FAPI / Open Banking Conformance #fapisum - Japan/UK Open Banking and APIs Summit 2018 - July 24, 2018
0 likes3,236 views
The document discusses FAPI/Open Banking conformance testing. It provides an overview of the conformance suite, including what it tests and its design goals. It then describes the test process for banks, demonstrates the conformance suite, and provides tips for successful FAPI deployment, including common problems banks faced in the UK and advice for running conformance testing early in development.
FAPI / Open Banking Conformance #fapisum - Japan/UK Open Banking and APIs Summit 2018 - July 24, 2018
- 1. FAPI/Open Banking Conformance Joseph Heenan, CTO July 2018
- 2. What we’re going to cover today •FAPI/Open Banking Conformance suite overview •Conformance suite demo •"Tips and Tricks" for successful conformance 24th July 2018 Joseph Heenan, CTO, fintechlabs.io 2
- 3. Who am I? • Joseph Heenan, CTO at fintechlabs & Senior Architect at Authlete • Software engineer & architect with over 25 years’ experience • Active contributor to the OpenID Connect FAPI specifications • Team lead/product owner on the Open Banking Conformance Suite • Assisted many of the largest UK (CMA9) banks with achieving compliance to the UK OpenBanking specification 24th July 2018 Joseph Heenan, CTO, fintechlabs.io 3
- 4. Conformance Suite Overview • Tests compliance to: • OpenBanking UK Security Profile • FAPI (Financial-Grade API profile for OpenID connect) • HEART (Health-related profile OpenID connect) • As part of above, also testssome (but not all) OpenID Connect & OAuth2 • Tests are applicable to: • IdP (identity provider – ie. Banks / ASPSP) • RP (relying party – ie. Fintechs / TPP / AISP / PISP) 24th July 2018 Joseph Heenan, CTO, fintechlabs.io 4
- 5. Why would you use conformance suite? • Reduced support costs • If your implementation is interoperable it will “just work” for third parties • Evidence of compliance to show government regulators • Evidence of compliance may reduce insurance costs, chances of security breach, etc • It will be embarrassing if other people test your server & you fail • Anyone can test a server 24th July 2018 Joseph Heenan, CTO, fintechlabs.io 5
- 6. Conformance Suite Design Goals • Multi-party protocol testing • Structured configuration • Structured logging and results • Deterministic, modular execution units • Protect sensitive configuration and results data • Transparent process • Usable as part of CI 24th July 2018 Joseph Heenan, CTO, fintechlabs.io 6
- 7. Overview of test process for banks • Prepare test deployment of your server • Must be accessible to the conformance suite • Create keys & TLS certificates • Register necessary clients to authorization server • Create conformance suite configuration using frontend • Read the instructions if you are not sure how • Create “test plan” applicable to your configuration • Start test plan • Start each test module within the plan, one at a time • Login to authorization server when instructed • View results and confirm “PASS”. 24th July 2018 Joseph Heenan, CTO, fintechlabs.io 7
- 8. Conformance suite demo (video) 24th July 2018 Joseph Heenan, CTO, fintechlabs.io 8
- 9. Tips & tricks for successful FAPI deployment 24th July 2018 Joseph Heenan, CTO, fintechlabs.io 9
- 10. Before you even start • Is OpenId Connect/FAPI part of your core competency? • Is it part of your value add? For fintechs, the answer is usually NO! Don’t reinvent the wheel – use existing OpenID Connect client libraries 24th July 2018 Joseph Heenan, CTO, fintechlabs.io 10
- 11. Conformance testing is not an afterthought • Run conformance testing early and often • Conformance test suite will help you • Be secure • Be inter-operable • Conformance testing is the easy route to interoperability • Banks generally return confusing or unhelpful error messages • Banks often tolerate incorrect implementations – but not consistently • Conformance testing can be part of your Continuous Integration 24th July 2018 Joseph Heenan, CTO, fintechlabs.io 11
- 12. Problems banks had in the UK (1) • Using software that was not OpenID Connect certified • Required a lot of last minute changes from their vendors • They missed government mandated “go live” date • Large number of certified vendors available – use one! 24th July 2018 Joseph Heenan, CTO, fintechlabs.io 12
- 13. Problems banks had in the UK (2) • Not running conformance suite till development complete • Required a lot of last minute changes from their vendors and their own software teams • They missed government mandated “go live” date • Run conformance suite often during development! • It can be deployed locally & integrated with your continuous integration system 24th July 2018 Joseph Heenan, CTO, fintechlabs.io 13
- 14. Problems banks had in the UK (3) • Staffing teams with generic engineers & testers • OAuth2, OpenID Connect & FAPI have some complexity • Dependency on underlying RFCs – JWT, HTTP/1.1, TLS, etc. • Some domain knowledge is essential • Without knowledge, profile compliance and conformance testing will be slow • Hire some experts for both development & test teams • Many competentconsultants available, including fintechlabs 24th July 2018 Joseph Heenan, CTO, fintechlabs.io 14
- 15. Problems banks had in the UK (4) • Poor security architectures • Some banks designed their architectures,then tried to retrofit FAPI • If you change your implementation to not be standardscompliant, you will fail conformance testing! • Example: trying to change token_endpoint in .well-known/openid- configuration to an array • Hire some experts for architecture teams • Many competentconsultants available, including fintechlabs 24th July 2018 Joseph Heenan, CTO, fintechlabs.io 15
- 16. Problems banks had in the UK (5) • Not reading instructions • Surprising number of banks simply ignore the single page documentation • RTFM! • It’ll be much faster - honest 24th July 2018 Joseph Heenan, CTO, fintechlabs.io 16
- 17. Problems banks had in the UK (6) • Not designing for interoperability • Security teams in many banks have a “send exactly what we say or your request will fail” approach • This isn’t compatible with open standards • E.g. in HTTP/1.1, charset is case insensitive, banks must accept both: • Accept: application/json; charset=utf-8 • Accept: application/json; charset=UTF-8 • Requires a mindset change in the security team • Low friction interoperable APIs and ecosystemsare important 24th July 2018 Joseph Heenan, CTO, fintechlabs.io 17
- 18. The End • Source code etc publicly available on gitlab: https://gitlab.com/fintechlabs/fapi-conformance-suite/ • Production deployment: http://fintechlabs-fapi-conformance-suite.fintechlabs.io/ (Login with any google account) • Open Source - contributions welcome, please ask if you’re like to help 24th July 2018 Joseph Heenan, CTO, fintechlabs.io 18