SlideShare ist ein Scribd-Unternehmen logo

Trends in Banking APIs

Tatsuo Kudo
Tatsuo Kudo

English version of https://www.slideshare.net/tkudo/banking-apis-authorization-practice-2018

Internet
1 von 20
Downloaden Sie, um offline zu lesen
Financial APIs Workshop - Japan/UK Open Banking and APIs Summit 2018 Trends in Banking APIs Tatsuo Kudo
Preface • A couple of standardization efforts on banking APIs are emerging around the world, especially in Europe. This presentation summarizes how such standards define API access authorization and gives insights on future directions. 2
About me • Tatsuo Kudo https://www.linkedin.com/in/tatsuokudo – Sun Microsystems (1998-2008) – Nomura Research Institute (2008-2018) – OpenID Foundation Japan (2013-2014) – NRI SecureTechnologies (2014-2018) – Authlete (2018-) • VP of Solution Strategy 3
What are ”Banking APIs?” • They vary, such as: – Providing “Open Data” (e.g. branch location) – White-labeled banking services (e.g. “Bank as a Service”) – Providing bank accounts’ information and accepting transaction requests based on end-user consent 371 APIs are listed in Banking category Source: https://www.programmableweb.com/category/banking 4
Leveraging “OAuth 2.0” in Banking APIs • The framework is often utilized to enable API access authorization with customer’s consent 5 Actors in “OAuth 2.0” and a typical authorization flow Source: https://www.slideshare.net/tkudo/api-meetup-oauth
Who Defines Banking APIs • Bank defines its own spec • Industry groups and consortia define common spec • (Vendor defines its proprietary spec) 6 • Open Banking UK • Berlin Group NextGenPSD2 • Polish Bank Association • Slovak Banking Association • (France Stet)
Open Banking UK • FAPI Part 2 • Client Credentials Grant Type (OAuth 2.0) / OIDC Hybrid Flow • Request Object • Mutual TLS 7 Source: Open Banking Security Profile - Implementer's Draft v1.1.2 https://openbanking.atlassian.net/wiki/spaces/DZ/pages/83919096/Open+Banking+Security+Profile+-+Implementer+s+Draft+v1.1.2
Open Banking UK Account Information 1. PSU (Payment Service User) allows AISP (Account Information Service Provider) to make a request 2. AISP sends the request to ASPSP (Account Servicing Payment Service Provider) using POST /account-resource (Mutual TLS, Client Credentials Grant Type) 3. ASPSP provides PISP with “AccountRequestId” 4. AISP creates a Request Object that contains AccountRequestId and send it to ASPSP as authorization request (OIDC Hybrid Flow) 5. ASPSP authenticates PSU 6. ASPSP provides AISP with authorization code 7. AISP sends the code to ASPSP to obtain access token (Mutual TLS) 8. AISP sends a request using GET /accounts with the access token (Mutual TLS) 8 Source: Account and Transaction API - v2.0.0 https://openbanking.atlassian.net/wiki/spaces/DZ/pages/127009546/Account+and+ Transaction+API+Specification+-+v2.0.0
Open Banking UK Payment Initiation 1. PSU allows PISP (Payment Initiation Service Provider) to make a payment initiation request 2. PISP sends the request to ASPSP using POST /payments (Mutual TLS, Client Credentials Grant Type) 3. ASPSP provides PISP with ”PaymentId” 4. PISP creates a Request Object that contains PaymentId and send it to ASPSP as authorization request (OIDC Hybrid Flow) 5. ASPSP authenticates PSU 6. ASPSP provides PISP with authorization code 7. PISP sends the code to ASPSP to obtain access token (Mutual TLS) 8. PISP sends a request using POST /payment-submissions with the access token (Mutual TLS) 9. PISP optionally retrieves the status of a payment setup or submission 9 Source: Payment Initiation API - v1.1.0 https://openbanking.atlassian.net/wiki/spaces/DZ/pages/5786479/Payment+Initiation+API+Specification+-+v1.1.0
