Introduction to the FAPI Read & Write OAuth Profile
Nat Sakimura (@_nat_en)
Research Fellow, Nomura Research Institute
Chairman of the board, OpenID Foundation
2017-11-08
• OpenID® is a registered trademark of the OpenID Foundation. • *Unless otherwise noted, all the photos and vector images are licensed by GraphicStocks.
© 2017 by Nat Sakimura. CC-BY-SA.
Copyright © 2016 Nat Sakimura. All Rights Reserved.
Using iTunes? Using Android? Using Google? Using MS Office 365? …
Over 3 Billion served.
International standards
OpenID Connect
JSON Web Token (JWT)
JSON Web Signature (JWS)
OAuth PKCE(RFC7636)
OAuth JAR (RFC TBD)
ISO/IEC 29184
ISO/IEC 29100 AMD1
JIS X 9250
Etc.
An international standardization expert and a protocol designer on identity, access management, and privacy
Copyright(C) Nomura Research Institute, Ltd. All rights reserved.
Nat Sakimura
(Co-)Author of:
OpenID Connect Core 1.0
JSON Web Token [RFC7519]
JSON Web Signature [RFC7515]
OAuth PKCE [RFC7636]
OAuth JAR [IETF Last Call]
Etc.
(Co-)Editor of:
ISO/IEC 29184 Guidelines for online notice and consent
ISO/IEC 29100 AMD: Privacy Framework – Amendment 1
ISO/IEC 27551 Requirements for attribute based unlinkable entity authentication
Etc.
• Chairman, OpenID Foundation
• Chair, Financial API WG
• Head of delegate from Japanese National Body to ISO/IEC JTC 1/SC 27/WG5
• WG5〜OECD/SPDE Liaison
• Research Fellow @ Nomura Research Institute (NRI)
• https://www.sakimura.org
• https://nat.sakimura.org
• @_nat_en (English)
• @_nat (Japanese)
• https://www.linkedin.com/in/natsakimura
• https://ja.wikipedia.org/wiki/崎村夏彦
FAPI Updates
A year ago in APIDays Paris
Introduced FAPI WG
OAuth is a framework – needs to be profiled
This framework was designed with the clear expectation that future
work will define prescriptive profiles and extensions necessary to
achieve full web-scale interoperability.
Which OAuth?
That creates specifications to take care of medium- to high-risk API access security.
[Figure: risk matrix. Vertical axis: Value of the resource (Low to High). Horizontal axis: Environment control level (High to Low).
Regions shown: Social sharing; Closed circuit; Factory application; Financial API – Read only; Financial API – Read & Write.
Annotations: "e.g., Basic choices ok."; "Basic choices NOT OK"; "Bearer token Not OK"; "No need to satisfy all the security requirements by OAuth".]
That can serve all financial transactions, including, but not limited to, PSD2.
The FAPI Security Profile is a general-purpose, higher-security API protection mechanism based on the OAuth framework.
It has been adopted by Open Banking UK
9 major banks in the UK go live in January 2018
(Source) Chris Mitchel, “Banking is now more open”, Identify 2017
It is also recommended by the Japanese Bankers’ Association
(source) https://www.zenginkyo.or.jp/fileadmin/res/news/news290713_1.pdf
US FS-ISAC is aligning their security requirements
… and major IAM vendors are implementing it
II. What is OpenID Foundation
It has been developed within OpenID Foundation
A WG can be spun up by more than three members proposing it, with approval by the Specs Council and a Board review (2 weeks).
The Specs Council is composed of the current editors of the specs and checks for overlaps with other WGs or SDOs.
The Board checks that it will not cause IPR threats to the foundation.
At FAPI WG, since it has the right people, IPR, and structure
Right People
• All the authors of OAuth, JWT, JWS, OpenID Connect are here.
Right IPR
• Royalty-free, mutual non-assert IPR: anyone can freely implement.
Right Structure
• No fee for joining a WG (sponsors welcome)
• WTO TBT Treaty compliant process.
Working Together
OpenID FAPI: Nat Sakimura (Chair), Tony Nadalin (Co-Chair; fido 2.0 WG Chair, W3C Web Authn WG Chair), Anoop Saxena (Co-Chair, UK OBIE Liaison)
Liaison Organizations: TC 68, JTC 1/SC 27/WG 5
The work progresses with weekly teleconferences, mailing list discussions and the project repository (https://bitbucket.org/openid/fapi/):
Issue Tracker
Meeting notes
Commit History
Pull Requests
Draft Text
We have issued two implementer’s drafts
[Figure: the same risk matrix (Value of the resource vs. Environment control level), with Financial API – Read only and Financial API – Read & Write marked; "e.g., Basic choices ok."]
Which are redirect approach
Part 1: Read Only Security Profile
Part 2: Read and Write Security Profile
[Figure: three approaches: Redirect Approach, Decoupled Approach, Embedded Approach]
While RFC6749 is not complete with source, destination, and message authentication,
[Figure: UA, Client and AS connected over TLS Protected hops; TLS Terminated at each party]
              | Sender AuthN | Receiver AuthN | Message AuthN
AuthZ Req     | Indirect     | None           | None
AuthZ Res     | None         | None           | None
Token Req     | Weak         | Good           | Good
Token Res     | Good         | Good           | Good
By using OpenID Connect’s Hybrid Flow and Request Object, you are pretty well covered.
FAPI Part 2 is complete with source, destination, and message authentication.
              | Sender AuthN   | Receiver AuthN | Message AuthN
AuthZ Req     | Request Object | Request Object | Request Object
AuthZ Res     | Hybrid Flow    | Hybrid Flow    | Hybrid Flow
Token Req     | Good           | Good           | Good
Token Res     | Good           | Good           | Good
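As an added example (not code from the slides or the FAPI WG), the Python below shows the claim-level checks a client makes on a Hybrid Flow authorization response: the ID token returned in the front channel carries c_hash and s_hash, so the code and state it travels with cannot be swapped without detection. It assumes the ID token's JWS signature has already been verified under a SHA-256-based algorithm (PS256/ES256), which is why the half-hash is taken over SHA-256; all values are constructed samples.

```python
import base64
import hashlib
import hmac
from typing import Dict, List


def half_hash(value: str) -> str:
    """Left-most 128 bits of SHA-256(value), base64url-encoded without padding.
    This is how OpenID Connect defines c_hash and s_hash for SHA-256-based
    signing algorithms such as PS256 and ES256."""
    digest = hashlib.sha256(value.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest[:16]).rstrip(b"=").decode("ascii")


def build_id_token_claims(issuer: str, client_id: str, code: str,
                          state: str, nonce: str) -> Dict[str, str]:
    """AS side: the ID token acts as a detached signature over the other
    authorization response parameters (code and state) by hashing them."""
    return {"iss": issuer, "aud": client_id, "nonce": nonce,
            "c_hash": half_hash(code), "s_hash": half_hash(state)}


def verify_authz_response(claims: Dict[str, str], response: Dict[str, str],
                          expected: Dict[str, str]) -> List[str]:
    """Client side: returns the names of failed checks (empty list = accept).
    `expected` holds the values the client stored when it sent the request."""
    failures = []
    if claims.get("iss") != expected["issuer"]:
        failures.append("iss")      # response came from a different AS
    if claims.get("aud") != expected["client_id"]:
        failures.append("aud")      # ID token minted for another client
    if claims.get("nonce") != expected["nonce"]:
        failures.append("nonce")    # replayed or unsolicited response
    if response.get("state") != expected["state"]:
        failures.append("state")    # session binding check
    # Constant-time comparison of the detached-signature hashes
    if not hmac.compare_digest(claims.get("c_hash", ""), half_hash(response.get("code", ""))):
        failures.append("c_hash")   # code does not match the one the AS signed over
    if not hmac.compare_digest(claims.get("s_hash", ""), half_hash(response.get("state", ""))):
        failures.append("s_hash")   # state does not match the one the AS signed over
    return failures


# Constructed sample values, not real credentials
EXPECTED = {"issuer": "https://as.example", "client_id": "tpp-1",
            "state": "st-7f3a", "nonce": "n-9c21"}
GOOD_RESPONSE = {"code": "authcode-A", "state": "st-7f3a"}
GOOD_CLAIMS = build_id_token_claims("https://as.example", "tpp-1",
                                    "authcode-A", "st-7f3a", "n-9c21")
```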
Tokens are Sender Constrained instead of being bearer
Security levels, from higher to lower:
Token Type               | Notes
Sender Constrained Token | Only the entity that was issued the token can use it.
Bearer Token             | Stolen tokens can also be used
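An added example (not from the slides or any FAPI implementation) contrasting the two rows above in Python: a resource server honours a bearer token for whoever presents it, while a sender-constrained token is accepted only together with proof of possession. It assumes the mTLS binding of RFC 8705, where the token's cnf claim carries the x5t#S256 thumbprint of the client certificate; the certificate bytes are constructed placeholders, not real DER.

```python
import base64
import hashlib
import hmac
from typing import Dict, Optional


def cert_thumbprint(cert_der: bytes) -> str:
    """x5t#S256: base64url(SHA-256(DER certificate)) without padding (RFC 8705)."""
    digest = hashlib.sha256(cert_der).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def issue_token(subject: str, scope: str, client_cert_der: bytes) -> Dict:
    """AS side: bind the token to the mTLS certificate the client authenticated with."""
    return {"sub": subject, "scope": scope,
            "cnf": {"x5t#S256": cert_thumbprint(client_cert_der)}}


def accept_bearer(token: Dict, required_scope: str) -> bool:
    """Bearer semantics: possession of the token is all that is checked."""
    return required_scope in token.get("scope", "").split()


def accept_sender_constrained(token: Dict, required_scope: str,
                              presented_cert_der: Optional[bytes]) -> bool:
    """Resource server check for a sender-constrained token: the caller must
    present (over mTLS) the very certificate the token was bound to."""
    if not accept_bearer(token, required_scope):
        return False
    bound = token.get("cnf", {}).get("x5t#S256")
    if bound is None or presented_cert_der is None:
        return False  # unbound token, or no client certificate: reject
    return hmac.compare_digest(bound, cert_thumbprint(presented_cert_der))


# Constructed placeholders standing in for DER-encoded certificates
LEGIT_CLIENT_CERT = b"constructed-der-bytes-for-the-legitimate-client"
OTHER_CERT = b"constructed-der-bytes-for-another-party"
TOKEN = issue_token("alice", "accounts payments", LEGIT_CLIENT_CERT)
```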
These are in the form of check lists.
(source) https://bitbucket.org/openid/fapi/src/master/Financial_API_WD_002.md
Crypto Requirements are tightened for interoperability and security
(source) https://bitbucket.org/openid/fapi/src/master/Financial_API_WD_002.md
And now working on the decoupled approach …
CIBA (client initiated backchannel authentication) profile.
https://bitbucket.org/openid/fapi/src/master/Financial_API_WD_CIBA.md
We are not working on the Embedded Approach
Since we do not know how it can be phishing resistant; W3C Web Authentication will not work.
Come to the WG if you know how
▪ IPR release is necessary though.
GDPR explicit consent for third party data transfer?
What would be the liability implications?
We have other works as well…
E.g. The OpenBanking OpenID Dynamic Client Registration Specification
How can we tell that the implementation conforms to the specification?
OpenID Foundation provides the online test environment for the implementers to test their conformance.
Once it passes the test, the implementer can self-certify and publish.
• That gets the implementers under the premise of the article 5 of the FTC Act.
• The log will be openly available so others can also find out false claims.
See http://openid.net/certification/ for details
* Not Invented Here
But work together in the open, IPR safe environment.
Questions?