SlideShare a Scribd company logo

Comprehensive overview FAPI 1 and 2

โ€ข
โ€ข
T
Torsten Lodderstedt

FAPI 1 and 2 are security and interoperability profiles for OAuth that address high security requirements. FAPI 1 patched OAuth security issues and added features like CIBA mode and conformance testing. FAPI 2 aims to be simpler to use with mechanisms like PAR and broader scope through features like RAR and grant management. While some ecosystems use FAPI 1, FAPI 2 covers additional authorization needs and fits better with OpenID Connect, though incremental adoption of FAPI 2 features with FAPI 1 is possible.

Internet
1 of 24
Download to read offline
Comprehensive Overview FAPI 1 and 2 Dr. Torsten Lodderstedt, yes.com
What is FAPI? โ— A security and interoperability profile for OAuth for open banking and other use cases with high security requirements โ— Includes new specifications as required
FAPI Family Tree Baseline Advanced FAPI 1 2016-06 2017-07 2018-10 I D 1 I D 2 2019-08 2021-07* Baseline Advanced 2021-02 I D 1 * Projection Only F I N A L uses existing OpenID Connect security mechanisms to patch OAuth security issues Adopted by UK OpenBanking, FDX (US/CA), CDR (Australia), and Brasil FAPI 2 Open Banking Survey OAuth Security Best Current Practice (BCP) the next evolutionary step, simpler to use and with a broader scope Adopted in yes open banking scheme (~1000 banks)
FAPI 1
FAPI 1 vs Plain OAuth โ— Patches OAuth security issues, e.g. code replay, authorization request tampering, and mix-up โ— Formal security analysis by University Stuttgart โ— Adds CIBA (Decoupled) interaction mode (beside Redirect) โ— Defines interoperable OAuth profile that can be tested for conformance โ— Introduces conformance testing
Signed Requests { "scope":"openid consent:urn-amazingbank-0be7a3bb-33e6-4d73-b60a-9523aee6cc0d accounts", "response_type":"code id_token", "redirect_uri":"https://tpp.localhost/cb", "code_challenge":"0q5idWeuyFAGeHHpawD3k4mjE7WzPhw6hOdKbnAQY7s", "code_challenge_method":"S256", "state":"19a1456013b8be71e6ce89916c9723e0642e1eb42a9360146cc84178f2bc928e", "nonce":"8dedaf2c53f7ba7294825ca25e45aa544c3feda8fd4ac16220c216e973ad5fd7", "claims":{ "id_token":{ "auth_time":{ "essential":true }, "cpf":{ "values":[ "16386335767" ], "essential":true }, "given_name":{ "essential":true }, "acr":{ "values":[ "brasil:openbanking:standard" ], "essential":true } } }, "max_age":300, "iss":"clientIdFromAmazingBank", "aud":"https://auth.amazingbank.com.br", "client_id":"clientIdFromAmazingBank", "jti":"_fj7iamgC1wDzh8KXaJ7XzJiEK_s25DhoDs7uAxpU-k", "iat":1618672338, "exp":1618672638, "nbf":1618672338 } โ— Protect integrity and authenticity of request โ— Request can also be encrypted to protect confidentiality https://server.example.com/authorize? response_type=code%20id_token &client_id=s6BhdRkqt3 &redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb& &request=eyJhbGciOiJSU...zCYIb_NMXvtTIVc1jpspnTSD7xMbpL-2QgwUsAlMGzw
ID Token as Detached Signature HTTP/1.1 302 Found Location: https://tpp.localhost/cb# code=SplxlOBeZQQYbYS6WxSbIA &id_token=eyJ0 ... NiJ9.eyJ1c ... I6IjIifX0.DeWt4Qu ... ZXso &state=af0ifjsldkj { "iss": "http://server.example.com", "sub": "248289761001", "aud": "s6BhdRkqt3", "nonce": "n-0S6_WzA2Mj", "exp": 1311281970, "iat": 1311280970, "c_hash": "LDktKdoQak3Pk0cnXxCltA" "s_hash": "Zjk2Y2VhMTk4YWQxZGQ1Nj" } โ— Protects against โ—‹ code replay (nonce+c_hash) โ—‹ mix-up (iss) โ—‹ CSRF โ— Requires โ€œsubโ€ (even if no federated id is required) โ— End-User claims might be released in front channel (additional encryption might be required)
JARM (JWT Secured Authorization Response Mode) โ— Response parameters are wrapped in a signed (optionally encrypted) JWT โ— No user claims required โ— works with plain OAuth { "iss":"https://accounts.example.com", "aud":"s6BhdRkqt3", "exp":1311281970, "code":"PyyFaux2o7Q0YfXBU32jhw.5FXSQpvr8akv9CeRDSd0QA", "state":"S8NJ7uqk5fY4EjNvP_G_FtyJu6pUsvH9jsYni9dMAJw" } HTTP/1.1 302 Found Location: https://client.example.com/cb? response=eyJraWQiOiJsYWViIiwiYWxnIjoiRVMyNTYifQ.eyAgImlzcyI6ICJodHRwczov L2FjY291bnRzLmV4YW1wbGUuY29tIiwgICJhdWQiOiAiczZCaGRSa3F0MyIsICAiZXhwIjog MTMxMTI4MTk3MCwgICJjb2RlIjogIlB5eUZhdXgybzdRMFlmWEJVMzJqaHcuNUZYU1FwdnI4 YWt2OUNlUkRTZDBRQSIsICAic3RhdGUiOiAiUzhOSjd1cWs1Zlk0RWpOdlBfR19GdHlKdTZw VXN2SDlqc1luaTlkTUFKdyJ9.4VdtknVZ9zFYDVLagJpVBD436bjPMcSgOaPDPFgTEkNyCs2 uIHYJ2XML6d2w1AUsm5GBG77DBisZNhLWfug6dA
Open Banking Survey ... โ€ฆ revealed that Open Banking Use Cases require: (1) authorization beyond scope values and (2) grant management capabilities Examples: - Lodging Intent (UK OB & NextGenPSD2) - Scope value + JSON object (Polish API) { "instructedAmount":{ "currency":"EUR", "amount":"123.50" }, "debtorAccount":{ "iban":"DE40100100103307118608" }, "creditorName":"Merchant123", "creditorAccount":{ "iban":"DE02100100109307118603" }, "remittanceInformationUnstructured":"Ref Number Merchant" } see https://cutt.ly/oauth-transaction-authorization for details
FAPI 2
FAPI 2 as next step โ— Broader interoperability โ—‹ through coverage of rich authorization / consent management and secure access to APIs โ— Simpler to use โ—‹ through new mechanisms (e.g. Pushed Authorization Requests/PAR, no ID Token as detached signature required) โ— Well-understood and better-defined security โ—‹ Formal attacker model โ—‹ FAPI 2 Baseline fully protects against attacker model โ—‹ FAPI 2 Baseline has same protection level as FAPI 1 Advanced โ— More versatile โ—‹ through alternative mechanism for token replay protection (DPoP)
Pushed Authorization Requests (PAR) Authorization request data is pushed to the AS before user dialog is startet โ†’ Can replace signed authorization requests โ†’ Simplified development through vendor support and reliance on TLS (signed requests possible) โ†’ Minimize data in front-channel to improve security and increase robustness POST /as/par HTTP/1.1 Host: as.example.com Content-Type: application/x-www-form-urlencoded Authorization: Basic czZCaGRSa3F0Mzo3Rmp.. response_type=code &client_id=s6BhdRkqt3&state=af0ifjsldkj &redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb <voluminous payload goes here> HTTP/1.1 201 Created Cache-Control: no-cache, no-store Content-Type: application/json { "request_uri":"urn:example:bwc4JK-ESC0w8acc1...", "expires_in": 90 } https://server.example.com/authorize? client_id=s6BhdRkqt3& request_uri=urn:example:bwc4JK-ESC0w8acc1...
Rich Authorization Requests (RAR) enable fine-grained and complex consents captured as JSON objects. โ— Structure of authorization details can be defined as needed (e.g. per jurisdiction and AAP) โ— Supports Multi-Consents โ†’ Can replace scopes + related authorization data (e.g. in lodging intents) [ { "type":"payment_initiation", "instructedAmount":{ "currency":"AUD", "amount":"123.50" }, "creditorName":"Merchant123", "creditorAccount":{ "bsb":"123-456", "accountNumber":"1234567890" }, "paymentDescription":"INV123456 Description123" } ] [ { "type":"brasil:openbanking:standard:data", "permissions":[ "ACCOUNTS_READ" ], "expirationDateTime":"2021-05-21T08:30:00Z", "transactionFromDateTime":"2021-01-01T00:00:00Z", "transactionToDateTime":"2021-02-01T23:59:59Z" } ]
Grant Management Grant Management enables support for โ— consent state synchronization โ— consent revocation โ— concurrent consents โ— consent update & renewal โ— Dashboards Closely aligned with Australian requirements because it was started during AU CDR consent proposal discussions.
Grant Management (request new grant id) POST /as/par HTTP/1.1 Host: as.example.com Content-Type: application/x-www-form-urlencoded Authorization: Basic czZCaGRSa3F0Mzo3Rm... response_type=code& client_id=s6BhdRkqt3 &grant_management_action=create &state=af0ifjsldkj &redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb &code_challenge_method=S256 &code_challenge=K2-ltc83acc4h... &authorization_details=%5B%7B%2... HTTP/1.1 200 OK Content-Type: application/json Cache-Control: no-cache, no-store { "access_token": "2YotnFZFEjr1zCsicMWpAA", "token_type": "example", "expires_in": 3600, "refresh_token": "tGzv3JOkF0XG5Qx2TlKWIA", "grant_id":"0a15a804-b5b4-4a45-9cd9-18b1a44f3383", "authorization_details": [... ] } (Pushed) Authorization Request) Token Response
Grant Management (API) GET /grants/0a15a804-b5b4-4a45-9cd9-18b1a44f3383 Host: as.example-bank.com Authorization: Bearer 2YotnFZFEjr1zCsicMWpAA HTTP/1.1 200 OK Cache-Control: no-cache, no-store Content-Type: application/json { "authorization_details":[...] } DELETE /grants/0a15a804-b5b4-4a45-9cd9-18b1a44f3383 Host: as.example-bank.com Authorization: Bearer 2YotnFZFEjr1zCsicMWpAA HTTP/1.1 204 No Content Query Revoke
Grant Management (request use of certain grant) POST /as/par HTTP/1.1 Host: as.example.com Content-Type: application/x-www-form-urlencoded Authorization: Basic czZCaGRSa3F0Mzo3Rm... response_type=code& client_id=s6BhdRkqt3 &grant_management_action=update &grant_id=0a15a804-b5b4-4a45-9cd9-18b1a44f3383 &state=af0ifjsldkj &redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb &code_challenge_method=S256 &code_challenge=K2-ltc83acc4h... &authorization_details=%5B%7B%2... (Pushed) Authorization Request) Use cases โ— Renew grant (because it is about to be expire) โ— Update existing grant โ— Ensure authorization process is performed with same user โ— Allows identification of user (alternative login hint for CIBA)
PKCE POST /as/par HTTP/1.1 Host: as.example.com Content-Type: application/x-www-form-urlencoded Authorization: Basic czZCaGRSa3F0Mzo3Rmp.. response_type=code &client_id=s6BhdRkqt3&state=af0ifjsldkj &redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb &code_challenge_method=S256 &code_challenge=E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM ... POST /as/par HTTP/1.1 Host: as.example.com Content-Type: application/x-www-form-urlencoded Authorization: Basic czZCaGRSa3F0Mzo3Rmp.. grant_type=authorization_code &code=SplxlOBeZQQYbYS6WxSbIA &redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb &code_verifier=dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk PKCE (RFC 7636) is used to detect code replay and CSRF Dynamically generated cryptographically random key used to bind transaction to browser/device โ†’ simple and robust โ†’ security check moved to AS โ†’ Can replace ID token as detached signature
Feature Comparison Topic FAPI 1 FAPI 2 Request Integrity Signed Request Objects PAR CSRF state + s_hash in ID Token PKCE Code Replay ID Token as detached signature or JARM or PKCE PKCE Mix-Up iss claim in ID token or JARM iss response parameter Access Token Replay mTLS mTLS or DPoP Rich authorizations data custom solutions, e.g. Lodging Intent PAR+RAR Consent management custom solutions, e.g. Lodging Intent Grant Management Non-repudiation Signed Request Objects, ID Token as detached signature API not covered JAR, JARM, Signed Introspection Response, Simple HTTP Message Integrity Protocol B a s e l i n e A d v
FAPI 1 (lodging intent) vs FAPI 2 (PAR+RAR)
MTLS FAPI Family Tree Baseline Advanced ver.1 2016-06 2017-07 2018-10 I D 1 I D 2 JARM ID 1 FAPI-CIBA 2019-08 2021-07* โ€œPublicโ€ Client Prof. ID 1 Baseline=JAR+PAR+RAR Advanced PAR RFC8705 2021-02 F I N A L I D 1 * Projection Only ver.2 F I N A L RAR L C
FAPI adoption in new ecosystems โ— Reasons to use FAPI 1 โ—‹ If vendors in an ecosystem already support FAPI 1 โ—‹ FAPI 1 is a mature and widely supported security profile. โ— Reasons to use FAPI 2 โ—‹ FAPI 2 is easier to implement โ—‹ FAPI 2 covers complex authorization requests and grant lifecycle management aspects โ—‹ FAPI 2 (as profile for API access authorization) better fits with OpenID Connect (for identity claims provisioning) then FAPI 1
Ecosystems already using FAPI 1 โ— Benefit for adoption: โ—‹ Simpler protocol and improved interoperability โ—‹ Specification aligned with the latest OAuth best practices and security advice โ— Incremental adoption of FAPI 2 modules possible: โ—‹ Example: Australia adopted PAR with FAPI 1 โ—‹ RAR + Grant Management as full lifecycle consent management solution for FAPI 1 โ— Running both profile in parallel is possible โ—‹ Would allow new clients to utilize the simpler protocol (and existing clients to migrate)
Q & A

