© Hitachi, Ltd. 2020. All rights reserved.
WebAuthn support for keycloak
DevConf.CZ 2020 @ Brno University of Technology, Czech Republic
Hitachi, Ltd.
OSS Solution Center
26 January 2020
Takashi Norimatsu
Self Introduction
Engaging in :
◼ providing support services about OSS.
◼ implementing and contributing promising features to OSS.
The current works :
◼ contributing WebAuthn support to keycloak.
◼ contributing Financial-grade API Security Profile support to keycloak.
Takashi Norimatsu (tnorimat in github) :
OSS Solution Center, Hitachi, Ltd.
@ Yokohama, Japan
* Yokohama : The 2nd largest city in Japan by population, about 35km south west from Tokyo.
* keycloak : The Identity and Access Management (IAM) OSS. Its community is led by Red Hat.
Contents
1. What is WebAuthn?
2. Contribution to Keycloak
3. Use Case
1. What is WebAuthn?
1-1 Overview: WebAuthn (W3C Web Authentication)
[ Motivation : Why we try to support WebAuthn for keycloak ? ]
WebAuthn is a promising technology. Therefore, it will be nothing special for IAM products to support it in the future.
WebAuthn := A Web-based authentication standard by W3C that uses asymmetric cryptography, achieving Password-less and Multi-Factor Authentication and resolving the problems that arise when using password-based authentication.
< WebAuthn Authentication UI (windows) >
1-2 WebAuthn - Registration
Registration := WebAuthn Relying Party (RP) registers a public key generated by WebAuthn Authenticator and binds it with an authenticated user’s ID.
[ Flow between User/Browser, WebAuthn Authenticator and WebAuthn RP (keycloak) ]
1. User/Browser → WebAuthn RP : authenticate user (username/password). The RP now knows the user ID.
2. WebAuthn Authenticator : authenticate user locally; generate key pair (user’s private key / user’s public key) and bind them with the user ID.
3. WebAuthn Authenticator : generate authenticator attestation response including user’s public key and its related information; sign it by vendor’s private key (vendor’s certificate is attached).
4. WebAuthn RP : verify it by vendor’s public key; bind user ID with user’s public key.
WebAuthn RP can confirm :
* The response was generated by the legitimate WebAuthn Authenticator, not tampered and forged.
* The response itself was not tampered, forged.
=> RP can trust its contents.
WebAuthn RP binds authenticated user’s ID with public key generated by WebAuthn Authenticator.
1-3 WebAuthn - Authentication - Multi Factor Authentication
Authentication := WebAuthn Relying Party (RP) verifies the assertion stating the user was authenticated by WebAuthn Authenticator by registered user’s public key.
[ Flow between User/Browser, WebAuthn Authenticator and WebAuthn RP (keycloak) ]
1. User/Browser → WebAuthn RP : authenticate user by 1st factor (password) with username/password. The RP now knows the user ID.
2. WebAuthn Authenticator : authenticate user by 2nd factor (biometrics, e.g. fingerprint) locally.
3. WebAuthn Authenticator : generate authenticator assertion response including user’s public key ID and the user ID (handle); sign it by user’s private key.
4. WebAuthn RP : verify it by user’s public key; compare user ID by 1st factor authentication with one by 2nd factor authentication.
WebAuthn RP can confirm :
* The response itself was not tampered, forged.
=> RP can trust its contents.
* The user bound with the public key was authenticated by multifactor authentication.
1st authentication factor : knowledge factor, by WebAuthn RP
2nd authentication factor : ownership factor / inherence factor, by WebAuthn Authenticator
Due to WebAuthn Authenticator’s nature, its authentication factor is basically “ownership factor”.
1-4 WebAuthn - Authentication - Password-less
Authentication := WebAuthn Relying Party (RP) verifies the assertion stating the user was authenticated by WebAuthn Authenticator by registered user’s public key.
[ Flow between User/Browser, WebAuthn Authenticator and WebAuthn RP (keycloak) ]
1. User/Browser → WebAuthn RP : send username (no password). The RP looks up the user ID.
2. WebAuthn Authenticator : authenticate user by 1st factor (biometrics, e.g. fingerprint) locally.
3. WebAuthn Authenticator : generate authenticator assertion response including user’s public key ID and the user ID (handle); sign it by user’s private key.
4. WebAuthn RP : verify it by user’s public key; compare user ID looked up with one authenticated by WebAuthn Authenticator.
WebAuthn RP can confirm :
* The response itself was not tampered, forged.
=> RP can trust its contents.
* The user bound with the public key was authenticated by password-less authentication.
1st authentication factor : ownership factor / inherence factor, by WebAuthn Authenticator
Due to WebAuthn Authenticator’s nature, its authentication factor is basically “ownership factor”.
1-5 WebAuthn - Authentication - ID & Password-less
Authentication := WebAuthn Relying Party (RP) verifies the assertion stating the user was authenticated by WebAuthn Authenticator by registered user’s public key.
[ Flow between User/Browser, WebAuthn Authenticator and WebAuthn RP (keycloak) ]
1. User/Browser → WebAuthn RP : start authentication; neither username nor password is sent.
2. WebAuthn Authenticator : authenticate user by 1st factor (biometrics, e.g. fingerprint) locally.
3. WebAuthn Authenticator : generate authenticator assertion response including user’s public key ID and the user ID (handle); sign it by user’s private key.
4. WebAuthn RP : look up user’s public key by the public key ID in the response; verify it by user’s public key.
WebAuthn RP can confirm :
* The response itself was not tampered, forged.
=> RP can trust its contents.
* The user bound with the public key was authenticated by ID & password-less authentication.
1st authentication factor : ownership factor / inherence factor, by WebAuthn Authenticator
Due to WebAuthn Authenticator’s nature, its authentication factor is basically “ownership factor”.
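As an added example (not code from these slides, from keycloak or from webauthn4j), the following Go program models the RP-side checks behind steps 3 and 4 of the flows in 1-3 to 1-5: parse clientDataJSON and check its type, challenge and origin; check the rpIdHash and the user-presence / user-verification flags in authenticatorData; require the signature counter to increase; compare the user ID the RP already established (1st-factor login, username lookup, or the owner of the credential ID) with the user ID bound to the key; and verify the ES256 signature under the registered public key. The authenticator side is simulated with a freshly generated P-256 key; the user ID, RP ID, origin and challenge are constructed sample values.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

// Flag bits of authenticatorData (layout: rpIdHash[32] || flags[1] || signCount[4] || ...):
// UP = user present, UV = user verified locally (fingerprint, PIN: the inherence factor).
const flagUP, flagUV = 0x01, 0x04

// Credential is what the RP stored at registration: user ID bound to the key, last counter seen.
type Credential struct {
	UserID    []byte
	PublicKey *ecdsa.PublicKey
	Counter   uint32
}

// clientData holds the fields of clientDataJSON the RP must check.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion is an authenticator assertion response; UserHandle is the user ID (handle) bound to the key.
type Assertion struct {
	AuthData, ClientDataJSON, Signature, UserHandle []byte
}

// signedDigest returns SHA-256(authData || SHA-256(clientDataJSON)), the value ES256 signs.
func signedDigest(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	d := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return d[:]
}

// BuildClientDataJSON mimics what the browser produces for navigator.credentials.get().
func BuildClientDataJSON(challenge, origin string) []byte {
	b, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	return b
}

// SignAssertion simulates the authenticator (constructed for this example): after authenticating
// the user locally it builds authenticatorData with the next counter value and signs it by the user's private key.
func SignAssertion(priv *ecdsa.PrivateKey, userID []byte, counter uint32, rpID string, clientDataJSON []byte, userVerified bool) (Assertion, error) {
	rpIDHash := sha256.Sum256([]byte(rpID))
	authData := make([]byte, 37)
	copy(authData, rpIDHash[:])
	authData[32] = flagUP
	if userVerified {
		authData[32] |= flagUV
	}
	binary.BigEndian.PutUint32(authData[33:], counter)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedDigest(authData, clientDataJSON))
	return Assertion{AuthData: authData, ClientDataJSON: clientDataJSON, Signature: sig, UserHandle: userID}, err
}

// VerifyAssertion is the RP side. expectedUserID is the user the RP already identified (1st-factor
// login, username lookup, or credential owner) and must be the user bound to the key. Returns the new counter to store.
func VerifyAssertion(cred *Credential, a Assertion, rpID, origin, challenge string, requireUV bool, expectedUserID []byte) (uint32, error) {
	var cd clientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil || cd.Type != "webauthn.get" || cd.Challenge != challenge || cd.Origin != origin {
		return 0, errors.New("clientDataJSON invalid, or type/challenge/origin mismatch")
	}
	if len(a.AuthData) < 37 {
		return 0, errors.New("authenticatorData too short")
	}
	if h := sha256.Sum256([]byte(rpID)); !bytes.Equal(a.AuthData[:32], h[:]) {
		return 0, errors.New("rpIdHash does not match this RP")
	}
	if flags := a.AuthData[32]; flags&flagUP == 0 || (requireUV && flags&flagUV == 0) {
		return 0, errors.New("required user presence/verification flag not set")
	}
	counter := binary.BigEndian.Uint32(a.AuthData[33:37])
	if (counter != 0 || cred.Counter != 0) && counter <= cred.Counter {
		return 0, errors.New("signature counter did not increase: replay or cloned authenticator")
	}
	if !bytes.Equal(cred.UserID, expectedUserID) || (len(a.UserHandle) > 0 && !bytes.Equal(a.UserHandle, cred.UserID)) {
		return 0, errors.New("user ID from 1st factor/lookup differs from the user bound to the key")
	}
	if !ecdsa.VerifyASN1(cred.PublicKey, signedDigest(a.AuthData, a.ClientDataJSON), a.Signature) {
		return 0, errors.New("signature does not verify under the registered public key")
	}
	return counter, nil
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	userID := []byte("user-42") // constructed sample user ID
	cred := &Credential{UserID: userID, PublicKey: &priv.PublicKey}
	a, _ := SignAssertion(priv, userID, 1, "login.example.com", BuildClientDataJSON("chal", "https://login.example.com"), true)
	ctr, err := VerifyAssertion(cred, a, "login.example.com", "https://login.example.com", "chal", true, userID)
	fmt.Println("counter:", ctr, "err:", err)
}
```

The same VerifyAssertion serves all three flows: for 1-3 expectedUserID comes from the password login, for 1-4 from the username lookup, and for 1-5 from the credential record found by the public key ID, with requireUV set when the deployment insists on the biometric (inherence) factor rather than mere presence.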
2. Contribution to keycloak
2-1 Contribution Plan / Merged Pull-Requests
Develop
✓ Build a prototype for feasibility study
✓ Write and submit design documents to community to be reviewed and approved
✓ Implement WebAuthn RP’s features to keycloak based on the approved design
Merged
✓ Issue pull requests to keycloak to be reviewed and approved
✓ Make them merged onto keycloak
Certified
☐ Pass conformance Self-Validation Testing against keycloak
☐ Get certificate confirming that keycloak complies with FIDO2 2.0 Specification for Servers (managed and presented by FIDO Alliance)
Merged Pull-Requests
# | JIRA Ticket | Description | Pull Request | Included Version
1 | KEYCLOAK-9360 | Two factor authentication with W3C Web Authentication - WIP 1st impl phase | 6248 | 8.0.0
2 | KEYCLOAK-11743 | Update to webauthn4j 0.9.14.RELEASE and add apache-kerby-asn1:2.0.0 dependency | 6401 | 8.0.0
3 | KEYCLOAK-11372 | Support for attestation statement verification | 6449 | 8.0.0
2-2 Design
[ Design Document ]
https://github.com/keycloak/keycloak-community/blob/master/design/web-authn-authenticator.md
Major topics (two picked up here):
◼ Verifying Attestation Statement and Authentication Assertion
• On registration, an attestation certificate should be verified.
Need to manage trust anchor certificate sources.
• On registration and authentication, keycloak needs to verify the information returned from the Web Authentication API (e.g. navigator.credentials.create(), .get()).
Need to choose an appropriate library to handle them.
We adopted “webauthn4j” (https://github.com/webauthn4j/webauthn4j) as the core library; it has passed all mandatory test cases and the optional Android Key attestation test cases of the FIDO2 Test Tools provided by FIDO Alliance.
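Added example (not the slides’ code and not keycloak’s or webauthn4j’s implementation) for the registration-time verification of 1-2 and the “trust anchor certificate sources” design point above. A constructed vendor root certificate plays the RP’s trust anchor, an attestation certificate issued under it stands in for the certificate a real authenticator carries, and the RP accepts the attestation signature only when that certificate chains to a configured anchor and the signature covers the authenticator data produced for this RP. The signing input, authenticatorData || SHA-256(clientDataJSON), is the packed-attestation format’s; the vendor names, RP ID and authenticator data are constructed samples, and the attested credential data that follows the counter is omitted.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// VendorPKI is a constructed stand-in for an authenticator vendor: a root certificate the RP
// configures as trust anchor, and the attestation certificate (with key) a real authenticator carries.
type VendorPKI struct {
	Root, AttCert *x509.Certificate
	attKey        *ecdsa.PrivateKey
}

func newCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewVendorPKI builds a self-signed vendor root and an attestation certificate issued by it.
func NewVendorPKI(vendor string) (*VendorPKI, error) {
	rootKey, err1 := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	attKey, err2 := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err1 != nil || err2 != nil {
		return nil, errors.New("key generation failed")
	}
	now := time.Now()
	rootTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: vendor + " Root"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	root, err := newCert(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	attTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: vendor + " Attestation"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature}
	att, err := newCert(attTmpl, root, &attKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	return &VendorPKI{Root: root, AttCert: att, attKey: attKey}, nil
}

// attestationToBeSigned is the packed-attestation signing input: authenticatorData || SHA-256(clientDataJSON).
func attestationToBeSigned(authData, clientDataJSON []byte) []byte {
	h := sha256.Sum256(clientDataJSON)
	return append(append([]byte{}, authData...), h[:]...)
}

// SignAttestation is the authenticator side: sign the response by the vendor's private key (ES256).
func (v *VendorPKI) SignAttestation(authData, clientDataJSON []byte) ([]byte, error) {
	d := sha256.Sum256(attestationToBeSigned(authData, clientDataJSON))
	return ecdsa.SignASN1(rand.Reader, v.attKey, d[:])
}

// VerifyAttestation is the RP side at registration: the attestation certificate must chain to one
// of the RP's trust anchors and its signature must cover authenticator data made for this RP.
// Only then may the RP bind the user ID to the public key carried in authData.
func VerifyAttestation(trustAnchors *x509.CertPool, attCert *x509.Certificate, rpID string, authData, clientDataJSON, sig []byte) error {
	if h := sha256.Sum256([]byte(rpID)); len(authData) < 37 || !bytes.Equal(authData[:32], h[:]) {
		return errors.New("authenticatorData too short or rpIdHash does not match this RP")
	}
	opts := x509.VerifyOptions{Roots: trustAnchors, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := attCert.Verify(opts); err != nil {
		return fmt.Errorf("attestation certificate does not chain to a trusted vendor: %w", err)
	}
	if err := attCert.CheckSignature(x509.ECDSAWithSHA256, attestationToBeSigned(authData, clientDataJSON), sig); err != nil {
		return fmt.Errorf("attestation signature invalid: %w", err)
	}
	return nil
}

// SampleAuthData is a constructed minimal authenticatorData for rpID with the UP and AT flags set;
// a real one continues with AAGUID, credential ID and the COSE-encoded user public key.
func SampleAuthData(rpID string) []byte {
	h := sha256.Sum256([]byte(rpID))
	return append(h[:], 0x01|0x40, 0, 0, 0, 0)
}

func main() {
	v, _ := NewVendorPKI("Example Vendor") // constructed vendor, not a real one
	anchors := x509.NewCertPool()
	anchors.AddCert(v.Root)
	ad := SampleAuthData("login.example.com")
	cdj := []byte(`{"type":"webauthn.create","challenge":"chal","origin":"https://login.example.com"}`)
	sig, _ := v.SignAttestation(ad, cdj)
	fmt.Println("trusted vendor:", VerifyAttestation(anchors, v.AttCert, "login.example.com", ad, cdj, sig))
	fmt.Println("no anchors:", VerifyAttestation(x509.NewCertPool(), v.AttCert, "login.example.com", ad, cdj, sig))
}
```

The CertPool is the "trust anchor certificate source" of the design document: an empty pool, or one missing this vendor's root, makes the same signed response fail, which is the behaviour an admin relies on when deciding which authenticator vendors a deployment accepts.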
2-3 Current Status
Basic WebAuthn support has been merged and released in keycloak-8.0.0.
◼ Registration
• Settings (navigator.credentials.create(), .get() options)
https://www.keycloak.org/docs/8.0/server_admin/index.html#managing-webauthn-as-an-administrator
• Attestation Statement Verification
https://www.keycloak.org/docs/8.0/server_admin/index.html#attestation-statement-verification
◼ Authentication
• 2FA
https://www.keycloak.org/docs/8.0/server_admin/index.html#setup
• Password-less
https://www.keycloak.org/docs/8.0/server_admin/index.html#creating-a-password-less-browser-login-flow
Notes:
Whether WebAuthn’s operations succeed depends on the user’s WebAuthn-supporting authenticator, browser and platform.
2-4 In the Future
◼ Account Recovery
If my smart device (WebAuthn Authenticator) has been lost …
https://fidoalliance.org/recommended-account-recovery-practices/
◼ Registration Acceptance Control based on various kinds of criteria
The admin wants to accept only the WebAuthn Authenticator that has the capability of authentication by fingerprint.
The admin wants to accept only the WebAuthn Authenticator to which no vulnerability is reported.
⇒ Metadata Statement from FIDO Alliance Metadata Service (MDS)
https://fidoalliance.org/metadata/
◼ Authentication Acceptance Control based on various kinds of criteria
The admin wants to accept only the result of the authentication by biometrics factor.
⇒ WebAuthn Extension: User Verification Method Extension (uvm)
https://www.w3.org/TR/webauthn/#sctn-uvm-extension
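Added example, not part of the slides and not a keycloak feature, of what the two acceptance controls above amount to in code. The registration policy reads the status reports and user verification details of an MDS metadata statement; the authentication policy reads the uvm extension output. The method bit values are those of the FIDO Registry of Predefined Values and the status strings are MDS authenticator status values; the MetadataStatement struct is a constructed subset of the MDS schema (MDS nests the method names in VerificationMethodDescriptor objects, flattened here to plain strings), and the sample metadata is constructed, not a real MDS entry.

```go
package main

import (
	"errors"
	"fmt"
)

// User verification method bit values from the FIDO Registry of Predefined Values; the uvm
// extension reports each method used as [method, keyProtection, matcherProtection].
const (
	uvPresenceInternal    = 0x0001
	uvFingerprintInternal = 0x0002
	uvPasscodeInternal    = 0x0004
	uvVoiceprintInternal  = 0x0008
	uvFaceprintInternal   = 0x0010
	uvEyeprintInternal    = 0x0040
	uvHandprintInternal   = 0x0100
	// Inherence-factor (biometric) methods an admin may require for authentication acceptance.
	uvBiometric = uvFingerprintInternal | uvVoiceprintInternal | uvFaceprintInternal | uvEyeprintInternal | uvHandprintInternal
)

// StatusReport and MetadataStatement hold the parts of an MDS metadata statement this policy
// reads (a constructed subset; method names are flattened to strings here).
type StatusReport struct {
	Status        string
	EffectiveDate string
}

type MetadataStatement struct {
	Description             string
	UserVerificationDetails [][]string // alternatives; each inner list is a combination of methods
	StatusReports           []StatusReport
}

// compromised lists MDS status values under which an authenticator model is not accepted.
var compromised = map[string]bool{
	"USER_VERIFICATION_BYPASS": true, "ATTESTATION_KEY_COMPROMISE": true,
	"USER_KEY_REMOTE_COMPROMISE": true, "USER_KEY_PHYSICAL_COMPROMISE": true, "REVOKED": true,
}

// AcceptRegistration accepts only authenticator models that can verify the user by fingerprint
// and for which no vulnerability has been reported.
func AcceptRegistration(md MetadataStatement) error {
	for _, r := range md.StatusReports {
		if compromised[r.Status] {
			return fmt.Errorf("%s rejected: status %s reported on %s", md.Description, r.Status, r.EffectiveDate)
		}
	}
	for _, alt := range md.UserVerificationDetails {
		for _, m := range alt {
			if m == "fingerprint_internal" {
				return nil
			}
		}
	}
	return errors.New(md.Description + " rejected: no fingerprint user verification")
}

// AcceptAuthentication accepts the assertion only if the uvm extension reports that a
// biometric method was used for this authentication.
func AcceptAuthentication(uvm [][3]uint32) error {
	for _, e := range uvm {
		if e[0]&uvBiometric != 0 {
			return nil
		}
	}
	return errors.New("rejected: no biometric user verification method reported")
}

func main() {
	// Constructed sample metadata, not a real MDS entry.
	md := MetadataStatement{Description: "Example Model A",
		UserVerificationDetails: [][]string{{"presence_internal"}, {"fingerprint_internal"}},
		StatusReports:           []StatusReport{{Status: "FIDO_CERTIFIED_L1", EffectiveDate: "2019-06-01"}}}
	fmt.Println("registration:", AcceptRegistration(md))
	fmt.Println("authentication:", AcceptAuthentication([][3]uint32{{uvFingerprintInternal, 1, 1}}))
}
```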
3. Use Case
3-1 Financial-grade API (FAPI) Security Profile
[ What’s FAPI ? ]
OAuth 2.0’s security profile of APIs intended for financial institutions
[ Motivation : Why we try it? ]
We would like to apply keycloak in the financial sector, which requires a high security level for APIs.
In Japan…
◆ The revised banking act was published in Jun 2017 to promote API. Similar to PSD2 in EU.
◆ 83% of banks (114 banks) answered they will open API by Jun 2020 (*).
◆ OAuth 2.0 is recognized as a key technology to secure API. FAPI is also being required.
(*) Based on survey of Japanese Bankers Association as of Dec 2017. Quoted from Report about open API by the Japanese Bankers Association: https://www.zenginkyo.or.jp/fileadmin/res/news/news290713_3.pdf
In UK…
◆ UK OpenBanking security profile is based on FAPI.
(https://bitbucket.org/openid/obuk/src/master/uk-openbanking-security-profile.md)
3-2 FAPI Flow for the first API Access
[Phase] (between User/Browser, Client App, Authz Server and API Server)
1. Authz Code Request : Client App redirects User/Browser to Authz Server.
2. User Authentication (User Consent) : at Authz Server.
3. Authz Code Response : Authz Server redirects User/Browser back to Client App with the authz code.
4. Token Request (Client Authentication) : Client App presents the authz code to Authz Server and receives an access token.
5. API Access : Client App presents the access token to API Server.
FAPI Flow for the first API Access : based on and complies with OAuth 2.0 Authorization Code Grant and OIDC Hybrid Flow.
Phase 3 and 5 are required in this flow, but out of scope of OAuth 2.0 Authorization Code Grant and OIDC Hybrid Flow. Instead, FAPI describes its own security requirements in phase 3 and 5.
Authz Code Request / Response : Client App receives the authz code indicating that a user was authenticated and authorized the API access to Client App in the range of the determined scope.
Token Request / Response : In return for the authz code, Client App receives an access token which has the right to access the API in the range of the determined scope.
3-3 FAPI : Highly Credible User Authentication
[What FAPI checks in each phase] (between User/Browser, Client App, Authz Server and API Server)
1. Authz Code Request (redirect)
* Request not tampered.
* Request generated by legitimate Client App.
2. User Authentication (User Consent)
* User authenticated by highly credible way.
3. Authz Code Response (redirect)
* Response not tampered.
* Response generated by legitimate Authz Server.
4. Token Request (Client Authentication)
* Client App authenticated by highly credible way.
* Token received by legitimate Client App.
5. API Access
* Token exercised by legitimate Client App.
3-4 FAPI : Highly Credible User Authentication - MFA by WebAuthn
USE CASE : Using keycloak as Authz Server for securing APIs providing financial services to customers. It needs to satisfy a high security level.
[Phase] 2. User Authentication (User Consent), between User/Browser, WebAuthn Authenticator and Authz Server (keycloak)
1. User/Browser → Authz Server (keycloak) : authenticate user by 1st factor (password) with username/password. keycloak now knows the user ID.
2. WebAuthn Authenticator : authenticate user by 2nd factor (biometrics, e.g. fingerprint) locally.
3. WebAuthn Authenticator : generate authenticator assertion response including user’s public key ID and the user ID (handle); sign it by user’s private key.
4. Authz Server (keycloak) : verify it by user’s public key; compare user ID by 1st factor authentication with one by 2nd factor authentication; authentication/consent completes.
keycloak can confirm : User was authenticated by multifactor authentication.
Need to register user’s public key in keycloak in advance by WebAuthn’s manner (Registration).
Due to WebAuthn Authenticator’s nature, its authentication factor is basically “ownership factor”.
FAPI does not require WebAuthn itself. FAPI requires Level of Assurance (LoA) 3 defined in ITU-T X.1254 (to say shortly, MFA). WebAuthn is a promising candidate satisfying it.
Concluding Remarks
✓ WebAuthn is a promising technology for Password-less and Multi-Factor Authentication.
✓ Basic WebAuthn support for keycloak has been contributed, but there is still a lot to do in the future.
✓ A possible use case of WebAuthn is securing APIs providing financial services by the FAPI security profile.
Trademarks
• FIDO is a trademark or registered trademark of FIDO Alliance, Inc. in the
United States and other countries.
• GitHub is a trademark or registered trademark of GitHub, Inc. in the United
States and other countries.
• Red Hat is a trademark or registered trademark of Red Hat, Inc. in the United
States and other countries.
• Other brand names and product names used in this material are trademarks,
registered trademarks, or trade names of their respective holders.
DevConf.CZ 2020 @ Brno, Czech Republic : WebAuthn support for keycloak

More Related Content

PPTX
What API Specifications and Tools Help Engineers to Construct a High-Security...
PPTX
APIdays London 2020: Toward certifying Financial-grade API security profile w...
PPTX
Implementing security and availability requirements for banking API system us...
PDF
Implementing WebAuthn & FAPI supports on Keycloak
PPTX
Apache con@home 2021_sha
PDF
Implementing security requirements for banking API system using Open Source ...
PPTX
Lightweight Zero-trust Network Implementation and Transition with Keycloak an...
PDF
Consideration on Holder-of-Key Bound Token < from Financial-grade API (FAPI) ...
What API Specifications and Tools Help Engineers to Construct a High-Security...
APIdays London 2020: Toward certifying Financial-grade API security profile w...
Implementing security and availability requirements for banking API system us...
Implementing WebAuthn & FAPI supports on Keycloak
Apache con@home 2021_sha
Implementing security requirements for banking API system using Open Source ...
Lightweight Zero-trust Network Implementation and Transition with Keycloak an...
Consideration on Holder-of-Key Bound Token < from Financial-grade API (FAPI) ...

What's hot (20)

PDF
Secure Webservices
PDF
Vbrownbag container networking for real workloads
PDF
Modern authentication in Sling with Openid Connect and Keycloak - Adapt.to 20...
PPTX
DEVNET-2010 Remote Expert Mobile Web/Android/iOS SDK Live Coding Tutorial and...
PDF
API Design Principles Essential 
PDF
Enterprise Single Sign On
PDF
Authlete: API Authorization Enabler for API Economy
PDF
Keycloak Single Sign-On
PDF
DEVNET-2011 Jabber Guest - Android SDK Live Coding Tutorial
PPTX
Service Mesh - Why? How? What?
PDF
Cloud Native Java with Spring Cloud Services
PDF
WSO2 API Microgateway for Easier Development and Greater Scalability
PDF
Kasten securing access to your kubernetes applications
PDF
OPTiM StoreにおけるSCIM & OIDC活用事例 - ID&IT 2016
ODP
Liferay Module Framework
PPTX
Implementing PII Encryption with PDX Serialization
PDF
2013.devcon3 liferay and google authenticator integration rafik_harabi
PPTX
Liferay on docker
PDF
Moved to https://slidr.io/azzazzel/leveraging-osgi-to-create-extensible-plugi...
PPTX
OpenId Connect Protocol
Secure Webservices
Vbrownbag container networking for real workloads
Modern authentication in Sling with Openid Connect and Keycloak - Adapt.to 20...
DEVNET-2010 Remote Expert Mobile Web/Android/iOS SDK Live Coding Tutorial and...
API Design Principles Essential 
Enterprise Single Sign On
Authlete: API Authorization Enabler for API Economy
Keycloak Single Sign-On
DEVNET-2011 Jabber Guest - Android SDK Live Coding Tutorial
Service Mesh - Why? How? What?
Cloud Native Java with Spring Cloud Services
WSO2 API Microgateway for Easier Development and Greater Scalability
Kasten securing access to your kubernetes applications
OPTiM StoreにおけるSCIM & OIDC活用事例 - ID&IT 2016
Liferay Module Framework
Implementing PII Encryption with PDX Serialization
2013.devcon3 liferay and google authenticator integration rafik_harabi
Liferay on docker
Moved to https://slidr.io/azzazzel/leveraging-osgi-to-create-extensible-plugi...
OpenId Connect Protocol
Ad

Similar to DevConf.CZ 2020 @ Brno, Czech Republic : WebAuthn support for keycloak (20)

PDF
KubeConRecap_nakamura.pdf
PDF
WebAuthn & FIDO2
PDF
Securing a Web App with Passwordless Web Authentication
PDF
Securing a Web App with Security Keys
PDF
Guide of authentication and authorization for cloud native applications with ...
PDF
apidays Paris 2022 - Securing APIs in Open Banking, Takashi Norimatsu, Hitachi
PPTX
2022 APIsecure_Why Assertion-based Access Token is preferred to Handle-based ...
PPTX
Why Assertion-based Access Token is preferred to Handle-based one?
PDF
Exploring Best Practice for Implementing Authn and Authz in a Cloud-Native En...
PPTX
Exploring Best Practices for Implementing Authn and Authz in a Cloud-Native E...
PDF
EduID Mobile App - Use-Cases, Concepts and Implementation
PDF
OAuth for QuickBooks Online REST Services
PDF
Developer Tutorial: WebAuthn for Web & FIDO2 for Android
PPTX
Microservice Protection With WSO2 Identity Server
PDF
Seamless OAuth2.0 and OpenID Connect in VAST
PDF
OpenStack Architecture
PDF
OpenStack Architecture
PDF
Digital Locker Requester API Specification v1 0
PDF
Digital Locker Requester Api Specification v1 0
PPTX
Microservices security - jpmc tech fest 2018
KubeConRecap_nakamura.pdf
WebAuthn & FIDO2
Securing a Web App with Passwordless Web Authentication
Securing a Web App with Security Keys
Guide of authentication and authorization for cloud native applications with ...
apidays Paris 2022 - Securing APIs in Open Banking, Takashi Norimatsu, Hitachi
2022 APIsecure_Why Assertion-based Access Token is preferred to Handle-based ...
Why Assertion-based Access Token is preferred to Handle-based one?
Exploring Best Practice for Implementing Authn and Authz in a Cloud-Native En...
Exploring Best Practices for Implementing Authn and Authz in a Cloud-Native E...
EduID Mobile App - Use-Cases, Concepts and Implementation
OAuth for QuickBooks Online REST Services
Developer Tutorial: WebAuthn for Web & FIDO2 for Android
Microservice Protection With WSO2 Identity Server
Seamless OAuth2.0 and OpenID Connect in VAST
OpenStack Architecture
OpenStack Architecture
Digital Locker Requester API Specification v1 0
Digital Locker Requester Api Specification v1 0
Microservices security - jpmc tech fest 2018
Ad

More from Hitachi, Ltd. OSS Solution Center. (20)

PPTX
Securing Model Context Protocol with Keycloak: AuthN/AuthZ for MCP Servers
PDF
API認可を支えるKeycloakの基本と設計の考え方 ~ OAuth/OIDCによるAPI保護のベストプラクティス ~
PPTX
Hitachi’s Keycloak Journey - Evolution of Business and Community
PPTX
Mastering Authorization: Integrating Authentication and Authorization Data in...
PDF
KubeCon + CloudNativeCon North America セキュリティ周りrecap
PDF
Let’s Join Cloud Native Computing Foundation TAG Security APAC!
PPTX
CloudNativeSecurityCon North America 2024 Overview
PPTX
How Does a Workload Authenticate an API Request?: Implementing Transaction To...
PDF
Authentication and Authorization of The Latest Keycloak
PDF
KeycloakのCNCF incubating project入りまでのアップストリーム活動の歩み
PDF
KubeCon NA 2023 Recap: Challenge to Implementing “Scalable” Authorization wit...
PPTX
パスキーでリードする: NGINXとKeycloakによる効率的な認証・認可
PPTX
Keycloakの全体像: 基本概念、ユースケース、そして最新の開発動向
PPTX
Challenge to Implementing "Scalable" Authorization with Keycloak
PPTX
NGINXでの認可について考える
PPTX
Security Considerations for API Gateway Aggregation
PPTX
KeycloakでFAPIに対応した高セキュリティなAPIを公開する
PDF
IDガバナンス&管理の基礎
PPTX
Keycloakのステップアップ認証について
PPTX
NGINXをBFF (Backend for Frontend)として利用した話
Securing Model Context Protocol with Keycloak: AuthN/AuthZ for MCP Servers
API認可を支えるKeycloakの基本と設計の考え方 ~ OAuth/OIDCによるAPI保護のベストプラクティス ~
Hitachi’s Keycloak Journey - Evolution of Business and Community
Mastering Authorization: Integrating Authentication and Authorization Data in...
KubeCon + CloudNativeCon North America セキュリティ周りrecap
Let’s Join Cloud Native Computing Foundation TAG Security APAC!
CloudNativeSecurityCon North America 2024 Overview
How Does a Workload Authenticate an API Request?: Implementing Transaction To...
Authentication and Authorization of The Latest Keycloak
KeycloakのCNCF incubating project入りまでのアップストリーム活動の歩み
KubeCon NA 2023 Recap: Challenge to Implementing “Scalable” Authorization wit...
パスキーでリードする: NGINXとKeycloakによる効率的な認証・認可
Keycloakの全体像: 基本概念、ユースケース、そして最新の開発動向
Challenge to Implementing "Scalable" Authorization with Keycloak
NGINXでの認可について考える
Security Considerations for API Gateway Aggregation
KeycloakでFAPIに対応した高セキュリティなAPIを公開する
IDガバナンス&管理の基礎
Keycloakのステップアップ認証について
NGINXをBFF (Backend for Frontend)として利用した話

Recently uploaded (20)

PDF
Adobe Illustrator 28.6 Crack My Vision of Vector Design
PPTX
VVF-Customer-Presentation2025-Ver1.9.pptx
PPTX
CHAPTER 2 - PM Management and IT Context
PDF
Why TechBuilder is the Future of Pickup and Delivery App Development (1).pdf
PPTX
L1 - Introduction to python Backend.pptx
PDF
System and Network Administration Chapter 2
PPTX
CHAPTER 12 - CYBER SECURITY AND FUTURE SKILLS (1) (1).pptx
PDF
Internet Downloader Manager (IDM) Crack 6.42 Build 42 Updates Latest 2025
PPTX
ManageIQ - Sprint 268 Review - Slide Deck
PDF
Claude Code: Everyone is a 10x Developer - A Comprehensive AI-Powered CLI Tool
PDF
Internet Downloader Manager (IDM) Crack 6.42 Build 41
PPT
Introduction Database Management System for Course Database
PDF
Addressing The Cult of Project Management Tools-Why Disconnected Work is Hold...
PPTX
ISO 45001 Occupational Health and Safety Management System
PPTX
Lecture 3: Operating Systems Introduction to Computer Hardware Systems
PDF
SAP S4 Hana Brochure 3 (PTS SYSTEMS AND SOLUTIONS)
PPTX
Online Work Permit System for Fast Permit Processing
PPTX
Odoo POS Development Services by CandidRoot Solutions
PDF
How Creative Agencies Leverage Project Management Software.pdf
PDF
medical staffing services at VALiNTRY
Adobe Illustrator 28.6 Crack My Vision of Vector Design
VVF-Customer-Presentation2025-Ver1.9.pptx
CHAPTER 2 - PM Management and IT Context
Why TechBuilder is the Future of Pickup and Delivery App Development (1).pdf
L1 - Introduction to python Backend.pptx
System and Network Administration Chapter 2
CHAPTER 12 - CYBER SECURITY AND FUTURE SKILLS (1) (1).pptx
Internet Downloader Manager (IDM) Crack 6.42 Build 42 Updates Latest 2025
ManageIQ - Sprint 268 Review - Slide Deck
Claude Code: Everyone is a 10x Developer - A Comprehensive AI-Powered CLI Tool
Internet Downloader Manager (IDM) Crack 6.42 Build 41
Introduction Database Management System for Course Database
Addressing The Cult of Project Management Tools-Why Disconnected Work is Hold...
ISO 45001 Occupational Health and Safety Management System
Lecture 3: Operating Systems Introduction to Computer Hardware Systems
SAP S4 Hana Brochure 3 (PTS SYSTEMS AND SOLUTIONS)
Online Work Permit System for Fast Permit Processing
Odoo POS Development Services by CandidRoot Solutions
How Creative Agencies Leverage Project Management Software.pdf
medical staffing services at VALiNTRY

DevConf.CZ 2020 @ Brno, Czech Republic : WebAuthn support for keycloak

  • 1. © Hitachi, Ltd. 2020. All rights reserved. WebAuthn support for keycloak DevConf.CZ 2020 @ Brno University of Technology, Czech Republic Hitachi, Ltd. OSS Solution Center 26 January 2020 Takashi Norimatsu
  • 2. 1© Hitachi, Ltd. 2020. All rights reserved. Self Introduction Engaging in : ◼ providing support services about OSS. ◼ implementing and contributing promising features to OSS. The current works :  contributing WebAuthn support to keycloak.  contributing Financial-grade API Security Profile support to keycloak. Takashi Norimatsu (tnorimat in github) : OSS Solution Center, Hitachi, Ltd. @ Yokohama, Japan * Yokohama : The 2nd largest city in Japan by population, about 35km south west from Tokyo. * keycloak : The Identity and Access Management (IAM) OSS. Its community is led by Red Hat.
  • 3. © Hitachi, Ltd. 2020. All rights reserved. 1. What is WebAuthn? 2. Contribution to Keycloak Contents 2 3. Use Case
  • 4. 3© Hitachi, Ltd. 2020. All rights reserved. 1. What is WebAuthn?
  • 5. 4© Hitachi, Ltd. 2020. All rights reserved. 1-1 Overview: WebAuthn (W3C Web Authentication) [ Motivation : Why we try to support WebAuthn for keycloak ? ] WebAuthn is promising technology. Therefore, it will be nothing special for IAM products to support it in the future. WebAuthn := Asymmetric Cryptography used Web based authentication standard by W3C achieving Password-less and Multi-Factor Authentication, resolving problems arising when using password-based authentication. < WebAuthn Authentication UI (windows) >
  • 6. 5© Hitachi, Ltd. 2020. All rights reserved. User/Browser WebAuthn RP (keycloak) Registration := WebAuthn Relying Party(RP) registers a public key generated by WebAuthn Authenticator and bind it with an authenticated user’s ID. WebAuthn Authenticator Authenticate user locally Generate authenticator attestation response including user’s public key and its related information Sign it by vendor’s private key Verify it by vendor’s public key. WebAuthn RP can confirm : * The response was generated by the legitimate WebAuthn Authenticator, not tampered and forged. * The response itself was not tampered, forged. => RP can trust its contents. Authenticate user user ID user’s private key authentication authenticator attestation response 1-2 WebAuthn - Registration vendor’s private key vendor’s public key user’s public key Generate key pair and bind them with user ID Bind user ID with user’s public key WebAuthn RP binds authenticated user’s ID with public key generated by WebAuthn Authenticator. vendor’s certificate username/ password
  • 7. 6© Hitachi, Ltd. 2020. All rights reserved. User/Browser Authentication := WebAuthn Relying Party(RP) verifies the assertion stating the user was authenticated by WebAuthn Authenticator by registered user’s public key. WebAuthn Authenticator Verify it by user’s public key. Authenticate user by 1st factor (password). user ID user’s public key authentication username/ password Compare user ID by 1st factor authentication with one by 2nd factor authentication. authenticator assertion response 1-3 WebAuthn - Authentication - Multi Factor Authentication Due to WebAuthn Authenticator’s nature, its authentication factor is basically “ownership factor”. user’s private key user ID (handle) authentication fingerprint Authenticate user by 2nd factor (biometrics) locally. Generate authenticator assertion response including user’s public key ID. Sign it by user’s private key. WebAuthn RP (keycloak) WebAuthn RP can confirm : * The response itself was not tampered, forged. => RP can trust its contents. * The user bound with the public key was authenticated by multifactor authentication. 1st authentication factor : knowledge factor by WebAuthn RP 2nd authentication factor : ownership factor / inherence factor by WebAuthn Authenticator
  • 8. 7© Hitachi, Ltd. 2020. All rights reserved. User/Browser WebAuthn Authenticator Look up user ID user ID username authenticator assertion response 1-4 WebAuthn - Authentication - Password-less Authentication := WebAuthn Relying Party(RP) verifies the assertion stating the user was authenticated by WebAuthn Authenticator by registered user’s public key. Due to WebAuthn Authenticator’s nature, its authentication factor is basically “ownership factor”. Compare user ID looked up with one authenticated by WebAuthn Authenticator. Verify it by user’s public key. user’s public key user’s private key user ID (handle) authentication fingerprint Authenticate user by 1st factor (biometrics) locally. Generate authenticator assertion response including user’s public key ID. Sign it by user’s private key. WebAuthn RP (keycloak) WebAuthn RP can confirm : * The response itself was not tampered, forged. => RP can trust its contents. * The user bound with the public key was authenticated by password-less authentication. 1st authentication factor : ownership factor / inherence factor by WebAuthn Authenticator
  • 9. 8© Hitachi, Ltd. 2020. All rights reserved. User/Browser WebAuthn Authenticator Verify it by user’s public key. authenticator assertion response 1-5 WebAuthn - Authentication - ID & Password-less Authentication := WebAuthn Relying Party(RP) verifies the assertion stating the user was authenticated by WebAuthn Authenticator by registered user’s public key. Due to WebAuthn Authenticator’s nature, its authentication factor is basically “ownership factor”. user’s public key Look up user’s public keyuser’s private key user ID (handle) authentication fingerprint Authenticate user by 1st factor (biometrics) locally. Generate authenticator assertion response including user’s public key ID. Sign it by user’s private key. WebAuthn RP (keycloak) WebAuthn RP can confirm : * The response itself was not tampered, forged. => RP can trust its contents. * The user bound with the public key was authenticated by ID & password-less authentication. 1st authentication factor : ownership factor / inherence factor by WebAuthn Authenticator
  • 10. 9© Hitachi, Ltd. 2020. All rights reserved. 2. Contribution to keycloak
  • 11. 10© Hitachi, Ltd. 2020. All rights reserved. 2-1 Contribution Plan / Merged Pull-Requests Develop ✓ Build a prototype for feasibility study ✓ Write and submit design documents to community to be reviewed and approved ✓ Implement WebAuthn RP’s features to keycloak based on the approved design Merged ✓ Issue pull requests to keycloak to be reviewed and approved ✓ Make them merged onto keycloak Certified  Pass conformance Self-Validation Testing against keycloak  Get certificate confirming that keycloak complies with FIDO2 2.0 Specification for Servers (managed and presented by FIDO Alliance) # JIRA Ticket Description Pull Request Included Version 1 KEYCLOAK-9360 Two factor authentication with W3C Web Authentication - WIP 1st impl phase 6248 8.0.0 2 KEYCLOAK-11743 Update to webauthn4j 0.9.14.RELEASE and add apache-kerby-asn1:2.0.0 dependency 6401 8.0.0 3 KEYCLOAK-11372 Support for attestation statement verification 6449 8.0.0 Merged Pull-Requests
  • 12. 11© Hitachi, Ltd. 2020. All rights reserved. 2-2 Design [ Design Document ] https://github.com/keycloak/keycloak-community/blob/master/design/web-authn- authenticator.md Major topics (two picked up here):  Verifying Attestation Statement and Authentication Assertion • On registration, an attestation certificate should be verified. Need to manage trust anchor certificate sources. • On registration and authentication, keycloak need to verify information returned from Web Authentication API (e.g. navigator.credentials.create(), .get()) Need to choose an appropriate library to treat them. We adopted “webauthn4j” (https://github.com/webauthn4j/webauthn4j) as a core library where all mandatory test cases and optional Android Key attestation test cases of FIDO2 Test Tools provided by FIDO Alliance has been passed.
  • 13. 2-3 Current Status
  Basic WebAuthn support has been merged and released in keycloak-8.0.0.
  ◼ Registration
    • Settings (navigator.credentials.create(), .get() options)
      https://www.keycloak.org/docs/8.0/server_admin/index.html#managing-webauthn-as-an-administrator
    • Attestation Statement Verification
      https://www.keycloak.org/docs/8.0/server_admin/index.html#attestation-statement-verification
  ◼ Authentication
    • 2FA
      https://www.keycloak.org/docs/8.0/server_admin/index.html#setup
    • Password-less
      https://www.keycloak.org/docs/8.0/server_admin/index.html#creating-a-password-less-browser-login-flow
  Notes : Whether WebAuthn's operations succeed depends on the user's WebAuthn-supporting authenticator, browser and platform.
  • 14. 2-4 In the Future
  ◼ Account Recovery
    If my smart device (WebAuthn Authenticator) has been lost …
    https://fidoalliance.org/recommended-account-recovery-practices/
  ◼ Registration Acceptance Control based on various kinds of criteria
    The admin wants to accept only WebAuthn Authenticators that have the capability of authentication by fingerprint.
    The admin wants to accept only WebAuthn Authenticators for which no vulnerability is reported.
    ⇒ Metadata Statement from FIDO Alliance Metadata Service (MDS) https://fidoalliance.org/metadata/
  ◼ Authentication Acceptance Control based on various kinds of criteria
    The admin wants to accept only the result of authentication by a biometric factor.
    ⇒ WebAuthn Extension : User Verification Method Extension (uvm) https://www.w3.org/TR/webauthn/#sctn-uvm-extension
  • 15. 3. Use Case
  • 16. 3-1 Financial-grade API (FAPI) Security Profile
  [ What's FAPI ? ]
  OAuth 2.0's security profile of APIs intended for financial institutions.
  [ Motivation : Why we try it ? ]
  We would like to apply keycloak in the financial sector, which requires a high security level for APIs.
  In Japan…
    ◆ The revised Banking Act was published in Jun 2017 to promote APIs. Similar to PSD2 in the EU.
    ◆ 83% of banks (114 banks) answered that they will open APIs by Jun 2020 (*).
    ◆ OAuth 2.0 is recognized as a key technology to secure APIs. FAPI is also being required.
  In the UK…
    ◆ The UK OpenBanking security profile is based on FAPI.
      (https://bitbucket.org/openid/obuk/src/master/uk-openbanking-security-profile.md)
  (*) Based on a survey by the Japanese Bankers Association as of Dec 2017. Quoted from the report about open APIs by the Japanese Bankers Association : https://www.zenginkyo.or.jp/fileadmin/res/news/news290713_3.pdf
  • 17. 3-2 FAPI Flow for the first API Access
  [ Participants ] User/Browser, Client App, Authz Server, API Server
  [ Phase ]
    1. Authz Code Request (Client App -> Authz Server, via browser redirect)
    2. User Authentication (User Consent)
    3. Authz Code Response (Authz Server -> Client App, via browser redirect) : authz code
    4. Token Request (Client Authentication) (Client App -> Authz Server) : authz code sent, access token returned
    5. API Access (Client App -> API Server) : access token
  FAPI Flow for the first API Access : based on and complies with OAuth 2.0 Authorization Code Grant and OIDC Hybrid Flow.
  Phases 3 and 5 are required in this flow, but are out of scope of OAuth 2.0 Authorization Code Grant and OIDC Hybrid Flow. Instead, FAPI describes its own security requirements for phases 3 and 5.
  Authz Code Request / Response : Client App receives the authz code indicating that a user was authenticated and authorized the API access to Client App within the determined scope.
  Token Request / Response : In return for the authz code, Client App receives an access token which has the right to access the API within the determined scope.
  • 18. 3-3 FAPI : Highly Credible User Authentication
  [ What FAPI checks in each phase ]
    1. Authz Code Request (redirect) :
       * Request not tampered with.
       * Request generated by legitimate Client App.
    2. User Authentication (User Consent) :
       * User authenticated in a highly credible way.
    3. Authz Code Response (redirect) :
       * Response not tampered with.
       * Response generated by legitimate Authz Server.
    4. Token Request (Client Authentication) :
       * Client App authenticated in a highly credible way.
       * Token received by legitimate Client App.
    5. API Access :
       * Token exercised by legitimate Client App.
  • 19. 3-4 FAPI : Highly Credible User Authentication - MFA by WebAuthn
  USE CASE : Using keycloak as Authz Server for securing APIs providing financial services to customers. It needs to satisfy a high security level.
  FAPI does not require WebAuthn itself. FAPI requires Level of Assurance (LoA) 3 defined in ITU-T X.1254 (in short, MFA). WebAuthn is a promising candidate satisfying it.
  [ Phase 2. User Authentication (User Consent) ] User/Browser <-> Authz Server (keycloak), WebAuthn Authenticator
  Authz Server (keycloak) :
    - Authenticate user by 1st factor (password) : username/password authentication, yielding the user ID.
  WebAuthn Authenticator (holds user's private key, user ID (handle)) :
    - Authenticate user by 2nd factor (biometrics, e.g. fingerprint) locally.
    - Generate authenticator assertion response including user's public key ID.
    - Sign it by user's private key.
  Authz Server (keycloak) (holds user's public key) :
    - Verify the authenticator assertion response by user's public key.
    - Compare the user ID from the 1st factor authentication with the one from the 2nd factor authentication.
  keycloak can confirm : User was authenticated by multi-factor authentication.
  Notes :
    - Need to register user's public key in keycloak in advance in WebAuthn's manner (Registration).
    - Due to the WebAuthn Authenticator's nature, its authentication factor is basically the "ownership factor".
  • 20. Concluding Remarks
  ✓ WebAuthn is a promising technology for Password-less and Multi-Factor Authentication.
  ✓ Basic WebAuthn support for keycloak has been contributed. But there is still a lot to do in the future.
  ✓ A possible use case of WebAuthn is securing APIs providing financial services under the FAPI security profile.
  • 21. END (WebAuthn support for keycloak, Takashi Norimatsu, Hitachi, Ltd. OSS Solution Center, DevConf.CZ 2020 @ Brno University of Technology, Czech Republic, 26 January 2020)
  • 22. Trademarks
  • FIDO is a trademark or registered trademark of FIDO Alliance, Inc. in the United States and other countries.
  • GitHub is a trademark or registered trademark of GitHub, Inc. in the United States and other countries.
  • Red Hat is a trademark or registered trademark of Red Hat, Inc. in the United States and other countries.
  • Other brand names and product names used in this material are trademarks, registered trademarks, or trade names of their respective holders.