Authlete Feature Update (2019-03-25)

Taka
March 25, 2019

Presentation of a talk in "Authlete Partner Meetup" held on March 25, 2019. (Japanese)

Transcript

  1. Timeline (some entry labels are not recoverable from the transcript):
    2014/01 Authlete; 2015/09 Authlete; 2016/09 Authlete UK; 2016/11 FINOLAB; 2017/02 OpenID Foundation; 2017/03 FIBC 2017; 2017/05 Level39; 2017/05 (unreadable); 2017/07 OpenID Certification; 2017/08 Cyber39; 2017/09 Tech in Asia Tokyo 2017; 2018/02 (unreadable); 2018/04 Draper Nexus B2B Summit 2018, IBM; 2018/07 Fintech; 2018/07 Japan/UK Open Banking and APIs Summit 2018; 2018/07 Financial-grade API (Authlete 2.0); 2018/08 Open Banking Security Profile; 2019/01 "OAuth ..." (title unreadable); 2019/02 CIBA.

  2. (Slide text not recoverable from the transcript.)

  3. OBIE (Open Banking Implementation Entity), Open Banking Standard.
    Banks: 1 Allied Irish Bank, 2 Bank of Ireland, 3 Barclays, 4 Danske, 5 HSBC, 6 Lloyds Banking Group, 7 Nationwide, 8 RBS Group, 9 Santander, Others.
    https://www.openbanking.org.uk/providers/standards/

  4. OAuth 2.0; OpenID Connect (OIDC); Financial-grade API (FAPI); Open Banking Profile (OBP). Bodies: OBIE; OIDF (OpenID Foundation). (Remaining slide text not recoverable.)

  5. OAuth 2.0; OpenID Connect (OIDC); Financial-grade API (FAPI); Open Banking Profile (OBP). (Remaining slide text not recoverable.)

  6. Diagram of Banks and TPPs (labels not recoverable).

  7. Diagram of Banks and TPPs with the Open Banking Directory (labels not recoverable).

  8. Financial-grade API timeline (entry labels not recoverable): 2017/2, 2017/7, 2018/10, 2019/2.
    Financial-grade API consists of the following parts:
    • Part 1: Read-Only API Security Profile
    • Part 2: Read and Write API Security Profile
    • Part 3: Client Initiated Backchannel Authentication Profile (NEW)

  9. CIBA flow diagram: Consumption Device, Authentication Device, steps 1 to 7 (labels not recoverable).

  10. (Slide text not recoverable from the transcript.)

  11. (Slide text not recoverable from the transcript.)

  12. 2018/10 (remaining text not recoverable). Authorization response returned as a JWT in the redirect:
    HTTP/1.1 302 Found
    Location: ...?response={JWT}

  13. Example authorization response carrying the response parameters in a JWT:
    HTTP/1.1 302 Found
    Location: https://client.example.com/cb?response=eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJodHRwczovL2FjY291bnRzLmV4YW1wbGUuY29tIiwiYXVkIjoiczZCaGRSa3F0MyIsImV4cCI6MTMxMTI4MTk3MCwiY29kZSI6IlB5eUZhdXgybzdRMFlmWEJVMzJqaHcuNUZYU1FwdnI4YWt2OUNlUkRTZDBRQSIsInN0YXRlIjoiUzhOSjd1cWs1Zlk0RWpOdlBfR19GdHlKdTZwVXN2SDlqc1luaTlkTUFKdyJ9.HkdJ_TYgwBBj10C-aWuNUiA062Amq2b0_oyuc5P0aMTQphAqC2o9WbGSkpfuHVBowlb-zJ15tBvXDIABL_t83q6ajvjtq_pqsByiRK2dLVdUwKhW3P_9wjvI0K20gdoTNbNlP9Z41mhart4BqraIoI8e-L_EfAHfhCG_DDDv7Yg
    Decoded JWT payload:
    {
      "iss": "https://accounts.example.com",
      "aud": "s6BhdRkqt3",
      "exp": 1311281970,
      "code": "PyyFaux2o7Q0YfXBU32jhw.5FXSQpvr8akv9CeRDSd0QA",
      "state": "S8NJ7uqk5fY4EjNvP_G_FtyJu6pUsvH9jsYni9dMAJw"
    }

  14. Client authentication methods (remaining text not recoverable): tls_client_auth, self_signed_tls_client_auth.

  15. (Slide text not recoverable from the transcript.)

  16. API diagram (text not recoverable).

  17. "Authlete FAPI Enhancements" (video): https://youtu.be/hYhHan5FzlA (remaining text not recoverable).

