Authors
Takashi NORIMATSU Yuichi NAKAMURA Toshihiro YAMAUCHI
Publisher
The Institute of Electronics, Information and Communication Engineers
Journal
IEICE TRANSACTIONS on Information and Systems (ISSN:09168532)
Volume, issue, pages, publication date
vol.E106-D, no.9, pp.1364-1379, 2023-09-01

Two problems arise when an authorization server is used in a setting where a different security profile must be applied to each client request depending on the type of API being accessed, such as open banking. A security profile can be applied to a client request through the settings of the authorization server and the client. However, this approach can only apply the same security profile to all client requests. Multiple authorization servers, or isolated environments such as realms within one authorization server, are therefore needed to apply different security profiles, which raises the administrative cost of the authorization server. Moreover, if the existing client settings are insufficient to apply a security profile, new settings and logic must be added to the authorization server, which requires modifying its source code. We propose a policy-based method that resolves these problems. The proposed method does not rely solely on the client's settings: it determines the security profile to apply from a policy and the context of the client's request. Consequently, a single authorization server or isolated environment, such as one realm of an authorization server, is sufficient to support multiple different security profiles. In addition, the proposed method allows a security profile to be implemented as a pluggable software module, so the source code of the authorization server need not be modified. The proposed method and the Financial-grade API (FAPI) security profiles were implemented in Keycloak, an open-source identity and access management solution, and evaluation scenarios were executed. The results of the evaluation confirm that the proposed method resolves these problems. The implementation has been contributed to Keycloak, making the proposed method and the FAPI security profiles publicly available.
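The following is an added illustration of the idea summarized in the abstract: a policy engine that picks a security profile per request from the request context (scopes, client roles, client authentication method) rather than from fixed client settings, with each profile plugged in as a separate module. It is not code from the paper or from Keycloak; the profile names, the request fields, the policy rules and the sample requests are assumptions constructed for this example, and the "FAPI-like" checks are a simplified subset in the spirit of FAPI 1.0 Advanced, not the specification.

```python
# Added illustration of policy-based security-profile selection (not the
# paper's or Keycloak's code). Profile names, request fields and the policy
# rules below are assumptions chosen for this example.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class RequestContext:
    """What the authorization server knows about one incoming client request."""
    client_id: str
    client_auth_method: str            # e.g. "client_secret_basic", "private_key_jwt"
    scopes: List[str]
    redirect_uri: str
    pkce_method: Optional[str] = None  # "S256", "plain" or None
    mtls_bound: bool = False           # certificate-bound access token requested
    client_roles: List[str] = field(default_factory=list)


class BaselineProfile:
    """Ordinary OAuth 2.0 with PKCE; the default when no policy rule matches."""
    name = "baseline"

    def violations(self, ctx: RequestContext) -> List[str]:
        found = []
        if ctx.pkce_method != "S256":
            found.append("PKCE with code_challenge_method=S256 is required")
        if not ctx.redirect_uri.startswith("https://"):
            found.append("redirect_uri must use https")
        return found


class FapiAdvancedLikeProfile:
    """Stricter profile in the spirit of FAPI 1.0 Advanced (simplified here)."""
    name = "fapi-advanced-like"

    def violations(self, ctx: RequestContext) -> List[str]:
        found = BaselineProfile().violations(ctx)
        if ctx.client_auth_method not in ("private_key_jwt", "tls_client_auth"):
            found.append("client must authenticate with private_key_jwt or tls_client_auth")
        if not ctx.mtls_bound:
            found.append("access token must be certificate-bound (MTLS)")
        return found


Condition = Callable[[RequestContext], bool]


class PolicyEngine:
    """Selects a profile per request from a policy; profiles are pluggable."""

    def __init__(self, default_profile: str = "baseline") -> None:
        self._profiles: Dict[str, object] = {}
        self._rules: List[Tuple[Condition, str]] = []
        self._default = default_profile

    def register_profile(self, profile) -> None:
        # A new profile plugs in under its name; the engine itself is unchanged.
        self._profiles[profile.name] = profile

    def add_rule(self, condition: Condition, profile_name: str) -> None:
        # Rules are evaluated in order; the first matching rule wins.
        self._rules.append((condition, profile_name))

    def select_profile(self, ctx: RequestContext) -> str:
        for condition, name in self._rules:
            if condition(ctx):
                return name
        return self._default

    def evaluate(self, ctx: RequestContext) -> Tuple[str, List[str]]:
        """Return (selected profile name, violations); an empty list means accepted."""
        name = self.select_profile(ctx)
        return name, self._profiles[name].violations(ctx)


def build_engine() -> PolicyEngine:
    engine = PolicyEngine()
    engine.register_profile(BaselineProfile())
    engine.register_profile(FapiAdvancedLikeProfile())
    # Assumed policy: requests for banking APIs, or from clients in an assumed
    # "open-banking" role, get the strict profile; everything else gets baseline.
    engine.add_rule(lambda c: bool({"accounts", "payments"} & set(c.scopes)),
                    "fapi-advanced-like")
    engine.add_rule(lambda c: "open-banking" in c.client_roles, "fapi-advanced-like")
    return engine


# Constructed sample requests to the same server/realm (not captured traffic).
ORDINARY = RequestContext("web-app", "client_secret_basic", ["openid", "profile"],
                          "https://app.example/cb", pkce_method="S256")
BANK_OK = RequestContext("tpp-1", "private_key_jwt", ["openid", "accounts"],
                         "https://tpp.example/cb", pkce_method="S256", mtls_bound=True)
BANK_BAD = RequestContext("tpp-2", "client_secret_basic", ["openid", "payments"],
                          "https://tpp.example/cb", pkce_method="S256")


def evaluate_samples() -> Dict[str, Tuple[str, List[str]]]:
    engine = build_engine()
    return {c.client_id: engine.evaluate(c) for c in (ORDINARY, BANK_OK, BANK_BAD)}


if __name__ == "__main__":
    for client, (profile, problems) in evaluate_samples().items():
        print(f"{client}: profile={profile} {'accepted' if not problems else problems}")
```

The point of the example is that all three requests reach one engine configured once: the ordinary web app is checked against the baseline profile, the compliant third-party provider passes the strict profile, and the second provider is rejected by the strict profile (weak client authentication, no certificate-bound token) even though its client settings alone would not have triggered the stricter checks. Adding another profile means registering one more class and one more rule, not changing the engine.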

Mentions

External database (DOI)

Twitter (5 users, 5 posts, 9 favorites)

A journal paper on Norimatsu-san's Keycloak development has been published. https://t.co/KJhHqL7UAz Policy-Based Method for Applying OAuth 2.0-Based Security Profiles Takashi NORIMATSU,Yuichi NAKAMURA,Toshihiro YAMAUCHI IEICE TRANSACTIONS on Information and Systems Vol.E106-D No.9

Collected URL list