Creating an “Open API platform” that exposes the core data and functionality of your services to partners and developers often requires the implementation of a dedicated API management solution. API management solutions act as a “gateway” that handles external API requests and provides a wide range of API sharing capabilities, from traffic control to access analytics. These include OAuth 2.0, which is required for API access authorization, and OpenID Connect (OIDC), which is essential for identity information distribution.
However, the built-in OAuth/OIDC functionality in API gateways is often not suitable for open APIs. For example, some solutions do not support the now-essential PKCE, or add proprietary parameters to OAuth/OIDC interactions. Other solutions can manage the users and groups needed to authorize API access only through the vendor's own user store, which makes migration difficult if an identity management infrastructure is already in place.
Most API management solutions provide frameworks for adding functionality, so it is technically possible to implement and integrate the necessary OAuth/OIDC extension specifications. However, the work involved in keeping up with trends in OAuth/OIDC extension specifications, implementing them properly within the framework, and maintaining them once they are integrated into the API management solution is significant. In addition, depending on the application, it may be necessary to comply with specifications that are difficult to implement by grafting them onto standard API management features, such as FAPI, which defines more advanced OAuth security, and CIBA, which extends the use cases of APIs.
By replacing the OAuth/OIDC functionality of the API gateway with Authlete, you can quickly achieve OAuth/OIDC compliance without being affected by the state of your API management solution. Since Authlete is designed to operate entirely as a backend service, the OAuth/OIDC APIs, such as the authorization endpoint and token endpoint, can be implemented and operated as endpoints managed by the API gateway, which makes the entire open API platform more efficient to manage.
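To make the division of labour in that gateway-plus-backend architecture concrete, here is an added example (not the page's code and not Authlete's SDK) of a gateway-side token endpoint that forwards the raw token request to a backend authorization service and only maps the backend's verdict to an HTTP response. The backend contract (a POST to /api/auth/token carrying `parameters`, `clientId` and `clientSecret`, answered with `action` and `responseContent`) follows Authlete's published API as understood here, but treat those field names, the client `partner-app`/`s3cret`, the code `code-123` and the in-memory `fake_backend` as assumptions for this illustration; PKCE is enforced inside the backend stand-in, as it would be in Authlete, so the gateway needs no PKCE logic of its own.

```python
import base64
import hashlib
import json
from urllib.parse import parse_qs

def basic_header(client_id: str, secret: str) -> str:
    return "Basic " + base64.b64encode(f"{client_id}:{secret}".encode()).decode()

def parse_basic_auth(header):
    """client_id/client_secret from an HTTP Basic Authorization header, else (None, None)."""
    if not header or not header.startswith("Basic "):
        return None, None
    try:
        client_id, sep, secret = base64.b64decode(header[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None, None
    return (client_id, secret) if sep else (None, None)

def handle_token_request(body: str, authorization, transport):
    """Gateway token endpoint: forward the raw body via transport(path, form) -> dict, map 'action' to HTTP."""
    client_id, client_secret = parse_basic_auth(authorization)
    form = {"parameters": body}  # raw token-request body, forwarded untouched (assumed field name)
    if client_id is not None:
        form["clientId"], form["clientSecret"] = client_id, client_secret
    result = transport("/api/auth/token", form)
    headers = {"Content-Type": "application/json", "Cache-Control": "no-store", "Pragma": "no-cache"}
    action, content = result.get("action"), result.get("responseContent", "")
    if action == "OK":
        return 200, headers, content
    if action == "BAD_REQUEST":
        return 400, headers, content
    if action == "INVALID_CLIENT":
        return 401, {**headers, "WWW-Authenticate": 'Basic realm="token"'}, content
    # INTERNAL_SERVER_ERROR or anything unexpected: generic error, no backend detail leaked to the client
    return 500, headers, json.dumps({"error": "server_error"})

def s256(verifier: str) -> str:  # PKCE S256 code_challenge of a code_verifier (RFC 7636)
    return base64.urlsafe_b64encode(hashlib.sha256(verifier.encode()).digest()).rstrip(b"=").decode()

# Constructed offline stand-in for the backend: one client and one issued code bound to an S256 challenge.
CODE_VERIFIER = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
ISSUED = {"code-123": s256(CODE_VERIFIER)}

def fake_backend(path: str, form: dict) -> dict:
    p = {k: v[0] for k, v in parse_qs(form["parameters"]).items()}
    if (form.get("clientId"), form.get("clientSecret")) != ("partner-app", "s3cret"):
        return {"action": "INVALID_CLIENT", "responseContent": json.dumps({"error": "invalid_client"})}
    if ISSUED.get(p.get("code", "")) != s256(p.get("code_verifier", "")):  # PKCE enforced here, not in the gateway
        return {"action": "BAD_REQUEST", "responseContent": json.dumps({"error": "invalid_grant"})}
    return {"action": "OK", "responseContent": json.dumps({"access_token": "at-xyz", "token_type": "Bearer"})}
```

A real transport would POST `form` to the backend over HTTPS (ideally mTLS) and return the parsed JSON; nothing else in the gateway handler changes.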
Minna Bank is a next-generation digital bank that was established as a new bank under the Fukuoka Financial Group and designed from the ground up. As a new bank for the digital native generation nationwide, it lets customers perform all services, from account opening to ATM deposits, withdrawals, and remittances, on a smartphone 24 hours a day, 365 days a year, and aims to realize a simpler and friendlier relationship with money.
au Jibun Bank selected Authlete to implement OAuth 2.0 authorization functionality for APIs exposed to its business partners. The bank valued Authlete's FAPI support and an architecture that complements existing systems, as well as its smooth integration with an API gateway.
Seven Bank used Authlete to implement OAuth 2.0 authorization for external access when it linked its own services with external services via API.