APIdays London 2020: Toward certifying Financial-grade API security profile with Keycloak
Download as PPTX, PDF0 likes688 views
The document discusses Keycloak and its capabilities for satisfying the Financial-grade API (FAPI) security profile. It introduces Keycloak and describes how the proposed "Client Policy" feature allows Keycloak to easily meet the FAPI requirements by applying security profiles to client applications based on configurable conditions and executors. It also outlines other efforts like the FAPI-SIG group and implementation of FAPI requirements in the 3scale API gateway to help build fully FAPI-compliant systems.
APIdays London 2020: Toward certifying Financial-grade API security profile with Keycloak
- 1. © Hitachi, Ltd. 2020. All rights reserved. Toward certifying Financial-grade API security profile with Keycloak APIdays London 2020 Hitachi, Ltd. OSS Solution Center Yoshiyuki Tabata
- 2. 1© Hitachi, Ltd. 2020. All rights reserved. About the speaker • Consultant of API system • For example, building a high-security banking API system. • Contributor of 3scale (OSS of API Management) • Developed functions around security and access control. • “Edge Limiting”, “RBAC”, “OAuth MTLS”, … • Contributor of Keycloak (OSS of Identity Management) • Developed functions required for API use cases based on OAuth/OIDC. • “Token Revocation”, “Refresh token setting per client”, … Yoshiyuki Tabata Software Engineer OSS Solution Center, Hitachi, Ltd. GitHub: @y-tabata
- 3. © Hitachi, Ltd. 2020. All rights reserved. Contents 2 1. Introduction: Financial-grade API (FAPI) and Keycloak 2. "Client Policy": how to satisfy FAPI security profile easily 3. Other activities help engineers to build FAPI compliant system
- 4. © Hitachi, Ltd. 2020. All rights reserved. Contents 3 1. Introduction: Financial-grade API (FAPI) and Keycloak 2. "Client Policy": how to satisfy FAPI security profile easily 3. Other activities help engineers to build FAPI compliant system
- 5. 4© Hitachi, Ltd. 2020. All rights reserved. What is FAPI (Financial-grade API)? OAuth 2.0 OpenID Connect (OIDC) FAPI OAuth 2.0 is the de fact standard to secure API. However, lots are left to implementers, insecure usage can easily happen. OIDC standardizes user verification using ID token. FAPI standardizes secure usage of OAuth 2.0 and OIDC. Expected to be used mainly in the financial field. FAPI is a hardened standard of "OAuth 2.0" and "OpenID Connect (OIDC)". Formulated by the OpenID Foundation.
- 6. 5© Hitachi, Ltd. 2020. All rights reserved. FAPI Milestone
- 7. 6© Hitachi, Ltd. 2020. All rights reserved. FAPI: needs and difficulties However, since authorization server requires various functions/settings, and sometimes changes of implementation are required, it’s difficult to meet FAPI security profile. PSD2 (2015/11) revised Banking Act (2017/6) OBIE announced its collaboration with FAPI WG (2017/5) Japanese Bankers Association recommended conforming to FAPI (2017/7) Following this, the movement of open APIs had become active mainly in EU member states. The UK came to be recognized as a leader in this field. FAPI is gaining attention both in Japan and globally. In response to the above movements. Each bank was required to make efforts for open APIs. Japan UK Open Banking Standard (2016/2)
- 8. 7© Hitachi, Ltd. 2020. All rights reserved. Keycloak Identity Federation (OpenID Connect, OAuth 2.0, SAML) Social Login (Identity Brokering) Identity Management Authentication LDAP Active Directory RDB OpenID SAML XML.org GitHub Twitter Facebook What is Keycloak? OSS for Identity Management, community is led by Red Hat: https://www.keycloak.org Keycloak provides single sign-on and authentication/authorization based on OAuth 2.0.
