SlideShare a Scribd company logo

Why Assertion-based Access Token is preferred to Handle-based one?

Download as PPTX, PDF
Hitachi, Ltd. OSS Solution Center.
Hitachi, Ltd. OSS Solution Center.

This document discusses the differences between assertion-based access tokens and handle-based access tokens in OAuth 2.0. Assertion-based tokens are parsable tokens like JWTs that contain user and client information, while handle-based tokens are opaque references. Assertion-based tokens have advantages for performance and scalability but require cryptographic protection, while handle-based tokens require validation through the authorization server. The document then examines scenarios where handle-based tokens could cause problems, such as with multiple authorization servers, and outlines secure validation steps for assertion-based tokens.

1 of 34
Download to read offline
© Hitachi, Ltd. 2022. All rights reserved. Why Assertion-based Access Token is preferred to Handle-based one? APIsecure 2022 Hitachi, Ltd. Yoshiyuki Tabata Slides are available at https://www.slideshare.net/ssuserbeb7c0
1 © Hitachi, Ltd. 2022. All rights reserved. About the speaker • Specialist in authentication and authorization  Consulting for API management infrastructure and authentication/authorization systems in the financial, public, social, and industrial fields • Contributor to OSS related to authentication, authorization, and API management  Keycloak (IAM OSS)  3scale (API management OSS)  midPoint (IGA OSS) • Other activities  Speaker at events such as Apidays, API Specifications Conference, OAuth Security Workshop, etc.  Author of a Keycloak book (Japanese) and writer of web articles (Japanese) Yoshiyuki Tabata  Software Engineer  Hitachi, Ltd.  GitHub: @y-tabata
2 © Hitachi, Ltd. 2022. All rights reserved. Session Overview - In OAuth 2.0, there are 2 representations of an access token, Assertion-based access token and Handle-based access token. - They have their advantages and disadvantages from several viewpoints. Authorization Server  Organize differences between Assertion-based access token and Handle-based one  Analyze the recent trend toward Assertion-based access token is preferred  Propose a solution to disadvantages of Assertion-based access token In this session, user id scope … id Assertion-based access token is a parsable token (e.g. JWT) contains information about the user and the client Handle-based access token is a reference to internal data structure does not contain any information client id internal data structure
© Hitachi, Ltd. 2022. All rights reserved. Contents 3 1. Differences between Assertion-based access token and Handle-based access token 2. A scenario where using Handle-based access token causes a problem 3. How to validate Assertion-based access token securely 4. A solution to disadvantages of Assertion-based access token
© Hitachi, Ltd. 2022. All rights reserved. Contents 4 1. Differences between Assertion-based access token and Handle-based access token 2. A scenario where using Handle-based access token causes a problem 3. How to validate Assertion-based access token securely 4. A solution to disadvantages of Assertion-based access token
5 © Hitachi, Ltd. 2022. All rights reserved. Assertion-based access token - Assertion-based access token is a parsable token (e.g. JWT) - It contains information about the user and the client Authorization Server Access Token Resource Server Client App 1. Issue token 2. Call API 3. Validate token 4. Revoke token Point 1 The token is parsable, so if it is stolen, its contents may be leaked. Cryptographic mechanism is required to protect the contents. Point 2 The token contains information, so to validate the token, it's not mandatory to interact with the authorization server. Point 3 If the resource server doesn‘t interact with the authorization server frequently, an additional mechanism is required to notify the resource server of token revocation in the authorization server.
6 © Hitachi, Ltd. 2022. All rights reserved. Handle-based access token - Handle-based access token is a reference to internal data structure - It does not contain any information Authorization Server Access Token Resource Server Client App 1. Issue token 2. Call API 3. Validate token 4. Revoke token Point 1 The token is “opaque”, so even if it is stolen, any information can't be leaked. Cryptographic mechanism is not required. Point 2 The token doesn't contain information, so to validate the token, it's mandatory to interact with the authorization server. Point 3 The resource server always interacts with the authorization server, so it can notice immediately the token is revoked in the authorization server.
7 © Hitachi, Ltd. 2022. All rights reserved. Summary: Differences between Assertion and Handle - "OAuth 2.0 Threat Model and Security Considerations (RFC 6819)" also refers to these differences. Assertion-based access token Handle-based access token Description • a parsable token (e.g. JWT) • contains information about the user and the client • a reference to internal data structure • does not contain any information Validation • does not require interactions with the authorization server to validate the token • requires interactions with the authorization server to validate the token Performance /Scalability • better performance and scalability especially if the authorization server and the resource server reside on different systems • worse performance and scalability especially if the authorization server and the resource server reside on different systems Information leakage • requires cryptographic mechanisms to protect token content • does not require cryptographic mechanisms to protect token content Revocation • requires more difficult implementation • enables simple revocation  Many well-known IAM products, such as Keycloak, Okta, Azure AD, AWS, Ping Identity, IdentityServer, ForgeRock AM adopt Assertion-based (JWT) access token  JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens (RFC 9068)" was published in October 2021 In recent years, Assertion seems to be preferred over Handle:
8 © Hitachi, Ltd. 2022. All rights reserved. Summary: Differences between Assertion and Handle - "OAuth 2.0 Threat Model and Security Considerations (RFC 6819)" also refers to these differences. Assertion-based access token Handle-based access token Description • a parsable token (e.g. JWT) • contains information about the user and the client • a reference to internal data structure • does not contain any information Validation • does not require interactions with the authorization server to validate the token • requires interactions with the authorization server to validate the token Performance /Scalability • better performance and scalability especially if the authorization server and the resource server reside on different systems • worse performance and scalability especially if the authorization server and the resource server reside on different systems Information leakage • requires cryptographic mechanisms to protect token content • does not require cryptographic mechanisms to protect token content Revocation • requires more difficult implementation • enables simple revocation  One of the biggest reasons why Assertion is preferred is for performance reasons. Recently, the number of API calls grows enormous number, the interaction overheads are not ignorable even if it is a small amount at one API call.
© Hitachi, Ltd. 2022. All rights reserved. Contents 9 1. Differences between Assertion-based access token and Handle-based access token 2. A scenario where using Handle-based access token causes a problem 3. How to validate Assertion-based access token securely 4. A solution to disadvantages of Assertion-based access token
10 © Hitachi, Ltd. 2022. All rights reserved. Scenario: Multiple authorization servers - If client applications use access tokens issued from multiple authorization servers,  Assertion-based tokens should be validated by verifying the signature using the public key of the proper authorization server.  Handle-based tokens should be validated by interacting with the proper authorization server. BTW, how to identify the proper authorization server? Authorization Server A Resource Server 2. Call API 3. Validate token Authorization Server B Authorization Server C 1. Issue token Client Apps
11 © Hitachi, Ltd. 2022. All rights reserved. Scenario: Multiple authorization servers - To identify the proper authorization server,  Assertion-based tokens include the authorization server information, so we can use it.  Handle-based tokens do not include any information, so we cannot use it.  The proper authorization server cannot be identified if Handle-based tokens, without any extension of OAuth 2.0.  There are several ways to force achieving this, but they might be unacceptable.  for example, to add an additional parameter to the API request to identify the authorization server, or to interact with all authorization servers Authorization Server A Resource Server Authorization Server B Authorization Server C ?
12 © Hitachi, Ltd. 2022. All rights reserved. Scenario: Multiple authorization servers - Actually, this scenario is quite common. Assertion-based token can easily cover this common scenario. This is one of the strong points. RS 1 Service 1 (small) Client Apps Since starting from small is best practice these days, there are a lot of services (sets of a resource server and an authorization server) in the company. Eventually, as some of those services grow well, there will be a need for users of other services to use the growth service as well. AS 1 RS 2 Service 2 (small) Client Apps AS 2 RS 1 Service 1 (big) Client Apps AS 1 RS 2 Service 2 (big) Client Apps AS 2 Instead of letting RS 2 interact with AS 1, it is possible to let client apps interact with AS 2, but that would require not a few modifications to a large number of third-party's client apps. So, that may not be a viable option.
© Hitachi, Ltd. 2022. All rights reserved. Contents 13 1. Differences between Assertion-based access token and Handle-based access token 2. A scenario where using Handle-based access token causes a problem 3. How to validate Assertion-based access token securely 4. A solution to disadvantages of Assertion-based access token
14 © Hitachi, Ltd. 2022. All rights reserved. How to validate Assertion-based access token securely - What is the first step when validating Assertion-based token? A Check the expiration time (one of the easiest claims to validate) B Verify the signature
15 © Hitachi, Ltd. 2022. All rights reserved. How to validate Assertion-based access token securely - What is the first step when validating Assertion-based token? A Check the expiration time (one of the easiest claims to validate) B Verify the signature Unless the signature is verified first, the possibility cannot be denied that some claims were tampered with.
16 © Hitachi, Ltd. 2022. All rights reserved. How to validate Assertion-based access token securely - How to get the public key to verify the signature? A Request the public key to the authorization server indicated in issuer ("iss") claim B Some kind of check is required before processing A
17 © Hitachi, Ltd. 2022. All rights reserved. How to validate Assertion-based access token securely - How to get the public key to verify the signature? A Request the public key to the authorization server indicated in issuer ("iss") claim B Some kind of check is required before processing A Again, unless the signature is verified first, the possibility cannot be denied that the “iss” claim was tampered with. An attacker could tamper with the claim, direct the resource server to a fake authorization server and convince it that an unjust access token is the correct access token, so the resource server could allow an unjust API call.
18 © Hitachi, Ltd. 2022. All rights reserved. How to validate Assertion-based access token securely - How to get the public key to verify the signature? A Request the public key to the authorization server indicated in issuer ("iss") claim B Some kind of check is required before processing A So, some kind of check is required before processing A. For example, whitelist check, that is check whether the authz server indicated in the “iss” claim is in the whitelist or not. Even if the “iss” claim is tampered with, it can be detected when verifying the signature, because the public keys of authz servers in the whitelist cannot be tampered with.
19 © Hitachi, Ltd. 2022. All rights reserved. Summary: Steps to validate Assertion-based access token Resource Server Authorization Server Client App Whitelist “header” : { “kid”: …, … }, “payload”: { “iss”: …, “exp”: …, “scope”: …, “aud”: …, … }, “signature”: … ① Get the authorization server ID from the “iss” claim ② Check the authorization server is in Whitelist ③ Get the public key from the authorization server by using the “kid” claim ④ Cache the public key ⑤ Verify the signature by using the public key ⑥ Check at least the following claims of the payload • “exp” claim: the expiration time • “scope” claim: the scope the client app authorized • “aud” claim: the audience, that is, the resource server that can use this token to access control Call API Response ① ③ ④ ⑤ ⑥ ②
20 © Hitachi, Ltd. 2022. All rights reserved. Summary: Steps to validate Assertion-based access token Resource Server Authorization Server Client App Whitelist “header” : { “kid”: …, … }, “payload”: { “iss”: …, “exp”: …, “scope”: …, “aud”: …, … }, “signature”: … ① Get the authorization server ID from the “iss” claim ② Check the authorization server is in Whitelist ③ Get the public key from the authorization server by using the “kid” claim ④ Cache the public key ⑤ Verify the signature by using the public key ⑥ Check at least the following claims of the payload • “exp” claim: the expiration time • “scope” claim: the scope the client app authorized • “aud” claim: the audience, that is, the resource server that can use this token to access control Call API Response ① ③ ④ ⑤ ⑥ ②
21 © Hitachi, Ltd. 2022. All rights reserved. Summary: Steps to validate Assertion-based access token Resource Server Authorization Server Client App Whitelist “header” : { “kid”: …, … }, “payload”: { “iss”: …, “exp”: …, “scope”: …, “aud”: …, … }, “signature”: … ① Get the authorization server ID from the “iss” claim ② Check the authorization server is in Whitelist ③ Get the public key from the authorization server by using the “kid” claim ④ Cache the public key ⑤ Verify the signature by using the public key ⑥ Check at least the following claims of the payload • “exp” claim: the expiration time • “scope” claim: the scope the client app authorized • “aud” claim: the audience, that is, the resource server that can use this token to access control Call API Response ① ③ ④ ⑤ ⑥ ②
22 © Hitachi, Ltd. 2022. All rights reserved. Summary: Steps to validate Assertion-based access token Resource Server Authorization Server Client App Whitelist “header” : { “kid”: …, … }, “payload”: { “iss”: …, “exp”: …, “scope”: …, “aud”: …, … }, “signature”: … ① Get the authorization server ID from the “iss” claim ② Check the authorization server is in Whitelist ③ Get the public key from the authorization server by using the “kid” claim ④ Cache the public key ⑤ Verify the signature by using the public key ⑥ Check at least the following claims of the payload • “exp” claim: the expiration time • “scope” claim: the scope the client app authorized • “aud” claim: the audience, that is, the resource server that can use this token to access control Call API Response ① ③ ④ ⑤ ⑥ ②
23 © Hitachi, Ltd. 2022. All rights reserved. Summary: Steps to validate Assertion-based access token Resource Server Authorization Server Client App Whitelist “header” : { “kid”: …, … }, “payload”: { “iss”: …, “exp”: …, “scope”: …, “aud”: …, … }, “signature”: … ① Get the authorization server ID from the “iss” claim ② Check the authorization server is in Whitelist ③ Get the public key from the authorization server by using the “kid” claim ④ Cache the public key ⑤ Verify the signature by using the public key ⑥ Check at least the following claims of the payload • “exp” claim: the expiration time • “scope” claim: the scope the client app authorized • “aud” claim: the audience, that is, the resource server that can use this token to access control Call API Response ① ③ ④ ⑤ ⑥ ②
24 © Hitachi, Ltd. 2022. All rights reserved. Summary: Steps to validate Assertion-based access token Resource Server Authorization Server Client App Whitelist “header” : { “kid”: …, … }, “payload”: { “iss”: …, “exp”: …, “scope”: …, “aud”: …, … }, “signature”: … ① Get the authorization server ID from the “iss” claim ② Check the authorization server is in Whitelist ③ Get the public key from the authorization server by using the “kid” claim ④ Cache the public key ⑤ Verify the signature by using the public key ⑥ Check at least the following claims of the payload • “exp” claim: the expiration time • “scope” claim: the scope the client app authorized • “aud” claim: the audience, that is, the resource server that can use this token to access control Call API Response ① ③ ④ ⑤ ⑥ ②
25 © Hitachi, Ltd. 2022. All rights reserved. Summary: Steps to validate Assertion-based access token Resource Server Authorization Server Client App Whitelist “header” : { “kid”: …, … }, “payload”: { “iss”: …, “exp”: …, “scope”: …, “aud”: …, … }, “signature”: … ① Get the authorization server ID from the “iss” claim ② Check the authorization server is in Whitelist ③ Get the public key from the authorization server by using the “kid” claim ④ Cache the public key ⑤ Verify the signature by using the public key ⑥ Check at least the following claims of the payload • “exp” claim: the expiration time • “scope” claim: the scope the client app authorized • “aud” claim: the audience, that is, the resource server that can use this token to access control Call API Response ① ③ ④ ⑤ ⑥ ②
© Hitachi, Ltd. 2022. All rights reserved. Contents 26 1. Differences between Assertion-based access token and Handle-based access token 2. A scenario where using Handle-based access token causes a problem 3. How to validate Assertion-based access token securely 4. A solution to disadvantages of Assertion-based access token
27 © Hitachi, Ltd. 2022. All rights reserved. Disadvantages of Assertion-based access token - Recap the characteristics of both token types  Regarding “Revocation”, it's a little complex, but there are options such as “OpenID Connect Back- Channel Logout”.  Here, focus on “Information leakage”. To protect token content, mainly there are 2 options:  Encrypt token contents  Remove user privacy information Assertion-based access token Handle-based access token Description • a parsable token (e.g. JWT) • contains information about the user and the client • a reference to internal data structure • does not contain any information Validation • does not require interactions with the authorization server to validate the token • requires interactions with the authorization server to validate the token Performance /Scalability • better performance and scalability especially if the authorization server and the resource server reside on different systems • worse performance and scalability especially if the authorization server and the resource server reside on different systems Information leakage • requires cryptographic mechanisms to protect token content • does not require cryptographic mechanisms to protect token content Revocation • requires more difficult implementation • enables simple revocation
28 © Hitachi, Ltd. 2022. All rights reserved. How to protect token content: Encrypt token contents - To encrypt token contents, we need to consider cryptographic technology and key management.  Encryption might be the first thing that comes up with but is a little hard to implement like the above. Authorization Server Encrypted Access Token Resource Server Client App 1. Issue token 2. Call API 3. Validate token Encrypt Decrypt Option 1: Public Key Encryption • AS encrypts with the RS's public key. • RS decrypts with the RS's private key. • AS registers and manages a public key per RS. • AS selects the proper public key when receiving an authz request. Option 2: Common Key Encryption • AS encrypts with the common key. • RS decrypts with the same common key. • AS had better manage a common key per RS. • AS selects the proper common key when receiving an authz request. -> It's possible only AS manages the common key and AS both encrypts and decrypts, but the interaction between RS and AS is mandatory in that case.
29 © Hitachi, Ltd. 2022. All rights reserved. How to protect token content: Remove user information - Achieve “Lightweight access token” that only includes a user identifier and does not include other user information such as private information. - This other user information is provisioned by the IDM (Identity Management) product. Authorization Server Lightweight Access Token Resource Server Client App 1. Issue token 2. Call API 3. Validate token IDM Product Only user credentials Other user information Only carries: - User identifier - Client App info (authorization info) - Other JWT info (exp, iss, ...) • While the user information linking method through access tokens at the timing of API calls is called “JIT (Just-in-Time) provisioning”, on the other hand, the provisioning method shown on the left using IDM product allows user information to be linked at arbitrary timing independently of API calls. • By using this provisioning, revocation information can also be linked, so the revocation problem of Assertion-based token might also be resolved. • cf. Keycloak is discussing Lightweight access token just now. https://github.com/keycloak/keycloak/discuss ions/9713
30 © Hitachi, Ltd. 2022. All rights reserved. How to protect token content: Remove user information - It is also possible to use the IGA (Identity Governance and Administration) product.  Rather than simply provisioning at arbitrary timing, by provisioning at appropriate timings such as ID life cycle and ID stocktaking, we can achieve ID governance for the entire system and build an integrated authentication system that adheres to proper compliances. Authorization Server (Keycloak) Lightweight Access Token Resource Server Client App 1. Issue token 2. Call API IGA Product (midPoint) Only user credentials Other user information IGA IDM ID life cycle management Entitlement management Policy management Workflow Access request management Access certification Fulfillment Auditing Identity analytics Reporting User management Group management Role management Password management  The integrated authentication system by Keycloak + midPoint is one of our best solutions for the case using Assertion-based access token. IGA is an extended concept of IDM
31 © Hitachi, Ltd. 2022. All rights reserved. Summary  We organized differences between Assertion-based access token and Handle- based one.  We analyzed the recent trend that Assertion-based access token is preferred and described the scenario where using Handle-based access token causes a problem.  We described how to validate Assertion-based access token securely.  We proposed a solution to disadvantages of Assertion-based access token, the integrated authentication system by Keycloak + midPoint. Slides are available at https://www.slideshare.net/ssuserbeb7c0
32 © Hitachi, Ltd. 2022. All rights reserved. Trademarks • OpenID is a trademark or registered trademark of OpenID Foundation in the United States and other countries. • GitHub is a trademark or registered trademark of GitHub, Inc. in the United States and other countries. • Other brand names and product names used in this material are trademarks, registered trademarks, or trade names of their respective holders.
Why Assertion-based Access Token is preferred to Handle-based one?
Ad

