SlideShare a Scribd company logo

Comprehensive overview FAPI 1 and 2

T
Torsten Lodderstedt

FAPI 1 and 2 are security and interoperability profiles for OAuth that address high security requirements. FAPI 1 patched OAuth security issues and added features like CIBA mode and conformance testing. FAPI 2 aims to be simpler to use with mechanisms like PAR and broader scope through features like RAR and grant management. While some ecosystems use FAPI 1, FAPI 2 covers additional authorization needs and fits better with OpenID Connect, though incremental adoption of FAPI 2 features with FAPI 1 is possible.

Internet
1 of 24
Downloaded 15 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
Comprehensive Overview FAPI 1 and 2 Dr. Torsten Lodderstedt, yes.com
What is FAPI? ● A security and interoperability profile for OAuth for open banking and other use cases with high security requirements ● Includes new specifications as required
FAPI Family Tree Baseline Advanced FAPI 1 2016-06 2017-07 2018-10 I D 1 I D 2 2019-08 2021-07* Baseline Advanced 2021-02 I D 1 * Projection Only F I N A L uses existing OpenID Connect security mechanisms to patch OAuth security issues Adopted by UK OpenBanking, FDX (US/CA), CDR (Australia), and Brasil FAPI 2 Open Banking Survey OAuth Security Best Current Practice (BCP) the next evolutionary step, simpler to use and with a broader scope Adopted in yes open banking scheme (~1000 banks)
FAPI 1
FAPI 1 vs Plain OAuth ● Patches OAuth security issues, e.g. code replay, authorization request tampering, and mix-up ● Formal security analysis by University Stuttgart ● Adds CIBA (Decoupled) interaction mode (beside Redirect) ● Defines interoperable OAuth profile that can be tested for conformance ● Introduces conformance testing
Signed Requests { "scope":"openid consent:urn-amazingbank-0be7a3bb-33e6-4d73-b60a-9523aee6cc0d accounts", "response_type":"code id_token", "redirect_uri":"https://tpp.localhost/cb", "code_challenge":"0q5idWeuyFAGeHHpawD3k4mjE7WzPhw6hOdKbnAQY7s", "code_challenge_method":"S256", "state":"19a1456013b8be71e6ce89916c9723e0642e1eb42a9360146cc84178f2bc928e", "nonce":"8dedaf2c53f7ba7294825ca25e45aa544c3feda8fd4ac16220c216e973ad5fd7", "claims":{ "id_token":{ "auth_time":{ "essential":true }, "cpf":{ "values":[ "16386335767" ], "essential":true }, "given_name":{ "essential":true }, "acr":{ "values":[ "brasil:openbanking:standard" ], "essential":true } } }, "max_age":300, "iss":"clientIdFromAmazingBank", "aud":"https://auth.amazingbank.com.br", "client_id":"clientIdFromAmazingBank", "jti":"_fj7iamgC1wDzh8KXaJ7XzJiEK_s25DhoDs7uAxpU-k", "iat":1618672338, "exp":1618672638, "nbf":1618672338 } ● Protect integrity and authenticity of request ● Request can also be encrypted to protect confidentiality https://server.example.com/authorize? response_type=code%20id_token &client_id=s6BhdRkqt3 &redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb& &request=eyJhbGciOiJSU...zCYIb_NMXvtTIVc1jpspnTSD7xMbpL-2QgwUsAlMGzw
ID Token as Detached Signature HTTP/1.1 302 Found Location: https://tpp.localhost/cb# code=SplxlOBeZQQYbYS6WxSbIA &id_token=eyJ0 ... NiJ9.eyJ1c ... I6IjIifX0.DeWt4Qu ... ZXso &state=af0ifjsldkj { "iss": "http://server.example.com", "sub": "248289761001", "aud": "s6BhdRkqt3", "nonce": "n-0S6_WzA2Mj", "exp": 1311281970, "iat": 1311280970, "c_hash": "LDktKdoQak3Pk0cnXxCltA" "s_hash": "Zjk2Y2VhMTk4YWQxZGQ1Nj" } ● Protects against ○ code replay (nonce+c_hash) ○ mix-up (iss) ○ CSRF ● Requires “sub” (even if no federated id is required) ● End-User claims might be released in front channel (additional encryption might be required)
JARM (JWT Secured Authorization Response Mode) ● Response parameters are wrapped in a signed (optionally encrypted) JWT ● No user claims required ● works with plain OAuth { "iss":"https://accounts.example.com", "aud":"s6BhdRkqt3", "exp":1311281970, "code":"PyyFaux2o7Q0YfXBU32jhw.5FXSQpvr8akv9CeRDSd0QA", "state":"S8NJ7uqk5fY4EjNvP_G_FtyJu6pUsvH9jsYni9dMAJw" } HTTP/1.1 302 Found Location: https://client.example.com/cb? response=eyJraWQiOiJsYWViIiwiYWxnIjoiRVMyNTYifQ.eyAgImlzcyI6ICJodHRwczov L2FjY291bnRzLmV4YW1wbGUuY29tIiwgICJhdWQiOiAiczZCaGRSa3F0MyIsICAiZXhwIjog MTMxMTI4MTk3MCwgICJjb2RlIjogIlB5eUZhdXgybzdRMFlmWEJVMzJqaHcuNUZYU1FwdnI4 YWt2OUNlUkRTZDBRQSIsICAic3RhdGUiOiAiUzhOSjd1cWs1Zlk0RWpOdlBfR19GdHlKdTZw VXN2SDlqc1luaTlkTUFKdyJ9.4VdtknVZ9zFYDVLagJpVBD436bjPMcSgOaPDPFgTEkNyCs2 uIHYJ2XML6d2w1AUsm5GBG77DBisZNhLWfug6dA
Open Banking Survey ... … revealed that Open Banking Use Cases require: (1) authorization beyond scope values and (2) grant management capabilities Examples: - Lodging Intent (UK OB & NextGenPSD2) - Scope value + JSON object (Polish API) { "instructedAmount":{ "currency":"EUR", "amount":"123.50" }, "debtorAccount":{ "iban":"DE40100100103307118608" }, "creditorName":"Merchant123", "creditorAccount":{ "iban":"DE02100100109307118603" }, "remittanceInformationUnstructured":"Ref Number Merchant" } see https://cutt.ly/oauth-transaction-authorization for details
FAPI 2
FAPI 2 as next step ● Broader interoperability ○ through coverage of rich authorization / consent management and secure access to APIs ● Simpler to use ○ through new mechanisms (e.g. Pushed Authorization Requests/PAR, no ID Token as detached signature required) ● Well-understood and better-defined security ○ Formal attacker model ○ FAPI 2 Baseline fully protects against attacker model ○ FAPI 2 Baseline has same protection level as FAPI 1 Advanced ● More versatile ○ through alternative mechanism for token replay protection (DPoP)
Pushed Authorization Requests (PAR) Authorization request data is pushed to the AS before user dialog is startet → Can replace signed authorization requests → Simplified development through vendor support and reliance on TLS (signed requests possible) → Minimize data in front-channel to improve security and increase robustness POST /as/par HTTP/1.1 Host: as.example.com Content-Type: application/x-www-form-urlencoded Authorization: Basic czZCaGRSa3F0Mzo3Rmp.. response_type=code &client_id=s6BhdRkqt3&state=af0ifjsldkj &redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb <voluminous payload goes here> HTTP/1.1 201 Created Cache-Control: no-cache, no-store Content-Type: application/json { "request_uri":"urn:example:bwc4JK-ESC0w8acc1...", "expires_in": 90 } https://server.example.com/authorize? client_id=s6BhdRkqt3& request_uri=urn:example:bwc4JK-ESC0w8acc1...
