Authorization Architecture Patterns: How to Avoid Pitfalls in OAuth/OIDC Deployment
Tatsuo Kudo
Authlete, Inc.
About Me
• Tatsuo Kudo https://www.linkedin.com/in/tatsuokudo
– Sun Microsystems (1998-2008)
– Nomura Research Institute (2008-2018)
– OpenID Foundation Japan (2013-2014)
– NRI SecureTechnologies (2014-2018)
– Authlete (2018-)
• VP of Solution Strategy
Who is Authlete?
• A Tokyo / London based company providing “API Authorization Backend-as-a-Service” enabling developers to quickly and securely implement OAuth 2.0, OpenID Connect, Financial-grade API and CIBA.
https://www.authlete.com/
In This Talk
• OAuth / OpenID Connect (OIDC) basics
• Deployment architecture patterns in the wild
• Future-proof API authorization services
OAuth / OIDC Basics
How API Servers Grant Access for Clients
• Client credentials, e.g. API Key (and API secret)
– Simple but not scalable

[Diagram: API Client and API Server]
1. API request with client credentials (API Client to API Server)
2. API response

GET /items/12345 HTTP/1.1
x-api-key: <API Key>
How API Servers Grant Access for Clients
• Tokens in exchange for client credentials
– More flexible but limited to client-server authentication

[Diagram: API Client, Authorization Server (AS), API Server]
1. Token request with client credentials (API Client to AS)
2. Token response (AS to API Client)
3. API request with token (API Client to API Server)
4. API response

POST /token HTTP/1.1
Authorization: Basic <Key:Secret>

GET /items/12345 HTTP/1.1
Authorization: Bearer <Token>
How API Servers Grant Access for Clients
• Tokens in exchange for authorization proof
– Resource owner / assertion issuer can participate in the access granting process

[Diagram: API Client, Resource Owner / Assertion Issuer (a User or an Organization), Authorization Server (AS), API Server]
1. Authorization / assertion request
2. Authorization code / assertion
3. Token request with authorization code / assertion (API Client to AS)
4. Token response (AS to API Client)
5. API request with token (API Client to API Server)
6. API response

HTTP/1.1 302 Found
Location: https://as/authorize?...
(User authentication and consent)

GET /items/12345 HTTP/1.1
Authorization: Bearer <Token>
OAuth at a Glance
• Framework for API access delegation using tokens
– RFC 6749 describes the token granting process and essential grant flows such as authorization code and client credentials
• Highly extensible for broad use cases
– Extensible grant type
– User-involved (with user agents) and unattended (service accounts for machines)
• Sister standard: OpenID Connect
– “ID Token” to convey the user authentication event from Identity Provider to Relying Party
“OAuth Dance”
• Resource Owner, e.g. end user
• User Agent, e.g. Web browser
• Client, e.g. Web application using APIs
• Authorization Server, e.g. user authentication server
• Resource Server, e.g. API server

[Sequence diagram with the five roles above as participants: Resource Owner, User Agent, Client, Authorization Server, Resource Server]
Basic OAuth/OIDC
Authorization Code Grant Flow / Bearer Token

[Sequence diagram: Resource Owner, User Agent, Client, Authorization Server, Resource Server]
(Start)
1. Authorization Request (Client, through the User Agent, to the Authorization Server)
2. User authentication and consent
3. Authorization response: Authorization Code (back to the Client through the User Agent)
4. Token request: Authorization Code (Client to Authorization Server)
5. Token response: Access Token
6. API request: Access Token (Client to Resource Server)
7. API response
(End)

• Receive Authorization Request and return Authorization Code
• Receive Authorization Code and return Access Token
• Receive API Request with Access Token and return API response
Advanced OAuth/OIDC for High-Stakes Transactions
FAPI (Financial-grade API)
https://www.authlete.com/fapi

[Diagram: Fintechs and Banks exchanging the authorization / token request, the authorization / token response and API requests with the token, with Adversaries attempting token theft along the way]
• Preventing fraudulent token exchange by signing requests and responses
• Preventing fraudulent access by using mutual TLS to detect the identity of the requester
– Stolen tokens won’t work as the adversaries can’t use the signing certificate bound to these tokens
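Added example (not from the slides) of how a resource server makes the stolen-token case above fail. It assumes the certificate binding of the OAuth 2.0 mutual-TLS profile (RFC 8705), where the introspection result carries cnf["x5t#S256"], the SHA-256 thumbprint of the client certificate presented when the token was issued; the certificate bytes, subject and scope values are constructed.

```python
import base64
import hashlib
from typing import Optional, Tuple


def x5t_s256(cert_der: bytes) -> str:
    """Base64url (unpadded) SHA-256 thumbprint of a DER-encoded certificate,
    the value carried in the token's cnf["x5t#S256"] confirmation claim."""
    digest = hashlib.sha256(cert_der).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


# Constructed stand-ins for the DER bytes of two client certificates: the fintech
# that legitimately obtained the token, and a third party holding only the token.
FINTECH_CERT_DER = b"constructed-der-certificate:CN=fintech.example;serial=1001"
OTHER_CERT_DER = b"constructed-der-certificate:CN=other.example;serial=9999"

# Constructed introspection result for a token issued to the fintech over mTLS.
# The AS recorded the thumbprint of the certificate presented at token issuance.
BOUND_TOKEN_INFO = {
    "active": True,
    "sub": "78yM7DpDNgUTF7h4",
    "scope": "accounts payments",
    "cnf": {"x5t#S256": x5t_s256(FINTECH_CERT_DER)},
}


def authorize_api_request(token_info: dict, presented_cert_der: Optional[bytes],
                          required_scope: str) -> Tuple[bool, str]:
    """Resource-server decision for one API request.

    token_info is the introspection result for the presented access token and
    presented_cert_der is the client certificate from the mTLS connection (None
    when the connection carried no client certificate). Returns (allowed, reason).
    """
    if not token_info.get("active"):
        return False, "token is not active"
    expected = (token_info.get("cnf") or {}).get("x5t#S256")
    if expected is None:
        # A financial-grade API refuses plain bearer tokens: nothing ties them to a caller.
        return False, "token is not certificate-bound"
    if presented_cert_der is None:
        return False, "no client certificate on the connection"
    if x5t_s256(presented_cert_der) != expected:
        # The token is genuine but the caller cannot prove possession of the
        # private key behind the bound certificate: treat it as a stolen token.
        return False, "client certificate does not match the token binding"
    if required_scope not in token_info.get("scope", "").split():
        return False, "insufficient scope"
    return True, "ok"


if __name__ == "__main__":
    for label, cert in (("fintech", FINTECH_CERT_DER), ("other party", OTHER_CERT_DER)):
        print(label, authorize_api_request(BOUND_TOKEN_INFO, cert, "accounts"))
```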
Advanced OAuth/OIDC for “Decoupled Authentication”
CIBA (Client Initiated Backchannel Authentication)
https://www.authlete.com/ciba

Use case 1: Voice-initiated money transfer (Banking APIs with CIBA)
[Diagram: Alice tells Alice’s smart speaker “Send $50 to Bob”; the speaker initiates a payment via the pre-registered bank’s APIs; the bank notifies the bank’s app on Alice’s smartphone, which asks “Send Bob $50?”]

Use case 2: Call-center-initiated payment (Payment’s APIs with CIBA)
[Diagram: Alice places a $50 order with a teleshopping call center; the call center initiates a payment via the pre-registered payment service’s APIs; the payment service notifies the payment app on Alice’s smartphone, which asks “Buy? $50”]
Building Authorization Servers From Scratch
• A handmade OAuth server was valid in the good old days (circa early 2010’s)
• It is no longer applicable nowadays
– A lot of OAuth extensions are now emerging
  • Assertion framework, PKCE, JWT client authentication, device grant, …
– Security considerations are frequently being updated for new use cases and threats
  • Mobile app ecosystem, microservices, high-stakes transactions, …
Source: https://twitter.com/blhjelm/status/1055551254401736704,
https://hackerone.com/hacktivity?order_direction=DESC&order_field=latest_disclosable_activity_at&filter=type%3Aall&querystring=oauth
Services Integrated with Authorization Server
• Identity and access management (IAM)
• API management (e.g. API gateways)
• Authorization decision service that decides “who has access to what in which context” for token requests

[Diagram: Client, Resource Owner, Authorization Server, IAM Service, Authorization Decision Service, API Gateway, Protected Resources; flows: user authentication and consent, token request, API request, token introspection]
Deployment Architecture Patterns in the Wild
Where Authorization Server Belongs
• Authorization server provides at least two functionalities
– Protocol operations (OAuth, OIDC and their extensions)
– Token management (life cycle, clients, scopes etc.)
• Authorization server would often be a part of another system
– Application runtime
– IAM system
– API gateways

[Diagram: Authorization Server = Protocol Operations + Token Management]
AS Embedded in Application Runtime
• Pros
– Application developers don’t need to handle OAuth
• Cons
– Runtime vendors usually don’t consider OAuth functionality with high priority; sometimes obsolete

[Diagram: Client Applications, Resource Owner; Application Runtime containing Authorization Server Subsystem, Authorization Decision Implementation and API Endpoints; IAM Service within an IAM System outside the runtime; flows: user authentication and consent, token request, API request]
AS Separated as IAM System
• Pros
– Usually IAM vendors are serious (and competing) in adopting open standards
• Cons
– User management and authentication services are tightly integrated with AS
– Authorization decision needs to be implemented on the vendor’s proprietary extension framework

[Diagram: Client, Resource Owner; IAM system containing Authorization Server Subsystem, User Authentication Subsystem and Authorization Decision Subsystem; API Gateway in front of Protected Resources; flows: user authentication and consent, token request, API request, token introspection]
AS Integrated with API Gateways
• Pros
– Familiar with API operations
• Cons
– API gateway vendors usually don’t consider OAuth functionality with high priority; sometimes obsolete
– Authorization decision needs to be implemented on the vendor’s proprietary extension framework

[Diagram: Client, Resource Owner, IAM Service; API Gateway containing Authorization Server Subsystem, Authorization Decision Subsystem and API Endpoint Subsystem in front of Protected Resources; flows: user authentication and consent, token request, API request]
What Developers Really Needed
• Freedom of choice for development
• Offloading cumbersome protocol operations and token management
• Leveraging the most suited solutions and/or other subsystems within organizations

[Diagram: Client, Resource Owner, Authorization Server, IAM Service, Authorization Decision Service, API Gateway, Protected Resources]
Future-Proof API Authorization Services
Introducing Semi-hosted Pattern
• Deploying a “backend” behind your authorization server
• Your authorization server acting as “frontend”
• No need to consider “what to do next with what methods” in OAuth/OIDC protocol processing

[Diagram: Client, Resource Owner; Authorization Server Frontend backed by an Authorization Server Backend; IAM Service, Authorization Decision Service, API Gateway, Protected Resources; flows: user authentication and consent, token request, API request, token introspection]
Solution Example: Authlete
Semi-Hosted Authorization Server Solution

[Diagram, © 2018 Authlete, Inc.: API Clients (Websites, Mobile, Networked Devices) send an Authorization Request to the Authorization Server (Authorization Frontend) in the customer’s environment, which leverages existing services (Authorization Decision, User Authentication, Consent Management, Entitlement Management) and sends OAuth/OIDC Processing Requests to the Authlete Authorization Backend APIs, backed by an Authorization Information (e.g. Tokens) Database. API Clients then make API Access calls to the customer’s API Servers / Gateways (/data, /function, /transaction, /…), which perform an Authorization Status Check against Authlete.]
• Leveraging existing services
• Authorization decision logic with no dependency on Authlete
• Separation of operation between authorization server and API servers
• Externalizing cumbersome OAuth/OIDC processing and token management
• OSS components available via GitHub
Sequence is Simple - Implementation is Not

[Sequence diagram: Resource Owner, User Agent, Client, Authorization Server, Resource Server; (Start), authorization request, user authentication and consent, authorization response, token request, token response, API request, API response, (End)]
Server-side tasks highlighted in the sequence:
• Processing Authorization Request
• Issuing Authorization Code
• Processing Token Request
• Access Token Introspection

Offloading These Tasks to Authlete
[Same sequence diagram with an additional Authlete API participant; each highlighted task becomes one call from the Authorization Server or Resource Server to Authlete]
• Processing Authorization Request: POST /auth/authorization
• Issuing Authorization Code: POST /auth/authorization/issue
• Processing Token Request: POST /auth/token
• Access Token Introspection: POST /auth/introspection
1. Processing Authorization Request

[Sequence diagram as on the previous slide; highlighted step: Processing Authorization Request, with the Authorization Server calling Authlete]

Send the query parameters “as is” to Authlete:
POST /auth/authorization
{ "parameters":
  "response_type=code&client_id=57297408867&redirect_uri=https%3A%2F%2Fapi.authlete.com%2Fapi%2Fmock%2Fredirection%2F10167240235" }

Authlete returns a ticket and the information needed for authentication and consent:
{
  "action": "INTERACTION",
  "client": {
    (OAuth Client information)
  },
  "service": {
    (Authlete Service information)
  },
  "ticket": "c4iy3TWGn74UMO7ihRl0ZS8OEUzV9axBlBbJbqxH-9Q"
  […]
}
2. Issuing Authorization Code

[Sequence diagram as before; highlighted step: Issuing Authorization Code and Tokens]

Send the ticket and the frontend-generated user identifier:
POST /auth/authorization/issue
{
  "ticket": "FFgB9gwb_WXh6g1u-UQ8ZI-d_k4B-o-cm7RkVzI8Vnc",
  "subject": "78yM7DpDNgUTF7h4"
}

Authlete returns the response content to be sent back to the client:
{
  "action": "LOCATION",
  "responseContent":
    "https://api.authlete.com/api/mock/redirection/10167240235?code=_VSzpgug3OpdUymcbLYJjH1v9tE4hSPaxX_pSkxUUyk"
  […]
}
3. Processing Token Request

[Sequence diagram as before; highlighted step: Processing Token Request]

Send the query parameters “as is” to Authlete, together with the client credentials:
POST /auth/token
{ "parameters":
  "grant_type=authorization_code&code=DkKMvKzrRAsWErsWCChNX_gydqqgA55AW2OJlXmNTQI&redirect_uri=https%3A%2F%2Fapi.authlete.com%2Fapi%2Fmock%2Fredirection%2F10167240235",
  "clientId": 57297408867,
  "clientSecret": "[…]", […] }

Authlete returns the response content to be sent back to the client:
{
  "responseContent":
    "{\"scope\":null,\"expires_in\":86400,\"token_type\":\"Bearer\",\"refresh_token\":\"sdQqY9Tbhsq6ZsWm1rZLgW4A3yxIk6RcgmmexHZ9BXB\",\"access_token\":\"rt5bUJsGfS17YCSmYGtgelMtokTLdoCmBe4VUFCk1YZ\"}",
  […]
}
4. Access Token Introspection

[Sequence diagram as before; highlighted step: Access Token Introspection, with the Resource Server calling Authlete]

Send a token for introspection:
POST /auth/introspection
{ "token": "VFGsNK-5sXiqterdaR7b5QbRX9VTwVCQB87jbr2_xAI" }

Authlete returns the details associated with the token:
{
  "type": "introspectionResponse",
  "resultCode": "A056001",
  "resultMessage": "[A056001] The access token is valid.",
  "action": "OK",
  "clientId": 57297408867,
  "clientIdAliasUsed": false,
  "existent": true,
  "expiresAt": 1511252965000,
  "refreshable": true,
  "responseContent": "Bearer error=\"invalid_request\"",
  "subject": "78yM7DpDNgUTF7h4",
  "sufficient": true,
  "usable": true
}
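Added example, not Authlete’s code and not its real API, of the semi-hosted split behind the authorization code sequence and the four backend calls above: the backend owns the protocol checks and all token state, while the frontend only authenticates the user, obtains consent and dispatches on the backend’s "action" field. Endpoint and JSON field names follow the slides; the backend logic, the client registration, the user identifier and the redirect URI are constructed for illustration.

```python
import json
import secrets
from urllib.parse import parse_qs, urlencode


def _params(query):
    """Flatten an application/x-www-form-urlencoded string into a dict."""
    return {k: v[0] for k, v in parse_qs(query).items()}


class SimulatedBackend:
    """Constructed stand-in for the backend side of the four calls in the slides."""

    def __init__(self, clients):
        self.clients = clients  # client_id (str) -> {"secret", "redirect_uri"}
        self.tickets, self.codes, self.tokens = {}, {}, {}

    def authorization(self, req):  # /auth/authorization: checks on the raw query
        p = _params(req["parameters"])
        client = self.clients.get(p.get("client_id"))
        if (client is None or p.get("response_type") != "code"
                or p.get("redirect_uri") != client["redirect_uri"]):
            return {"action": "BAD_REQUEST"}  # the frontend must not redirect
        ticket = secrets.token_urlsafe(32)
        self.tickets[ticket] = p
        return {"action": "INTERACTION", "ticket": ticket}

    def authorization_issue(self, req):  # /auth/authorization/issue
        p = self.tickets.pop(req["ticket"], None)  # tickets are single use
        if p is None:
            return {"action": "BAD_REQUEST"}
        code = secrets.token_urlsafe(32)
        self.codes[code] = dict(p, subject=req["subject"])
        return {"action": "LOCATION",
                "responseContent": p["redirect_uri"] + "?" + urlencode({"code": code})}

    def token(self, req):  # /auth/token
        p, client_id = _params(req["parameters"]), str(req.get("clientId"))
        client = self.clients.get(client_id)
        grant = self.codes.pop(p.get("code", ""), None)  # codes are single use
        if (client is None or req.get("clientSecret") != client["secret"]
                or p.get("grant_type") != "authorization_code" or grant is None
                or grant["client_id"] != client_id
                or grant["redirect_uri"] != p.get("redirect_uri")):
            return {"action": "BAD_REQUEST",
                    "responseContent": json.dumps({"error": "invalid_grant"})}
        token = secrets.token_urlsafe(32)
        self.tokens[token] = {"subject": grant["subject"], "clientId": client_id}
        body = {"token_type": "Bearer", "expires_in": 86400, "access_token": token}
        return {"action": "OK", "responseContent": json.dumps(body)}

    def introspection(self, req):  # /auth/introspection
        t = self.tokens.get(req["token"])
        return dict(t, action="OK", usable=True) if t else {"action": "UNAUTHORIZED"}


class Frontend:
    """The deployment's own part: authentication, consent, and dispatch on "action"."""

    def __init__(self, backend, authenticate):
        self.backend, self.authenticate = backend, authenticate

    def handle_authorize(self, query_string, credentials):
        r = self.backend.authorization({"parameters": query_string})
        if r["action"] != "INTERACTION":
            return 400, None
        subject = self.authenticate(credentials)  # deployment's own IAM / consent UI
        if subject is None:
            return 401, None
        r = self.backend.authorization_issue({"ticket": r["ticket"], "subject": subject})
        return (302, r["responseContent"]) if r["action"] == "LOCATION" else (400, None)

    def handle_token(self, form_body, client_id, client_secret):
        r = self.backend.token({"parameters": form_body, "clientId": client_id,
                                "clientSecret": client_secret})
        return (200 if r["action"] == "OK" else 400), json.loads(r["responseContent"])

    def subject_for_api_request(self, bearer_token):
        r = self.backend.introspection({"token": bearer_token})
        return r["subject"] if r["action"] == "OK" else None


# Constructed client registration; the client_id is the value in the slides' samples.
CLIENT_ID, CLIENT_SECRET, REDIRECT = "57297408867", "constructed-secret", "https://client.example/cb"


def run_flow():
    """Drive authorize -> code -> token -> introspect and summarise the outcome."""
    backend = SimulatedBackend({CLIENT_ID: {"secret": CLIENT_SECRET, "redirect_uri": REDIRECT}})
    fe = Frontend(backend, lambda creds: "78yM7DpDNgUTF7h4" if creds == "correct" else None)
    _, location = fe.handle_authorize(urlencode(
        {"response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT}), "correct")
    form = urlencode({"grant_type": "authorization_code", "redirect_uri": REDIRECT,
                      "code": _params(location.split("?", 1)[1])["code"]})
    status, body = fe.handle_token(form, CLIENT_ID, CLIENT_SECRET)
    replay_status, _ = fe.handle_token(form, CLIENT_ID, CLIENT_SECRET)  # code reuse
    return {"token_status": status, "replay_status": replay_status,
            "subject": fe.subject_for_api_request(body["access_token"]),
            "bogus_subject": fe.subject_for_api_request("not-a-token")}
```

Note that the frontend never parses an OAuth parameter itself: a rejected request (unknown client, wrong redirect URI, reused code) surfaces only as a non-redirecting "action" value, which is the point of the pattern.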
Semi-Hosted Pattern in Action: Seven Bank
• They have been using Authlete instead of Azure API Management’s built-in OAuth 2.0
– It didn’t meet their requirement for open banking APIs
• They haven’t deployed any IAM for the API infrastructure
– Their existing internet banking system does user authentication and consent as well as entitlement management

[Diagram: Client (Bank App and Third-Party Providers), Other Apps, Bank Customers; Authorization Server Frontend and Authorization Decision Service running with API Management on Microsoft Azure; Authlete; Internet Banking System; flows: user authentication and consent, API request, token request]
Sources for the diagrams: https://www.isid.co.jp/case/case/2018sevenbank.html,
https://www.isid.co.jp/news/release/2018/0919.html
Takeaways

Build a Future-Proof Authorization Server
• Examine which pattern is the best for your context
– Application runtime if API authorization doesn’t matter
– IAM system if you want to make AS tightly coupled with user authentication service
– API gateways if you want to build everything on that infrastructure
• If none of the options above works for you, do consider the semi-hosted pattern
– Take back the right to implement your own authorization servers

[Diagram: Semi-hosted Architecture]
Authorization Server FRONTEND:
- UI/UX
- Authorization decision logic
- Identity & access management
Authlete API BACKEND:
- Token management
- OAuth/OIDC protocol processing
Resources
• Justin Richer (@justin__richer)’s blog entry on semi-hosted service
– https://link.medium.com/SPXhiVMfz0
• Taka Kawasaki (@darutk)’s blog entry on its implementation
– https://link.medium.com/ROV8nUTfz0
• Authlete
– https://www.authlete.com/
Thank You
www.authlete.com
www.linkedin.com/in/tatsuokudo

いまどきの OAuth / OpenID Connect (OIDC) 一挙おさらい (2020 年 2 月) #authleteいまどきの OAuth / OpenID Connect (OIDC) 一挙おさらい (2020 年 2 月) #authlete
いまどきの OAuth / OpenID Connect (OIDC) 一挙おさらい (2020 年 2 月) #authlete
 
Authlete: セキュアな金融 API 基盤の実現と Google Cloud の活用 #gc_inside
Authlete: セキュアな金融 API 基盤の実現と Google Cloud の活用 #gc_insideAuthlete: セキュアな金融 API 基盤の実現と Google Cloud の活用 #gc_inside
Authlete: セキュアな金融 API 基盤の実現と Google Cloud の活用 #gc_inside
 
Financial-grade API Hands-on with Authlete
Financial-grade API Hands-on with AuthleteFinancial-grade API Hands-on with Authlete
Financial-grade API Hands-on with Authlete
 
英国オープンバンキング技術仕様の概要
英国オープンバンキング技術仕様の概要英国オープンバンキング技術仕様の概要
英国オープンバンキング技術仕様の概要
 
オープン API と Authlete のソリューション
オープン API と Authlete のソリューションオープン API と Authlete のソリューション
オープン API と Authlete のソリューション
 
OAuth / OpenID Connect (OIDC) の最新動向と Authlete のソリューション
OAuth / OpenID Connect (OIDC) の最新動向と Authlete のソリューションOAuth / OpenID Connect (OIDC) の最新動向と Authlete のソリューション
OAuth / OpenID Connect (OIDC) の最新動向と Authlete のソリューション
 
FAPI (Financial-grade API) and CIBA (Client Initiated Backchannel Authenticat...
FAPI (Financial-grade API) and CIBA (Client Initiated Backchannel Authenticat...FAPI (Financial-grade API) and CIBA (Client Initiated Backchannel Authenticat...
FAPI (Financial-grade API) and CIBA (Client Initiated Backchannel Authenticat...
 
#OAuth Security Workshop 2019 Recap @ #Authlete Partner Meetup Spring 2019
#OAuth Security Workshop 2019 Recap @ #Authlete Partner Meetup Spring 2019#OAuth Security Workshop 2019 Recap @ #Authlete Partner Meetup Spring 2019
#OAuth Security Workshop 2019 Recap @ #Authlete Partner Meetup Spring 2019
 
APIエコノミー時代の認証・認可
APIエコノミー時代の認証・認可APIエコノミー時代の認証・認可
APIエコノミー時代の認証・認可
 
CIBA (Client Initiated Backchannel Authentication) の可能性 #authlete #api #oauth...
CIBA (Client Initiated Backchannel Authentication) の可能性 #authlete #api #oauth...CIBA (Client Initiated Backchannel Authentication) の可能性 #authlete #api #oauth...
CIBA (Client Initiated Backchannel Authentication) の可能性 #authlete #api #oauth...
 
Japan/UK Open Banking and APIs Summit 2018 TOI
Japan/UK Open Banking and APIs Summit 2018 TOIJapan/UK Open Banking and APIs Summit 2018 TOI
Japan/UK Open Banking and APIs Summit 2018 TOI
 
Trends in Banking APIs
Trends in Banking APIsTrends in Banking APIs
Trends in Banking APIs
 
銀行APIのトレンド #fapisum
銀行APIのトレンド #fapisum銀行APIのトレンド #fapisum
銀行APIのトレンド #fapisum
 
アイデンティティ (ID) 技術の最新動向とこれから
アイデンティティ (ID) 技術の最新動向とこれからアイデンティティ (ID) 技術の最新動向とこれから
アイデンティティ (ID) 技術の最新動向とこれから
 
OAuth / OpenID Connectを中心とするAPIセキュリティについて #yuzawaws
OAuth / OpenID Connectを中心とするAPIセキュリティについて #yuzawawsOAuth / OpenID Connectを中心とするAPIセキュリティについて #yuzawaws
OAuth / OpenID Connectを中心とするAPIセキュリティについて #yuzawaws
 

Recently uploaded

Local Call Girls in Seoni 9332606886 HOT & SEXY Models beautiful and charmin...
Local Call Girls in Seoni  9332606886 HOT & SEXY Models beautiful and charmin...Local Call Girls in Seoni  9332606886 HOT & SEXY Models beautiful and charmin...
Local Call Girls in Seoni 9332606886 HOT & SEXY Models beautiful and charmin...kumargunjan9515
 
Leading-edge AI Image Generators of 2024
Leading-edge AI Image Generators of 2024Leading-edge AI Image Generators of 2024
Leading-edge AI Image Generators of 2024SOFTTECHHUB
 
在线制作约克大学毕业证(yu毕业证)在读证明认证可查
在线制作约克大学毕业证(yu毕业证)在读证明认证可查在线制作约克大学毕业证(yu毕业证)在读证明认证可查
在线制作约克大学毕业证(yu毕业证)在读证明认证可查ydyuyu
 
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac RoomVip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Roommeghakumariji156
 
Indian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Indian Escort in Abu DHabi 0508644382 Abu Dhabi EscortsIndian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Indian Escort in Abu DHabi 0508644382 Abu Dhabi EscortsMonica Sydney
 
PIC Microcontroller Structure & Assembly Language.ppsx
PIC Microcontroller Structure & Assembly Language.ppsxPIC Microcontroller Structure & Assembly Language.ppsx
PIC Microcontroller Structure & Assembly Language.ppsxjeykeydeveloper
 
"Boost Your Digital Presence: Partner with a Leading SEO Agency"
"Boost Your Digital Presence: Partner with a Leading SEO Agency""Boost Your Digital Presence: Partner with a Leading SEO Agency"
"Boost Your Digital Presence: Partner with a Leading SEO Agency"growthgrids
 
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...APNIC
 
Down bad crying at the gym t shirtsDown bad crying at the gym t shirts
Down bad crying at the gym t shirtsDown bad crying at the gym t shirtsDown bad crying at the gym t shirtsDown bad crying at the gym t shirts
Down bad crying at the gym t shirtsDown bad crying at the gym t shirtsrahman018755
 
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
20240510 QFM016 Irresponsible AI Reading List April 2024.pdfMatthew Sinclair
 
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查ydyuyu
 
South Bopal [ (Call Girls) in Ahmedabad ₹7.5k Pick Up & Drop With Cash Paymen...
South Bopal [ (Call Girls) in Ahmedabad ₹7.5k Pick Up & Drop With Cash Paymen...South Bopal [ (Call Girls) in Ahmedabad ₹7.5k Pick Up & Drop With Cash Paymen...
South Bopal [ (Call Girls) in Ahmedabad ₹7.5k Pick Up & Drop With Cash Paymen...gragchanchal546
 
Meaning of On page SEO & its process in detail.
Meaning of On page SEO & its process in detail.Meaning of On page SEO & its process in detail.
Meaning of On page SEO & its process in detail.krishnachandrapal52
 
一比一原版田纳西大学毕业证如何办理
一比一原版田纳西大学毕业证如何办理一比一原版田纳西大学毕业证如何办理
一比一原版田纳西大学毕业证如何办理F
 
APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53APNIC
 
一比一原版贝德福特大学毕业证学位证书
一比一原版贝德福特大学毕业证学位证书一比一原版贝德福特大学毕业证学位证书
一比一原版贝德福特大学毕业证学位证书F
 
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制pxcywzqs
 
Real Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirtReal Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirtrahman018755
 
一比一原版奥兹学院毕业证如何办理
一比一原版奥兹学院毕业证如何办理一比一原版奥兹学院毕业证如何办理
一比一原版奥兹学院毕业证如何办理F
 
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...gajnagarg
 

Recently uploaded (20)

Local Call Girls in Seoni 9332606886 HOT & SEXY Models beautiful and charmin...
Local Call Girls in Seoni  9332606886 HOT & SEXY Models beautiful and charmin...Local Call Girls in Seoni  9332606886 HOT & SEXY Models beautiful and charmin...
Local Call Girls in Seoni 9332606886 HOT & SEXY Models beautiful and charmin...
 
Leading-edge AI Image Generators of 2024
Leading-edge AI Image Generators of 2024Leading-edge AI Image Generators of 2024
Leading-edge AI Image Generators of 2024
 
在线制作约克大学毕业证(yu毕业证)在读证明认证可查
在线制作约克大学毕业证(yu毕业证)在读证明认证可查在线制作约克大学毕业证(yu毕业证)在读证明认证可查
在线制作约克大学毕业证(yu毕业证)在读证明认证可查
 
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac RoomVip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
 
Indian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Indian Escort in Abu DHabi 0508644382 Abu Dhabi EscortsIndian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Indian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
 
PIC Microcontroller Structure & Assembly Language.ppsx
PIC Microcontroller Structure & Assembly Language.ppsxPIC Microcontroller Structure & Assembly Language.ppsx
PIC Microcontroller Structure & Assembly Language.ppsx
 
"Boost Your Digital Presence: Partner with a Leading SEO Agency"
"Boost Your Digital Presence: Partner with a Leading SEO Agency""Boost Your Digital Presence: Partner with a Leading SEO Agency"
"Boost Your Digital Presence: Partner with a Leading SEO Agency"
 
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
 
Down bad crying at the gym t shirtsDown bad crying at the gym t shirts
Down bad crying at the gym t shirtsDown bad crying at the gym t shirtsDown bad crying at the gym t shirtsDown bad crying at the gym t shirts
Down bad crying at the gym t shirtsDown bad crying at the gym t shirts
 
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
 
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
 
South Bopal [ (Call Girls) in Ahmedabad ₹7.5k Pick Up & Drop With Cash Paymen...
South Bopal [ (Call Girls) in Ahmedabad ₹7.5k Pick Up & Drop With Cash Paymen...South Bopal [ (Call Girls) in Ahmedabad ₹7.5k Pick Up & Drop With Cash Paymen...
South Bopal [ (Call Girls) in Ahmedabad ₹7.5k Pick Up & Drop With Cash Paymen...
 
Meaning of On page SEO & its process in detail.
Meaning of On page SEO & its process in detail.Meaning of On page SEO & its process in detail.
Meaning of On page SEO & its process in detail.
 
一比一原版田纳西大学毕业证如何办理
一比一原版田纳西大学毕业证如何办理一比一原版田纳西大学毕业证如何办理
一比一原版田纳西大学毕业证如何办理
 
APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53
 
一比一原版贝德福特大学毕业证学位证书
一比一原版贝德福特大学毕业证学位证书一比一原版贝德福特大学毕业证学位证书
一比一原版贝德福特大学毕业证学位证书
 
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
 
Real Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirtReal Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirt
 
一比一原版奥兹学院毕业证如何办理
一比一原版奥兹学院毕业证如何办理一比一原版奥兹学院毕业证如何办理
一比一原版奥兹学院毕业证如何办理
 
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
 

Authorization Architecture Patterns: How to Avoid Pitfalls in #OAuth / #OIDC Deployment #api

  • 1. Authorization Architecture Patterns: How to Avoid Pitfalls in OAuth/OIDC Deployment (Tatsuo Kudo, Authlete, Inc.)
  • 2. About Me
    – Tatsuo Kudo, https://www.linkedin.com/in/tatsuokudo
    – Sun Microsystems (1998-2008), Nomura Research Institute (2008-2018), OpenID Foundation Japan (2013-2014), NRI SecureTechnologies (2014-2018), Authlete (2018-)
    – VP of Solution Strategy
  • 3. Who is Authlete?
    – A Tokyo / London based company providing “API Authorization Backend-as-a-Service” enabling developers to quickly and securely implement OAuth 2.0, OpenID Connect, Financial-grade API and CIBA. https://www.authlete.com/
  • 4. In This Talk
    – OAuth / OpenID Connect (OIDC) basics
    – Deployment architecture patterns in the wild
    – Future-proof API authorization services
  • 5. OAuth / OIDC Basics
  • 6. How API Servers Grant Access for Clients
    – Client credentials, e.g. API key (and API secret): simple but not scalable
    – Flow: 1. API request with client credentials (API Client → API Server); 2. API response
    – Example request:
        GET /items/12345 HTTP/1.1
        x-api-key: <API Key>
  • 7. How API Servers Grant Access for Clients
    – Tokens in exchange for client credentials: more flexible, but limited to client-server authentication
    – Flow: 1. Token request with client credentials (API Client → Authorization Server (AS)); 2. Token response; 3. API request with token (API Client → API Server); 4. API response
    – Example requests:
        POST /token HTTP/1.1
        Authorization: Basic <Key:Secret>

        GET /items/12345 HTTP/1.1
        Authorization: Bearer <Token>
  • 8. How API Servers Grant Access for Clients
    – Tokens in exchange for authorization proof: the resource owner / assertion issuer (a user or an organization) can participate in the access granting process
    – Flow: 1. Authorization / assertion request (API Client → Resource Owner / Assertion Issuer); 2. Authorization code / assertion; 3. Token request with authorization code / assertion (API Client → AS); 4. Token response; 5. API request with token (API Client → API Server); 6. API response
    – Example: the client redirects the user to the AS for authentication and consent, then calls the API with the token
        HTTP/1.1 302 Found
        Location: https://as/authorize?...
        (User authentication and consent)

        GET /items/12345 HTTP/1.1
        Authorization: Bearer <Token>
  • 9. OAuth at a Glance
    – Framework for API access delegation using tokens: RFC 6749 describes the token granting process and essential grant flows such as authorization code and client credentials
    – Highly extensible for broad use cases: extensible grant types; user-involved (with user agents) and unattended (service accounts for machines)
    – Sister standard: OpenID Connect, whose “ID Token” conveys a user authentication event from the Identity Provider to the Relying Party
  • 10. “OAuth Dance”
    – Resource Owner, e.g. end user
    – User Agent, e.g. Web browser
    – Client, e.g. Web application using APIs
    – Authorization Server, e.g. user authentication server
    – Resource Server, e.g. API server
  • 11. Basic OAuth/OIDC Authorization Code Grant Flow / Bearer Token
    – Participants: Resource Owner, User Agent, Client, Authorization Server, Resource Server
    – Sequence: (Start) → Authorization request → user authentication and consent → Authorization response (Authorization Code) → Token request (Authorization Code) → Token response (Access Token) → API request (Access Token) → API response → (End)
    – Receive Authorization Request and return Authorization Code
    – Receive Authorization Code and return Access Token
    – Receive API Request with Access Token and return API response
  • 12. Advanced OAuth/OIDC for High-Stakes Transactions: FAPI (Financial-grade API), https://www.authlete.com/fapi
    – Actors: Fintechs, Banks, Adversaries; messages: authorization / token request, authorization / token response, API requests with the token
    – Threat: token theft
    – Preventing fraudulent token exchange by signing requests and responses
    – Preventing fraudulent access by using mutual TLS to detect the identity of the requester: stolen tokens won’t work as the adversaries can’t use the signing certificate bound to these tokens
  • 13. Advanced OAuth/OIDC for “Decoupled Authentication”: CIBA (Client Initiated Backchannel Authentication), https://www.authlete.com/ciba
    – Use case 1: Voice-initiated money transfer. Alice says “Send $50 to Bob” to her smart speaker, which initiates a payment via the bank’s pre-registered APIs (banking APIs with CIBA); the bank notifies its app on Alice’s smartphone, which asks “Send Bob $50?”
    – Use case 2: Call-center-initiated payment. A teleshopping call center initiates a payment via the payment service’s pre-registered APIs (payment APIs with CIBA); the payment service notifies its app on Alice’s smartphone, which asks “Buy? $50”
  • 14. Building Authorization Servers From Scratch
    – Handmade OAuth servers were valid in the good old days (circa early 2010s)
    – No longer applicable nowadays: a lot of OAuth extensions are now emerging (assertion framework, PKCE, JWT client authentication, device grant, …), and security considerations are frequently being updated for new use cases and threats (mobile app ecosystem, microservices, high-stakes transactions, …)
    – Source: https://twitter.com/blhjelm/status/1055551254401736704, https://hackerone.com/hacktivity?order_direction=DESC&order_field=latest_disclosable_activity_at&filter=type%3Aall&querystring=oauth
  • 15. Services Integrated with Authorization Server
    – Identity and access management (IAM)
    – API management (e.g. API gateways)
    – Authorization decision service that decides “who has access to what in which context” for token requests
    – Diagram: Client, Protected Resources, Resource Owner, Authorization Server, IAM Service, Authorization Decision Service, API Gateway; user authentication and consent, token request, API request, token introspection
  • 17. Where Authorization Server Belongs
    – An authorization server provides at least two functionalities: protocol operations (OAuth, OIDC and their extensions) and token management (life cycle, clients, scopes etc.)
    – An authorization server would often be a part of another system: application runtime, IAM system, API gateways
  • 18. AS Embedded in Application Runtime
    – Pros: application developers don’t need to handle OAuth
    – Cons: runtime vendors usually don’t consider OAuth functionality with high priority; sometimes obsolete
    – Diagram: Client Applications, Resource Owner, Application Runtime (Authorization Server Subsystem, Authorization Decision Implementation, API Endpoints), IAM Service; user authentication and consent, token request, API request
  • 19. AS Separated as IAM System
    – Pros: usually IAM vendors are serious (and competing) in adopting open standards
    – Cons: user management and authentication services are tightly integrated with the AS; authorization decision needs to be implemented on the vendor’s proprietary extension framework
    – Diagram: Client, Protected Resources, Resource Owner, IAM System (Authorization Server Subsystem, User Authentication Subsystem, Authorization Decision Subsystem), API Gateway; user authentication and consent, token request, API request, token introspection
  • 20. AS Integrated with API Gateways
    – Pros: familiar with API operations
    – Cons: API gateway vendors usually don’t consider OAuth functionality with high priority; sometimes obsolete; authorization decision needs to be implemented on the vendor’s proprietary extension framework
    – Diagram: Client, Protected Resources, Resource Owner, API Gateway (Authorization Server Subsystem, Authorization Decision Subsystem, API Endpoint Subsystem), IAM Service; user authentication and consent, token request, API request
  • 21. What Developers Really Needed
    – Freedom of choice for development
    – Offloading cumbersome protocol operations and token management
    – Leveraging the most suited solutions and/or other subsystems within organizations
    – Diagram: Client, Protected Resources, Resource Owner, Authorization Server, IAM Service, Authorization Decision Service, API Gateway
  • 23. Introducing Semi-hosted Pattern
    – Deploying a “backend” behind your authorization server
    – Your authorization server acting as “frontend”
    – No need to consider “what to do next with what methods” in OAuth/OIDC protocol processing
    – Diagram: Client, Protected Resources, Resource Owner, Authorization Server Frontend, Authorization Server Backend, IAM Service, Authorization Decision Service, API Gateway; user authentication and consent, token request, API request, token introspection
  • 24. Solution Example: Authlete Semi-Hosted Authorization Server Solution (© 2018 Authlete, Inc.)
    – Customer’s environment: API clients (websites, mobile, networked devices); Authorization Server (authorization frontend, authorization decision); existing services (user authentication, consent management, entitlement management); API servers / gateways (/data, /function, /transaction, /…)
    – Authlete: authorization backend APIs and the authorization information (e.g. tokens) database
    – Interactions: authorization request and API access from clients; OAuth/OIDC processing request from the authorization frontend; authorization status check from the API servers / gateways
    – Leveraging existing services; authorization decision logic with no dependency on Authlete; separation of operation between authorization server and API servers; externalizing cumbersome OAuth/OIDC processing and token management; OSS components available via GitHub
  • 25. Sequence is Simple - Implementation is Not
    – Participants: Resource Owner, User Agent, Client, Authorization Server, Resource Server
    – Sequence: (Start) → Authorization request → user authentication and consent → Authorization response → Token request → Token response → API request → API response → (End)
    – Authorization server tasks: processing authorization request; issuing authorization code; processing token request; access token introspection
  • 26. Offloading These Tasks to Authlete
    – Processing authorization request → POST /auth/authorization
    – Issuing authorization code → POST /auth/authorization/issue
    – Processing token request → POST /auth/token
    – Access token introspection → POST /auth/introspection
  • 27. 1. Processing Authorization Request
    – Send the query parameters “as is” to Authlete: POST /auth/authorization
        {
          "parameters": "response_type=code&client_id=57297408867&redirect_uri=https%3A%2F%2Fapi.authlete.com%2Fapi%2Fmock%2Fredirection%2F10167240235"
        }
    – Authlete returns a ticket and the information needed for authentication and consent:
        {
          "action": "INTERACTION",
          "client": { (OAuth Client information) },
          "service": { (Authlete Service information) },
          "ticket": "c4iy3TWGn74UMO7ihRl0ZS8OEUzV9axBlBbJbqxH-9Q",
          […]
        }
  • 28. 2. Issuing Authorization Code
    – Send the ticket and the frontend-generated user identifier: POST /auth/authorization/issue
        {
          "ticket": "FFgB9gwb_WXh6g1u-UQ8ZI-d_k4B-o-cm7RkVzI8Vnc",
          "subject": "78yM7DpDNgUTF7h4"
        }
    – Authlete returns the response content to be sent back to the client (issuing authorization code and tokens):
        {
          "action": "LOCATION",
          "responseContent": "https://api.authlete.com/api/mock/redirection/10167240235?code=_VSzpgug3OpdUymcbLYJjH1v9tE4hSPaxX_pSkxUUyk",
          […]
        }
  • 29. 3. Processing Token Request
    – Send the query parameters “as is” to Authlete: POST /auth/token
        {
          "parameters": "grant_type=authorization_code&code=DkKMvKzrRAsWErsWCChNX_gydqqgA55AW2OJlXmNTQI&redirect_uri=https%3A%2F%2Fapi.authlete.com%2Fapi%2Fmock%2Fredirection%2F10167240235",
          "clientId": 57297408867,
          "clientSecret": "[…]",
          […]
        }
    – Authlete returns the response content to be sent back to the client:
        {
          "responseContent": "{\"scope\":null,\"expires_in\":86400,\"token_type\":\"Bearer\",\"refresh_token\":\"sdQqY9Tbhsq6ZsWm1rZLgW4A3yxIk6RcgmmexHZ9BXB\",\"access_token\":\"rt5bUJsGfS17YCSmYGtgelMtokTLdoCmBe4VUFCk1YZ\"}",
          […]
        }
  • 30. 4. Access Token Introspection
    – Send a token for introspection: POST /auth/introspection
        {
          "token": "VFGsNK-5sXiqterdaR7b5QbRX9VTwVCQB87jbr2_xAI"
        }
    – Authlete returns the details associated with the token:
        {
          "type": "introspectionResponse",
          "resultCode": "A056001",
          "resultMessage": "[A056001] The access token is valid.",
          "action": "OK",
          "clientId": 57297408867,
          "clientIdAliasUsed": false,
          "existent": true,
          "expiresAt": 1511252965000,
          "refreshable": true,
          "responseContent": "Bearer error=\"invalid_request\"",
          "subject": "78yM7DpDNgUTF7h4",
          "sufficient": true,
          "usable": true
        }
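The four offloaded calls of slides 26-30 as one runnable loop, an added example that is neither the deck's nor Authlete's code: FakeBackend is a constructed in-memory stand-in for the backend endpoints (its rejection actions BAD_REQUEST, UNAUTHORIZED and FORBIDDEN, the introspection "scopes" field, CLIENT_SECRET and the sample scopes are assumptions; the client id, redirect URI and subject are taken from the slides). The frontend functions show what the slides ask of the frontend: forward the client's parameters untouched, dispatch on "action", bind the ticket to the subject the frontend itself authenticated, relay responseContent verbatim, and let the introspection flags decide 200, 401 or 403 at the resource server.

```python
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode
CLIENT_ID, CLIENT_SECRET = 57297408867, "constructed-secret"   # client id from slide 27; secret constructed
REDIRECT_URI = "https://api.authlete.com/api/mock/redirection/10167240235"   # redirect URI from slide 27


def _form(qs):
    return {k: v[0] for k, v in parse_qs(qs).items()}   # first value of each form/query parameter


class FakeBackend:
    """Constructed in-memory stand-in for the backend (added example, not Authlete's code).
    BAD_REQUEST, UNAUTHORIZED and FORBIDDEN are assumed rejection actions; slides show INTERACTION, LOCATION, OK."""

    def __init__(self):
        self.tickets, self.codes, self.tokens = {}, {}, {}

    def authorization(self, body):                       # POST /auth/authorization
        p = _form(body["parameters"])
        if (p.get("response_type"), p.get("client_id"), p.get("redirect_uri")) != ("code", str(CLIENT_ID), REDIRECT_URI):
            return {"action": "BAD_REQUEST"}
        ticket = secrets.token_urlsafe(32)
        self.tickets[ticket] = p                          # remember what the client asked for
        return {"action": "INTERACTION", "ticket": ticket, "client": {"clientId": CLIENT_ID}}

    def authorization_issue(self, body):                 # POST /auth/authorization/issue
        p = self.tickets.pop(body["ticket"], None)        # a ticket is single-use
        if p is None:
            return {"action": "BAD_REQUEST"}
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"subject": body["subject"], "scope": set(p.get("scope", "").split())}
        return {"action": "LOCATION", "responseContent": REDIRECT_URI + "?" + urlencode({"code": code})}

    def token(self, body):                               # POST /auth/token
        p = _form(body["parameters"])
        grant = self.codes.pop(p.get("code", ""), None)   # a code is single-use
        if (grant is None or p.get("grant_type") != "authorization_code" or p.get("redirect_uri") != REDIRECT_URI
                or (body["clientId"], body["clientSecret"]) != (CLIENT_ID, CLIENT_SECRET)):
            return {"action": "BAD_REQUEST"}
        at = secrets.token_urlsafe(32)
        self.tokens[at] = dict(grant, expiresAt=int(time.time() * 1000) + 86_400_000)
        return {"action": "OK", "responseContent": json.dumps({"access_token": at, "token_type": "Bearer", "expires_in": 86400})}

    def introspection(self, body):                       # POST /auth/introspection
        rec = self.tokens.get(body["token"])
        usable = rec is not None and rec["expiresAt"] > time.time() * 1000
        sufficient = usable and set(body.get("scopes", [])) <= rec["scope"]
        action = "OK" if sufficient else "FORBIDDEN" if usable else "UNAUTHORIZED"
        www = None if sufficient else 'Bearer error="%s"' % ("insufficient_scope" if usable else "invalid_token")
        return {"action": action, "existent": rec is not None, "usable": usable, "sufficient": sufficient,
                "subject": rec["subject"] if rec else None, "responseContent": www}   # www: WWW-Authenticate value


def fe_authorize(be, query_string):                      # AS frontend, GET /authorize (slide 27)
    res = be.authorization({"parameters": query_string})  # query string forwarded untouched
    return (200, {"ticket": res["ticket"]}) if res["action"] == "INTERACTION" else (400, res)


def fe_consent_granted(be, ticket, subject):             # AS frontend, after its own login + consent UI (slide 28)
    res = be.authorization_issue({"ticket": ticket, "subject": subject})   # frontend supplies the subject
    return (302, {"Location": res["responseContent"]}) if res["action"] == "LOCATION" else (400, res)


def fe_token(be, form_body, client_id, client_secret):   # AS frontend, POST /token (slide 29)
    res = be.token({"parameters": form_body, "clientId": client_id, "clientSecret": client_secret})
    return (200, json.loads(res["responseContent"])) if res["action"] == "OK" else (400, res)   # relay verbatim


def rs_api(be, bearer, required_scopes):                 # resource server (slide 30); "scopes" field is assumed
    res = be.introspection({"token": bearer, "scopes": required_scopes})
    if res["action"] == "OK":
        return 200, {"subject": res["subject"]}
    return (403 if res["usable"] else 401), {"WWW-Authenticate": res["responseContent"]}


def run_flow(subject="78yM7DpDNgUTF7h4"):                # one code grant end to end; subject value from slide 28
    be = FakeBackend()
    query = urlencode({"response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI, "scope": "read"})
    s1, ia = fe_authorize(be, query)
    s2, redirect = fe_consent_granted(be, ia["ticket"], subject)
    form = urlencode({"grant_type": "authorization_code", "redirect_uri": REDIRECT_URI,
                      "code": _form(redirect["Location"].split("?", 1)[1])["code"]})
    s3, tok = fe_token(be, form, CLIENT_ID, CLIENT_SECRET)
    return {"authorize": s1, "issue": s2, "token": s3,
            "ok": rs_api(be, tok["access_token"], ["read"]),              # granted scope -> 200
            "forbidden": rs_api(be, tok["access_token"], ["write"])[0],  # usable but insufficient -> 403
            "unauthorized": rs_api(be, "not-a-token", ["read"])[0],      # unknown token -> 401
            "replay": fe_token(be, form, CLIENT_ID, CLIENT_SECRET)[0]}   # spent code -> 400
```

The replay entry shows why the backend, not the frontend, owns code and ticket state: the second token request with the same code is refused without the frontend having to track it.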
  • 31. Semi-Hosted Pattern in Action: Seven Bank
    – They have been using Authlete instead of Azure API Management’s built-in OAuth 2.0, which didn’t meet their requirement for open banking APIs
    – They haven’t deployed any IAM for the API infrastructure: their existing internet banking system does user authentication and consent as well as entitlement management
    – Diagram: Client (Bank App and Third-Party Providers), Other Apps, Bank Customers, Authorization Server Frontend, Internet Banking System, Authorization Decision Service, API Management (Microsoft Azure), Authlete; user authentication and consent, API request, token request
    – Sources for the diagrams: https://www.isid.co.jp/case/case/2018sevenbank.html, https://www.isid.co.jp/news/release/2018/0919.html
  • 33. Build a Future-Proof Authorization Server
    – Examine which pattern is the best for your context: application runtime if API authorization doesn’t matter; IAM system if you want to make the AS tightly coupled with the user authentication service; API gateways if you want to build everything on that infrastructure
    – If none of the options above works for you, do consider the semi-hosted pattern: take back the right to implement your own authorization servers
    – Semi-hosted architecture: Authorization Server FRONTEND (UI/UX, authorization decision logic, identity & access management) and Authlete API BACKEND (token management, OAuth/OIDC protocol processing)
  • 34. Resources
    – Justin Richer (@justin__richer)’s blog entry on semi-hosted service: https://link.medium.com/SPXhiVMfz0
    – Taka Kawasaki (@darutk)’s blog entry on its implementation: https://link.medium.com/ROV8nUTfz0
    – Authlete: https://www.authlete.com/