23. Basic認証は使えない。「OAuthクライアント認証のためのMutual TLS」もしくは
「OAuth 2.0クライアント認証のためのJWTプロファイル」を用いなければならない
FAPI Part 1: 認可サーバー
クライアント認証
• 3. shall provide a client secret that adheres to the
requirements in section 16.19 of [OIDC] if a symmetric key
is used
• 4. shall authenticate the confidential client at the token
endpoint using one of the following methods:
– 1. Mutual TLS for OAuth Client Authentication as
specified in section 2 of [MTLS]
– 2. client_secret_jwt or private_key_jwt as specified in
section 9 of [OIDC]
• 5. shall require a key of size 2048 bits or larger if RSA
algorithms are used for the client authentication
• 6. shall require a key of size 160 bits or larger if elliptic
curve algorithms are used for the client authentication
• 19. shall return an invalid_client error as defined in 5.2 of
[RFC6749] when mis-matched client identifiers were
provided through the client authentication methods that
permits sending the client identifier in more than one way
23
24. JWTを用いたOAuth 2.0クライアント認証の例
共通鍵暗号 or 公開鍵暗号により署名された情報(クレームセット)をもとに認証
24
Resource
Owner
User Agent Client
Authorization
Server
Resource
Server
クレームセット
{
"iss": "55f9f559-2496-49d4-b6c3-351a586b7484”,
"sub": "55f9f559-2496-49d4-b6c3-351a586b7484",
"aud": "https://idp-p.example.com/token",
"iat": 1418698788,
"exp": 1418698848,
"jti": "1418698788/107c4da5194df463e52b56865c5af34e5595"
}
トークンリクエスト
Signed JWT
POST /token HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: idp-p.example.com
grant_type=authorization_code
&code=sedaFh
&scope=openid+email
&client_id=55f9f559-2496-49d4-b6c3-351a586b7484
&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-
assertion-type%3Ajwt-bearer&
client_assertion=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.
ew0KICAg[...omitted for brevity...].
t-_gX8JQ[...omitted for brevity...]
Signed JWT生成
26. redirect_uriは事前登録したリダイレクトURIと「厳密に一致」しなければならない。
またhttps以外のスキームを用いてはならない
FAPI Part 1: 認可サーバー
リダイレクトURI
• 9. shall require the redirect_uri parameter in the authorization
request
• 10. shall require the value of redirect_uri to exactly match one
of the pre-registered redirect URIs
• 20. shall require redirect URIs to use the https scheme
26
32. FAPI Part 1: 認可サーバー
ユーザー認証・認可
• 11. shall require user authentication at LoA 2 as defined in
[X.1254] or more
• 12. shall require explicit consent by the user to authorize the
requested scope if it has not been previously authorized
32
ユーザー認証の保証レベル(LoA)は2以上が必須(SHALL)。これまでに認可を受けて
いない権限(スコープ)については明示的に同意を求めることが必須(SHALL)
34. FAPI Part 1: 認可サーバー
トークン交換
• 7. shall require [RFC7636] with S256 as the code
challenge method;
• 13. should verify that the authorization code (section 1.3.1
of [RFC6749]) has not been previously used;
– NOTE: Section 4.1.3 of [RFC6749] does not provide
guidance regarding code reuse, but this document
provides limitation on code reuse in Section 3.1.3.2 of
[OIDC].
– NOTE: If replay identification of the authorization code is
not possible, it is desirable to set the validity period of the
authorization code to one minute or a suitable short
period of time. The validity period may act as a cache
control indicator of when to clear the authorization code
cache if one is used.
• 14. shall return token responses that conform to section
4.1.4 of [RFC6749];
• 15. shall return the list of granted scopes with the issued
access token;
34
“PKCE” (Proof Key for Code Exchange by OAuth Public Clients) が必須(SHALL)
36. FAPI Part 1: 認可サーバー
トークン
• 16. shall provide opaque non-guessable access tokens with a
minimum of 128 bits of entropy where the probability of an
attacker guessing the generated token is less than or equal to
2^(-160) as per [RFC6749] section 10.10
– NOTE: The opaqueness requirement for the access token does not
preclude the server to create a structured access token.