Recommended

Comprehensive overview FAPI 1 and FAPI 2
Comprehensive overview FAPI 1 and FAPI 2Comprehensive overview FAPI 1 and FAPI 2
Comprehensive overview FAPI 1 and FAPI 2Torsten Lodderstedt
ย 
Pushed Authorization Requests
Pushed Authorization RequestsPushed Authorization Requests
Pushed Authorization RequestsTorsten Lodderstedt
ย 
Rich Authorization Requests
Rich Authorization RequestsRich Authorization Requests
Rich Authorization RequestsTorsten Lodderstedt
ย 
Identity Assurance with OpenID Connect
Identity Assurance with OpenID ConnectIdentity Assurance with OpenID Connect
Identity Assurance with OpenID ConnectTorsten Lodderstedt
ย 
Writing REST APIs with OpenAPI and Swagger Ada
Writing REST APIs with OpenAPI and Swagger AdaWriting REST APIs with OpenAPI and Swagger Ada
Writing REST APIs with OpenAPI and Swagger AdaStephane Carrez
ย 
REST API testing with SpecFlow
REST API testing with SpecFlowREST API testing with SpecFlow
REST API testing with SpecFlowAiste Stikliute
ย 
Azure OpenAI ๋ฐ ChatGPT ์‹ค์Šต๊ฐ€์ด๋“œ (Hands-on-lab)
Azure OpenAI ๋ฐ ChatGPT ์‹ค์Šต๊ฐ€์ด๋“œ (Hands-on-lab) Azure OpenAI ๋ฐ ChatGPT ์‹ค์Šต๊ฐ€์ด๋“œ (Hands-on-lab)
Azure OpenAI ๋ฐ ChatGPT ์‹ค์Šต๊ฐ€์ด๋“œ (Hands-on-lab) Minnie Seungmin Cho
ย 
OIDC4VP for AB/C WG
OIDC4VP for AB/C WGOIDC4VP for AB/C WG
OIDC4VP for AB/C WGTorsten Lodderstedt
ย 