Rich Authorization Requests (RAR) enable fine-grained and complex consents captured as JSON objects. ● Structure of authorization details can be defined as needed (e.g. per jurisdiction and AAP) ● Supports Multi-Consents → Can replace scopes + related authorization data (e.g. in lodging intents) [ { "type":"payment_initiation", "instructedAmount":{ "currency":"AUD", "amount":"123.50" }, "creditorName":"Merchant123", "creditorAccount":{ "bsb":"123-456", "accountNumber":"1234567890" }, "paymentDescription":"INV123456 Description123" } ] [ { "type":"brasil:openbanking:standard:data", "permissions":[ "ACCOUNTS_READ" ], "expirationDateTime":"2021-05-21T08:30:00Z", "transactionFromDateTime":"2021-01-01T00:00:00Z", "transactionToDateTime":"2021-02-01T23:59:59Z" } ]
Grant Management Grant Management enables support for ● consent state synchronization ● consent revocation ● concurrent consents ● consent update & renewal ● Dashboards Closely aligned with Australian requirements because it was started during AU CDR consent proposal discussions.
Grant Management (request new grant id) POST /as/par HTTP/1.1 Host: as.example.com Content-Type: application/x-www-form-urlencoded Authorization: Basic czZCaGRSa3F0Mzo3Rm... response_type=code& client_id=s6BhdRkqt3 &grant_management_action=create &state=af0ifjsldkj &redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb &code_challenge_method=S256 &code_challenge=K2-ltc83acc4h... &authorization_details=%5B%7B%2... HTTP/1.1 200 OK Content-Type: application/json Cache-Control: no-cache, no-store { "access_token": "2YotnFZFEjr1zCsicMWpAA", "token_type": "example", "expires_in": 3600, "refresh_token": "tGzv3JOkF0XG5Qx2TlKWIA", "grant_id":"0a15a804-b5b4-4a45-9cd9-18b1a44f3383", "authorization_details": [... ] } (Pushed) Authorization Request) Token Response
Grant Management (API) GET /grants/0a15a804-b5b4-4a45-9cd9-18b1a44f3383 Host: as.example-bank.com Authorization: Bearer 2YotnFZFEjr1zCsicMWpAA HTTP/1.1 200 OK Cache-Control: no-cache, no-store Content-Type: application/json { "authorization_details":[...] } DELETE /grants/0a15a804-b5b4-4a45-9cd9-18b1a44f3383 Host: as.example-bank.com Authorization: Bearer 2YotnFZFEjr1zCsicMWpAA HTTP/1.1 204 No Content Query Revoke
Grant Management (request use of certain grant) POST /as/par HTTP/1.1 Host: as.example.com Content-Type: application/x-www-form-urlencoded Authorization: Basic czZCaGRSa3F0Mzo3Rm... response_type=code& client_id=s6BhdRkqt3 &grant_management_action=update &grant_id=0a15a804-b5b4-4a45-9cd9-18b1a44f3383 &state=af0ifjsldkj &redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb &code_challenge_method=S256 &code_challenge=K2-ltc83acc4h... &authorization_details=%5B%7B%2... (Pushed) Authorization Request) Use cases ● Renew grant (because it is about to be expire) ● Update existing grant ● Ensure authorization process is performed with same user ● Allows identification of user (alternative login hint for CIBA)
PKCE POST /as/par HTTP/1.1 Host: as.example.com Content-Type: application/x-www-form-urlencoded Authorization: Basic czZCaGRSa3F0Mzo3Rmp.. response_type=code &client_id=s6BhdRkqt3&state=af0ifjsldkj &redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb &code_challenge_method=S256 &code_challenge=E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM ... POST /as/par HTTP/1.1 Host: as.example.com Content-Type: application/x-www-form-urlencoded Authorization: Basic czZCaGRSa3F0Mzo3Rmp.. grant_type=authorization_code &code=SplxlOBeZQQYbYS6WxSbIA &redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb &code_verifier=dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk PKCE (RFC 7636) is used to detect code replay and CSRF Dynamically generated cryptographically random key used to bind transaction to browser/device → simple and robust → security check moved to AS → Can replace ID token as detached signature
Feature Comparison Topic FAPI 1 FAPI 2 Request Integrity Signed Request Objects PAR CSRF state + s_hash in ID Token PKCE Code Replay ID Token as detached signature or JARM or PKCE PKCE Mix-Up iss claim in ID token or JARM iss response parameter Access Token Replay mTLS mTLS or DPoP Rich authorizations data custom solutions, e.g. Lodging Intent PAR+RAR Consent management custom solutions, e.g. Lodging Intent Grant Management Non-repudiation Signed Request Objects, ID Token as detached signature API not covered JAR, JARM, Signed Introspection Response, Simple HTTP Message Integrity Protocol B a s e l i n e A d v
FAPI 1 (lodging intent) vs FAPI 2 (PAR+RAR)
MTLS FAPI Family Tree Baseline Advanced ver.1 2016-06 2017-07 2018-10 I D 1 I D 2 JARM ID 1 FAPI-CIBA 2019-08 2021-07* “Public” Client Prof. ID 1 Baseline=JAR+PAR+RAR Advanced PAR RFC8705 2021-02 F I N A L I D 1 * Projection Only ver.2 F I N A L RAR L C
FAPI adoption in new ecosystems ● Reasons to use FAPI 1 ○ If vendors in an ecosystem already support FAPI 1 ○ FAPI 1 is a mature and widely supported security profile. ● Reasons to use FAPI 2 ○ FAPI 2 is easier to implement ○ FAPI 2 covers complex authorization requests and grant lifecycle management aspects ○ FAPI 2 (as profile for API access authorization) better fits with OpenID Connect (for identity claims provisioning) then FAPI 1
Ecosystems already using FAPI 1 ● Benefit for adoption: ○ Simpler protocol and improved interoperability ○ Specification aligned with the latest OAuth best practices and security advice ● Incremental adoption of FAPI 2 modules possible: ○ Example: Australia adopted PAR with FAPI 1 ○ RAR + Grant Management as full lifecycle consent management solution for FAPI 1 ● Running both profile in parallel is possible ○ Would allow new clients to utilize the simpler protocol (and existing clients to migrate)
Q & A

