
IEICE TRANSACTIONS on Information

Policy-Based Method for Applying OAuth 2.0-Based Security Profiles

Takashi NORIMATSU, Yuichi NAKAMURA, Toshihiro YAMAUCHI


Summary

Two problems arise when an authorization server is used in a setting where a different security profile must be applied to each client request depending on the type of API being accessed, as in open banking. A security profile can be applied to a client request through the settings of the authorization server and the client. However, this approach applies the same security profile to every request a client makes. Therefore, multiple authorization servers, or isolated environments such as realms within one authorization server, are needed to apply different security profiles, which increases the administrative cost of running the authorization server. Moreover, if the existing client settings are inadequate for applying a security profile, new settings and logic must be added to the authorization server, which requires modifying its source code. We propose a policy-based method that resolves these problems. The proposed method does not rely solely on the client's settings; it determines the security profile to apply from a policy and the context of the client's request. Therefore, a single authorization server, or a single isolated environment such as one realm, suffices to support multiple security profiles. Additionally, the proposed method allows a security profile to be implemented as a pluggable software module, so the source code of the authorization server need not be modified. The proposed method and the Financial-grade API (FAPI) security profiles were implemented in Keycloak, an open-source identity and access management solution, and evaluation scenarios were executed. The results confirmed that the proposed method resolves these problems. The implementation has been contributed to Keycloak, making the proposed method and the FAPI security profiles publicly available.
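The abstract describes the method only at the architectural level. The following Python sketch is an added illustration written for this page; it is neither the paper's implementation nor Keycloak's own code. It assumes a request context with fields such as `scopes`, `client_auth_method`, `pkce_method` and `has_client_cert` (names invented here), two profile names, `baseline` and `advanced`, standing in for FAPI-style profiles, and the design choice that every policy whose conditions hold contributes its profile's checks. The point it shows is the one the abstract makes: the same client in the same realm is held to a different profile depending on what its request asks for, and adding a profile is a registration rather than a change to the policy engine.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class RequestContext:
    """What the authorization server knows about one client request.
    Field names are assumptions made for this example."""
    client_id: str
    scopes: List[str]
    client_auth_method: str            # e.g. "client_secret_basic", "private_key_jwt", "tls_client_auth"
    pkce_method: Optional[str] = None  # "S256", "plain" or None
    has_client_cert: bool = False      # an mTLS client certificate was presented
    client_roles: List[str] = field(default_factory=list)


# An executor is one pluggable check belonging to a security profile. It
# returns None when the request satisfies it, otherwise a violation message.
Executor = Callable[[RequestContext], Optional[str]]


def require_pkce_s256(ctx: RequestContext) -> Optional[str]:
    return None if ctx.pkce_method == "S256" else "PKCE with S256 is required"


def require_strong_client_auth(ctx: RequestContext) -> Optional[str]:
    if ctx.client_auth_method in ("private_key_jwt", "tls_client_auth"):
        return None
    return f"client authentication {ctx.client_auth_method!r} is not allowed"


def require_sender_constrained(ctx: RequestContext) -> Optional[str]:
    return None if ctx.has_client_cert else "an mTLS client certificate is required"


# Profile registry: adding a profile is a registration, not a change to the
# policy engine below (this is the "pluggable module" idea of the abstract).
PROFILES: Dict[str, List[Executor]] = {}


def register_profile(name: str, executors: List[Executor]) -> None:
    PROFILES[name] = list(executors)


register_profile("baseline", [require_pkce_s256])
register_profile("advanced", [require_pkce_s256, require_strong_client_auth, require_sender_constrained])


# A policy binds conditions on the request context to a profile name.
Condition = Callable[[RequestContext], bool]


@dataclass
class Policy:
    name: str
    conditions: List[Condition]
    profile: str


def scope_requested(scope: str) -> Condition:
    return lambda ctx: scope in ctx.scopes


def client_has_role(role: str) -> Condition:
    return lambda ctx: role in ctx.client_roles


POLICIES: List[Policy] = [
    Policy("any-request-baseline", [], "baseline"),  # no conditions: always matches
    Policy("payments-advanced", [scope_requested("payments")], "advanced"),
    Policy("partner-clients-advanced", [client_has_role("open-banking-partner")], "advanced"),
]


def applicable_profiles(ctx: RequestContext, policies: List[Policy] = POLICIES) -> List[str]:
    """Every policy whose conditions all hold contributes its profile (deduplicated, in policy order)."""
    names: List[str] = []
    for policy in policies:
        if all(cond(ctx) for cond in policy.conditions) and policy.profile not in names:
            names.append(policy.profile)
    return names


def enforce(ctx: RequestContext, policies: List[Policy] = POLICIES,
            profiles: Dict[str, List[Executor]] = PROFILES) -> Tuple[List[str], List[str]]:
    """Run each executor of every applicable profile once; return (profile names, violations)."""
    names = applicable_profiles(ctx, policies)
    seen: List[Executor] = []
    violations: List[str] = []
    for name in names:
        for executor in profiles[name]:
            if executor in seen:
                continue  # the same check may be shared by several profiles
            seen.append(executor)
            problem = executor(ctx)
            if problem:
                violations.append(problem)
    return names, violations


if __name__ == "__main__":
    # Constructed sample requests from one client in one realm.
    accounts = RequestContext("acme-app", ["accounts"], "client_secret_basic", pkce_method="S256")
    payments = RequestContext("acme-app", ["payments"], "client_secret_basic", pkce_method="S256")
    print(enforce(accounts))  # (['baseline'], [])
    print(enforce(payments))  # (['baseline', 'advanced'], [two violations])
```

The `accounts` request passes under the baseline profile, while the same client's `payments` request is held to the advanced profile and is rejected until it authenticates with `private_key_jwt` or `tls_client_auth` and presents a client certificate. Nothing about the client's static configuration changed between the two; only the request context did, which is what lets one realm serve both API types.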

Publication
IEICE TRANSACTIONS on Information Vol.E106-D No.9 pp.1364-1379
Publication Date
2023/09/01
Publicized
2023/06/20
Online ISSN
1745-1361
DOI
10.1587/transinf.2022ICP0004
Type of Manuscript
Special Section PAPER (Special Section on Information and Communication System Security)
Authors

Takashi NORIMATSU
  Hitachi, Ltd., Okayama University
Yuichi NAKAMURA
  Hitachi, Ltd.
Toshihiro YAMAUCHI
  Okayama University