Other Payment Initiation with OIDC Hybrid Flow Example • Slovak Banking API Standard – Like OB UK, PISP obtains identifier of payment (orderId) from ASPSP, puts it in Request Object and invokes authorization request 10 Source: Slovak Banking API Standard Version 1.1 http://www.sbaonline.sk/files/subory/projekty/sbas/sbas_ver1.1-final.pdf
Other Payment Initiation with OIDC Hybrid Flow Example • MKB in Hungary – Utilizes Open Banking UK Security Profile – Like OB UK, PISP obtains identifier of payment (openbanking_intent_id) from ASPSP, puts it in Request Object and invokes authorization request 11 Source: Account and Transaction API Specification https://portal.sandbox.mkb.hu/api-documentation/account-info
Berlin Group “NextGenPSD2” • The spec defines four authn/authz flows in general – Redirect SCA Approach – OAuth2 SCA Approach – Decoupled SCA Approach – Embedded SCA Approach 12
Berlin Group “NextGenPSD2” Redirect / OAuth2 SCA Approach • PSU is redirected to ASPSP to confirm consent • “OAuth2” is a variant of Redirect – Redirection location is dynamically determined with Authorization Server Metadata 13 Source: NextGenPSD2 XS2A Framework Implementation Guidelines Version 1.1 https://docs.wixstatic.com/ugd/c2914b_5351b289bf844c6881e46ee3561d95bb.pdf
Berlin Group “NextGenPSD2” Decoupled SCA Approach • ASPSP confirms consent from PSU through a path bypassing PISP/AISP 14 Source: NextGenPSD2 XS2A Framework Implementation Guidelines Version 1.1 https://docs.wixstatic.com/ugd/c2914b_5351b289bf844c6881e46ee3561d95bb.pdf
Berlin Group “NextGenPSD2” Embedded SCA Approach • ASPSP confirms consent from PSU through PISP/AISP 15 Source: NextGenPSD2 XS2A Framework Implementation Guidelines Version 1.1 https://docs.wixstatic.com/ugd/c2914b_5351b289bf844c6881e46ee3561d95bb.pdf
Berlin Group “NextGenPSD2” Relation with OAuth 2.0 • The framework is positioned as “Optional Usage” • PISP/AISP eventually obtains access token from ASPSP as a result of “pre-step” and/or doing OAuth SCA Approach, and calls API (XS2A interface) with the token 16
Other Decoupled Authentication Example • Poland “PolishAPI” • Different approach from NextGenPSD2 – Utilizes OAuth 2.0 Authorization Code grant – TPP (Third-Party Provider) sends output from EAT (External Authorization Tool) to ASPSP 17 Source: PolishAPI Verison 2.0 https://docs.polishapi.org/files/ver2.0/PolishAPI-spec-v2.0-EN.pdf
Other Decoupled Authentication Example • France “STET” • Resource Owner Password Grant – AISP/PISP asks PSU to provide result of Strong Customer Authentication done by ASPSP, and send it to the ASPSP as “Password” 18 Source: PolishAPI Verison 2.0 https://www.stet.eu/assets/files/PSD2/1_3/API_DSP2_STET_V1_3.pdf
Conclusion • A flow of “intent” – TPP sends an intent to ASPSP using POST, crafts Request Object that contains identifier of the intent and makes an authorization request – is becoming a common practice. It is not only Open Banking UK but also other standardization initiatives • Mutual TLS authentication between TPP and ASPSP is a must • “Embedded” vs “Decoupled” 19
Thanks!

