Introduction to the FAPI Read & Write OAuth Profile

Nomura Research Institute
Nat Sakimura(@_nat_en)
Introduction to
the FAPI Read & Write OAuth Profile
• OpenID® is a registered trademark of the OpenID Foundation.
• *Unless otherwise noted, all the photos and vector images are licensed by GraphicStocks.
2017-11-08
Foundation
Research FellowChairman of the board

© 2017 by Nat Sakimura. CC-BY-SA.
Copyright © 2016 Nat Sakimura. All Rights Reserved.
2
Using iTunes?
Using Android?
Using Google?
Using MS Office 365?
…
2

3
Over 3 Billion served.
3

4
International standards
4
OpenID Connect
JSON Web Token (JWT)
JSON Web Signature (JWS)
OAuth PKCE(RFC7636)
OAuth JAR (RFC TBD)
ISO/IEC 29184
ISO/IEC 29100 AMD1
JIS X 9250
Etc.

5
An international standardization expert
and a protocol designer
on identity, access management, and privacy
5

Copyright（C） Nomura Research Institute, Ltd. All rights reserved. 6
Nat Sakimura
(Co-)Author of:
OpenID Connect Core 1.0
JSON Web Token [RFC7519]
JSON Web Signature [7515]
OAuth PKCE [RFC7636]
OAuth JAR [IETF Last Call]
Etc.
(Co-)Editor of:
ISO/IEC 29184 Guidelines for online notice and consent
ISO/IEC 29100 AMD: Privacy Framework – Amendment 1
ISO/IEC 27551 Requirements for attribute based unlinkable
entity authentication
Etc.
• Chairman, OpenID Foundation
• Chair, Financial API WG
• Head of delegate from
Japanese National Body to
ISO/IEC JTC 1/SC 27/WG5
• WG5〜OECD/SPDE Liaison
• Research Fellow
@ Nomura Research Institute
(NRI)
• https://www.sakimura.org
• https://nat.sakimura.org
• @_nat_en (English)
• @_nat (Japanese)
• https://www.linkedin.com/in/
natsakimura
• https://ja.wikipedia.org/wiki/
崎村夏彦
6

7
FAPI Updates

Copyright（C） Nomura Research Institute, Ltd. All rights reserved.
A year ago in APIDays Paris
Introduced FAPI WG

9
OAuth is a framework – needs to be profiled
 This framework was designed with the clear expectation that future
 work will define prescriptive profiles and extensions necessary to
 achieve full web-scale interoperability.

10
Which OAuth?

1111

12
That creates specification to take care of medium to high risk API access security.
12
Valueoftheresource
Environment control levelHigh Low
High
Low
Social sharing
Closed circuit
Factory
application
Financial API
– Read & Write
e.g.,
Basic choices ok.
Bearer token Not
OK
Basic choices
NOT OK
No need to satisfy all the
security requirments by OAuth
Financial API
– Read only

13
That can serve all financial transactions
including PSD2,
but not limited to.

14
FAPI Security Profile is a general purpose higher
security API protection mechanism based on
OAuth framework.
14

15
It has been adopted by Open Banking UK
15

16
9 Major banks in UK goes live on January, 2018
(Source) Chris Mitchel, “Banking is now more open”, Identify 2017

17
It is also recommended by the Japanese Banker’s association
17
(source) https://www.zenginkyo.or.jp/fileadmin/res/news/news290713_1.pdf

18
US FS-ISAC aligning their security
requirements
18

19
… and major IAM vendors are
implementing it
19

Copyright（C） Nomura Research Institute, Ltd. All rights reserved. 20
II. What is OpenID Foundation
A WG can be spun up by more than
three members proposing and by the
approval by the Specs Council and the
Board review (2 weeks).
Specs Council is composed by the
current editors of the specs and checks
the overlaps with other WGs or SDOs.
The board checks that it will not cause
IPR threats to the foundation.
It has been developed within OpenID Foundation
20

