OAuth SIG (OAuth : Special Interest Group)

Ex FAPI-SIG (Financial-grade API Security : Special Interest Group)

Overview

FAPI-SIG is a group whose activity is mainly supporting Financial-grade API (FAPI) and its related specifications to keycloak.

FAPI-SIG is open to everybody so that anyone can join it anytime. Nothing special need not to be done to join it. Who want to join it can only access to the communication channels shown below. All of its activities and outputs are public so that anyone can access them.

FAPI-SIG mainly treats FAPI and its related specifications but not limited to. E.g., Ecosystems employing FAPI for their API Security like UK OpenBanking, Open Banking Brasil and Australia Consumer Data Right (CDR).

Since June 2023, FAPI-SIG is evolved into OAuth SIG. OAuth SIG will mainly treats OAuth/OIDC and its related security features like FAPI 2.0 to Keycloak.

Scope

Supporting OAuth/OIDC and its related security features to Keycloak.

Roles

Tech Lead : Takashi Norimatsu

Members

Please refer to the list.

Goals

Currently, proposed goals are as follows.

OAuth and OIDC related security features

• OAuth 2.0 Rich Authorization Requests (RAR)

• OpenID for Verifiable Credential Issuance

Nation/Region/Market Specific Features

• EU : PSD2/eIDAS - QWAC Verification Extension

Open Works

Currently, proposed open works are as follows.

• Integrating FAPI conformance tests run into keycloak’s CI/CD pipeline

• Implement security profiles for Apps run on mobile devices

  • RFC 8252 OAuth 2.0 for Native Apps
  • OAuth 2.0 for Browser-Based Apps

• FAPI-RW App2App

Contributions

FAPI related accomplishments by FAPI-SIG and OAuth SIG, other contributors and keycloak development team is as follows.​

Common Security Features

keycloak 14

• Client Policies​

keycloak 24

• Lightweight Access Token
• OAuth Grant Type SPI

Nation/Region/Market Specific Features

keycloak 15

• Brazil : Open Banking Brasil Financial-grade API Security Profile

  mainly by keycloak development team.

Standards​

keycloak 13

• Client Initiated Backchannel Authentication (CIBA) poll mode​

keycloak 14

• FAPI 1.0 Baseline Security Profile​
• FAPI 1.0 Advanced Security Profile​

keycloak 15

• Client Initiated Backchannel Authentication (CIBA) ping mode​

  mainly by keycloak development team.

• FAPI JWT Secured Authorization Response Mode for OAuth 2.0 (JARM)​

  mainly by the contributor outside FAPI-SIG.

• FAPI Client Initiated Backchannel Authentication Profile (FAPI-CIBA)​

• RFC 9126 OAuth 2.0 Pushed Authorization Requests (PAR)

keycloak 18

• OpenID Connect Logout 1.0 for Logout Profiles

  mainly by keycloak development team and the contributor outside FAPI-SIG.

keycloak 20

• UK OpenBanking​ Security Profile

keycloak 23

• RFC 9207 OAuth 2.0 Authorization Server Issuer Identification
• RFC 9449 OAuth 2.0 Demonstrating Proof of Possession (DPoP)
• FAPI 2.0 Security Profile Second Implementer’s Draft
• FAPI 2.0 Message Signing First Implementer’s Draft

keycloak 24

• RFC 8032 Edwards-Curve Digital Signature Algorithm (EdDSA)
• The OAuth 2.1 Authorization Framework - Draft version 10

In progress

OpenID for Verifiable Credentials

Format

• Selective Disclosure for JWTs (SD-JWT)
• SD-JWT-based Verifiable Credentials (SD-JWT VC)
• JWT VC
• W3C Verfiable Credentials Data Format(VCDM)

Issurance Protocol

• OpenID for Verifiable Credential Issuance

Other OpenID Connect Extension

• OpenID Connect for Identity Assurance 1.0

Automated Conformance Test Run Environment by this kc-fapi-sig repository

The current environment uses the following software version.

• Keycloak version : 24.0.34
• Conformance-suite version : release-v5.1.16

FAPI 1.0 Advanced (Final)​

• Client Authentication Method : MTLS, private_key_jwt​
• Signature Algorithm : PS256, ES256​
• Request Object Method : plain, PAR​
• Response Mode : plain, JARM​

Keycloak 15.0.2 have achieved certification for all 8 conformance profiles of FAPI 1 Advanced Final (Generic).