More Related Content

PDF
Red Hat OpenShift Container Platform Overview
James Falkner
 
PDF
Kong API
Patrick Pierson
 
PDF
Zynq MPSoC勉強会 Codec編
Tetsuya Morizumi
 
PDF
Nervesが開拓する「ElixirでIoT」の新世界
Hideki Takase
 
PDF
Introduction to Kong API Gateway
Yohann Ciurlik
 
PDF
Keycloak拡張入門
Hiroyuki Wada
 
PPTX
Gatekeeper: API gateway
ChengHui Weng
 
PDF
Riverpodでテストを書こう
Shinnosuke Tokuda
 
Red Hat OpenShift Container Platform Overview
James Falkner
 
Kong API
Patrick Pierson
 
Zynq MPSoC勉強会 Codec編
Tetsuya Morizumi
 
Nervesが開拓する「ElixirでIoT」の新世界
Hideki Takase
 
Introduction to Kong API Gateway
Yohann Ciurlik
 
Keycloak拡張入門
Hiroyuki Wada
 
Gatekeeper: API gateway
ChengHui Weng
 
Riverpodでテストを書こう
Shinnosuke Tokuda
 

What's hot (20)

PDF
【BS13】チーム開発がこんなにも快適に!コーディングもデバッグも GitHub 上で。 GitHub Codespaces で叶えられるシームレスな開発
日本マイクロソフト株式会社
 
PDF
クラウドとAWSの説明
真吾 吉田
 
PDF
Building an API Security Strategy
SmartBear
 
PPT
Workshop: API Management
WSO2
 
PDF
ブルックスのいう銀の弾丸とは何か?
Yoshitaka Kawashima
 
PDF
Container Security Essentials
DNIF
 
PPTX
[社内勉強会]ELBとALBと数万スパイク負荷テスト
Takahiro Moteki
 
PDF
AWS Black Belt Online Seminar AWS Direct Connect
Amazon Web Services Japan
 
PDF
だれも教えてくれないJavaの世界。 あと、ぼくが会社員になったわけ。
なおき きしだ
 
PDF
.NET Core時代のCI/CD
Yuta Matsumura
 
PDF
ABAPも進化が止まらない! ABAP RESTful Programming Model
SusumuHonna
 
KEY
やはりお前らのMVCは間違っている
Koichi Tanaka
 
PPTX
Kafka vs kinesis
Kaushal Lahankar, FRM
 
PDF
OpenID Connect Client Initiated Backchannel Authentication Flow (CIBA)のご紹介 ~ ...
OpenID Foundation Japan
 
