPQUZVVnVJOGdqSVpkSGxmUFZJIn0.bGKzVC9tVYN3H3hbnxmW6hIWKHrqXqgFz4kSDVHEGjQh_QRXvSFhBbFqwZR2W9T0ybdv-TE9lxWphRqUd92j7Q

Decoded payload:
{
  "sub": "1001",
  "scope": "email openid profile",
  "iss": "https://authlete.com",
  "exp": 1553427255,
  "iat": 1553340855,
  "client_id": "5068112123",
  "jti": "xrvhSFnmE12pKz6Opu5gI7KkOAFUVuI8gjIZdHlfPVI"
}
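Added example, not Authlete's code and not from the slides: the checks a client should run on a JARM response like the one on slide 19, and the checks a resource server should run on a self-contained JWT access token like the one above, including the cnf.x5t#S256 comparison for certificate-bound tokens (slide 20). HS256 with a shared key is assumed in place of the RS256/ES256 signatures in the slides; the shared key, the DER bytes and the fixed clock values in the test are constructed assumptions. Everything after signature verification (issuer, audience, expiry, state, scope, cnf) is the same regardless of algorithm.

```python
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import parse_qs, urlparse


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jws_sign_hs256(claims: dict, key: bytes) -> str:
    """Mint a compact JWS. HS256 with a shared key is an assumption standing in
    for the RS256/ES256 tokens on the slides; used here to build sample tokens."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def jws_verify_hs256(token: str, key: bytes) -> dict:
    """Check the signature and return the claims. The algorithm is pinned by the
    verifier; the header is never allowed to pick it (no "none", no downgrade)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWS")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg: %r" % header.get("alg"))
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(payload_b64))


def _audience_contains(claims: dict, client_id: str) -> bool:
    aud = claims.get("aud")
    return client_id in (aud if isinstance(aud, list) else [aud])


def validate_jarm_response(redirect_uri: str, client_id: str, expected_state: str,
                           issuer: str, key: bytes, now: int = None) -> str:
    """Client side: take the JWT from the 'response' parameter, verify it and
    return the authorization code only after every binding check passes."""
    now = int(time.time()) if now is None else now
    params = parse_qs(urlparse(redirect_uri).query)
    if "response" not in params:
        raise ValueError("no 'response' parameter: not a JARM response")
    claims = jws_verify_hs256(params["response"][0], key)
    if claims.get("iss") != issuer:
        raise ValueError("iss mismatch")
    if not _audience_contains(claims, client_id):
        raise ValueError("aud does not include this client")
    if int(claims.get("exp", 0)) <= now:
        raise ValueError("response JWT expired")
    # state is compared only after the signature held, so a forged response
    # cannot satisfy the CSRF check by echoing a guessed state value
    if not hmac.compare_digest(str(claims.get("state", "")), expected_state):
        raise ValueError("state mismatch")
    if "error" in claims:
        raise ValueError("authorization error: %s" % claims["error"])
    return claims["code"]


def cert_thumbprint(der: bytes) -> str:
    """x5t#S256 as carried in cnf: base64url(SHA-256(DER certificate))."""
    return b64url_encode(hashlib.sha256(der).digest())


def validate_access_token(token: str, issuer: str, required_scopes, key: bytes,
                          now: int = None, client_cert_der: bytes = None) -> dict:
    """Resource server side: verify a self-contained JWT access token and, if it
    carries cnf, require the presented client certificate to match it."""
    now = int(time.time()) if now is None else now
    claims = jws_verify_hs256(token, key)
    if claims.get("iss") != issuer:
        raise ValueError("iss mismatch")
    if int(claims.get("exp", 0)) <= now:
        raise ValueError("access token expired")
    missing = set(required_scopes) - set(str(claims.get("scope", "")).split())
    if missing:
        raise ValueError("insufficient scope, missing: " + " ".join(sorted(missing)))
    cnf = claims.get("cnf")
    if cnf is not None:
        if client_cert_der is None:
            raise ValueError("certificate-bound token presented without a client certificate")
        if not hmac.compare_digest(str(cnf.get("x5t#S256", "")), cert_thumbprint(client_cert_der)):
            raise ValueError("client certificate does not match cnf.x5t#S256")
    return claims
```

The order of checks matters: the signature is verified before any claim is looked at, so an attacker who can guess the client's state value still cannot get a forged code accepted, and a token whose header says alg none or a weaker algorithm is rejected before its payload is parsed. With a real authorization server the verifier would fetch the signing key from the server's jwks_uri and pin RS256/ES256 the same way this code pins HS256.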

Slide 30

Slide 30 text

DCR: Dynamic Client Registration

Slide 31

Slide 31 text

Client metadata supported in Dynamic Client Registration:
MTLS: tls_client_auth_subject_dn, tls_client_auth_san_dns, tls_client_auth_san_uri, tls_client_auth_san_ip, tls_client_auth_san_email, tls_client_certificate_bound_access_tokens
JARM: authorization_signed_response_alg, authorization_encrypted_response_alg, authorization_encrypted_response_enc
CIBA: backchannel_client_notification_endpoint, backchannel_authentication_request_signing_alg, backchannel_user_code_parameter
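Added example, not Authlete's code: consistency checks an authorization server can run on a Dynamic Client Registration request that uses the MTLS, JARM and CIBA metadata listed above. The rules encoded are the ones from the respective specifications: tls_client_auth needs exactly one certificate subject identifier, self_signed_tls_client_auth needs a jwks or jwks_uri holding the certificate, JARM's authorization_encrypted_response_enc needs authorization_encrypted_response_alg and none is not a valid signing algorithm, and CIBA's ping and push delivery modes need an https notification endpoint. token_endpoint_auth_method, backchannel_token_delivery_mode and the sample registration values in the test are assumptions not shown on the slide.

```python
from urllib.parse import urlparse

# Certificate subject identifiers usable with the PKI-based tls_client_auth method
TLS_CLIENT_AUTH_SUBJECT_PARAMS = (
    "tls_client_auth_subject_dn",
    "tls_client_auth_san_dns",
    "tls_client_auth_san_uri",
    "tls_client_auth_san_ip",
    "tls_client_auth_san_email",
)
# CIBA Core delivery modes; backchannel_token_delivery_mode is not listed on the slide (assumption)
CIBA_DELIVERY_MODES = ("poll", "ping", "push")


def validate_client_metadata(meta: dict) -> list:
    """Return the list of problems found in a registration request; an empty
    list means the MTLS/JARM/CIBA metadata is consistent and can be stored."""
    errors = []
    method = meta.get("token_endpoint_auth_method", "client_secret_basic")

    # MTLS: tls_client_auth must bind the client to exactly one certificate subject
    subject_params = [p for p in TLS_CLIENT_AUTH_SUBJECT_PARAMS if p in meta]
    if method == "tls_client_auth" and len(subject_params) != 1:
        errors.append("tls_client_auth requires exactly one of: " + ", ".join(TLS_CLIENT_AUTH_SUBJECT_PARAMS))
    if method != "tls_client_auth" and subject_params:
        errors.append("tls_client_auth_* parameters given but token_endpoint_auth_method is " + method)
    # MTLS: a self-signed certificate is registered through jwks or jwks_uri
    if method == "self_signed_tls_client_auth" and not ("jwks" in meta or "jwks_uri" in meta):
        errors.append("self_signed_tls_client_auth requires jwks or jwks_uri")
    for flag in ("tls_client_certificate_bound_access_tokens", "backchannel_user_code_parameter"):
        if flag in meta and not isinstance(meta[flag], bool):
            errors.append(flag + " must be a JSON boolean")

    # JARM: the response is always signed with a real algorithm; enc without alg is meaningless
    if meta.get("authorization_signed_response_alg") == "none":
        errors.append("authorization_signed_response_alg must not be none")
    if "authorization_encrypted_response_enc" in meta and "authorization_encrypted_response_alg" not in meta:
        errors.append("authorization_encrypted_response_enc requires authorization_encrypted_response_alg")

    # CIBA: ping and push call back into the client, so the notification
    # endpoint must exist and must be an https URL
    mode = meta.get("backchannel_token_delivery_mode")
    endpoint = meta.get("backchannel_client_notification_endpoint")
    if mode is not None and mode not in CIBA_DELIVERY_MODES:
        errors.append("unknown backchannel_token_delivery_mode: " + str(mode))
    if mode in ("ping", "push"):
        if not endpoint:
            errors.append(mode + " delivery mode requires backchannel_client_notification_endpoint")
        elif urlparse(endpoint).scheme != "https":
            errors.append("backchannel_client_notification_endpoint must be an https URL")
    if meta.get("backchannel_authentication_request_signing_alg") == "none":
        errors.append("backchannel_authentication_request_signing_alg must not be none")
    return errors
```

Rejecting the request with all problems listed, rather than stopping at the first, mirrors how a registration endpoint reports invalid_client_metadata; storing a half-consistent client (for example tls_client_auth with two subject identifiers) would leave the token endpoint guessing which certificate to trust.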

Slide 32

Slide 32 text


Slide 33

Slide 33 text

Software statement related registration parameters: software_id, software_version, software_statement; client_id (remaining slide text illegible in the source)

Slide 34

Slide 34 text

Open Banking Directory, Bank and TPP: registration flow (diagram with steps 1 to 6; step labels illegible in the source)

Slide 35

Slide 35 text


Slide 36

Slide 36 text

Open Banking Website: https://www.openbanking.org.uk/
Open Banking Developer Zone: https://openbanking.atlassian.net/wiki/spaces/DZ/overview
Financial-grade API Working Group Website: https://openid.net/wg/fapi/
Financial-grade API Working Group Official Repository: https://bitbucket.org/openid/fapi/src/master/
Financial-grade API Official Conformance Test Suite: https://gitlab.com/fintechlabs/fapi-conformance-suite
"CIBA", a new authentication/authorization technology in 2019, explained by an implementer: https://medium.com/@darutk/ciba-a-new-authentication-authorization-technology-in-2019-explained-by-an-implementer-d1e0ac1311b4
Financial-grade API (FAPI) article on Qiita, 2019 (Japanese): https://qiita.com/TakahikoKawasaki/items/83c47c9830097dba2744
CIBA article on Qiita, 2019 (Japanese): https://qiita.com/TakahikoKawasaki/items/9b9616b999d4ce959ba3
Authlete and CIBA article on Qiita (Japanese): https://qiita.com/hidebike712/items/8fc2938055d0b49cfc0a
Financial-grade API Implementer's Draft Version 2, Part 1: Read-Only API Security Profile: https://openid.net/specs/openid-financial-api-part-1-ID2.html
Financial-grade API Implementer's Draft Version 2, Part 2: Read and Write API Security Profile: https://openid.net/specs/openid-financial-api-part-2-ID2.html
MODRNA Working Group Website: https://openid.net/wg/mobile/
MODRNA Working Group Official Repository: https://bitbucket.org/openid/mobile/src/default/
CIBA Core 1.0 Implementer's Draft Version 1: https://openid.net/specs/openid-client-initiated-backchannel-authentication-core-1_0.html
Authlete Website: https://www.authlete.com/
Authlete API Document: https://docs.authlete.com/
Authlete Knowledge Base: https://kb.authlete.com/
Authlete Open Source Repository: https://github.com/authlete/