Recommended

OAuth / OpenID Connectを中心とするAPIセキュリティについて #yuzawaws
OAuth / OpenID Connectを中心とするAPIセキュリティについて #yuzawawsOAuth / OpenID Connectを中心とするAPIセキュリティについて #yuzawaws
OAuth / OpenID Connectを中心とするAPIセキュリティについて #yuzawaws
Tatsuo Kudo
 
API Security Best Practices & Guidelines
API Security Best Practices & GuidelinesAPI Security Best Practices & Guidelines
API Security Best Practices & Guidelines
Prabath Siriwardena
 
KeycloakでFAPIに対応した高セキュリティなAPIを公開する
KeycloakでFAPIに対応した高セキュリティなAPIを公開するKeycloakでFAPIに対応した高セキュリティなAPIを公開する
KeycloakでFAPIに対応した高セキュリティなAPIを公開する
Hitachi, Ltd. OSS Solution Center.
 
祝!公式サポート Auth0 + LINE Login
祝!公式サポート Auth0 + LINE Login祝!公式サポート Auth0 + LINE Login
祝!公式サポート Auth0 + LINE Login
Naohiro Fujie
 
OAuth & OpenID Connect Deep Dive
OAuth & OpenID Connect Deep DiveOAuth & OpenID Connect Deep Dive
OAuth & OpenID Connect Deep Dive
Nordic APIs
 
金融 API 時代のセキュリティ: OpenID Financial API (FAPI) WG
金融 API 時代のセキュリティ: OpenID Financial API (FAPI) WG金融 API 時代のセキュリティ: OpenID Financial API (FAPI) WG
金融 API 時代のセキュリティ: OpenID Financial API (FAPI) WG
Nat Sakimura
 
Apigee の FAPI & CIBA 対応を実現する「Authlete (オースリート)」
Apigee の FAPI & CIBA 対応を実現する「Authlete (オースリート)」Apigee の FAPI & CIBA 対応を実現する「Authlete (オースリート)」
Apigee の FAPI & CIBA 対応を実現する「Authlete (オースリート)」
Tatsuo Kudo
 
英国オープンバンキング技術仕様の概要
英国オープンバンキング技術仕様の概要英国オープンバンキング技術仕様の概要
英国オープンバンキング技術仕様の概要
Tatsuo Kudo
 
Deep Dive into Keystone Tokens and Lessons Learned
Deep Dive into Keystone Tokens and Lessons LearnedDeep Dive into Keystone Tokens and Lessons Learned
Deep Dive into Keystone Tokens and Lessons Learned
Priti Desai
 
OAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId ConnectOAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId Connect
Saran Doraiswamy
 
An introduction to OAuth 2
An introduction to OAuth 2An introduction to OAuth 2
An introduction to OAuth 2
Sanjoy Kumar Roy
 
Lightweight Zero-trust Network Implementation and Transition with Keycloak an...
Lightweight Zero-trust Network Implementation and Transition with Keycloak an...Lightweight Zero-trust Network Implementation and Transition with Keycloak an...
Lightweight Zero-trust Network Implementation and Transition with Keycloak an...
Hitachi, Ltd. OSS Solution Center.
 