Empfohlen

銀行APIのトレンド #fapisum
銀行APIのトレンド #fapisum銀行APIのトレンド #fapisum
銀行APIのトレンド #fapisumTatsuo Kudo
 
APIエコノミー時代の認証・認可
APIエコノミー時代の認証・認可APIエコノミー時代の認証・認可
APIエコノミー時代の認証・認可Tatsuo Kudo
 
Authorization Architecture Patterns: How to Avoid Pitfalls in #OAuth / #OIDC ...
Authorization Architecture Patterns: How to Avoid Pitfalls in #OAuth / #OIDC ...Authorization Architecture Patterns: How to Avoid Pitfalls in #OAuth / #OIDC ...
Authorization Architecture Patterns: How to Avoid Pitfalls in #OAuth / #OIDC ...Tatsuo Kudo
 
In-house OAuth/OIDC Infrastructure as a Competitive Advantage #eic2021
In-house OAuth/OIDC Infrastructure as a Competitive Advantage #eic2021In-house OAuth/OIDC Infrastructure as a Competitive Advantage #eic2021
In-house OAuth/OIDC Infrastructure as a Competitive Advantage #eic2021Tatsuo Kudo
 
Authlete: API Authorization Enabler for API Economy
Authlete: API Authorization Enabler for API EconomyAuthlete: API Authorization Enabler for API Economy
Authlete: API Authorization Enabler for API EconomyTatsuo Kudo
 
CIBA Profile Overview - OpenID Foundation/Open Banking Workshop - March 21, 2018
CIBA Profile Overview - OpenID Foundation/Open Banking Workshop - March 21, 2018CIBA Profile Overview - OpenID Foundation/Open Banking Workshop - March 21, 2018
CIBA Profile Overview - OpenID Foundation/Open Banking Workshop - March 21, 2018MikeLeszcz
 
Comprehensive overview FAPI 1 and 2
Comprehensive overview FAPI 1 and 2Comprehensive overview FAPI 1 and 2
Comprehensive overview FAPI 1 and 2Torsten Lodderstedt
 
Authlete FAPI Implementation Part 1 #fapisum - Japan/UK Open Banking and APIs...
Authlete FAPI Implementation Part 1 #fapisum - Japan/UK Open Banking and APIs...Authlete FAPI Implementation Part 1 #fapisum - Japan/UK Open Banking and APIs...
Authlete FAPI Implementation Part 1 #fapisum - Japan/UK Open Banking and APIs...FinTechLabs.io
 

Empfohlen

銀行APIのトレンド #fapisum
銀行APIのトレンド #fapisum銀行APIのトレンド #fapisum
銀行APIのトレンド #fapisumTatsuo Kudo
 
APIエコノミー時代の認証・認可
APIエコノミー時代の認証・認可APIエコノミー時代の認証・認可
APIエコノミー時代の認証・認可Tatsuo Kudo
 
Authorization Architecture Patterns: How to Avoid Pitfalls in #OAuth / #OIDC ...
Authorization Architecture Patterns: How to Avoid Pitfalls in #OAuth / #OIDC ...Authorization Architecture Patterns: How to Avoid Pitfalls in #OAuth / #OIDC ...
Authorization Architecture Patterns: How to Avoid Pitfalls in #OAuth / #OIDC ...Tatsuo Kudo
 
In-house OAuth/OIDC Infrastructure as a Competitive Advantage #eic2021
In-house OAuth/OIDC Infrastructure as a Competitive Advantage #eic2021In-house OAuth/OIDC Infrastructure as a Competitive Advantage #eic2021
In-house OAuth/OIDC Infrastructure as a Competitive Advantage #eic2021Tatsuo Kudo
 
Authlete: API Authorization Enabler for API Economy
Authlete: API Authorization Enabler for API EconomyAuthlete: API Authorization Enabler for API Economy
Authlete: API Authorization Enabler for API EconomyTatsuo Kudo
 
CIBA Profile Overview - OpenID Foundation/Open Banking Workshop - March 21, 2018
CIBA Profile Overview - OpenID Foundation/Open Banking Workshop - March 21, 2018CIBA Profile Overview - OpenID Foundation/Open Banking Workshop - March 21, 2018
CIBA Profile Overview - OpenID Foundation/Open Banking Workshop - March 21, 2018MikeLeszcz
 
Comprehensive overview FAPI 1 and 2
Comprehensive overview FAPI 1 and 2Comprehensive overview FAPI 1 and 2
Comprehensive overview FAPI 1 and 2Torsten Lodderstedt
 