  18. Access token "abc123" and a JWT access token with these claims (remaining text not recoverable):
    {
      "scope": "...",
      "client_id": "...",
      "exp": ...,
      "iat": ...,
      "sub": "...",
      "iss": "...",
      "jti": "..."
    }

  19. (Slide text not recoverable from the transcript.)

  20. (Slide text not recoverable from the transcript.)

  21. The value xrvhSFnmE12pKz6Opu5gI7KkOAFUVuI8gjIZdHlfPVI (also the jti claim below) and the JWT access token:
    eyJhbGciOiJFUzI1NiJ9.eyJzdWIiOiIxMDAxIiwic2NvcGUiOiJlbWFpbCBvcGVuaWQgcHJvZmlsZSIsImlzcyI6Imh0dHBzOi8vYXV0aGxldGUuY29tIiwiZXhwIjoxNTUzNDI3MjU1LCJpYXQiOjE1NTMzNDA4NTUsImNsaWVudF9pZCI6IjUwNjgxMTIxMjMiLCJqdGkiOiJ4cnZoU0ZubUUxMnBLejZPcHU1Z0k3S2tPQUZVVnVJOGdqSVpkSGxmUFZJIn0.bGKzVC9tVYN3H3hbnxmW6hIWKHrqXqgFz4kSDVHEGjQh_QRXvSFhBbFqwZR2W9T0ybdv-TE9lxWphRqUd92j7Q
    Decoded JWT payload:
    {
      "sub": "1001",
      "scope": "email openid profile",
      "iss": "https://authlete.com",
      "exp": 1553427255,
      "iat": 1553340855,
      "client_id": "5068112123",
      "jti": "xrvhSFnmE12pKz6Opu5gI7KkOAFUVuI8gjIZdHlfPVI"
    }
    (Remaining slide text not recoverable.)

  22. Client metadata parameters (remaining text not recoverable):
    • Mutual TLS client authentication and certificate-bound access tokens: tls_client_auth_subject_dn, tls_client_auth_san_dns, tls_client_auth_san_uri, tls_client_auth_san_ip, tls_client_auth_san_email, tls_client_certificate_bound_access_tokens
    • JWT-secured authorization response: authorization_signed_response_alg, authorization_encrypted_response_alg, authorization_encrypted_response_enc
    • CIBA: backchannel_client_notification_endpoint, backchannel_authentication_request_signing_alg, backchannel_user_code_parameter

  23. (Slide text not recoverable from the transcript.)

  24. Client registration fields (remaining text not recoverable): software_id, software_version, client_id, software_statement.

  25. Links:
    Open Banking Website: https://www.openbanking.org.uk/
    Open Banking Developer Zone: https://openbanking.atlassian.net/wiki/spaces/DZ/overview
    Financial-grade API Working Group Website: https://openid.net/wg/fapi/
    Financial-grade API Working Group Official Repository: https://bitbucket.org/openid/fapi/src/master/
    Financial-grade API Official Conformance Test Suite: https://gitlab.com/fintechlabs/fapi-conformance-suite
    "CIBA", a new authentication/authorization technology in 2019, explained by an implementer: https://medium.com/@darutk/ciba-a-new-authentication-authorization-technology-in-2019-explained-by-an-implementer-d1e0ac1311b4
    (Japanese article on FAPI / Financial-grade API, 2019; title not recoverable): https://qiita.com/TakahikoKawasaki/items/83c47c9830097dba2744
    (Japanese article on CIBA, 2019; title not recoverable): https://qiita.com/TakahikoKawasaki/items/9b9616b999d4ce959ba3
    (Japanese article on Authlete and CIBA; title not recoverable): https://qiita.com/hidebike712/items/8fc2938055d0b49cfc0a
    Financial-grade API Implementer's Draft Version 2, Part 1: Read-Only API Security Profile: https://openid.net/specs/openid-financial-api-part-1-ID2.html
    Financial-grade API Implementer's Draft Version 2, Part 2: Read and Write API Security Profile: https://openid.net/specs/openid-financial-api-part-2-ID2.html
    MODRNA Working Group Website: https://openid.net/wg/mobile/
    MODRNA Working Group Official Repository: https://bitbucket.org/openid/mobile/src/default/
    CIBA Core 1.0 Implementer's Draft Version 1: https://openid.net/specs/openid-client-initiated-backchannel-authentication-core-1_0.html
    Authlete Website: https://www.authlete.com/
    Authlete API Document: https://docs.authlete.com/
    Authlete Knowledge Base: https://kb.authlete.com/
    Authlete Open Source Repository: https://github.com/authlete/