SAML / OpenID Connect / OAuth / SCIM 技術解説 - ID&IT 2014 #idit2014
SAML / OpenID Connect / OAuth / SCIM 技術解説 - ID&IT 2014 #idit2014SAML / OpenID Connect / OAuth / SCIM 技術解説 - ID&IT 2014 #idit2014
SAML / OpenID Connect / OAuth / SCIM 技術解説 - ID&IT 2014 #idit2014
Nov Matake
 
OAuth 2.0
OAuth 2.0OAuth 2.0
OAuth 2.0
Uwe Friedrichsen
 
RPで受け入れる認証器を選択する ~Idance lesson 2~
RPで受け入れる認証器を選択する ~Idance lesson 2~RPで受け入れる認証器を選択する ~Idance lesson 2~
RPで受け入れる認証器を選択する ~Idance lesson 2~
5 6
 
OAuth 2.0 with IBM WebSphere DataPower
OAuth 2.0 with IBM WebSphere DataPowerOAuth 2.0 with IBM WebSphere DataPower
OAuth 2.0 with IBM WebSphere DataPower
Shiu-Fun Poon
 
API Security Best Practices & Guidelines
API Security Best Practices & GuidelinesAPI Security Best Practices & Guidelines
API Security Best Practices & Guidelines
Prabath Siriwardena
 
Challenge to Implementing "Scalable" Authorization with Keycloak
Challenge to Implementing "Scalable" Authorization with KeycloakChallenge to Implementing "Scalable" Authorization with Keycloak
Challenge to Implementing "Scalable" Authorization with Keycloak
Hitachi, Ltd. OSS Solution Center.
 
いまどきの OAuth / OpenID Connect (OIDC) 一挙おさらい (2020 年 2 月) #authlete
いまどきの OAuth / OpenID Connect (OIDC) 一挙おさらい (2020 年 2 月) #authleteいまどきの OAuth / OpenID Connect (OIDC) 一挙おさらい (2020 年 2 月) #authlete
いまどきの OAuth / OpenID Connect (OIDC) 一挙おさらい (2020 年 2 月) #authlete
Tatsuo Kudo
 
Secure your app with keycloak
Secure your app with keycloakSecure your app with keycloak
Secure your app with keycloak
Guy Marom
 
Keycloakのステップアップ認証について
Keycloakのステップアップ認証についてKeycloakのステップアップ認証について
Keycloakのステップアップ認証について
Hitachi, Ltd. OSS Solution Center.
 
Introduction to Kong API Gateway
Introduction to Kong API GatewayIntroduction to Kong API Gateway
Introduction to Kong API Gateway
Yohann Ciurlik
 
Kongの概要と導入事例
Kongの概要と導入事例Kongの概要と導入事例
Kongの概要と導入事例
briscola-tokyo
 
なぜOpenID Connectが必要となったのか、その歴史的背景
なぜOpenID Connectが必要となったのか、その歴史的背景なぜOpenID Connectが必要となったのか、その歴史的背景
なぜOpenID Connectが必要となったのか、その歴史的背景
Tatsuo Kudo
 
OpenID Connectと身元確認/KYCのトレンド - 法人 KYCの現状 - OpenID BizDay #14
OpenID Connectと身元確認/KYCのトレンド - 法人 KYCの現状 - OpenID BizDay #14OpenID Connectと身元確認/KYCのトレンド - 法人 KYCの現状 - OpenID BizDay #14
OpenID Connectと身元確認/KYCのトレンド - 法人 KYCの現状 - OpenID BizDay #14
OpenID Foundation Japan
 
Keycloak for Science Gateways - SGCI Technology Sampler Webinar
Keycloak for Science Gateways - SGCI Technology Sampler WebinarKeycloak for Science Gateways - SGCI Technology Sampler Webinar
Keycloak for Science Gateways - SGCI Technology Sampler Webinar
marcuschristie
 
FIDO Specifications Overview: UAF & U2F
FIDO Specifications Overview: UAF & U2FFIDO Specifications Overview: UAF & U2F
FIDO Specifications Overview: UAF & U2F
FIDO Alliance
 
Spring security oauth2
Spring security oauth2Spring security oauth2
Spring security oauth2
axykim00
 
OAuth in the Real World featuring Webshell
OAuth in the Real World featuring WebshellOAuth in the Real World featuring Webshell
OAuth in the Real World featuring Webshell
CA API Management
 
KubeConRecap_nakamura.pdf
KubeConRecap_nakamura.pdfKubeConRecap_nakamura.pdf
KubeConRecap_nakamura.pdf
Hitachi, Ltd. OSS Solution Center.
 
Ad

More Related Content

What's hot (20)

Deep Dive into Keystone Tokens and Lessons Learned
Deep Dive into Keystone Tokens and Lessons LearnedDeep Dive into Keystone Tokens and Lessons Learned
Deep Dive into Keystone Tokens and Lessons Learned
Priti Desai
 
OAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId ConnectOAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId Connect
Saran Doraiswamy
 
An introduction to OAuth 2
An introduction to OAuth 2An introduction to OAuth 2
An introduction to OAuth 2
Sanjoy Kumar Roy
 
Lightweight Zero-trust Network Implementation and Transition with Keycloak an...
Lightweight Zero-trust Network Implementation and Transition with Keycloak an...Lightweight Zero-trust Network Implementation and Transition with Keycloak an...
Lightweight Zero-trust Network Implementation and Transition with Keycloak an...
Hitachi, Ltd. OSS Solution Center.
 
SAML / OpenID Connect / OAuth / SCIM 技術解説 - ID&IT 2014 #idit2014
SAML / OpenID Connect / OAuth / SCIM 技術解説 - ID&IT 2014 #idit2014SAML / OpenID Connect / OAuth / SCIM 技術解説 - ID&IT 2014 #idit2014
SAML / OpenID Connect / OAuth / SCIM 技術解説 - ID&IT 2014 #idit2014
Nov Matake
 
OAuth 2.0
OAuth 2.0OAuth 2.0
OAuth 2.0
Uwe Friedrichsen
 
RPで受け入れる認証器を選択する ~Idance lesson 2~
RPで受け入れる認証器を選択する ~Idance lesson 2~RPで受け入れる認証器を選択する ~Idance lesson 2~
RPで受け入れる認証器を選択する ~Idance lesson 2~
5 6
 
OAuth 2.0 with IBM WebSphere DataPower
OAuth 2.0 with IBM WebSphere DataPowerOAuth 2.0 with IBM WebSphere DataPower
OAuth 2.0 with IBM WebSphere DataPower
Shiu-Fun Poon
 
API Security Best Practices & Guidelines
API Security Best Practices & GuidelinesAPI Security Best Practices & Guidelines
API Security Best Practices & Guidelines
Prabath Siriwardena
 
Challenge to Implementing "Scalable" Authorization with Keycloak
Challenge to Implementing "Scalable" Authorization with KeycloakChallenge to Implementing "Scalable" Authorization with Keycloak
Challenge to Implementing "Scalable" Authorization with Keycloak
Hitachi, Ltd. OSS Solution Center.
 
いまどきの OAuth / OpenID Connect (OIDC) 一挙おさらい (2020 年 2 月) #authlete
いまどきの OAuth / OpenID Connect (OIDC) 一挙おさらい (2020 年 2 月) #authleteいまどきの OAuth / OpenID Connect (OIDC) 一挙おさらい (2020 年 2 月) #authlete
いまどきの OAuth / OpenID Connect (OIDC) 一挙おさらい (2020 年 2 月) #authlete
Tatsuo Kudo
 
Secure your app with keycloak
Secure your app with keycloakSecure your app with keycloak
Secure your app with keycloak
Guy Marom
 
Keycloakのステップアップ認証について
Keycloakのステップアップ認証についてKeycloakのステップアップ認証について
Keycloakのステップアップ認証について
Hitachi, Ltd. OSS Solution Center.
 
Introduction to Kong API Gateway
Introduction to Kong API GatewayIntroduction to Kong API Gateway
Introduction to Kong API Gateway
Yohann Ciurlik
 
Kongの概要と導入事例
Kongの概要と導入事例Kongの概要と導入事例
Kongの概要と導入事例
briscola-tokyo
 
なぜOpenID Connectが必要となったのか、その歴史的背景
なぜOpenID Connectが必要となったのか、その歴史的背景なぜOpenID Connectが必要となったのか、その歴史的背景
なぜOpenID Connectが必要となったのか、その歴史的背景
Tatsuo Kudo
 
OpenID Connectと身元確認/KYCのトレンド - 法人 KYCの現状 - OpenID BizDay #14
OpenID Connectと身元確認/KYCのトレンド - 法人 KYCの現状 - OpenID BizDay #14OpenID Connectと身元確認/KYCのトレンド - 法人 KYCの現状 - OpenID BizDay #14
OpenID Connectと身元確認/KYCのトレンド - 法人 KYCの現状 - OpenID BizDay #14
OpenID Foundation Japan
 
Keycloak for Science Gateways - SGCI Technology Sampler Webinar
Keycloak for Science Gateways - SGCI Technology Sampler WebinarKeycloak for Science Gateways - SGCI Technology Sampler Webinar
Keycloak for Science Gateways - SGCI Technology Sampler Webinar
marcuschristie
 
FIDO Specifications Overview: UAF & U2F
FIDO Specifications Overview: UAF & U2FFIDO Specifications Overview: UAF & U2F
FIDO Specifications Overview: UAF & U2F
FIDO Alliance
 
Spring security oauth2
Spring security oauth2Spring security oauth2
Spring security oauth2
axykim00
 
Deep Dive into Keystone Tokens and Lessons Learned
Deep Dive into Keystone Tokens and Lessons LearnedDeep Dive into Keystone Tokens and Lessons Learned
Deep Dive into Keystone Tokens and Lessons Learned
Priti Desai
 
OAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId ConnectOAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId Connect
Saran Doraiswamy
 
An introduction to OAuth 2
An introduction to OAuth 2An introduction to OAuth 2
An introduction to OAuth 2
Sanjoy Kumar Roy
 
Lightweight Zero-trust Network Implementation and Transition with Keycloak an...
Lightweight Zero-trust Network Implementation and Transition with Keycloak an...Lightweight Zero-trust Network Implementation and Transition with Keycloak an...
Lightweight Zero-trust Network Implementation and Transition with Keycloak an...
Hitachi, Ltd. OSS Solution Center.
 
