OpenID FAPI Part 2 - V 0.6 - Draft, 2018

Owned by David Doret (Open Measure)
04-00-2021
2 min read

Title

Type

Standard

Year

2018

Authors

Sakimura, N., Bradley, J., Jay, E

Identifiers

  • Report #: OpenID FAPI Part 2 - V 0.6 - Draft

Abstract

Fintech is an area of future economic growth around the world and Fintech organizations need to improve the security of their operations and protect customer data. It is common practice of aggregation services to use screen scraping as a method to capture data by storing users' passwords. This brittle, inefficient, and insecure practice creates security vulnerabilities which require financial institutions to allow what appears to be an automated attack against their applications and to maintain a whitelist of aggregators. A new draft standard, proposed by this workgroup would instead utilize an API model with structured data and a token model, such as OAuth [RFC6749, RFC6750].

The Financial-grade API aims to provide specific implementation guidelines for online financial services to adopt by developing a REST/JSON data model protected by a highly secured OAuth profile. The Financial-grade API security profile can be applied to online services in any market area that requires a higher level of security than provided by standard OAuth or OpenID Connect.

This document is Part 2 of FAPI that specifies the Financial-grade API and it provides a profile of OAuth that is suitable to be used in write access to financial data (also known as transaction access) and other similar higher risk access. This document specifies the controls against attacks such as: authorization request tampering, authorization response tampering including code injection, state injection, and token request phishing. Additional details are available in the security considerations section.

Although it is possible to code an OpenID Provider and Relying Party from first principles using this specification, the main audience for this specification is parties who already have a certified implementation of OpenID Connect and want to achieve a higher level of security. Implementors are encouraged to understand the security considerations contained in section 7.6 before embarking on a 'from scratch' implementation.

(https://open-measure.atlassian.net/wiki/spaces/BIB/pages/1290076190, p. 1)

Citation

Sakimura, N., Bradley, J., Jay, E., 2018. Financial-grade API - Part 2: Read and Write API Security Profile - Draft 0.6 (Draft Standard). OpenID.

Follow us on LinkedIn | Discuss on Slack | Support us with Patreon | Sign-up for a free membership.

This wiki is owned by Open Measure, a non-profit association. The original content we publish is licensed under a Creative Commons Attribution 4.0 International License.