21
At FAPI WG since there are right people, IPR, and structure
• All the authors of OAuth, JWT, JWS, OpenID
Connect are here.
Right
People
• Loyalty free, mutual non-assert IPR:
•  Anyone can freely implement.
Right IPR
• No fee for joining a WG (Sponsors welcome)
• WTO TBT Treaty compliant process.
Right
Structure
21

22
Working Together
22
OpenID FAPI
(Chair)
(Co-Chair)(Co-Chair)
(UK OBIE Liaison)
Liaison Organizations
TC 68
JTC 1/SC 27/WG 5
Nat Sakimura
Tony NadalinAnoop Saxena
fido 2.0 WG Chair
W3C Web Authn WG
Chair

23
The work progresses with a weekly tele-conferences, mailing list discussions
and project repository (https://bitbucket.org/openid/fapi/ )
23
Issue Tracker
Meeting notes
Commit History
Pull Requests
Draft Text

24
We have issued two implementer’s drafts
Valueoftheresource
Environment control levelHigh Low
High
Low
Social sharing
Closed circuit
Factory
application
Financial API
– Read & Write
e.g.,
Basic choices ok.
Financial API
– Read only

25
Which are redirect approach
Part 1: Read Only Security Profile
Part 2: Read and Write Security Profile
25
Redirect
Approach
Decoupled
Approach
Embedded
Approach

26
While RFC6749 is not complete with source, destination, and message authentication,
UA
Clien
t
AS
TLS Protected
TLS ProtectedTLS Protected
TLS Terminated
Sender
AuthN
Receiver
AuthN
Message
AuthN
AuthZ
Req
Indirect None None
AuthZ
Res
None None None
Token
Req
Weak Good Good
Token
Res
Good Good Good

27
 By using OpenID Connect’s Hybrid Flow and Request Object, you are pretty well covered.
FAPI Part 2 is complete with source, destination, and message authentication.
27
Sender
AuthN
Receiver
AuthN
Message
AuthN
AuthZ Req Request Object Request
Object
Request object
AuthZ Res Hybrid Flow Hybrid Flow Hybrid Flow
Token Req Good Good Good
Token Res Good Good Good

28
Tokens are Sender Constrained instead of being bearer
Security
Levels
Token Types Notes
Sender Constrained
Token
Only the entity that was issued
can used the token.
Bearer Token Stolen tokens can also be used

29
These are in the form of check lists.
(source) https://bitbucket.org/openid/fapi/src/master/Financial_API_WD_002.md

30
Crypto Requirements are tightened for interoperability and security
(source) https://bitbucket.org/openid/fapi/src/master/Financial_API_WD_002.md

31
And now working on the decoupled approach …
CIBA (client initiated backchannel
authentication) profile.
31
Redirect
Approach
Decoupled
Approach
Embedded
Approach
https://bitbucket.org/openid/fapi/src/master/Financial_API_WD_CIBA.md

32
We are not working on Embedded Approach
Since we do not know how it can be phishing resistant
 W3C Web Authentication will not work.
Come to the WG if you know how
▪ IPR release is necessary though.
GDPR explicit consent for third party data transfer?
What would be the liability implications?
32
Redirect
Approach
Decoupled
Approach
Embedded
Approach

33
We have other works as well…
E.g. The OpenBanking OpenID Dynamic Client Registration Specification
33

34
How can we tell that the implementation
conforms to the specification?
34

35
Once it passes the test, the implementer
can self-certify and publish.
• That gets the implementers under the
premise of the article 5 of the FTC Act.
• The log will be openly available so others
can also find out false claims.
See http://openid.net/certification/ for
details
OpenID Foundation provides the online test environment for the implementers to test their conformance.
35

36

3737

3838
* Not Invented Here

39
But work together in the open, IPR safe
environment.
39

40
uestions?
40

Introduction to the FAPI Read & Write OAuth Profile

Related slideshows

More Related Content

Introduction to the FAPI Read & Write OAuth Profile

Editor's Notes