36
トークンに十分なエントロピーが必須(SHALL)。ただしこれは
構造化されたアクセストークンの生成を禁止するものではないことに留意
37. FAPI Part 1: 認可サーバー
同意管理
• 17. should clearly identify long-term grants to the user
during authorization as in 16.18 of [OIDC]
• 18. should provide a mechanism for the end-user to
revoke access tokens and refresh tokens granted to a
client as in 16.18 of [OIDC]
37
ユーザーに長期間のアクセス権限付与の許可を求める際にはそれを明確に示すべき
(SHOULD)。またトークンの取り消し機能をユーザーに提供するべき(SHOULD)
38. FAPI Part 1: クライアント
基本的なセキュリティ・プラクティス
• 1. shall support [RFC7636] or the mechanisms defined in
Financial-grade API - Part 2
• 2. shall use S256 as the code challenge method for the
[RFC7636]
• 3. shall use separate and distinct redirect URI for each
authorization server that it talks to
• 4. shall store the redirect URI value in the resource
owner's user-agents (such as browser) session and
compare it with the redirect URI that the authorization
response was received at, where, if the URIs do not match,
the client shall terminate the process with error
• 5. shall adhere to the best practice stated by [BCP212]
• 6. shall implement an effective CSRF protection
• If openid is not in the scope value, then it
– 9. shall include the state parameter defined in section
4.1.1 of [RFC6749].
38
PKCE, “IdP Mix-Up Attack” 対策, “OAuth 2.0 for Native Apps”, CSRF 対策の
すべてが必須(SHALL)
47. FAPI Part 1: クライアント
ユーザー識別子の取得
• Further, if it is desired to obtain a persistent identifier of
the authenticated user, then it
– 7. shall include openid in the scope value
– 8. shall include nonce parameter defined in Section 3.1.2.1 of
[OIDC] in the authentication request
47
ユーザー識別子の取得にはOIDCを用いることが必須(SHALL)
48. FAPI Part 1: クライアント
クライアント認証(コンフィデンシャル・クライアント)
• In addition to the provisions for a public client, a confidential client
– 1. shall support the following methods to authenticate against the token endpoint:
• 1. Mutual TLS for OAuth Client Authentication as specified in section 2 of [MTLS]
• 2. client_secret_jwt or private_key_jwt as specified in section 9 of [OIDC]
– 2. shall use RSA keys with a minimum 2048 bits if using RSA cryptography
– 3. shall use elliptic curve keys with a minimum of 160 bits if using Elliptic Curve cryptography
– 4. shall verify that its client secret has a minimum of 128 bits if using symmetric key cryptography
48
Basic認証は使えない。「OAuthクライアント認証のためのMutual TLS」もしくは
「OAuth 2.0クライアント認証のためのJWTプロファイル」を用いなければならない
49. FAPI Part 1: クライアント
リソースへのアクセス
• 1. shall send access tokens in the HTTP header as in Section 2.1 of OAuth 2.0 Bearer Token Usage [RFC6750]
• 3. may send the last time the customer logged into the client in the x-fapi-auth-date header where the value is supplied as a HTTP-date as
in section 7.1.1.1 of [RFC7231]
– e.g., x-fapi-auth-date: Tue, 11 Sep 2012 19:43:31 GMT
• 4. may send the customer’s IP address if this data is available in the x-fapi-customer-ip-address header
– e.g., x-fapi-customer-ip-address: 198.51.100.119
• 5. may send the x-fapi-interaction-id request header whose value is a [RFC4122] UUID to the server to help correlate log entries between
client and server
– e.g., x-fapi-interaction-id: c770aef3-6784-41f7-8e0e-ff5f97bddb3a.