PDF
Comparison of Current Service Mesh Architectures
Mirantis
 
PPTX
ゲームエンジニアのためのデータベース設計
sairoutine
 
PDF
Microservices
Stephan Lindauer
 
PDF
[CEDEC 2021] 運用中タイトルでも怖くない! 『メルクストーリア』におけるハイパフォーマンス・ローコストなリアルタイム通信技術の導入事例
Naoya Kishimoto
 
PPTX
Kong
Troublemaker Khunpech
 
PDF
ドメイン駆動設計のための Spring の上手な使い方
増田 亨
 
【BS13】チーム開発がこんなにも快適に!コーディングもデバッグも GitHub 上で。 GitHub Codespaces で叶えられるシームレスな開発
日本マイクロソフト株式会社
 
クラウドとAWSの説明
真吾 吉田
 
Building an API Security Strategy
SmartBear
 
Workshop: API Management
WSO2
 
ブルックスのいう銀の弾丸とは何か?
Yoshitaka Kawashima
 
Container Security Essentials
DNIF
 
[社内勉強会]ELBとALBと数万スパイク負荷テスト
Takahiro Moteki
 
AWS Black Belt Online Seminar AWS Direct Connect
Amazon Web Services Japan
 
だれも教えてくれないJavaの世界。 あと、ぼくが会社員になったわけ。
なおき きしだ
 
.NET Core時代のCI/CD
Yuta Matsumura
 
ABAPも進化が止まらない! ABAP RESTful Programming Model
SusumuHonna
 
やはりお前らのMVCは間違っている
Koichi Tanaka
 
Kafka vs kinesis
Kaushal Lahankar, FRM
 
OpenID Connect Client Initiated Backchannel Authentication Flow (CIBA)のご紹介 ~ ...
OpenID Foundation Japan
 
Comparison of Current Service Mesh Architectures
Mirantis
 
ゲームエンジニアのためのデータベース設計
sairoutine
 
Microservices
Stephan Lindauer
 
[CEDEC 2021] 運用中タイトルでも怖くない! 『メルクストーリア』におけるハイパフォーマンス・ローコストなリアルタイム通信技術の導入事例
Naoya Kishimoto
 
Kong
Troublemaker Khunpech
 
ドメイン駆動設計のための Spring の上手な使い方
増田 亨
 
Ad

Similar to Comprehensive overview FAPI 1 and 2 (20)

PPTX
Comprehensive overview FAPI 1 and FAPI 2
Torsten Lodderstedt
 
PDF
apidays Paris 2022 - Securing APIs in Open Banking, Takashi Norimatsu, Hitachi
apidays
 
PDF
APIdays Paris 2019 : Financial-grade API (FAPI) Security Profile
Hitachi, Ltd. OSS Solution Center.
 
PDF
APIdays Paris 2019 - What are protected and secured by security requirements ...
apidays
 
PDF
Open Bank Project Presentation Tel Aviv CA 4th April 2017
simonredfern
 
PDF
Building a Fool Proof Security Strategy for PSD2 Compliance
WSO2
 
PDF
Rich Authorization Requests
Torsten Lodderstedt
 
PDF
ForgeRock Open banking - Meetup 28/06/2018
Quentin Castel
 
PDF
RAR and GNAP for VC HTTP API
Justin Richer
 
PDF
OpenID Foundation FAPI WG: June 2017 Update
Nat Sakimura
 
PDF
OpenID Foundation Workshop at EIC 2018 - Introduction to the FAPI Read & Writ...
MikeLeszcz
 
PPTX
Extended Security with WSO2 API Management Platform
WSO2
 
PPTX
Financial Grade OAuth & OpenID Connect
Nat Sakimura
 
PDF
Understanding Identity in the World of Web APIs – Ronnie Mitra, API Architec...
CA API Management
 
PPTX
Enterprise Access Control Patterns for Rest and Web APIs
CA API Management
 
PDF
What’s New With WSO2 Open Banking?
WSO2
 
PPTX
OpenID Foundation Foundation Financial API (FAPI) WG
Nat Sakimura
 
PPTX
OAuth
Adi Challa
 
PPTX
OAuth and OpenID Connect for PSD2 and Third-Party Access
Nordic APIs
 
PDF
Top X OAuth 2 Hacks
Antonio Sanso
 
Comprehensive overview FAPI 1 and FAPI 2
Torsten Lodderstedt
 
apidays Paris 2022 - Securing APIs in Open Banking, Takashi Norimatsu, Hitachi
apidays
 
APIdays Paris 2019 : Financial-grade API (FAPI) Security Profile
Hitachi, Ltd. OSS Solution Center.
 