Recommended

Comprehensive overview FAPI 1 and FAPI 2
Comprehensive overview FAPI 1 and FAPI 2Comprehensive overview FAPI 1 and FAPI 2
Comprehensive overview FAPI 1 and FAPI 2Torsten Lodderstedt
ย 
Pushed Authorization Requests
Pushed Authorization RequestsPushed Authorization Requests
Pushed Authorization RequestsTorsten Lodderstedt
ย 
Rich Authorization Requests
Rich Authorization RequestsRich Authorization Requests
Rich Authorization RequestsTorsten Lodderstedt
ย 
Identity Assurance with OpenID Connect
Identity Assurance with OpenID ConnectIdentity Assurance with OpenID Connect
Identity Assurance with OpenID ConnectTorsten Lodderstedt
ย 
Writing REST APIs with OpenAPI and Swagger Ada
Writing REST APIs with OpenAPI and Swagger AdaWriting REST APIs with OpenAPI and Swagger Ada
Writing REST APIs with OpenAPI and Swagger AdaStephane Carrez
ย 
REST API testing with SpecFlow
REST API testing with SpecFlowREST API testing with SpecFlow
REST API testing with SpecFlowAiste Stikliute
ย 
Azure OpenAI ๋ฐ ChatGPT ์‹ค์Šต๊ฐ€์ด๋“œ (Hands-on-lab)
Azure OpenAI ๋ฐ ChatGPT ์‹ค์Šต๊ฐ€์ด๋“œ (Hands-on-lab) Azure OpenAI ๋ฐ ChatGPT ์‹ค์Šต๊ฐ€์ด๋“œ (Hands-on-lab)
Azure OpenAI ๋ฐ ChatGPT ์‹ค์Šต๊ฐ€์ด๋“œ (Hands-on-lab) Minnie Seungmin Cho
ย 
OIDC4VP for AB/C WG
OIDC4VP for AB/C WGOIDC4VP for AB/C WG
OIDC4VP for AB/C WGTorsten Lodderstedt
ย 
Mobile Browser Internal (Blink Rendering Engine)
Mobile Browser Internal (Blink Rendering Engine)Mobile Browser Internal (Blink Rendering Engine)
Mobile Browser Internal (Blink Rendering Engine)Hyungwook Lee
ย 
OAuth 2.0 Integration Patterns with XACML
OAuth 2.0 Integration Patterns with XACMLOAuth 2.0 Integration Patterns with XACML
OAuth 2.0 Integration Patterns with XACMLPrabath Siriwardena
ย 
JOSE Can You See...
JOSE Can You See...JOSE Can You See...
JOSE Can You See...Brian Campbell
ย 
OpenID Connect Explained
OpenID Connect ExplainedOpenID Connect Explained
OpenID Connect ExplainedVladimir Dzhuvinov
ย 
Introducing Playwright's New Test Runner
Introducing Playwright's New Test RunnerIntroducing Playwright's New Test Runner
Introducing Playwright's New Test RunnerApplitools
ย 
FIDO2 Specifications Overview
FIDO2 Specifications OverviewFIDO2 Specifications Overview
FIDO2 Specifications OverviewFIDO Alliance
ย 
OpenID Connect: An Overview
OpenID Connect: An OverviewOpenID Connect: An Overview
OpenID Connect: An OverviewPat Patterson
ย 
OpenAPI and gRPC Side by-Side
OpenAPI and gRPC Side by-SideOpenAPI and gRPC Side by-Side
OpenAPI and gRPC Side by-SideTim Burks
ย 
Implementing WebAuthn & FAPI supports on Keycloak
Implementing WebAuthn & FAPI supports on KeycloakImplementing WebAuthn & FAPI supports on Keycloak
Implementing WebAuthn & FAPI supports on KeycloakYuichi Nakamura
ย 
Understanding REST APIs in 5 Simple Steps
Understanding REST APIs in 5 Simple StepsUnderstanding REST APIs in 5 Simple Steps
Understanding REST APIs in 5 Simple StepsTessa Mero
ย 
REST API Design & Development
REST API Design & DevelopmentREST API Design & Development
REST API Design & DevelopmentAshok Pundit
ย 
OAuth in the Wild
OAuth in the WildOAuth in the Wild
OAuth in the WildVictor Rentea
ย 
OpenID Connect 4 SSI (DIFCon F2F)
OpenID Connect 4 SSI (DIFCon F2F)OpenID Connect 4 SSI (DIFCon F2F)
OpenID Connect 4 SSI (DIFCon F2F)Torsten Lodderstedt
ย 
OAuth 2.0 for Web and Native (Mobile) App Developers
OAuth 2.0 for Web and Native (Mobile) App DevelopersOAuth 2.0 for Web and Native (Mobile) App Developers
OAuth 2.0 for Web and Native (Mobile) App DevelopersPrabath Siriwardena
ย 
Webauthn Tutorial
Webauthn TutorialWebauthn Tutorial
Webauthn TutorialFIDO Alliance
ย 
Community call: Develop multi tenant apps with the Microsoft identity platform
Community call: Develop multi tenant apps with the Microsoft identity platformCommunity call: Develop multi tenant apps with the Microsoft identity platform
Community call: Develop multi tenant apps with the Microsoft identity platformMicrosoft 365 Developer
ย 
Understanding OpenID
Understanding OpenIDUnderstanding OpenID
Understanding OpenIDPrabath Siriwardena
ย 
Python์˜ ๊ณ„์‚ฐ์„ฑ๋Šฅ ํ–ฅ์ƒ์„ ์œ„ํ•ด Fortran, C, CUDA-C, OpenCL-C ์ฝ”๋“œ๋“ค๊ณผ ์—ฐ๋™ํ•˜๊ธฐ
Python์˜ ๊ณ„์‚ฐ์„ฑ๋Šฅ ํ–ฅ์ƒ์„ ์œ„ํ•ด Fortran, C, CUDA-C, OpenCL-C ์ฝ”๋“œ๋“ค๊ณผ ์—ฐ๋™ํ•˜๊ธฐPython์˜ ๊ณ„์‚ฐ์„ฑ๋Šฅ ํ–ฅ์ƒ์„ ์œ„ํ•ด Fortran, C, CUDA-C, OpenCL-C ์ฝ”๋“œ๋“ค๊ณผ ์—ฐ๋™ํ•˜๊ธฐ
Python์˜ ๊ณ„์‚ฐ์„ฑ๋Šฅ ํ–ฅ์ƒ์„ ์œ„ํ•ด Fortran, C, CUDA-C, OpenCL-C ์ฝ”๋“œ๋“ค๊ณผ ์—ฐ๋™ํ•˜๊ธฐKi-Hwan Kim
ย 
OAuth2 + API Security
OAuth2 + API SecurityOAuth2 + API Security
OAuth2 + API SecurityAmila Paranawithana
ย 
์•Œ์•„๋ณด์ž Dependency Injection๊ณผ Deli
์•Œ์•„๋ณด์ž Dependency Injection๊ณผ Deli์•Œ์•„๋ณด์ž Dependency Injection๊ณผ Deli
์•Œ์•„๋ณด์ž Dependency Injection๊ณผ DeliJungwon An
ย 
iMasters Intercon 2016 - Identity within Microservices
iMasters Intercon 2016 - Identity within MicroservicesiMasters Intercon 2016 - Identity within Microservices
iMasters Intercon 2016 - Identity within MicroservicesErick Belluci Tedeschi
ย 
InterCon 2016 - Seguranรงa de identidade digital levando em consideraรงรฃo uma a...
InterCon 2016 - Seguranรงa de identidade digital levando em consideraรงรฃo uma a...InterCon 2016 - Seguranรงa de identidade digital levando em consideraรงรฃo uma a...
InterCon 2016 - Seguranรงa de identidade digital levando em consideraรงรฃo uma a...iMasters
ย 

More Related Content

What's hot

Mobile Browser Internal (Blink Rendering Engine)
Mobile Browser Internal (Blink Rendering Engine)Mobile Browser Internal (Blink Rendering Engine)
Mobile Browser Internal (Blink Rendering Engine)Hyungwook Lee
ย 
OAuth 2.0 Integration Patterns with XACML
OAuth 2.0 Integration Patterns with XACMLOAuth 2.0 Integration Patterns with XACML
OAuth 2.0 Integration Patterns with XACMLPrabath Siriwardena
ย 
JOSE Can You See...
JOSE Can You See...JOSE Can You See...
JOSE Can You See...Brian Campbell
ย 
OpenID Connect Explained
OpenID Connect ExplainedOpenID Connect Explained
OpenID Connect ExplainedVladimir Dzhuvinov
ย 
Introducing Playwright's New Test Runner
Introducing Playwright's New Test RunnerIntroducing Playwright's New Test Runner
Introducing Playwright's New Test RunnerApplitools
ย 
FIDO2 Specifications Overview
FIDO2 Specifications OverviewFIDO2 Specifications Overview
FIDO2 Specifications OverviewFIDO Alliance
ย 
OpenID Connect: An Overview
OpenID Connect: An OverviewOpenID Connect: An Overview
OpenID Connect: An OverviewPat Patterson
ย 
OpenAPI and gRPC Side by-Side
OpenAPI and gRPC Side by-SideOpenAPI and gRPC Side by-Side
OpenAPI and gRPC Side by-SideTim Burks
ย 
Implementing WebAuthn & FAPI supports on Keycloak
Implementing WebAuthn & FAPI supports on KeycloakImplementing WebAuthn & FAPI supports on Keycloak
Implementing WebAuthn & FAPI supports on KeycloakYuichi Nakamura
ย 
Understanding REST APIs in 5 Simple Steps
Understanding REST APIs in 5 Simple StepsUnderstanding REST APIs in 5 Simple Steps
Understanding REST APIs in 5 Simple StepsTessa Mero
ย 
REST API Design & Development
REST API Design & DevelopmentREST API Design & Development
REST API Design & DevelopmentAshok Pundit
ย 
OAuth in the Wild
OAuth in the WildOAuth in the Wild
OAuth in the WildVictor Rentea
ย 
OpenID Connect 4 SSI (DIFCon F2F)
OpenID Connect 4 SSI (DIFCon F2F)OpenID Connect 4 SSI (DIFCon F2F)
OpenID Connect 4 SSI (DIFCon F2F)Torsten Lodderstedt
ย 
OAuth 2.0 for Web and Native (Mobile) App Developers
OAuth 2.0 for Web and Native (Mobile) App DevelopersOAuth 2.0 for Web and Native (Mobile) App Developers
OAuth 2.0 for Web and Native (Mobile) App DevelopersPrabath Siriwardena
ย 
Webauthn Tutorial
Webauthn TutorialWebauthn Tutorial
Webauthn TutorialFIDO Alliance
ย 
Community call: Develop multi tenant apps with the Microsoft identity platform
Community call: Develop multi tenant apps with the Microsoft identity platformCommunity call: Develop multi tenant apps with the Microsoft identity platform
Community call: Develop multi tenant apps with the Microsoft identity platformMicrosoft 365 Developer
ย 
Python์˜ ๊ณ„์‚ฐ์„ฑ๋Šฅ ํ–ฅ์ƒ์„ ์œ„ํ•ด Fortran, C, CUDA-C, OpenCL-C ์ฝ”๋“œ๋“ค๊ณผ ์—ฐ๋™ํ•˜๊ธฐ
Python์˜ ๊ณ„์‚ฐ์„ฑ๋Šฅ ํ–ฅ์ƒ์„ ์œ„ํ•ด Fortran, C, CUDA-C, OpenCL-C ์ฝ”๋“œ๋“ค๊ณผ ์—ฐ๋™ํ•˜๊ธฐPython์˜ ๊ณ„์‚ฐ์„ฑ๋Šฅ ํ–ฅ์ƒ์„ ์œ„ํ•ด Fortran, C, CUDA-C, OpenCL-C ์ฝ”๋“œ๋“ค๊ณผ ์—ฐ๋™ํ•˜๊ธฐ
Python์˜ ๊ณ„์‚ฐ์„ฑ๋Šฅ ํ–ฅ์ƒ์„ ์œ„ํ•ด Fortran, C, CUDA-C, OpenCL-C ์ฝ”๋“œ๋“ค๊ณผ ์—ฐ๋™ํ•˜๊ธฐKi-Hwan Kim
ย 
์•Œ์•„๋ณด์ž Dependency Injection๊ณผ Deli
์•Œ์•„๋ณด์ž Dependency Injection๊ณผ Deli์•Œ์•„๋ณด์ž Dependency Injection๊ณผ Deli
์•Œ์•„๋ณด์ž Dependency Injection๊ณผ DeliJungwon An
ย 

