Authlete Feature Update (2019-03-25)

Taka
March 25, 2019

Presentation of a talk in "Authlete Partner Meetup" held on March 25, 2019. (Japanese)


Transcript

  1. Authlete Feature Update
    Authlete, Inc.
    Co-founder, Representative Director
    Takahiko Kawasaki
    March 25, 2019

  2. 2014/01 Authlete
    2015/09 Authlete
    2016/09 Authlete UK
    2016/11 FINOLAB
    2017/02 OpenID Foundation
    2017/03 FIBC 2017
    2017/05 Level39
    2017/07 OpenID Certification
    2017/08 Cyber39
    2017/09 Tech in Asia Tokyo 2017
    2018/04 Draper Nexus B2B Summit 2018 / IBM
    2018/07 Fintech
    2018/07 Japan/UK Open Banking and APIs Summit 2018
    2018/07 Financial-grade API (Authlete 2.0)
    2018/08 Open Banking Security Profile
    2019/01 OAuth
    2019/02 CIBA
    (remaining slide text not recoverable)

  3. Authlete Versions

  4. (slide text not recoverable)

  5. Open Banking and
    Financial-grade API (FAPI)

  6. OBIE
    Open Banking Implementation Entity
    Open Banking Standard
    1 Allied Irish Bank
    2 Bank of Ireland
    3 Barclays
    4 Danske
    5 HSBC
    6 Lloyds Banking Group
    7 Nationwide
    8 RBS Group
    9 Santander
    Others
    https://www.openbanking.org.uk/providers/standards/

  7. (diagram of the specification stack and its owners)
    OAuth 2.0
    OpenID Connect (OIDC)
    Financial-grade API (FAPI)
    Open Banking Profile (OBP)
    OBIE
    OIDF
    OpenID Foundation

  8. (diagram of the specification stack; text otherwise not recoverable)
    OAuth 2.0
    OpenID Connect (OIDC)
    Financial-grade API (FAPI)
    Open Banking Profile (OBP)

  9. Bank TPP
    Third Party Provider

  10. Bank TPP (diagram: multiple Banks and multiple TPPs)

  11. Bank TPP (diagram: multiple Banks and multiple TPPs with the Open Banking Directory)

  12. CIBA
    Client Initiated Backchannel Authentication

  13. (timeline with dates 2017/2, 2017/7, 2018/10, 2019/2; text not recoverable)
    Financial-grade API consists of the following parts:
    • Part 1: Read-Only API Security Profile
    • Part 2: Read and Write API Security Profile
    • Part 3: Client Initiated Backchannel Authentication Profile (NEW)

  14. (CIBA flow diagram: Consumption Device, steps 1 to 7; text not recoverable)

  15. (slide text not recoverable)

  16. (slide text not recoverable)

  17. JARM
    JWT Secured Authorization Response Mode

  18. 2018/10 (slide text otherwise not recoverable)
    HTTP/1.1 302 Found
    Location: (redirect URI)?response={JWT}

  19.
    HTTP/1.1 302 Found
    Location: https://client.example.com/cb?
    response=eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJodHRwczovL2FjY291bnRzLm
    V4YW1wbGUuY29tIiwiYXVkIjoiczZCaGRSa3F0MyIsImV4cCI6MTMxMTI4MTk3MCwiY29kZSI6IlB5eU
    ZhdXgybzdRMFlmWEJVMzJqaHcuNUZYU1FwdnI4YWt2OUNlUkRTZDBRQSIsInN0YXRlIjoiUzhOSjd1cW
    s1Zlk0RWpOdlBfR19GdHlKdTZwVXN2SDlqc1luaTlkTUFKdyJ9.HkdJ_TYgwBBj10C-aWuNUiA062Amq
    2b0_oyuc5P0aMTQphAqC2o9WbGSkpfuHVBowlb-zJ15tBvXDIABL_t83q6ajvjtq_pqsByiRK2dLVdUw
    KhW3P_9wjvI0K20gdoTNbNlP9Z41mhart4BqraIoI8e-L_EfAHfhCG_DDDv7Yg
    {
    "iss": "https://accounts.example.com",
    "aud": "s6BhdRkqt3",
    "exp": 1311281970,
    "code": "PyyFaux2o7Q0YfXBU32jhw.5FXSQpvr8akv9CeRDSd0QA",
    "state": "S8NJ7uqk5fY4EjNvP_G_FtyJu6pUsvH9jsYni9dMAJw"
    }
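
    The callback above, worked through as client-side JARM validation in Python. This is an added example, not code from the deck or from Authlete: it signs the response JWT with HS256 and a constructed shared secret so that it runs on the standard library alone (FAPI Part 2 requires an asymmetric algorithm such as PS256 or ES256 instead), then performs the checks a client must make before it uses the authorization code: signature, iss, aud, exp and state.

```python
import base64
import hashlib
import hmac
import json
from urllib.parse import parse_qs, urlparse

# Constructed sample values; issuer, audience and claim values mirror the JARM example.
ISSUER = "https://accounts.example.com"
CLIENT_ID = "s6BhdRkqt3"
SECRET = b"constructed-client-secret"  # assumption: HS256 shared secret (FAPI would use PS256/ES256)

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_jarm_response(claims: dict, secret: bytes) -> str:
    # Authorization server side: build the JWT placed in the ?response= parameter.
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def validate_jarm_response(location: str, expected_state: str, secret: bytes,
                           now: int, issuer: str = ISSUER, client_id: str = CLIENT_ID) -> dict:
    # Client side: verify the JWT before touching the authorization code it carries.
    query = parse_qs(urlparse(location).query)
    if "response" not in query or "code" in query:
        # JARM carries every response parameter inside the JWT; a bare 'code' is a red flag
        raise ValueError("expected a single 'response' JWT parameter")
    header_b64, payload_b64, sig_b64 = query["response"][0].split(".")
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # allowlist; never accept 'none' or a token-chosen alg
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    for claim, want in (("iss", issuer), ("aud", client_id), ("state", expected_state)):
        if claims.get(claim) != want:
            raise ValueError(f"{claim} mismatch")
    if claims.get("exp", 0) <= now:
        raise ValueError("response JWT expired")
    if "error" in claims:
        raise ValueError(f"authorization error: {claims['error']}")
    return claims
```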

  20. MTLS
    TLS Client Authentication & Certificate Binding

  21. (slide text mostly not recoverable)
    Client authentication methods: tls_client_auth, self_signed_tls_client_auth

  22. (slide text not recoverable)

  23. (slide text not recoverable)

  24. (slide text mostly not recoverable)
    "Authlete FAPI Enhancements"
    https://youtu.be/hYhHan5FzlA

  25. JWT-based Access Token

  26. (diagram; text mostly not recoverable)
    abc123
    { "scope":"...", "client_id":"...",
    "exp":..., "iat":..., "sub":"...",
    "iss":"...", "jti":"..."
    }

  27. (slide text not recoverable)

  28. (slide text not recoverable)

  29. (slide text mostly not recoverable)
    xrvhSFnmE12pKz6Opu5gI7KkOAFUVuI8gjIZdHlfPVI
    eyJhbGciOiJFUzI1NiJ9.eyJzdWIiOiIxMDAxIiwic2NvcGUiOi
    JlbWFpbCBvcGVuaWQgcHJvZmlsZSIsImlzcyI6Imh0dHBzOi8vY
    XV0aGxldGUuY29tIiwiZXhwIjoxNTUzNDI3MjU1LCJpYXQiOjE1
    NTMzNDA4NTUsImNsaWVudF9pZCI6IjUwNjgxMTIxMjMiLCJqdGk
    iOiJ4cnZoU0ZubUUxMnBLejZPcHU1Z0k3S2tPQUZVVnVJOGdqSV
    pkSGxmUFZJIn0.bGKzVC9tVYN3H3hbnxmW6hIWKHrqXqgFz4kSD
    VHEGjQh_QRXvSFhBbFqwZR2W9T0ybdv-TE9lxWphRqUd92j7Q
    {
    "sub": "1001",
    "scope": "email openid profile",
    "iss": "https://authlete.com",
    "exp": 1553427255,
    "iat": 1553340855,
    "client_id": "5068112123",
    "jti": "xrvhSFnmE12pKz6Opu5gI7KkOAFUVuI8gjIZdHlfPVI"
    }

  30. DCR
    Dynamic Client Registration

  31. Client metadata parameters (slide text otherwise not recoverable)
    MTLS: tls_client_auth_subject_dn, tls_client_auth_san_dns, tls_client_auth_san_uri,
    tls_client_auth_san_ip, tls_client_auth_san_email, tls_client_certificate_bound_access_tokens
    JARM: authorization_signed_response_alg, authorization_encrypted_response_alg,
    authorization_encrypted_response_enc
    CIBA: backchannel_client_notification_endpoint, backchannel_authentication_request_signing_alg,
    backchannel_user_code_parameter

  32. (slide text not recoverable)

  33. (slide text mostly not recoverable; identifiers shown: software_id, software_version, client_id, software_statement)

  34. (diagram: Open Banking Directory, Bank, TPP; steps 1 to 6)


  35.

  36. Open Banking Website
    https://www.openbanking.org.uk/
    Open Banking Developer Zone
    https://openbanking.atlassian.net/wiki/spaces/DZ/overview
    Financial-grade API Working Group Website
    https://openid.net/wg/fapi/
    Financial-grade API Working Group Official Repository
    https://bitbucket.org/openid/fapi/src/master/
    Financial-grade API Official Conformance Test Suite
    https://gitlab.com/fintechlabs/fapi-conformance-suite
    "CIBA", a new authentication/authorization technology in 2019, explained by an implementer
    https://medium.com/@darutk/ciba-a-new-authentication-authorization-technology-in-2019-explained-by-an-implementer-d1e0ac1311b4
    Qiita article on FAPI (Financial-grade API), 2019 (Japanese; title not recoverable)
    https://qiita.com/TakahikoKawasaki/items/83c47c9830097dba2744
    Qiita article on CIBA, 2019 (Japanese; title not recoverable)
    https://qiita.com/TakahikoKawasaki/items/9b9616b999d4ce959ba3
    Qiita article on CIBA with Authlete (Japanese; title not recoverable)
    https://qiita.com/hidebike712/items/8fc2938055d0b49cfc0a
    Financial-grade API Implementer's Draft Version 2
    Part 1: Read-Only API Security Profile
    https://openid.net/specs/openid-financial-api-part-1-ID2.html
    Part 2: Read and Write API Security Profile
    https://openid.net/specs/openid-financial-api-part-2-ID2.html
    MODRNA Working Group Website
    https://openid.net/wg/mobile/
    MODRNA Working Group Official Repository
    https://bitbucket.org/openid/mobile/src/default/
    CIBA Core 1.0 Implementer's Draft Version 1
    https://openid.net/specs/openid-client-initiated-backchannel-authentication-core-1_0.html
    Authlete Website
    https://www.authlete.com/
    Authlete API Document
    https://docs.authlete.com/
    Authlete Knowledge Base
    https://kb.authlete.com/
    Authlete Open Source Repository
    https://github.com/authlete/