Implementing WebAuthn & FAPI supports on Keycloak

© Hitachi, Ltd. 2019. All rights reserved.
Implementing Web Authentication API (WebAuthn)
& Financial-Grade API (FAPI) supports on keycloak
KeyConf 2019 @ STFC Hartree Centre, United Kingdom
Hitachi, Ltd.
OSS Solution Center
12 June 2019
Takashi Norimatsu

1© Hitachi, Ltd. 2019. All rights reserved.
Self Introduction
Engaging in :
◼ providing support services about OSS
◼ implementing and contributing promising features to OSS
The current works :
 contributing WebAuthn support to keycloak
 making keycloak pass FAPI’s conformance tests to get FAPI Certificate
Takashi Norimatsu (@tnorimat in github) :
OSS Solution Center, Hitachi, Ltd.
@ Yokohama, Japan
* Yokohama : the 2nd largest city in Japan by population, about 35km south west from Tokyo

1. Overview
2. Web Authentication API (WebAuthn) Support
3. Financial-Grade API (FAPI) Support
Contents
2

1. Overview

1-1 Overview: WebAuthn
[ What’s WebAuthn ? ]
Web standard as W3C Recommendation for achieving secure authentication (2FA,
passwordless) resolving problems arising in password authentication.
[ Motivation : Why we try to support WebAuthn for keycloak ? ]
WebAuthn is promising technology.
Therefore, it will be nothing special
for IAM products to support it
in the future.

1-2 Overview: FAPI
[ What’s FAPI ? ]
OAuth 2.0’s security profile of APIs intended for financial institutes
[ Motivation : Why we try to support FAPI for keycloak ? ]
We would like to apply keycloak in financial sector requiring high security level for APIs.
(*) Based on survey of Japanese Bankers Association as of Dec 2017
Quoted from Report about open API by the Japanese Bankers Association
https://www.zenginkyo.or.jp/fileadmin/res/news/news290713_3.pdf
In Japan…
◆ The revised banking act was published in Jun 2017 to
promote API. Similar to PSD2 in EU.
◆ 83% of banks (114 banks) answered they will open
API by Jun 2020(*).
◆ OAuth 2.0 is recognized as a key technology to
secure API. FAPI is also being required.
In UK…
◆ UK OpenBanking security profile is based on FAPI.
(https://bitbucket.org/openid/obuk/src/master/uk-openbanking-security-profile.md)

2. Web Authentication API (WebAuthn) Support

2-1 WebAuthn: Contribution Plan
Hitachi, Ltd. and WebAuthn4j community(https://github.com/webauthn4j/) are working for it.
Now still in “Develop” phase, working in https://github.com/webauthn4j/keycloak-webauthn-
authenticator .
We are happy if you could contribute to it.
Develop
✓ Build a prototype for feasibility study
◼ Write and submit design documents to community to be reviewed and approved
 Implement WebAuthn RP’s features to keycloak based on the approved design
Merged
 Issue pull requests to keycloak to be reviewed and approved
 Make them merged onto keycloak
Certified
 Pass conformance Self-Validation Testing against keycloak
 Get certificate confirming that keycloak complies with FIDO2 2.0 Specification for
Servers (*)
(*) managed and presented by FIDO Alliance

2-3 WebAuthn: Current Status - Prototype
You can actually try this prototype from https://github.com/webauthn4j/keycloak-
webauthn-authenticator .
You can experience the following 2 scenario using this prototype:
◼ 2 Factor Authentication (2FA) Scenario
OS : Windows 10, macOS Mojave (ver 10.14.4)
Browser : Google Chrome (ver 75), Mozilla Firefox (ver 66)
Authenticator : Yubico Security Key, Touch ID (macOS)
◼ Authentication with Resident Key (passwordless) Scenario
OS : Windows 10
Browser : Microsoft Edge (ver 44)
Authenticator : Internal Fingerprint Authentication Device

2-3 WebAuthn: Current Status - Design
[ Objective ]
2FA scenario at first, passwordless scenario next.
Major topics to be considered (picked up three here):
 Verifying Attestation Statement and Authentication Assertion
• On registration, an attestation certificate should be verified
Need to manage trust anchor certificate sources (e.g. FIDO Metadata Service)
• On registration and authentication, keycloak need to verify information returned
from Web Authentication API (e.g. navigator.credentials.create(), .get())
Need to choose an appropriate library to treat them
We adopted “webauthn4j” (https://github.com/webauthn4j/webauthn4j) as a core
library where all mandatory test cases and optional Android Key attestation test
cases of FIDO2 Test Tools provided by FIDO Alliance has been passed.
We not only use “webauthn4j” but contribute to it.