What's hot (20)

Mobile Browser Internal (Blink Rendering Engine)
Mobile Browser Internal (Blink Rendering Engine)Mobile Browser Internal (Blink Rendering Engine)
Mobile Browser Internal (Blink Rendering Engine)
ย 
OAuth 2.0 Integration Patterns with XACML
OAuth 2.0 Integration Patterns with XACMLOAuth 2.0 Integration Patterns with XACML
OAuth 2.0 Integration Patterns with XACML
ย 
JOSE Can You See...
JOSE Can You See...JOSE Can You See...
JOSE Can You See...
ย 
OpenID Connect Explained
OpenID Connect ExplainedOpenID Connect Explained
OpenID Connect Explained
ย 
Introducing Playwright's New Test Runner
Introducing Playwright's New Test RunnerIntroducing Playwright's New Test Runner
Introducing Playwright's New Test Runner
ย 
FIDO2 Specifications Overview
FIDO2 Specifications OverviewFIDO2 Specifications Overview
FIDO2 Specifications Overview
ย 
OpenID Connect: An Overview
OpenID Connect: An OverviewOpenID Connect: An Overview
OpenID Connect: An Overview
ย 
OpenAPI and gRPC Side by-Side
OpenAPI and gRPC Side by-SideOpenAPI and gRPC Side by-Side
OpenAPI and gRPC Side by-Side
ย 
Implementing WebAuthn & FAPI supports on Keycloak
Implementing WebAuthn & FAPI supports on KeycloakImplementing WebAuthn & FAPI supports on Keycloak
Implementing WebAuthn & FAPI supports on Keycloak
ย 
Understanding REST APIs in 5 Simple Steps
Understanding REST APIs in 5 Simple StepsUnderstanding REST APIs in 5 Simple Steps
Understanding REST APIs in 5 Simple Steps
ย 
REST API Design & Development
REST API Design & DevelopmentREST API Design & Development
REST API Design & Development
ย 
OAuth in the Wild
OAuth in the WildOAuth in the Wild
OAuth in the Wild
ย 
OpenID Connect 4 SSI (DIFCon F2F)
OpenID Connect 4 SSI (DIFCon F2F)OpenID Connect 4 SSI (DIFCon F2F)
OpenID Connect 4 SSI (DIFCon F2F)
ย 
OAuth 2.0 for Web and Native (Mobile) App Developers
OAuth 2.0 for Web and Native (Mobile) App DevelopersOAuth 2.0 for Web and Native (Mobile) App Developers
OAuth 2.0 for Web and Native (Mobile) App Developers
ย 
Webauthn Tutorial
Webauthn TutorialWebauthn Tutorial
Webauthn Tutorial
ย 
Community call: Develop multi tenant apps with the Microsoft identity platform
Community call: Develop multi tenant apps with the Microsoft identity platformCommunity call: Develop multi tenant apps with the Microsoft identity platform
Community call: Develop multi tenant apps with the Microsoft identity platform
ย 
Understanding OpenID
Understanding OpenIDUnderstanding OpenID
Understanding OpenID
ย 
Python์˜ ๊ณ„์‚ฐ์„ฑ๋Šฅ ํ–ฅ์ƒ์„ ์œ„ํ•ด Fortran, C, CUDA-C, OpenCL-C ์ฝ”๋“œ๋“ค๊ณผ ์—ฐ๋™ํ•˜๊ธฐ
Python์˜ ๊ณ„์‚ฐ์„ฑ๋Šฅ ํ–ฅ์ƒ์„ ์œ„ํ•ด Fortran, C, CUDA-C, OpenCL-C ์ฝ”๋“œ๋“ค๊ณผ ์—ฐ๋™ํ•˜๊ธฐPython์˜ ๊ณ„์‚ฐ์„ฑ๋Šฅ ํ–ฅ์ƒ์„ ์œ„ํ•ด Fortran, C, CUDA-C, OpenCL-C ์ฝ”๋“œ๋“ค๊ณผ ์—ฐ๋™ํ•˜๊ธฐ
Python์˜ ๊ณ„์‚ฐ์„ฑ๋Šฅ ํ–ฅ์ƒ์„ ์œ„ํ•ด Fortran, C, CUDA-C, OpenCL-C ์ฝ”๋“œ๋“ค๊ณผ ์—ฐ๋™ํ•˜๊ธฐ
ย 
OAuth2 + API Security
OAuth2 + API SecurityOAuth2 + API Security
OAuth2 + API Security
ย 
์•Œ์•„๋ณด์ž Dependency Injection๊ณผ Deli
์•Œ์•„๋ณด์ž Dependency Injection๊ณผ Deli์•Œ์•„๋ณด์ž Dependency Injection๊ณผ Deli
์•Œ์•„๋ณด์ž Dependency Injection๊ณผ Deli
ย 

Similar to Comprehensive overview FAPI 1 and 2

iMasters Intercon 2016 - Identity within Microservices
iMasters Intercon 2016 - Identity within MicroservicesiMasters Intercon 2016 - Identity within Microservices
iMasters Intercon 2016 - Identity within MicroservicesErick Belluci Tedeschi
ย 
InterCon 2016 - Seguranรงa de identidade digital levando em consideraรงรฃo uma a...
InterCon 2016 - Seguranรงa de identidade digital levando em consideraรงรฃo uma a...InterCon 2016 - Seguranรงa de identidade digital levando em consideraรงรฃo uma a...
InterCon 2016 - Seguranรงa de identidade digital levando em consideraรงรฃo uma a...iMasters
ย 
Interoperability and APIs in OpenStack
Interoperability and APIs in OpenStackInteroperability and APIs in OpenStack
Interoperability and APIs in OpenStackpiyush_harsh
ย 
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"Andreas Falk
ย 
PSD2: Latvijas Komercbanku asociฤcijas pozฤซcija
PSD2: Latvijas Komercbanku asociฤcijas pozฤซcijaPSD2: Latvijas Komercbanku asociฤcijas pozฤซcija
PSD2: Latvijas Komercbanku asociฤcijas pozฤซcijaLatvijas Banka
ย 
OAuth2 for IoT Security: Why OpenID Connect & UMA Are They Key
OAuth2 for IoT Security: Why OpenID Connect & UMA Are They KeyOAuth2 for IoT Security: Why OpenID Connect & UMA Are They Key
OAuth2 for IoT Security: Why OpenID Connect & UMA Are They KeyMike Schwartz
ย 
OpenID for Verifiable Credentials
OpenID for Verifiable CredentialsOpenID for Verifiable Credentials
OpenID for Verifiable CredentialsTorsten Lodderstedt
ย 
OAuth and OpenID Connect for PSD2 and Third-Party Access
OAuth and OpenID Connect for PSD2 and Third-Party AccessOAuth and OpenID Connect for PSD2 and Third-Party Access
OAuth and OpenID Connect for PSD2 and Third-Party AccessNordic APIs
ย 
ietf oauth proof-of-possession.ppt sdfsdfs
ietf oauth proof-of-possession.ppt sdfsdfsietf oauth proof-of-possession.ppt sdfsdfs
ietf oauth proof-of-possession.ppt sdfsdfsDucAnhLe56
ย 
Securing FIWARE Architectures
Securing FIWARE ArchitecturesSecuring FIWARE Architectures
Securing FIWARE ArchitecturesFIWARE
ย 
SAML VS OAuth 2.0 VS OpenID Connect
SAML VS OAuth 2.0 VS OpenID ConnectSAML VS OAuth 2.0 VS OpenID Connect
SAML VS OAuth 2.0 VS OpenID ConnectUbisecure
ย 
UDDI from JAVA Web services
UDDI from JAVA Web services UDDI from JAVA Web services
UDDI from JAVA Web services uday katti
ย 
20190516 web security-basic
20190516 web security-basic20190516 web security-basic
20190516 web security-basicMksYi
ย 
OpenID 4 Verifiable Credentials + HAIP (Update)
OpenID 4 Verifiable Credentials + HAIP (Update)OpenID 4 Verifiable Credentials + HAIP (Update)
OpenID 4 Verifiable Credentials + HAIP (Update)Torsten Lodderstedt
ย 
High Availability by Design
High Availability by DesignHigh Availability by Design
High Availability by DesignDavid Prinzing
ย 
WSO2 Identity Server 5.3.0 - Product Release Webinar
WSO2 Identity Server 5.3.0 - Product Release WebinarWSO2 Identity Server 5.3.0 - Product Release Webinar
WSO2 Identity Server 5.3.0 - Product Release WebinarWSO2
ย 
How we eased out security journey with OAuth (Goodbye Kerberos!) | Paul Makka...
How we eased out security journey with OAuth (Goodbye Kerberos!) | Paul Makka...How we eased out security journey with OAuth (Goodbye Kerberos!) | Paul Makka...
How we eased out security journey with OAuth (Goodbye Kerberos!) | Paul Makka...HostedbyConfluent
ย 
SWXG 2010.6.9 v2
SWXG 2010.6.9 v2SWXG 2010.6.9 v2
SWXG 2010.6.9 v2Paul Trevithick
ย 

