Interview with Keycloak Contributor, Takashi Norimatsu of HITACHI OSS Group


Jason Perlow, Editorial Director of Linux Foundation Research, spoke with HITACHI’s Takashi Norimatsu about the Keycloak project, an open source identity and access management platform.

JP: Greetings, Norimatsu-san. Can you tell me a bit about yourself? Where in Japan do you live, and what is your prior experience with information systems? Can you tell me how you became an OSS maintainer at HITACHI? Is it part of your regular responsibilities at the company, or is it something you do on a best-effort basis?

Hello, Norimatsu-san. I would like to ask a little about yourself. Where do you currently live? Before your current work, what did you do in the IT field? How did you become a maintainer of open source software (OSS) while being an employee of Hitachi, Ltd.? And do you carry out your maintainer activities as part of your work at the company?

TN: Thank you for the interview. I live in Yokohama, the second-largest city in Japan by population, about 35 km southwest of Tokyo, Japan’s capital.

I have worked on developing several kinds of equipment and systems, such as communication equipment firmware and its operation software, smart maintenance system software, and so on.

My unit in Hitachi has been encouraging me to contribute features, especially security features, to Keycloak. Following this policy, I have been contributing features to the Keycloak project for several years. It seems that the existing Keycloak maintainers recognized my contributions, and I was then promoted to Keycloak maintainer.

As a result of these open source contributions, my unit in Hitachi decided that working as a Keycloak maintainer would be part of my regular responsibilities.


JP: So, what is Keycloak? What kind of OSS is it?

What kind of OSS is Keycloak?

TN: Keycloak is open source identity and access management software. It can be used for single sign-on, social login, and securing API access. Keycloak complies with several open standards such as OAuth 2.0, OpenID Connect, SAMLv2, LDAP, Kerberos, and so on.

Keycloak is OSS for identity and access management. It provides single sign-on, social login, and secure access to APIs. Keycloak complies with various standard specifications; examples include OAuth 2.0, OpenID Connect, SAMLv2, LDAP, and Kerberos.

JP: Why did HITACHI decide to make contributions to Keycloak? 


TN: Our team in HITACHI provides services for OSS in the security area. When we looked for an appropriate OSS for single sign-on and securing API access, we picked Keycloak because it is very easy to use without a complicated setup, and it is highly customizable, so it can be applied to a wide range of use cases.


JP: Why is OAuth 2.0 not sufficient for accessing APIs that require a high-security level?

For API access that requires a high level of security, why is OAuth 2.0 insufficient?

TN: OAuth 2.0 is a framework for conveying authorization information among several entities, which allows it to be used flexibly in a wide range of use cases. Because of this flexibility, it may introduce security holes if it is used in the wrong way. To prevent this, detailed specifications of how to use OAuth 2.0 securely have been developed, such as the Financial-grade API (FAPI) security profile. For Open Banking use cases around the world, there are several in-service ecosystems whose security profiles are based on the FAPI 1.0 Advanced security profile: for example, the Open Banking Security Profile in the UK, the Consumer Data Right (CDR) security profile in Australia, and the Open Banking Brasil Financial-grade API Security Profile 1.0 in Brazil.

OAuth 2.0 is a framework for conveying authorization information among multiple entities. Because it is a framework, it is highly flexible and can be applied to a wide variety of use cases. That very flexibility means that if it is used incorrectly, security holes may arise. To prevent this, specifications that define in fine detail how OAuth 2.0 should be used securely have been created; these are called security profiles. One example is the Financial-grade API (FAPI) Security Profile. For Open Banking use cases, there are several security profiles based on this FAPI. Examples include the Open Banking Security Profile in the UK, the Consumer Data Right (CDR) security profile in Australia, and the Open Banking Brasil Financial-grade API Security Profile 1.0 in Brazil.

JP: How does FAPI accomplish accessing APIs that require a high-security level?


TN: It is difficult to explain briefly because FAPI covers a wide range of technologies. However, to summarize, FAPI determines precisely how OAuth 2.0 is to be used, to ensure that only the right client application can access the right API provided by the resource server.

Because FAPI touches on many different technical areas, it is hard to explain in a single sentence. If I had to, I would say that FAPI defines in fine detail how OAuth 2.0 is to be used, so that the right client application can correctly access the API.

JP: To become a maintainer of Keycloak, what kind of contribution activities did you do?


TN: I’ve been contributing security features to Keycloak. Among these contributions, my main one is adding FAPI support to Keycloak. However, it takes a lot of time and effort to do this by myself. Therefore, some contributors got together and established FAPI-SIG to work together on adding FAPI support to Keycloak. As a result, Keycloak 14 added support for the FAPI 1.0 Baseline security profile, the FAPI 1.0 Advanced security profile, and the FAPI-CIBA security profile.

I have continued to contribute security-related features to Keycloak. The main one among them is FAPI support. Doing this alone would take a great deal of time and effort, so contributors came together, launched FAPI-SIG, and carried out the work of supporting FAPI. As a result, from Keycloak 14 onward, the FAPI 1.0 Baseline security profile, FAPI 1.0 Advanced security profile, and FAPI-CIBA security profile are supported.

JP: What kind of support did you receive from your company for your contribution activities?


TN: My company, HITACHI, sees the real value of Keycloak, so it allows me to use a significant portion of my time for contribution activities on Keycloak.


JP: That’s wonderful. Thank you Norimatsu-san, I greatly appreciate your time.