APIdays Paris 2019 - What are protected and secured by security requirements ...
apidays
 
Open Bank Project Presentation Tel Aviv CA 4th April 2017
simonredfern
 
Building a Fool Proof Security Strategy for PSD2 Compliance
WSO2
 
Rich Authorization Requests
Torsten Lodderstedt
 
ForgeRock Open banking - Meetup 28/06/2018
Quentin Castel
 
RAR and GNAP for VC HTTP API
Justin Richer
 
OpenID Foundation FAPI WG: June 2017 Update
Nat Sakimura
 
OpenID Foundation Workshop at EIC 2018 - Introduction to the FAPI Read & Writ...
MikeLeszcz
 
Extended Security with WSO2 API Management Platform
WSO2
 
Financial Grade OAuth & OpenID Connect
Nat Sakimura
 
Understanding Identity in the World of Web APIs – Ronnie Mitra, API Architec...
CA API Management
 
Enterprise Access Control Patterns for Rest and Web APIs
CA API Management
 
What’s New With WSO2 Open Banking?
WSO2
 
OpenID Foundation Foundation Financial API (FAPI) WG
Nat Sakimura
 
OAuth
Adi Challa
 
OAuth and OpenID Connect for PSD2 and Third-Party Access
Nordic APIs
 
Top X OAuth 2 Hacks
Antonio Sanso
 
Ad

More from Torsten Lodderstedt (20)

PDF
OpenID 4 Verifiable Credentials + HAIP (Update)
Torsten Lodderstedt
 
PDF
The European Union goes Decentralized
Torsten Lodderstedt
 
PDF
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
Torsten Lodderstedt
 
PDF
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
Torsten Lodderstedt
 
PPTX
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
Torsten Lodderstedt
 
PDF
OpenID for Verifiable Credentials @ IIW 36
Torsten Lodderstedt
 
PDF
OpenID for Verifiable Credentials
Torsten Lodderstedt
 
PDF
OpenID for Verifiable Credentials (IIW 35)
Torsten Lodderstedt
 
PPTX
OpenID for Verifiable Credentials
Torsten Lodderstedt
 
PPTX
GAIN Presentation.pptx
Torsten Lodderstedt
 
PDF
OpenID for SSI
Torsten Lodderstedt
 
PDF
OpenID Connect 4 SSI (DIFCon F2F)
Torsten Lodderstedt
 
PDF
OpenID Connect 4 SSI
Torsten Lodderstedt
 
PDF
OpenID Connect 4 SSI (at EIC 2021)
Torsten Lodderstedt
 
PDF
OIDC4VP for AB/C WG
Torsten Lodderstedt
 
PDF
OpenID Connect 4 Identity Assurance at IIW #32
Torsten Lodderstedt
 
PPTX
OpenID Connect for W3C Verifiable Credential Objects
Torsten Lodderstedt
 
PPTX
Identity Assurance with OpenID Connect
Torsten Lodderstedt
 
PPTX
NextGenPSD2 OAuth SCA Mode Security Recommendations
Torsten Lodderstedt
 
PDF
Pushed Authorization Requests
Torsten Lodderstedt
 
OpenID 4 Verifiable Credentials + HAIP (Update)
Torsten Lodderstedt
 
The European Union goes Decentralized
Torsten Lodderstedt
 
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
Torsten Lodderstedt
 
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
Torsten Lodderstedt
 
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
Torsten Lodderstedt
 
OpenID for Verifiable Credentials @ IIW 36
Torsten Lodderstedt
 
OpenID for Verifiable Credentials
Torsten Lodderstedt
 
OpenID for Verifiable Credentials (IIW 35)
Torsten Lodderstedt
 
OpenID for Verifiable Credentials
Torsten Lodderstedt
 
GAIN Presentation.pptx
Torsten Lodderstedt
 
OpenID for SSI
Torsten Lodderstedt
 
OpenID Connect 4 SSI (DIFCon F2F)
Torsten Lodderstedt
 
OpenID Connect 4 SSI
Torsten Lodderstedt
 
OpenID Connect 4 SSI (at EIC 2021)
Torsten Lodderstedt
 
OIDC4VP for AB/C WG
Torsten Lodderstedt
 
OpenID Connect 4 Identity Assurance at IIW #32
Torsten Lodderstedt
 
OpenID Connect for W3C Verifiable Credential Objects
Torsten Lodderstedt
 
Identity Assurance with OpenID Connect
Torsten Lodderstedt
 
NextGenPSD2 OAuth SCA Mode Security Recommendations
Torsten Lodderstedt
 
Pushed Authorization Requests
Torsten Lodderstedt
 

Recently uploaded (20)

PPT
Design_with_Watersergyerge45hrbgre4top (1).ppt
DiogoRibeiro730590
 
PPTX
INTERNET------BASICS-------UPDATED PPT PRESENTATION
poonam62133
 
PDF
Testing WebRTC applications at scale.pdf
Giacomo Vacca
 
PDF
Vigrab.top – Online Tool for Downloading and Converting Social Media Videos a...
Vigrab Top
 
PPTX
CHE NAA, , b,mn,mblblblbljb jb jlb ,j , ,C PPT.pptx
sumodmjohn3
 
PDF
Sims 4 Historia para lo sims 4 para jugar
lolpopy34
 
PDF
💰 𝐔𝐊𝐓𝐈 𝐊𝐄𝐌𝐄𝐍𝐀𝐍𝐆𝐀𝐍 𝐊𝐈𝐏𝐄𝐑𝟒𝐃 𝐇𝐀𝐑𝐈 𝐈𝐍𝐈 𝟐𝟎𝟐𝟓 💰
GRAB
 
PDF
The Internet -By the Numbers, Sri Lanka Edition
APNIC
 
PPTX
Digital Literacy And Online Safety on internet
riksa rifqi
 
PDF
WebRTC in SignalWire - troubleshooting media negotiation
Giacomo Vacca
 
PDF
Introduction to the IoT system, how the IoT system works
TinBinh
 
PPTX
Module 1 - Cyber Law and Ethics 101.pptx
anantyakhrisna1
 
PDF
Paper PDF World Game (s) Great Redesign.pdf
Steven McGee
 
PDF
APNIC Update, presented at PHNOG 2025 by Shane Hermoso
APNIC
 
PDF
How to Ensure Data Integrity During Shopify Migration_ Best Practices for Sec...
CartCoders
 