Similar to Comprehensive overview FAPI 1 and 2 (20)

iMasters Intercon 2016 - Identity within Microservices
iMasters Intercon 2016 - Identity within MicroservicesiMasters Intercon 2016 - Identity within Microservices
iMasters Intercon 2016 - Identity within Microservices
ย 
InterCon 2016 - Seguranรงa de identidade digital levando em consideraรงรฃo uma a...
InterCon 2016 - Seguranรงa de identidade digital levando em consideraรงรฃo uma a...InterCon 2016 - Seguranรงa de identidade digital levando em consideraรงรฃo uma a...
InterCon 2016 - Seguranรงa de identidade digital levando em consideraรงรฃo uma a...
ย 
Interoperability and APIs in OpenStack
Interoperability and APIs in OpenStackInteroperability and APIs in OpenStack
Interoperability and APIs in OpenStack
ย 
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
ย 
OpenID for SSI
OpenID for SSIOpenID for SSI
OpenID for SSI
ย 
PSD2: Latvijas Komercbanku asociฤcijas pozฤซcija
PSD2: Latvijas Komercbanku asociฤcijas pozฤซcijaPSD2: Latvijas Komercbanku asociฤcijas pozฤซcija
PSD2: Latvijas Komercbanku asociฤcijas pozฤซcija
ย 
OAuth2 for IoT Security: Why OpenID Connect & UMA Are They Key
OAuth2 for IoT Security: Why OpenID Connect & UMA Are They KeyOAuth2 for IoT Security: Why OpenID Connect & UMA Are They Key
OAuth2 for IoT Security: Why OpenID Connect & UMA Are They Key
ย 
OpenID for Verifiable Credentials
OpenID for Verifiable CredentialsOpenID for Verifiable Credentials
OpenID for Verifiable Credentials
ย 
OAuth and OpenID Connect for PSD2 and Third-Party Access
OAuth and OpenID Connect for PSD2 and Third-Party AccessOAuth and OpenID Connect for PSD2 and Third-Party Access
OAuth and OpenID Connect for PSD2 and Third-Party Access
ย 
ietf oauth proof-of-possession.ppt sdfsdfs
ietf oauth proof-of-possession.ppt sdfsdfsietf oauth proof-of-possession.ppt sdfsdfs
ietf oauth proof-of-possession.ppt sdfsdfs
ย 
Securing FIWARE Architectures
Securing FIWARE ArchitecturesSecuring FIWARE Architectures
Securing FIWARE Architectures
ย 
Keycloak SSO basics
Keycloak SSO basicsKeycloak SSO basics
Keycloak SSO basics
ย 
SAML VS OAuth 2.0 VS OpenID Connect
SAML VS OAuth 2.0 VS OpenID ConnectSAML VS OAuth 2.0 VS OpenID Connect
SAML VS OAuth 2.0 VS OpenID Connect
ย 
UDDI from JAVA Web services
UDDI from JAVA Web services UDDI from JAVA Web services
UDDI from JAVA Web services
ย 
20190516 web security-basic
20190516 web security-basic20190516 web security-basic
20190516 web security-basic
ย 
OpenID 4 Verifiable Credentials + HAIP (Update)
OpenID 4 Verifiable Credentials + HAIP (Update)OpenID 4 Verifiable Credentials + HAIP (Update)
OpenID 4 Verifiable Credentials + HAIP (Update)
ย 
High Availability by Design
High Availability by DesignHigh Availability by Design
High Availability by Design
ย 
WSO2 Identity Server 5.3.0 - Product Release Webinar
WSO2 Identity Server 5.3.0 - Product Release WebinarWSO2 Identity Server 5.3.0 - Product Release Webinar
WSO2 Identity Server 5.3.0 - Product Release Webinar
ย 
How we eased out security journey with OAuth (Goodbye Kerberos!) | Paul Makka...
How we eased out security journey with OAuth (Goodbye Kerberos!) | Paul Makka...How we eased out security journey with OAuth (Goodbye Kerberos!) | Paul Makka...
How we eased out security journey with OAuth (Goodbye Kerberos!) | Paul Makka...
ย 
SWXG 2010.6.9 v2
SWXG 2010.6.9 v2SWXG 2010.6.9 v2
SWXG 2010.6.9 v2
ย 

More from Torsten Lodderstedt

The European Union goes Decentralized
The European Union goes DecentralizedThe European Union goes Decentralized
The European Union goes DecentralizedTorsten Lodderstedt
ย 
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...Torsten Lodderstedt
ย 
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...Torsten Lodderstedt
ย 
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...Torsten Lodderstedt
ย 
OpenID for Verifiable Credentials @ IIW 36
OpenID for Verifiable Credentials @ IIW 36OpenID for Verifiable Credentials @ IIW 36
OpenID for Verifiable Credentials @ IIW 36Torsten Lodderstedt
ย 
OpenID for Verifiable Credentials (IIW 35)
OpenID for Verifiable Credentials (IIW 35)OpenID for Verifiable Credentials (IIW 35)
OpenID for Verifiable Credentials (IIW 35)Torsten Lodderstedt
ย 
OpenID for Verifiable Credentials
OpenID for Verifiable CredentialsOpenID for Verifiable Credentials
OpenID for Verifiable CredentialsTorsten Lodderstedt
ย 
OpenID Connect 4 SSI (at EIC 2021)
OpenID Connect 4 SSI (at EIC 2021)OpenID Connect 4 SSI (at EIC 2021)
OpenID Connect 4 SSI (at EIC 2021)Torsten Lodderstedt
ย 
OpenID Connect 4 Identity Assurance at IIW #32
OpenID Connect 4 Identity Assurance at IIW #32OpenID Connect 4 Identity Assurance at IIW #32
OpenID Connect 4 Identity Assurance at IIW #32Torsten Lodderstedt
ย 
OpenID Connect for W3C Verifiable Credential Objects
OpenID Connect for W3C Verifiable Credential ObjectsOpenID Connect for W3C Verifiable Credential Objects
OpenID Connect for W3C Verifiable Credential ObjectsTorsten Lodderstedt
ย 
NextGenPSD2 OAuth SCA Mode Security Recommendations
NextGenPSD2 OAuth SCA Mode Security RecommendationsNextGenPSD2 OAuth SCA Mode Security Recommendations
NextGenPSD2 OAuth SCA Mode Security RecommendationsTorsten Lodderstedt
ย 
OpenID Connect for Identity Assurance
OpenID Connect for Identity AssuranceOpenID Connect for Identity Assurance
OpenID Connect for Identity AssuranceTorsten Lodderstedt
ย 
NextGenPSD2 OAuth SCA Mode Security Recommendations
NextGenPSD2 OAuth SCA Mode Security Recommendations NextGenPSD2 OAuth SCA Mode Security Recommendations
NextGenPSD2 OAuth SCA Mode Security Recommendations Torsten Lodderstedt
ย 
Identiverse: PSD2, Open Banking, and Technical Interoperability
Identiverse: PSD2, Open Banking, and Technical InteroperabilityIdentiverse: PSD2, Open Banking, and Technical Interoperability
Identiverse: PSD2, Open Banking, and Technical InteroperabilityTorsten Lodderstedt
ย 
OAuth 2.0 Security Reinforced
OAuth 2.0 Security ReinforcedOAuth 2.0 Security Reinforced
OAuth 2.0 Security ReinforcedTorsten Lodderstedt
ย 
OAuth Security 4 Dummies iiw#27
OAuth Security 4 Dummies iiw#27OAuth Security 4 Dummies iiw#27
OAuth Security 4 Dummies iiw#27Torsten Lodderstedt
ย 
Identity Proofing with OpenID Connect
Identity Proofing with OpenID ConnectIdentity Proofing with OpenID Connect
Identity Proofing with OpenID ConnectTorsten Lodderstedt
ย 

More from Torsten Lodderstedt (19)

The European Union goes Decentralized
The European Union goes DecentralizedThe European Union goes Decentralized
The European Union goes Decentralized
ย 
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
ย 
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
ย 
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
ย 
OpenID for Verifiable Credentials @ IIW 36
OpenID for Verifiable Credentials @ IIW 36OpenID for Verifiable Credentials @ IIW 36
OpenID for Verifiable Credentials @ IIW 36
ย 
OpenID for Verifiable Credentials (IIW 35)
OpenID for Verifiable Credentials (IIW 35)OpenID for Verifiable Credentials (IIW 35)
OpenID for Verifiable Credentials (IIW 35)
ย 
OpenID for Verifiable Credentials
OpenID for Verifiable CredentialsOpenID for Verifiable Credentials
OpenID for Verifiable Credentials
ย 
GAIN Presentation.pptx
GAIN Presentation.pptxGAIN Presentation.pptx
GAIN Presentation.pptx
ย 
OpenID Connect 4 SSI
OpenID Connect 4 SSIOpenID Connect 4 SSI
OpenID Connect 4 SSI
ย 
OpenID Connect 4 SSI (at EIC 2021)
OpenID Connect 4 SSI (at EIC 2021)OpenID Connect 4 SSI (at EIC 2021)
OpenID Connect 4 SSI (at EIC 2021)
ย 
OpenID Connect 4 Identity Assurance at IIW #32
OpenID Connect 4 Identity Assurance at IIW #32OpenID Connect 4 Identity Assurance at IIW #32
OpenID Connect 4 Identity Assurance at IIW #32
ย 
OpenID Connect for W3C Verifiable Credential Objects
OpenID Connect for W3C Verifiable Credential ObjectsOpenID Connect for W3C Verifiable Credential Objects
OpenID Connect for W3C Verifiable Credential Objects
ย 
NextGenPSD2 OAuth SCA Mode Security Recommendations
NextGenPSD2 OAuth SCA Mode Security RecommendationsNextGenPSD2 OAuth SCA Mode Security Recommendations
NextGenPSD2 OAuth SCA Mode Security Recommendations
ย 
OpenID Connect for Identity Assurance
OpenID Connect for Identity AssuranceOpenID Connect for Identity Assurance
OpenID Connect for Identity Assurance
ย 
NextGenPSD2 OAuth SCA Mode Security Recommendations
NextGenPSD2 OAuth SCA Mode Security Recommendations NextGenPSD2 OAuth SCA Mode Security Recommendations
NextGenPSD2 OAuth SCA Mode Security Recommendations
ย 
Identiverse: PSD2, Open Banking, and Technical Interoperability
Identiverse: PSD2, Open Banking, and Technical InteroperabilityIdentiverse: PSD2, Open Banking, and Technical Interoperability
Identiverse: PSD2, Open Banking, and Technical Interoperability
ย 
OAuth 2.0 Security Reinforced
OAuth 2.0 Security ReinforcedOAuth 2.0 Security Reinforced
OAuth 2.0 Security Reinforced
ย 
OAuth Security 4 Dummies iiw#27
OAuth Security 4 Dummies iiw#27OAuth Security 4 Dummies iiw#27
OAuth Security 4 Dummies iiw#27
ย 
Identity Proofing with OpenID Connect
Identity Proofing with OpenID ConnectIdentity Proofing with OpenID Connect
Identity Proofing with OpenID Connect
ย 