- 9. 8© Hitachi, Ltd. 2020. All rights reserved. Keycloak acts as OAuth2 authorization server 3. API Request w/ Token 5. Authorized API Request 1. Authentication Resource Server End User 4. Token Introspection Keycloak API systemAuthorization Server API Gateway Client Application Orthodox API system: Authorization Server + API Gateway + Resource Server e.g.) OAuth2 Authorization Code Grant
- 10. 9© Hitachi, Ltd. 2020. All rights reserved. Our colleague @tnorimat is mainly working. We'd finished implementing all functions required for FAPI-RW. • KEYCLOAK-6767 FAPI (Financial API) Security Profile Support Our activities toward certifying FAPI security profile JIRA Description PR Opened by KEYCLOAK-2604 Support PKCE (RFC7636) 3831 tnorimat KEYCLOAK-5661 Return allowed scopes with access token 4527 tnorimat KEYCLOAK-5811 Support client_secret_jwt 4835 tnorimat KEYCLOAK-6700 Support s_hash 5022 tnorimat KEYCLOAK-6768 Support signed and encrypted ID token 5779 tnorimat KEYCLOAK-6770 Support signature algorithm ES256 5533 tnorimat KEYCLOAK-6771 Support holder of key (RFC8705) 5083 tnorimat
- 11. 10© Hitachi, Ltd. 2020. All rights reserved. Next assignment: pass all conformance tests for FAPI-RW We'd finished implementing all functions required for FAPI. -> However, this is not enough to pass all conformance tests. To pass these tests, it's necessary to implement fine-grained checks to the authorization server, i.e. Keycloak. e.g.) • Check a client uses request objects at a sufficiently high-security level. (KEYCLOAK-14204) • Check a client uses suitable response types in OIDC Hybrid Flow. (KEYCLOAK-14205) There were difficulties: Regarding usability Settings for clients and realms (i.e. services) will increase too much. Regarding implementation Implementing check logics to each endpoint will increase conditional branches and impair readability. -> We proposed “Client Policy”!
- 12. © Hitachi, Ltd. 2020. All rights reserved. Contents 11 1. Introduction: Financial-grade API (FAPI) and Keycloak 2. "Client Policy": how to satisfy FAPI security profile easily 3. Other activities help engineers to build FAPI compliant system
- 13. 12© Hitachi, Ltd. 2020. All rights reserved. What is Client Policy? – Concept A framework for applying security profiles to client applications. Executor : “what action” Execute actions for security profiles. Condition : “which client” Select client applications based on conditions. Policy : Manage sets of executors and conditions.
- 14. 13© Hitachi, Ltd. 2020. All rights reserved. What is Client Policy? – Processing Flow Client Policy Manager monitors requests from client applications to each endpoint. Determine if the client is subject to client policies. Static characteristics Client application's metadata. Dynamic characteristics Requests to endpoints. Execute actions for security profiles.
- 15. 14© Hitachi, Ltd. 2020. All rights reserved. What is Client Policy? – How to implement Design Pattern: Abstract Factory Pattern All of Executor, Condition, Policy are implemented as Java interfaces. Since client policies can be set separately from settings for clients and realms, the settings do not become complicated. Since client policies can be implemented separately from each endpoint implementation, the readability of the endpoint implementation is not impaired. Security profiles other than FAPI, such as UK Open Banking, can be easily added without affecting Keycloak original source code.
- 16. 15© Hitachi, Ltd. 2020. All rights reserved. Our colleague @tnorimat is mainly working. • Due to our contribution FAPI-SIG (Financial-grade API Security: Special Interest Group) was founded. • https://github.com/keycloak/kc-sig-fapi • Main activity is supporting FAPI and its related specifications to Keycloak. • Communication Channels: Google Group, Zulip, and Web meeting on a regular basis. • Anyone can join it anytime! • KEYCLOAK-10331 Pass All Conformance Tests for Certified Financial-grade API (FAPI) OpenID Providers by OpenID Foundation • This activity is being accelerated by client policy and FAPI-SIG. Our activities toward passing conformance tests for FAPI-RW JIRA Description Progress KEYCLOAK-10332 Conformance Tests for FAPI R/W OP w/ MTLS 30% KEYCLOAK-10333 Conformance Tests for FAPI R/W OP w/ Private Key 30%
- 17. 16© Hitachi, Ltd. 2020. All rights reserved. Next assignment: considering whole API system 3. API Request w/ Token 5. Authorized API Request 1. Authentication Resource Server End User 4. Token Introspection Keycloak API systemAuthorization Server MUST consider security! API Gateway MUST consider security! Client Application Security of the API system is not ensured only by the authorization server.