PPTX
presentation_pfe-universite-molay-seltan.pptx
yahyamohibme
 
PDF
Slides PDF The World Game (s) Eco Economic Epochs.pdf
Steven McGee
 
PPTX
522797556-Unit-2-Temperature-measurement-1-1.pptx
msar8888
 
PDF
The New Creative Director: How AI Tools for Social Media Content Creation Are...
SageTitans
 
PDF
FINAL CALL-6th International Conference on Networks & IOT (NeTIOT 2025)
IJMIT JOURNAL
 
Design_with_Watersergyerge45hrbgre4top (1).ppt
DiogoRibeiro730590
 
INTERNET------BASICS-------UPDATED PPT PRESENTATION
poonam62133
 
Testing WebRTC applications at scale.pdf
Giacomo Vacca
 
Vigrab.top – Online Tool for Downloading and Converting Social Media Videos a...
Vigrab Top
 
CHE NAA, , b,mn,mblblblbljb jb jlb ,j , ,C PPT.pptx
sumodmjohn3
 
Sims 4 Historia para lo sims 4 para jugar
lolpopy34
 
💰 𝐔𝐊𝐓𝐈 𝐊𝐄𝐌𝐄𝐍𝐀𝐍𝐆𝐀𝐍 𝐊𝐈𝐏𝐄𝐑𝟒𝐃 𝐇𝐀𝐑𝐈 𝐈𝐍𝐈 𝟐𝟎𝟐𝟓 💰
GRAB
 
The Internet -By the Numbers, Sri Lanka Edition
APNIC
 
Digital Literacy And Online Safety on internet
riksa rifqi
 
WebRTC in SignalWire - troubleshooting media negotiation
Giacomo Vacca
 
Introduction to the IoT system, how the IoT system works
TinBinh
 
Module 1 - Cyber Law and Ethics 101.pptx
anantyakhrisna1
 
Paper PDF World Game (s) Great Redesign.pdf
Steven McGee
 
APNIC Update, presented at PHNOG 2025 by Shane Hermoso
APNIC
 
How to Ensure Data Integrity During Shopify Migration_ Best Practices for Sec...
CartCoders
 
presentation_pfe-universite-molay-seltan.pptx
yahyamohibme
 
Slides PDF The World Game (s) Eco Economic Epochs.pdf
Steven McGee
 
522797556-Unit-2-Temperature-measurement-1-1.pptx
msar8888
 
The New Creative Director: How AI Tools for Social Media Content Creation Are...
SageTitans
 
FINAL CALL-6th International Conference on Networks & IOT (NeTIOT 2025)
IJMIT JOURNAL
 