Recently uploaded

AWS Community DAY Albertini-Ellan Cloud Security (1).pptx
AWS Community DAY Albertini-Ellan Cloud Security (1).pptxAWS Community DAY Albertini-Ellan Cloud Security (1).pptx
AWS Community DAY Albertini-Ellan Cloud Security (1).pptxellan12
ย 
Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...
Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...
Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...SUHANI PANDEY
ย 
Top Rated Pune Call Girls Daund โŸŸ 6297143586 โŸŸ Call Me For Genuine Sex Servi...
Top Rated Pune Call Girls Daund โŸŸ 6297143586 โŸŸ Call Me For Genuine Sex Servi...Top Rated Pune Call Girls Daund โŸŸ 6297143586 โŸŸ Call Me For Genuine Sex Servi...
Top Rated Pune Call Girls Daund โŸŸ 6297143586 โŸŸ Call Me For Genuine Sex Servi...Call Girls in Nagpur High Profile
ย 
Hot Call Girls |Delhi |Hauz Khas โ˜Ž 9711199171 Book Your One night Stand
Hot Call Girls |Delhi |Hauz Khas โ˜Ž 9711199171 Book Your One night StandHot Call Girls |Delhi |Hauz Khas โ˜Ž 9711199171 Book Your One night Stand
Hot Call Girls |Delhi |Hauz Khas โ˜Ž 9711199171 Book Your One night Standkumarajju5765
ย 
All Time Service Available Call Girls Mg Road ๐Ÿ‘Œ โญ๏ธ 6378878445
All Time Service Available Call Girls Mg Road ๐Ÿ‘Œ โญ๏ธ 6378878445All Time Service Available Call Girls Mg Road ๐Ÿ‘Œ โญ๏ธ 6378878445
All Time Service Available Call Girls Mg Road ๐Ÿ‘Œ โญ๏ธ 6378878445ruhi
ย 
Russian Call Girls Pune (Adult Only) 8005736733 Escort Service 24x7 Cash Pay...
Russian Call Girls Pune (Adult Only) 8005736733 Escort Service 24x7 Cash Pay...Russian Call Girls Pune (Adult Only) 8005736733 Escort Service 24x7 Cash Pay...
Russian Call Girls Pune (Adult Only) 8005736733 Escort Service 24x7 Cash Pay...SUHANI PANDEY
ย 
๐“€คCall On 7877925207 ๐“€ค Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...
๐“€คCall On 7877925207 ๐“€ค Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...๐“€คCall On 7877925207 ๐“€ค Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...
๐“€คCall On 7877925207 ๐“€ค Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...Neha Pandey
ย 
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...APNIC
ย 
Call Now โ˜Ž 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.
Call Now โ˜Ž 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.Call Now โ˜Ž 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.
Call Now โ˜Ž 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.soniya singh
ย 
Hot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine Service
Hot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine ServiceHot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine Service
Hot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine Servicesexy call girls service in goa
ย 
WhatsApp ๐Ÿ“ž 8448380779 โœ…Call Girls In Mamura Sector 66 ( Noida)
WhatsApp ๐Ÿ“ž 8448380779 โœ…Call Girls In Mamura Sector 66 ( Noida)WhatsApp ๐Ÿ“ž 8448380779 โœ…Call Girls In Mamura Sector 66 ( Noida)
WhatsApp ๐Ÿ“ž 8448380779 โœ…Call Girls In Mamura Sector 66 ( Noida)Delhi Call girls
ย 
VIP Model Call Girls NIBM ( Pune ) Call ON 8005736733 Starting From 5K to 25K...
VIP Model Call Girls NIBM ( Pune ) Call ON 8005736733 Starting From 5K to 25K...VIP Model Call Girls NIBM ( Pune ) Call ON 8005736733 Starting From 5K to 25K...
VIP Model Call Girls NIBM ( Pune ) Call ON 8005736733 Starting From 5K to 25K...SUHANI PANDEY
ย 
Hireโ† Young Call Girls in Tilak nagar (Delhi) โ˜Ž๏ธ 9205541914 โ˜Ž๏ธ Independent Esc...
Hireโ† Young Call Girls in Tilak nagar (Delhi) โ˜Ž๏ธ 9205541914 โ˜Ž๏ธ Independent Esc...Hireโ† Young Call Girls in Tilak nagar (Delhi) โ˜Ž๏ธ 9205541914 โ˜Ž๏ธ Independent Esc...
Hireโ† Young Call Girls in Tilak nagar (Delhi) โ˜Ž๏ธ 9205541914 โ˜Ž๏ธ Independent Esc...Delhi Call girls
ย 
Al Barsha Night Partner +0567686026 Call Girls Dubai
Al Barsha Night Partner +0567686026 Call Girls DubaiAl Barsha Night Partner +0567686026 Call Girls Dubai
Al Barsha Night Partner +0567686026 Call Girls DubaiEscorts Call Girls
ย 
Trump Diapers Over Dems t shirts Sweatshirt
Trump Diapers Over Dems t shirts SweatshirtTrump Diapers Over Dems t shirts Sweatshirt
Trump Diapers Over Dems t shirts Sweatshirtrahman018755
ย 
Lucknow โคCALL GIRL 88759*99948 โคCALL GIRLS IN Lucknow ESCORT SERVICEโคCALL GIRL
Lucknow โคCALL GIRL 88759*99948 โคCALL GIRLS IN Lucknow ESCORT SERVICEโคCALL GIRLLucknow โคCALL GIRL 88759*99948 โคCALL GIRLS IN Lucknow ESCORT SERVICEโคCALL GIRL
Lucknow โคCALL GIRL 88759*99948 โคCALL GIRLS IN Lucknow ESCORT SERVICEโคCALL GIRLimonikaupta
ย 
โ‚น5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] ๐Ÿ”|97111...
โ‚น5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] ๐Ÿ”|97111...โ‚น5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] ๐Ÿ”|97111...
โ‚น5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] ๐Ÿ”|97111...Diya Sharma
ย 
Call Girls in Prashant Vihar, Delhi ๐Ÿ’ฏ Call Us ๐Ÿ”9953056974 ๐Ÿ” Escort Service
Call Girls in Prashant Vihar, Delhi ๐Ÿ’ฏ Call Us ๐Ÿ”9953056974 ๐Ÿ” Escort ServiceCall Girls in Prashant Vihar, Delhi ๐Ÿ’ฏ Call Us ๐Ÿ”9953056974 ๐Ÿ” Escort Service
Call Girls in Prashant Vihar, Delhi ๐Ÿ’ฏ Call Us ๐Ÿ”9953056974 ๐Ÿ” Escort Service9953056974 Low Rate Call Girls In Saket, Delhi NCR
ย 
Call Girls Service Chandigarh Lucky โค๏ธ 7710465962 Independent Call Girls In C...
Call Girls Service Chandigarh Lucky โค๏ธ 7710465962 Independent Call Girls In C...Call Girls Service Chandigarh Lucky โค๏ธ 7710465962 Independent Call Girls In C...
Call Girls Service Chandigarh Lucky โค๏ธ 7710465962 Independent Call Girls In C...Sheetaleventcompany
ย 

Recently uploaded (20)