FAPI-CIBA (Implementer’s Draft)​

• Client Authentication Method : MTLS, private_key_jwt​
• Signature Algorithm : PS256, ES256​
• Mode : Poll, Ping

Keycloak 15.0.2 have achieved certification for all 4 conformance profiles of Financial-grade API Client Initiated Backchannel Authentication Profile (FAPI-CIBA).

Open Banking Brasil FAPI 1.0

• Client Authentication Method : MTLS, private_key_jwt​
• Signature Algorithm : PS256
• Request Object Method : plain, PAR​
• Response Mode : plain, JARM​

Keycloak 15.0.2 have achieved certification for 8 conformance profiles of Brazil Open Banking (Based on FAPI 1 Advanced Final) except for DCR (Dynamic Client Registration).

Open Finance Brasil FAPI 1.0 (Open Banking Brasil FAPI 1.0 was evolved)

• Client Authentication Method : private_key_jwt​
• Signature Algorithm : PS256
• Request Object Method : PAR​
• Response Mode : plain
• ID token encryption : required

Australia Consumer Data Right (CDR)

• Client Authentication Method : private_key_jwt​
• Signature Algorithm : PS256
• Request Object Method : plain, PAR​
• Response Mode : plain

Keycloak 15.0.2 have achieved certification for all 2 conformance profiles of Australia CDR (Based on FAPI 1 Advanced Final).

UK Open Banking

• Client Authentication Method : MTLS, private_key_jwt​
• Signature Algorithm : PS256
• Request Object Method : plain, PAR​
• Response Mode : plain

OpenID Connect: OpenID Providers

• Basic OP
• Implicit OP
• Hybrid OP
• Config OP
• Dynamic OP
• Form Post OP
• 3rd Party-Init OP

Keycloak 18.0.0 have re-achieved certification for 6 conformance profiles of Certified OpenID Providers except for 3rd Party-Init OP.

OpenID Connect: OpenID Providers for Logout Profile

• Front-Channel OP
• Back-Channel OP
• Session OP
• RP-Initiated OP

Keycloak 18.0.0 have achieved certification for all 4 conformance profiles of Certified OpenID Providers for Logout Profiles.

Note: Session OP and Front-Channel OP of OpenID Provider for Logout Profile conformance tests cannot be automated. These can be passed manually.

FAPI 2.0 Security Profile Second Implementer’s Draft

• FAPI2SP MTLS + MTLS
  • Client Authentication Method : mtls
  • Sender Constrain : mtls
  • OpenID : plain_oauth
  • FAPI Profile : plain​
• FAPI2SP private key + MTLS
  • Client Authentication Method : private_key_jwt
  • Sender Constrain : mtls
  • OpenID : plain_oauth
  • FAPI Profile : plain​
• FAPI2SP OpenID Connect
  • Client Authentication Method : mtls
  • Sender Constrain : mtls
  • OpenID : openid
  • FAPI Profile : plain​

FAPI 2.0 Message Signing First Implementer’s Draft

• FAPI2MS JAR
  • Client Authentication Method : mtls
  • Sender Constrain : mtls
  • OpenID : plain_oauth
  • FAPI Profile : plain​
  • FAPI Request Method : signed_non_repudiation
  • FAPI Response Mode : plain_response
• FAPI2MS JARM
  • Client Authentication Method : mtls
  • Sender Constrain : mtls
  • OpenID : plain_oauth
  • FAPI Profile : plain​
  • FAPI Request Method : signed_non_repudiation
  • FAPI Response Mode : jarm

Passed Conformance Tests per Keycloak version

To ensure that every keycloak version can pass conformance tests, we check if a new Keycloak version pass conformance tests that the older Keycloak version could pass whenever the new Keycloak version is released.

We tagged the environment for every keycloak verion:

Note: Keycloak legacy (wildfly) is no longer supported since keycloak 20.

*1 : Up to Implementer's Draft version 2, Open Banking Brazil Security Profile. From Implementer's Draft version 3, Open Finance Brazil Security Profile. Its conformance test is no longer supported since conformance suite version 5.1.11. Therefore, its conformance test is conducted by the conformance suite version 5.1.10.

