Introduction to  the FAPI Read & Write OAuth Profile - Jan 2018 Updates

Nomura Research Institute
Nat Sakimura(@_nat_en)
Introduction to  
the FAPI Read & Write OAuth Profile
• OpenID® is a registered trademark of the OpenID Foundation.
• *Unless otherwise noted, all the photos and vector images are licensed by GraphicStocks.
2018-01-30
Foundation
#APIdays
Research FellowChairman of the board

© 2017 by Nat Sakimura. CC-BY-SA.
Copyright © 2016 Nat Sakimura. All Rights Reserved.
Q 2
Using iTunes? 
Using Android?  
Using Google?  
Using MS Office 365? 
…
2

3
Over 3 Billion served.
3

4
International standards
4
OpenID Connect
JSON Web Token (JWT)
JSON Web Signature (JWS)
OAuth PKCE(RFC7636)
OAuth JAR (RFC TBD)
ISO/IEC 29184
ISO/IEC 29100 AMD1
JIS X 9250
Etc.

5
An international standardization expert  
and a protocol designer  
 
on identity, access management, and privacy
5

Copyright（C） Nomura Research Institute, Ltd. All rights reserved. 6
Nat Sakimura 
■(Co-)Author of:
● OpenID Connect Core 1.0
● JSON Web Token [RFC7519]
● JSON Web Signature [7515]
● OAuth PKCE [RFC7636]
● OAuth JAR [IETF Last Call]
● Etc.
■(Co-)Editor of:
● ISO/IEC 29184 Guidelines for online notice and consent
● ISO/IEC 29100 AMD: Privacy Framework – Amendment 1
● ISO/IEC 27551 Requirements for attribute based unlinkable
entity authentication
● Etc.
• Chairman, OpenID Foundation
• Chair, Financial API WG
• Head of delegate from Japanese
National Body to ISO/IEC JTC 1/
SC 27/WG5
• WG5〜OECD/SPDE Liaison
• Research Fellow  
@ Nomura Research Institute  
(NRI)
• https://www.sakimura.org
• https://nat.sakimura.org
• @_nat_en (English)
• @_nat (Japanese)
• https://www.linkedin.com/in/
natsakimura
• https://ja.wikipedia.org/wiki/
崎村夏彦
6

7
FAPI Updates

Copyright（C） Nomura Research Institute, Ltd. All rights reserved.
A year ago in APIDays Paris
Introduced FAPI WG

9
OAuth is a framework – needs to be profiled
■ This framework was designed with the clear expectation that future
■ work will define prescriptive profiles and extensions necessary to
■ achieve full web-scale interoperability.

? 10
Which OAuth?

1111

12
That creates specification to take care of medium to high risk API access security.
12
Valueoftheresource
Environment control levelHigh Low
High
Low
Social sharing
Closed circuit

Factory
application
Financial API  
– Read & Write
e.g.,
Basic choices ok.
Bearer token Not
OK
Basic choices

NOT OK
No need to satisfy all the security
requirments by OAuth
Financial API  
– Read only

13
That can serve all financial transactions  
including PSD2,  
but not limited to.

14
FAPI Security Profile is a general purpose higher
security API protection mechanism based on
OAuth framework.
14

15
It has been adopted by Open Banking UK
15

16
9 Major banks in UK goes live on January, 2018
(Source) Chris Mitchel, “Banking is now more open”, Identify 2017

17
It is also recommended by the Japanese Banker’s association
17
(source) https://www.zenginkyo.or.jp/fileadmin/res/news/news290713_1.pdf

18
US FS-ISAC aligning their security
requirements
18

19
… and major IAM vendors are  
implementing it
19

Copyright（C） Nomura Research Institute, Ltd. All rights reserved. 20
II. What is OpenID Foundation
■A WG can be spun up by more than three
members proposing and by the approval
by the Specs Council and the Board
review (2 weeks).
■Specs Council is composed by the current
editors of the specs and checks the
overlaps with other WGs or SDOs.
■The board checks that it will not cause
IPR threats to the foundation.
It has been developed within OpenID Foundation
20

21
At FAPI WG since there are right people, IPR, and structure
• All the authors of OAuth, JWT, JWS,
OpenID Connect are here.
■ Right
People
• Loyalty free, mutual non-assert IPR:

• ! Anyone can freely implement.
■ Right
IPR
• No fee for joining a WG (Sponsors
welcome)

• WTO TBT Treaty compliant process.
■ Right
Structur
e
21

22
Working Together
22
OpenID FAPI
(Chair)
(Co-Chair)(Co-Chair)
(UK OBIE Liaison)
Liaison Organizations
TC 68
JTC 1/SC 27/WG 5
Nat Sakimura
Tony NadalinAnoop Saxena
fido 2.0 WG Chair

W3C Web Authn WG Chair

23
The work progresses with a weekly tele-conferences, mailing list discussions  
and project repository (https://bitbucket.org/openid/fapi/ )
23
Issue Tracker
Meeting notes
Commit History
Pull Requests
Draft Text

24
We have issued two implementer’s drafts
Valueoftheresource
Environment control levelHigh Low
High
Low
Social sharing
Closed circuit

Factory
application
Financial API  
– Read & Write
e.g.,
Basic choices ok.
Financial API  
– Read only

25
Which are redirect approach
■Part 1: Read Only Security Profile
■Part 2: Read and Write Security Profile
25
Redirect

Approach
Decoupled

Approach
Embedded
Approach

26
While RFC6749 is not complete with source, destination, and message authentication,
UA
Client AS
TLS Protected
TLS ProtectedTLS Protected
TLS Terminated
Sender
AuthN
Receiver
AuthN
Message
AuthN
AuthZ Req Indirect None None
AuthZ Res None None None
Token Req Weak Good Good
Token Res Good Good Good

27
■ By using OpenID Connect’s Hybrid Flow and Request Object, you are pretty well covered.
FAPI Part 2 is complete with source, destination, and message authentication.
27
Sender
AuthN
Receiver
AuthN
Message
AuthN
AuthZ Req Request Object Request Object Request object
AuthZ Res Hybrid Flow Hybrid Flow Hybrid Flow
Token Req Good Good Good
Token Res Good Good Good

28
Tokens are Sender Constrained instead of being bearer
Security
Levels
Token Types Notes
Sender Constrained
Token
Only the entity that was issued
can used the token.
Bearer Token Stolen tokens can also be used

29
These are in the form of check lists.
(source) https://bitbucket.org/openid/fapi/src/master/Financial_API_WD_002.md

30
Crypto Requirements are tightened for interoperability and security
(source) https://bitbucket.org/openid/fapi/src/master/Financial_API_WD_002.md

? 31
How does it look like?
34

32
UA
Client ASSet Up
RS
POST /payments HTTP/1.1
Authorization: Bearer 2YotnFZFEjr1zCsicMWpAA
x-idempotency-key: FRESCO.21302.GFX.20
x-fapi-financial-id: OB/2017/001
x-fapi-customer-last-logged-time: 2017-06-13T11:36:09
x-fapi-customer-ip-address: 104.25.212.99
x-fapi-interaction-id: 93bac548-d2de-4546-
b106-880a5018460d
Content-Type: application/json
Accept: application/json

{
  "Data": {
    "Initiation": {
      "InstructionIdentification": "ACME412",
      "EndToEndIdentification": "FRESCO.21302.GFX.20",
      "InstructedAmount": {
        "Amount": "165.88",
        "Currency": "GBP"
[…snip…]
      "TownName": "Sparsholt",
      "CountySubDivision": [
        "Wessex"
      ],
      "Country": "UK"
    }
  }
}

33
UA
Client ASReference
RS
HTTP/1.1 201 Created
b106-880a5018460d

{
  "Data": {
    "PaymentId": "58923",
    "Status": "AcceptedTechnicalValidation",
    "CreationDateTime": "2017-06-05T15:15:13+00:00",
    "Initiation": {
        "Amount": "165.88",
        "Currency": "GBP"
      },
      "CreditorAccount": {
[…snip…]
        "Wessex"
      ],
      "Country": "UK"
    }
  },
  "Links": {
    "Self": "https://api.alphabank.com/open-banking/v1.0/
payments/58923"
  },
  "Meta": {}
}