SAML / OpenID Connect / OAuth / SCIM 技術解説 - ID&IT 2014 #idit2014
SAML / OpenID Connect / OAuth / SCIM 技術解説 - ID&IT 2014 #idit2014SAML / OpenID Connect / OAuth / SCIM 技術解説 - ID&IT 2014 #idit2014
SAML / OpenID Connect / OAuth / SCIM 技術解説 - ID&IT 2014 #idit2014
Nov Matake
 
OAuth 2.0
OAuth 2.0OAuth 2.0
OAuth 2.0
Uwe Friedrichsen
 
RPで受け入れる認証器を選択する ~Idance lesson 2~
RPで受け入れる認証器を選択する ~Idance lesson 2~RPで受け入れる認証器を選択する ~Idance lesson 2~
RPで受け入れる認証器を選択する ~Idance lesson 2~
5 6
 
OAuth 2.0 with IBM WebSphere DataPower
OAuth 2.0 with IBM WebSphere DataPowerOAuth 2.0 with IBM WebSphere DataPower
OAuth 2.0 with IBM WebSphere DataPower
Shiu-Fun Poon
 
API Security Best Practices & Guidelines
API Security Best Practices & GuidelinesAPI Security Best Practices & Guidelines
API Security Best Practices & Guidelines
Prabath Siriwardena
 
Challenge to Implementing "Scalable" Authorization with Keycloak
Challenge to Implementing "Scalable" Authorization with KeycloakChallenge to Implementing "Scalable" Authorization with Keycloak
Challenge to Implementing "Scalable" Authorization with Keycloak
Hitachi, Ltd. OSS Solution Center.
 
いまどきの OAuth / OpenID Connect (OIDC) 一挙おさらい (2020 年 2 月) #authlete
いまどきの OAuth / OpenID Connect (OIDC) 一挙おさらい (2020 年 2 月) #authleteいまどきの OAuth / OpenID Connect (OIDC) 一挙おさらい (2020 年 2 月) #authlete
いまどきの OAuth / OpenID Connect (OIDC) 一挙おさらい (2020 年 2 月) #authlete
Tatsuo Kudo
 
Secure your app with keycloak
Secure your app with keycloakSecure your app with keycloak
Secure your app with keycloak
Guy Marom
 
Keycloakのステップアップ認証について
Keycloakのステップアップ認証についてKeycloakのステップアップ認証について
Keycloakのステップアップ認証について
Hitachi, Ltd. OSS Solution Center.
 
Introduction to Kong API Gateway
Introduction to Kong API GatewayIntroduction to Kong API Gateway
Introduction to Kong API Gateway
Yohann Ciurlik
 
Kongの概要と導入事例
Kongの概要と導入事例Kongの概要と導入事例
Kongの概要と導入事例
briscola-tokyo
 
なぜOpenID Connectが必要となったのか、その歴史的背景
なぜOpenID Connectが必要となったのか、その歴史的背景なぜOpenID Connectが必要となったのか、その歴史的背景
なぜOpenID Connectが必要となったのか、その歴史的背景
Tatsuo Kudo
 
OpenID Connectと身元確認/KYCのトレンド - 法人 KYCの現状 - OpenID BizDay #14
OpenID Connectと身元確認/KYCのトレンド - 法人 KYCの現状 - OpenID BizDay #14OpenID Connectと身元確認/KYCのトレンド - 法人 KYCの現状 - OpenID BizDay #14
OpenID Connectと身元確認/KYCのトレンド - 法人 KYCの現状 - OpenID BizDay #14
OpenID Foundation Japan
 
Keycloak for Science Gateways - SGCI Technology Sampler Webinar
Keycloak for Science Gateways - SGCI Technology Sampler WebinarKeycloak for Science Gateways - SGCI Technology Sampler Webinar
Keycloak for Science Gateways - SGCI Technology Sampler Webinar
marcuschristie
 
FIDO Specifications Overview: UAF & U2F
FIDO Specifications Overview: UAF & U2FFIDO Specifications Overview: UAF & U2F
FIDO Specifications Overview: UAF & U2F
FIDO Alliance
 
Spring security oauth2
Spring security oauth2Spring security oauth2
Spring security oauth2
axykim00
 

Similar to Why Assertion-based Access Token is preferred to Handle-based one? (20)

OAuth in the Real World featuring Webshell
OAuth in the Real World featuring WebshellOAuth in the Real World featuring Webshell
OAuth in the Real World featuring Webshell
CA API Management
 
KubeConRecap_nakamura.pdf
KubeConRecap_nakamura.pdfKubeConRecap_nakamura.pdf
KubeConRecap_nakamura.pdf
Hitachi, Ltd. OSS Solution Center.
 
Exploring Best Practices for Implementing Authn and Authz in a Cloud-Native E...
Exploring Best Practices for Implementing Authn and Authz in a Cloud-Native E...Exploring Best Practices for Implementing Authn and Authz in a Cloud-Native E...
Exploring Best Practices for Implementing Authn and Authz in a Cloud-Native E...
Hitachi, Ltd. OSS Solution Center.
 
Exploring Best Practice for Implementing Authn and Authz in a Cloud-Native En...
Exploring Best Practice for Implementing Authn and Authz in a Cloud-Native En...Exploring Best Practice for Implementing Authn and Authz in a Cloud-Native En...
Exploring Best Practice for Implementing Authn and Authz in a Cloud-Native En...
Hitachi, Ltd. OSS Solution Center.
 
Enable Oauth2.0 with Sentinet API Management (Massimo Crippa @ BTUG Event)
Enable Oauth2.0 with Sentinet API Management (Massimo Crippa @ BTUG Event)Enable Oauth2.0 with Sentinet API Management (Massimo Crippa @ BTUG Event)
Enable Oauth2.0 with Sentinet API Management (Massimo Crippa @ BTUG Event)
Codit
 
Microservice architecture-api-gateway-considerations
Microservice architecture-api-gateway-considerationsMicroservice architecture-api-gateway-considerations
Microservice architecture-api-gateway-considerations
Imam Uddin Ahamed - PRINCE2 ® , ITIL ®
 
Securing Microservices in Hybrid Cloud
Securing Microservices in Hybrid CloudSecuring Microservices in Hybrid Cloud
Securing Microservices in Hybrid Cloud
VMware Tanzu
 
CIS13: Introduction to OAuth 2.0
CIS13: Introduction to OAuth 2.0CIS13: Introduction to OAuth 2.0
CIS13: Introduction to OAuth 2.0
CloudIDSummit
 
Managing Identities in the World of APIs
Managing Identities in the World of APIsManaging Identities in the World of APIs
Managing Identities in the World of APIs
Apigee | Google Cloud
 
Securing RESTful API
Securing RESTful APISecuring RESTful API
Securing RESTful API
Muhammad Zbeedat
 
API Security with OAuth2.0.
API Security with OAuth2.0.API Security with OAuth2.0.
API Security with OAuth2.0.
Kellton Tech Solutions Ltd
 
Oauth Nightmares Abstract OAuth Nightmares
Oauth Nightmares Abstract OAuth Nightmares Oauth Nightmares Abstract OAuth Nightmares
Oauth Nightmares Abstract OAuth Nightmares
Nino Ho
 
What API Specifications and Tools Help Engineers to Construct a High-Security...
What API Specifications and Tools Help Engineers to Construct a High-Security...What API Specifications and Tools Help Engineers to Construct a High-Security...
What API Specifications and Tools Help Engineers to Construct a High-Security...
Hitachi, Ltd. OSS Solution Center.
 
apidays Paris 2022 - Securing APIs in Open Banking, Takashi Norimatsu, Hitachi
apidays Paris 2022 - Securing APIs in Open Banking, Takashi Norimatsu, Hitachiapidays Paris 2022 - Securing APIs in Open Banking, Takashi Norimatsu, Hitachi
apidays Paris 2022 - Securing APIs in Open Banking, Takashi Norimatsu, Hitachi
apidays
 
apidays Helsinki & North 2023 - API authorization with Open Policy Agent, And...
apidays Helsinki & North 2023 - API authorization with Open Policy Agent, And...apidays Helsinki & North 2023 - API authorization with Open Policy Agent, And...
apidays Helsinki & North 2023 - API authorization with Open Policy Agent, And...
apidays
 
Identity as a Matter of Public Safety
Identity as a Matter of Public SafetyIdentity as a Matter of Public Safety
Identity as a Matter of Public Safety
Adam Lewis
 
OAuth2 Authorization Server Under the Hood
OAuth2 Authorization Server Under the HoodOAuth2 Authorization Server Under the Hood
OAuth2 Authorization Server Under the Hood
Lohika_Odessa_TechTalks
 
INTERFACE, by apidays - The Evolution of API Security by Johann Dilantha Nal...
INTERFACE, by apidays - The Evolution of API Security by Johann Dilantha Nal...INTERFACE, by apidays - The Evolution of API Security by Johann Dilantha Nal...
INTERFACE, by apidays - The Evolution of API Security by Johann Dilantha Nal...
apidays
 
[APIdays INTERFACE 2021] The Evolution of API Security for Client-side Applic...
[APIdays INTERFACE 2021] The Evolution of API Security for Client-side Applic...[APIdays INTERFACE 2021] The Evolution of API Security for Client-side Applic...
[APIdays INTERFACE 2021] The Evolution of API Security for Client-side Applic...
WSO2
 
Distributed Authorization with Open Policy Agent.pdf
Distributed Authorization with Open Policy Agent.pdfDistributed Authorization with Open Policy Agent.pdf
Distributed Authorization with Open Policy Agent.pdf
Nordic APIs
 
OAuth in the Real World featuring Webshell
OAuth in the Real World featuring WebshellOAuth in the Real World featuring Webshell
OAuth in the Real World featuring Webshell
CA API Management
 
KubeConRecap_nakamura.pdf
KubeConRecap_nakamura.pdfKubeConRecap_nakamura.pdf
KubeConRecap_nakamura.pdf
Hitachi, Ltd. OSS Solution Center.
 
Exploring Best Practices for Implementing Authn and Authz in a Cloud-Native E...
Exploring Best Practices for Implementing Authn and Authz in a Cloud-Native E...Exploring Best Practices for Implementing Authn and Authz in a Cloud-Native E...
Exploring Best Practices for Implementing Authn and Authz in a Cloud-Native E...
Hitachi, Ltd. OSS Solution Center.
 
Exploring Best Practice for Implementing Authn and Authz in a Cloud-Native En...
Exploring Best Practice for Implementing Authn and Authz in a Cloud-Native En...Exploring Best Practice for Implementing Authn and Authz in a Cloud-Native En...
Exploring Best Practice for Implementing Authn and Authz in a Cloud-Native En...
Hitachi, Ltd. OSS Solution Center.
 
