© Hitachi, Ltd. 2020. All rights reserved.
WebAuthn support for keycloak
DevConf.CZ 2020 @ Brno University of Technology, Czech Republic
Hitachi, Ltd.
OSS Solution Center
26 January 2020
Takashi Norimatsu
Self Introduction
Engaging in:
◼ providing support services about OSS.
◼ implementing and contributing promising features to OSS.
Current work:
◼ contributing WebAuthn support to keycloak.
◼ contributing Financial-grade API Security Profile support to keycloak.
Takashi Norimatsu (tnorimat in github):
OSS Solution Center, Hitachi, Ltd.
@ Yokohama, Japan
* Yokohama: the 2nd largest city in Japan by population, about 35 km south-west of Tokyo.
* keycloak: the Identity and Access Management (IAM) OSS. Its community is led by Red Hat.
Contents
1. What is WebAuthn?
2. Contribution to Keycloak
3. Use Case
1. What is WebAuthn?
1-1 Overview: WebAuthn (W3C Web Authentication)
[ Motivation: Why do we try to support WebAuthn for keycloak? ]
WebAuthn is a promising technology. Therefore, in the future it will be nothing special for IAM products to support it.
WebAuthn := a W3C standard for web-based authentication using asymmetric cryptography. It achieves password-less and multi-factor authentication and resolves the problems that arise when using password-based authentication.
[ Figure: WebAuthn Authentication UI (Windows) ]
1-2 WebAuthn - Registration
Registration := WebAuthn Relying Party (RP) registers a public key generated by the WebAuthn Authenticator and binds it with an authenticated user's ID.
[ Diagram: User/Browser, WebAuthn Authenticator, WebAuthn RP (keycloak). The Authenticator holds the vendor's private key and generates the user's private/public key pair; the RP holds the vendor's public key (vendor's certificate) and the user ID. ]
Flow:
1. WebAuthn RP authenticates the user (username/password) and obtains the user ID.
2. WebAuthn Authenticator authenticates the user locally.
3. WebAuthn Authenticator generates a key pair and binds it with the user ID.
4. WebAuthn Authenticator generates an authenticator attestation response including the user's public key and its related information, and signs it with the vendor's private key.
5. WebAuthn RP verifies the response with the vendor's public key.
6. WebAuthn RP binds the authenticated user's ID with the user's public key.
WebAuthn RP can confirm:
* The response was generated by the legitimate WebAuthn Authenticator, not tampered or forged.
* The response itself was not tampered or forged.
=> RP can trust its contents.
1-3 WebAuthn - Authentication - Multi Factor Authentication
Authentication := WebAuthn Relying Party (RP) verifies the assertion stating that the user was authenticated by the WebAuthn Authenticator, using the registered user's public key.
[ Diagram: User/Browser, WebAuthn Authenticator (holds the user's private key and the user ID (handle)), WebAuthn RP (keycloak) (holds the user ID and the user's public key). ]
Flow:
1. WebAuthn RP authenticates the user by the 1st factor (password): username/password authentication.
2. WebAuthn Authenticator authenticates the user by the 2nd factor (biometrics, e.g. fingerprint) locally.
3. WebAuthn Authenticator generates an authenticator assertion response including the user's public key ID and signs it with the user's private key.
4. WebAuthn RP verifies the response with the user's public key.
5. WebAuthn RP compares the user ID from the 1st factor authentication with the one from the 2nd factor authentication.
WebAuthn RP can confirm:
* The response itself was not tampered or forged. => RP can trust its contents.
* The user bound with the public key was authenticated by multifactor authentication.
1st authentication factor: knowledge factor, by WebAuthn RP.
2nd authentication factor: ownership factor / inherence factor, by WebAuthn Authenticator.
Note: due to the WebAuthn Authenticator's nature, its authentication factor is basically the "ownership factor".
1-4 WebAuthn - Authentication - Password-less
Authentication := WebAuthn Relying Party (RP) verifies the assertion stating that the user was authenticated by the WebAuthn Authenticator, using the registered user's public key.
[ Diagram: User/Browser, WebAuthn Authenticator (holds the user's private key and the user ID (handle)), WebAuthn RP (keycloak) (holds the user ID and the user's public key). ]
Flow:
1. The user enters the username; WebAuthn RP looks up the user ID by the username.
2. WebAuthn Authenticator authenticates the user by the 1st factor (biometrics, e.g. fingerprint) locally.
3. WebAuthn Authenticator generates an authenticator assertion response including the user's public key ID and signs it with the user's private key.
4. WebAuthn RP verifies the response with the user's public key.
5. WebAuthn RP compares the user ID it looked up with the one authenticated by the WebAuthn Authenticator.
WebAuthn RP can confirm:
* The response itself was not tampered or forged. => RP can trust its contents.
* The user bound with the public key was authenticated by password-less authentication.
1st authentication factor: ownership factor / inherence factor, by WebAuthn Authenticator.
Note: due to the WebAuthn Authenticator's nature, its authentication factor is basically the "ownership factor".
1-5 WebAuthn - Authentication - ID & Password-less
Authentication := WebAuthn Relying Party (RP) verifies the assertion stating that the user was authenticated by the WebAuthn Authenticator, using the registered user's public key.
[ Diagram: User/Browser, WebAuthn Authenticator (holds the user's private key and the user ID (handle)), WebAuthn RP (keycloak) (holds the user's public key). ]
Flow:
1. WebAuthn Authenticator authenticates the user by the 1st factor (biometrics, e.g. fingerprint) locally.
2. WebAuthn Authenticator generates an authenticator assertion response including the user's public key ID and signs it with the user's private key.
3. WebAuthn RP looks up the user's public key (by the public key ID in the response) and verifies the response with it.
WebAuthn RP can confirm:
* The response itself was not tampered or forged. => RP can trust its contents.
* The user bound with the public key was authenticated by ID & password-less authentication.
1st authentication factor: ownership factor / inherence factor, by WebAuthn Authenticator.
Note: due to the WebAuthn Authenticator's nature, its authentication factor is basically the "ownership factor".
2. Contribution to keycloak
2-1 Contribution Plan / Merged Pull-Requests
Develop
✓ Build a prototype for a feasibility study
✓ Write and submit design documents to the community to be reviewed and approved
✓ Implement WebAuthn RP's features in keycloak based on the approved design
Merged
✓ Issue pull requests to keycloak to be reviewed and approved
✓ Get them merged into keycloak
Certified
☐ Pass conformance Self-Validation Testing against keycloak
☐ Get a certificate confirming that keycloak complies with the FIDO2 2.0 Specification for Servers (managed and presented by FIDO Alliance)
Merged Pull-Requests
#  JIRA Ticket     Description                                                                     Pull Request  Included Version
1  KEYCLOAK-9360   Two factor authentication with W3C Web Authentication - WIP 1st impl phase      6248          8.0.0
2  KEYCLOAK-11743  Update to webauthn4j 0.9.14.RELEASE and add apache-kerby-asn1:2.0.0 dependency  6401          8.0.0
3  KEYCLOAK-11372  Support for attestation statement verification                                  6449          8.0.0
2-2 Design
[ Design Document ]
https://github.com/keycloak/keycloak-community/blob/master/design/web-authn-authenticator.md
Major topics (two picked up here):
◼ Verifying Attestation Statement and Authentication Assertion
• On registration, the attestation certificate should be verified.
  Need to manage trust anchor certificate sources.
• On registration and authentication, keycloak needs to verify the information returned from the Web Authentication API (e.g. navigator.credentials.create(), .get()).
  Need to choose an appropriate library to handle it.
  We adopted "webauthn4j" (https://github.com/webauthn4j/webauthn4j) as the core library; it has passed all mandatory test cases and the optional Android Key attestation test cases of the FIDO2 Test Tools provided by FIDO Alliance.
2-3 Current Status
Basic WebAuthn support has been merged and released in keycloak-8.0.0.
◼ Registration
• Settings (navigator.credentials.create(), .get() options)
  https://www.keycloak.org/docs/8.0/server_admin/index.html#managing-webauthn-as-an-administrator
• Attestation Statement Verification
  https://www.keycloak.org/docs/8.0/server_admin/index.html#attestation-statement-verification
◼ Authentication
• 2FA
  https://www.keycloak.org/docs/8.0/server_admin/index.html#setup
• Password-less
  https://www.keycloak.org/docs/8.0/server_admin/index.html#creating-a-password-less-browser-login-flow
Notes:
Whether WebAuthn's operations succeed depends on the user's WebAuthn-supporting authenticator, browser and platform.
2-4 In the Future
◼ Account Recovery
  If my smart device (WebAuthn Authenticator) has been lost ...
  https://fidoalliance.org/recommended-account-recovery-practices/
◼ Registration Acceptance Control based on various kinds of criteria
  The admin wants to accept only WebAuthn Authenticators that have the capability of authentication by fingerprint.
  The admin wants to accept only WebAuthn Authenticators for which no vulnerability has been reported.
  ⇒ Metadata Statement from the FIDO Alliance Metadata Service (MDS)
  https://fidoalliance.org/metadata/
◼ Authentication Acceptance Control based on various kinds of criteria
  The admin wants to accept only the result of authentication by a biometric factor.
  ⇒ WebAuthn Extension: User Verification Method Extension (uvm)
  https://www.w3.org/TR/webauthn/#sctn-uvm-extension
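How the two acceptance controls above could be evaluated, as an added example in JavaScript; this is not code from the slides or keycloak. The metadata entries are constructed and use a deliberately simplified shape whose field names are this example's own; only the status strings follow the FIDO MDS AuthenticatorStatus names, and the uvm bit values for fingerprint, passcode and faceprint are the FIDO registry USER_VERIFY constants. Registration is accepted only for an authenticator model that can verify users by fingerprint and whose latest status report does not record a vulnerability or compromise; authentication is accepted only when the uvm extension output shows that a biometric method was used.

```javascript
// Constructed, simplified metadata entries keyed by AAGUID. The field names are this example's own;
// only the status strings follow the FIDO MDS AuthenticatorStatus names.
const METADATA = new Map([
  ['11111111-0000-4000-8000-000000000001', {
    description: 'Constructed fingerprint security key',
    userVerificationMethods: ['fingerprint_internal', 'presence_internal'],
    statusReports: [{ status: 'FIDO_CERTIFIED', effectiveDate: '2019-03-01' }],
  }],
  ['22222222-0000-4000-8000-000000000002', {
    description: 'Constructed PIN-only security key',
    userVerificationMethods: ['passcode_internal', 'presence_internal'],
    statusReports: [{ status: 'FIDO_CERTIFIED', effectiveDate: '2018-06-01' }],
  }],
  ['33333333-0000-4000-8000-000000000003', {
    description: 'Constructed fingerprint key with a later reported issue',
    userVerificationMethods: ['fingerprint_internal'],
    statusReports: [
      { status: 'FIDO_CERTIFIED', effectiveDate: '2018-01-01' },
      { status: 'USER_VERIFICATION_BYPASS', effectiveDate: '2019-09-01' },
    ],
  }],
]);

// Status values meaning a vulnerability or compromise has been reported for the model.
const REPORTED_STATUSES = new Set(['USER_VERIFICATION_BYPASS', 'ATTESTATION_KEY_COMPROMISE',
  'USER_KEY_REMOTE_COMPROMISE', 'USER_KEY_PHYSICAL_COMPROMISE', 'REVOKED']);

// Registration acceptance control: decide from the model's metadata whether the admin's criteria hold.
// Returns { ok, reason } so the caller can log why a registration was refused.
function acceptRegistration(aaguid, policy = { requireFingerprint: true, rejectReported: true }) {
  const md = METADATA.get(aaguid);
  if (!md) return { ok: false, reason: 'no metadata statement for this AAGUID' };
  if (policy.requireFingerprint && !md.userVerificationMethods.includes('fingerprint_internal'))
    return { ok: false, reason: 'authenticator cannot verify users by fingerprint' };
  // Status reports form a timeline; the most recent one is what counts.
  const latest = [...md.statusReports].sort((a, b) => a.effectiveDate.localeCompare(b.effectiveDate)).pop();
  if (policy.rejectReported && REPORTED_STATUSES.has(latest.status))
    return { ok: false, reason: `vulnerability reported for this model: ${latest.status}` };
  return { ok: true, reason: md.description };
}

// uvm extension output: an array of [userVerificationMethod, keyProtectionType, matcherProtectionType]
// entries; userVerificationMethod is a bit mask using the FIDO registry USER_VERIFY_* values.
const UV_FINGERPRINT = 0x02, UV_PASSCODE = 0x04, UV_FACEPRINT = 0x10;
const BIOMETRIC_METHODS = UV_FINGERPRINT | UV_FACEPRINT;

// Authentication acceptance control: accept only if some reported method was a biometric one.
function acceptAuthentication(uvmOutput) {
  if (!Array.isArray(uvmOutput) || uvmOutput.length === 0)
    return { ok: false, reason: 'authenticator did not return the uvm extension' };
  const usedBiometric = uvmOutput.some(([method]) => (method & BIOMETRIC_METHODS) !== 0);
  return usedBiometric
    ? { ok: true, reason: 'biometric user verification reported' }
    : { ok: false, reason: 'only non-biometric user verification reported' };
}
```

The registration check only means something if the AAGUID was taken from attested credential data whose attestation was verified (the 1-2 flow); an unverified AAGUID is just a claim by whoever built the response.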
3. Use Case
3-1 Financial-grade API (FAPI) Security Profile
[ What's FAPI? ]
An OAuth 2.0 security profile for APIs intended for financial institutions.
[ Motivation: Why do we try it? ]
We would like to apply keycloak in the financial sector, which requires a high security level for APIs.
In Japan...
◆ The revised Banking Act was published in Jun 2017 to promote APIs. Similar to PSD2 in the EU.
◆ 83% of banks (114 banks) answered that they will open APIs by Jun 2020 (*).
◆ OAuth 2.0 is recognized as a key technology to secure APIs. FAPI is also being required.
In the UK...
◆ The UK Open Banking security profile is based on FAPI.
  (https://bitbucket.org/openid/obuk/src/master/uk-openbanking-security-profile.md)
(*) Based on a survey by the Japanese Bankers Association as of Dec 2017. Quoted from the report about open APIs by the Japanese Bankers Association: https://www.zenginkyo.or.jp/fileadmin/res/news/news290713_3.pdf
3-2 FAPI Flow for the first API Access
[ Diagram: User/Browser, Client App, Authz Server, API Server ]
[Phase]
1. Authz Code Request (Client App -> Authz Server, via browser redirect)
2. User Authentication (User Consent)
3. Authz Code Response (Authz Server -> Client App, via browser redirect; carries the authz code)
4. Token Request (Client Authentication) (Client App -> Authz Server; the authz code is exchanged for an access token)
5. API Access (Client App -> API Server, with the access token)
FAPI Flow for the first API Access: based on and complies with the OAuth 2.0 Authorization Code Grant and the OIDC Hybrid Flow.
Phases 3 and 5 are required in this flow, but are out of scope of the OAuth 2.0 Authorization Code Grant and the OIDC Hybrid Flow. Instead, FAPI describes its own security requirements for phases 3 and 5.
Authz Code Request / Response: Client App receives the authz code indicating that a user was authenticated and authorized the API access to Client App within the determined scope.
Token Request / Response: In return for the authz code, Client App receives an access token which has the right to access the API within the determined scope.
3-3 FAPI : Highly Credible User Authentication
[ Diagram: User/Browser, Client App, Authz Server, API Server; phases 1 and 3 pass through the browser by redirect ]
[What FAPI checks in each phase]
1. Authz Code Request
* Request not tampered.
* Request generated by legitimate Client App.
2. User Authentication (User Consent)
* User authenticated by highly credible way.
3. Authz Code Response
* Response not tampered.
* Response generated by legitimate Authz Server.
4. Token Request (Client Authentication)
* Client App authenticated by highly credible way.
* Token received by legitimate Client App.
5. API Access
* Token exercised by legitimate Client App.
3-4 FAPI : Highly Credible User Authentication
MFA by WebAuthn
USE CASE: Using keycloak as Authz Server for securing APIs providing financial services to customers. It needs to satisfy a high security level.
[Phase] 2. User Authentication (User Consent)
[ Diagram: User/Browser, WebAuthn Authenticator (holds the user's private key and the user ID (handle)), Authz Server (keycloak) (holds the user ID and the user's public key). ]
Flow:
1. keycloak authenticates the user by the 1st factor (password): username/password authentication, and obtains the user's consent.
2. WebAuthn Authenticator authenticates the user by the 2nd factor (biometrics, e.g. fingerprint) locally.
3. WebAuthn Authenticator generates an authenticator assertion response including the user's public key ID and signs it with the user's private key.
4. keycloak verifies the response with the user's public key.
5. keycloak compares the user ID from the 1st factor authentication with the one from the 2nd factor authentication.
keycloak can confirm: the user was authenticated by multifactor authentication.
Notes:
* The user's public key needs to be registered in keycloak in advance in WebAuthn's manner (Registration).
* FAPI does not require WebAuthn itself. FAPI requires Level of Assurance (LoA) 3 defined in ITU-T X.1254 (in short, MFA). WebAuthn is a promising candidate for satisfying it.
* Due to the WebAuthn Authenticator's nature, its authentication factor is basically the "ownership factor".
Concluding Remarks
✓ WebAuthn is a promising technology for Password-less and Multi-Factor Authentication.
✓ Basic WebAuthn support for keycloak has been contributed, but there is still a lot to do in the future.
✓ A possible use case of WebAuthn is securing APIs providing financial services under the FAPI security profile.
END
Trademarks
• FIDO is a trademark or registered trademark of FIDO Alliance, Inc. in the
United States and other countries.
• GitHub is a trademark or registered trademark of GitHub, Inc. in the United
States and other countries.
• Red Hat is a trademark or registered trademark of Red Hat, Inc. in the United
States and other countries.
• Other brand names and product names used in this material are trademarks,
registered trademarks, or trade names of their respective holders.
Challenge to Implementing "Scalable" Authorization with Keycloak
 
NGINXでの認可について考える
NGINXでの認可について考えるNGINXでの認可について考える
NGINXでの認可について考える
 
Security Considerations for API Gateway Aggregation
Security Considerations for API Gateway AggregationSecurity Considerations for API Gateway Aggregation
Security Considerations for API Gateway Aggregation
 
KeycloakでFAPIに対応した高セキュリティなAPIを公開する
KeycloakでFAPIに対応した高セキュリティなAPIを公開するKeycloakでFAPIに対応した高セキュリティなAPIを公開する
KeycloakでFAPIに対応した高セキュリティなAPIを公開する
 
IDガバナンス&管理の基礎
IDガバナンス&管理の基礎IDガバナンス&管理の基礎
IDガバナンス&管理の基礎
 
Keycloakのステップアップ認証について
Keycloakのステップアップ認証についてKeycloakのステップアップ認証について
Keycloakのステップアップ認証について
 
NGINXをBFF (Backend for Frontend)として利用した話
NGINXをBFF (Backend for Frontend)として利用した話NGINXをBFF (Backend for Frontend)として利用した話
NGINXをBFF (Backend for Frontend)として利用した話
 
KeycloakでAPI認可に入門する
KeycloakでAPI認可に入門するKeycloakでAPI認可に入門する
KeycloakでAPI認可に入門する
 
Overall pictures of Identity provider mix-up attack patterns and trade-offs b...
Overall pictures of Identity provider mix-up attack patterns and trade-offs b...Overall pictures of Identity provider mix-up attack patterns and trade-offs b...
Overall pictures of Identity provider mix-up attack patterns and trade-offs b...
 
Node-RED Installer, Standalone Installer using Electron
Node-RED Installer, Standalone Installer using ElectronNode-RED Installer, Standalone Installer using Electron
Node-RED Installer, Standalone Installer using Electron
 
Hacktoberfest 概要、Node-REDプロジェクト貢献手順
Hacktoberfest 概要、Node-REDプロジェクト貢献手順Hacktoberfest 概要、Node-REDプロジェクト貢献手順
Hacktoberfest 概要、Node-REDプロジェクト貢献手順
 
最近のKeycloakのご紹介 ~クライアントポリシーとFAPI~
最近のKeycloakのご紹介 ~クライアントポリシーとFAPI~最近のKeycloakのご紹介 ~クライアントポリシーとFAPI~
最近のKeycloakのご紹介 ~クライアントポリシーとFAPI~
 
Node-RED v2.0新機能紹介
Node-RED v2.0新機能紹介Node-RED v2.0新機能紹介
Node-RED v2.0新機能紹介
 
Node-REDからREST APIに接続
Node-REDからREST APIに接続Node-REDからREST APIに接続
Node-REDからREST APIに接続
 
Node-RED v1.3新機能紹介
Node-RED v1.3新機能紹介Node-RED v1.3新機能紹介
Node-RED v1.3新機能紹介
 
社会のコードを、書き換えよう~エンジニア起点のNew Normalな働き方~
社会のコードを、書き換えよう~エンジニア起点のNew Normalな働き方~社会のコードを、書き換えよう~エンジニア起点のNew Normalな働き方~
社会のコードを、書き換えよう~エンジニア起点のNew Normalな働き方~
 

Dernier

Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Steffen Staab
 
The Guide to Integrating Generative AI into Unified Continuous Testing Platfo...
The Guide to Integrating Generative AI into Unified Continuous Testing Platfo...The Guide to Integrating Generative AI into Unified Continuous Testing Platfo...
The Guide to Integrating Generative AI into Unified Continuous Testing Platfo...kalichargn70th171
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Modelsaagamshah0812
 
Azure_Native_Qumulo_High_Performance_Compute_Benchmarks.pdf
Azure_Native_Qumulo_High_Performance_Compute_Benchmarks.pdfAzure_Native_Qumulo_High_Performance_Compute_Benchmarks.pdf
Azure_Native_Qumulo_High_Performance_Compute_Benchmarks.pdfryanfarris8
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...ICS
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVshikhaohhpro
 
AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM TechniquesAI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM TechniquesVictorSzoltysek
 
VTU technical seminar 8Th Sem on Scikit-learn
VTU technical seminar 8Th Sem on Scikit-learnVTU technical seminar 8Th Sem on Scikit-learn
VTU technical seminar 8Th Sem on Scikit-learnAmarnathKambale
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsAlberto González Trastoy
 
5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdfWave PLM
 
Diamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionDiamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionSolGuruz
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comFatema Valibhai
 
Define the academic and professional writing..pdf
Define the academic and professional writing..pdfDefine the academic and professional writing..pdf
Define the academic and professional writing..pdfPearlKirahMaeRagusta1
 
AI & Machine Learning Presentation Template
AI & Machine Learning Presentation TemplateAI & Machine Learning Presentation Template
AI & Machine Learning Presentation TemplatePresentation.STUDIO
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxComplianceQuest1
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsJhone kinadey
 
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...OnePlan Solutions
 
10 Trends Likely to Shape Enterprise Technology in 2024
10 Trends Likely to Shape Enterprise Technology in 202410 Trends Likely to Shape Enterprise Technology in 2024
10 Trends Likely to Shape Enterprise Technology in 2024Mind IT Systems
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfkalichargn70th171
 

Dernier (20)

Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
 
The Guide to Integrating Generative AI into Unified Continuous Testing Platfo...
The Guide to Integrating Generative AI into Unified Continuous Testing Platfo...The Guide to Integrating Generative AI into Unified Continuous Testing Platfo...
The Guide to Integrating Generative AI into Unified Continuous Testing Platfo...
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Models
 
Azure_Native_Qumulo_High_Performance_Compute_Benchmarks.pdf
Azure_Native_Qumulo_High_Performance_Compute_Benchmarks.pdfAzure_Native_Qumulo_High_Performance_Compute_Benchmarks.pdf
Azure_Native_Qumulo_High_Performance_Compute_Benchmarks.pdf
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTV
 
AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM TechniquesAI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
 
VTU technical seminar 8Th Sem on Scikit-learn
VTU technical seminar 8Th Sem on Scikit-learnVTU technical seminar 8Th Sem on Scikit-learn
VTU technical seminar 8Th Sem on Scikit-learn
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
 
5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf
 
Diamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionDiamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with Precision
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.com
 
Define the academic and professional writing..pdf
Define the academic and professional writing..pdfDefine the academic and professional writing..pdf
Define the academic and professional writing..pdf
 
AI & Machine Learning Presentation Template
AI & Machine Learning Presentation TemplateAI & Machine Learning Presentation Template
AI & Machine Learning Presentation Template
 
Microsoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdfMicrosoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdf
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docx
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial Goals
 
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
 
10 Trends Likely to Shape Enterprise Technology in 2024
10 Trends Likely to Shape Enterprise Technology in 202410 Trends Likely to Shape Enterprise Technology in 2024
10 Trends Likely to Shape Enterprise Technology in 2024
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
 

DevConf.CZ 2020 @ Brno, Czech Republic : WebAuthn support for keycloak

  • 1. © Hitachi, Ltd. 2020. All rights reserved.
    WebAuthn support for keycloak
    DevConf.CZ 2020 @ Brno University of Technology, Czech Republic
    Hitachi, Ltd. OSS Solution Center, 26 January 2020, Takashi Norimatsu
  • 2. Self Introduction
    Takashi Norimatsu (tnorimat in github): OSS Solution Center, Hitachi, Ltd. @ Yokohama, Japan
    Engaging in:
    ◼ providing support services about OSS.
    ◼ implementing and contributing promising features to OSS.
    The current works:
    - contributing WebAuthn support to keycloak.
    - contributing Financial-grade API Security Profile support to keycloak.
    * Yokohama: the 2nd largest city in Japan by population, about 35 km south-west of Tokyo.
    * keycloak: the Identity and Access Management (IAM) OSS. Its community is led by Red Hat.
  • 3. Contents
    1. What is WebAuthn?
    2. Contribution to Keycloak
    3. Use Case
  • 4. 1. What is WebAuthn?
  • 5. 1-1 Overview: WebAuthn (W3C Web Authentication)
    WebAuthn := a web-based authentication standard by W3C that uses asymmetric cryptography. It achieves password-less and multi-factor authentication, resolving the problems that arise with password-based authentication.
    [ Motivation: why we try to support WebAuthn for keycloak? ]
    WebAuthn is a promising technology. Therefore, it will be nothing special for IAM products to support it in the future.
    < WebAuthn Authentication UI (Windows) >
  • 6. 1-2 WebAuthn - Registration
    Registration := the WebAuthn Relying Party (RP) registers a public key generated by the WebAuthn Authenticator and binds it to an authenticated user's ID.
    Actors: User/Browser, WebAuthn Authenticator, WebAuthn RP (keycloak).
    1. WebAuthn RP authenticates the user (username/password) and obtains the user ID.
    2. WebAuthn Authenticator authenticates the user locally, generates a key pair and binds it to the user ID.
    3. WebAuthn Authenticator generates the authenticator attestation response, including the user's public key and its related information, and signs it with the vendor's private key.
    4. WebAuthn RP verifies the response with the vendor's public key (from the vendor's certificate) and binds the user ID to the user's public key.
    WebAuthn RP can confirm:
    * The response was generated by a legitimate WebAuthn Authenticator, not tampered with or forged.
    * The response itself was not tampered with or forged.
    => RP can trust its contents.
  • 7. 1-3 WebAuthn - Authentication - Multi-Factor Authentication
    Authentication := the WebAuthn Relying Party (RP) verifies, with the registered user's public key, the assertion stating that the user was authenticated by the WebAuthn Authenticator.
    Due to the WebAuthn Authenticator's nature, its authentication factor is basically the "ownership factor".
    1. WebAuthn RP authenticates the user by the 1st factor (username/password) and obtains the user ID.
    2. WebAuthn Authenticator authenticates the user by the 2nd factor (biometrics, e.g. fingerprint) locally, generates the authenticator assertion response including the user's public key ID, and signs it with the user's private key.
    3. WebAuthn RP verifies the response with the user's public key and compares the user ID from the 1st-factor authentication with the one (user handle) from the 2nd-factor authentication.
    WebAuthn RP can confirm:
    * The response itself was not tampered with or forged. => RP can trust its contents.
    * The user bound to the public key was authenticated by multi-factor authentication.
    1st authentication factor: knowledge factor, by the WebAuthn RP.
    2nd authentication factor: ownership factor / inherence factor, by the WebAuthn Authenticator.
  • 8. 1-4 WebAuthn - Authentication - Password-less Authentication
    Authentication := the WebAuthn Relying Party (RP) verifies, with the registered user's public key, the assertion stating that the user was authenticated by the WebAuthn Authenticator.
    Due to the WebAuthn Authenticator's nature, its authentication factor is basically the "ownership factor".
    1. The user enters a username; WebAuthn RP looks up the user ID.
    2. WebAuthn Authenticator authenticates the user by the 1st factor (biometrics, e.g. fingerprint) locally, generates the authenticator assertion response including the user's public key ID, and signs it with the user's private key.
    3. WebAuthn RP verifies the response with the user's public key and compares the looked-up user ID with the one (user handle) authenticated by the WebAuthn Authenticator.
    WebAuthn RP can confirm:
    * The response itself was not tampered with or forged. => RP can trust its contents.
    * The user bound to the public key was authenticated by password-less authentication.
    1st authentication factor: ownership factor / inherence factor, by the WebAuthn Authenticator.
  • 9. 1-5 WebAuthn - Authentication - ID & Password-less Authentication
    Authentication := the WebAuthn Relying Party (RP) verifies, with the registered user's public key, the assertion stating that the user was authenticated by the WebAuthn Authenticator.
    Due to the WebAuthn Authenticator's nature, its authentication factor is basically the "ownership factor".
    1. WebAuthn Authenticator authenticates the user by the 1st factor (biometrics, e.g. fingerprint) locally, generates the authenticator assertion response including the user's public key ID, and signs it with the user's private key.
    2. WebAuthn RP looks up the user's public key by the user ID (handle) in the response and verifies the response with it.
    WebAuthn RP can confirm:
    * The response itself was not tampered with or forged. => RP can trust its contents.
    * The user bound to the public key was authenticated by ID & password-less authentication.
    1st authentication factor: ownership factor / inherence factor, by the WebAuthn Authenticator.
  • 10. 2. Contribution to keycloak
  • 11. 2-1 Contribution Plan / Merged Pull-Requests
    Develop
    ✓ Build a prototype for a feasibility study
    ✓ Write and submit design documents to the community to be reviewed and approved
    ✓ Implement the WebAuthn RP's features in keycloak based on the approved design
    Merged
    ✓ Issue pull requests to keycloak to be reviewed and approved
    ✓ Get them merged into keycloak
    Certified
    - Pass conformance Self-Validation Testing against keycloak
    - Get a certificate confirming that keycloak complies with the FIDO2 2.0 Specification for Servers (managed and presented by the FIDO Alliance)
    Merged Pull-Requests:
    # | JIRA Ticket | Description | Pull Request | Included Version
    1 | KEYCLOAK-9360 | Two factor authentication with W3C Web Authentication - WIP 1st impl phase | 6248 | 8.0.0
    2 | KEYCLOAK-11743 | Update to webauthn4j 0.9.14.RELEASE and add apache-kerby-asn1:2.0.0 dependency | 6401 | 8.0.0
    3 | KEYCLOAK-11372 | Support for attestation statement verification | 6449 | 8.0.0
  • 12. 2-2 Design
    [ Design Document ]
    https://github.com/keycloak/keycloak-community/blob/master/design/web-authn-authenticator.md
    Major topics (two picked up here):
    - Verifying Attestation Statement and Authentication Assertion
      • On registration, an attestation certificate should be verified. Need to manage trust anchor certificate sources.
      • On registration and authentication, keycloak needs to verify the information returned from the Web Authentication API (e.g. navigator.credentials.create(), .get()). Need to choose an appropriate library to handle it.
    We adopted "webauthn4j" (https://github.com/webauthn4j/webauthn4j) as the core library; it has passed all mandatory test cases and the optional Android Key attestation test cases of the FIDO2 Test Tools provided by the FIDO Alliance.
  • 13. 2-3 Current Status
    Basic WebAuthn support has been merged and released in keycloak-8.0.0.
    - Registration
      • Settings (navigator.credentials.create(), .get() options)
        https://www.keycloak.org/docs/8.0/server_admin/index.html#managing-webauthn-as-an-administrator
      • Attestation Statement Verification
        https://www.keycloak.org/docs/8.0/server_admin/index.html#attestation-statement-verification
    - Authentication
      • 2FA
        https://www.keycloak.org/docs/8.0/server_admin/index.html#setup
      • Password-less
        https://www.keycloak.org/docs/8.0/server_admin/index.html#creating-a-password-less-browser-login-flow
    Notes: whether WebAuthn's operations succeed depends on the user's WebAuthn-supporting authenticator, browser and platform.
  • 14. 2-4 In the Future
    - Account Recovery
      If my smart device (WebAuthn Authenticator) has been lost ...
      https://fidoalliance.org/recommended-account-recovery-practices/
    - Registration Acceptance Control based on various kinds of criteria
      The admin wants to accept only WebAuthn Authenticators that have the capability of authentication by fingerprint.
      The admin wants to accept only WebAuthn Authenticators for which no vulnerability is reported.
      ⇒ Metadata Statement from the FIDO Alliance Metadata Service (MDS)
      https://fidoalliance.org/metadata/
    - Authentication Acceptance Control based on various kinds of criteria
      The admin wants to accept only the result of authentication by a biometrics factor.
      ⇒ WebAuthn Extension: User Verification Method Extension (uvm)
      https://www.w3.org/TR/webauthn/#sctn-uvm-extension
  • 15. 3. Use Case
  • 16. 3-1 Financial-grade API (FAPI) Security Profile
    [ What's FAPI? ]
    OAuth 2.0's security profile of APIs intended for financial institutes.
    [ Motivation: why we try it? ]
    We would like to apply keycloak in the financial sector, which requires a high security level for APIs.
    In Japan...
    ◆ The revised banking act was published in Jun 2017 to promote APIs. Similar to PSD2 in the EU.
    ◆ 83% of banks (114 banks) answered that they will open APIs by Jun 2020 (*).
    ◆ OAuth 2.0 is recognized as a key technology to secure APIs. FAPI is also being required.
    In the UK...
    ◆ The UK OpenBanking security profile is based on FAPI. (https://bitbucket.org/openid/obuk/src/master/uk-openbanking-security-profile.md)
    (*) Based on a survey by the Japanese Bankers Association as of Dec 2017. Quoted from the report about open API by the Japanese Bankers Association: https://www.zenginkyo.or.jp/fileadmin/res/news/news290713_3.pdf
  • 17. 3-2 FAPI Flow for the first API Access
    Actors: User/Browser, Client App, Authz Server, API Server.
    [Phase]
    1. Authz Code Request (redirect via User/Browser)
    2. User Authentication (User Consent)
    3. Authz Code Response (redirect via User/Browser) : authz code
    4. Token Request (Client Authentication) : authz code in, access token out
    5. API Access : access token
    FAPI Flow for the first API Access: based on and complies with OAuth 2.0 Authorization Code Grant and OIDC Hybrid Flow. Phases 3 and 5 are required in this flow but are out of scope of OAuth 2.0 Authorization Code Grant and OIDC Hybrid Flow; instead, FAPI describes its own security requirements for phases 3 and 5.
    Authz Code Request / Response: Client App receives the authz code indicating that a user was authenticated and authorized the API access to Client App in the range of the determined scope.
    Token Request / Response: In return for the authz code, Client App receives an access token which has the right to access the API in the range of the determined scope.
  • 18. 3-3 FAPI: Highly Credible User Authentication
    [What FAPI checks in each phase]
    1. Authz Code Request: * Request not tampered. * Request generated by a legitimate Client App.
    2. User Authentication (User Consent): * User authenticated in a highly credible way.
    3. Authz Code Response: * Response not tampered. * Response generated by a legitimate Authz Server.
    4. Token Request (Client Authentication): * Client App authenticated in a highly credible way. * Token received by a legitimate Client App.
    5. API Access: * Token exercised by a legitimate Client App.
  • 19. 3-4 FAPI: Highly Credible User Authentication - MFA by WebAuthn
    USE CASE: Using keycloak as the Authz Server for securing APIs providing financial services to customers. It needs to satisfy a high security level.
    FAPI does not require WebAuthn itself. FAPI requires Level of Assurance (LoA) 3 defined in ITU-T X.1254 (to say it shortly, MFA). WebAuthn is a promising candidate satisfying it.
    [Phase] 2. User Authentication (User Consent), with keycloak as the WebAuthn RP:
    - keycloak authenticates the user by the 1st factor (username/password) and obtains the user ID.
    - WebAuthn Authenticator authenticates the user by the 2nd factor (biometrics, fingerprint) locally, generates the authenticator assertion response including the user's public key ID, and signs it with the user's private key.
    - keycloak verifies it with the user's public key and compares the user ID from the 1st-factor authentication with the one (user handle) from the 2nd-factor authentication, then obtains the user's consent.
    keycloak can confirm: the user was authenticated by multi-factor authentication.
    Need to register the user's public key in keycloak in advance in WebAuthn's manner (Registration).
    Due to the WebAuthn Authenticator's nature, its authentication factor is basically the "ownership factor".
  • 20. Concluding Remarks
    ✓ WebAuthn is a promising technology for password-less and multi-factor authentication.
    ✓ Basic WebAuthn support for keycloak has been contributed, but there is still a lot to do in the future.
    ✓ A possible use case of WebAuthn is securing APIs providing financial services with the FAPI security profile.
  • 21. END
    WebAuthn support for keycloak, DevConf.CZ 2020 @ Brno University of Technology, Czech Republic
    Takashi Norimatsu, Hitachi, Ltd. OSS Solution Center, 26 January 2020
  • 22. Trademarks
    • FIDO is a trademark or registered trademark of FIDO Alliance, Inc. in the United States and other countries.
    • GitHub is a trademark or registered trademark of GitHub, Inc. in the United States and other countries.
    • Red Hat is a trademark or registered trademark of Red Hat, Inc. in the United States and other countries.
    • Other brand names and product names used in this material are trademarks, registered trademarks, or trade names of their respective holders.