Yoshiyuki Tabata
Senior OSS Consultant at Hitachi, Ltd. / CNCF Ambassador / Cloud Native Community Japan organizer / Cloud Native Security Japan founder
Actions
He's a Senior OSS Consultant at Hitachi, Ltd, responsible for IAM and API-related solutions.
As an authentication and authorization expert, he has provided numerous consultations, for example designing and building API/SSO systems in various fields such as finance and public.
As a CNCF Ambassador, he disseminates solutions and know-how for a better and more secure CNCF ecosystem through conference talks and contributions. And he's a Cloud Native Community Japan organizer and a Cloud Native Security Japan founder.
He's also a contributor to OSS such as Keycloak and 3scale.
Links
How does a workload authenticate an API request?: Implementing Transaction Tokens with Keycloak
Using OAuth2 access tokens is the best practice for authenticating an API request by a resource server. As stated in the draft CNCF Zero Trust White Paper, it is recommended to verify the "audience" of the access token to prevent access tokens from being consumed by other recipients ("Token Redirect" attack). Especially in cloud-native architectures, there are many internal workloads, so it's hard for the resource owner to identify all audiences and consent for each consumption. In this case, we can adopt the OAuth WG's draft called "Transaction Tokens" (Txn-Tokens), which utilizes OAuth2 Token Exchange (RFC8693) to issue Txn-Tokens that allow downstream workloads to identify call chains. Keycloak, an IAM OSS, supports Token Exchange. Therefore, Keycloak can potentially support the Txn-Token service which issues Txn-Tokens.
In this presentation, Yoshiyuki Tabata provides an overview of Txn-Tokens and introduces how to implement Txn-Tokens with Keycloak.
Challenge to Implementing “Scalable” Authorization with Keycloak
In the OWASP API Security Top 10 2023, three of the top 5 vulnerabilities include the word "authorization (authz)", authz is becoming more important for security considerations. Authz is often developed from scratch, however, along with the expanded service, the authz logic often becomes low scalability due to the increase in authz targets, attributes, and combinations. In such cases, it is common to introduce an authz service. Keycloak, an IAM OSS, also has an authz service. Keycloak has OAuth2 authz server capabilities, too, so by using the authz service, it is possible to centrally manage data related to authentication (authn) and authz.
In this session, Yoshiyuki Tabata explains how to implement scalable authz using Keycloak and how to combine it with OPA to avoid Keycloak becoming SPOF and improve authz performance. Furthermore, by combining with CockroachDB, he introduces an authn and authz solution that withstands regional failures and operates in multi-cloud environments.
Yoshiyuki Tabata
Senior OSS Consultant at Hitachi, Ltd. / CNCF Ambassador / Cloud Native Community Japan organizer / Cloud Native Security Japan founder
Links
Actions
Please note that Sessionize is not responsible for the accuracy or validity of the data provided by speakers. If you suspect this profile to be fake or spam, please let us know.
Jump to top