Implementing security and availability requirements for banking API system using Open Source Software (OSS)

© Hitachi, Ltd. 2019. All rights reserved.
Implementing security and availability requirements for
banking API system using Open Source Software (OSS)
Open Source Summit Japan 2019
Hitachi, Ltd.
OSS Solution Center
Yoshiyuki Tabata

1
Self introduction
Yoshiyuki Tabata :
OSS Solution Center, Hitachi, Ltd. @ Yokohama, Japan
• Software engineer
• API Management & Identity Management
• 3scale, Keycloak
• Contributor of 3scale
• Developed “Edge Limiting policy”, “Keycloak Role Check policy”

Contents
2
1. Introduction: background and requirements
2. Usage of OSS to meet requirements

3
Background: Banking API and its security in Japan
• The revised banking act was published in Jun 2017 to promote API.
• Similar to PSD2 in EU
• 83% of banks (114 banks) answered they will open API by 2020/6(*).
(*) Based on survey of Japanese Bankers Association as of Dec 2017
• Security : OAuth 2.0 is recognized as a key technology to secure API
Quoted from Report about open API by the Japanese Bankers Association
https://www.zenginkyo.or.jp/fileadmin/res/news/news290713_3.pdf

4
Usage of OAuth 2.0: Authentication, Authorization
End users Applications API Server
3. Who is allowed what?
-> Access control
(Authorization)
Uses Apps
via browsers or
mobile devices
Call REST API
Access token
* OAuth 2.0 (RFC 6749) only describes how tokens are issued.
We have to use other standards or create something outside of standards.
1. Who is using API?
-> User authentication
2. What is using API?
-> Client authentication
OAuth 2.0

5
Requirements for Authentication/Authorization for banking API
# Category Description
1 Authentication • Can support various (customized) authentication in
OAuth flow
• Compliance to OpenID Connect on top of OAuth
2 Access control • Deny/Allow accesses based on claims in token
• Can be combined with rate limit to protect backend
3 Manage tokens • Revoke tokens triggered by users, administrators
• Revoke tokens based on policy
4 Compliance to the
latest standards
• Financial-grade API (FAPI) of OpenID Foundation

6
Background: Banking API and its availability
Level 5 4 3 2
Operating Rate > 99.999% > 99.99% > 99.9% > 99%
Total recovery time per
year (MTTR)
< 5.26 min < 52.6 min < 8.76 h < 87.6 h
Recovery time per failure < 1 min < 10 min < 1 h < 2 h
Banking API
System Infrastructure Non-Functional Requirements Related Grade Table
• Non-Functional Requirements 2018(*) was published in Apr 2018
to construct appropriate information systems, and enable stable provision of services.
(*) Reported by Information-Technology Promotion Agency, Japan
• Information systems are categorized into 5 levels according to characteristics.
• In our experience, almost all banking API systems belong to over Level 3.

7
Achieve Level 3
How to minimize MTTR ( < 8h ) and the recovery time per failure ( < 1 h ).
• Generally, to construct HA configuration and failover the system
when a failure has occurred.
• To configure the system to be recovered automatically.
-> Fault Tolerance
* This takes a high cost for preparing more resources than usual.
• To reduce dependencies of each component.
-> Fail Soft / Fault Avoidance
Level 3 Level 2
banking API system
highly
depends on
critical critical
Level 3 Level 2
banking API system
not
depends on
critical not critical

8
Requirements for Availability for banking API
1 Fault Tolerance • HA configuration
• Can be recovered automatically
2 Fail Soft/
Fault Avoidance
• Reduce dependencies of each component

Contents
9
• Which OSS should be used?
• Security requirements
• Availability requirements

10
Open API system
API
Gateway
Legacy
Backend
REST API
Server
Applications
(Web App,
Mobile App)
Developer
Portal
API Management
Manager
App Developers
End Users
Bank
• API Management product is usually used for common functions to open APIs
• Rate limit, dev portal, analytics etc.
• It is desirable authentication/authorization are integrated into API management
Authentication/
Authorization

11
Open Source Software (OSS) for open API
• There are various OSSs
• We chose “3scale” and “Keycloak”
• Completeness of feature
• Activity and future of community
OSS
API Management 3scale WSO2
Kong tyk
Authentication/
Authorization
Keycloak OpenAM
Gluu

12
API Management
What is 3scale
API
Gateway
(APIcast)
Legacy
Backend
REST API
Server
Applications
(Web App,
Mobile App)
Developer
Portal(porta)
Manager
(porta)
App Developers
End Users
Authentication/
Authorization
Container Platform
• Include full functions of API management (not only API GW)
• Cloud native : Works on OpenShift or okd
• OAuth2, OIDC in combination with Keycloak
OSS for API Management, community is led by Red Hat: https://github.com/3scale