Enable Oauth2.0 with Sentinet API Management (Massimo Crippa @ BTUG Event)
Enable Oauth2.0 with Sentinet API Management (Massimo Crippa @ BTUG Event)Enable Oauth2.0 with Sentinet API Management (Massimo Crippa @ BTUG Event)
Enable Oauth2.0 with Sentinet API Management (Massimo Crippa @ BTUG Event)
Codit
 
Microservice architecture-api-gateway-considerations
Microservice architecture-api-gateway-considerationsMicroservice architecture-api-gateway-considerations
Microservice architecture-api-gateway-considerations
Imam Uddin Ahamed - PRINCE2 ® , ITIL ®
 
Securing Microservices in Hybrid Cloud
Securing Microservices in Hybrid CloudSecuring Microservices in Hybrid Cloud
Securing Microservices in Hybrid Cloud
VMware Tanzu
 
CIS13: Introduction to OAuth 2.0
CIS13: Introduction to OAuth 2.0CIS13: Introduction to OAuth 2.0
CIS13: Introduction to OAuth 2.0
CloudIDSummit
 
Managing Identities in the World of APIs
Managing Identities in the World of APIsManaging Identities in the World of APIs
Managing Identities in the World of APIs
Apigee | Google Cloud
 
Securing RESTful API
Securing RESTful APISecuring RESTful API
Securing RESTful API
Muhammad Zbeedat
 
API Security with OAuth2.0.
API Security with OAuth2.0.API Security with OAuth2.0.
API Security with OAuth2.0.
Kellton Tech Solutions Ltd
 
Oauth Nightmares Abstract OAuth Nightmares
Oauth Nightmares Abstract OAuth Nightmares Oauth Nightmares Abstract OAuth Nightmares
Oauth Nightmares Abstract OAuth Nightmares
Nino Ho
 
What API Specifications and Tools Help Engineers to Construct a High-Security...
What API Specifications and Tools Help Engineers to Construct a High-Security...What API Specifications and Tools Help Engineers to Construct a High-Security...
What API Specifications and Tools Help Engineers to Construct a High-Security...
Hitachi, Ltd. OSS Solution Center.
 
apidays Paris 2022 - Securing APIs in Open Banking, Takashi Norimatsu, Hitachi
apidays Paris 2022 - Securing APIs in Open Banking, Takashi Norimatsu, Hitachiapidays Paris 2022 - Securing APIs in Open Banking, Takashi Norimatsu, Hitachi
apidays Paris 2022 - Securing APIs in Open Banking, Takashi Norimatsu, Hitachi
apidays
 
apidays Helsinki & North 2023 - API authorization with Open Policy Agent, And...
apidays Helsinki & North 2023 - API authorization with Open Policy Agent, And...apidays Helsinki & North 2023 - API authorization with Open Policy Agent, And...
apidays Helsinki & North 2023 - API authorization with Open Policy Agent, And...
apidays
 
Identity as a Matter of Public Safety
Identity as a Matter of Public SafetyIdentity as a Matter of Public Safety
Identity as a Matter of Public Safety
Adam Lewis
 
OAuth2 Authorization Server Under the Hood
OAuth2 Authorization Server Under the HoodOAuth2 Authorization Server Under the Hood
OAuth2 Authorization Server Under the Hood
Lohika_Odessa_TechTalks
 
INTERFACE, by apidays - The Evolution of API Security by Johann Dilantha Nal...
INTERFACE, by apidays - The Evolution of API Security by Johann Dilantha Nal...INTERFACE, by apidays - The Evolution of API Security by Johann Dilantha Nal...
INTERFACE, by apidays - The Evolution of API Security by Johann Dilantha Nal...
apidays
 
[APIdays INTERFACE 2021] The Evolution of API Security for Client-side Applic...
[APIdays INTERFACE 2021] The Evolution of API Security for Client-side Applic...[APIdays INTERFACE 2021] The Evolution of API Security for Client-side Applic...
[APIdays INTERFACE 2021] The Evolution of API Security for Client-side Applic...
WSO2
 
Distributed Authorization with Open Policy Agent.pdf
Distributed Authorization with Open Policy Agent.pdfDistributed Authorization with Open Policy Agent.pdf
Distributed Authorization with Open Policy Agent.pdf
Nordic APIs
 
Ad

More from Hitachi, Ltd. OSS Solution Center. (20)

KubeCon + CloudNativeCon North America セキュリティ周りrecap
KubeCon + CloudNativeCon North America セキュリティ周りrecapKubeCon + CloudNativeCon North America セキュリティ周りrecap
KubeCon + CloudNativeCon North America セキュリティ周りrecap
Hitachi, Ltd. OSS Solution Center.
 
Let’s Join Cloud Native Computing Foundation TAG Security APAC!
Let’s Join Cloud Native Computing Foundation TAG Security APAC!Let’s Join Cloud Native Computing Foundation TAG Security APAC!
Let’s Join Cloud Native Computing Foundation TAG Security APAC!
Hitachi, Ltd. OSS Solution Center.
 
CloudNativeSecurityCon North America 2024 Overview
CloudNativeSecurityCon North America 2024 OverviewCloudNativeSecurityCon North America 2024 Overview
CloudNativeSecurityCon North America 2024 Overview
Hitachi, Ltd. OSS Solution Center.
 
How Does a Workload Authenticate an API Request?: Implementing Transaction To...
How Does a Workload Authenticate an API Request?: Implementing Transaction To...How Does a Workload Authenticate an API Request?: Implementing Transaction To...
How Does a Workload Authenticate an API Request?: Implementing Transaction To...
Hitachi, Ltd. OSS Solution Center.
 
Authentication and Authorization of The Latest Keycloak
Authentication and Authorization of The Latest KeycloakAuthentication and Authorization of The Latest Keycloak
Authentication and Authorization of The Latest Keycloak
Hitachi, Ltd. OSS Solution Center.
 
Guide of authentication and authorization for cloud native applications with ...
Guide of authentication and authorization for cloud native applications with ...Guide of authentication and authorization for cloud native applications with ...
Guide of authentication and authorization for cloud native applications with ...
Hitachi, Ltd. OSS Solution Center.
 
KeycloakのCNCF incubating project入りまでのアップストリーム活動の歩み
KeycloakのCNCF incubating project入りまでのアップストリーム活動の歩みKeycloakのCNCF incubating project入りまでのアップストリーム活動の歩み
KeycloakのCNCF incubating project入りまでのアップストリーム活動の歩み
Hitachi, Ltd. OSS Solution Center.
 
KubeCon NA 2023 Recap: Challenge to Implementing “Scalable” Authorization wit...
KubeCon NA 2023 Recap: Challenge to Implementing “Scalable” Authorization wit...KubeCon NA 2023 Recap: Challenge to Implementing “Scalable” Authorization wit...
KubeCon NA 2023 Recap: Challenge to Implementing “Scalable” Authorization wit...
Hitachi, Ltd. OSS Solution Center.
 
パスキーでリードする: NGINXとKeycloakによる効率的な認証・認可
パスキーでリードする: NGINXとKeycloakによる効率的な認証・認可パスキーでリードする: NGINXとKeycloakによる効率的な認証・認可
パスキーでリードする: NGINXとKeycloakによる効率的な認証・認可
Hitachi, Ltd. OSS Solution Center.
 
Keycloakの全体像: 基本概念、ユースケース、そして最新の開発動向
Keycloakの全体像: 基本概念、ユースケース、そして最新の開発動向Keycloakの全体像: 基本概念、ユースケース、そして最新の開発動向
Keycloakの全体像: 基本概念、ユースケース、そして最新の開発動向
Hitachi, Ltd. OSS Solution Center.
 
NGINXでの認可について考える
NGINXでの認可について考えるNGINXでの認可について考える
NGINXでの認可について考える
Hitachi, Ltd. OSS Solution Center.
 
Security Considerations for API Gateway Aggregation
Security Considerations for API Gateway AggregationSecurity Considerations for API Gateway Aggregation
Security Considerations for API Gateway Aggregation
Hitachi, Ltd. OSS Solution Center.
 
IDガバナンス&管理の基礎
IDガバナンス&管理の基礎IDガバナンス&管理の基礎
IDガバナンス&管理の基礎
Hitachi, Ltd. OSS Solution Center.
 
NGINXをBFF (Backend for Frontend)として利用した話
NGINXをBFF (Backend for Frontend)として利用した話NGINXをBFF (Backend for Frontend)として利用した話
NGINXをBFF (Backend for Frontend)として利用した話
Hitachi, Ltd. OSS Solution Center.
 
KeycloakでAPI認可に入門する
KeycloakでAPI認可に入門するKeycloakでAPI認可に入門する
KeycloakでAPI認可に入門する
Hitachi, Ltd. OSS Solution Center.
 
Implementing security and availability requirements for banking API system us...
Implementing security and availability requirements for banking API system us...Implementing security and availability requirements for banking API system us...
Implementing security and availability requirements for banking API system us...
Hitachi, Ltd. OSS Solution Center.
 
Overall pictures of Identity provider mix-up attack patterns and trade-offs b...
Overall pictures of Identity provider mix-up attack patterns and trade-offs b...Overall pictures of Identity provider mix-up attack patterns and trade-offs b...
Overall pictures of Identity provider mix-up attack patterns and trade-offs b...
Hitachi, Ltd. OSS Solution Center.
 
Apache con@home 2021_sha
Apache con@home 2021_shaApache con@home 2021_sha
Apache con@home 2021_sha
Hitachi, Ltd. OSS Solution Center.
 
Node-RED Installer, Standalone Installer using Electron
Node-RED Installer, Standalone Installer using ElectronNode-RED Installer, Standalone Installer using Electron
Node-RED Installer, Standalone Installer using Electron
Hitachi, Ltd. OSS Solution Center.
 
Hacktoberfest 概要、Node-REDプロジェクト貢献手順
Hacktoberfest 概要、Node-REDプロジェクト貢献手順Hacktoberfest 概要、Node-REDプロジェクト貢献手順
Hacktoberfest 概要、Node-REDプロジェクト貢献手順
Hitachi, Ltd. OSS Solution Center.
 
KubeCon + CloudNativeCon North America セキュリティ周りrecap
KubeCon + CloudNativeCon North America セキュリティ周りrecapKubeCon + CloudNativeCon North America セキュリティ周りrecap
KubeCon + CloudNativeCon North America セキュリティ周りrecap
Hitachi, Ltd. OSS Solution Center.
 
Let’s Join Cloud Native Computing Foundation TAG Security APAC!
Let’s Join Cloud Native Computing Foundation TAG Security APAC!Let’s Join Cloud Native Computing Foundation TAG Security APAC!
Let’s Join Cloud Native Computing Foundation TAG Security APAC!
Hitachi, Ltd. OSS Solution Center.
 
CloudNativeSecurityCon North America 2024 Overview
CloudNativeSecurityCon North America 2024 OverviewCloudNativeSecurityCon North America 2024 Overview
CloudNativeSecurityCon North America 2024 Overview
Hitachi, Ltd. OSS Solution Center.
 
How Does a Workload Authenticate an API Request?: Implementing Transaction To...
How Does a Workload Authenticate an API Request?: Implementing Transaction To...How Does a Workload Authenticate an API Request?: Implementing Transaction To...
How Does a Workload Authenticate an API Request?: Implementing Transaction To...
Hitachi, Ltd. OSS Solution Center.
 