Comprehensive overview FAPI 1 and 2

  • 1. Comprehensive Overview FAPI 1 and 2 Dr. Torsten Lodderstedt, yes.com
  • 2. What is FAPI? ● A security and interoperability profile for OAuth for open banking and other use cases with high security requirements ● Includes new specifications as required
  • 3. FAPI Family Tree Baseline Advanced FAPI 1 2016-06 2017-07 2018-10 I D 1 I D 2 2019-08 2021-07* Baseline Advanced 2021-02 I D 1 * Projection Only F I N A L uses existing OpenID Connect security mechanisms to patch OAuth security issues Adopted by UK OpenBanking, FDX (US/CA), CDR (Australia), and Brasil FAPI 2 Open Banking Survey OAuth Security Best Current Practice (BCP) the next evolutionary step, simpler to use and with a broader scope Adopted in yes open banking scheme (~1000 banks)
  • 5. FAPI 1 vs Plain OAuth ● Patches OAuth security issues, e.g. code replay, authorization request tampering, and mix-up ● Formal security analysis by University Stuttgart ● Adds CIBA (Decoupled) interaction mode (beside Redirect) ● Defines interoperable OAuth profile that can be tested for conformance ● Introduces conformance testing
  • 6. Signed Requests { "scope":"openid consent:urn-amazingbank-0be7a3bb-33e6-4d73-b60a-9523aee6cc0d accounts", "response_type":"code id_token", "redirect_uri":"https://tpp.localhost/cb", "code_challenge":"0q5idWeuyFAGeHHpawD3k4mjE7WzPhw6hOdKbnAQY7s", "code_challenge_method":"S256", "state":"19a1456013b8be71e6ce89916c9723e0642e1eb42a9360146cc84178f2bc928e", "nonce":"8dedaf2c53f7ba7294825ca25e45aa544c3feda8fd4ac16220c216e973ad5fd7", "claims":{ "id_token":{ "auth_time":{ "essential":true }, "cpf":{ "values":[ "16386335767" ], "essential":true }, "given_name":{ "essential":true }, "acr":{ "values":[ "brasil:openbanking:standard" ], "essential":true } } }, "max_age":300, "iss":"clientIdFromAmazingBank", "aud":"https://auth.amazingbank.com.br", "client_id":"clientIdFromAmazingBank", "jti":"_fj7iamgC1wDzh8KXaJ7XzJiEK_s25DhoDs7uAxpU-k", "iat":1618672338, "exp":1618672638, "nbf":1618672338 } ● Protect integrity and authenticity of request ● Request can also be encrypted to protect confidentiality https://server.example.com/authorize? response_type=code%20id_token &client_id=s6BhdRkqt3 &redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb& &request=eyJhbGciOiJSU...zCYIb_NMXvtTIVc1jpspnTSD7xMbpL-2QgwUsAlMGzw
  • 7. ID Token as Detached Signature HTTP/1.1 302 Found Location: https://tpp.localhost/cb# code=SplxlOBeZQQYbYS6WxSbIA &id_token=eyJ0 ... NiJ9.eyJ1c ... I6IjIifX0.DeWt4Qu ... ZXso &state=af0ifjsldkj { "iss": "http://server.example.com", "sub": "248289761001", "aud": "s6BhdRkqt3", "nonce": "n-0S6_WzA2Mj", "exp": 1311281970, "iat": 1311280970, "c_hash": "LDktKdoQak3Pk0cnXxCltA" "s_hash": "Zjk2Y2VhMTk4YWQxZGQ1Nj" } ● Protects against ○ code replay (nonce+c_hash) ○ mix-up (iss) ○ CSRF ● Requires “sub” (even if no federated id is required) ● End-User claims might be released in front channel (additional encryption might be required)
  • 8. JARM (JWT Secured Authorization Response Mode) ● Response parameters are wrapped in a signed (optionally encrypted) JWT ● No user claims required ● works with plain OAuth { "iss":"https://accounts.example.com", "aud":"s6BhdRkqt3", "exp":1311281970, "code":"PyyFaux2o7Q0YfXBU32jhw.5FXSQpvr8akv9CeRDSd0QA", "state":"S8NJ7uqk5fY4EjNvP_G_FtyJu6pUsvH9jsYni9dMAJw" } HTTP/1.1 302 Found Location: https://client.example.com/cb? response=eyJraWQiOiJsYWViIiwiYWxnIjoiRVMyNTYifQ.eyAgImlzcyI6ICJodHRwczov L2FjY291bnRzLmV4YW1wbGUuY29tIiwgICJhdWQiOiAiczZCaGRSa3F0MyIsICAiZXhwIjog MTMxMTI4MTk3MCwgICJjb2RlIjogIlB5eUZhdXgybzdRMFlmWEJVMzJqaHcuNUZYU1FwdnI4 YWt2OUNlUkRTZDBRQSIsICAic3RhdGUiOiAiUzhOSjd1cWs1Zlk0RWpOdlBfR19GdHlKdTZw VXN2SDlqc1luaTlkTUFKdyJ9.4VdtknVZ9zFYDVLagJpVBD436bjPMcSgOaPDPFgTEkNyCs2 uIHYJ2XML6d2w1AUsm5GBG77DBisZNhLWfug6dA
  • 9. Open Banking Survey ... … revealed that Open Banking Use Cases require: (1) authorization beyond scope values and (2) grant management capabilities Examples: - Lodging Intent (UK OB & NextGenPSD2) - Scope value + JSON object (Polish API) { "instructedAmount":{ "currency":"EUR", "amount":"123.50" }, "debtorAccount":{ "iban":"DE40100100103307118608" }, "creditorName":"Merchant123", "creditorAccount":{ "iban":"DE02100100109307118603" }, "remittanceInformationUnstructured":"Ref Number Merchant" } see https://cutt.ly/oauth-transaction-authorization for details
  • 11. FAPI 2 as next step ● Broader interoperability ○ through coverage of rich authorization / consent management and secure access to APIs ● Simpler to use ○ through new mechanisms (e.g. Pushed Authorization Requests/PAR, no ID Token as detached signature required) ● Well-understood and better-defined security ○ Formal attacker model ○ FAPI 2 Baseline fully protects against attacker model ○ FAPI 2 Baseline has same protection level as FAPI 1 Advanced ● More versatile ○ through alternative mechanism for token replay protection (DPoP)
  • 12. Pushed Authorization Requests (PAR) Authorization request data is pushed to the AS before user dialog is startet → Can replace signed authorization requests → Simplified development through vendor support and reliance on TLS (signed requests possible) → Minimize data in front-channel to improve security and increase robustness POST /as/par HTTP/1.1 Host: as.example.com Content-Type: application/x-www-form-urlencoded Authorization: Basic czZCaGRSa3F0Mzo3Rmp.. response_type=code &client_id=s6BhdRkqt3&state=af0ifjsldkj &redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb <voluminous payload goes here> HTTP/1.1 201 Created Cache-Control: no-cache, no-store Content-Type: application/json { "request_uri":"urn:example:bwc4JK-ESC0w8acc1...", "expires_in": 90 } https://server.example.com/authorize? client_id=s6BhdRkqt3& request_uri=urn:example:bwc4JK-ESC0w8acc1...