49
アクセストークンはHTTPヘッダーにて送信することが必須(SHALL)。
その他FAPI独自のヘッダーを用いてもよい(MAY)
50. FAPI Part 1: リソースサーバー
基本的なセキュリティ・プラクティス
• 1. shall support the use of the HTTP GET method as in Section 4.3.1 of [RFC7231];
• 2. shall accept access tokens in the HTTP header as in Section 2.1 of OAuth 2.0 Bearer Token Usage [RFC6750];
• 3. shall not accept access tokens in the query parameters stated in Section 2.3 of OAuth 2.0 Bearer Token Usage [RFC6750];
• 4. shall verify that the access token is neither expired nor revoked;
• 5. shall verify that the scope associated with the access token authorizes the reading of the resource it is representing;
• 6. shall identify the associated entity to the access token;
• 7. shall only return the resource identified by the combination of the entity implicit in the access and the granted scope and otherwise
return errors as in section 3.1 of [RFC6750];
50
アクセストークンをクエリパラメーターとして受け入れてはならない(SHALL NOT)
51. FAPI Part 1: リソースサーバー
セキュリティ・プラクティス (cont.) + FAPI拡張
• 8. shall encode the response in UTF-8 if applicable
• 9. shall send the Content-type HTTP header Content-Type: application/json; charset=UTF-8 if applicable
• 10. shall send the server date in HTTP Date header as in section 7.1.1.2 of [RFC7231]
• 11. shall set the response header x-fapi-interaction-id to the value received from the corresponding fapi client request header
or to a [RFC4122] UUID value if the request header was not provided to track the interaction, e.g., x-fapi-interaction-id:
c770aef3-6784-41f7-8e0e-ff5f97bddb3a
• 12. shall log the value of x-fapi-interaction-id in the log entry
• 13. should support the use of Cross Origin Resource Sharing (CORS) [CORS] and or other methods as appropriate to
enable JavaScript clients to access the endpoint if it decides to provide access to JavaScript clients
51
x-fapi-interaction-id の付加が必須(SHALL)
56. FAPI Part 2: 認可サーバー
認可リクエスト
• 1. shall require the request or request_uri parameter to be passed as a
JWS signed JWT as in clause 6 of [OIDC]
• 10. shall require that all parameters are present inside the signed
request object passed in the request or request_uri parameter
• 11. may support the request object endpoint as described in section 7
• 13. shall require the request object to contain an exp claim
56
認可リクエストに「リクエスト・オブジェクト」を要求することが必須(SHALL)
58. FAPI Part 2: 認可サーバー
認可レスポンス
• 2. shall require the response_type values code id_token or code id_token token
• 3. shall return ID Token as a detached signature to the authorization response
• 4. shall include state hash, s_hash, in the ID Token to protect the state value if
the client supplied a value for state. s_hash may be omitted from the ID Token
returned fromthe Token Endpoint w hen s_hash is present in the ID Token
returned fromthe Authorization Endpoint
• In addition to the provisions given in section 5.2.2, an authorization server may
protect authorization responses to clients using the "JWT Secured Authorization
Response Mode" [JARM].
• The [JARM] allow s a client to request that an authorization server encode the
authorization response (of any response type) in a JWT. It is an alternative to
utilizing ID Tokens as detached signatures for providing financial-grade security
on authorization responses.
• The authorization server should advertise support for the [JARM] response
modes using the response_modes_supported metadata parameter.
• If [JARM] is used to secure the authorization responses, the clauses 2, 3, and 4
of section 5.2.2. do not apply. For example, clients may use [JARM] in
conjunction w ith the response type code.
58
“Hybrid Flow” にし、IDトークンを “Detached Signature” として返却することが
必須(SHALL)。ただしJARMに対応している場合にはその限りではない
59. Resource
Owner
User Agent Client
Authorization
Server
Resource
Server
フラグメント
取得
フラグメント
送信
(フラグメント)state,
code, id_token#
state, code,
id_token
認可レスポンスの保護
Hybrid Flow
認可コードとIDトークンを認可EPから返却
59
認可リクエスト
GET /authorize
?response_type=code%20id_token
[…]
&state=af0ifjsldkj
Detached Signatureによる検証
トークンリクエスト
トークンレスポンス
code
AT, RT,
ID Token
認可レスポンス
HTTP/1.1 302 Found
Location: https://api.mytpp.com/cb#
code=SplxlOBeZQQYbYS6WxSbIA
&id_token=eyJ0 ... NiJ9.eyJ1c ...