Authlete FAPI Implementation Part 1 #fapisum - Japan/UK Open Banking and APIs...
Authlete FAPI Implementation Part 1 #fapisum - Japan/UK Open Banking and APIs...Authlete FAPI Implementation Part 1 #fapisum - Japan/UK Open Banking and APIs...
Authlete FAPI Implementation Part 1 #fapisum - Japan/UK Open Banking and APIs...FinTechLabs.io
 
OAuth and OpenID Connect for PSD2 and Third-Party Access
OAuth and OpenID Connect for PSD2 and Third-Party AccessOAuth and OpenID Connect for PSD2 and Third-Party Access
OAuth and OpenID Connect for PSD2 and Third-Party AccessNordic APIs
 
Implementing Open Banking with ForgeRock
Implementing Open Banking with ForgeRockImplementing Open Banking with ForgeRock
Implementing Open Banking with ForgeRockForgeRock Identity Tech Talks
 
Intelligent authentication Identity tech talks
Intelligent authentication Identity tech talksIntelligent authentication Identity tech talks
Intelligent authentication Identity tech talksLeonard Moustacchis
 
Open Banking UK “Identity Product” Internals #fapisum - Japan/UK Open Banking...
Open Banking UK “Identity Product” Internals #fapisum - Japan/UK Open Banking...Open Banking UK “Identity Product” Internals #fapisum - Japan/UK Open Banking...
Open Banking UK “Identity Product” Internals #fapisum - Japan/UK Open Banking...FinTechLabs.io
 
Open Banking for Developers #fapisum - Japan/UK Open Banking and APIs Summit ...
Open Banking for Developers #fapisum - Japan/UK Open Banking and APIs Summit ...Open Banking for Developers #fapisum - Japan/UK Open Banking and APIs Summit ...
Open Banking for Developers #fapisum - Japan/UK Open Banking and APIs Summit ...FinTechLabs.io
 
The Great British API Client Bake Off #fapisum - Japan/UK Open Banking and AP...
The Great British API Client Bake Off #fapisum - Japan/UK Open Banking and AP...The Great British API Client Bake Off #fapisum - Japan/UK Open Banking and AP...
The Great British API Client Bake Off #fapisum - Japan/UK Open Banking and AP...FinTechLabs.io
 
ForgeRock Open banking - Meetup 28/06/2018
ForgeRock Open banking - Meetup 28/06/2018ForgeRock Open banking - Meetup 28/06/2018
ForgeRock Open banking - Meetup 28/06/2018Quentin Castel
 
OBIE Directory Integration - A Technical Deep Dive
OBIE Directory Integration - A Technical Deep DiveOBIE Directory Integration - A Technical Deep Dive
OBIE Directory Integration - A Technical Deep DiveWSO2
 
CIS 2017 - So you want to use standards to secure your APIs?
CIS 2017 - So you want to use standards to secure your APIs?CIS 2017 - So you want to use standards to secure your APIs?
CIS 2017 - So you want to use standards to secure your APIs?Bertrand Carlier
 
APIdays Paris 2019 : Financial-grade API (FAPI) Security Profile
APIdays Paris 2019 : Financial-grade API (FAPI) Security ProfileAPIdays Paris 2019 : Financial-grade API (FAPI) Security Profile
APIdays Paris 2019 : Financial-grade API (FAPI) Security ProfileHitachi, Ltd. OSS Solution Center.
 
Wavestone forgerock banking demo
Wavestone forgerock banking demoWavestone forgerock banking demo
Wavestone forgerock banking demoBertrand Carlier
 
Connected Identity : The Role of the Identity Bus
Connected Identity : The Role of the Identity BusConnected Identity : The Role of the Identity Bus
Connected Identity : The Role of the Identity BusPrabath Siriwardena
 
Building a Fool Proof Security Strategy for PSD2 Compliance
Building a Fool Proof Security Strategy for PSD2 ComplianceBuilding a Fool Proof Security Strategy for PSD2 Compliance
Building a Fool Proof Security Strategy for PSD2 ComplianceWSO2
 
OpenID Connect: The new standard for connecting to your Customers, Partners, ...
OpenID Connect: The new standard for connecting to your Customers, Partners, ...OpenID Connect: The new standard for connecting to your Customers, Partners, ...
OpenID Connect: The new standard for connecting to your Customers, Partners, ...Salesforce Developers
 
