© Hitachi, Ltd. 2023. All rights reserved.
Security Considerations for API Gateway Aggregation
APIsecure 2023
Hitachi, Ltd.
Yoshiyuki Tabata
Slides are available at https://www.slideshare.net/ssuserbeb7c0
About the speaker
• Specialist in API authorization
  • Consulting for API management infrastructure and authentication/authorization systems in the financial, public, social, and industrial fields
• Contributor to OSS related to authentication, authorization, and API management
  • Keycloak (IAM OSS)
  • 3scale (API management OSS)
• Other activities
  • Speaker at events such as Apidays, API Specifications Conference, OAuth Security Workshop, etc.
  • Author of Keycloak books (Japanese) and writer of web articles about IAM (Japanese)
Yoshiyuki Tabata
  • Software Engineer
  • Hitachi, Ltd.
  • GitHub: @y-tabata
Contents
1. Introduction to API Gateway Aggregation
2. Security Considerations for API Gateway Aggregation
3. Advanced use cases of API Gateway Aggregation
Introduction to “Minimum” API Management
[Figure: “Minimum” API Management: the own service's APIs sit behind an API GW, an Authz Server issues tokens, and all API calls pass through the API GW]
• From the operational perspective, “API management” is required whenever multiple APIs are provided.
• In this case, full-featured API management is not necessary; “Minimum” API Management, which provides only an API Gateway and an Authorization Server, is sufficient, especially for small-start projects.
Introduction to “Minimum” API Management
[Figure: the same “Minimum” API Management built with NGINX as the API GW and Keycloak as the Authz Server]
• For example, this “Minimum” API Management can be built with only Keycloak and NGINX.
What is Keycloak
• Keycloak is an IAM (Identity and Access Management) OSS.
• Keycloak provides an OAuth 2.0 authorization server feature and single sign-on.
Major features
  • Provide support for OAuth 2.0, OpenID Connect and SAML.
  • Connect to existing LDAP or Active Directory servers.
  • Login with social networks.
[Figure: Keycloak is based on standard protocols (OpenID Connect, SAML) and offers User Federation (LDAP, Active Directory, RDB) and Social Login (GitHub, Twitter, Facebook)]
Common issue for companies providing multiple services
• When a company provides multiple services, multiple “Minimum” API Management systems coexist in-house.
[Figure: two “Minimum” API Management systems side by side, each with its own API GW, APIs and Authz Server issuing tokens for its own services]
Common issue for companies providing multiple services
• Recently, use cases for exposing APIs outside the company have become popular, such as providing APIs to 3rd-party applications and supporting the spread of remote work.
• Existing APIs often cannot be exposed outside the company without changes, because their level of security and usability is too low.
[Figure: the two in-house systems as before; remote-work users and 3rd-party apps outside the company want to make API calls, but how their calls reach the APIs is an open question (“?”)]
Common issue for companies providing multiple services
• At a minimum, the following points should be considered when exposing APIs.
  • Minimum security (API authorization, OWASP Top 10)
  • Minimum impact on services provided to existing users
[Figure: as on the previous slide: remote work and 3rd-party apps outside the company, with an open question (“?”) on how their API calls reach the in-house API GWs]
Proposal: API GW Aggregation
• At a minimum, the following points should be considered when exposing APIs.
  • Minimum security (API authorization, OWASP Top 10)
  • Minimum impact on services provided to existing users
-> Build an API GW Aggregator in front of the API GWs.
[Figure: an API GW Aggregator placed between the outside of the company (remote work, 3rd-party apps) and the in-house API GWs; external API calls go to the aggregator, which forwards them to the individual API GWs]
How to meet requirements with API GW Aggregation
• This chapter considers how to meet the requirements with API GW Aggregation, focusing especially on the API authorization perspective.
  • Minimum security (API authorization, OWASP Top 10)
  • Minimum impact on services provided to existing users
[Figure: the API GW Aggregator in front of the in-house API GWs, receiving API calls from remote work and 3rd-party apps outside the company]
How to meet requirements with API GW Aggregation
• Minimum security (API authorization, OWASP Top 10)
  • API authorization -> Authorization server based on OAuth 2.0
  • OWASP Top 10 -> WAF (Web Application Firewall)
[Figure: the API GW Aggregator gains a WAF and its own Authz Server; that Authz Server issues tokens to remote-work users and 3rd-party apps using the OAuth2 authorization code grant, and the aggregator verifies issuer, audience, expiration and revocation of the token on each API call]
How to meet requirements with API GW Aggregation
• Minimum impact on services provided to existing users
  • API authorization of external applications in the API GW Aggregator, and that of each own service in its individual API GW, work without problems because each uses its dedicated authz server.
[Figure: the API GW Aggregator (w/ WAF) has its own Authz Server issuing tokens for external callers, while each in-house API GW keeps its own Authz Server for its own services; all three authorization paths are marked as fine (✔)]
How to meet requirements with API GW Aggregation
• Minimum impact on services provided to existing users
  • API authorization of external applications in the individual API GWs is complex.
-> If the API GW Aggregator reuses the access token that the external app sends, each individual API GW needs to deal with tokens issued by multiple AS.
-> We should avoid this situation because it extends the surface of possible attacks, such as IdP mix-up attacks, and may have an impact on the own services.
[Figure: the external app's access token, issued by the aggregator's Authz Server, is forwarded unchanged to an individual API GW (“using the same access token”); that API GW, which already receives tokens from its own Authz Server, therefore MUST deal with tokens issued by multiple AS]
How to meet requirements with API GW Aggregation
• Minimum impact on services provided to existing users
  • API authorization of external applications in the individual API GWs is complex.
-> Instead, the API GW Aggregator exchanges tokens at each API GW's AS (cf. RFC 8693 OAuth 2.0 Token Exchange).
-> Token translation, such as exchanging lightweight access tokens*1 for more claims-packed access tokens, can be realized, and this can protect privacy.
[Figure: the API GW Aggregator (w/ WAF) receives the external app's access token from its own Authz Server, performs a token exchange at the individual API GW's Authz Server, and calls that API GW “using the different access token”; each API GW deals with tokens issued by only one AS. The tokens before the exchange are the lightweight access tokens]
*1: an assertion-based access token w/o privacy information, or a handle-based access token
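As an added example (not code from the slides, Keycloak or NGINX), the Python below walks through the two authorization steps of the aggregator described on the slides above: verify issuer, audience, expiration and revocation of the external app's token, then obtain a token from the target service's own AS via an RFC 8693 token exchange, so the individual API GW only ever validates tokens from its single AS. The issuer URLs, audiences, HS256 shared secrets and the in-process service_as_token_endpoint are constructed stand-ins for Keycloak's RS256/JWKS keys and HTTP token endpoint.

```python
import base64
import hashlib
import hmac
import json
from urllib.parse import parse_qs, urlencode

TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"
# Constructed identifiers and secrets (assumptions, not from the slides). HS256 with
# shared secrets stands in for the RS256 keys Keycloak publishes via JWKS.
AGGREGATOR_AS_ISSUER = "https://aggregator-as.example/realms/external"
AGGREGATOR_AUDIENCE = "api-gw-aggregator"
AGGREGATOR_AS_SECRET = b"constructed-aggregator-as-secret"
SERVICE_AS_ISSUER = "https://service-a-as.example/realms/service-a"
SERVICE_AUDIENCE = "service-a-api"
SERVICE_AS_SECRET = b"constructed-service-a-as-secret"
REVOKED_JTIS = {"ext-revoked-007"}  # revocation list kept by the aggregator AS

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_jwt(claims: dict, secret: bytes) -> str:
    header = b64url(b'{"alg":"HS256","typ":"JWT"}')
    body = b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"

def verify_jwt(token: str, secret: bytes, issuer: str, audience: str,
               revoked: set, now: int) -> dict:
    """The aggregator's checks: signature, issuer, audience, expiration, revocation."""
    header, body, sig = token.split(".")  # ValueError if not three segments
    if json.loads(b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # pin the algorithm, never trust the header
    expected = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    if now >= int(claims.get("exp", 0)):
        raise ValueError("expired")
    if claims.get("jti") in revoked:
        raise ValueError("revoked")
    return claims

def build_exchange_request(subject_token: str, audience: str) -> str:
    """Aggregator side: RFC 8693 form body for the service AS token endpoint."""
    return urlencode({"grant_type": TOKEN_EXCHANGE_GRANT, "subject_token": subject_token,
                      "subject_token_type": ACCESS_TOKEN_TYPE,
                      "requested_token_type": ACCESS_TOKEN_TYPE, "audience": audience})

def service_as_token_endpoint(form: str, now: int) -> dict:
    """Service AS side (in-process stand-in for the HTTP token endpoint): accepts
    subject tokens only from the aggregator AS and mints a token under its own issuer."""
    params = {k: v[0] for k, v in parse_qs(form).items()}
    if params.get("grant_type") != TOKEN_EXCHANGE_GRANT:
        raise ValueError("unsupported_grant_type")
    if params.get("subject_token_type") != ACCESS_TOKEN_TYPE:
        raise ValueError("invalid_request")
    if params.get("audience") != SERVICE_AUDIENCE:
        raise ValueError("invalid_target")  # RFC 8693 error for an unknown audience
    # Revocation is the aggregator AS's state and is enforced there before the exchange.
    subject = verify_jwt(params.get("subject_token", ""), AGGREGATOR_AS_SECRET,
                         AGGREGATOR_AS_ISSUER, AGGREGATOR_AUDIENCE, set(), now)
    jti = hashlib.sha256(f"{subject['jti']}:{now}".encode()).hexdigest()[:16]
    claims = {"iss": SERVICE_AS_ISSUER, "sub": subject["sub"], "aud": SERVICE_AUDIENCE,
              "iat": now, "exp": now + 300, "jti": jti}
    return {"access_token": sign_jwt(claims, SERVICE_AS_SECRET), "token_type": "Bearer",
            "issued_token_type": ACCESS_TOKEN_TYPE, "expires_in": 300}

def service_api_gw_accepts(token: str, now: int) -> dict:
    """Individual API GW: unchanged, it validates tokens from its own AS only."""
    return verify_jwt(token, SERVICE_AS_SECRET, SERVICE_AS_ISSUER, SERVICE_AUDIENCE,
                      set(), now)

def aggregator_forward(external_token: str, now: int) -> str:
    """Aggregator: validate the external app's token, then exchange it rather than reuse it."""
    verify_jwt(external_token, AGGREGATOR_AS_SECRET, AGGREGATOR_AS_ISSUER,
               AGGREGATOR_AUDIENCE, REVOKED_JTIS, now)
    form = build_exchange_request(external_token, SERVICE_AUDIENCE)
    return service_as_token_endpoint(form, now)["access_token"]

def external_token(jti: str, now: int) -> str:
    """Constructed token as the aggregator AS would issue it to a 3rd-party app."""
    return sign_jwt({"iss": AGGREGATOR_AS_ISSUER, "sub": "partner-user-42",
                     "aud": AGGREGATOR_AUDIENCE, "iat": now, "exp": now + 600,
                     "jti": jti}, AGGREGATOR_AS_SECRET)

if __name__ == "__main__":
    NOW = 1_700_000_000
    accepted = service_api_gw_accepts(aggregator_forward(external_token("ext-001", NOW), NOW), NOW)
    print("service GW accepted a token from", accepted["iss"], "for", accepted["sub"])
```

Handing the external token straight to the service GW fails its own-AS validation, which is the multi-AS situation the slides avoid; the exchanged token carries the service AS as its only issuer.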
How to meet requirements with API GW Aggregation
• This API GW Aggregator can also be built with Keycloak and NGINX.
[Figure: NGINX Plus as the API GW Aggregator with Keycloak as its Authz Server; Keycloak issues tokens to remote-work users and 3rd-party apps, the aggregator performs the token exchange with each in-house Authz Server, and NGINX App Protect (WAF) protects each API individually using OpenAPI specs]
Advanced use case: access to highly sensitive data
• When publishing APIs that give access to highly sensitive data or that can be used to trigger highly important transactions, the system needs to support a highly secured OAuth profile such as the FAPI (Financial-grade API) security profile.
[Figure: the Keycloak + NGINX Plus (w/ NGINX App Protect) aggregator as before; one of the in-house services provides highly sensitive data]
What is FAPI
• The Financial-grade API (FAPI) security profile requires a high level of security based on OAuth 2.0, used as a protocol for "API Authorization", and OpenID Connect (OIDC), used as a protocol for "SSO". It defines secure usage of OAuth 2.0 and OIDC that can be applied to APIs in any market area.
[Figure: Financial-grade API Security Profile 1.0 Part 2: Advanced, and the specifications it builds on:]
  • RFC 6749: The OAuth 2.0 Authorization Framework
  • RFC 6750: The OAuth 2.0 Authorization Framework: Bearer Token Usage
  • RFC 6819: OAuth 2.0 Threat Model and Security Considerations
  • RFC 7519: JSON Web Token (JWT)
  • RFC 7636: Proof Key for Code Exchange by OAuth Public Clients
  • RFC 8705: OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens
  • RFC 9126: OAuth 2.0 Pushed Authorization Requests
  • OpenID Connect Core 1.0
  • Financial-grade API: JWT Secured Authorization Response Mode for OAuth 2.0 (JARM)
Advanced use case: access to highly sensitive data
• To support FAPI, the authz server, the client application, and the resource server must all meet the FAPI requirements.
-> An API GW Aggregator built with Keycloak and NGINX can support FAPI.
Hitachi publishes a certified implementation of an FAPI RP: https://github.com/Hitachi/hitachi-fapi-java
[Figure: the Keycloak + NGINX Plus (w/ NGINX App Protect) aggregator; one in-house service provides highly sensitive data]
Advanced use case: zero-trust network
• To protect from a domino effect, where one compromised API compromises multiple other critical components, implement a zero-trust network.
[Figure: the Keycloak + NGINX Plus (w/ NGINX App Protect) aggregator; one in-house API is marked as compromised]
Advanced use case: zero-trust network
• To implement a zero-trust network, mutual TLS (mTLS) and JWT validation are the essential technologies.
-> Establish mTLS connections between the NGINX instances, and validate the access token (JWT) in cooperation with Keycloak.
[Figure: NGINX instances also sit in front of the individual APIs; every hop, from the aggregator's NGINX Plus to each in-house NGINX and on to each API, is an API call over mTLS + JWT, so the compromised API cannot reach the others. Keycloak supports policy decision and policy administration]
Advanced use case: zero-trust network
• To implement a zero-trust network, mutual TLS (mTLS) and JWT validation are the essential technologies.
-> The complicated certificate management for mTLS is reduced by integrating with Vault: real-time Vault certificate-issuing requests and the dynamic certificate-loading feature in NGINX Plus.
[Figure: as on the previous slide, with Vault issuing the certificates used for the mTLS API calls between the NGINX instances]
Other advanced use cases
• There are many other advanced use cases. The two below concern different types of clients.
  • For native apps, issue client credentials via the dynamic client registration endpoint.
  • For browser-based apps, behave as a BFF (backend for frontend) handling the full authz flow and managing tokens.
[Figure: the Keycloak + NGINX Plus (w/ NGINX App Protect) aggregator as before]
Summary
• We proposed “API GW Aggregation”
  • can expose APIs outside the company
    • with minimum security and
    • minimum impact on services provided to existing users.
  • the underlying technologies are OAuth2, WAF, and token exchange.
  • can be built with Keycloak and NGINX.
  • supports advanced use cases such as FAPI and zero-trust networks.
Slides are available at https://www.slideshare.net/ssuserbeb7c0
Trademarks
• OpenID is a trademark or registered trademark of OpenID Foundation in the United States and other
countries.
• GitHub is a trademark or registered trademark of GitHub, Inc. in the United States and other
countries.
• Red Hat is a registered trademark of Red Hat, Inc. in the United States and other countries.
• NGINX and NGINX Plus are registered trademarks of F5, inc. in the United States and other
countries.
• Other brand names and product names used in this material are trademarks, registered trademarks,
or trade names of their respective holders.
Security Considerations for API Gateway Aggregation

More Related Content

PDF
20200630 AWS Black Belt Online Seminar Amazon Cognito
PPTX
[112]rest에서 graph ql과 relay로 갈아타기 이정우
PPTX
REST API
PDF
AWS Black Belt Online Seminar 2017 AWS Elastic Beanstalk
PDF
20210317 AWS Black Belt Online Seminar Amazon MQ
PDF
OpenID Connect Explained
PDF
20190514 AWS Black Belt Online Seminar Amazon API Gateway
PDF
AWS Black Belt Techシリーズ AWS Direct Connect
20200630 AWS Black Belt Online Seminar Amazon Cognito
[112]rest에서 graph ql과 relay로 갈아타기 이정우
REST API
AWS Black Belt Online Seminar 2017 AWS Elastic Beanstalk
20210317 AWS Black Belt Online Seminar Amazon MQ
OpenID Connect Explained
20190514 AWS Black Belt Online Seminar Amazon API Gateway
AWS Black Belt Techシリーズ AWS Direct Connect

What's hot (20)

PPSX
Rest api standards and best practices
PDF
[Spring Camp 2018] 11번가 Spring Cloud 기반 MSA로의 전환 : 지난 1년간의 이야기
PDF
마이크로서비스 기반 클라우드 아키텍처 구성 모범 사례 - 윤석찬 (AWS 테크에반젤리스트)
PDF
AWS 기반 클라우드 아키텍처 모범사례 - 삼성전자 개발자 포털/개발자 워크스페이스 - 정영준 솔루션즈 아키텍트, AWS / 유현성 수석,...
PDF
AWS Elastic Beanstalk 활용하여 수 분만에 코드 배포하기 (최원근, AWS 솔루션즈 아키텍트) :: AWS DevDay2018
PDF
[AWS Migration Workshop] AWS 클라우드로의 안전하고 신속한 마이그레이션 방안
PDF
AWS Batch를 통한 손쉬운 일괄 처리 작업 관리하기 - 윤석찬 (AWS 테크에반젤리스트)
PDF
APIsecure 2023 - Security Considerations for API Gateway Aggregation, Yoshiyu...
PDF
NW-JAWS x Tech-on勉強会:AWS Transit Gateway で広がる ネットワークアーキテクチャ
PDF
AWS Black Belt Tech シリーズ 2015 AWS CLI & AWS Tools for Windows Powershell
PDF
OpenID Connect入門
PDF
AWS Black Belt Online Seminar AWS Direct Connect
PDF
[AKIBA.AWS] VGWのルーティング仕様
PDF
20180509 AWS Black Belt Online Seminar Amazon GuardDuty
PPTX
OAuth2 + API Security
PPTX
Rest assured
PDF
パスワード氾濫時代のID管理とは? ~最新のOpenIDが目指すユーザー認証の効率的な強化~
PDF
AWS Black Belt Online Seminar 2017 AWSにおけるアプリ認証パターンのご紹介
PDF
AWS Black Belt Online Seminar AWS Amplify
PPTX
DeNA の AWS アカウント管理とセキュリティ監査自動化
Rest api standards and best practices
[Spring Camp 2018] 11번가 Spring Cloud 기반 MSA로의 전환 : 지난 1년간의 이야기
마이크로서비스 기반 클라우드 아키텍처 구성 모범 사례 - 윤석찬 (AWS 테크에반젤리스트)
AWS 기반 클라우드 아키텍처 모범사례 - 삼성전자 개발자 포털/개발자 워크스페이스 - 정영준 솔루션즈 아키텍트, AWS / 유현성 수석,...
AWS Elastic Beanstalk 활용하여 수 분만에 코드 배포하기 (최원근, AWS 솔루션즈 아키텍트) :: AWS DevDay2018
[AWS Migration Workshop] AWS 클라우드로의 안전하고 신속한 마이그레이션 방안
AWS Batch를 통한 손쉬운 일괄 처리 작업 관리하기 - 윤석찬 (AWS 테크에반젤리스트)
APIsecure 2023 - Security Considerations for API Gateway Aggregation, Yoshiyu...
NW-JAWS x Tech-on勉強会:AWS Transit Gateway で広がる ネットワークアーキテクチャ
AWS Black Belt Tech シリーズ 2015 AWS CLI & AWS Tools for Windows Powershell
OpenID Connect入門
AWS Black Belt Online Seminar AWS Direct Connect
[AKIBA.AWS] VGWのルーティング仕様
20180509 AWS Black Belt Online Seminar Amazon GuardDuty
OAuth2 + API Security
Rest assured
パスワード氾濫時代のID管理とは? ~最新のOpenIDが目指すユーザー認証の効率的な強化~
AWS Black Belt Online Seminar 2017 AWSにおけるアプリ認証パターンのご紹介
AWS Black Belt Online Seminar AWS Amplify
DeNA の AWS アカウント管理とセキュリティ監査自動化
Ad

Similar to Security Considerations for API Gateway Aggregation (20)

PDF
APIdays Paris 2019 - What are protected and secured by security requirements ...
PDF
APIdays Paris 2019 : Financial-grade API (FAPI) Security Profile
PPTX
APIdays London 2020: Toward certifying Financial-grade API security profile w...
PPTX
apidays LIVE LONDON - Toward certifying Financial-grade API profile with Keyc...
PPTX
API Services: Building State-of-the-Art APIs
KEY
Extend Your Use of JIRA by Solving Your Unique Concerns: An Exposé of the New...
KEY
Extend Your Use of JIRA by Solving Your Unique Concerns: An Exposé of the New...
PDF
apidays Paris 2022 - Securing APIs in Open Banking, Takashi Norimatsu, Hitachi
PPTX
API Best Practices
PDF
API, Integration, and SOA Convergence
PDF
API-first, going beyond SOA, ESB & Integration
PDF
Authlete: API Authorization Enabler for API Economy
PPTX
WEB API Gateway
PDF
Gravitee API Management - Ahmet AYDIN
PPTX
2013 02-apache conna-api-manager-asanka
PDF
KubeConRecap_nakamura.pdf
PDF
Introduction to Serverless computing and AWS Lambda - Floor28
PPTX
What API Specifications and Tools Help Engineers to Construct a High-Security...
PDF
APIConnect Security Best Practice
PDF
Apidays London 2024 - From Fragmentation to Federation, Peter Mörsch, Boomi.pdf
APIdays Paris 2019 - What are protected and secured by security requirements ...
APIdays Paris 2019 : Financial-grade API (FAPI) Security Profile
APIdays London 2020: Toward certifying Financial-grade API security profile w...
apidays LIVE LONDON - Toward certifying Financial-grade API profile with Keyc...
API Services: Building State-of-the-Art APIs
Extend Your Use of JIRA by Solving Your Unique Concerns: An Exposé of the New...
Extend Your Use of JIRA by Solving Your Unique Concerns: An Exposé of the New...
apidays Paris 2022 - Securing APIs in Open Banking, Takashi Norimatsu, Hitachi
API Best Practices
API, Integration, and SOA Convergence
API-first, going beyond SOA, ESB & Integration
Authlete: API Authorization Enabler for API Economy
WEB API Gateway
Gravitee API Management - Ahmet AYDIN
2013 02-apache conna-api-manager-asanka
KubeConRecap_nakamura.pdf
Introduction to Serverless computing and AWS Lambda - Floor28
What API Specifications and Tools Help Engineers to Construct a High-Security...
APIConnect Security Best Practice
Apidays London 2024 - From Fragmentation to Federation, Peter Mörsch, Boomi.pdf
Ad

More from Hitachi, Ltd. OSS Solution Center. (20)

PPTX
Securing Model Context Protocol with Keycloak: AuthN/AuthZ for MCP Servers
PDF
API認可を支えるKeycloakの基本と設計の考え方 ~ OAuth/OIDCによるAPI保護のベストプラクティス ~
PPTX
Hitachi’s Keycloak Journey - Evolution of Business and Community
PPTX
Mastering Authorization: Integrating Authentication and Authorization Data in...
PDF
KubeCon + CloudNativeCon North America セキュリティ周りrecap
PDF
Let’s Join Cloud Native Computing Foundation TAG Security APAC!
PDF
Exploring Best Practice for Implementing Authn and Authz in a Cloud-Native En...
PPTX
Exploring Best Practices for Implementing Authn and Authz in a Cloud-Native E...
PPTX
CloudNativeSecurityCon North America 2024 Overview
PPTX
How Does a Workload Authenticate an API Request?: Implementing Transaction To...
PDF
Authentication and Authorization of The Latest Keycloak
PDF
Guide of authentication and authorization for cloud native applications with ...
PDF
KeycloakのCNCF incubating project入りまでのアップストリーム活動の歩み
PDF
KubeCon NA 2023 Recap: Challenge to Implementing “Scalable” Authorization wit...
PPTX
パスキーでリードする: NGINXとKeycloakによる効率的な認証・認可
PPTX
Keycloakの全体像: 基本概念、ユースケース、そして最新の開発動向
PPTX
Challenge to Implementing "Scalable" Authorization with Keycloak
PPTX
NGINXでの認可について考える
PPTX
KeycloakでFAPIに対応した高セキュリティなAPIを公開する
PDF
IDガバナンス&管理の基礎
Securing Model Context Protocol with Keycloak: AuthN/AuthZ for MCP Servers
API認可を支えるKeycloakの基本と設計の考え方 ~ OAuth/OIDCによるAPI保護のベストプラクティス ~
Hitachi’s Keycloak Journey - Evolution of Business and Community
Mastering Authorization: Integrating Authentication and Authorization Data in...
KubeCon + CloudNativeCon North America セキュリティ周りrecap
Let’s Join Cloud Native Computing Foundation TAG Security APAC!
Exploring Best Practice for Implementing Authn and Authz in a Cloud-Native En...
Exploring Best Practices for Implementing Authn and Authz in a Cloud-Native E...
CloudNativeSecurityCon North America 2024 Overview
How Does a Workload Authenticate an API Request?: Implementing Transaction To...
Authentication and Authorization of The Latest Keycloak
Guide of authentication and authorization for cloud native applications with ...
KeycloakのCNCF incubating project入りまでのアップストリーム活動の歩み
KubeCon NA 2023 Recap: Challenge to Implementing “Scalable” Authorization wit...
パスキーでリードする: NGINXとKeycloakによる効率的な認証・認可
Keycloakの全体像: 基本概念、ユースケース、そして最新の開発動向
Challenge to Implementing "Scalable" Authorization with Keycloak
NGINXでの認可について考える
KeycloakでFAPIに対応した高セキュリティなAPIを公開する
IDガバナンス&管理の基礎

Recently uploaded (20)

PPTX
Digital-Transformation-Roadmap-for-Companies.pptx
PDF
Agricultural_Statistics_at_a_Glance_2022_0.pdf
PPT
Teaching material agriculture food technology
PDF
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
PPTX
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
PDF
The Rise and Fall of 3GPP – Time for a Sabbatical?
PDF
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
PPTX
MYSQL Presentation for SQL database connectivity
PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
PDF
A comparative analysis of optical character recognition models for extracting...
PDF
Empathic Computing: Creating Shared Understanding
PDF
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
PDF
Chapter 3 Spatial Domain Image Processing.pdf
PPTX
20250228 LYD VKU AI Blended-Learning.pptx
PPTX
sap open course for s4hana steps from ECC to s4
PDF
Machine learning based COVID-19 study performance prediction
PDF
Advanced methodologies resolving dimensionality complications for autism neur...
PPTX
Spectroscopy.pptx food analysis technology
PDF
Unlocking AI with Model Context Protocol (MCP)
PDF
Approach and Philosophy of On baking technology
Digital-Transformation-Roadmap-for-Companies.pptx
Agricultural_Statistics_at_a_Glance_2022_0.pdf
Teaching material agriculture food technology
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
The Rise and Fall of 3GPP – Time for a Sabbatical?
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
MYSQL Presentation for SQL database connectivity
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
A comparative analysis of optical character recognition models for extracting...
Empathic Computing: Creating Shared Understanding
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Chapter 3 Spatial Domain Image Processing.pdf
20250228 LYD VKU AI Blended-Learning.pptx
sap open course for s4hana steps from ECC to s4
Machine learning based COVID-19 study performance prediction
Advanced methodologies resolving dimensionality complications for autism neur...
Spectroscopy.pptx food analysis technology
Unlocking AI with Model Context Protocol (MCP)
Approach and Philosophy of On baking technology

Security Considerations for API Gateway Aggregation

  • 1. © Hitachi, Ltd. 2023. All rights reserved. Security Considerations for API Gateway Aggregation APIsecure 2023 Hitachi, Ltd. Yoshiyuki Tabata Slides are available at https://www.slideshare.net/ssuserbeb7c0
  • 2. 1 © Hitachi, Ltd. 2023. All rights reserved. About the speaker • Specialist in API authorization  Consulting for API management infrastructure and authentication/authorization systems in the financial, public, social, and industrial fields • Contributor to OSS related to authentication, authorization, and API management  Keycloak (IAM OSS)  3scale (API management OSS) • Other activities  Speaker at events such as Apidays, API Specifications Conference, OAuth Security Workshop, etc.  Author of Keycloak books (Japanese) and writer of web articles about IAM (Japanese) Yoshiyuki Tabata  Software Engineer  Hitachi, Ltd.  GitHub: @y-tabata
  • 3. © Hitachi, Ltd. 2023. All rights reserved. Contents 2 1. Introduction to API Gateway Aggregation 2. Security Considerations for API Gateway Aggregation 3. Advanced use cases of API Gateway Aggregation
  • 4. © Hitachi, Ltd. 2023. All rights reserved. Contents 3 1. Introduction to API Gateway Aggregation 2. Security Considerations for API Gateway Aggregation 3. Advanced use cases of API Gateway Aggregation
  • 5. 4 © Hitachi, Ltd. 2023. All rights reserved. “Minimum” API Management Introduction to “Minimum” API Management API GW API API Authz Server own service API call API call API call issue token • “API management” is required when providing multiple APIs, considering the operational aspect. • In this case, luxurious API management is not necessary, but “Minimum” API Management is sufficient that provides only an API Gateway and an Authorization Server, especially for small-start projects.
  • 6. 5 © Hitachi, Ltd. 2023. All rights reserved. “Minimum” API Management Introduction to “Minimum” API Management NGINX API API Keycloak own service API call API call API call issue token • For example, this “Minimum” API Management can be built with only Keycloak and NGINX.
  • 7. 6 © Hitachi, Ltd. 2023. All rights reserved. Major features  Provide support for OAuth 2.0, OpenID Connect and SAML.  Connect to existing LDAP or Active Directory servers.  Login with social networks. What is Keycloak • Keycloak is IAM (Identity and Access Management) OSS. • Keycloak provides OAuth 2.0 authorization server feature and single sign-on. Based on Standard Protocols Keycloak LDAP Active Directory RDB OpenID Connect SAML GitHub Twitter Facebook User Federation Social Login
  • 8. 7 © Hitachi, Ltd. 2023. All rights reserved. Common issue for companies providing multiple services • In the case company provides multiple services, multiple minimum API management systems exist in-house together. “Minimum” API Management API GW API API Authz Server own services API call API call API call issue token “Minimum” API Management API GW API API Authz Server own services API call API call API call issue token
  • 9. 8 © Hitachi, Ltd. 2023. All rights reserved. Common issue for companies providing multiple services • Recently, use cases for exposing APIs outside the company become popular, such as providing APIs to 3rd-party applications and the spread of remote work. • Existing APIs may not be exposed outside the company without changes because of low-level security and usability. API GW API API Authz Server own services API call API call API call issue token API GW API API Authz Server own services API call API call API call issue token remote work outside the company API call ? 3rd party apps
  • 10. 9 © Hitachi, Ltd. 2023. All rights reserved. Common issue for companies providing multiple services • At a minimum, the following points should be considered when exposing APIs. • Minimum security (API authorization, OWASP Top 10) • Minimum impact on services provided to existing users API GW API API Authz Server own services API call API call API call issue token API GW API API Authz Server own services API call API call API call issue token remote work outside the company API call ? 3rd party apps
  • 11. Proposal: API GW Aggregation
    • At a minimum, the following points should be considered when exposing APIs.
      • Minimum security (API authorization, OWASP Top 10)
      • Minimum impact on services provided to existing users
    -> Build an API GW Aggregator in front of the API GWs.
    [Diagram: API GW Aggregator placed between the outside of the company (remote work, 3rd party apps) and the existing API GWs; API calls flow through the aggregator]
  • 12. Contents (section 2: Security Considerations for API Gateway Aggregation)
  • 13. How to meet requirements with API GW Aggregation
    • This chapter considers how to meet requirements with API GW Aggregation, especially focusing on the API authorization perspective.
      • Minimum security (API authorization, OWASP Top 10)
      • Minimum impact on services provided to existing users
    [Diagram: API GW Aggregator in front of the existing API GWs; remote work and 3rd party apps outside the company]
  • 15. How to meet requirements with API GW Aggregation
    • Minimum security (API authorization, OWASP Top 10)
      • API authorization -> Authorization server based on OAuth 2.0
      • OWASP Top 10 -> WAF (Web Application Firewall)
    [Diagram: API GW Aggregator + WAF with its own Authz Server; the Authz Server issues tokens using the OAuth2 authz code grant; the aggregator verifies issuer, audience, expiration, revocation]
  • 17. How to meet requirements with API GW Aggregation
    • Minimum impact on services provided to existing users
      • API authorization of external applications in the API GW Aggregator and that of each own service in its individual API GW both work without problems, because each uses its dedicated authz server. ✔
    [Diagram: API GW Aggregator (w/ WAF) with its own Authz Server issuing tokens to remote work / 3rd party apps; each individual API GW keeps its own Authz Server for its own services]
  • 18. How to meet requirements with API GW Aggregation
    • Minimum impact on services provided to existing users
      • API authorization of external applications in the individual API GW is complex.
    [Diagram: API GW Aggregator (w/ WAF) with Authz Server forwarding API calls from remote work / 3rd party apps to the individual API GWs]
  • 19. How to meet requirements with API GW Aggregation
    • Minimum impact on services provided to existing users
      • API authorization of external applications in the individual API GW is complex.
      -> If the API GW Aggregator reuses the access token that the external app sends, each individual API GW needs to deal with tokens issued by multiple AS.
    [Diagram: 3rd party app calls the aggregator w/ access token; the aggregator calls the individual API GW using the same access token; that API GW MUST deal with tokens issued by multiple AS (its own and the aggregator's)]
  • 20. How to meet requirements with API GW Aggregation
    • Minimum impact on services provided to existing users
      • API authorization of external applications in the individual API GW is complex.
      -> If the API GW Aggregator reuses the access token that the external app sends, each individual API GW needs to deal with tokens issued by multiple AS.
      -> We should avoid this situation because it extends the surface of possible attacks, such as IdP mix-up attacks, and may have an impact on own services.
    [Diagram: same as slide 19; the individual API GW MUST deal with tokens issued by multiple AS]
  • 21. How to meet requirements with API GW Aggregation
    • Minimum impact on services provided to existing users
      • API authorization of external applications in the individual API GW is complex.
      -> Instead, the API GW Aggregator exchanges tokens at each API GW's AS. (cf. RFC 8693 OAuth 2.0 Token Exchange)
    [Diagram: 3rd party app calls the aggregator w/ access token; the aggregator performs token exchange at the individual API GW's Authz Server and calls that API GW using the different access token; the API GW deals with tokens issued by only one AS]
  • 22. How to meet requirements with API GW Aggregation
    • Minimum impact on services provided to existing users
      • API authorization of external applications in the individual API GW is complex.
      -> Instead, the API GW Aggregator exchanges tokens at each API GW's AS. (cf. RFC 8693 OAuth 2.0 Token Exchange)
      -> Token translation, such as exchanging lightweight access tokens*1 for more claims-packed access tokens, can be realized and can protect privacy.
    *1: an assertion-based access token w/o privacy information, or a handle-based access token
    [Diagram: same as slide 21; the 3rd party app holds only a lightweight access token, the individual API GW deals with tokens issued by only one AS]
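  The two sides of slides 19-22 in runnable form, as an added example that is not part of the original deck: a gateway-side check that accepts tokens from exactly one issuer and audience (so it never has to deal with tokens from multiple AS), and the RFC 8693 token-exchange request the aggregator sends to an individual gateway's AS. HS256 with a shared key stands in for Keycloak's RS256 tokens, and the issuer URL and client credentials are constructed placeholders.

```python
import base64, hashlib, hmac, json, time
from urllib.parse import urlencode

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_hs256_jwt(claims: dict, key: bytes) -> str:
    # Constructed test token: HS256 stands in for Keycloak's RS256 tokens (assumption).
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def validate_access_token(token, key, issuer, audience, revoked_jti, now=None):
    """Gateway-side check: accept only tokens from ONE trusted AS (iss), addressed
    to this gateway (aud), unexpired, not revoked and correctly signed.
    Returns the claims on success, None on any failure."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header, body, sig = parts
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        return None  # pin the algorithm; never trust what the token announces
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return None
    claims = json.loads(_b64url_decode(body))
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if claims.get("iss") != issuer or audience not in aud:
        return None  # issued by another AS, or meant for another API GW
    if claims.get("exp", 0) <= now or claims.get("jti") in revoked_jti:
        return None
    return claims

def token_exchange_request(subject_token, audience, client_id, client_secret):
    """RFC 8693 form body the aggregator POSTs to the individual gateway's AS
    token endpoint, swapping the external token for one issued by that AS."""
    return urlencode({
        "grant_type": "urn:ietf:params:oauth:grant-type:token-exchange",
        "subject_token": subject_token,
        "subject_token_type": "urn:ietf:params:oauth:token-type:access_token",
        "requested_token_type": "urn:ietf:params:oauth:token-type:access_token",
        "audience": audience,
        "client_id": client_id,      # the aggregator's client in that AS (placeholder)
        "client_secret": client_secret,
    })
```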
  • 23. How to meet requirements with API GW Aggregation
    • This API GW Aggregator can also be built with Keycloak and NGINX.
    [Diagram: NGINX Plus as the aggregator with NGINX App Protect (WAF), Keycloak as its Authz Server; Keycloak issues tokens and performs token exchange toward each API GW's Authz Server; NGINX App Protect protects each API individually using OpenAPI specs]
  • 24. Contents (section 3: Advanced use cases of API Gateway Aggregation)
  • 25. Advanced use case: access to highly sensitive data
    • When publishing APIs that give access to highly sensitive data or that can be used to trigger highly important transactions, the system needs to support a highly secured OAuth profile such as the FAPI (Financial-grade API) security profile.
    [Diagram: NGINX Plus (w/ NGINX App Protect) + Keycloak aggregator in front of the API GWs; one own service provides highly sensitive data]
  • 26. What is FAPI
    • The Financial-grade API (FAPI) security profile requires a high level of security based on OAuth 2.0, used as a protocol for "API Authorization", and OpenID Connect (OIDC), used as a protocol for "SSO". It defines secure usage of OAuth 2.0 and OIDC to apply to APIs in any market area.
    [Diagram: Financial-grade API Security Profile 1.0 Part 2: Advanced, built on top of:
      - RFC 6749: The OAuth 2.0 Authorization Framework
      - RFC 6750: The OAuth 2.0 Authorization Framework: Bearer Token Usage
      - RFC 6819: OAuth 2.0 Threat Model and Security Considerations
      - RFC 7519: JSON Web Token (JWT)
      - RFC 7636: Proof Key for Code Exchange by OAuth Public Clients
      - RFC 8705: OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens
      - RFC 9126: OAuth 2.0 Pushed Authorization Requests
      - OpenID Connect Core 1.0
      - Financial-grade API: JWT Secured Authorization Response Mode for OAuth 2.0 (JARM)]
  • 27. Advanced use case: access to highly sensitive data
    • To support FAPI, the authz server, the client application, and the resource server all must meet FAPI requirements.
    -> The API GW Aggregator built with Keycloak and NGINX can support FAPI.
    • Hitachi publishes a certified implementation of a FAPI RP: https://github.com/Hitachi/hitachi-fapi-java
    [Diagram: NGINX Plus (w/ NGINX App Protect) + Keycloak aggregator in front of the API GWs; one own service provides highly sensitive data]
  • 28. Advanced use case: zero-trust network
    • To protect from a domino effect, where one compromised API compromises multiple other critical components, implement a zero-trust network.
    [Diagram: NGINX Plus (w/ NGINX App Protect) + Keycloak aggregator in front of the API GWs; one API behind an individual API GW is marked as compromised]
  • 29. Advanced use case: zero-trust network
    • To implement a zero-trust network, mutual TLS (mTLS) and JWT validation are the essential technologies.
    -> Establish mTLS connections between the NGINX instances, and validate the access token (JWT) in cooperation with Keycloak.
    [Diagram: every hop (aggregator -> API GW -> API, each API fronted by its own NGINX) is an API call (mTLS + JWT); Keycloak supports policy decision and policy administration; the compromised API is isolated]
  • 30. Advanced use case: zero-trust network
    • To implement a zero-trust network, mutual TLS (mTLS) and JWT validation are the essential technologies.
    -> The complicated certificate management for mTLS is reduced by integrating with Vault: real-time certificate-issuing requests to Vault combined with the dynamic certificate-loading feature in NGINX Plus.
    [Diagram: every hop is an API call (mTLS); Vault issues the certificates for each NGINX instance; the compromised API is isolated]
  • 31. Other advanced use cases
    • There are many other advanced use cases. The ones below are for different types of clients.
      • For native apps, issue client credentials via the dynamic client registration endpoint.
      • For browser-based apps, behave as a BFF (backend for frontend), handling the full authz flow and managing tokens.
    [Diagram: NGINX Plus (w/ NGINX App Protect) + Keycloak aggregator in front of the API GWs, with the two client types above]
  • 32. Summary
    • We proposed “API GW Aggregation”
      - It can expose APIs outside the company with minimum security and minimum impact on services provided to existing users.
      - The underlying technologies are OAuth2, WAF, and token exchange.
      - It can be built with Keycloak and NGINX.
      - It supports advanced use cases such as FAPI and zero-trust networks.
    Slides are available at https://www.slideshare.net/ssuserbeb7c0
  • 33. Trademarks
    • OpenID is a trademark or registered trademark of OpenID Foundation in the United States and other countries.
    • GitHub is a trademark or registered trademark of GitHub, Inc. in the United States and other countries.
    • Red Hat is a registered trademark of Red Hat, Inc. in the United States and other countries.
    • NGINX and NGINX Plus are registered trademarks of F5, Inc. in the United States and other countries.
    • Other brand names and product names used in this material are trademarks, registered trademarks, or trade names of their respective holders.