2-3 WebAuthn: Current Status - Design (cont.)
 Public Key Credentials Management
• Users might have multiple authenticators. (e.g. security key, fingerprint)
Need to retain multiple public key credentials per user.
• On authentication, the user can select which public key credentials are used.
Need to retain Information the user can use to identify their credentials.
• Administrator wants to restrict authenticators the user can use.
Need to obtain authenticator’s metadata. (e.g. AAGUID)
 Automated Functional Test (E2E Test)
• Automate tests of registration and authentication flows including or emulating
real entities (e.g. authenticator, browser)
… our design document considering these topics can be found in
https://github.com/keycloak/keycloak-community/pull/11

3. Financial-Grade API (FAPI) Support

3-1 FAPI: Contribution Plan
(*) managed and presented by OpenID Foundation
Develop
✓ Clarify FAPI’s requirements keycloak does not satisfy
✓ Implement features satisfying such FAPI’s requirements to keycloak
Merged
✓ Issue pull requests to keycloak to be reviewed and approved
✓ Make them merged onto keycloak
Certified
◼ Pass all of FAPI conformance tests against keycloak
 Get certificate confirming that keycloak complies with Financial- grade API
(FAPI) OpenID Providers (*)
Hitachi, Ltd. has been working for it, and Nomura Research Institute, Ltd. joined it from
“Certified” step.
We are now already in “Certified” step, working in https://github.com/jsoss-sig/keycloak-fapi.
We are happy if you could contribute to it.

3-2 FAPI: Created and Merged Pull Requests
Content Slide
# JIRA Ticket Description Pull
Request
Included
Version
1 KEYCLOAK-2604 Support RFC 7636 Proof Key for Code Exchange (PKCE) 3831 3.1.0
2 KEYCLOAK-5661 Return the list of allowed scopes with the issued access token 4527 3.4.0
3 KEYCLOAK-5811 Support client authentication in client_secret_jwt 4835 4.0.0
4 KEYCLOAK-6700 Support s_hash 5022 4.0.0
5 KEYCLOAK-6771 Support Holder of Key mechanism for tokens 5083 4.0.0
6 KEYCLOAK-6768 Support signed and encrypted ID token 5779 Now reviewed by
maintainers
7 KEYCLOAK-6770 Support signature algorithm ES256/384/512 for tokens 5533 4.5.0
8 KEYCLOAK-7451 Support server metadata for PKCE 5228 4.0.0
9 KEYCLOAK-7959 Support Holder of Key mechanism for tokens in reverse proxy deployed
environment
5418 4.2.0
10 KEYCLOAK-8460 Support signature algorithm ES256/384/512 for request object 5603 4.7.0
11 KEYCLOAK-9756 Support signature algorithm PS256/384/512 for tokens and request object 5974 6.0.0

3-3 Featured FAPI function : Proof Key for Code Exchange (PKCE)
Safeguard against Fraudulent Token Acquisition
If an attacker steals a victim’s authorization code…
⚫ Without PKCE
Client gets Access Token in return to Authorization Code
The attacker can get the victim’s access token in return to the victim’s
authorization code.
⚫ With PKCE
Client gets Access Token in return to Authorization Code + Code Verifier
The attacker can NOT get the victim’s access token in return to the victim’s
authorization code alone.
We has already contributed supporting PKCE (Included in Keycloak 3.1.0)