I6IjIifX0.DeWt4Qu ... ZXso
&state=af0ifjsldkj
Detached Signature生成
61. JARM
JWT Secured Authorization Response Mode for OAuth 2.0
61
Resource
Owner
User Agent Client
Authorization
Server
Resource
Server
response (code, state, 署名)
code
AT, RT,
ID Token
認可リクエスト
GET /authorize?
response_type=code&response_mode=jwt&[…]
認可レスポンス
HTTP/1.1 302 Found
Location: https://client.example.com/cb?
response=eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.
eyJpc3MiOiJodHRwczovL2FjY291bnRzLmV4YW1wbGUuY29tIiwiYXVkI
joiczZCaGRSa3F0MyIsImV4cCI6MTMxMTI4MTk3MCwiY29kZSI6IlB5eU
ZhdXgybzdRMFlmWEJVMzJqaHcuNUZYU1FwdnI4YWt2OUNlUkRTZDBRQSI
sInN0YXRlIjoiUzhOSjd1cWs1Zlk0RWpOdlBfR19GdHlKdTZwVXN2SDlq
c1luaTlkTUFKdyJ9.
HkdJ_TYgwBBj10C-aWuNUiA062Amq2b0_oyuc5P0aMTQphAqC2o9WbGSk
pfuHVBowlb-zJ15tBvXDIABL_t83q6ajvjtq_pqsByiRK2dLVdUwKhW3P
_9wjvI0K20gdoTNbNlP9Z41mhart4BqraIoI8e-L_EfAHfhCG_DDDv7Yg
トークンリクエスト
トークンレスポンス
Signed JWT検証
クレームセット
{
"iss": "https://accounts.example.com",
"aud": "s6BhdRkqt3",
"exp": 1311281970,
"code": "PyyFaux2o7Q0YfXBU32jhw.5FXSQpvr8akv9CeRDSd0QA",
"state": "S8NJ7uqk5fY4EjNvP_G_FtyJu6pUsvH9jsYni9dMAJw"
}
response(SignedJWT)生成
62. FAPI Part 2: 認可サーバー
トークン
• Sender-constrained Tokens
– 5. shall only issue authorization code, access token, and refresh token that are holder of key bound
– 6. shall support [OAUTB] or [MTLS] as a holder of key mechanism
• ID Token
– 8. shall support signed ID Tokens
– 9. should support signed and encrypted ID Token
62
発行するすべての認可コード、アクセストークン、リフレッシュトークンは
「鍵の所有者」へのバインドが必須(SHALL)。IDトークンには署名が必須(SHALL)
63. MTLSによる“Holder of Key”
トークンリクエスト時のクライアント証明書に、発行するアクセストークンをバインドする
63
Resource
Owner
User Agent Client
Authorization
Server
Resource
Server
トークンリクエスト
• TLS相互認証を行ってクライアントのX.509証明書を取得し、
その証明書のサブジェクトDNをもとにクライアントを認証
• リクエスト内のclient_idの値からクライアントを識別
• そのクライアント情報として事前登録されている「証明書の
サブジェクトDN」の値と照合し認証
X.509 PKC +
code + client_id
client_id
code
トークンレスポンス
• 証明書に結びつけた(バインドした)アクセストークンを返却
AT, RT
APIリクエスト
• TLS相互認証を行いクライアントのX.509証明書を取得
• 証明書とアクセストークンの結びつき(バインド)を確認
• トークンに含まれる or イントロスペクションの結果と
して得られる、証明書の「サムプリント」を利用
X.509 PKC + AT
X.509 PKC +
RT + client_id
64. FAPI Part 2: 認可サーバー
ユーザー認証
• 7. shall support user authentication at LoA 3 or greater
as defined in [X.1254]
64
ユーザー認証の保証レベル(LoA)は3以上が必須(SHALL)
65. FAPI Part 2: 認可サーバー
クライアント認証
• 12. shall require [RFC7636] with S256 as the code challenge method
for public clients only, if it supports public clients
• 14. shall authenticate the confidential client at the token endpoint using
one of the following methods (this overrides FAPI part 1 clause 5.2.2.4)
– 1. Mutual TLS for OAuth Client Authentication as specified in section 2 of [MTLS]
– 2. private_key_jwt as specified in section 9 of [OIDC]
65
クライアント認証に「Mutual TLS」もしくは「JWTプロファイル」を
用いなければならない(SHALL)。後者は公開鍵暗号のみ(client_secret_jwt禁止)
66. FAPI Part 2: クライアント
認証コンテクストとIDトークン
• Authentication Context
– 3. shall request user authentication at LoA 3 or greater by requesting
the acr claim as an essentialclaim as defined in section 5.5.1.1 of
[OIDC]
– 5. shall verify that the acr claim in an ID Token indicates that user
authentication w as performed at LoA3 or greater
