Speaker

Yoshiyuki Tabata

Senior OSS Consultant at Hitachi, Ltd. / CNCF Ambassador / Cloud Native Community Japan organizer / Cloud Native Security Japan founder

He is a Senior OSS Consultant at Hitachi, Ltd. As an expert in IAM and APIs, he has provided numerous consultations over the past decade, including the design of API and Authn/Authz platforms. He has actively contributed to CNCF TAG Security and has added significant functionality to OSS projects such as Keycloak. As a CNCF Ambassador, he has delivered talks at events such as KubeCon, focusing on secure solutions for the CNCF ecosystem. He has also organized several CNCF meetups in Japan.

How does a workload authenticate an API request?: Implementing Transaction Tokens with Keycloak

Presenting an OAuth2 access token is the standard way for a resource server to authenticate an API request. The draft CNCF Zero Trust White Paper recommends that the resource server verify the access token's "audience", so that a token issued for one recipient cannot be replayed to another (a "Token Redirect" attack). In cloud-native architectures, however, there are many internal workloads, so it is hard for the resource owner to enumerate every audience and consent to each use of the token. In this case we can adopt the OAuth WG draft "Transaction Tokens" (Txn-Tokens), which uses OAuth2 Token Exchange (RFC 8693) to issue Txn-Tokens that let downstream workloads identify the call chain a request belongs to. Keycloak, an IAM OSS, supports Token Exchange, so Keycloak can potentially act as the Txn-Token service that issues Txn-Tokens.
In this presentation, Yoshiyuki Tabata gives an overview of Txn-Tokens and shows how to implement them with Keycloak.
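The flow the abstract describes, as an added example that is not part of the talk, the Txn-Token draft or Keycloak's own code: a gateway builds an RFC 8693 token-exchange request for Keycloak's token endpoint, the Txn-Token service mints a Txn-Token, and a downstream workload verifies it and rejects a token whose audience is a different trust domain (the Token Redirect case). Claim names (txn, purp, azd, rctx) and the txn_token token type follow the OAuth WG draft, which is still evolving; the issuer URL, trust-domain names, HS256 demo key and request values are constructed for the example (a real Txn-Token service would sign with an asymmetric key published via JWKS).

```python
import base64
import hashlib
import hmac
import json
import time
import uuid
from urllib.parse import urlencode

TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"  # RFC 8693
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"      # RFC 8693
TXN_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:txn_token"            # Txn-Token draft

# Constructed demo values: a production Txn-Token service signs with an
# asymmetric key advertised via JWKS, not an HMAC secret shared with verifiers.
DEMO_KEY = b"constructed-demo-key-do-not-reuse"
DEMO_ISSUER = "https://keycloak.example.test/realms/demo"  # assumed Keycloak realm URL


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_token_exchange_request(client_id, client_secret, inbound_access_token,
                                 trust_domain, purpose):
    """Gateway side: the form body POSTed to Keycloak's token endpoint to obtain a Txn-Token."""
    body = {
        "grant_type": TOKEN_EXCHANGE_GRANT,
        "client_id": client_id,
        "client_secret": client_secret,
        "subject_token": inbound_access_token,      # the end user's access token
        "subject_token_type": ACCESS_TOKEN_TYPE,
        "requested_token_type": TXN_TOKEN_TYPE,
        "audience": trust_domain,                   # trust domain the Txn-Token is valid in
        "scope": purpose,                           # draft: purpose of the transaction
    }
    return f"{DEMO_ISSUER}/protocol/openid-connect/token", urlencode(body)


def issue_txn_token(subject, trust_domain, purpose, azd, rctx, now=None, ttl=60):
    """Txn-Token service side: mint a short-lived JWT carrying the draft's claims."""
    now = int(time.time()) if now is None else now
    header = {"typ": "txn_token", "alg": "HS256"}
    claims = {
        "iss": DEMO_ISSUER,
        "iat": now,
        "exp": now + ttl,
        "aud": trust_domain,
        "txn": uuid.uuid4().hex,  # unique transaction id that correlates the whole call chain
        "sub": subject,
        "purp": purpose,
        "azd": azd,               # authorization details bound to this transaction
        "rctx": rctx,             # requester context: caller IP, requesting workload, ...
    }
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(DEMO_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


class TxnTokenRejected(Exception):
    pass


def verify_txn_token(token, my_trust_domain, now=None):
    """Downstream workload side: check signature, type, lifetime and, above all, audience."""
    now = int(time.time()) if now is None else now
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise TxnTokenRejected("malformed token")
    expected = hmac.new(DEMO_KEY, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise TxnTokenRejected("bad signature")
    header = json.loads(_b64url_decode(h))
    claims = json.loads(_b64url_decode(p))
    if header.get("typ") != "txn_token" or header.get("alg") != "HS256":
        raise TxnTokenRejected("not a Txn-Token")
    if claims.get("iss") != DEMO_ISSUER:
        raise TxnTokenRejected("unexpected issuer")
    if not claims["iat"] <= now < claims["exp"]:
        raise TxnTokenRejected("expired or not yet valid")
    # Token Redirect defence: a token minted for another trust domain is refused here.
    if claims.get("aud") != my_trust_domain:
        raise TxnTokenRejected(f"audience {claims.get('aud')!r} is not {my_trust_domain!r}")
    for required in ("txn", "sub", "purp", "azd", "rctx"):
        if required not in claims:
            raise TxnTokenRejected(f"missing claim {required}")
    return claims


if __name__ == "__main__":
    url, body = build_token_exchange_request("api-gateway", "gw-secret", "eyJ.access.token",
                                             "trust-domain-a", "payments.transfer")
    tok = issue_txn_token("user-123", "trust-domain-a", "payments.transfer",
                          {"amount": 100, "currency": "USD"},
                          {"req_ip": "203.0.113.7", "req_wl": "api-gateway"})
    print(verify_txn_token(tok, "trust-domain-a")["txn"])
```

Every workload in the chain verifies the token itself and can log the shared txn claim, so one transaction can be traced across services; the same token presented to a workload in a different trust domain fails the audience check regardless of who forwarded it.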

Challenge to Implementing “Scalable” Authorization with Keycloak

In the OWASP API Security Top 10 2023, three of the top five categories carry the word "authorization" (authz) in their name, so authz is becoming a more important security consideration. Authz logic is often developed from scratch; however, as the service grows, that logic scales poorly because the number of authz targets, attributes, and their combinations keeps increasing. In such cases it is common to introduce a dedicated authz service. Keycloak, an IAM OSS, also provides an authz service. Since Keycloak is an OAuth2 authorization server as well, using its authz service makes it possible to centrally manage the data related to both authentication (authn) and authz.
In this session, Yoshiyuki Tabata explains how to implement scalable authz with Keycloak and how to combine it with OPA so that Keycloak does not become a SPOF and authz performance improves. Furthermore, by combining it with CockroachDB, he introduces an authn and authz solution that withstands regional failures and operates in multi-cloud environments.

SOSS Community Day Japan 2024

October 2024 Tokyo, Japan

CloudNativeSecurityCon North America 2024

June 2024 Seattle, Washington, United States

KubeCon + CloudNativeCon North America 2023

November 2023 Chicago, Illinois, United States
