OAuth and OpenID Connect for PSD2 and Third-Party Access

•Download as PPTX, PDF•

3 likes•1,357 views

Not only banks struggle with third-party systems needing access to their APIs. In this talk though, Daniel will discuss how this can be done in the banking sector according to the Payment Services Directive (PSD2) and also in other sectors where trust of third-parties is also of great importance.

PSD2 and Third-Party Access
Daniel Lindau - @dlindau
Platform Summit 2018

Bio
• Working (almost) exclusively with OAuth and OpenID Connect
projects
• Doing OAuth/OpenID Connect workshop with Nordic APIs

PSD2
• Second Payment Service Directive
• Activated 13 January 2018
• Banks needs to comply by September 2019

PSD2
• API Access
• Strong user authentication
• User consent

OAuth and OpenID Connect for PSD2 and Third-Party Access

User
Third Party app
OAuth2/OpenID provider
APIs

Reference Token
984b1914-d25a-11e8-a8d5-f2801f1b9fd1

By value token
{
“sub": “dlindau”,
“name": “Daniel Lindau",
“exp”: 1516239022,
“iat”: 1516236022,
}

{
“sub": “dlindau”,
“name": “Daniel Lindau”
}

Phantom Token Flow
• Keeps information from the clients
• Gives trusted info to the APIs
• APIs can make their authorization decision without asking anyone else

Scopes
• Static strings that represent permissions
• Clients specifies exactly which scopes it want for each token
• Server configures what scopes the client is allowed to ask for

Consent screen
Testapp A wants your permission to:
Create a transaction
Read account balance

Scopes
• Consents to all transactions
• No transaction information

Prefix Scopes
• Prefix with a known string transaction_*
• Can contain things like Transaction ID for instance transaction_FooBar

Consent screen
Testspp A wants your permission to:
Create a transaction with id FooBar

Request Object
• Allows the Client to specify request parameters
• Signed JWT – no risk of tampering
• Supports all OAuth/OpenID parameters, as well as metadata

$Request object { "client_id": "third-party", "scope": "openid transfer_TRIDF00 read_balance", "redirect_uri": "https://example.com/callback", "response_type": "code", "state": "R4nd0m", "nonce": "4ls0R4nd0m” … }$

$Request object – with scope metadata { "client_id": "third-party", "scope": "transfer_TRIDF00 read_balance", "scope_metadata": { "transfer_TRIDF00": { "description": "Transfer 100kr to Daniel" } } – }$

Consent screen
Testspp A wants your permission to:
Perform transaction TRIDF00
Read account balance
Transfer 100kr to Daniel

Summarize
• Authorization Code Grant – OAuth2
• Phantom Token Flow
• Keeps information hidden for clients
• Prefix scopes
• Allows user to grant each unique transactions
• OpenID Request Object
• Reduce query param clutter
• Add metadata to scopes

Thank You!
@dlindau
https://curity.io
https://developer.curity.io
info@curity.io
@curity.io

More Related Content

OAuth and OpenID Connect for PSD2 and Third-Party Access

1. PSD2 and Third-Party Access Daniel Lindau - @dlindau Platform Summit 2018

2. Bio • Working (almost) exclusively with OAuth and OpenID Connect projects • Doing OAuth/OpenID Connect workshop with Nordic APIs

3. PSD2 • Second Payment Service Directive • Activated 13 January 2018 • Banks needs to comply by September 2019

4. PSD2 • API Access • Strong user authentication • User consent

5. Standards!

8. User Third Party app OAuth2/OpenID provider APIs

9. Authorization Code Grant

10. Authorization Code Grant

11. Authorization Code Grant

12. Authorization Code Grant

13. Authorization Code Grant

14. Authorization Code Grant

15. Authorization Code Grant

16. Authorization Code Grant

17. Authorization Code Grant

18. Authorization Code Grant

19. Authorization Code Grant

20. Authorization Code Grant

21. Reference Token 984b1914-d25a-11e8-a8d5-f2801f1b9fd1

22. By value token { “sub": “dlindau”, “name": “Daniel Lindau", “exp”: 1516239022, “iat”: 1516236022, }

23. API Call

24. API Call

26. { “sub": “dlindau”, “name": “Daniel Lindau” }

27. API response

28. New Player Reverse Proxy/ API Gateway

29. New Player

30. New Player

31. New Player JWT

32. New Player JWT

33. New Player

34. Phantom Token Flow • Keeps information from the clients • Gives trusted info to the APIs • APIs can make their authorization decision without asking anyone else

