2. What we’re going to cover today
• FAPI/Open Banking Conformance suite overview
• Conformance suite demo
• "Tips and Tricks" for successful conformance
24th July 2018 Joseph Heenan, CTO, fintechlabs.io 2
3. Who am I?
• Joseph Heenan, CTO at fintechlabs & Senior Architect at Authlete
• Software engineer & architect with over 25 years’ experience
• Active contributor to the OpenID Connect FAPI specifications
• Team lead/product owner on the Open Banking Conformance Suite
• Assisted many of the largest UK (CMA9) banks with achieving compliance to the UK OpenBanking specification
4. Conformance Suite Overview
• Tests compliance to:
• OpenBanking UK Security Profile
• FAPI (Financial-Grade API profile for OpenID connect)
• HEART (Health-related profile OpenID connect)
• As part of the above, also tests some (but not all) OpenID Connect & OAuth2 features
• Tests are applicable to:
• IdP (identity provider, i.e. Banks / ASPSP)
• RP (relying party, i.e. Fintechs / TPP / AISP / PISP)
5. Why would you use conformance suite?
• Reduced support costs
• If your implementation is interoperable it will “just work” for third parties
• Evidence of compliance to show government regulators
• Evidence of compliance may reduce insurance costs, chances of a security breach, etc.
• It will be embarrassing if other people test your server & you fail
• Anyone can test a server
6. Conformance Suite Design Goals
• Multi-party protocol testing
• Structured configuration
• Structured logging and results
• Deterministic, modular execution units
• Protect sensitive configuration and results data
• Transparent process
• Usable as part of CI
7. Overview of test process for banks
• Prepare test deployment of your server
• Must be accessible to the conformance suite
• Create keys & TLS certificates
• Register necessary clients to authorization server
• Create conformance suite configuration using frontend
• Read the instructions if you are not sure how
• Create “test plan” applicable to your configuration
• Start test plan
• Start each test module within the plan, one at a time
• Log in to the authorization server when instructed
• View results and confirm “PASS”.
9. Tips & tricks for successful FAPI deployment
10. Before you even start
• Is OpenID Connect/FAPI part of your core competency?
• Is it part of your value add?
For fintechs, the answer is usually NO!
Don’t reinvent the wheel – use existing OpenID Connect client libraries
11. Conformance testing is not an afterthought
• Run conformance testing early and often
• Conformance test suite will help you
• Be secure
• Be interoperable
• Conformance testing is the easy route to interoperability
• Banks generally return confusing or unhelpful error messages
• Banks often tolerate incorrect implementations – but not consistently
• Conformance testing can be part of your Continuous Integration
12. Problems banks had in the UK (1)
• Using software that was not OpenID Connect certified
• Required a lot of last minute changes from their vendors
• They missed government mandated “go live” date
• Large number of certified vendors available – use one!
13. Problems banks had in the UK (2)
• Not running the conformance suite until development was complete
• Required a lot of last minute changes from their vendors and their own software teams
• They missed government mandated “go live” date
• Run conformance suite often during development!
• It can be deployed locally & integrated with your continuous integration system
14. Problems banks had in the UK (3)
• Staffing teams with generic engineers & testers
• OAuth2, OpenID Connect & FAPI have some complexity
• Dependency on underlying RFCs – JWT, HTTP/1.1, TLS, etc.
• Some domain knowledge is essential
• Without knowledge, profile compliance and conformance testing will be slow
• Hire some experts for both development & test teams
• Many competent consultants available, including fintechlabs
15. Problems banks had in the UK (4)
• Poor security architectures
• Some banks designed their architectures, then tried to retrofit FAPI
• If you change your implementation so that it is not standards compliant, you will fail conformance testing!
• Example: trying to change token_endpoint in .well-known/openid-configuration to an array
• Hire some experts for architecture teams
• Many competent consultants available, including fintechlabs
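The token_endpoint example above is the kind of deviation a conformance suite catches immediately: OpenID Connect Discovery defines the endpoint metadata fields as single URL strings, and a client library will break on an array. The following added example (not code from the conformance suite or from fintechlabs) is a small pre-flight check you could run against your own discovery document before starting a test plan. The two sample documents and the host as.example.bank are constructed for illustration.

```python
"""Sanity-check an OpenID Connect discovery document before conformance testing.

Added example, not code from the FAPI conformance suite. The sample
documents below are constructed for illustration.
"""
import json
from urllib.parse import urlparse

# Metadata fields that OpenID Connect Discovery defines as single URL strings.
URL_STRING_FIELDS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")


def _is_https_url(value):
    """True only for a string that parses as an https URL with a host."""
    if not isinstance(value, str):
        return False
    parsed = urlparse(value)
    return parsed.scheme == "https" and bool(parsed.netloc)


def check_discovery_document(doc):
    """Return a list of problems found; an empty list means the checks passed."""
    problems = []
    for field in URL_STRING_FIELDS:
        if field not in doc:
            problems.append(f"{field}: missing")
            continue
        value = doc[field]
        if isinstance(value, list):
            # The retrofit mistake from the slide: an array where a string belongs.
            problems.append(f"{field}: must be a single URL string, got an array")
        elif not _is_https_url(value):
            problems.append(f"{field}: must be an https URL, got {value!r}")
    issuer = doc.get("issuer")
    if isinstance(issuer, str):
        parsed = urlparse(issuer)
        # Discovery requires the issuer identifier to carry no query or fragment.
        if parsed.query or parsed.fragment:
            problems.append("issuer: must not contain a query or fragment component")
    if not isinstance(doc.get("response_types_supported"), list):
        problems.append("response_types_supported: must be a JSON array")
    return problems


def check_discovery_json(text):
    """Same checks, starting from the raw JSON body served at .well-known/openid-configuration."""
    try:
        doc = json.loads(text)
    except ValueError as exc:
        return [f"document is not valid JSON: {exc}"]
    if not isinstance(doc, dict):
        return ["document must be a JSON object"]
    return check_discovery_document(doc)


# Constructed sample: a conformant document.
CONFORMANT = {
    "issuer": "https://as.example.bank",
    "authorization_endpoint": "https://as.example.bank/authorize",
    "token_endpoint": "https://as.example.bank/token",
    "jwks_uri": "https://as.example.bank/jwks.json",
    "response_types_supported": ["code id_token"],
}

# Constructed sample: the same document after the token_endpoint "retrofit".
RETROFITTED = dict(
    CONFORMANT,
    token_endpoint=["https://as.example.bank/token", "https://as.example.bank/token2"],
)

if __name__ == "__main__":
    for name, doc in (("conformant", CONFORMANT), ("retrofitted", RETROFITTED)):
        print(name, check_discovery_document(doc) or "OK")
```

Running it prints "OK" for the first document and a single complaint about token_endpoint for the second; wiring check_discovery_json into a CI job that fetches your live discovery document gives you an early warning long before a full test plan runs.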
16. Problems banks had in the UK (5)
• Not reading instructions
• Surprising number of banks simply ignore the single page documentation
• RTFM!
• It’ll be much faster - honest
17. Problems banks had in the UK (6)
• Not designing for interoperability
• Security teams in many banks have a “send exactly what we say or your request will fail” approach
• This isn’t compatible with open standards
• E.g. in HTTP/1.1, charset is case insensitive, banks must accept both:
• Accept: application/json; charset=utf-8
• Accept: application/json; charset=UTF-8
• Requires a mindset change in the security team
• Low friction interoperable APIs and ecosystems are important
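The charset example above is a good illustration of the difference between an exact string comparison and an HTTP-aware one: media types and parameter names are case-insensitive in HTTP/1.1, and charset names are case-insensitive as well, so "utf-8" and "UTF-8" must be treated as the same thing. The added example below (not code from the conformance suite or from any bank) parses an Accept header value properly and places it next to the over-strict comparison the slide warns against; the header values used are constructed.

```python
"""Parse an HTTP Accept header value and match application/json with a UTF-8
charset case-insensitively.

Added example, not the conformance suite's code. The sample header values
used in the checks are constructed.
"""


def parse_accept(header):
    """Return a list of (media_type, params) tuples from an Accept header value.

    Media type and parameter names are lower-cased because HTTP defines them
    as case-insensitive. Parameter values are kept as sent (minus quotes); the
    caller decides per parameter how to compare them.
    """
    entries = []
    for part in header.split(","):
        part = part.strip()
        if not part:
            continue
        pieces = [p.strip() for p in part.split(";")]
        media_type = pieces[0].lower()
        params = {}
        for piece in pieces[1:]:
            if "=" in piece:
                name, value = piece.split("=", 1)
                params[name.strip().lower()] = value.strip().strip('"')
        entries.append((media_type, params))
    return entries


def accepts_json_utf8(header):
    """True if the client accepts application/json, with UTF-8 if it names a charset.

    Charset names are case-insensitive, so utf-8, UTF-8 and Utf-8 all match.
    """
    for media_type, params in parse_accept(header):
        if media_type not in ("application/json", "application/*", "*/*"):
            continue
        charset = params.get("charset")
        if charset is None or charset.lower() == "utf-8":
            return True
    return False


def strict_accepts_json_utf8(header):
    """The "send exactly what we say" comparison: anything but one exact spelling fails."""
    return header.strip() == "application/json; charset=utf-8"


if __name__ == "__main__":
    for value in ("application/json; charset=utf-8", "application/json; charset=UTF-8"):
        print(f"{value!r}: interoperable={accepts_json_utf8(value)} strict={strict_accepts_json_utf8(value)}")
```

Both header spellings from the slide are accepted by accepts_json_utf8, while strict_accepts_json_utf8 rejects the upper-case one; a request with charset=iso-8859-1 is still refused, so the relaxed check does not turn into "accept anything".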
18. The End
• Source code etc. publicly available on GitLab:
https://gitlab.com/fintechlabs/fapi-conformance-suite/
• Production deployment:
http://fintechlabs-fapi-conformance-suite.fintechlabs.io/
(Log in with any Google account)
• Open Source - contributions welcome, please ask if you’d like to help