- 18. © Hitachi, Ltd. 2020. All rights reserved. Contents 17 1. Introduction: Financial-grade API (FAPI) and Keycloak 2. "Client Policy": how to satisfy FAPI security profile easily 3. Other activities help engineers to build FAPI compliant system
- 19. 18© Hitachi, Ltd. 2020. All rights reserved. Overview: whole API system 3. API Request w/ Token 5. Authorized API Request 1. Authentication Resource Server End User 4. Token Introspection Keycloak API systemAuthorization Server 3scale API Gateway Hitachi’s Sample OIDC Client Application Client Application Implementing functions relating to FAPI to the client application and the API Gateway, and considering a kind of FAPI sandbox.
- 20. 19© Hitachi, Ltd. 2020. All rights reserved. What is 3scale? OSS for API Management, community is led by Red Hat: https://github.com/3scale End User App Developer REST API Server Legacy Backend Applications (Web, Mobile) Admin Admin PortalDev Portal Container Platform Authorization Server API Gateway (APIcast) API Manager (Porta)
- 21. 20© Hitachi, Ltd. 2020. All rights reserved. Our activities for API gateway Implemented necessary functions for FAPI. e.g.) OAuth MTLS (RFC8705) PR #1101 3. API Request w/ Token w/ Client Certificate 5. Authorized API Request 1. Authentication Resource Server End User 4. Token Introspection Keycloak API systemAuthorization Server 3scale API Gateway Client Application Token includes hash value of Client Certificate. Calculate hash value of Client Certificate and compare it with token's one.
- 22. 21© Hitachi, Ltd. 2020. All rights reserved. What is Hitachi’s Sample OIDC Client Application? A sample client application* created for testing a high-security API system we built. https://github.com/Hitachi/sample-oidc-client-application It follows OAuth 2.0 Security Best Practice. It has following functions, including FAPI-RW requirements: Act as a client application of Keycloak TLS OAuth 2.0 (RFC6749) / OIDC Authorization Code Grant Scope claim Audience claim State value Nonce value Proof Key for Code Exchange by OAuth Public Clients (RFC7636) OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens (RFC8705) OAuth 2.0 Form Post Response Mode * This sample source code is just a sample and not intended for applying to the product directly.
- 23. 22© Hitachi, Ltd. 2020. All rights reserved. Summary • Keycloak has already had all functions required for FAPI-RW. • We are actively moving toward passing all conformance tests for FAPI-RW with Keycloak. • We are also considering preparing a FAPI sandbox which is a demo set we can try FAPI with Keycloak easily. • Let's join FAPI-SIG! https://github.com/keycloak/kc-sig-fapi
- 24. 23© Hitachi, Ltd. 2020. All rights reserved. Trademarks • OpenID is a trademark or registered trademark of OpenID Foundation in the United States and other countries. • GitHub is a trademark or registered trademark of GitHub, Inc. in the United States and other countries. • Twitter is a trademark or registered trademark of Twitter, Inc. in the United States and other countries. • Facebook is a trademark or registered trademark of Facebook, Inc. in the United States and other countries. • Red Hat, and OpenShift are registered trademarks of Red Hat, Inc. in the United States and other countries. • Other brand names and product names used in this material are trademarks, registered trademarks, or trade names of their respective holders.
- 26. 25© Hitachi, Ltd. 2020. All rights reserved. What is Client Policy? – Architecture Policy Condition Executor Realm Client Keycloak Attribute Request apply Client Policy 1 0..* 0..* 1 0..* 1 1 0..* 1 0..* 0..* 1 1 0..* Manager Framework “Client Policy Basics” Components hook & call Separate security profile processing from Keycloak original source code and provide "Client Policy Basics" which is a framework for dynamically loading and unloading. Separate the client from its settings, treat them as logical components (Executor), and apply them to the client (Condition).