AWS Community DAY Albertini-Ellan Cloud Security (1).pptx
AWS Community DAY Albertini-Ellan Cloud Security (1).pptxAWS Community DAY Albertini-Ellan Cloud Security (1).pptx
AWS Community DAY Albertini-Ellan Cloud Security (1).pptx
ย 
Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...
Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...
Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...
ย 
Top Rated Pune Call Girls Daund โŸŸ 6297143586 โŸŸ Call Me For Genuine Sex Servi...
Top Rated Pune Call Girls Daund โŸŸ 6297143586 โŸŸ Call Me For Genuine Sex Servi...Top Rated Pune Call Girls Daund โŸŸ 6297143586 โŸŸ Call Me For Genuine Sex Servi...
Top Rated Pune Call Girls Daund โŸŸ 6297143586 โŸŸ Call Me For Genuine Sex Servi...
ย 
Russian Call Girls in %(+971524965298 )# Call Girls in Dubai
Russian Call Girls in %(+971524965298 )# Call Girls in DubaiRussian Call Girls in %(+971524965298 )# Call Girls in Dubai
Russian Call Girls in %(+971524965298 )# Call Girls in Dubai
ย 
Hot Call Girls |Delhi |Hauz Khas โ˜Ž 9711199171 Book Your One night Stand
Hot Call Girls |Delhi |Hauz Khas โ˜Ž 9711199171 Book Your One night StandHot Call Girls |Delhi |Hauz Khas โ˜Ž 9711199171 Book Your One night Stand
Hot Call Girls |Delhi |Hauz Khas โ˜Ž 9711199171 Book Your One night Stand
ย 
All Time Service Available Call Girls Mg Road ๐Ÿ‘Œ โญ๏ธ 6378878445
All Time Service Available Call Girls Mg Road ๐Ÿ‘Œ โญ๏ธ 6378878445All Time Service Available Call Girls Mg Road ๐Ÿ‘Œ โญ๏ธ 6378878445
All Time Service Available Call Girls Mg Road ๐Ÿ‘Œ โญ๏ธ 6378878445
ย 
Russian Call Girls Pune (Adult Only) 8005736733 Escort Service 24x7 Cash Pay...
Russian Call Girls Pune (Adult Only) 8005736733 Escort Service 24x7 Cash Pay...Russian Call Girls Pune (Adult Only) 8005736733 Escort Service 24x7 Cash Pay...
Russian Call Girls Pune (Adult Only) 8005736733 Escort Service 24x7 Cash Pay...
ย 
๐“€คCall On 7877925207 ๐“€ค Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...
๐“€คCall On 7877925207 ๐“€ค Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...๐“€คCall On 7877925207 ๐“€ค Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...
๐“€คCall On 7877925207 ๐“€ค Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...
ย 
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
ย 
Call Now โ˜Ž 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.
Call Now โ˜Ž 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.Call Now โ˜Ž 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.
Call Now โ˜Ž 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.
ย 
Hot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine Service
Hot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine ServiceHot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine Service
Hot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine Service
ย 
WhatsApp ๐Ÿ“ž 8448380779 โœ…Call Girls In Mamura Sector 66 ( Noida)
WhatsApp ๐Ÿ“ž 8448380779 โœ…Call Girls In Mamura Sector 66 ( Noida)WhatsApp ๐Ÿ“ž 8448380779 โœ…Call Girls In Mamura Sector 66 ( Noida)
WhatsApp ๐Ÿ“ž 8448380779 โœ…Call Girls In Mamura Sector 66 ( Noida)
ย 
VIP Model Call Girls NIBM ( Pune ) Call ON 8005736733 Starting From 5K to 25K...
VIP Model Call Girls NIBM ( Pune ) Call ON 8005736733 Starting From 5K to 25K...VIP Model Call Girls NIBM ( Pune ) Call ON 8005736733 Starting From 5K to 25K...
VIP Model Call Girls NIBM ( Pune ) Call ON 8005736733 Starting From 5K to 25K...
ย 
Hireโ† Young Call Girls in Tilak nagar (Delhi) โ˜Ž๏ธ 9205541914 โ˜Ž๏ธ Independent Esc...
Hireโ† Young Call Girls in Tilak nagar (Delhi) โ˜Ž๏ธ 9205541914 โ˜Ž๏ธ Independent Esc...Hireโ† Young Call Girls in Tilak nagar (Delhi) โ˜Ž๏ธ 9205541914 โ˜Ž๏ธ Independent Esc...
Hireโ† Young Call Girls in Tilak nagar (Delhi) โ˜Ž๏ธ 9205541914 โ˜Ž๏ธ Independent Esc...
ย 
Al Barsha Night Partner +0567686026 Call Girls Dubai
Al Barsha Night Partner +0567686026 Call Girls DubaiAl Barsha Night Partner +0567686026 Call Girls Dubai
Al Barsha Night Partner +0567686026 Call Girls Dubai
ย 
Trump Diapers Over Dems t shirts Sweatshirt
Trump Diapers Over Dems t shirts SweatshirtTrump Diapers Over Dems t shirts Sweatshirt
Trump Diapers Over Dems t shirts Sweatshirt
ย 
Lucknow โคCALL GIRL 88759*99948 โคCALL GIRLS IN Lucknow ESCORT SERVICEโคCALL GIRL
Lucknow โคCALL GIRL 88759*99948 โคCALL GIRLS IN Lucknow ESCORT SERVICEโคCALL GIRLLucknow โคCALL GIRL 88759*99948 โคCALL GIRLS IN Lucknow ESCORT SERVICEโคCALL GIRL
Lucknow โคCALL GIRL 88759*99948 โคCALL GIRLS IN Lucknow ESCORT SERVICEโคCALL GIRL
ย 
โ‚น5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] ๐Ÿ”|97111...
โ‚น5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] ๐Ÿ”|97111...โ‚น5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] ๐Ÿ”|97111...
โ‚น5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] ๐Ÿ”|97111...
ย 
Call Girls in Prashant Vihar, Delhi ๐Ÿ’ฏ Call Us ๐Ÿ”9953056974 ๐Ÿ” Escort Service
Call Girls in Prashant Vihar, Delhi ๐Ÿ’ฏ Call Us ๐Ÿ”9953056974 ๐Ÿ” Escort ServiceCall Girls in Prashant Vihar, Delhi ๐Ÿ’ฏ Call Us ๐Ÿ”9953056974 ๐Ÿ” Escort Service
Call Girls in Prashant Vihar, Delhi ๐Ÿ’ฏ Call Us ๐Ÿ”9953056974 ๐Ÿ” Escort Service
ย 
Call Girls Service Chandigarh Lucky โค๏ธ 7710465962 Independent Call Girls In C...
Call Girls Service Chandigarh Lucky โค๏ธ 7710465962 Independent Call Girls In C...Call Girls Service Chandigarh Lucky โค๏ธ 7710465962 Independent Call Girls In C...
Call Girls Service Chandigarh Lucky โค๏ธ 7710465962 Independent Call Girls In C...
ย 