Authentication and Authorization of The Latest Keycloak
Authentication and Authorization of The Latest KeycloakAuthentication and Authorization of The Latest Keycloak
Authentication and Authorization of The Latest Keycloak
Hitachi, Ltd. OSS Solution Center.
 
Guide of authentication and authorization for cloud native applications with ...
Guide of authentication and authorization for cloud native applications with ...Guide of authentication and authorization for cloud native applications with ...
Guide of authentication and authorization for cloud native applications with ...
Hitachi, Ltd. OSS Solution Center.
 
KeycloakのCNCF incubating project入りまでのアップストリーム活動の歩み
KeycloakのCNCF incubating project入りまでのアップストリーム活動の歩みKeycloakのCNCF incubating project入りまでのアップストリーム活動の歩み
KeycloakのCNCF incubating project入りまでのアップストリーム活動の歩み
Hitachi, Ltd. OSS Solution Center.
 
KubeCon NA 2023 Recap: Challenge to Implementing “Scalable” Authorization wit...
KubeCon NA 2023 Recap: Challenge to Implementing “Scalable” Authorization wit...KubeCon NA 2023 Recap: Challenge to Implementing “Scalable” Authorization wit...
KubeCon NA 2023 Recap: Challenge to Implementing “Scalable” Authorization wit...
Hitachi, Ltd. OSS Solution Center.
 
パスキーでリードする: NGINXとKeycloakによる効率的な認証・認可
パスキーでリードする: NGINXとKeycloakによる効率的な認証・認可パスキーでリードする: NGINXとKeycloakによる効率的な認証・認可
パスキーでリードする: NGINXとKeycloakによる効率的な認証・認可
Hitachi, Ltd. OSS Solution Center.
 
Keycloakの全体像: 基本概念、ユースケース、そして最新の開発動向
Keycloakの全体像: 基本概念、ユースケース、そして最新の開発動向Keycloakの全体像: 基本概念、ユースケース、そして最新の開発動向
Keycloakの全体像: 基本概念、ユースケース、そして最新の開発動向
Hitachi, Ltd. OSS Solution Center.
 
NGINXでの認可について考える
NGINXでの認可について考えるNGINXでの認可について考える
NGINXでの認可について考える
Hitachi, Ltd. OSS Solution Center.
 
Security Considerations for API Gateway Aggregation
Security Considerations for API Gateway AggregationSecurity Considerations for API Gateway Aggregation
Security Considerations for API Gateway Aggregation
Hitachi, Ltd. OSS Solution Center.
 
IDガバナンス&管理の基礎
IDガバナンス&管理の基礎IDガバナンス&管理の基礎
IDガバナンス&管理の基礎
Hitachi, Ltd. OSS Solution Center.
 
NGINXをBFF (Backend for Frontend)として利用した話
NGINXをBFF (Backend for Frontend)として利用した話NGINXをBFF (Backend for Frontend)として利用した話
NGINXをBFF (Backend for Frontend)として利用した話
Hitachi, Ltd. OSS Solution Center.
 
KeycloakでAPI認可に入門する
KeycloakでAPI認可に入門するKeycloakでAPI認可に入門する
KeycloakでAPI認可に入門する
Hitachi, Ltd. OSS Solution Center.
 
Implementing security and availability requirements for banking API system us...
Implementing security and availability requirements for banking API system us...Implementing security and availability requirements for banking API system us...
Implementing security and availability requirements for banking API system us...
Hitachi, Ltd. OSS Solution Center.
 
Overall pictures of Identity provider mix-up attack patterns and trade-offs b...
Overall pictures of Identity provider mix-up attack patterns and trade-offs b...Overall pictures of Identity provider mix-up attack patterns and trade-offs b...
Overall pictures of Identity provider mix-up attack patterns and trade-offs b...
Hitachi, Ltd. OSS Solution Center.
 
Apache con@home 2021_sha
Apache con@home 2021_shaApache con@home 2021_sha
Apache con@home 2021_sha
Hitachi, Ltd. OSS Solution Center.
 
Node-RED Installer, Standalone Installer using Electron
Node-RED Installer, Standalone Installer using ElectronNode-RED Installer, Standalone Installer using Electron
Node-RED Installer, Standalone Installer using Electron
Hitachi, Ltd. OSS Solution Center.
 
Hacktoberfest 概要、Node-REDプロジェクト貢献手順
Hacktoberfest 概要、Node-REDプロジェクト貢献手順Hacktoberfest 概要、Node-REDプロジェクト貢献手順
Hacktoberfest 概要、Node-REDプロジェクト貢献手順
Hitachi, Ltd. OSS Solution Center.
 
Ad

Recently uploaded (20)

Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...
Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...
Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...
BookNet Canada
 
Role of Data Annotation Services in AI-Powered Manufacturing
Role of Data Annotation Services in AI-Powered ManufacturingRole of Data Annotation Services in AI-Powered Manufacturing
Role of Data Annotation Services in AI-Powered Manufacturing
Andrew Leo
 
Mastering Advance Window Functions in SQL.pdf
Mastering Advance Window Functions in SQL.pdfMastering Advance Window Functions in SQL.pdf
Mastering Advance Window Functions in SQL.pdf
Spiral Mantra
 
Linux Professional Institute LPIC-1 Exam.pdf
Linux Professional Institute LPIC-1 Exam.pdfLinux Professional Institute LPIC-1 Exam.pdf
Linux Professional Institute LPIC-1 Exam.pdf
RHCSA Guru
 
TrsLabs - Fintech Product & Business Consulting
TrsLabs - Fintech Product & Business ConsultingTrsLabs - Fintech Product & Business Consulting
TrsLabs - Fintech Product & Business Consulting
Trs Labs
 
Quantum Computing Quick Research Guide by Arthur Morgan
Quantum Computing Quick Research Guide by Arthur MorganQuantum Computing Quick Research Guide by Arthur Morgan
Quantum Computing Quick Research Guide by Arthur Morgan
Arthur Morgan
 
Build Your Own Copilot & Agents For Devs
Build Your Own Copilot & Agents For DevsBuild Your Own Copilot & Agents For Devs
Build Your Own Copilot & Agents For Devs
Brian McKeiver
 
Semantic Cultivators : The Critical Future Role to Enable AI
Semantic Cultivators : The Critical Future Role to Enable AISemantic Cultivators : The Critical Future Role to Enable AI
Semantic Cultivators : The Critical Future Role to Enable AI
artmondano
 
Rusty Waters: Elevating Lakehouses Beyond Spark
Rusty Waters: Elevating Lakehouses Beyond SparkRusty Waters: Elevating Lakehouses Beyond Spark
Rusty Waters: Elevating Lakehouses Beyond Spark
carlyakerly1
 
Cybersecurity Identity and Access Solutions using Azure AD
Cybersecurity Identity and Access Solutions using Azure ADCybersecurity Identity and Access Solutions using Azure AD
Cybersecurity Identity and Access Solutions using Azure AD
VICTOR MAESTRE RAMIREZ
 
Special Meetup Edition - TDX Bengaluru Meetup #52.pptx
Special Meetup Edition - TDX Bengaluru Meetup #52.pptxSpecial Meetup Edition - TDX Bengaluru Meetup #52.pptx
Special Meetup Edition - TDX Bengaluru Meetup #52.pptx
shyamraj55
 
Top 10 IT Help Desk Outsourcing Services
Top 10 IT Help Desk Outsourcing ServicesTop 10 IT Help Desk Outsourcing Services
Top 10 IT Help Desk Outsourcing Services
Infrassist Technologies Pvt. Ltd.
 
IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...
IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...
IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...
organizerofv
 
Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...
Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...
Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...
Noah Loul
 
Generative Artificial Intelligence (GenAI) in Business
Generative Artificial Intelligence (GenAI) in BusinessGenerative Artificial Intelligence (GenAI) in Business
Generative Artificial Intelligence (GenAI) in Business
Dr. Tathagat Varma
 
Big Data Analytics Quick Research Guide by Arthur Morgan
Big Data Analytics Quick Research Guide by Arthur MorganBig Data Analytics Quick Research Guide by Arthur Morgan
Big Data Analytics Quick Research Guide by Arthur Morgan
Arthur Morgan
 
ThousandEyes Partner Innovation Updates for May 2025
ThousandEyes Partner Innovation Updates for May 2025ThousandEyes Partner Innovation Updates for May 2025
ThousandEyes Partner Innovation Updates for May 2025
ThousandEyes
 
Heap, Types of Heap, Insertion and Deletion
Heap, Types of Heap, Insertion and DeletionHeap, Types of Heap, Insertion and Deletion
Heap, Types of Heap, Insertion and Deletion
Jaydeep Kale
 
TrsLabs Consultants - DeFi, WEb3, Token Listing
TrsLabs Consultants - DeFi, WEb3, Token ListingTrsLabs Consultants - DeFi, WEb3, Token Listing
TrsLabs Consultants - DeFi, WEb3, Token Listing
Trs Labs
 
Vaibhav Gupta BAML: AI work flows without Hallucinations
Vaibhav Gupta BAML: AI work flows without HallucinationsVaibhav Gupta BAML: AI work flows without Hallucinations
Vaibhav Gupta BAML: AI work flows without Hallucinations
john409870
 
Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...
Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...
Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...
BookNet Canada
 
Role of Data Annotation Services in AI-Powered Manufacturing
Role of Data Annotation Services in AI-Powered ManufacturingRole of Data Annotation Services in AI-Powered Manufacturing
Role of Data Annotation Services in AI-Powered Manufacturing
Andrew Leo
 
Mastering Advance Window Functions in SQL.pdf
Mastering Advance Window Functions in SQL.pdfMastering Advance Window Functions in SQL.pdf
Mastering Advance Window Functions in SQL.pdf
Spiral Mantra
 
Linux Professional Institute LPIC-1 Exam.pdf
Linux Professional Institute LPIC-1 Exam.pdfLinux Professional Institute LPIC-1 Exam.pdf
Linux Professional Institute LPIC-1 Exam.pdf
RHCSA Guru
 
TrsLabs - Fintech Product & Business Consulting
TrsLabs - Fintech Product & Business ConsultingTrsLabs - Fintech Product & Business Consulting
TrsLabs - Fintech Product & Business Consulting
Trs Labs
 
Quantum Computing Quick Research Guide by Arthur Morgan
Quantum Computing Quick Research Guide by Arthur MorganQuantum Computing Quick Research Guide by Arthur Morgan
Quantum Computing Quick Research Guide by Arthur Morgan
Arthur Morgan
 
Build Your Own Copilot & Agents For Devs
Build Your Own Copilot & Agents For DevsBuild Your Own Copilot & Agents For Devs
Build Your Own Copilot & Agents For Devs
Brian McKeiver
 
Semantic Cultivators : The Critical Future Role to Enable AI
Semantic Cultivators : The Critical Future Role to Enable AISemantic Cultivators : The Critical Future Role to Enable AI
Semantic Cultivators : The Critical Future Role to Enable AI
artmondano
 
Rusty Waters: Elevating Lakehouses Beyond Spark
Rusty Waters: Elevating Lakehouses Beyond SparkRusty Waters: Elevating Lakehouses Beyond Spark
Rusty Waters: Elevating Lakehouses Beyond Spark
carlyakerly1
 
Cybersecurity Identity and Access Solutions using Azure AD
Cybersecurity Identity and Access Solutions using Azure ADCybersecurity Identity and Access Solutions using Azure AD
Cybersecurity Identity and Access Solutions using Azure AD
VICTOR MAESTRE RAMIREZ
 
Special Meetup Edition - TDX Bengaluru Meetup #52.pptx
Special Meetup Edition - TDX Bengaluru Meetup #52.pptxSpecial Meetup Edition - TDX Bengaluru Meetup #52.pptx
Special Meetup Edition - TDX Bengaluru Meetup #52.pptx
shyamraj55
 
Top 10 IT Help Desk Outsourcing Services
Top 10 IT Help Desk Outsourcing ServicesTop 10 IT Help Desk Outsourcing Services
Top 10 IT Help Desk Outsourcing Services
Infrassist Technologies Pvt. Ltd.
 
IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...
IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...
IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...
organizerofv
 
Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...
Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...
Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...
Noah Loul
 
Generative Artificial Intelligence (GenAI) in Business
Generative Artificial Intelligence (GenAI) in BusinessGenerative Artificial Intelligence (GenAI) in Business
Generative Artificial Intelligence (GenAI) in Business
Dr. Tathagat Varma
 
Big Data Analytics Quick Research Guide by Arthur Morgan
Big Data Analytics Quick Research Guide by Arthur MorganBig Data Analytics Quick Research Guide by Arthur Morgan
Big Data Analytics Quick Research Guide by Arthur Morgan
Arthur Morgan
 
ThousandEyes Partner Innovation Updates for May 2025
ThousandEyes Partner Innovation Updates for May 2025ThousandEyes Partner Innovation Updates for May 2025
ThousandEyes Partner Innovation Updates for May 2025
ThousandEyes
 
Heap, Types of Heap, Insertion and Deletion
Heap, Types of Heap, Insertion and DeletionHeap, Types of Heap, Insertion and Deletion
Heap, Types of Heap, Insertion and Deletion
Jaydeep Kale
 
TrsLabs Consultants - DeFi, WEb3, Token Listing
TrsLabs Consultants - DeFi, WEb3, Token ListingTrsLabs Consultants - DeFi, WEb3, Token Listing
TrsLabs Consultants - DeFi, WEb3, Token Listing
Trs Labs
 
Vaibhav Gupta BAML: AI work flows without Hallucinations
Vaibhav Gupta BAML: AI work flows without HallucinationsVaibhav Gupta BAML: AI work flows without Hallucinations
Vaibhav Gupta BAML: AI work flows without Hallucinations
john409870
 

Why Assertion-based Access Token is preferred to Handle-based one?