13
What is Keycloak
Identity Management
Authentication
Social Login
(Identity Brokering)
Identity Federation
OpenID Connect, OAuth 2.0, SAML
OSS for Identity Management, community is led by Red Hat: https://www.keycloak.org
LDAP
Active Directory
RDB

Contents
14

15
<Recap> Requirements for Authentication/Authorization for banking API
1 Authentication • Can support various (customized) authentication in
OAuth flow
• Compliance to OpenID Connect on top of OAuth
2 Access control • Deny/Allow accesses based on claims in token
• Can be combined with rate limit to protect backend
3 Manage tokens • Revoke tokens triggered by users, administrators
4 Compliance to the
latest standards
• Financial-grade API (FAPI) of OpenID Foundation
Implemented these requirements using 3scale + Keycloak,
collaborating with OSS community

16
Authentication : Registering Apps
Authentication within OAuth/OIDC flow works well, basically
Keycloak
Dev/Admin
portal
(system)
Developer/Administrator
(1) Generate client ID/secret
via Web console,
and register app
zync
MySQL
3scale
(2) Register client ID/secret
to manage from 3scale
(3) Sync client ID/secret to
Keycloak
* OAuth 2.0 Dynamic Client Registration Protocol (RFC 7591)

17
Authentication : Authentication / Issue token
(1) Redirect to login screen
User data
store
(2) Authenticates user using
user data storage
(3) Authorization code
(4) Token request with client secret
(5) Access token and ID token
Authentication within OAuth/OIDC flow works well, basically
e.g.) Authorization code grant
End user
Keycloak
Application

18
Authentication : Issues
1. PKCE (RFC 7636) is required to protect code
User data
store
(2) Authenticates user using
user data storage
End user
Keycloak
Application
2. Login screen is generated by Keycloak.
However, it lacks high customizability.

19
PKCE support for Keycloak
• Keycloak did not support PKCE..
-> We submitted PR and merged.
https://github.com/keycloak/keycloak/pull/3831
• From Keycloak 3.1.0, PKCE was supported.
• Enabled by default (no switch)
• Only when PKCE is requested from a client, it works
• Included in OIDC server metadata from 4.0.0

20
Highly customized login screen
(2) Forward login
screen & result
End user
Keycloak
Application
Login
Screen
AP server
1. Delegates login screen by using
Identity brokering feature
2. Login screen/logic can be coded
as customers like
Extra parameters could not be forwarded
Besides the template, login screen can be generated by delegated server
We submitted a patch to enable forward parameters from Keycloak.
https://github.com/keycloak/keycloak/pull/5163

21
Access Control
Keycloak only issues tokens. Access control is out of scope.
API
Gateway
(APIcast)
REST API
Server
Applications
(Web App,
Mobile App)
Access control has to be implemented in
APIcast or REST API server
APIcast did not support access control using tokens -> We submitted PRs.
API Request with
access token
More convenient, to reduce development in REST API server

22
How to access control using tokens
{
"jti": "c26a32c4-4b48-4c2f-a7da-3b9b8ecad652",
"exp": 1535424101,
"nbf": 0,
"iat": 1535423801,
"iss": "http://localhost:8080/auth/realms/provider",
"aud": "broker",
"sub": "e4b11e2e-9136-409b-8720-57463c627c10",
"typ": "Bearer",
"azp": "broker",
"auth_time": 0,
"session_state": "ac1767e2-2e30-4d44-b6f3-b77935a7a0bc",
"acr": "1",
"allowed-origins": [],
"realm_access": {
"roles": [
"read",
"additional",
"write"
]
},
"name": "Takashi Mogi",
"preferred_username": "mogi",
"given_name": "Takashi",
"family_name": "Mogi",
"email": "mogi@example.com"
}
• The format of access token is not
standardized neither RFC nor OIDC.
-> It depends on implementation.
• In Keycloak, the format is similar to
ID token of OIDC (JWT, claims).
-> We targeted the Keycloak access token,
and developed 2 policies(*).
(*) plugin to extend functions of APIcast