34
UA
Client AS
JWT Authorization
Request incl.  
ref.
RS
{
    "alg": "",
    "kid": "GxlIiwianVqsDuushgjE0OTUxOTk"
}
.
{
   "aud": "https://api.alphanbank.com",
   "iss": "s6BhdRkqt3",
   "response_type": "code id_token",
   "client_id": "s6BhdRkqt3",
   "redirect_uri": "https://api.mytpp.com/cb",
   "scope": "openid payments accounts",
   "state": "af0ifjsldkj",
   "nonce": "n-0S6_WzA2Mj",
   "max_age": 86400,
   "claims":
    {
     "userinfo":
      {
       "openbanking_intent_id":
{"value": "urn:alphabank:intent:58923", "essential": true}
      },
     "id_token":
      {
       "openbanking_intent_id":
{"value": "urn:alphabank:intent:58923", "essential": true},
       "acr": {"essential": true,
                "values": ["urn:openbanking:psd2:sca",
                     "urn:openbanking:psd2:ca"]}}
      }
    }
}
.
<<signature>>

35
UA
Client AS
Secure Customer
Authentication 
(SCA)
RS
Any Authentication method can be used.
e.g. FIDO Authenticator, Mobile Connect
In this case, Phishing resistant
authenticator can be used as there is no
MITM.

36
UA
Client AS
AurthZ Res w/

ID Token as a
detached sig.
RS
{
  "alg": "RS256",
  "kid": "12345",
  "typ": "JWT"
}
.
{
   "iss": "https://api.alphabank.com",
   "iat": 1234569795,
   "sub": "ralph.bragg@raidiam.com",
   "acr": "urn:openbanking:psd2:sca",
   "address": "2 Thomas More Square",
   "phone": "+447890130559",
   "openbanking_intent_id": "urn:alphabank:payment:58923",
   "aud": "s6BhdRkqt3",
   "nonce": "n-0S6_WzA2Mj",
   "exp": 1311281970,
   "s_hash": "76sa5dd",
   "c_hash": "asd097d"
  }
.
{
<<Signature>>
}

37
UA
Client ASCode + MTLS
RS
POST /as/token.oauth2 HTTP/1.1
Host: https://authn.alphabank.com
Content-Type: application/x-www-form-urlencoded
grant_type=authorization_code
&code=SplxlOBeZQQYbYS6WxSbIA
&redirect_uri=https://api.mytpp.com/cb
&client_assertion_type=
    urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer
&client_assertion=eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJodHRw
czovL2p3dC1pZHAuZXhhbXBsZS5jb20iLCJzdWIiOiJtYWlsdG86bWlrZUBleGFtcGxlLmN
vbSIsIm5iZiI6MTQ5OTE4MzYwMSwiZXhwIjoxNDk5MTg3MjAxLCJpYXQiOjE0OTkxODM2MD
EsImp0aSI6ImlkMTIzNDU2IiwidHlwIjoiaHR0cHM6Ly9leGFtcGxlLmNvbS9yZWdpc3Rlc
iJ9.SAxPMaJK_wYl_W2idTQASjiEZ4UoI7-P2SbmnHKr6LvP8ZJZX6JlnpK_xClJswAni1T
p1UnHJslc08JrexctaeEIBrqwHG18iBcWKjhHK2Tv5m4nbTsSi1MFQOlMUTRFq3_LQiHqV2
M8Hf1v9q9YaQqxDa4MK0asDUtE_zYMHz8kKDb-jj-Vh4mVDeM4_FPiffd2C5ckjkrZBNOK0
01Xktm7xTqX6fk56KTrejeA4x6D_1ygJcGfjZCv6Knki7Jl-6MfwUKb9ZoZ9LiwHf5lLXPuy
_QrOyM0pONWKj9K4Mj7I4GPGvzyVqpaZUgjcOaZY_rlu_p9tnSlE781dDLuw
{
  "alg": "RS256",
  "kid": "12345",
  "typ": "JWT"
}
.
{
  "iss": "s6BhdRkqt3",
  "sub": "s6BhdRkqt3",
  "exp": 1499187201,
  "iat": 1499183601,
  "jti": "id123456",
  "aud": "https://authn.alphabank.com/as/token.oauth2"
}
.
<<signature>>

38
UA
Client AS
Sender
constrained
access token
RS
HTTP/1.1 200 OK
Cache-Control: no-store
Pragma: no-cache

{
"access_token": "SlAV32hkKG",
"token_type": "Bearer",
"expires_in": 3600
}

39
UA
Client AS
RS
REST Req w/

Sender Constrained

Access Token
GET /payment-submissions/58923-001 HTTP/1.1
Authorization: Bearer SlAV32hkKG
x-fapi-customer-last-logged-
time: 2017-06-13T11:36:09
b106-880a5018460d
It actually is not a bearer
token.

