© Hitachi, Ltd. 2023. All rights reserved.
Security Considerations for API Gateway Aggregation
APIsecure 2023
Hitachi, Ltd.
Yoshiyuki Tabata
Slides are available at https://www.slideshare.net/ssuserbeb7c0
About the speaker
• Specialist in API authorization
  - Consulting for API management infrastructure and authentication/authorization systems in the financial, public, social, and industrial fields
• Contributor to OSS related to authentication, authorization, and API management
  - Keycloak (IAM OSS)
  - 3scale (API management OSS)
• Other activities
  - Speaker at events such as Apidays, API Specifications Conference, OAuth Security Workshop, etc.
  - Author of Keycloak books (Japanese) and writer of web articles about IAM (Japanese)
Yoshiyuki Tabata
  - Software Engineer
  - Hitachi, Ltd.
  - GitHub: @y-tabata
Contents
1. Introduction to API Gateway Aggregation
2. Security Considerations for API Gateway Aggregation
3. Advanced use cases of API Gateway Aggregation

1. Introduction to API Gateway Aggregation
Introduction to “Minimum” API Management
[Figure: “Minimum” API Management. An API GW sits in front of the own service's APIs; every API call passes through the API GW, and an Authz Server issues the tokens.]
• “API management” is required when providing multiple APIs, considering the operational aspect.
• In this case, luxurious API management is not necessary; “Minimum” API Management, which provides only an API Gateway and an Authorization Server, is sufficient, especially for small-start projects.
Introduction to “Minimum” API Management
[Figure: the same layout with NGINX as the API GW and Keycloak as the Authz Server.]
• For example, this “Minimum” API Management can be built with only Keycloak and NGINX.
What is Keycloak
• Keycloak is an IAM (Identity and Access Management) OSS.
• Keycloak provides an OAuth 2.0 authorization server feature and single sign-on.
Major features
  - Provide support for OAuth 2.0, OpenID Connect and SAML.
  - Connect to existing LDAP or Active Directory servers.
  - Login with social networks.
[Figure: Keycloak. Based on Standard Protocols: OpenID Connect, SAML. User Federation: LDAP, Active Directory, RDB. Social Login: GitHub, Twitter, Facebook.]
Common issue for companies providing multiple services
• When a company provides multiple services, multiple “Minimum” API Management systems coexist in-house.
[Figure: two “Minimum” API Management systems side by side, each with its own API GW, APIs (own services) and Authz Server issuing tokens.]
Common issue for companies providing multiple services
• Recently, use cases for exposing APIs outside the company have become popular, such as providing APIs to 3rd-party applications and the spread of remote work.
• Existing APIs may not be exposable outside the company without changes, because of their low level of security and usability.
[Figure: the two in-house API management systems; API calls from remote work and 3rd-party apps outside the company arrive, marked with a question mark.]
Common issue for companies providing multiple services
• At a minimum, the following points should be considered when exposing APIs.
  • Minimum security (API authorization, OWASP Top 10)
  • Minimum impact on services provided to existing users
[Figure: same as the previous slide; API calls from remote work and 3rd-party apps outside the company, marked with a question mark.]
Proposal: API GW Aggregation
• At a minimum, the following points should be considered when exposing APIs.
  • Minimum security (API authorization, OWASP Top 10)
  • Minimum impact on services provided to existing users
-> Build an API GW Aggregator in front of the API GWs.
[Figure: an API GW Aggregator placed in front of the API GWs; remote work and 3rd-party apps outside the company call the Aggregator, which calls each API GW.]
2. Security Considerations for API Gateway Aggregation
How to meet requirements with API GW Aggregation
• This chapter considers how to meet the requirements with API GW Aggregation, focusing especially on the API authorization perspective.
  • Minimum security (API authorization, OWASP Top 10)
  • Minimum impact on services provided to existing users
[Figure: the API GW Aggregator in front of the API GWs, as on the proposal slide.]
How to meet requirements with API GW Aggregation
• Minimum security (API authorization, OWASP Top 10)
  • API authorization -> Authorization server based on OAuth 2.0
  • OWASP Top 10 -> WAF (Web Application Firewall)
[Figure: the API GW Aggregator gets its own Authz Server and a WAF (“+ WAF”). The Aggregator's Authz Server issues tokens using the OAuth2 authz code grant; the Aggregator verifies issuer, audience, expiration, revocation.]
How to meet requirements with API GW Aggregation
• Minimum impact on services provided to existing users
  • API authorization of external applications in the API GW Aggregator and that of each own service in its individual API GW work without problems, because each uses its dedicated authz server.
[Figure: the API GW Aggregator (w/ WAF) with its own Authz Server; each API GW keeps its own Authz Server, which issues tokens for its own services.]
How to meet requirements with API GW Aggregation
• Minimum impact on services provided to existing users
  • API authorization of external applications in an individual API GW is complex.
[Figure: API calls from remote work and 3rd-party apps pass through the API GW Aggregator (w/ WAF) to each individual API GW.]
How to meet requirements with API GW Aggregation
• Minimum impact on services provided to existing users
  • API authorization of external applications in an individual API GW is complex.
-> If the API GW Aggregator reuses the access token that the external app sends, each individual API GW needs to deal with tokens issued by multiple AS.
-> We should avoid this situation, because it extends the surface of possible attacks such as IdP mix-up attacks and may have an impact on own services.
[Figure: the 3rd-party app calls the API GW Aggregator (w/ WAF) with an access token issued by the Aggregator's Authz Server; the Aggregator forwards the API call using the same access token, so the individual API GW, which also receives tokens from its own Authz Server for its own services, MUST deal with tokens issued by multiple AS.]
How to meet requirements with API GW Aggregation
• Minimum impact on services provided to existing users
  • API authorization of external applications in an individual API GW is complex.
-> Instead, the API GW Aggregator exchanges tokens at each API GW's AS (cf. RFC 8693 OAuth 2.0 Token Exchange).
-> Token translation, such as exchanging lightweight access tokens*1 for more claims-packed access tokens, can be realized and can protect privacy.
[Figure: the 3rd-party app calls the Aggregator with a lightweight access token from the Aggregator's Authz Server; the Aggregator performs a token exchange at the individual API GW's Authz Server and calls that API GW using the different access token, so the API GW deals with tokens issued by only one AS.]
*1: an assertion-based access token w/o privacy information, or a handle-based access token
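The checks the “Minimum security” slide gives the Aggregator (verify issuer, audience, expiration, revocation) and the RFC 8693 exchange that keeps each individual API GW on a single AS, as one added Python example. This is the editor's illustration, not code from the slides, from Keycloak or from NGINX: it models a toy AS and gateway with HS256 shared secrets so that it runs on the standard library alone (Keycloak issues RS256 tokens whose public keys a gateway fetches via JWKS, and revocation would be checked through token introspection rather than the shared set used here). Every issuer URL, audience, user name, claim and secret is constructed.

```python
import base64, hashlib, hmac, json, uuid

TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def verify_jwt(token, key, issuer, audience, now, revoked=frozenset()):
    """Gateway checks from the slides: issuer, signature, audience, expiration, revocation."""
    try:
        h, p, s = token.split(".")
        header, claims, sig = json.loads(_b64url_decode(h)), json.loads(_b64url_decode(p)), _b64url_decode(s)
    except ValueError:  # wrong number of segments, bad base64 or bad JSON
        raise PermissionError("malformed token")
    if header.get("alg") != "HS256":  # the token never gets to pick the algorithm
        raise PermissionError("unexpected alg")
    if claims.get("iss") != issuer:  # the issuer selects the trusted key, so it is checked first
        raise PermissionError("untrusted issuer")
    if not hmac.compare_digest(hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest(), sig):
        raise PermissionError("bad signature")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise PermissionError("wrong audience")
    if claims.get("exp", 0) <= now:
        raise PermissionError("expired")
    if claims.get("jti") in revoked:
        raise PermissionError("revoked")
    return claims


class AuthzServer:
    """Toy AS standing in for Keycloak; `trusted_external` maps issuer -> key for RFC 8693 subject tokens."""

    def __init__(self, issuer, key, trusted_external=None, user_attrs=None):
        self.issuer, self.key = issuer, key
        self.trusted_external = trusted_external or {}
        self.user_attrs = user_attrs or {}  # constructed privacy claims known only to this AS
        self.revoked = set()  # jti values; a real gateway learns these via token introspection

    def issue(self, sub, audience, scope, now, ttl=300, extra=None):
        header = _b64url(b'{"alg":"HS256","typ":"JWT"}')
        claims = {"iss": self.issuer, "sub": sub, "aud": audience, "scope": scope, "iat": int(now),
                  "exp": int(now) + ttl, "jti": uuid.uuid4().hex, **(extra or {})}
        payload = _b64url(json.dumps(claims).encode())
        sig = hmac.new(self.key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        return f"{header}.{payload}.{_b64url(sig)}"

    def token_exchange(self, req, now):
        """RFC 8693 token endpoint: accept a subject token from a trusted external issuer whose
        audience is the requesting client, and mint this AS's own token for the requested audience."""
        if req.get("grant_type") != TOKEN_EXCHANGE_GRANT or req.get("subject_token_type") != ACCESS_TOKEN_TYPE:
            raise ValueError("unsupported_grant_type")
        iss = json.loads(_b64url_decode(req["subject_token"].split(".")[1])).get("iss")  # unverified peek; verify_jwt re-checks
        if iss not in self.trusted_external:
            raise PermissionError("invalid_grant")
        subject = verify_jwt(req["subject_token"], self.trusted_external[iss], iss, req["client_id"], now)
        token = self.issue(subject["sub"], req["audience"], subject["scope"], now,
                           extra=self.user_attrs.get(subject["sub"]))
        return {"access_token": token, "issued_token_type": ACCESS_TOKEN_TYPE,
                "token_type": "Bearer", "expires_in": 300}


def gateway_check(audience, authz, token, now):
    """An API GW trusting exactly one AS: (None, claims) if accepted, else (failed check, None)."""
    try:
        return None, verify_jwt(token, authz.key, authz.issuer, audience, now, authz.revoked)
    except PermissionError as exc:
        return str(exc), None


def demo(now=1_700_000_000):
    """The flow on the slides with constructed names and secrets."""
    agg_as = AuthzServer("https://agg-as.example/realms/external", b"agg-secret")
    svc_as = AuthzServer("https://svc-a-as.example/realms/svc-a", b"svc-a-secret",
                         trusted_external={agg_as.issuer: agg_as.key},
                         user_attrs={"partner-user-42": {"email": "user42@partner.example"}})
    # 1. The external app holds a lightweight token from the Aggregator's AS (no privacy claims).
    ext = agg_as.issue("partner-user-42", "api-gw-aggregator", "orders:read", now)
    _, ext_claims = gateway_check("api-gw-aggregator", agg_as, ext, now)
    # 2. Reusing that token at the service's own GW fails: that GW trusts only its own AS.
    reuse, _ = gateway_check("svc-a-gw", svc_as, ext, now)
    # 3. So the Aggregator exchanges it at the service's AS for a claims-packed token.
    exchanged = svc_as.token_exchange({"grant_type": TOKEN_EXCHANGE_GRANT, "client_id": "api-gw-aggregator",
                                       "subject_token": ext, "subject_token_type": ACCESS_TOKEN_TYPE,
                                       "audience": "svc-a-gw"}, now)
    _, svc_claims = gateway_check("svc-a-gw", svc_as, exchanged["access_token"], now)
    # 4. Revoking the external token at its AS is honoured at the Aggregator.
    agg_as.revoked.add(ext_claims["jti"])
    return {"reuse": reuse, "exchanged_iss": svc_claims["iss"], "exchanged_email": svc_claims.get("email"),
            "ext_has_email": "email" in ext_claims, "after_revoke": gateway_check("api-gw-aggregator", agg_as, ext, now)[0]}
```

Step 2 is the point of the slide: the service gateway's rejection is an issuer check, so it never needs the aggregator AS's keys at all, which is what keeps the IdP mix-up surface out of the individual API GWs. The exchanged token in step 3 carries the email claim that the lightweight external token omitted, which is the token-translation case the footnote describes.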
How to meet requirements with API GW Aggregation
• This API GW Aggregator can also be built with Keycloak and NGINX.
[Figure: NGINX Plus as the API GW Aggregator with Keycloak as its Authz Server; Keycloak performs the token exchange with each API GW's Authz Server; NGINX App Protect (WAF) protects each API individually using OpenAPI specs.]
3. Advanced use cases of API Gateway Aggregation
Advanced use case: access to highly sensitive data
• When publishing APIs that give access to highly sensitive data or that can be used to trigger highly important transactions, the system needs to support a highly secured OAuth profile such as the FAPI (Financial-grade API) security profile.
[Figure: the Keycloak + NGINX Plus (w/ NGINX App Protect) Aggregator in front of the API GWs, one of which provides highly sensitive data.]
What is FAPI
• The Financial-grade API (FAPI) security profile requires a high level of security based on OAuth 2.0, used as a protocol for "API Authorization", and OpenID Connect (OIDC), used as a protocol for "SSO". It defines secure usage of OAuth 2.0 and OIDC to apply to APIs in any market area.
[Figure: Financial-grade API Security Profile 1.0 Part 2: Advanced, surrounded by the specifications it relies on:]
  - RFC 6749: The OAuth 2.0 Authorization Framework
  - RFC 6750: The OAuth 2.0 Authorization Framework: Bearer Token Usage
  - RFC 6819: OAuth 2.0 Threat Model and Security Considerations
  - RFC 7519: JSON Web Token (JWT)
  - RFC 7636: Proof Key for Code Exchange by OAuth Public Clients
  - RFC 8705: OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens
  - RFC 9126: OAuth 2.0 Pushed Authorization Requests
  - OpenID Connect Core 1.0
  - Financial-grade API: JWT Secured Authorization Response Mode for OAuth 2.0 (JARM)
Advanced use case: access to highly sensitive data
• To support FAPI, the authz server, the client application, and the resource server all must meet the FAPI requirements.
-> An API GW Aggregator built with Keycloak and NGINX can support FAPI.
Hitachi publishes a certified implementation of a FAPI RP: https://github.com/Hitachi/hitachi-fapi-java
[Figure: the same Keycloak + NGINX Plus (w/ NGINX App Protect) Aggregator; one API GW provides highly sensitive data.]
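Two of the requirements that the specifications on the “What is FAPI” slide place on the authz server and the resource server, worked as an added Python example (the editor's, not code from the slides or from the Hitachi FAPI RP project): the S256 PKCE check of RFC 7636 that the AS performs at the token endpoint, and the RFC 8705 certificate-bound access token check that a resource server or gateway performs on an mTLS connection. The certificate byte strings are constructed placeholders for DER-encoded certificates, and every function name is the example's own.

```python
import base64
import hashlib
import hmac
import secrets
import string

_UNRESERVED = set(string.ascii_letters + string.digits + "-._~")  # RFC 7636 code_verifier alphabet


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def pkce_verifier(nbytes: int = 32) -> str:
    """Client side (RFC 7636): a random code_verifier; 32 bytes encode to 43 characters, the minimum."""
    return _b64url(secrets.token_bytes(nbytes))


def pkce_challenge(verifier: str) -> str:
    """S256 method: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def pkce_check(verifier: str, challenge: str, method: str = "S256") -> bool:
    """AS side, at the token endpoint, before the authorization code is redeemed.
    FAPI mandates S256, so the 'plain' method is refused outright."""
    if method != "S256" or not 43 <= len(verifier) <= 128 or set(verifier) - _UNRESERVED:
        return False
    return hmac.compare_digest(pkce_challenge(verifier), challenge)


def cert_thumbprint(cert_der: bytes) -> str:
    """RFC 8705 x5t#S256 value: base64url(SHA-256(DER encoding of the X.509 certificate))."""
    return _b64url(hashlib.sha256(cert_der).digest())


def bind_token_claims(claims: dict, client_cert_der: bytes) -> dict:
    """AS side: bind the access token to the client certificate used on the mTLS token request."""
    return {**claims, "cnf": {"x5t#S256": cert_thumbprint(client_cert_der)}}


def check_certificate_binding(claims: dict, presented_cert_der) -> bool:
    """Resource server / gateway side: accept the token only over an mTLS connection that
    presents the bound certificate; a token without a cnf claim is refused as well."""
    bound = (claims.get("cnf") or {}).get("x5t#S256")
    if not bound or presented_cert_der is None:
        return False
    return hmac.compare_digest(bound, cert_thumbprint(presented_cert_der))


# Constructed stand-ins for DER-encoded certificates (real ones come from the TLS layer).
PARTNER_CERT_DER = b"constructed DER bytes: partner client certificate"
OTHER_CERT_DER = b"constructed DER bytes: some other certificate"
```

The binding check is what makes a copied access token useless at the resource server: without the private key of the bound certificate the caller cannot complete the mTLS handshake that presents it, so the thumbprint comparison never matches. The PKCE check closes the matching gap on the authorization-code side, where an intercepted code cannot be redeemed without the verifier that only the legitimate client holds.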
Advanced use case: zero-trust network
• To protect against a domino effect, where one compromised API compromises multiple other critical components, implement a zero-trust network.
[Figure: the Aggregator topology with one API marked “compromised”.]
Advanced use case: zero-trust network
• To implement a zero-trust network, mutual TLS (mTLS) and JWT validation are the essential technologies.
-> Establish mTLS connections between the NGINX instances, and validate the access token (JWT) in cooperation with Keycloak.
[Figure: every API is fronted by its own NGINX; every API call between NGINX instances is “mTLS + JWT”, including the calls toward the compromised API. Keycloak supports policy decision and policy administration.]
Advanced use case: zero-trust network
• To implement a zero-trust network, mutual TLS (mTLS) and JWT validation are the essential technologies.
-> The complicated certificate management for mTLS is reduced by integrating with Vault.
[Figure: Vault added to the topology; every API call between NGINX instances is mTLS. Certificates come from real-time Vault certificate-issuing requests and the dynamic certificate-loading feature in NGINX Plus.]
Other advanced use cases
• There are many other advanced use cases. The ones below are for different types of clients.
  • For native apps, issue client credentials via the dynamic client registration endpoint.
  • For browser-based apps, behave as a BFF (backend for frontend) handling the full authz flow and managing tokens.
[Figure: the Keycloak + NGINX Plus (w/ NGINX App Protect) Aggregator topology.]
Summary
• We proposed “API GW Aggregation”
  - can expose APIs outside the company
  - with minimum security and
  - minimum impact on services provided to existing users.
  - the underlying technologies are OAuth2, WAF, and token exchange.
  - can be built with Keycloak and NGINX.
  - supports advanced use cases such as FAPI and zero-trust networks.
Slides are available at https://www.slideshare.net/ssuserbeb7c0
Trademarks
• OpenID is a trademark or registered trademark of OpenID Foundation in the United States and other
countries.
• GitHub is a trademark or registered trademark of GitHub, Inc. in the United States and other
countries.
• Red Hat is a registered trademark of Red Hat, Inc. in the United States and other countries.
• NGINX and NGINX Plus are registered trademarks of F5, inc. in the United States and other
countries.
• Other brand names and product names used in this material are trademarks, registered trademarks,
or trade names of their respective holders.
API-first, going beyond SOA, ESB & Integration
 
Introduction to Serverless on AWS
Introduction to Serverless on AWSIntroduction to Serverless on AWS
Introduction to Serverless on AWS
 
Authlete: API Authorization Enabler for API Economy
Authlete: API Authorization Enabler for API EconomyAuthlete: API Authorization Enabler for API Economy
Authlete: API Authorization Enabler for API Economy
 

More from Hitachi, Ltd. OSS Solution Center.

Guide of authentication and authorization for cloud native applications with ...
Guide of authentication and authorization for cloud native applications with ...Guide of authentication and authorization for cloud native applications with ...
Guide of authentication and authorization for cloud native applications with ...Hitachi, Ltd. OSS Solution Center.
 
KeycloakのCNCF incubating project入りまでのアップストリーム活動の歩み
KeycloakのCNCF incubating project入りまでのアップストリーム活動の歩みKeycloakのCNCF incubating project入りまでのアップストリーム活動の歩み
KeycloakのCNCF incubating project入りまでのアップストリーム活動の歩みHitachi, Ltd. OSS Solution Center.
 
KubeCon NA 2023 Recap: Challenge to Implementing “Scalable” Authorization wit...
KubeCon NA 2023 Recap: Challenge to Implementing “Scalable” Authorization wit...KubeCon NA 2023 Recap: Challenge to Implementing “Scalable” Authorization wit...
KubeCon NA 2023 Recap: Challenge to Implementing “Scalable” Authorization wit...Hitachi, Ltd. OSS Solution Center.
 
パスキーでリードする: NGINXとKeycloakによる効率的な認証・認可
パスキーでリードする: NGINXとKeycloakによる効率的な認証・認可パスキーでリードする: NGINXとKeycloakによる効率的な認証・認可
パスキーでリードする: NGINXとKeycloakによる効率的な認証・認可Hitachi, Ltd. OSS Solution Center.
 
Keycloakの全体像: 基本概念、ユースケース、そして最新の開発動向
Keycloakの全体像: 基本概念、ユースケース、そして最新の開発動向Keycloakの全体像: 基本概念、ユースケース、そして最新の開発動向
Keycloakの全体像: 基本概念、ユースケース、そして最新の開発動向Hitachi, Ltd. OSS Solution Center.
 
Challenge to Implementing "Scalable" Authorization with Keycloak
Challenge to Implementing "Scalable" Authorization with KeycloakChallenge to Implementing "Scalable" Authorization with Keycloak
Challenge to Implementing "Scalable" Authorization with KeycloakHitachi, Ltd. OSS Solution Center.
 
Why Assertion-based Access Token is preferred to Handle-based one?
Why Assertion-based Access Token is preferred to Handle-based one?Why Assertion-based Access Token is preferred to Handle-based one?
Why Assertion-based Access Token is preferred to Handle-based one?Hitachi, Ltd. OSS Solution Center.
 
What API Specifications and Tools Help Engineers to Construct a High-Security...
What API Specifications and Tools Help Engineers to Construct a High-Security...What API Specifications and Tools Help Engineers to Construct a High-Security...
What API Specifications and Tools Help Engineers to Construct a High-Security...Hitachi, Ltd. OSS Solution Center.
 
Implementing security and availability requirements for banking API system us...
Implementing security and availability requirements for banking API system us...Implementing security and availability requirements for banking API system us...
Implementing security and availability requirements for banking API system us...Hitachi, Ltd. OSS Solution Center.
 
Lightweight Zero-trust Network Implementation and Transition with Keycloak an...
Lightweight Zero-trust Network Implementation and Transition with Keycloak an...Lightweight Zero-trust Network Implementation and Transition with Keycloak an...
Lightweight Zero-trust Network Implementation and Transition with Keycloak an...Hitachi, Ltd. OSS Solution Center.
 
Overall pictures of Identity provider mix-up attack patterns and trade-offs b...
Overall pictures of Identity provider mix-up attack patterns and trade-offs b...Overall pictures of Identity provider mix-up attack patterns and trade-offs b...
Overall pictures of Identity provider mix-up attack patterns and trade-offs b...Hitachi, Ltd. OSS Solution Center.
 
最近のKeycloakのご紹介 ~クライアントポリシーとFAPI~
最近のKeycloakのご紹介 ~クライアントポリシーとFAPI~最近のKeycloakのご紹介 ~クライアントポリシーとFAPI~
最近のKeycloakのご紹介 ~クライアントポリシーとFAPI~Hitachi, Ltd. OSS Solution Center.
 

More from Hitachi, Ltd. OSS Solution Center. (20)

Guide of authentication and authorization for cloud native applications with ...
Guide of authentication and authorization for cloud native applications with ...Guide of authentication and authorization for cloud native applications with ...
Guide of authentication and authorization for cloud native applications with ...
 
KeycloakのCNCF incubating project入りまでのアップストリーム活動の歩み
KeycloakのCNCF incubating project入りまでのアップストリーム活動の歩みKeycloakのCNCF incubating project入りまでのアップストリーム活動の歩み
KeycloakのCNCF incubating project入りまでのアップストリーム活動の歩み
 
KubeCon NA 2023 Recap: Challenge to Implementing “Scalable” Authorization wit...
KubeCon NA 2023 Recap: Challenge to Implementing “Scalable” Authorization wit...KubeCon NA 2023 Recap: Challenge to Implementing “Scalable” Authorization wit...
KubeCon NA 2023 Recap: Challenge to Implementing “Scalable” Authorization wit...
 
パスキーでリードする: NGINXとKeycloakによる効率的な認証・認可
パスキーでリードする: NGINXとKeycloakによる効率的な認証・認可パスキーでリードする: NGINXとKeycloakによる効率的な認証・認可
パスキーでリードする: NGINXとKeycloakによる効率的な認証・認可
 
Keycloakの全体像: 基本概念、ユースケース、そして最新の開発動向
Keycloakの全体像: 基本概念、ユースケース、そして最新の開発動向Keycloakの全体像: 基本概念、ユースケース、そして最新の開発動向
Keycloakの全体像: 基本概念、ユースケース、そして最新の開発動向
 
Challenge to Implementing "Scalable" Authorization with Keycloak
Challenge to Implementing "Scalable" Authorization with KeycloakChallenge to Implementing "Scalable" Authorization with Keycloak
Challenge to Implementing "Scalable" Authorization with Keycloak
 
KubeConRecap_nakamura.pdf
KubeConRecap_nakamura.pdfKubeConRecap_nakamura.pdf
KubeConRecap_nakamura.pdf
 
NGINXでの認可について考える
NGINXでの認可について考えるNGINXでの認可について考える
NGINXでの認可について考える
 
IDガバナンス&管理の基礎
IDガバナンス&管理の基礎IDガバナンス&管理の基礎
IDガバナンス&管理の基礎
 
NGINXをBFF (Backend for Frontend)として利用した話
NGINXをBFF (Backend for Frontend)として利用した話NGINXをBFF (Backend for Frontend)として利用した話
NGINXをBFF (Backend for Frontend)として利用した話
 
Why Assertion-based Access Token is preferred to Handle-based one?
Why Assertion-based Access Token is preferred to Handle-based one?Why Assertion-based Access Token is preferred to Handle-based one?
Why Assertion-based Access Token is preferred to Handle-based one?
 
KeycloakでAPI認可に入門する
KeycloakでAPI認可に入門するKeycloakでAPI認可に入門する
KeycloakでAPI認可に入門する
 
What API Specifications and Tools Help Engineers to Construct a High-Security...
What API Specifications and Tools Help Engineers to Construct a High-Security...What API Specifications and Tools Help Engineers to Construct a High-Security...
What API Specifications and Tools Help Engineers to Construct a High-Security...
 
Implementing security and availability requirements for banking API system us...
Implementing security and availability requirements for banking API system us...Implementing security and availability requirements for banking API system us...
Implementing security and availability requirements for banking API system us...
 
Lightweight Zero-trust Network Implementation and Transition with Keycloak an...
Lightweight Zero-trust Network Implementation and Transition with Keycloak an...Lightweight Zero-trust Network Implementation and Transition with Keycloak an...
Lightweight Zero-trust Network Implementation and Transition with Keycloak an...
 
Overall pictures of Identity provider mix-up attack patterns and trade-offs b...
Overall pictures of Identity provider mix-up attack patterns and trade-offs b...Overall pictures of Identity provider mix-up attack patterns and trade-offs b...
Overall pictures of Identity provider mix-up attack patterns and trade-offs b...
 
Apache con@home 2021_sha
Apache con@home 2021_shaApache con@home 2021_sha
Apache con@home 2021_sha
 
Node-RED Installer, Standalone Installer using Electron
Node-RED Installer, Standalone Installer using ElectronNode-RED Installer, Standalone Installer using Electron
Node-RED Installer, Standalone Installer using Electron
 
Hacktoberfest 概要、Node-REDプロジェクト貢献手順
Hacktoberfest 概要、Node-REDプロジェクト貢献手順Hacktoberfest 概要、Node-REDプロジェクト貢献手順
Hacktoberfest 概要、Node-REDプロジェクト貢献手順
 
最近のKeycloakのご紹介 ~クライアントポリシーとFAPI~
最近のKeycloakのご紹介 ~クライアントポリシーとFAPI~最近のKeycloakのご紹介 ~クライアントポリシーとFAPI~
最近のKeycloakのご紹介 ~クライアントポリシーとFAPI~
 

Recently uploaded

🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...gurkirankumar98700
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsRoshan Dwivedi
 

Recently uploaded (20)

🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 

Security Considerations for API Gateway Aggregation

  • 1. Security Considerations for API Gateway Aggregation
  APIsecure 2023, Hitachi, Ltd., Yoshiyuki Tabata
  Slides are available at https://www.slideshare.net/ssuserbeb7c0
  © Hitachi, Ltd. 2023. All rights reserved.
  • 2. About the speaker
  • Specialist in API authorization
   Consulting for API management infrastructure and authentication/authorization systems in the financial, public, social, and industrial fields
  • Contributor to OSS related to authentication, authorization, and API management
   Keycloak (IAM OSS)
   3scale (API management OSS)
  • Other activities
   Speaker at events such as Apidays, API Specifications Conference, OAuth Security Workshop, etc.
   Author of Keycloak books (Japanese) and writer of web articles about IAM (Japanese)
  Yoshiyuki Tabata: Software Engineer, Hitachi, Ltd., GitHub: @y-tabata
  • 3. Contents
  1. Introduction to API Gateway Aggregation
  2. Security Considerations for API Gateway Aggregation
  3. Advanced use cases of API Gateway Aggregation
  • 4. Contents (1. Introduction to API Gateway Aggregation; 2. Security Considerations for API Gateway Aggregation; 3. Advanced use cases of API Gateway Aggregation)
  • 5. Introduction to “Minimum” API Management
  (diagram: “Minimum” API Management = an API GW and an Authz Server in front of the company's own service APIs; API calls pass through the API GW, the Authz Server issues tokens)
  • “API management” is required when providing multiple APIs, considering the operational aspect.
  • In this case, luxurious API management is not necessary; a “Minimum” API Management that provides only an API Gateway and an Authorization Server is sufficient, especially for small-start projects.
  • 6. Introduction to “Minimum” API Management
  (diagram: NGINX as the API GW, Keycloak as the Authz Server)
  • For example, this “Minimum” API Management can be built with only Keycloak and NGINX.
  • 7. What is Keycloak
  • Keycloak is IAM (Identity and Access Management) OSS.
  • Keycloak provides an OAuth 2.0 authorization server feature and single sign-on.
  Major features
   Provide support for OAuth 2.0, OpenID Connect and SAML.
   Connect to existing LDAP or Active Directory servers.
   Login with social networks.
  (diagram: Based on Standard Protocols: OpenID Connect, SAML; User Federation: LDAP, Active Directory, RDB; Social Login: GitHub, Twitter, Facebook)
  • 8. Common issue for companies providing multiple services
  • When a company provides multiple services, multiple minimum API management systems exist in-house side by side.
  (diagram: two “Minimum” API Management systems, each with its own API GW and Authz Server in front of its own services)
  • 9. Common issue for companies providing multiple services
  • Recently, use cases for exposing APIs outside the company have become popular, such as providing APIs to 3rd-party applications and the spread of remote work.
  • Existing APIs may not be exposable outside the company without changes because of low-level security and usability.
  (diagram: remote-work users and 3rd-party apps outside the company calling the in-house API GWs, marked with “?”)
  • 10. Common issue for companies providing multiple services
  • At a minimum, the following points should be considered when exposing APIs.
    • Minimum security (API authorization, OWASP Top 10)
    • Minimum impact on services provided to existing users
  • 11. Proposal: API GW Aggregation
  • At a minimum, the following points should be considered when exposing APIs.
    • Minimum security (API authorization, OWASP Top 10)
    • Minimum impact on services provided to existing users
  -> Build an API GW Aggregator in front of the API GWs.
  (diagram: the API GW Aggregator placed between the clients outside the company and the individual API GWs; all external API calls go through the aggregator)
  • 12. Contents (1. Introduction to API Gateway Aggregation; 2. Security Considerations for API Gateway Aggregation; 3. Advanced use cases of API Gateway Aggregation)
  • 13. How to meet requirements with API GW Aggregation
  • This chapter considers how to meet the requirements with API GW Aggregation, especially focusing on the API authorization perspective.
    • Minimum security (API authorization, OWASP Top 10)
    • Minimum impact on services provided to existing users
  • 14. How to meet requirements with API GW Aggregation (repeat of slide 13)
  • 15. How to meet requirements with API GW Aggregation
  • Minimum security (API authorization, OWASP Top 10)
    • API authorization -> Authorization server based on OAuth 2.0
    • OWASP Top 10 -> WAF (Web Application Firewall)
  (diagram: the API GW Aggregator + WAF has its own Authz Server, which issues tokens using the OAuth2 authz code grant; the aggregator verifies issuer, audience, expiration, revocation)
  • 16. How to meet requirements with API GW Aggregation (repeat of slide 13)
  • 17. How to meet requirements with API GW Aggregation
  • Minimum impact on services provided to existing users
    • API authorization of external applications in the API GW Aggregator and that of each own service in its individual API GW work with no problems, because each uses its own dedicated authz server.
  (diagram: ✔ marks on the aggregator's Authz Server and on each individual API GW's Authz Server)
  • 18. How to meet requirements with API GW Aggregation
  • Minimum impact on services provided to existing users
    • API authorization of external applications in the individual API GWs is complex.
  (diagram: external API calls flowing from the API GW Aggregator (w/ WAF) on to the individual API GWs)
  • 19. How to meet requirements with API GW Aggregation
  • Minimum impact on services provided to existing users
    • API authorization of external applications in the individual API GWs is complex.
  -> If the API GW Aggregator reuses the access token that the external app sends, the individual API GW needs to deal with tokens issued by multiple AS.
  (diagram: API call (w/ access token) from a 3rd-party app to the aggregator; the aggregator calls the individual API GW using the same access token, so that API GW MUST deal with tokens issued by multiple AS: its own and the aggregator's)
  • 20. How to meet requirements with API GW Aggregation
  • Minimum impact on services provided to existing users
    • API authorization of external applications in the individual API GWs is complex.
  -> If the API GW Aggregator reuses the access token that the external app sends, the individual API GW needs to deal with tokens issued by multiple AS.
  -> We should avoid this situation because it extends the surface of possible attacks, such as IdP mix-up attacks, and may have an impact on own services.
  • 21. How to meet requirements with API GW Aggregation
  • Minimum impact on services provided to existing users
    • API authorization of external applications in the individual API GWs is complex.
  -> Instead, the API GW Aggregator exchanges tokens at each API GW's AS. (cf. RFC 8693 OAuth 2.0 Token Exchange)
  (diagram: token exchange at each API GW's Authz Server; the individual API GW is called using a different access token and deals with tokens issued by only one AS)
  • 22. How to meet requirements with API GW Aggregation
  • Minimum impact on services provided to existing users
    • API authorization of external applications in the individual API GWs is complex.
  -> Instead, the API GW Aggregator exchanges tokens at each API GW's AS. (cf. RFC 8693 OAuth 2.0 Token Exchange)
  -> Token translation, such as exchanging lightweight access tokens*1 for more claims-packed access tokens, can be realized and can protect privacy.
  *1: an assertion-based access token w/o privacy information, or a handle-based access token
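The token checks of slide 15 (issuer, audience, expiration, revocation) and the token exchange of slides 21 and 22, as an added example that is not from the slides and not code from the Keycloak or NGINX projects. A few-line HS256 JWT helper stands in for Keycloak's token issuance; the issuers, keys, gateway names, user and claim values are constructed, while the grant-type and token-type URNs and the request parameter names are the real ones from RFC 8693. The individual API GW verifies only tokens from its own AS, so forwarding the external token unchanged (the slide 19 anti-pattern) is rejected, and the exchanged token carries claims the lightweight external token never exposed:

```python
import base64
import hashlib
import hmac
import json

# RFC 8693 identifiers are real; issuers, keys, names and claims below are constructed.
TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_jwt(claims: dict, key: bytes) -> str:
    # Stand-in for an AS signing an HS256 access token (Keycloak would use an asymmetric alg).
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_access_token(token, key, expected_iss, expected_aud, revoked_jtis, now):
    """Slide 15 checks: signature, issuer, audience, expiration, revocation -> (claims, None) or (None, reason)."""
    parts = token.split(".")
    if len(parts) != 3:
        return None, "malformed"
    expected = hmac.new(key, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
        return None, "bad_signature"  # a token signed by any other AS ends here
    claims = json.loads(_b64url_decode(parts[1]))
    aud = claims.get("aud")
    if claims.get("iss") != expected_iss:
        return None, "wrong_issuer"
    if expected_aud not in (aud if isinstance(aud, list) else [aud]):
        return None, "wrong_audience"
    if claims.get("exp", 0) <= now:
        return None, "expired"
    if claims.get("jti") in revoked_jtis:
        return None, "revoked"
    return claims, None

class AuthzServer:
    """Minimal AS: issues its own tokens and exchanges (RFC 8693) tokens of one trusted upstream AS."""

    def __init__(self, issuer, key, trusted_upstream=None, user_claims=None):
        self.issuer, self.key, self.trusted_upstream = issuer, key, trusted_upstream  # (iss, key, aud)
        self.user_claims = user_claims or {}  # sub -> claims packed into exchanged tokens
        self.revoked, self._count = set(), 0  # revoked jti values, jti counter

    def issue(self, sub, aud, now, ttl=300):
        self._count += 1
        claims = {"iss": self.issuer, "sub": sub, "aud": aud, "exp": now + ttl,
                  "jti": f"{self.issuer}#{self._count}", **self.user_claims.get(sub, {})}
        return mint_jwt(claims, self.key)

    def token_exchange(self, form, now):
        """Token endpoint handling an RFC 8693 request (parameter names per its section 2.1)."""
        if (form.get("grant_type") != TOKEN_EXCHANGE_GRANT
                or form.get("subject_token_type") != ACCESS_TOKEN_TYPE):
            return {"error": "unsupported_grant_type"}
        up_iss, up_key, up_aud = self.trusted_upstream
        claims, reason = verify_access_token(form["subject_token"], up_key, up_iss, up_aud, set(), now)
        if claims is None:
            return {"error": "invalid_request", "error_description": reason}
        return {"access_token": self.issue(claims["sub"], form["audience"], now),
                "issued_token_type": ACCESS_TOKEN_TYPE, "token_type": "Bearer"}

def gateway_call(gw_name, authz, bearer, now):
    """An API GW (aggregator or individual) accepting tokens from its own AS only."""
    claims, reason = verify_access_token(bearer, authz.key, authz.issuer, gw_name, authz.revoked, now)
    return {"status": 200, "claims": claims} if claims else {"status": 401, "reason": reason}

def aggregator_call(agg_authz, gateways, external_token, target, now):
    """Slide 21: verify the external token at the aggregator's own AS, then exchange it at the target's AS."""
    inbound = gateway_call("aggregator", agg_authz, external_token, now)
    if inbound["status"] != 200:
        return inbound
    gw_authz = gateways[target]
    resp = gw_authz.token_exchange({"grant_type": TOKEN_EXCHANGE_GRANT, "audience": target,
                                    "subject_token": external_token,
                                    "subject_token_type": ACCESS_TOKEN_TYPE}, now)
    if "error" in resp:
        return {"status": 502, "reason": resp["error"]}
    return gateway_call(target, gw_authz, resp["access_token"], now)

def demo(now=1_700_000_000):
    """Constructed scenario: the aggregator's AS plus one service's AS and API GW."""
    agg_as = AuthzServer("https://aggregator-as.example", b"constructed-agg-key")
    svc_as = AuthzServer("https://service-a-as.example", b"constructed-svc-a-key",
                         trusted_upstream=(agg_as.issuer, agg_as.key, "aggregator"),
                         user_claims={"alice": {"account_tier": "gold"}})
    gateways = {"service-a": svc_as}
    ext = agg_as.issue("alice", "aggregator", now)  # lightweight: no privacy claims
    results = {"via_exchange": aggregator_call(agg_as, gateways, ext, "service-a", now),
               "forwarded_directly": gateway_call("service-a", svc_as, ext, now),  # slide 19 anti-pattern
               "expired": aggregator_call(agg_as, gateways, ext, "service-a", now + 600)}
    agg_as.revoked.add("https://aggregator-as.example#1")
    results["revoked"] = aggregator_call(agg_as, gateways, ext, "service-a", now)
    return results
```

The downstream AS accepts subject tokens from exactly one upstream issuer and audience, which is the trust relationship the aggregator pattern relies on; the individual API GW never sees the external token, so its verification code deals with one issuer. Revocation is checked at the aggregator before the exchange, since the downstream AS has no view of the upstream AS's revocation state.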
  • 23. 22 © Hitachi, Ltd. 2023. All rights reserved. How to meet requirements with API GW Aggregation • This API GW Aggregator also can be built with Keycloak and NGINX. API GW API API Authz Server own services API call API call API GW API API Authz Server own services API call API call remote work 3rd party apps NGINX Plus Keycloak API call API call issue token API call API call issue token issue token token exchange token exchange NGINX App Protect (WAF) protect each API individually using OpenAPI specs.
  • 24. © Hitachi, Ltd. 2023. All rights reserved. Contents 23 1. Introduction to API Gateway Aggregation 2. Security Considerations for API Gateway Aggregation 3. Advanced use cases of API Gateway Aggregation
• 25. Advanced use case: access to highly sensitive data
  • When publishing APIs that give access to highly sensitive data or that can be used to trigger highly important transactions, the system needs to support a highly secured OAuth profile such as the FAPI (Financial-grade API) security profile.
  [Diagram: the same Aggregator setup (NGINX Plus w/ NGINX App Protect, Keycloak, token exchange with each API GW's Authz Server); one of the API GWs provides highly sensitive data.]
• 26. What is FAPI
  • The Financial-grade API (FAPI) security profile requires a high level of security based on OAuth 2.0, used as a protocol for "API Authorization", and OpenID Connect (OIDC), used as a protocol for "SSO". It defines secure usage of OAuth 2.0 and OIDC to apply to APIs in any market area.
  [Diagram: the specification stack under Financial-grade API Security Profile 1.0 Part 2: Advanced]
    - RFC 6749: The OAuth 2.0 Authorization Framework
    - RFC 6750: The OAuth 2.0 Authorization Framework: Bearer Token Usage
    - RFC 6819: OAuth 2.0 Threat Model and Security Considerations
    - RFC 7519: JSON Web Token (JWT)
    - RFC 7636: Proof Key for Code Exchange by OAuth Public Clients
    - RFC 8705: OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens
    - RFC 9126: OAuth 2.0 Pushed Authorization Requests
    - OpenID Connect Core 1.0
    - Financial-grade API: JWT Secured Authorization Response Mode for OAuth 2.0 (JARM)
• 27. Advanced use case: access to highly sensitive data
  • To support FAPI, the authz server, the client application, and the resource server all must meet the FAPI requirements. -> An API GW Aggregator built with Keycloak and NGINX can support FAPI.
  • Hitachi publishes a certified implementation of a FAPI RP: https://github.com/Hitachi/hitachi-fapi-java
  [Diagram: the same Aggregator setup (NGINX Plus w/ NGINX App Protect, Keycloak, token exchange with each API GW's Authz Server); one of the API GWs provides highly sensitive data.]
• 28. Advanced use case: zero-trust network
  • To protect against a domino effect, where one compromised API compromises multiple other critical components, implement a zero-trust network.
  [Diagram: the same Aggregator setup, with one compromised API behind an API GW.]
• 29. Advanced use case: zero-trust network
  • To implement a zero-trust network, mutual TLS (mTLS) and JWT validation are the essential technologies. -> Establish mTLS connections between the NGINX instances, and validate the access token (JWT) in cooperation with Keycloak.
  [Diagram: an NGINX instance sits in front of every API and every Keycloak; every API call, including those from the compromised API, is made over mTLS with a JWT; Keycloak supports policy decision and policy administration.]
• 30. Advanced use case: zero-trust network
  • To implement a zero-trust network, mutual TLS (mTLS) and JWT validation are the essential technologies. -> The complicated certificate management for mTLS is reduced by integrating with Vault: real-time certificate-issuing requests to Vault combined with the dynamic certificate-loading feature in NGINX Plus.
  [Diagram: an NGINX instance sits in front of every API and every Keycloak; every API call is made over mTLS with certificates issued by Vault; the compromised API is isolated.]
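The token exchange of slides 21 and 22 and the per-gateway JWT validation of slide 29 share one mechanism, so the following added example (not Hitachi's, Keycloak's or NGINX's code) models both in one place: the Aggregator's AS issues a lightweight token, the Aggregator exchanges it at an API GW's AS using the RFC 8693 form parameters, and the per-GW gateway accepts only tokens from its own AS. HS256 via hmac stands in for Keycloak's RS256 keys, the in-process functions stand in for the HTTP token endpoint and NGINX Plus JWT validation, and every key, issuer and user is constructed; the mTLS half of slide 29 is outside this block.

```python
# Added example, not Hitachi's, Keycloak's or NGINX's code: RFC 8693 exchange at the
# API GW Aggregator plus the per-gateway JWT check; keys/issuers/users are constructed.
import base64, hashlib, hmac, json
TX_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
TX_TYPE = "urn:ietf:params:oauth:token-type:access_token"
KEY_A, ISS_A = b"aggregator-as-secret", "https://as-a.example/realms/external"  # Aggregator's AS
KEY_B, ISS_B = b"gw1-as-secret", "https://as-b.example/realms/internal"  # one API GW's AS
ROLES_B = {"user-42": ["orders:read"]}  # AS_B's own user store (constructed)
def _b64(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def _unb64(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_jwt(claims, key):
    # Minimal HS256 JWT: header.payload.signature
    head = _b64(b'{"alg":"HS256","typ":"JWT"}')
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64(sig)}"

def verify_jwt(token, key, iss, aud, now):
    # Returns the claims only if signature, iss, aud and exp all check out, else None
    parts = token.split(".")
    if len(parts) != 3: return None
    mac = hmac.new(key, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, _unb64(parts[2])): return None
    c = json.loads(_unb64(parts[1]))
    ok = c.get("iss") == iss and c.get("aud") == aud and c.get("exp", 0) > now
    return c if ok else None

def issue_lightweight_token(sub, now):
    # AS_A token handed to 3rd-party apps: a subject handle, no privacy claims
    return sign_jwt({"iss": ISS_A, "aud": "aggregator", "sub": sub, "exp": now + 300}, KEY_A)

def token_exchange_request(subject_token, audience):
    # Form body the Aggregator POSTs to AS_B's token endpoint (RFC 8693 section 2.1)
    return {"grant_type": TX_GRANT, "subject_token": subject_token,
            "subject_token_type": TX_TYPE, "audience": audience}

def as_b_token_endpoint(form, now):
    # AS_B trusts AS_A as an external IdP: verify the subject token, then issue its own
    # claims-packed token, so the API GW behind it only ever sees AS_B tokens
    if form.get("grant_type") != TX_GRANT: return {"error": "unsupported_grant_type"}
    subj = verify_jwt(form.get("subject_token", ""), KEY_A, ISS_A, "aggregator", now)
    if subj is None: return {"error": "invalid_request"}
    claims = {"iss": ISS_B, "aud": form.get("audience"), "sub": subj["sub"],
              "roles": ROLES_B.get(subj["sub"], []), "exp": now + 300}
    return {"access_token": sign_jwt(claims, KEY_B), "issued_token_type": TX_TYPE,
            "token_type": "Bearer"}

def gateway_authorize(token, now):
    # What the per-GW NGINX does on each API call: accept only tokens from its own AS
    return verify_jwt(token, KEY_B, ISS_B, "gw1-api", now)
```

Presenting the lightweight AS_A token directly to the per-GW gateway is rejected, while the exchanged AS_B token carries the roles the downstream API needs without the Aggregator's AS ever having exposed them to the 3rd-party app.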
• 31. Other advanced use cases
  • There are many other advanced use cases. The ones below are for different types of clients.
    - For native apps, issue client credentials via the dynamic client registration endpoint.
    - For browser-based apps, behave as a BFF (backend for frontend), handling the full authz flow and managing tokens.
  [Diagram: the same Aggregator setup (NGINX Plus w/ NGINX App Protect, Keycloak, token exchange with each API GW's Authz Server).]
• 32. Summary
  • We proposed "API GW Aggregation", which
    - can expose APIs outside the company with minimum security and minimum impact on services provided to existing users;
    - has OAuth2, WAF, and token exchange as its underlying technologies;
    - can be built with Keycloak and NGINX;
    - supports advanced use cases such as FAPI and zero-trust networks.
  Slides are available at https://www.slideshare.net/ssuserbeb7c0
• 33. Trademarks
  • OpenID is a trademark or registered trademark of the OpenID Foundation in the United States and other countries.
  • GitHub is a trademark or registered trademark of GitHub, Inc. in the United States and other countries.
  • Red Hat is a registered trademark of Red Hat, Inc. in the United States and other countries.
  • NGINX and NGINX Plus are registered trademarks of F5, Inc. in the United States and other countries.
  • Other brand names and product names used in this material are trademarks, registered trademarks, or trade names of their respective holders.