Not only banks struggle with third-party systems needing access to their APIs. In this talk though, Daniel will discuss how this can be done in the banking sector according to the Payment Services Directive (PSD2) and also in other sectors where trust of third-parties is also of great importance.
Report
Share
Report
Share
1 of 51
More Related Content
OAuth and OpenID Connect for PSD2 and Third-Party Access
34. Phantom Token Flow
• Keeps information from the clients
• Gives trusted info to the APIs
• APIs can make their authorization decision without asking anyone else
35. Scopes
• Static strings that represent permissions
• Clients specifies exactly which scopes it want for each token
• Server configures what scopes the client is allowed to ask for
43. Request Object
• Allows the Client to specify request parameters
• Signed JWT – no risk of tampering
• Supports all OAuth/OpenID parameters, as well as metadata
The customer wants to give access to some of its to a third party app
Direct access and screen scraping is no longer allowed
The app is already registered as a trusted application
Four players
User
Third party app
OAuth AS
Microservices
Client pop ups a browser,
Points it to the OAuth server
This request contains information to identify the client, and what access it needs delegated
OAuth server validates the request, and continues to authenticate the user
Strong authentication required, so some kind of second factor is applied during the authentication
The AS now knows the user, and can lookup the account
The OAuth server can now ask the user for consent, which finalizes the delegation.
The response is sent back to client with a one time code,
The code is passed to the client, which immediately makes a token request to the OAuth server
The code is passed to the client, which immediately makes a token request to the OAuth server
The code is passed to the client, which immediately makes a token request to the OAuth server
The code is passed to the client, which immediately makes a token request to the OAuth server
The API can now validate the token, and return the data
The reference token does not have a meaning for anyone else than the AS
Cleartext token, signed by the private key of the OAuth server
As you can imagine, we don’t want the by value tokens to be out on the clients, since that would give the clients more information than it needs. The info is for the api, not the client.
So in the case were the client has a reference token, it won’t have any meaning to to the apis
So in the case were the client has a reference token, it won’t have any meaning to to the apis
So in the case were the client has a reference token, it won’t have any meaning to to the apis
The API can now validate the token, and return the data
This is inefficient. All APIs needs to ask the AS if the token is valid, and to get the token metadata to be able to take authorization decisions
So in the case were the client has a reference token, it won’t have any meaning to to the apis
So in the case were the client has a reference token, it won’t have any meaning to to the apis
So in the case were the client has a reference token, it won’t have any meaning to to the apis
So in the case were the client has a reference token, it won’t have any meaning to to the apis
So in the case were the client has a reference token, it won’t have any meaning to to the apis
So in the case were the client has a reference token, it won’t have any meaning to to the apis
Lets talk about the scopes and how they relate to the consent
The initial request contains the scopes that the client wants a token for
Skipping ahead, the user will be ask to consent to delegate access with the requested persmissions.
Lets talk about the scopes and how they relate to the consent
To
The initial request contains the scopes that the client wants a token for
Now the user has to consent once for every transaction
But still, something is missing. It would be bnice to have some data in there that describes the operation that is about to be performed
To
All of the query parameters inside a JWT, that is signed with the private key of the client.
When you get into the more advanced parts of OpenID, the parameters tend to grow, so building them
Now instead of passing all data as query parameters, we send one parameter with the JWT we created
All of the query parameters inside a JWT, that is signed with the private key of the client.
When you get into the more advanced parts of OpenID, the parameters tend to grow, so building them
Now instead of passing all data as query parameters, we send one parameter with the JWT we created