About This Video

This video is a lightning talk by Authlete, recorded at Google SaaS Day online on February 27, 2020.

It shows overview of OAuth 2.0 and OpenID Connect (OIDC), challenges in traditional approaches, Authlete’s solution, and case studies, in five minutes.

Transcript (English translation)

OAuth and OIDC are the Foundation for Open APIs

In this talk, I’m going to introduce Authlete, an API authorization engine solution.

What is API access authorization? It is about how API providers control API access based on the following factors:

What kind of access
Which API clients are granted access
Who grant access

Adequate API access authorization enables the providers to have a relationship with third parties in conformance with an end user’s consent. It enhances customer experience and further brings higher usage and revenue.

OAuth 2.0 is the industry standard of API access authorization. OpenID Connect is another standard that extends OAuth 2.0 for identity information exchange.

Difficulties in Adopting OAuth/OIDC

In general, it is still difficult to implement and operate OAuth and OIDC properly.

In some aspects, this is due to complexity in API access authorization itself. Another reason why is that the standards are moving targets; a lot of new extensions and practices are being created.

It is merely possible for service providers to follow the standardization process without specialists in that domain.

The situation gets even worse once they implement API access authorization service without an appropriate understanding of the specification and operate it without knowing the best current practice. It could lead to security incidents such as illegal API access.

Victims could be not only service providers of the APIs but also end users - customers of the providers, who permitted such API access.

Existing Solutions Have Access Authorization Capabilities, But…

While there are a couple of solutions providing access authorization to solve the issue, each has its pros and cons.

IDaaS (Identity as a Service)

IDaaS is an attractive choice because it is a SaaS-type offering that could reduce deployment cost, but it doesn’t have enough flexibility to optimize API authorization functions for characteristics of the service providers’ APIs.

IAM (Identity and Access Management) Software

There are a lot of software vendors that provide a deployable package of IAM software onto your site and allow you to customize it. While you could fully control an API authorization system with the installed software, you have to migrate customer identity data and user authentication service from your existing infrastructure to the new IAM software system. You may spend more time and cost.

API Gateways

API gateways often have their access management functionality, which may be sufficient for some sort of APIs. Its advantage over other approaches is that the feature is built into the API gateways. But you might be concerned that they fall short of advanced standards such as FAPI (Financial-grade API).

Authlete: A New Approach

So, what would be the best solution? We have tackled this challenge and taken an approach of “Authorization Engine,” which is different from other existing ones.

We call the approach “Semi-hosted Architecture.” It splits OAuth/OIDC server functions into two parts; You can freely implement one part while we provide another OAuth/OIDC specific part as APIs. All functionalities we host are available as Web APIs and we have been implementing the latest OAuth/OIDC specifications. Our customers can enable such advanced industry standards such as FAPI requiring higher security provisions aimed for APIs in financial services, “Identity Assurance” for eKYC (Electronic Know Your Customer) ahead of their competitors.

Authlete Fits in Any Form of Existing Systems

The following diagram is a general integration architecture of Authlete and other components.

Service providers that deploy Authlete would fully manage “API service infrastructure,” including an authorization server. The server can be freely implemented by the providers themselves in accordance with their business and technical requirements, from user authentication and consent to integration with existing systems.

Authlete manages all of OAuth/OIDC processing operations so that the providers can offload them onto us. We accept requests from the providers through Web APIs, and then handle authorization flows as well as issuing and management of API access information called tokens.

When your third parties make API requests using tokens, you don’t have to verify them; Authlete does token introspection on your behalf.

This architecture enables service providers to externalize complicated implementations and operations in terms of OAuth/OIDC while gaining governance and control their API infrastructure.

A Broad Range of Use Cases

Authlete helps a wide range of industries, from high-security use cases in banking, fintechs and personal data services area, to customer experience-oriented businesses such as entertainments.

A Case Study in SaaS: SmartHR

SmartHR, one of our customers in SaaS space, have implemented OAuth in their HRtech offerings. We are delighted that they value Authlete especially in terms of a rich set of Web APIs, high maintenance ability, and continuous adoption of the latest standards.