Authlete UK

2016/11  FINOLAB
2017/02  OpenID Foundation
2017/03  FIBC 2017
2017/05  Level39
2017/07  OpenID Certification
2017/08  Cyber39
2017/09  Tech in Asia Tokyo 2017
2018/04  Draper Nexus B2B Summit 2018, IBM
2018/07  Fintech
2018/07  Japan/UK Open Banking and APIs Summit 2018
2018/07  Financial-grade API (Authlete 2.0)
2018/08  Open Banking Security Profile
2019/01  OAuth
2019/02  CIBA
Irish Bank
2 Bank of Ireland
3 Barclays
4 Danske
5 HSBC
6 Lloyds Banking Group
7 Nationwide
8 RBS Group
9 Santander
Others

https://www.openbanking.org.uk/providers/standards/
Financial-grade API consists of the following parts:
• Part 1: Read-Only API Security Profile
• Part 2: Read and Write API Security Profile
• Part 3: Client Initiated Backchannel Authentication Profile (NEW)
HTTP/1.1 302 Found
Location: ...?response={JWT}
tls_client_auth
self_signed_tls_client_auth
"Authlete FAPI Enhancements"
https://youtu.be/hYhHan5FzlA
tls_client_auth_subject_dn, tls_client_auth_san_dns, tls_client_auth_san_uri, tls_client_auth_san_ip, tls_client_auth_san_email, tls_client_certificate_bound_access_tokens

authorization_signed_response_alg, authorization_encrypted_response_alg, authorization_encrypted_response_enc

backchannel_client_notification_endpoint, backchannel_authentication_request_signing_alg, backchannel_user_code_parameter
software_id, software_version, client_id, software_statement
Financial-grade API Working Group Website
https://openid.net/wg/fapi/

Financial-grade API Working Group Official Repository
https://bitbucket.org/openid/fapi/src/master/

Financial-grade API Official Conformance Test Suite
https://gitlab.com/fintechlabs/fapi-conformance-suite

"CIBA", a new authentication/authorization technology in 2019, explained by an implementer
https://medium.com/@darutk/ciba-a-new-authentication-authorization-technology-in-2019-explained-by-an-implementer-d1e0ac1311b4

FAPI (Financial-grade API)
https://qiita.com/TakahikoKawasaki/items/83c47c9830097dba2744

CIBA
https://qiita.com/TakahikoKawasaki/items/9b9616b999d4ce959ba3

Authlete CIBA
https://qiita.com/hidebike712/items/8fc2938055d0b49cfc0a

Financial-grade API Implementer's Draft Version 2
Part 1: Read-Only API Security Profile
https://openid.net/specs/openid-financial-api-part-1-ID2.html
Part 2: Read and Write API Security Profile
https://openid.net/specs/openid-financial-api-part-2-ID2.html

MODRNA Working Group Website
https://openid.net/wg/mobile/

MODRNA Working Group Official Repository
https://bitbucket.org/openid/mobile/src/default/

CIBA Core 1.0 Implementer's Draft Version 1
https://openid.net/specs/openid-client-initiated-backchannel-authentication-core-1_0.html

Authlete Website
https://www.authlete.com/

Authlete API Document
https://docs.authlete.com/

Authlete Knowledge Base
https://kb.authlete.com/

Authlete Open Source Repository
https://github.com/authlete/