*2 : Its conformance test is supported by conformance suite version 5.1.11.

*3 : Except for Dynamic Client Registration (DCR) conformance profile.

*4 : Except for 3rd Party-Init OP conformance profile.

*5 : ISSUE-25022

Other Contributions

Conferences

OAuth Security Workshop 2024 (Auditorium Antonianum, Rome, Italy, April 11, 2024)

• Title: Supporting OAuth 2.0 Based Security Profiles to Open-source Software - from Implementation to Operation
• URL: https://oauth.secworkshop.events/osw2024/agenda-thursday-osw-2024

KubeCon + CloudNativeCon Europe 2024 (Paris Expo Porte de Versailles, Paris, France, March 22, 2024)

• Title: The Leading Edge of AuthN and AuthZ by Keycloak
• URL: https://kccnceu2024.sched.com/event/1YhiQ/the-leading-edge-of-authn-and-authz-by-keycloak-takashi-norimatsu-hitachi-thomas-darimont-codecentric-ag

OpenID Summit Tokyo 2024 (Shibuya Stream Hall, Tokyo, Japan, January 19, 2024)

• Title: Implementing OAuth 2.0-based Security Profiles on Open-source Software
• URL: https://www.openid.or.jp/summit/2024/en/

KubeCon + CloudNativeCon North America 2023 (McCormick Place West, Chicago, Illinois, United States of America, November 7, 2023)

• Title: 10 Years of Keycloak - What's Next for Cloud-Native Authentication and OIDC?
• URL: https://kccncna2023.sched.com/event/1R2mH/10-years-of-keycloak-whats-next-for-cloud-native-authentication-and-oidc-alexander-schwartz-red-hat-takashi-norimatsu-hitachi-ltd

Keyconf 23 (Level39, London, United Kingdom, June 16, 2023)

please see keyconf 23.

Apidays Paris 2022 (Cité des sciences et de l'industrie, Paris, France, December 6, 2022)

• Title: Securing APIs in Open Banking - Financial-grade API security profile implementation to open-source software
• URL: https://speakerdeck.com/apidays/apidays-paris-2022-securing-apis-in-open-banking-takashi-norimatsu-hitachi

OAuth Security Workshop 2021 (Virtual Event, December 1, 2021)

• Title: Consideration on how to apply multiple FAPI and its related security profiles dynamically
• URL: https://www.youtube.com/watch?app=desktop&v=_ei7e8aOfkY

Referred academic paper

Policy-Based Method for Applying OAuth 2.0-Based Security Profiles

• Journal: IEICE Transactions on Information and Systems, Volume E106.D-9, pp.1364-1379, Institute of Electronics, Information and Communications Engineers (IEICE), Septempber 1, 2023.
• DOI: https://doi.org/10.1587/transinf.2022icp0004
• URL: https://www.jstage.jst.go.jp/article/transinf/E106.D/9/E106.D_2022ICP0004/_pdf

Oral presentation of refereed international conference paper

Flexible Method for Supporting OAuth 2.0 Based Security Profiles in Keycloak

• Proceedings: Lecture Notes in Informatics (LNI) Proceedings of Open Identity Summit 2022, P-325, pp.87-98, DTU Compute, Lyngby, Denmark, July 7-8, 2022.
• DOI: https://doi.org/10.18420/OID2022_07
• DBLP: https://dblp.uni-trier.de/rec/conf/openidentity/NorimatsuNY22
• URL: https://dblp.uni-trier.de/rec/conf/openidentity/2022
• URL: https://dblp.uni-trier.de/db/conf/openidentity/openidentity2022.html#NorimatsuNY22

Communication Channels

Not only OAuth SIG member but others can communicate with each other by the following ways.

• Slack : Cloud Native Computing Foundation (CNCF) slack's channel #keycloak-oauth-sig
• Mail : Google Group keycloak developer mailing list
• Chat : Zulip Chat stream (#dev-sig-fapi)
• Meeting : Web meeting on a regular basis

Automated Conformance Test Run Environment

Please see conformance-tests-env.

License

• Apache License, Version 2.0