This is the presentation used at APIDays Berlin (2017-11-08) to explain the Financial API Read & Write Security profile's rationale and how it fulfils the requirements.
1. Introduction to the FAPI Read & Write OAuth Profile
Nat Sakimura (@_nat_en)
Research Fellow, Nomura Research Institute; Chairman of the board, OpenID Foundation
2017-11-08
• OpenID® is a registered trademark of the OpenID Foundation.
• Unless otherwise noted, all the photos and vector images are licensed by GraphicStocks.
6. Copyright(C) Nomura Research Institute, Ltd. All rights reserved.
Nat Sakimura
(Co-)Author of:
OpenID Connect Core 1.0
JSON Web Token [RFC7519]
JSON Web Signature [RFC7515]
OAuth PKCE [RFC7636]
OAuth JAR [IETF Last Call]
Etc.
(Co-)Editor of:
ISO/IEC 29184 Guidelines for online notice and consent
ISO/IEC 29100 AMD: Privacy Framework – Amendment 1
ISO/IEC 27551 Requirements for attribute based unlinkable entity authentication
Etc.
• Chairman, OpenID Foundation
• Chair, Financial API WG
• Head of delegate from Japanese National Body to ISO/IEC JTC 1/SC 27/WG5
• WG5〜OECD/SPDE Liaison
• Research Fellow @ Nomura Research Institute (NRI)
• https://www.sakimura.org
• https://nat.sakimura.org
• @_nat_en (English)
• @_nat (Japanese)
• https://www.linkedin.com/in/natsakimura
• https://ja.wikipedia.org/wiki/崎村夏彦
20. II. What is OpenID Foundation
A WG can be spun up by a proposal from more than three members, with approval by the Specs Council and a Board review (2 weeks).
The Specs Council is composed of the current editors of the specs and checks for overlaps with other WGs or SDOs.
The Board checks that it will not cause IPR threats to the foundation.
The Financial API has been developed within the OpenID Foundation.
Hi, I’m Nat Sakimura, the chairman of the OpenID Foundation and a research fellow at Nomura Research Institute.
I am honored to be invited here to talk about OpenID Connect and the potential collaboration with AGL, but before going into the main topics, let me introduce myself briefly.
How many of you use iTunes? Can you raise your hand? Android? Google? MS Office 365? That’s pretty much everybody, right? If you do, then you are using the specs that I wrote.
I have never counted it myself but people say that over 3 billion people are using the specifications that I co-wrote.
They include … and so on.
I am an ISO expert on …
Besides being co-editor of many of the well-used specs, I wear many other hats. Like I said before, I am the chairman of the board of a US-based organization, the OpenID Foundation, and chair the Financial API WG there; I am the head of delegate from the JP NB to ISO.., liaison officer from OECD to ISO, and Research Fellow @ NRI. While I am completely new to AGL, NRI is not quite.
One of the problems with just using RFC 6749 is the integrity protection of the authorization request and response.
OAuth relies heavily on TLS for its security, but TLS gets terminated in the User Agent (UA), so the authorization request and response parameters that travel through the browser are not protected end-to-end between the client and the authorization server.
This exposes attack surface. In this table, I have …
You can see that there are problems with them. There is another perspective as well.
By using OpenID Connect’s Hybrid Flow and Request Object, you are pretty well covered.
In fact, all these are written down as part of the Financial API Security Profile; the name says Financial, but there is not much financial in it, as it only talks about security. So, you might want to have a look at it.
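As an added example (not code from these slides or from the FAPI specification), the two integrity checks just described, using only the Python standard library: the authorization server verifying a signed Request Object against the plain query parameters, and the client verifying that the Hybrid Flow code and state are bound to the signed id_token via c_hash and s_hash. The shared-key HS256 signing, the key and the sample values are assumptions so the demo runs stand-alone; FAPI Read & Write itself requires asymmetric signatures (PS256/ES256).

```python
import base64
import hashlib
import hmac
import json

# Constructed shared demo key. FAPI R/W mandates PS256/ES256 with a private
# key; HS256 is used here only so the example runs without extra libraries.
KEY = b"constructed-demo-key"

def b64url(data: bytes) -> str:
    """Base64url without padding, as used in JWS and in c_hash/s_hash."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def jws_sign(claims: dict) -> str:
    """Compact JWS (HS256 here) over the claims: the shape of a Request Object."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims, sort_keys=True).encode())
    mac = hmac.new(KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(mac)}"

def jws_verify(token: str):
    """Return the claims only if the signature checks out, else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header, payload, sig = parts
    mac = hmac.new(KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(b64url(mac), sig):
        return None
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def left_half_hash(value: str) -> str:
    """c_hash / s_hash: base64url of the left-most 128 bits of SHA-256."""
    return b64url(hashlib.sha256(value.encode()).digest()[:16])

def server_accepts_request(query: dict) -> bool:
    """Authorization server side: a modified Request Object fails signature
    verification, and a plain query parameter that also appears in the signed
    object must carry the signed value (OpenID Connect Core, section 6.1)."""
    claims = jws_verify(query.get("request", ""))
    if claims is None:
        return False
    return all(query[k] == v for k, v in claims.items() if k in query)

def client_accepts_response(code: str, state: str, id_token: str) -> bool:
    """Client side (Hybrid Flow): code and state from the front channel must be
    bound to the signed id_token via c_hash and s_hash, else reject the response."""
    claims = jws_verify(id_token)
    return (claims is not None
            and claims.get("c_hash") == left_half_hash(code)
            and claims.get("s_hash") == left_half_hash(state))
```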