Although from the client
point of view,

It is bound to the client
certs used in the MTLS.

40
UA
Client AS
RS
Resource
HTTP/1.1 200 OK
b106-880a5018460d

{
  "Data": {
    "PaymentSubmissionId": "58923-001",
    "Status": "AcceptedSettlementInProcess",
    "CreationDateTime": "2017-06-05T15:15:22+00:00"
  },
  "Links": {
    "Self": "https://api.alphabank.com/open-banking/
v1.0/payment-submissions/58923-001"
  },
  "Meta": {}
}

41
For more detailed examples, go read
Open Banking Security Proﬁle - Implementer's Draft v1.1.0

42
And now working on the decoupled approach …
■CIBA (client initiated backchannel
authentication) profile.
31
Redirect

Approach
Decoupled

Approach
Embedded
Approach
https://bitbucket.org/openid/fapi/src/master/Financial_API_WD_CIBA.md

43
UA
Client ASSet Up
RS
POST /payments HTTP/1.1
Authorization: Bearer 2YotnFZFEjr1zCsicMWpAA
x-idempotency-key: FRESCO.21302.GFX.20
x-fapi-customer-last-logged-time: 2017-06-13T11:36:09
x-fapi-interaction-id: 93bac548-d2de-4546-b106-880a5018460d

{
  "Data": {
    "Initiation": {
        "Amount": "165.88",
        "Currency": "GBP"
[…snip…]
      "TownName": "Sparsholt",
        "Wessex"
      ],
      "Country": "UK"
    }
  }
}

44
UA
Client ASReference
RS
HTTP/1.1 201 Created
x-fapi-interaction-id: 93bac548-d2de-4546-b106-880a5018460d

{
  "Data": {
    "Status": "AcceptedTechnicalValidation",
    "CreationDateTime": "2017-06-05T15:15:13+00:00",
    "Initiation": {
        "Amount": "165.88",
        "Currency": "GBP"
      },
      "CreditorAccount": {
[…snip…]
        "Wessex"
      ],
      "Country": "UK"
    }
  },
  "Links": {
    "Self": "https://api.alphabank.com/open-banking/v1.0/payments/
58923"
  },
  "Meta": {}
}

45
UA
Client AS
Secure
Authentication

w/ push
RS
Any Authentication method can be used.
e.g. FIDO Authenticator
Polling/Push
AurthZ Res

46
We are not working on Embedded Approach
■Since we do not know how it can be phishing resistant
● W3C Web Authentication will not work.
● Come to the WG if you know how
▪ IPR release is necessary though.
■GDPR explicit consent for third party data transfer?
● What would be the liability implications?
32
Redirect

Approach
Decoupled

Approach
Embedded
Approach

47
Status
■Part 1: Read Only Security Profile —> 2nd Implementers Draft Imminent
■Part 2: Read & Write Security Profile —> ditto
■Part 3: Client Initiated Back Channel Authentication Profile —> March?

? 48
How can we tell that the implementation
conforms to the specification?
34

49
Once it passes the test, the implementer
can self-certify and publish.
• That gets the implementers under the premise of
the article 5 of the FTC Act.

• The log will be openly available so others can
also find out false claims.
See http://openid.net/certification/
for details
OpenID Foundation provides the online test environment for the implementers to test their
conformance. OpenBanking Profile has new set of test now available for their members.
35

50
Security and privacy  
cannot be an afterthought

51
Benefit of APIs rapidly diminishes  
if they do not interoperate.
37

52
Let’s not get into NIH* Syndrome.
38
* Not Invented Here

53
But work together in the open, IPR safe
environment.
39

Q 54
uestions?
40

Introduction to  the FAPI Read & Write OAuth Profile - Jan 2018 Updates

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Ähnlich wie Introduction to  the FAPI Read & Write OAuth Profile - Jan 2018 Updates

Ähnlich wie Introduction to  the FAPI Read & Write OAuth Profile - Jan 2018 Updates (20)

Mehr von Nat Sakimura

Mehr von Nat Sakimura (20)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)