23
Keycloak Role Check policy
• Checks “role” claims of access token and URL.
• We submitted a patch and included from 3scale 2.3.
https://github.com/3scale/apicast/pull/773
{
"jti": "c26a32c4-4b48-4c2f-a7da-3b9b8ecad652",
"exp": 1535424101,
…
"allowed-origins": [],
"realm_access": {
"roles": [
"role1"
]
},
End User
Client
Application
Keycloak
APIcast API Backend
Resources:
/resource1
Role Check:
Require “role1” to access to “/resource1”
1.
Request
“role1”
4.
Issue
access
token
including
“role1”
5. “GET /resource1”
with access token
6. Allow to access
to “/resouce1”
Use
Access Token

24
Edge Limiting policy
Rate limiting: A kind of access control, to control the upper limit of traffics.
APIcast did not support STRICT rate limiting to protect backend.
-> We implemented patches and “Edge limiting policy” was included in 3scale 2.3.
API
Gateway
(APIcast)
REST API
Server
Applications
(Web App,
Mobile App)
API Request with
access token
Any values can be extracted as a key to control access
- header
- body parameter
- JWT claim
- etc.
Protects backend by rate limit, types of limit:
- leaky bucket
- fixed window
- concurrent connections

25
Keycloak itself has features to revoke tokens
• Revoke tokens triggered by administrator
-> Can be revoked from admin console
-> Timeout can be configured in admin console
• Revoke tokens triggered by users
- Keycloak does not support OAuth 2.0 Token Revocation (RFC 7009)
- Instead, logout endpoint(*) is used.
(*) /auth/realms/<realm>/protocol/openid-connect/logout
Related access tokens, ID tokens, refresh tokens are revoked.
Manage tokens

26
Manage tokens : Issue
1) API Request
with token
2) Token Introspection
(Check token is alive)
API
Gateway
(APIcast)
Applications
(Web App,
Mobile App)
Keycloak
• Only authorization server knows that tokens are revoked…
API gateways couldn’t deny API requests even if tokens were revoked.
• API gateways MUST ask the authorization server whether tokens were revoked.
-> token introspection (RFC 7662)

27
Token Introspection policy
• We implemented patches and “Token Introspection policy” was included in 3scale 2.3.
https://github.com/3scale/APIcast/pull/619
• This policy can cache the result of token introspection
for reducing performance impact
https://github.com/3scale/APIcast/pull/656
1) API Request
with token
(Check token is alive)
API
Gateway
(APIcast)
Applications
(Web App,
Mobile App)
Keycloak

28
How API is called in 3scale 2.3 + Keycloak
1) API Request
with token
(Token Introspection policy)
3scale API
Gateway
(APIcast)
REST API
Server
Applications
(Web App,
Mobile App)
Keycloak
3) Access control
(Role Check policy, Edge Limiting policy)
4) Extract necessary information from
access token and set header
(Header policy)
5) API Request with necessary
information in header

29
Compliance to the latest standard: FAPI
OAuth
OpenID
Connect
(OIDC)
Spec to exchange access token(authorization info).
A lots are left to implementers,
insecure usage can easily happen.
In addition to OAuth,
ID token (authentication info) can be included.
Usage of OAuth is a bit hardened.
ＦＡＰＩ
FAPI (Financial-Grade API) is being standardized in OpenID Foundation.
Part1 (Read Only), Part2 (Read Write), JARM, CIBA
Secure usage of OAuth and OIDC
is standardized.

30
FAPI in Japan
• FAPI is still implementer’s draft as of today
• However, being strongly promoted in banking industry
Quoted from “Report of Review Committee on Open APIs: Promoting Open Innovation”, Japanese Bankers Association
https://www.zenginkyo.or.jp/fileadmin/res/news/news290713_3.pdf
• We have to prepare for FAPI in advance, because can not implement soon.

31
Issues toward FAPI in Keycloak
JIRA Description Pull
Request
Included
version
KEYCLOAK-2604 RFC 7636(PKCE) support 3831 3.1.0
KEYCLOAK-5661 shall return the list of allowed scopes with the
issued access token
4527 3.4.0
KEYCLOAK-5811 Client authentication client_secret_jwt 4835 4.0.0
KEYCLOAK-6700 Support of s_hash 5022 4.0.0
KEYCLOAK-6768 Support of Encrypted ID token 5779 Not yet
KEYCLOAK-6770 Signature algorithm (PS256 or ES256) support 5533 4.5.0
KEYCLOAK-8460 Signature algorithm (PS256 or ES256) support
(for request object)
5603 4.7.0
KEYCLOAK-6771 Support for holder of key mechanism 5083 4.0.0
Investigated implementation of Keycloak, and reported issues.
We were developing patches with community, major parts were resolved.
Our colleague @tnorimat is mainly working.

