Introduction to the FAPI Read & Write OAuth Profile
Nat Sakimura (@_nat_en)
Research Fellow, Nomura Research Institute
Chairman of the Board, OpenID Foundation
2018-05-15
• OpenID® is a registered trademark of the OpenID Foundation. • *Unless otherwise noted, all the photos and vector images are licensed by GraphicStocks.
© 2017 by Nat Sakimura. CC-BY-SA.
Copyright © 2016 Nat Sakimura. All Rights Reserved.
OAuth is a framework – needs to be profiled
“This framework was designed with the clear expectation that future work will define prescriptive profiles and extensions necessary to achieve full web-scale interoperability.”
Which OAuth?
That creates specifications to take care of medium- to high-risk API access security.
[Chart: value of the resource (low to high) against environment control level (high to low). Examples placed on the chart: social sharing, closed circuit, factory application, Financial API – Read only, Financial API – Read & Write. Annotations: “Basic choices ok.”; “No need to satisfy all the security requirements by OAuth”; “Basic choices NOT OK”; “Bearer token Not OK” (towards Financial API – Read & Write).]
That can serve all financial transactions including PSD2, but not limited to.
FAPI Security Profile is a general-purpose, higher-security API protection mechanism based on the OAuth framework.
It has been adopted by Open Banking UK
9 major banks in the UK went live in January 2018
(Source) Chris Mitchel, “Banking is now more open”, Identify 2017
Australia adopting the same profile
It is also recommended by the Japanese Bankers Association
(source) https://www.zenginkyo.or.jp/fileadmin/res/news/news290713_1.pdf
US FS-ISAC aligning their security requirements
… and major IAM vendors are implementing it
Submitted to ISO/TC 68 and is part of the forthcoming technical specification
We have issued two implementer’s drafts
[Chart: value of the resource (low to high) against environment control level (high to low), with social sharing, closed circuit, factory application, Financial API – Read only and Financial API – Read & Write placed on it; “Basic choices ok.” marks the low-value, high-control region.]
Which are the redirect approach:
Part 1: Read Only Security Profile
Part 2: Read and Write Security Profile
[Figure: the three approaches – Redirect Approach, Decoupled Approach, Embedded Approach – with the Redirect Approach highlighted.]
While RFC6749 is not complete with source, destination, and message authentication,
[Figure: UA – Client – AS; each hop is TLS protected, and TLS is terminated at each party, so TLS alone does not authenticate the OAuth messages end to end.]

                 Sender AuthN   Receiver AuthN   Message AuthN
AuthZ Req        Indirect       None             None
AuthZ Res        None           None             None
Token Req        Weak           Good             Good
Token Res        Good           Good             Good
By using OpenID Connect’s Hybrid Flow and Request Object, you are pretty well covered.
FAPI Part 2 is complete with source, destination, and message authentication.

                 Sender AuthN     Receiver AuthN   Message AuthN
AuthZ Req        Request Object   Request Object   Request Object
AuthZ Res        Hybrid Flow      Hybrid Flow      Hybrid Flow
Token Req        Good             Good             Good
Token Res        Good             Good             Good
Tokens are Sender Constrained instead of being bearer

Token Types (higher security level first)   Notes
Sender Constrained Token                    Only the entity it was issued to can use the token.
Bearer Token                                Stolen tokens can also be used.
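To make the difference in the table concrete, here is an added example (not code from the deck or from the FAPI specification) of a resource-server check for a token bound to the client's mTLS certificate in the manner of RFC 8705, one of the sender-constraining mechanisms FAPI Part 2 allows: the token carries a cnf (confirmation) claim with the SHA-256 thumbprint of the client certificate (x5t#S256), and the resource server compares it with the certificate presented on the TLS connection. The token store, token values, client id and the byte strings standing in for DER certificates are all constructed.

```python
import base64
import hashlib
import hmac
from typing import Optional, Tuple


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def cert_thumbprint(der_cert: bytes) -> str:
    """x5t#S256: base64url of SHA-256 over the DER-encoded certificate."""
    return b64url(hashlib.sha256(der_cert).digest())


# Constructed stand-ins for DER-encoded client certificates. Real ones are ASN.1
# structures; only the bytes that get hashed matter for this check.
LEGIT_CLIENT_CERT = b"constructed-der-bytes-for-the-legitimate-client"
OTHER_CERT = b"constructed-der-bytes-for-some-other-party"

# Constructed token store standing in for the AS's introspection data. The
# sender-constrained token carries cnf.x5t#S256; the bearer token has no cnf.
TOKEN_STORE = {
    "tok-bound": {"active": True, "scope": "payments", "client_id": "s6BhdRkqt3",
                  "cnf": {"x5t#S256": cert_thumbprint(LEGIT_CLIENT_CERT)}},
    "tok-bearer": {"active": True, "scope": "payments", "client_id": "s6BhdRkqt3"},
}


def authorize_request(access_token: str, presented_cert_der: Optional[bytes]) -> Tuple[bool, str]:
    """Resource-server decision for one API call. Returns (accepted, reason).

    presented_cert_der is the client certificate from the mutual-TLS handshake,
    or None when the caller did not present one.
    """
    info = TOKEN_STORE.get(access_token)
    if info is None or not info.get("active"):
        return False, "unknown or inactive token"
    cnf = info.get("cnf")
    if cnf is None:
        # Bearer token: possession alone is enough, so a stolen copy works too.
        return True, "bearer token: accepted without proof of possession"
    expected = cnf.get("x5t#S256")
    if presented_cert_der is None:
        return False, "sender-constrained token presented without mTLS client certificate"
    if not hmac.compare_digest(cert_thumbprint(presented_cert_der), expected):
        return False, "client certificate does not match token confirmation"
    return True, "sender-constrained token: certificate thumbprint matches cnf"


if __name__ == "__main__":
    for token, cert in [("tok-bound", LEGIT_CLIENT_CERT), ("tok-bound", OTHER_CERT),
                        ("tok-bound", None), ("tok-bearer", None)]:
        print(token, cert is not None, authorize_request(token, cert))
```

The same replayed "tok-bound" value is refused without the matching private key behind the certificate, while "tok-bearer" is accepted from anyone who holds it, which is the "stolen tokens can also be used" row of the table.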
These are in the form of check lists.
(source) https://bitbucket.org/openid/fapi/src/master/Financial_API_WD_002.md
Crypto Requirements are tightened for interoperability and security
(source) https://bitbucket.org/openid/fapi/src/master/Financial_API_WD_002.md
And now working on the decoupled approach … CIBA (Client Initiated Backchannel Authentication) profile.
[Figure: Redirect Approach, Decoupled Approach, Embedded Approach – with the Decoupled Approach highlighted.]
https://bitbucket.org/openid/fapi/src/master/Financial_API_WD_CIBA.md
Embedded Approach
Giving bearer credentials to a third party is a bad idea.
GDPR explicit consent for third party data transfer?
What would be the liability implications?
Perhaps per app “password”?
[Figure: Redirect Approach, Decoupled Approach, Embedded Approach – with the Embedded Approach highlighted.]
We have other works as well…
E.g. The OpenBanking OpenID Dynamic Client Registration Specification
… and perhaps an Intent registration endpoint
[Figure: Client and Server (Intent Registration EP, Authorization EP, Token EP).
1. The Client pushes the intent to the Intent Registration EP, e.g., to send $1,000 to Bob’s account.
2. The Server returns an Intent ID.
3. The Client sends the AuthZ Req w/ Intent ID to the Authorization EP.
4. The AuthZ Response is delivered to the Client’s Redirect URI.]
How can we tell that the implementation conforms to the specification?
OpenID Foundation provides the online test environment for the implementers to test their conformance.
Once it passes the test, the implementer can self-certify and publish.
• That brings the implementers under the premise of Article 5 of the FTC Act.
• The log will be openly available so others can also find out false claims.
See http://openid.net/certification/ for details
New Name for WG?
After all, there is nothing specifically “Financial”
It is a general purpose High Security API protection protocol
Some of the candidates …
Fully Assured Protection Interoperable
Fair Assurance Protection Interface
Full Assurance Protection Interface
Full Assurance Profile Interface (FAPI) WG
Plus …