  • 13. Rich Authorization Requests (RAR) enable fine-grained and complex consents captured as JSON objects. ● Structure of authorization details can be defined as needed (e.g. per jurisdiction and AAP) ● Supports Multi-Consents → Can replace scopes + related authorization data (e.g. in lodging intents) [ { "type":"payment_initiation", "instructedAmount":{ "currency":"AUD", "amount":"123.50" }, "creditorName":"Merchant123", "creditorAccount":{ "bsb":"123-456", "accountNumber":"1234567890" }, "paymentDescription":"INV123456 Description123" } ] [ { "type":"brasil:openbanking:standard:data", "permissions":[ "ACCOUNTS_READ" ], "expirationDateTime":"2021-05-21T08:30:00Z", "transactionFromDateTime":"2021-01-01T00:00:00Z", "transactionToDateTime":"2021-02-01T23:59:59Z" } ]
  • 14. Grant Management Grant Management enables support for ● consent state synchronization ● consent revocation ● concurrent consents ● consent update & renewal ● Dashboards Closely aligned with Australian requirements because it was started during AU CDR consent proposal discussions.
  • 15. Grant Management (request new grant id) POST /as/par HTTP/1.1 Host: as.example.com Content-Type: application/x-www-form-urlencoded Authorization: Basic czZCaGRSa3F0Mzo3Rm... response_type=code& client_id=s6BhdRkqt3 &grant_management_action=create &state=af0ifjsldkj &redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb &code_challenge_method=S256 &code_challenge=K2-ltc83acc4h... &authorization_details=%5B%7B%2... HTTP/1.1 200 OK Content-Type: application/json Cache-Control: no-cache, no-store { "access_token": "2YotnFZFEjr1zCsicMWpAA", "token_type": "example", "expires_in": 3600, "refresh_token": "tGzv3JOkF0XG5Qx2TlKWIA", "grant_id":"0a15a804-b5b4-4a45-9cd9-18b1a44f3383", "authorization_details": [... ] } (Pushed) Authorization Request) Token Response
  • 16. Grant Management (API) GET /grants/0a15a804-b5b4-4a45-9cd9-18b1a44f3383 Host: as.example-bank.com Authorization: Bearer 2YotnFZFEjr1zCsicMWpAA HTTP/1.1 200 OK Cache-Control: no-cache, no-store Content-Type: application/json { "authorization_details":[...] } DELETE /grants/0a15a804-b5b4-4a45-9cd9-18b1a44f3383 Host: as.example-bank.com Authorization: Bearer 2YotnFZFEjr1zCsicMWpAA HTTP/1.1 204 No Content Query Revoke
  • 17. Grant Management (request use of certain grant) POST /as/par HTTP/1.1 Host: as.example.com Content-Type: application/x-www-form-urlencoded Authorization: Basic czZCaGRSa3F0Mzo3Rm... response_type=code& client_id=s6BhdRkqt3 &grant_management_action=update &grant_id=0a15a804-b5b4-4a45-9cd9-18b1a44f3383 &state=af0ifjsldkj &redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb &code_challenge_method=S256 &code_challenge=K2-ltc83acc4h... &authorization_details=%5B%7B%2... (Pushed) Authorization Request) Use cases ● Renew grant (because it is about to be expire) ● Update existing grant ● Ensure authorization process is performed with same user ● Allows identification of user (alternative login hint for CIBA)
  • 18. PKCE POST /as/par HTTP/1.1 Host: as.example.com Content-Type: application/x-www-form-urlencoded Authorization: Basic czZCaGRSa3F0Mzo3Rmp.. response_type=code &client_id=s6BhdRkqt3&state=af0ifjsldkj &redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb &code_challenge_method=S256 &code_challenge=E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM ... POST /as/par HTTP/1.1 Host: as.example.com Content-Type: application/x-www-form-urlencoded Authorization: Basic czZCaGRSa3F0Mzo3Rmp.. grant_type=authorization_code &code=SplxlOBeZQQYbYS6WxSbIA &redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb &code_verifier=dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk PKCE (RFC 7636) is used to detect code replay and CSRF Dynamically generated cryptographically random key used to bind transaction to browser/device → simple and robust → security check moved to AS → Can replace ID token as detached signature
  • 19. Feature Comparison Topic FAPI 1 FAPI 2 Request Integrity Signed Request Objects PAR CSRF state + s_hash in ID Token PKCE Code Replay ID Token as detached signature or JARM or PKCE PKCE Mix-Up iss claim in ID token or JARM iss response parameter Access Token Replay mTLS mTLS or DPoP Rich authorizations data custom solutions, e.g. Lodging Intent PAR+RAR Consent management custom solutions, e.g. Lodging Intent Grant Management Non-repudiation Signed Request Objects, ID Token as detached signature API not covered JAR, JARM, Signed Introspection Response, Simple HTTP Message Integrity Protocol B a s e l i n e A d v
  • 20. FAPI 1 (lodging intent) vs FAPI 2 (PAR+RAR)
  • 21. MTLS FAPI Family Tree Baseline Advanced ver.1 2016-06 2017-07 2018-10 I D 1 I D 2 JARM ID 1 FAPI-CIBA 2019-08 2021-07* “Public” Client Prof. ID 1 Baseline=JAR+PAR+RAR Advanced PAR RFC8705 2021-02 F I N A L I D 1 * Projection Only ver.2 F I N A L RAR L C
  • 22. FAPI adoption in new ecosystems ● Reasons to use FAPI 1 ○ If vendors in an ecosystem already support FAPI 1 ○ FAPI 1 is a mature and widely supported security profile. ● Reasons to use FAPI 2 ○ FAPI 2 is easier to implement ○ FAPI 2 covers complex authorization requests and grant lifecycle management aspects ○ FAPI 2 (as profile for API access authorization) better fits with OpenID Connect (for identity claims provisioning) then FAPI 1
  • 23. Ecosystems already using FAPI 1 ● Benefit for adoption: ○ Simpler protocol and improved interoperability ○ Specification aligned with the latest OAuth best practices and security advice ● Incremental adoption of FAPI 2 modules possible: ○ Example: Australia adopted PAR with FAPI 1 ○ RAR + Grant Management as full lifecycle consent management solution for FAPI 1 ● Running both profile in parallel is possible ○ Would allow new clients to utilize the simpler protocol (and existing clients to migrate)
  • 24. Q & A