Comprehensive overview FAPI 1 and 2

  • 1. Comprehensive Overview FAPI 1 and 2 Dr. Torsten Lodderstedt, yes.com
  • 2. What is FAPI? โ— A security and interoperability profile for OAuth for open banking and other use cases with high security requirements โ— Includes new specifications as required
  • 3. FAPI Family Tree Baseline Advanced FAPI 1 2016-06 2017-07 2018-10 I D 1 I D 2 2019-08 2021-07* Baseline Advanced 2021-02 I D 1 * Projection Only F I N A L uses existing OpenID Connect security mechanisms to patch OAuth security issues Adopted by UK OpenBanking, FDX (US/CA), CDR (Australia), and Brasil FAPI 2 Open Banking Survey OAuth Security Best Current Practice (BCP) the next evolutionary step, simpler to use and with a broader scope Adopted in yes open banking scheme (~1000 banks)
  • 5. FAPI 1 vs Plain OAuth โ— Patches OAuth security issues, e.g. code replay, authorization request tampering, and mix-up โ— Formal security analysis by University Stuttgart โ— Adds CIBA (Decoupled) interaction mode (beside Redirect) โ— Defines interoperable OAuth profile that can be tested for conformance โ— Introduces conformance testing
  • 6. Signed Requests { "scope":"openid consent:urn-amazingbank-0be7a3bb-33e6-4d73-b60a-9523aee6cc0d accounts", "response_type":"code id_token", "redirect_uri":"https://tpp.localhost/cb", "code_challenge":"0q5idWeuyFAGeHHpawD3k4mjE7WzPhw6hOdKbnAQY7s", "code_challenge_method":"S256", "state":"19a1456013b8be71e6ce89916c9723e0642e1eb42a9360146cc84178f2bc928e", "nonce":"8dedaf2c53f7ba7294825ca25e45aa544c3feda8fd4ac16220c216e973ad5fd7", "claims":{ "id_token":{ "auth_time":{ "essential":true }, "cpf":{ "values":[ "16386335767" ], "essential":true }, "given_name":{ "essential":true }, "acr":{ "values":[ "brasil:openbanking:standard" ], "essential":true } } }, "max_age":300, "iss":"clientIdFromAmazingBank", "aud":"https://auth.amazingbank.com.br", "client_id":"clientIdFromAmazingBank", "jti":"_fj7iamgC1wDzh8KXaJ7XzJiEK_s25DhoDs7uAxpU-k", "iat":1618672338, "exp":1618672638, "nbf":1618672338 } โ— Protect integrity and authenticity of request โ— Request can also be encrypted to protect confidentiality https://server.example.com/authorize? response_type=code%20id_token &client_id=s6BhdRkqt3 &redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb& &request=eyJhbGciOiJSU...zCYIb_NMXvtTIVc1jpspnTSD7xMbpL-2QgwUsAlMGzw
  • 7. ID Token as Detached Signature HTTP/1.1 302 Found Location: https://tpp.localhost/cb# code=SplxlOBeZQQYbYS6WxSbIA &id_token=eyJ0 ... NiJ9.eyJ1c ... I6IjIifX0.DeWt4Qu ... ZXso &state=af0ifjsldkj { "iss": "http://server.example.com", "sub": "248289761001", "aud": "s6BhdRkqt3", "nonce": "n-0S6_WzA2Mj", "exp": 1311281970, "iat": 1311280970, "c_hash": "LDktKdoQak3Pk0cnXxCltA" "s_hash": "Zjk2Y2VhMTk4YWQxZGQ1Nj" } โ— Protects against โ—‹ code replay (nonce+c_hash) โ—‹ mix-up (iss) โ—‹ CSRF โ— Requires โ€œsubโ€ (even if no federated id is required) โ— End-User claims might be released in front channel (additional encryption might be required)
  • 8. JARM (JWT Secured Authorization Response Mode) โ— Response parameters are wrapped in a signed (optionally encrypted) JWT โ— No user claims required โ— works with plain OAuth { "iss":"https://accounts.example.com", "aud":"s6BhdRkqt3", "exp":1311281970, "code":"PyyFaux2o7Q0YfXBU32jhw.5FXSQpvr8akv9CeRDSd0QA", "state":"S8NJ7uqk5fY4EjNvP_G_FtyJu6pUsvH9jsYni9dMAJw" } HTTP/1.1 302 Found Location: https://client.example.com/cb? response=eyJraWQiOiJsYWViIiwiYWxnIjoiRVMyNTYifQ.eyAgImlzcyI6ICJodHRwczov L2FjY291bnRzLmV4YW1wbGUuY29tIiwgICJhdWQiOiAiczZCaGRSa3F0MyIsICAiZXhwIjog MTMxMTI4MTk3MCwgICJjb2RlIjogIlB5eUZhdXgybzdRMFlmWEJVMzJqaHcuNUZYU1FwdnI4 YWt2OUNlUkRTZDBRQSIsICAic3RhdGUiOiAiUzhOSjd1cWs1Zlk0RWpOdlBfR19GdHlKdTZw VXN2SDlqc1luaTlkTUFKdyJ9.4VdtknVZ9zFYDVLagJpVBD436bjPMcSgOaPDPFgTEkNyCs2 uIHYJ2XML6d2w1AUsm5GBG77DBisZNhLWfug6dA
  • 9. Open Banking Survey ... โ€ฆ revealed that Open Banking Use Cases require: (1) authorization beyond scope values and (2) grant management capabilities Examples: - Lodging Intent (UK OB & NextGenPSD2) - Scope value + JSON object (Polish API) { "instructedAmount":{ "currency":"EUR", "amount":"123.50" }, "debtorAccount":{ "iban":"DE40100100103307118608" }, "creditorName":"Merchant123", "creditorAccount":{ "iban":"DE02100100109307118603" }, "remittanceInformationUnstructured":"Ref Number Merchant" } see https://cutt.ly/oauth-transaction-authorization for details
  • 11. FAPI 2 as next step โ— Broader interoperability โ—‹ through coverage of rich authorization / consent management and secure access to APIs โ— Simpler to use โ—‹ through new mechanisms (e.g. Pushed Authorization Requests/PAR, no ID Token as detached signature required) โ— Well-understood and better-defined security โ—‹ Formal attacker model โ—‹ FAPI 2 Baseline fully protects against attacker model โ—‹ FAPI 2 Baseline has same protection level as FAPI 1 Advanced โ— More versatile โ—‹ through alternative mechanism for token replay protection (DPoP)
  • 12. Pushed Authorization Requests (PAR) Authorization request data is pushed to the AS before user dialog is startet โ†’ Can replace signed authorization requests โ†’ Simplified development through vendor support and reliance on TLS (signed requests possible) โ†’ Minimize data in front-channel to improve security and increase robustness POST /as/par HTTP/1.1 Host: as.example.com Content-Type: application/x-www-form-urlencoded Authorization: Basic czZCaGRSa3F0Mzo3Rmp.. response_type=code &client_id=s6BhdRkqt3&state=af0ifjsldkj &redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb <voluminous payload goes here> HTTP/1.1 201 Created Cache-Control: no-cache, no-store Content-Type: application/json { "request_uri":"urn:example:bwc4JK-ESC0w8acc1...", "expires_in": 90 } https://server.example.com/authorize? client_id=s6BhdRkqt3& request_uri=urn:example:bwc4JK-ESC0w8acc1...
  • 13. Rich Authorization Requests (RAR) enable fine-grained and complex consents captured as JSON objects. โ— Structure of authorization details can be defined as needed (e.g. per jurisdiction and AAP) โ— Supports Multi-Consents โ†’ Can replace scopes + related authorization data (e.g. in lodging intents) [ { "type":"payment_initiation", "instructedAmount":{ "currency":"AUD", "amount":"123.50" }, "creditorName":"Merchant123", "creditorAccount":{ "bsb":"123-456", "accountNumber":"1234567890" }, "paymentDescription":"INV123456 Description123" } ] [ { "type":"brasil:openbanking:standard:data", "permissions":[ "ACCOUNTS_READ" ], "expirationDateTime":"2021-05-21T08:30:00Z", "transactionFromDateTime":"2021-01-01T00:00:00Z", "transactionToDateTime":"2021-02-01T23:59:59Z" } ]
  • 14. Grant Management Grant Management enables support for โ— consent state synchronization โ— consent revocation โ— concurrent consents โ— consent update & renewal โ— Dashboards Closely aligned with Australian requirements because it was started during AU CDR consent proposal discussions.
  • 15. Grant Management (request new grant id) POST /as/par HTTP/1.1 Host: as.example.com Content-Type: application/x-www-form-urlencoded Authorization: Basic czZCaGRSa3F0Mzo3Rm... response_type=code& client_id=s6BhdRkqt3 &grant_management_action=create &state=af0ifjsldkj &redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb &code_challenge_method=S256 &code_challenge=K2-ltc83acc4h... &authorization_details=%5B%7B%2... HTTP/1.1 200 OK Content-Type: application/json Cache-Control: no-cache, no-store { "access_token": "2YotnFZFEjr1zCsicMWpAA", "token_type": "example", "expires_in": 3600, "refresh_token": "tGzv3JOkF0XG5Qx2TlKWIA", "grant_id":"0a15a804-b5b4-4a45-9cd9-18b1a44f3383", "authorization_details": [... ] } (Pushed) Authorization Request) Token Response
  • 16. Grant Management (API) GET /grants/0a15a804-b5b4-4a45-9cd9-18b1a44f3383 Host: as.example-bank.com Authorization: Bearer 2YotnFZFEjr1zCsicMWpAA HTTP/1.1 200 OK Cache-Control: no-cache, no-store Content-Type: application/json { "authorization_details":[...] } DELETE /grants/0a15a804-b5b4-4a45-9cd9-18b1a44f3383 Host: as.example-bank.com Authorization: Bearer 2YotnFZFEjr1zCsicMWpAA HTTP/1.1 204 No Content Query Revoke
  • 17. Grant Management (request use of certain grant) POST /as/par HTTP/1.1 Host: as.example.com Content-Type: application/x-www-form-urlencoded Authorization: Basic czZCaGRSa3F0Mzo3Rm... response_type=code& client_id=s6BhdRkqt3 &grant_management_action=update &grant_id=0a15a804-b5b4-4a45-9cd9-18b1a44f3383 &state=af0ifjsldkj &redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb &code_challenge_method=S256 &code_challenge=K2-ltc83acc4h... &authorization_details=%5B%7B%2... (Pushed) Authorization Request) Use cases โ— Renew grant (because it is about to be expire) โ— Update existing grant โ— Ensure authorization process is performed with same user โ— Allows identification of user (alternative login hint for CIBA)
  • 18. PKCE POST /as/par HTTP/1.1 Host: as.example.com Content-Type: application/x-www-form-urlencoded Authorization: Basic czZCaGRSa3F0Mzo3Rmp.. response_type=code &client_id=s6BhdRkqt3&state=af0ifjsldkj &redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb &code_challenge_method=S256 &code_challenge=E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM ... POST /as/par HTTP/1.1 Host: as.example.com Content-Type: application/x-www-form-urlencoded Authorization: Basic czZCaGRSa3F0Mzo3Rmp.. grant_type=authorization_code &code=SplxlOBeZQQYbYS6WxSbIA &redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb &code_verifier=dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk PKCE (RFC 7636) is used to detect code replay and CSRF Dynamically generated cryptographically random key used to bind transaction to browser/device โ†’ simple and robust โ†’ security check moved to AS โ†’ Can replace ID token as detached signature
  • 19. Feature Comparison Topic FAPI 1 FAPI 2 Request Integrity Signed Request Objects PAR CSRF state + s_hash in ID Token PKCE Code Replay ID Token as detached signature or JARM or PKCE PKCE Mix-Up iss claim in ID token or JARM iss response parameter Access Token Replay mTLS mTLS or DPoP Rich authorizations data custom solutions, e.g. Lodging Intent PAR+RAR Consent management custom solutions, e.g. Lodging Intent Grant Management Non-repudiation Signed Request Objects, ID Token as detached signature API not covered JAR, JARM, Signed Introspection Response, Simple HTTP Message Integrity Protocol B a s e l i n e A d v
  • 20. FAPI 1 (lodging intent) vs FAPI 2 (PAR+RAR)
  • 21. MTLS FAPI Family Tree Baseline Advanced ver.1 2016-06 2017-07 2018-10 I D 1 I D 2 JARM ID 1 FAPI-CIBA 2019-08 2021-07* โ€œPublicโ€ Client Prof. ID 1 Baseline=JAR+PAR+RAR Advanced PAR RFC8705 2021-02 F I N A L I D 1 * Projection Only ver.2 F I N A L RAR L C
  • 22. FAPI adoption in new ecosystems โ— Reasons to use FAPI 1 โ—‹ If vendors in an ecosystem already support FAPI 1 โ—‹ FAPI 1 is a mature and widely supported security profile. โ— Reasons to use FAPI 2 โ—‹ FAPI 2 is easier to implement โ—‹ FAPI 2 covers complex authorization requests and grant lifecycle management aspects โ—‹ FAPI 2 (as profile for API access authorization) better fits with OpenID Connect (for identity claims provisioning) then FAPI 1
  • 23. Ecosystems already using FAPI 1 โ— Benefit for adoption: โ—‹ Simpler protocol and improved interoperability โ—‹ Specification aligned with the latest OAuth best practices and security advice โ— Incremental adoption of FAPI 2 modules possible: โ—‹ Example: Australia adopted PAR with FAPI 1 โ—‹ RAR + Grant Management as full lifecycle consent management solution for FAPI 1 โ— Running both profile in parallel is possible โ—‹ Would allow new clients to utilize the simpler protocol (and existing clients to migrate)
  • 24. Q & A