Leading service providers have started developing their software in-house to achieve competitive business advantages. They naturally think that their OAuth 2.0 / OpenID Connect servers could be built in that way, but neither existing IAM software nor IDaaS meet their requirements. This session introduces a new OAuth/OIDC service architecture with agility and controllability. https://www.kuppingercole.com/sessions/4952/2
2. The Rise of In-house Software Development
“We develop all our technology in-house – and that is one of our competitive advantages.”
– Nubank, the largest digital bank globally
“I've never heard of DX being left up to vendors. In-house software development is a global trend.”
– Minna Bank, cloud native digital bank in Japan
Source: https://building.nubank.com.br/nubank-culture-and-values/, https://bizzine.jp/article/detail/6351?p=3
3. OAuth/OIDC Was Considered as an Exception
• Too many new standards and practices to implement and maintain
[Figure: timeline of OAuth/OIDC specifications from 2012 to 2020+] RFC6749, RFC6750, RFC6819, OIDC Core, OIDC Discovery, Session Mgmt, Multiple Response Type Enc. Practice, Form Post Response Mode, RFC7009, RFC7523, RFC7591, RFC7592, RFC7636, RFC7662, RFC8252, RFC8414, RFC8628, RFC8705, RFC8707, Security BCP, JARM, CIBA, FAPI-CIBA, FAPI1, FAPI2, PAR, RAR, IDA, DPoP
4. IAM / IDaaS: A Good Old Approach
• Solution that provides all functions
• Customization is doable in the solution
[Figure: Client, Resource Owner and Protected Resources (behind an API Gateway) interact with a single IAM / IDaaS product containing the Authorization Server Subsystem, User Authentication Subsystem and Authorization Decision Subsystem. Flows: user authentication and consent, token request, API request, token introspection. Custom logic is attached as extensions inside each subsystem.]
5. Is It What Developers Want?
• UI/UX is limited to capabilities of IAM / IDaaS
• Custom logic needs to be implemented on the solution’s framework
[Figure: the same IAM / IDaaS subsystems (Authorization Server, User Authentication, Authorization Decision), with the custom logic extension points labelled “Limited UI/UX” and “Framework Lock-in”.]
6. Modern Approach to In-house OAuth/OIDC
• “Authorization Server Backend”
• Full control over UI/UX
• Framework-agnostic
[Figure: the in-house OAuth/OIDC deployment consists of an Authorization Server, an IAM Service, an Authorization Decision Service and an API Gateway in front of the Protected Resources, built with “Development & Deployment Freedom”. Protocol operations and token management are delegated to the Authorization Server Backend. Flows: user authentication and consent, token request, API request, token introspection.]
7. Authlete: Authorization Server Backend
Offloading the Hardest Part of OAuth 2.0 & OpenID Connect Deployment
• OAuth 2.0 & OpenID Connect Protocol Operations
• Access Token Life Cycle Management
• API Authorization & ID Federation (OAuth 2.0 & OpenID Connect)
• Open Financial APIs (Financial-grade API)
• KYC Information Sharing (Identity Assurance)
Consumers: Mobile Apps & Websites, Fintechs, Partners, API Providers
Providing the Latest Industry-standard APIs; No Vendor Lock-in for Designing UX
8. How Authlete Works
Participants: End User, User Agent, API Client, Authorization Server, Resource Server, Authlete
• Authorization Request: the user agent is sent to
  https://as.example.com/authorize?response_type=code&client_id=57297408867&redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb
• The authorization server forwards the authorization request “as-is” to Authlete:
  POST /auth/authorization
  { "parameters": "response_type=code&client_id=57297408867&redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb" }
• Authlete API tells your server what to do next:
  { "action": "INTERACTION", "ticket": "c4iy3TWUzV9axH-9Q", ... }
• User Authentication & Access Grant (handled by your server)
• Request Authlete to issue an authorization code, then return the Authorization Response
• Token Request: forward the token request “as-is” to Authlete, then return the Token Response
• API Request: the resource server sends tokens to Authlete to introspect, then returns the API Response
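The “forward as-is” pattern from this slide, together with the Authorization Server Backend split of slide 6, as an added example that is not code from the slides or from Authlete: the in-house front end passes the raw `/authorize` query string to the backend's `/auth/authorization` call and branches on the returned `action` instead of interpreting OAuth parameters itself. The backend here is a constructed in-process stand-in modelled only on the response shape shown above (`action` plus `ticket`); its `BAD_REQUEST` error action, the client registry and the ticket format are assumptions made for this example.

```python
# Added example, not code from the slides or from Authlete's SDKs: a thin
# authorization-server front end in the style slide 8 describes, plus a
# constructed in-process stand-in for the backend's POST /auth/authorization.
# The stand-in mimics only the response shape shown on the slide
# ("action" + "ticket"); the error action name "BAD_REQUEST", the client
# registry and the ticket format are assumptions for this example.
import json
import secrets
from urllib.parse import parse_qs, urlsplit

# Constructed client registry: redirect URIs must match a registered value exactly.
REGISTERED_CLIENTS = {
    "57297408867": {"redirect_uris": ["https://client.example.org/cb"]},
}

# Stand-in backend state: ticket -> validated authorization request.
TICKETS = {}


def backend_auth_authorization(body):
    """Stand-in for POST /auth/authorization.

    Receives {"parameters": "<raw query string>"} and returns
    {"action": "INTERACTION", "ticket": ...} or an error action.
    """
    params = parse_qs(body.get("parameters", ""), keep_blank_values=True)

    def single(name):
        # A parameter given more than once is rejected (RFC 6749 section 3.1).
        values = params.get(name, [])
        return values[0] if len(values) == 1 else None

    client_id = single("client_id")
    redirect_uri = single("redirect_uri")
    response_type = single("response_type")

    client = REGISTERED_CLIENTS.get(client_id)
    if client is None or redirect_uri not in client["redirect_uris"]:
        # Unknown client or unregistered redirect_uri: RFC 6749 section 4.1.2.1
        # forbids redirecting; the server must show the error itself.
        return {"action": "BAD_REQUEST", "error": "invalid_request"}
    if response_type != "code":
        # Simplified: a fuller backend would redirect with
        # error=unsupported_response_type since redirect_uri has been validated.
        return {"action": "BAD_REQUEST", "error": "unsupported_response_type"}

    # Everything checked out: hand back an opaque ticket that refers to this
    # request, so the front end never has to re-parse the OAuth parameters.
    ticket = secrets.token_urlsafe(12)
    TICKETS[ticket] = {"client_id": client_id, "redirect_uri": redirect_uri,
                       "scope": single("scope"), "state": single("state")}
    return {"action": "INTERACTION", "ticket": ticket}


def handle_authorize(request_url, backend=backend_auth_authorization):
    """Front-end handler for GET /authorize: forward the query string as-is
    and act on the backend's "action" instead of interpreting OAuth itself."""
    raw_query = urlsplit(request_url).query
    resp = backend({"parameters": raw_query})

    if resp["action"] == "INTERACTION":
        # Render the in-house login and consent UI; the ticket is what the
        # front end later presents when asking for an authorization code.
        return {"http_status": 200, "render": "login_and_consent",
                "ticket": resp["ticket"]}
    if resp["action"] == "BAD_REQUEST":
        return {"http_status": 400, "body": json.dumps({"error": resp["error"]})}
    # Fail closed on any action this front end does not know how to handle.
    return {"http_status": 500, "body": json.dumps({"error": "server_error"})}


if __name__ == "__main__":
    url = ("https://as.example.com/authorize?response_type=code"
           "&client_id=57297408867&redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb")
    print(handle_authorize(url))
```

The point of the split is visible in `handle_authorize`: the front end owns only the UI and the session, while every protocol check (exact `redirect_uri` match, rejection of duplicated parameters, the no-redirect rule for an unregistered `redirect_uri`) lives in one place, and an `action` the front end does not recognise fails closed rather than being guessed at.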
9. Conformance to OIDC/FAPI/CIBA Standards
• OPs (OpenID Providers)
  – Basic OP
  – Implicit OP
  – Hybrid OP
  – Config OP
  – Dynamic OP
  – Form Post OP
• FAPI 1.0 Final OPs
  – FAPI 1 Advanced Final (Generic)
    – FAPI Adv. OP w/ MTLS
    – FAPI Adv. OP w/ MTLS, PAR
    – FAPI Adv. OP w/ Private Key
    – FAPI Adv. OP w/ Private Key, PAR
    – FAPI Adv. OP w/ MTLS, JARM
    – FAPI Adv. OP w/ Private Key, JARM
    – FAPI Adv. OP w/ MTLS, PAR, JARM
    – FAPI Adv. OP w/ Private Key, PAR, JARM
  – UK Open Banking (Based on FAPI 1 Advanced Final)
    – UK-OB Adv. OP w/ MTLS
    – UK-OB Adv. OP w/ Private Key
  – Australia CDR (Based on FAPI 1 Advanced Final)
    – AU-CDR Adv. OP w/ Private Key
    – AU-CDR Adv. OP w/ Private Key, PAR
  – Brazil Open Banking (Based on FAPI 1 Advanced Final)
    – BR-OB Adv. OP w/ MTLS
    – BR-OB Adv. OP w/ Private Key
    – BR-OB Adv. OP w/ MTLS, PAR
    – BR-OB Adv. OP w/ Private Key, PAR
    – BR-OB Adv. OP w/ MTLS, JARM
    – BR-OB Adv. OP w/ Private Key, JARM
    – BR-OB Adv. OP w/ MTLS, PAR, JARM
    – BR-OB Adv. OP w/ Private Key, PAR, JARM
    – BR-OB Adv. OP DCR
• FAPI 1.0 ID2 OPs
  – FAPI R/W OP w/ MTLS
  – FAPI R/W OP w/ MTLS, PAR
  – FAPI R/W OP w/ Private Key
  – FAPI R/W OP w/ Private Key, PAR
  – UK-OB R/W OP w/ MTLS
  – UK-OB R/W OP w/ Private Key
  – AU-CDR R/W OP w/ Private Key
  – AU-CDR R/W OP w/ Private Key, PAR
• FAPI-CIBA OPs
  – FAPI-CIBA OP poll w/ MTLS
  – FAPI-CIBA OP poll w/ Private Key
  – FAPI-CIBA OP Ping w/ MTLS
  – FAPI-CIBA OP Ping w/ Private Key
See https://openid.net/certification/ for details
10. Proven by Successful Deployments
Sectors: Financial, Personal Data / KYC, B2B / B2E, Entertainment, Healthcare, Education, Media; also Integration Partners and Awards
Customers shown: DPG Media, Nubank, Rakuten Bank
11. Agility, Controllability, and Cost-Efficiency
• DPG Media
  – Neither IDaaS, IAM software, nor OSS worked to build their CIAM platform
  – Authlete enables a new, reliable and flexible CIAM platform, so that DPG Media can provide the best customer experience
https://www.authlete.com/customers/dpgmedia/