Banking is Now More Open: Open Banking Update
Banking is Now More Open: Open Banking UpdateBanking is Now More Open: Open Banking Update
Banking is Now More Open: Open Banking UpdateMikeLeszcz
 
Adventures in Open Banking: Understanding OAuth and OpenID Client Ecosystems
Adventures in Open Banking: Understanding OAuth and OpenID Client EcosystemsAdventures in Open Banking: Understanding OAuth and OpenID Client Ecosystems
Adventures in Open Banking: Understanding OAuth and OpenID Client EcosystemsPriyanka Aash
 
Conformidade & Muito mais - Uma Demo da solução WSO2 Open Banking
Conformidade & Muito mais - Uma Demo da solução WSO2 Open BankingConformidade & Muito mais - Uma Demo da solução WSO2 Open Banking
Conformidade & Muito mais - Uma Demo da solução WSO2 Open BankingWSO2
 
apidays LIVE India - Digital Trust Infrastructure - Key to digital transforma...
apidays LIVE India - Digital Trust Infrastructure - Key to digital transforma...apidays LIVE India - Digital Trust Infrastructure - Key to digital transforma...
apidays LIVE India - Digital Trust Infrastructure - Key to digital transforma...apidays
 
API-first Integration for Microservices
API-first Integration for MicroservicesAPI-first Integration for Microservices
API-first Integration for MicroservicesWSO2
 
FAPI / Open Banking Conformance #fapisum - Japan/UK Open Banking and APIs Sum...
FAPI / Open Banking Conformance #fapisum - Japan/UK Open Banking and APIs Sum...FAPI / Open Banking Conformance #fapisum - Japan/UK Open Banking and APIs Sum...
FAPI / Open Banking Conformance #fapisum - Japan/UK Open Banking and APIs Sum...FinTechLabs.io
 
PSD2: Latvijas Komercbanku asociācijas pozīcija
PSD2: Latvijas Komercbanku asociācijas pozīcijaPSD2: Latvijas Komercbanku asociācijas pozīcija
PSD2: Latvijas Komercbanku asociācijas pozīcijaLatvijas Banka
 
NextGenPSD2 OAuth SCA Mode Security Recommendations
NextGenPSD2 OAuth SCA Mode Security RecommendationsNextGenPSD2 OAuth SCA Mode Security Recommendations
NextGenPSD2 OAuth SCA Mode Security RecommendationsTorsten Lodderstedt
 

Weitere ähnliche Inhalte

Was ist angesagt?

OAuth and OpenID Connect for PSD2 and Third-Party Access
OAuth and OpenID Connect for PSD2 and Third-Party AccessOAuth and OpenID Connect for PSD2 and Third-Party Access
OAuth and OpenID Connect for PSD2 and Third-Party AccessNordic APIs
 
Intelligent authentication Identity tech talks
Intelligent authentication Identity tech talksIntelligent authentication Identity tech talks
Intelligent authentication Identity tech talksLeonard Moustacchis
 
Open Banking UK “Identity Product” Internals #fapisum - Japan/UK Open Banking...
Open Banking UK “Identity Product” Internals #fapisum - Japan/UK Open Banking...Open Banking UK “Identity Product” Internals #fapisum - Japan/UK Open Banking...
Open Banking UK “Identity Product” Internals #fapisum - Japan/UK Open Banking...FinTechLabs.io
 
Open Banking for Developers #fapisum - Japan/UK Open Banking and APIs Summit ...
Open Banking for Developers #fapisum - Japan/UK Open Banking and APIs Summit ...Open Banking for Developers #fapisum - Japan/UK Open Banking and APIs Summit ...
Open Banking for Developers #fapisum - Japan/UK Open Banking and APIs Summit ...FinTechLabs.io
 
The Great British API Client Bake Off #fapisum - Japan/UK Open Banking and AP...
The Great British API Client Bake Off #fapisum - Japan/UK Open Banking and AP...The Great British API Client Bake Off #fapisum - Japan/UK Open Banking and AP...
The Great British API Client Bake Off #fapisum - Japan/UK Open Banking and AP...FinTechLabs.io
 
