It was a fun day as always at #EIC18. No time right now to properly blog about it, so here are some of the tweets related to my presentation today, and the slides that I used. At the #EIC18 #OpenID Foundation workshop, @_nat_en reminds us that #OAuth is just a framework. …
So, what encoding should a URI in OpenID Connect and OAuth discovery document use for an internationalized domain name such as “müsik.example.com”? . One option is to represent it in the encoding of the discovery document. As of January 2018, it MUST be UTF-8. Another option is to represent it in …
I just came across with Don Tapscott’s TED Talk titled “How the blockchain is changing money and business” . In it, he talks about 5 potential use cases of blockchain technology that may result in transformations for a prosperous world. They are: Protecting rights through immutable records, e.g., land title. In many places …
Here is the slide I used for APIDays Berlin 2017: Banking APIs and PSD2 — The finish line for PSD2 and Open Banking. A couple of questions came around, which I did not do a really good job of answering. Here are clearer answers: Q.1 What does protecting ‘code’ and ‘state’ mean? A.1 In RFC6749, …
Here is the slide I used in API Days Paris 2016, for the Banking track. Direct link to slideshare: http://www.slideshare.net/nat_sakimura/financial-grade-oauth-openid-connect Hope they are useful.
Here is the presentation file that I used for my 10 minutes OpenID Foundattion Financial API WG presentation at the Open Data in Finance Conference ( June 15, 2016). To join the Working Group, please sign the IPR Contribution agreement online by clicking here or download the PDF form and fill it, scan …
Here is the script of the Chair’s remark at the opening of the Open Data in Fianance Conference in London (June 15, 2016) 09:00 – 09:10 Chair’s Welcome Nat SakimuraSenior ResearcherNomura Research Institute Hello. Welcome to the Open Data in Finance Conference. I am really excited to be a part …
I have many bank accounts. If I wanted to use a new and shiny graphing service, I have to get authorization from each banks individually. That’s a bit of nuisance. Instead of doing that, if I can instruct each banks to delegate authorization on my accounts to my Authorization server, …
The so called ‘cut and pasted code attack’ also known as ‘Frankenstein Monster Attack’ is an attack that the adversary swaps the ‘code’ in the authorization response with the victim’s ‘code’ that the adversary has gotten hold of somehow. It can be through the Code Phishing attack, or some other attacks. …
Code phishing attack is the attack that the adversary obtains the code and client credentials from the legitimate client and uses them against the honest token endpoint to obtain tokens thereby accessing the protected resources illegitimately. Assumptions There are not much assumptions needed for this attack. The client and the server …
![Cut and pasted code attack in OAuth 2.0 [RFC6749]](https://i1.wp.com/nat.sakimura.org/wp-content/uploads/2016/01/cut-and-pasted-code.png?resize=430%2C350&ssl=1)
![Code phishing attack on OAuth 2.0 [RFC6749]](https://i0.wp.com/nat.sakimura.org/wp-content/uploads/2016/01/code_token_phishing.png?resize=430%2C350&ssl=1)