Nat SakimuraResearch Fellow Nomura Research Institute, Ltd.
In the mobile-first world that we live, OAuth 2.0 as in RFC6749 and RFC6750 is the de-facto method for protecting your APIs. It is very simple to use while it is a vast improvement compared to API Key or shared password approach as far as security properties are concerned. However, it has given up some security properties as well. This session explains where the weakness of the basic OAuth exists by considering the source, destination, and message authentication as well as considering the recommendation based on the formal security analysis of ISO/IEC 9798 Standard for Entity Authentication by Basin, Cremers, and Meler. Then, explains how it can be solved using JWT Authorization Request and Sender Constrained Tokens based on the Financial API Security profile developed by OpenID Foundation’s FAPI WG and deployed in UK banks and other financial institutions elsewhere in the world. Such profile should be very useful not only for financial transactions but for other higher risk APIs.
Hi, I am Nat Sakimura. It is an honor to be able to present in front of the distinguished audience, and I am very thankful to the APIDays committee for letting it happen.
I am a Research Fellow at Nomura Research Institute, Chairman of the Board of the OpenID Foundation, and Chair of the Financial API WG among other things.
If you are in API security field, you probably heard about me because I am an author of OpenID Connect, JSON Web Token, JSON Web Signature, OAuth PKCE, etc.
OK. Now, here is the first Proposition to be discussed today:
The answer is of course “NO”. Like Mark O’Neill of Gartner spoke yesterday, Building blocks needs to be combined correctly. Just saying #oauth does not do the job.
And, to create such profile for Financial APIs, there are multiple factors that you actually have to take care of, many of which are often ignored and results in awfully insecure OAuth 2.0 implementations.