  • 1. © Hitachi, Ltd. 2022. All rights reserved. Why Assertion-based Access Token is preferred to Handle-based one? APIsecure 2022 Hitachi, Ltd. Yoshiyuki Tabata Slides are available at https://www.slideshare.net/ssuserbeb7c0
  • 2. 1 © Hitachi, Ltd. 2022. All rights reserved. About the speaker • Specialist in authentication and authorization  Consulting for API management infrastructure and authentication/authorization systems in the financial, public, social, and industrial fields • Contributor to OSS related to authentication, authorization, and API management  Keycloak (IAM OSS)  3scale (API management OSS)  midPoint (IGA OSS) • Other activities  Speaker at events such as Apidays, API Specifications Conference, OAuth Security Workshop, etc.  Author of a Keycloak book (Japanese) and writer of web articles (Japanese) Yoshiyuki Tabata  Software Engineer  Hitachi, Ltd.  GitHub: @y-tabata
  • 3. 2 © Hitachi, Ltd. 2022. All rights reserved. Session Overview - In OAuth 2.0, there are 2 representations of an access token, Assertion-based access token and Handle-based access token. - They have their advantages and disadvantages from several viewpoints. Authorization Server  Organize differences between Assertion-based access token and Handle-based one  Analyze the recent trend toward Assertion-based access token is preferred  Propose a solution to disadvantages of Assertion-based access token In this session, user id scope … id Assertion-based access token is a parsable token (e.g. JWT) contains information about the user and the client Handle-based access token is a reference to internal data structure does not contain any information client id internal data structure
  • 4. © Hitachi, Ltd. 2022. All rights reserved. Contents 3 1. Differences between Assertion-based access token and Handle-based access token 2. A scenario where using Handle-based access token causes a problem 3. How to validate Assertion-based access token securely 4. A solution to disadvantages of Assertion-based access token
  • 5. © Hitachi, Ltd. 2022. All rights reserved. Contents 4 1. Differences between Assertion-based access token and Handle-based access token 2. A scenario where using Handle-based access token causes a problem 3. How to validate Assertion-based access token securely 4. A solution to disadvantages of Assertion-based access token
  • 6. 5 © Hitachi, Ltd. 2022. All rights reserved. Assertion-based access token - Assertion-based access token is a parsable token (e.g. JWT) - It contains information about the user and the client Authorization Server Access Token Resource Server Client App 1. Issue token 2. Call API 3. Validate token 4. Revoke token Point 1 The token is parsable, so if it is stolen, its contents may be leaked. Cryptographic mechanism is required to protect the contents. Point 2 The token contains information, so to validate the token, it's not mandatory to interact with the authorization server. Point 3 If the resource server doesn‘t interact with the authorization server frequently, an additional mechanism is required to notify the resource server of token revocation in the authorization server.
  • 7. 6 © Hitachi, Ltd. 2022. All rights reserved. Handle-based access token - Handle-based access token is a reference to internal data structure - It does not contain any information Authorization Server Access Token Resource Server Client App 1. Issue token 2. Call API 3. Validate token 4. Revoke token Point 1 The token is “opaque”, so even if it is stolen, any information can't be leaked. Cryptographic mechanism is not required. Point 2 The token doesn't contain information, so to validate the token, it's mandatory to interact with the authorization server. Point 3 The resource server always interacts with the authorization server, so it can notice immediately the token is revoked in the authorization server.
  • 8. 7 © Hitachi, Ltd. 2022. All rights reserved. Summary: Differences between Assertion and Handle - "OAuth 2.0 Threat Model and Security Considerations (RFC 6819)" also refers to these differences. Assertion-based access token Handle-based access token Description • a parsable token (e.g. JWT) • contains information about the user and the client • a reference to internal data structure • does not contain any information Validation • does not require interactions with the authorization server to validate the token • requires interactions with the authorization server to validate the token Performance /Scalability • better performance and scalability especially if the authorization server and the resource server reside on different systems • worse performance and scalability especially if the authorization server and the resource server reside on different systems Information leakage • requires cryptographic mechanisms to protect token content • does not require cryptographic mechanisms to protect token content Revocation • requires more difficult implementation • enables simple revocation  Many well-known IAM products, such as Keycloak, Okta, Azure AD, AWS, Ping Identity, IdentityServer, ForgeRock AM adopt Assertion-based (JWT) access token  JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens (RFC 9068)" was published in October 2021 In recent years, Assertion seems to be preferred over Handle:
  • 9. 8 © Hitachi, Ltd. 2022. All rights reserved. Summary: Differences between Assertion and Handle - "OAuth 2.0 Threat Model and Security Considerations (RFC 6819)" also refers to these differences. Assertion-based access token Handle-based access token Description • a parsable token (e.g. JWT) • contains information about the user and the client • a reference to internal data structure • does not contain any information Validation • does not require interactions with the authorization server to validate the token • requires interactions with the authorization server to validate the token Performance /Scalability • better performance and scalability especially if the authorization server and the resource server reside on different systems • worse performance and scalability especially if the authorization server and the resource server reside on different systems Information leakage • requires cryptographic mechanisms to protect token content • does not require cryptographic mechanisms to protect token content Revocation • requires more difficult implementation • enables simple revocation  One of the biggest reasons why Assertion is preferred is for performance reasons. Recently, the number of API calls grows enormous number, the interaction overheads are not ignorable even if it is a small amount at one API call.
  • 10. © Hitachi, Ltd. 2022. All rights reserved. Contents 9 1. Differences between Assertion-based access token and Handle-based access token 2. A scenario where using Handle-based access token causes a problem 3. How to validate Assertion-based access token securely 4. A solution to disadvantages of Assertion-based access token
  • 11. 10 © Hitachi, Ltd. 2022. All rights reserved. Scenario: Multiple authorization servers - If client applications use access tokens issued from multiple authorization servers,  Assertion-based tokens should be validated by verifying the signature using the public key of the proper authorization server.  Handle-based tokens should be validated by interacting with the proper authorization server. BTW, how to identify the proper authorization server? Authorization Server A Resource Server 2. Call API 3. Validate token Authorization Server B Authorization Server C 1. Issue token Client Apps
  • 12. 11 © Hitachi, Ltd. 2022. All rights reserved. Scenario: Multiple authorization servers - To identify the proper authorization server,  Assertion-based tokens include the authorization server information, so we can use it.  Handle-based tokens do not include any information, so we cannot use it.  The proper authorization server cannot be identified if Handle-based tokens, without any extension of OAuth 2.0.  There are several ways to force achieving this, but they might be unacceptable.  for example, to add an additional parameter to the API request to identify the authorization server, or to interact with all authorization servers Authorization Server A Resource Server Authorization Server B Authorization Server C ?
  • 13. 12 © Hitachi, Ltd. 2022. All rights reserved. Scenario: Multiple authorization servers - Actually, this scenario is quite common. Assertion-based token can easily cover this common scenario. This is one of the strong points. RS 1 Service 1 (small) Client Apps Since starting from small is best practice these days, there are a lot of services (sets of a resource server and an authorization server) in the company. Eventually, as some of those services grow well, there will be a need for users of other services to use the growth service as well. AS 1 RS 2 Service 2 (small) Client Apps AS 2 RS 1 Service 1 (big) Client Apps AS 1 RS 2 Service 2 (big) Client Apps AS 2 Instead of letting RS 2 interact with AS 1, it is possible to let client apps interact with AS 2, but that would require not a few modifications to a large number of third-party's client apps. So, that may not be a viable option.
  • 14. © Hitachi, Ltd. 2022. All rights reserved. Contents 13 1. Differences between Assertion-based access token and Handle-based access token 2. A scenario where using Handle-based access token causes a problem 3. How to validate Assertion-based access token securely 4. A solution to disadvantages of Assertion-based access token
  • 15. 14 © Hitachi, Ltd. 2022. All rights reserved. How to validate Assertion-based access token securely - What is the first step when validating Assertion-based token? A Check the expiration time (one of the easiest claims to validate) B Verify the signature
  • 16. 15 © Hitachi, Ltd. 2022. All rights reserved. How to validate Assertion-based access token securely - What is the first step when validating Assertion-based token? A Check the expiration time (one of the easiest claims to validate) B Verify the signature Unless the signature is verified first, the possibility cannot be denied that some claims were tampered with.
  • 17. 16 © Hitachi, Ltd. 2022. All rights reserved. How to validate Assertion-based access token securely - How to get the public key to verify the signature? A Request the public key to the authorization server indicated in issuer ("iss") claim B Some kind of check is required before processing A
  • 18. 17 © Hitachi, Ltd. 2022. All rights reserved. How to validate Assertion-based access token securely - How to get the public key to verify the signature? A Request the public key to the authorization server indicated in issuer ("iss") claim B Some kind of check is required before processing A Again, unless the signature is verified first, the possibility cannot be denied that the “iss” claim was tampered with. An attacker could tamper with the claim, direct the resource server to a fake authorization server and convince it that an unjust access token is the correct access token, so the resource server could allow an unjust API call.
  • 19. 18 © Hitachi, Ltd. 2022. All rights reserved. How to validate Assertion-based access token securely - How to get the public key to verify the signature? A Request the public key to the authorization server indicated in issuer ("iss") claim B Some kind of check is required before processing A So, some kind of check is required before processing A. For example, whitelist check, that is check whether the authz server indicated in the “iss” claim is in the whitelist or not. Even if the “iss” claim is tampered with, it can be detected when verifying the signature, because the public keys of authz servers in the whitelist cannot be tampered with.
  • 20. 19 © Hitachi, Ltd. 2022. All rights reserved. Summary: Steps to validate Assertion-based access token Resource Server Authorization Server Client App Whitelist “header” : { “kid”: …, … }, “payload”: { “iss”: …, “exp”: …, “scope”: …, “aud”: …, … }, “signature”: … ① Get the authorization server ID from the “iss” claim ② Check the authorization server is in Whitelist ③ Get the public key from the authorization server by using the “kid” claim ④ Cache the public key ⑤ Verify the signature by using the public key ⑥ Check at least the following claims of the payload • “exp” claim: the expiration time • “scope” claim: the scope the client app authorized • “aud” claim: the audience, that is, the resource server that can use this token to access control Call API Response ① ③ ④ ⑤ ⑥ ②
  • 21. 20 © Hitachi, Ltd. 2022. All rights reserved. Summary: Steps to validate Assertion-based access token Resource Server Authorization Server Client App Whitelist “header” : { “kid”: …, … }, “payload”: { “iss”: …, “exp”: …, “scope”: …, “aud”: …, … }, “signature”: … ① Get the authorization server ID from the “iss” claim ② Check the authorization server is in Whitelist ③ Get the public key from the authorization server by using the “kid” claim ④ Cache the public key ⑤ Verify the signature by using the public key ⑥ Check at least the following claims of the payload • “exp” claim: the expiration time • “scope” claim: the scope the client app authorized • “aud” claim: the audience, that is, the resource server that can use this token to access control Call API Response ① ③ ④ ⑤ ⑥ ②
  • 22. 21 © Hitachi, Ltd. 2022. All rights reserved. Summary: Steps to validate Assertion-based access token Resource Server Authorization Server Client App Whitelist “header” : { “kid”: …, … }, “payload”: { “iss”: …, “exp”: …, “scope”: …, “aud”: …, … }, “signature”: … ① Get the authorization server ID from the “iss” claim ② Check the authorization server is in Whitelist ③ Get the public key from the authorization server by using the “kid” claim ④ Cache the public key ⑤ Verify the signature by using the public key ⑥ Check at least the following claims of the payload • “exp” claim: the expiration time • “scope” claim: the scope the client app authorized • “aud” claim: the audience, that is, the resource server that can use this token to access control Call API Response ① ③ ④ ⑤ ⑥ ②
  • 23. 22 © Hitachi, Ltd. 2022. All rights reserved. Summary: Steps to validate Assertion-based access token Resource Server Authorization Server Client App Whitelist “header” : { “kid”: …, … }, “payload”: { “iss”: …, “exp”: …, “scope”: …, “aud”: …, … }, “signature”: … ① Get the authorization server ID from the “iss” claim ② Check the authorization server is in Whitelist ③ Get the public key from the authorization server by using the “kid” claim ④ Cache the public key ⑤ Verify the signature by using the public key ⑥ Check at least the following claims of the payload • “exp” claim: the expiration time • “scope” claim: the scope the client app authorized • “aud” claim: the audience, that is, the resource server that can use this token to access control Call API Response ① ③ ④ ⑤ ⑥ ②
  • 24. 23 © Hitachi, Ltd. 2022. All rights reserved. Summary: Steps to validate Assertion-based access token Resource Server Authorization Server Client App Whitelist “header” : { “kid”: …, … }, “payload”: { “iss”: …, “exp”: …, “scope”: …, “aud”: …, … }, “signature”: … ① Get the authorization server ID from the “iss” claim ② Check the authorization server is in Whitelist ③ Get the public key from the authorization server by using the “kid” claim ④ Cache the public key ⑤ Verify the signature by using the public key ⑥ Check at least the following claims of the payload • “exp” claim: the expiration time • “scope” claim: the scope the client app authorized • “aud” claim: the audience, that is, the resource server that can use this token to access control Call API Response ① ③ ④ ⑤ ⑥ ②
  • 25. 24 © Hitachi, Ltd. 2022. All rights reserved. Summary: Steps to validate Assertion-based access token Resource Server Authorization Server Client App Whitelist “header” : { “kid”: …, … }, “payload”: { “iss”: …, “exp”: …, “scope”: …, “aud”: …, … }, “signature”: … ① Get the authorization server ID from the “iss” claim ② Check the authorization server is in Whitelist ③ Get the public key from the authorization server by using the “kid” claim ④ Cache the public key ⑤ Verify the signature by using the public key ⑥ Check at least the following claims of the payload • “exp” claim: the expiration time • “scope” claim: the scope the client app authorized • “aud” claim: the audience, that is, the resource server that can use this token to access control Call API Response ① ③ ④ ⑤ ⑥ ②
  • 26. 25 © Hitachi, Ltd. 2022. All rights reserved. Summary: Steps to validate Assertion-based access token Resource Server Authorization Server Client App Whitelist “header” : { “kid”: …, … }, “payload”: { “iss”: …, “exp”: …, “scope”: …, “aud”: …, … }, “signature”: … ① Get the authorization server ID from the “iss” claim ② Check the authorization server is in Whitelist ③ Get the public key from the authorization server by using the “kid” claim ④ Cache the public key ⑤ Verify the signature by using the public key ⑥ Check at least the following claims of the payload • “exp” claim: the expiration time • “scope” claim: the scope the client app authorized • “aud” claim: the audience, that is, the resource server that can use this token to access control Call API Response ① ③ ④ ⑤ ⑥ ②
  • 27. © Hitachi, Ltd. 2022. All rights reserved. Contents 26 1. Differences between Assertion-based access token and Handle-based access token 2. A scenario where using Handle-based access token causes a problem 3. How to validate Assertion-based access token securely 4. A solution to disadvantages of Assertion-based access token
  • 28. 27 © Hitachi, Ltd. 2022. All rights reserved. Disadvantages of Assertion-based access token - Recap the characteristics of both token types  Regarding “Revocation”, it's a little complex, but there are options such as “OpenID Connect Back- Channel Logout”.  Here, focus on “Information leakage”. To protect token content, mainly there are 2 options:  Encrypt token contents  Remove user privacy information Assertion-based access token Handle-based access token Description • a parsable token (e.g. JWT) • contains information about the user and the client • a reference to internal data structure • does not contain any information Validation • does not require interactions with the authorization server to validate the token • requires interactions with the authorization server to validate the token Performance /Scalability • better performance and scalability especially if the authorization server and the resource server reside on different systems • worse performance and scalability especially if the authorization server and the resource server reside on different systems Information leakage • requires cryptographic mechanisms to protect token content • does not require cryptographic mechanisms to protect token content Revocation • requires more difficult implementation • enables simple revocation
  • 29. 28 © Hitachi, Ltd. 2022. All rights reserved. How to protect token content: Encrypt token contents - To encrypt token contents, we need to consider cryptographic technology and key management.  Encryption might be the first thing that comes up with but is a little hard to implement like the above. Authorization Server Encrypted Access Token Resource Server Client App 1. Issue token 2. Call API 3. Validate token Encrypt Decrypt Option 1: Public Key Encryption • AS encrypts with the RS's public key. • RS decrypts with the RS's private key. • AS registers and manages a public key per RS. • AS selects the proper public key when receiving an authz request. Option 2: Common Key Encryption • AS encrypts with the common key. • RS decrypts with the same common key. • AS had better manage a common key per RS. • AS selects the proper common key when receiving an authz request. -> It's possible only AS manages the common key and AS both encrypts and decrypts, but the interaction between RS and AS is mandatory in that case.
  • 30. 29 © Hitachi, Ltd. 2022. All rights reserved. How to protect token content: Remove user information - Achieve “Lightweight access token” that only includes a user identifier and does not include other user information such as private information. - This other user information is provisioned by the IDM (Identity Management) product. Authorization Server Lightweight Access Token Resource Server Client App 1. Issue token 2. Call API 3. Validate token IDM Product Only user credentials Other user information Only carries: - User identifier - Client App info (authorization info) - Other JWT info (exp, iss, ...) • While the user information linking method through access tokens at the timing of API calls is called “JIT (Just-in-Time) provisioning”, on the other hand, the provisioning method shown on the left using IDM product allows user information to be linked at arbitrary timing independently of API calls. • By using this provisioning, revocation information can also be linked, so the revocation problem of Assertion-based token might also be resolved. • cf. Keycloak is discussing Lightweight access token just now. https://github.com/keycloak/keycloak/discuss ions/9713
  • 31. 30 © Hitachi, Ltd. 2022. All rights reserved. How to protect token content: Remove user information - It is also possible to use the IGA (Identity Governance and Administration) product.  Rather than simply provisioning at arbitrary timing, by provisioning at appropriate timings such as ID life cycle and ID stocktaking, we can achieve ID governance for the entire system and build an integrated authentication system that adheres to proper compliances. Authorization Server (Keycloak) Lightweight Access Token Resource Server Client App 1. Issue token 2. Call API IGA Product (midPoint) Only user credentials Other user information IGA IDM ID life cycle management Entitlement management Policy management Workflow Access request management Access certification Fulfillment Auditing Identity analytics Reporting User management Group management Role management Password management  The integrated authentication system by Keycloak + midPoint is one of our best solutions for the case using Assertion-based access token. IGA is an extended concept of IDM
  • 32. 31 © Hitachi, Ltd. 2022. All rights reserved. Summary  We organized differences between Assertion-based access token and Handle- based one.  We analyzed the recent trend that Assertion-based access token is preferred and described the scenario where using Handle-based access token causes a problem.  We described how to validate Assertion-based access token securely.  We proposed a solution to disadvantages of Assertion-based access token, the integrated authentication system by Keycloak + midPoint. Slides are available at https://www.slideshare.net/ssuserbeb7c0
  • 33. 32 © Hitachi, Ltd. 2022. All rights reserved. Trademarks • OpenID is a trademark or registered trademark of OpenID Foundation in the United States and other countries. • GitHub is a trademark or registered trademark of GitHub, Inc. in the United States and other countries. • Other brand names and product names used in this material are trademarks, registered trademarks, or trade names of their respective holders.