35. Scopes • Static strings that represent permissions • Clients specifies exactly which scopes it want for each token • Server configures what scopes the client is allowed to ask for

36. Request scopes

38. Consent screen Testapp A wants your permission to: Create a transaction Read account balance

39. Scopes • Consents to all transactions • No transaction information

40. Prefix Scopes • Prefix with a known string transaction_* • Can contain things like Transaction ID for instance transaction_FooBar

41. Request scopes

42. Consent screen Testspp A wants your permission to: Create a transaction with id FooBar

43. Request Object • Allows the Client to specify request parameters • Signed JWT – no risk of tampering • Supports all OAuth/OpenID parameters, as well as metadata

44. Request object { "client_id": "third-party", "scope": "openid transfer_TRIDF00 read_balance", "redirect_uri": "https://example.com/callback", "response_type": "code", "state": "R4nd0m", "nonce": "4ls0R4nd0m” … }

45. Request scopes

46. Request object – with scope metadata { "client_id": "third-party", "scope": "transfer_TRIDF00 read_balance", "scope_metadata": { "transfer_TRIDF00": { "description": "Transfer 100kr to Daniel" } } – }

47. Request scopes

48. Consent screen Testspp A wants your permission to: Perform transaction TRIDF00 Read account balance Transfer 100kr to Daniel

49. Summarize • Authorization Code Grant – OAuth2 • Phantom Token Flow • Keeps information hidden for clients • Prefix scopes • Allows user to grant each unique transactions • OpenID Request Object • Reduce query param clutter • Add metadata to scopes

50. Standards!

51. Thank You! @dlindau https://curity.io https://developer.curity.io info@curity.io @curity.io

Editor's Notes

A customer at a bank
The customer wants to give access to some of its to a third party app Direct access and screen scraping is no longer allowed The app is already registered as a trusted application
Four players User Third party app OAuth AS Microservices
Client pop ups a browser,
Points it to the OAuth server This request contains information to identify the client, and what access it needs delegated
OAuth server validates the request, and continues to authenticate the user
Strong authentication required, so some kind of second factor is applied during the authentication
The AS now knows the user, and can lookup the account
The OAuth server can now ask the user for consent, which finalizes the delegation.
The response is sent back to client with a one time code,
The code is passed to the client, which immediately makes a token request to the OAuth server
The code is passed to the client, which immediately makes a token request to the OAuth server
The code is passed to the client, which immediately makes a token request to the OAuth server
The code is passed to the client, which immediately makes a token request to the OAuth server
The API can now validate the token, and return the data
The reference token does not have a meaning for anyone else than the AS
Cleartext token, signed by the private key of the OAuth server
As you can imagine, we don’t want the by value tokens to be out on the clients, since that would give the clients more information than it needs. The info is for the api, not the client.
So in the case were the client has a reference token, it won’t have any meaning to to the apis
So in the case were the client has a reference token, it won’t have any meaning to to the apis
So in the case were the client has a reference token, it won’t have any meaning to to the apis
The API can now validate the token, and return the data This is inefficient. All APIs needs to ask the AS if the token is valid, and to get the token metadata to be able to take authorization decisions
So in the case were the client has a reference token, it won’t have any meaning to to the apis
So in the case were the client has a reference token, it won’t have any meaning to to the apis
So in the case were the client has a reference token, it won’t have any meaning to to the apis
So in the case were the client has a reference token, it won’t have any meaning to to the apis
So in the case were the client has a reference token, it won’t have any meaning to to the apis
So in the case were the client has a reference token, it won’t have any meaning to to the apis
Lets talk about the scopes and how they relate to the consent
The initial request contains the scopes that the client wants a token for
Skipping ahead, the user will be ask to consent to delegate access with the requested persmissions.
Lets talk about the scopes and how they relate to the consent
To
The initial request contains the scopes that the client wants a token for
Now the user has to consent once for every transaction But still, something is missing. It would be bnice to have some data in there that describes the operation that is about to be performed
To
All of the query parameters inside a JWT, that is signed with the private key of the client. When you get into the more advanced parts of OpenID, the parameters tend to grow, so building them
Now instead of passing all data as query parameters, we send one parameter with the JWT we created
All of the query parameters inside a JWT, that is signed with the private key of the client. When you get into the more advanced parts of OpenID, the parameters tend to grow, so building them
Now instead of passing all data as query parameters, we send one parameter with the JWT we created