
Hitachi Ltd. used Keycloak to make financial-grade security easier
Challenge
Hitachi provides an API management cloud service for Japanese banks. Using the service, banks can securely open their APIs (for example, access to bank accounts) to third-party fintech companies. One of the biggest challenges in the development phase was authorizing those APIs with financial-grade security. For API authorization in the financial sector, the Financial-grade API (FAPI) specification from the OpenID Foundation is widely adopted, and we were required to implement an authorization server conformant to FAPI. Full FAPI conformance, however, meant implementing more than 700 items on top of OAuth 2.0, each of them very carefully (an incorrect implementation leads to security holes), and it was very hard work.
Solution
Keycloak provides an OAuth 2.0 authorization server, but initially it did not have complete FAPI support. Because the Keycloak development community was very active, we decided to implement FAPI for Keycloak together with the community. We launched the OAuth SIG (initially called FAPI-SIG) in the Keycloak community and developed the features required for FAPI as well as the execution environments for the FAPI conformance tests.
Impact
We use Keycloak as the authorization server of the API management cloud service. With Keycloak we can provide fully FAPI-conformant API authorization to our customers. Configuring FAPI in Keycloak is also easy, because Keycloak has a feature called Client Policies that makes it simple to create configuration templates for FAPI. Applying FAPI to a client takes a single configuration step: applying an element called a profile. Keycloak also passes the conformance tests for 9 other specifications, so if those are required in the future, we will be able to achieve conformance easily.
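As an added illustration (not Hitachi's or the Keycloak project's own configuration), the realm-import fragment below shows what that single step looks like: one client policy that binds Keycloak's built-in global profile fapi-1-advanced to every client in the realm. The policy name and description are constructed placeholders; the profile name and the any-client condition identifier are assumed to match current Keycloak releases.

```json
{
  "clientPolicies": {
    "policies": [
      {
        "name": "bank-api-fapi-advanced",
        "description": "Constructed example: enforce the FAPI 1.0 Advanced profile on every client in this realm",
        "enabled": true,
        "conditions": [
          {
            "condition": "any-client",
            "configuration": {}
          }
        ],
        "profiles": [
          "fapi-1-advanced"
        ]
      }
    ]
  }
}
```

Assuming the standard admin REST API, the same "policies" object can be submitted with a PUT to /admin/realms/{realm}/client-policies/policies instead of a realm import; tightening the condition (for example to a specific group of clients) narrows which clients the profile's checks, such as required client authentication methods and signing algorithms, apply to.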
By the numbers
700+ conformance items
One-step configuration
9 other specification conformances