– 6. shall verify that the amr claim in an ID Token contains values
appropriate for the LoA indicated by the acr claim
• ID Token
– 4. shall require JWS signed ID Token be returned fromendpoints
– 7. shall verify that the authorization response w asnot tampered using
ID Token as the detached signature
– To verify that the authorization response w as not tampered using ID
Token as the detached signature, the client shall verify thats_hash
value is equal to the value calculated fromthe state value in the
authorization response in addition to all the requirements in 3.3.2.12 of
[OIDC]
66
IDトークンに含まれる認証コンテクストの検証が必須(SHALL)。認可レスポンスの改
ざんチェックにIDトークンを “Detached Signature” として用いることが必須(SHALL)
67. FAPI Part 2: クライアント
“Holder of Key” とリクエストオブジェクト
• Holder of key
– 1. shall support [OAUTB] or [MTLS] as a holder of key
mechanism
• Note: [MTLS] shall be used with instance-specific keys
and (self-signed) certificates to bind access tokens to
the particular instance ofa public client.It is NOT used
as clientauthentication mechanisms
• Request Object
– 2. shall include the request or request_uri parameter as
defined in Section 6 of [OIDC] in the authentication
request
– 8. shall send all parameters inside the authorization
request's signed request object
– 9. shall additionally send duplicates of the
parameters/values using the OAuth 2.0 request syntax
where required by the OAuth specification
67
認可サーバーにて利用可能な、HoK (OAUTB or MTLS) と、リクエストオブジェクトの
渡しかた(request_uri or request)への対応が必須(SHALL)
68. FAPI Part 2: クライアント
コンフィデンシャル・クライアントにおける “Holder of Key” と PII
• 1. shall support [OAUTB] or [MTLS] as a holder of key mechanism (this overrides clause
5.2.3.1)
– Note: In case of confidential clients, [MTLS] can also be used as client authentication mechanism
• 2. should require both JWS signed and JWE encrypted ID Tokens to be returned from
endpoints to protect any sensitive personally identifiable information (PII) contained in the
ID Token provided as a detached signature in the authorization response
68
認可サーバーにて利用可能なHoK (OAUTB or MTLS) への対応が必須(SHALL)。認可
レスポンスとして返却するIDトークンにPIIを含む場合にはJWS+JWEが必須(SHALL)
69. FAPI Part 2: クライアント
リソースへのアクセス
• The client supporting this document shall support the
provisions specified in clause 6.2.2 of Financial-grade
API - Part 1: Read-Only API Security Profile
69
Part 1と同様(アクセストークンはHTTPヘッダーにて送信することが必須(SHALL)。
その他FAPI独自のヘッダーを用いてもよい(MAY))
70. FAPI Part 2: リソースサーバー
セキュリティ・プラクティス + MTLS or OAUTB
• 1. shall support the provisions specified in clause 6.2.1
Financial-grade API - Part 1: Read Only API Security Profile
• 2. shall adhere to the requirements in [MTLS] or [OAUTB]
70
アクセストークンをクエリパラメーターとして受け入れてはならない(SHALL NOT)。
MTLS or OAUTBへの対応が必須(SHALL)
98. FAPI Adoption
• UK Open Banking
• Australian Consumer Data Right (CDR)
• その他
– Slovak Banking API Standard
https://www.sbaonline.sk/Content/f iles/projects/slovak-banking-api-standard-1_1.pdf
– MKB Bank (ハンガリー)
https://portal.sandbox.mkb.hu/api-documentation/account-info-1.0
– Payments NZ API standards
https://pay mentsdirection.atlassian.net/wiki/spaces/PaymentsNZAPIStandards/ov erview
98