Contents
32

33
<Recap> Requirements for Availability for banking API
1 Fault Tolerance • HA configuration
• Can recover automatically
2 Fail Soft/
Fault Avoidance
• Reduce dependencies of each component
Implemented these requirements using 3scale,
collaborating with OSS community

34
API Management
HA configuration / Automatic recovery
API
Gateway
(APIcast)
Legacy
Backend
REST API
Server
Applications
(Web App,
Mobile App)
Developer
Portal(porta)
Manager
(porta)
App Developers
End Users
Authentication/
Authorization
Container Platform
OpenShift provides:
• Automatic recovery/Automatic rerouting -> Automatic recovery
• Flexible scaling -> HA configuration

35
Reduce dependencies of each component
apicast-
[staging|production]
system-[master|provider]
/ system-developer
system-redis
system-mysql
system-memcache
system-sidekiq
system-sphinx
backend-redis
backend-cron
backend-worker
backend-listener
zync-database
zync
Keycloak
Client Application API Backend
API Gateway
Authentication / Analytics
Portals
Data sync
External components

36
apicast-
/ system-developer
system-redis
system-mysql
system-memcache
system-sidekiq
system-sphinx
backend-redis
backend-cron
backend-worker
backend-listener
zync-database
zync
Keycloak
API Gateway
Authentication / Analytics
Portals
Data sync
External components
Level 3

37
apicast-
/ system-developer
system-redis
system-mysql
system-memcache
system-sidekiq
system-sphinx
backend-redis
backend-cron
backend-worker
backend-listener
zync-database
zync
Keycloak
Mission Critical components
Non-critical components
External components
Execute jobs
Enqueue jobs

38
Reduce dependency (APIcast to Backend)
apicast-
backend-listener
Authenticate &
Report traffics
when backend-listener is down
We have to consider:
1. how to authenticate API requests
2. how to report traffics

39
Reduce dependency (APIcast to Backend)
apicast-
backend-listener
Authenticate &
Report traffics
We have to consider:
1. how to authenticate API requests
👉 cache the result of authentication and authenticate using cache
-> cannot authenticate newcomers and results to opportunity loss
👉 allow newcomers without cache authentication and with
alternative authentications
2. how to report traffics
👉 cache traffics and report them all together when backend-listener
comes back
Caching policy
Batcher policy
Keycloak Role Check policy, Edge Limiting policy, Token Introspection policy

40
How API is called in 3scale 2.3
1) API Request
with token
(Token Introspection policy)
3scale API
Gateway
(APIcast)
REST API
Server
Applications
(Web App,
Mobile App)
Keycloak
3) Access control
(Role Check policy, Edge Limiting policy)
4) Extract necessary information
from access token and set header
(Header policy)
6) API Request with necessary
information in header
5) Reduce dependencies
(Caching policy, Batcher policy)
3scale
Backend

41
Summary
• OAuth is recognized as a key technology for banking API systems
• Requirements to be considered around OAuth
• Authentication, Access control, Token management,
Latest standard (OIDC, FAPI)
• Requirements to be considered around Availability
• HA configuration, Dependencies
• Applied OSS (3scale + Keycloak) to achieve them
• Improved with OSS community
• 3scale: enhanced rate limit, access control
• Keycloak: Features required for FAPI
-> Improvements are included in the latest version
• Let’s work with OSS community ! 3scale and Keycloak are great community.

42
Trademarks
• Red Hat is a trademark or registered trademark of Red Hat, Inc. in the United States and other
countries.
• OpenShift is a trademark or registered trademark of Red Hat, Inc. in the United States and other
countries.
• WSO2 is a trademark or registered trademark of WSO2 in the United States and other countries.
• OpenID is a trademark or registered trademark of OpenID Foundation in the United States and other
countries.
• GitHub is a trademark or registered trademark of GitHub, Inc. in the United States and other
countries.
• Twitter is a trademark or registered trademark of Twitter, Inc. in the United States and other countries.
• Facebook is a trademark or registered trademark of Facebook, Inc. in the United States and other
countries.
• Other brand names and product names used in this material are trademarks, registered trademarks,
or trade names of their respective holders.

Implementing security and availability requirements for banking API system using Open Source Software (OSS)

Implementing security and availability requirements for banking API system using Open Source Software (OSS)

Recommended

More Related Content

What's hot (20)

Similar to Implementing security and availability requirements for banking API system using Open Source Software (OSS) (20)

More from Hitachi, Ltd. OSS Solution Center. (20)

Recently uploaded (20)

Implementing security and availability requirements for banking API system using Open Source Software (OSS)