
Yoshiyuki Tabata
CNCF TAG Security and Compliance Tech Lead / CNCF Ambassador
Yoshiyuki Tabata is an OSS consultant with over a decade of experience in IAM, API platforms, and cloud-native security. As Tech Lead of CNCF TAG Security and Compliance, he helps shape security guidelines and best practices. He also speaks at global conferences including KubeCon, sharing insights from his work in open source and cloud-native security. In the Keycloak community, he helped launch the first KeycloakCon, maintains language translations, and supports community engagement at events.
Modern PostgreSQL Authorization with Keycloak: Cloud-Native Identity Meets Database Security
Still using usernames and passwords for DB access? In 2025, that’s not just outdated—it’s a security liability. Static credentials are hard to manage, rotate, and audit, especially in dynamic, multi-tenant cloud-native environments. Traditional DB authentication no longer meets modern security and compliance needs.
In this session, Yoshiyuki Tabata and Gabriele Bartolini will show how to modernize PostgreSQL authorization by integrating it with Keycloak, an identity and access management OSS. They’ll walk through externalizing authentication and authorization logic from the DB, enabling centralized identity control across services. You’ll learn how to map Keycloak roles and groups to PostgreSQL privileges, enforce fine-grained access policies, and manage secure access in Kubernetes environments using CloudNativePG.
They will explore how the innovative native OAuth support introduced in PostgreSQL 18 has the potential to transform the landscape of DB authentication in Kubernetes.
Securing AI Agent Infrastructure: AuthN/AuthZ Patterns for MCP and A2A
Is your AI agent infrastructure secure?
As AI agents begin to exchange model context and coordinate across systems, secure interaction is no longer optional—it’s essential. To bring structure to these interactions, protocols like Model Context Protocol (MCP) and Agent-to-Agent (A2A) have emerged, offering standardized ways for agents to communicate.
Adopting these protocols introduces new responsibilities. Developers must implement authentication and authorization (AuthN/AuthZ) mechanisms that comply with MCP and A2A while remaining practical for real-world deployment.
In this session, Yoshiyuki Tabata shares best practices for designing AuthN/AuthZ and shows how to apply key principles from the CNCF IAM whitepaper to AI agent infrastructure—such as OAuth-based API access, P*P architecture for authorization, and workload authentication. The session includes a demo of secure AuthZ for an MCP server using Keycloak, illustrating how these practices apply in real-world agent interactions.
Secure Authorization for Agentic AI in Multi-Domain Environments
Agentic AI systems are increasingly expected to operate across organizational boundaries, where distinct trust domains govern identity and access control. This session explores how to design secure and scalable authorization flows for agentic AI collaboration using open standards such as OAuth 2.1, Model Context Protocol (MCP), and Agent-to-Agent (A2A).
Starting with a single-domain setup, Yoshiyuki Tabata walks through the implementation of authorization code flow, token introspection, and resource protection. He then introduces the concept of multi-domain environments, where tokens issued in one domain cannot be reused in another. To address this, he explains how OAuth 2.0 Token Exchange (RFC 8693) enables agents to securely obtain new tokens for downstream services in other domains.
The session concludes with a demonstration using Keycloak, showcasing federated authorization in action. Attendees will gain practical insights into building secure, interoperable agent infrastructures across trust boundaries.
Let’s join CNCF TAG Security APAC!
The CNCF Security Technical Advisory Group (TAG Security) is a group of cloud-native security experts and anyone interested in cloud-native security who come together to work on issues across different security areas. We do this in various ways, including white papers we produce as resources for the community, presentations on new security projects including CNCF projects, security assessments we provide to CNCF projects, and many other initiatives.
For a long time, TAG Security meetings were held only in the US and EMEA time zones. This made it difficult for security friends in the APAC time zone to contribute to TAG Security, but we have now managed to hold meetings in the APAC time zone starting in August of this year!
In this presentation, Yoshiyuki Tabata, facilitator for TAG Security APAC, will provide an overview of TAG Security and its latest trends.
Let's make TAG Security APAC even more exciting together!
Mastering Authorization: Integrating Authentication and Authorization Data in Cloud-Native Apps
Authorization is one of the most important considerations for cloud-native applications, as highlighted by the OWASP Top 10. For a long time, there was no clear standard, making authorization a significant challenge for many implementers. The OpenID Foundation AuthZEN WG is now working on standards, focusing on interfaces between PEP (Policy Enforcement Point) and PDP (Policy Decision Point), which provides some hope.
However, managing authorization data remains challenging. Since this data is closely related to authentication data, architects often struggle with how the OP (OpenID Provider) and PDP should manage and integrate it. There are multiple methods, and the best approach varies by use case.
In this session, Yoshiyuki Tabata will explain various methods for managing and integrating authentication and authorization data. He will also describe implementation using Keycloak for OP and Topaz for PDP, providing valuable insights into effective data management.
How does a workload authenticate an API request?: Implementing Transaction Tokens with Keycloak
Using OAuth2 access tokens is the best practice for a resource server to authenticate an API request. As stated in the draft CNCF Zero Trust White Paper, the resource server should verify the "audience" of the access token to prevent the token from being consumed by other recipients (a "Token Redirect" attack). In cloud-native architectures in particular, there are many internal workloads, so it is hard for the resource owner to identify every audience and consent to each consumption. In this case, we can adopt the OAuth WG draft "Transaction Tokens" (Txn-Tokens), which uses OAuth2 Token Exchange (RFC 8693) to issue Txn-Tokens that let downstream workloads identify the call chain. Keycloak, an IAM OSS, supports Token Exchange, so it can potentially act as the Txn-Token service that issues Txn-Tokens.
In this presentation, Yoshiyuki Tabata provides an overview of Txn-Tokens and introduces how to implement Txn-Tokens with Keycloak.
Challenge to Implementing “Scalable” Authorization with Keycloak
In the OWASP API Security Top 10 2023, three of the top five vulnerabilities include the word "authorization" (authz), so authz is becoming more important as a security consideration. Authz is often developed from scratch; however, as the service grows, the authz logic often scales poorly because of the increase in authz targets, attributes, and their combinations. In such cases, it is common to introduce an authz service. Keycloak, an IAM OSS, also provides an authz service. Keycloak has OAuth2 authz server capabilities, too, so by using its authz service it is possible to centrally manage data related to authentication (authn) and authz.
In this session, Yoshiyuki Tabata explains how to implement scalable authz using Keycloak and how to combine it with OPA to avoid Keycloak becoming a SPOF and to improve authz performance. Furthermore, by combining it with CockroachDB, he introduces an authn and authz solution that withstands regional failures and operates in multi-cloud environments.
Open Source Summit Japan + AI_dev: Open Source GenAI & ML Summit Japan 2025 (upcoming)
KubeCon + CloudNativeCon North America 2025 (upcoming)
KubeCon + CloudNativeCon Japan 2025
SOSS Community Day Japan 2024
CloudNativeSecurityCon North America 2024
KubeCon + CloudNativeCon North America 2023