3-4 Featured FAPI function : Holder-of-Key Mechanism
Safeguard against Fraudulent Token Exercise
If an attacker steals an access token that enable to access victim’s resource …
⚫ Bearer Token
Any party possessing a token can exercise this token (e.g., train ticket)
The attacker can access a victim’s resource by the access token.
⚫ Holder-of-Key Token
Only certain party can exercise a token (e.g. passport)
The attacker can NOT access a victim’s resource by the access token.
We have contributed supporting Holder-of-Key Token
“OAuth2 Certificate Bound Access Tokens” (Included in Keycloak 4.0.0)

3-5 Featured FAPI function : Secure Signature Algorithm
⚫ Refactor sign/verify mechanism
keycloak before 4.5.0 supported only RS256 and it was hardcoded.
We’ve made some part of contribution to refactor sign/verify mechanism with
community and now signature algorithm is pluggable (Signature SPI).
⚫ Signature algorithms other than RS256
keycloak before 4.5.0 supported only RS256 for signature. Crypto specialists say
RS256 is not strong enough. Either PS256 or ES256 is required in FAPI.
We’ve made some part of contribution to support secure signature algorithms :
4.5.0(Tokens) / 4.7.0(Request Object)
ES256, ES384, ES512, HS256, HS384,HS512 are supported.
6.0.0(Tokens, Request Object)
PS256, PS384, PS512 are supported.

3-5 FAPI Conformance Tests : Issues to be resolved
# Item Description
1 OAuth2 Client Authentication in [MTLS] : support
Server Metadata and Client Registration
keycloak(6.0.0) has already implemented OAuth2 Client Authentication
in the way defined in Section 2 of [MTLS]. However, it has not yet
supported its Server Metadata advertisement and Client Registration.
2 OAuth2 Client Authentication in private_key_jwt :
support ES256 or PS256
keycloak(6.0.0) has already supported private_key_jwt, but only
supported RS256 in private_key_jwt.
3 Advertise "acr" claim in "claims_supported" Server
Metadata
keycloak(6.0.0) has already support "acr" claim in ID token, but not
advertise "acr" in "claims_supported" in Server Metadata.
… and so on. All issues and their details can be found in https://github.com/jsoss-sig/keycloak-fapi
[why so many issues arise]
 Implementer's Draft version 1 (2 Feb, 2017)
Read-Only : https://openid.net/specs/openid-financial-api-part-1-ID1.html
Read and Write : https://openid.net/specs/openid-financial-api-part-2-ID1.html
We worked with this version.
◼ Implementer's Draft version 2 (17 Oct, 2018)
Read-Only : https://openid.net/specs/openid-financial-api-part-1-ID2.html
Read and Write : https://openid.net/specs/openid-financial-api-part-2-ID2.html
Conformance test checks requirements on this version.

Concluding Remarks
⚫ We try to support WebAuthn RP’s feature onto keycloak.
Prototype : https://github.com/webauthn4j/keycloak-webauthn-authenticator
Design Document : https://github.com/keycloak/keycloak-community/pull/11
… but not yet completed.
⚫ We try to make keycloak satisfy FAPI’s requirements and get FAPI’s certificate.
Conformance Test Execution : https://github.com/jsoss-sig/keycloak-fapi
… but not yet completed.
We are very happy if you make some contributions to those work.

Takashi Norimatsu
12 June 2019
Hitachi, Ltd.
OSS Solution Center
END
KeyConf 2019 @ STFC Hartree Centre, United Kingdom
Implementing Web Authentication API (WebAuthn)
& Financial-Grade API (FAPI) supports on keycloak
19

Trademark
• FIDO is a trademark or registered trademark of FIDO Alliance, Inc. in the
United States and other countries.
• OpenID is a trademark or registered trademark of OpenID Foundation in the
United States and other countries.
• Github is a trademark or registered trademark of Github, Inc. in the United
States and other countries.
• Other brand names and product names used in this material are trademarks,
registered trademarks, or trade names of their respective holders.

Implementing WebAuthn & FAPI supports on Keycloak

Implementing WebAuthn & FAPI supports on Keycloak

More Related Content

What's hot (20)

Similar to Implementing WebAuthn & FAPI supports on Keycloak (20)

More from Yuichi Nakamura (9)

Recently uploaded (20)

Implementing WebAuthn & FAPI supports on Keycloak