ForgeRock Open banking - Meetup 28/06/2018
ForgeRock Open banking - Meetup 28/06/2018ForgeRock Open banking - Meetup 28/06/2018
ForgeRock Open banking - Meetup 28/06/2018Quentin Castel
 
OBIE Directory Integration - A Technical Deep Dive
OBIE Directory Integration - A Technical Deep DiveOBIE Directory Integration - A Technical Deep Dive
OBIE Directory Integration - A Technical Deep DiveWSO2
 
CIS 2017 - So you want to use standards to secure your APIs?
CIS 2017 - So you want to use standards to secure your APIs?CIS 2017 - So you want to use standards to secure your APIs?
CIS 2017 - So you want to use standards to secure your APIs?Bertrand Carlier
 
APIdays Paris 2019 : Financial-grade API (FAPI) Security Profile
APIdays Paris 2019 : Financial-grade API (FAPI) Security ProfileAPIdays Paris 2019 : Financial-grade API (FAPI) Security Profile
APIdays Paris 2019 : Financial-grade API (FAPI) Security ProfileHitachi, Ltd. OSS Solution Center.
 
Wavestone forgerock banking demo
Wavestone forgerock banking demoWavestone forgerock banking demo
Wavestone forgerock banking demoBertrand Carlier
 
Connected Identity : The Role of the Identity Bus
Connected Identity : The Role of the Identity BusConnected Identity : The Role of the Identity Bus
Connected Identity : The Role of the Identity BusPrabath Siriwardena
 
Building a Fool Proof Security Strategy for PSD2 Compliance
Building a Fool Proof Security Strategy for PSD2 ComplianceBuilding a Fool Proof Security Strategy for PSD2 Compliance
Building a Fool Proof Security Strategy for PSD2 ComplianceWSO2
 
OpenID Connect: The new standard for connecting to your Customers, Partners, ...
OpenID Connect: The new standard for connecting to your Customers, Partners, ...OpenID Connect: The new standard for connecting to your Customers, Partners, ...
OpenID Connect: The new standard for connecting to your Customers, Partners, ...Salesforce Developers
 
Banking is Now More Open: Open Banking Update
Banking is Now More Open: Open Banking UpdateBanking is Now More Open: Open Banking Update
Banking is Now More Open: Open Banking UpdateMikeLeszcz
 
Adventures in Open Banking: Understanding OAuth and OpenID Client Ecosystems
Adventures in Open Banking: Understanding OAuth and OpenID Client EcosystemsAdventures in Open Banking: Understanding OAuth and OpenID Client Ecosystems
Adventures in Open Banking: Understanding OAuth and OpenID Client EcosystemsPriyanka Aash
 
Conformidade & Muito mais - Uma Demo da solução WSO2 Open Banking
Conformidade & Muito mais - Uma Demo da solução WSO2 Open BankingConformidade & Muito mais - Uma Demo da solução WSO2 Open Banking
Conformidade & Muito mais - Uma Demo da solução WSO2 Open BankingWSO2
 
apidays LIVE India - Digital Trust Infrastructure - Key to digital transforma...
apidays LIVE India - Digital Trust Infrastructure - Key to digital transforma...apidays LIVE India - Digital Trust Infrastructure - Key to digital transforma...
apidays LIVE India - Digital Trust Infrastructure - Key to digital transforma...apidays
 
API-first Integration for Microservices
API-first Integration for MicroservicesAPI-first Integration for Microservices
API-first Integration for MicroservicesWSO2
 
FAPI / Open Banking Conformance #fapisum - Japan/UK Open Banking and APIs Sum...
FAPI / Open Banking Conformance #fapisum - Japan/UK Open Banking and APIs Sum...FAPI / Open Banking Conformance #fapisum - Japan/UK Open Banking and APIs Sum...
FAPI / Open Banking Conformance #fapisum - Japan/UK Open Banking and APIs Sum...FinTechLabs.io
 

Was ist angesagt? (20)

OAuth and OpenID Connect for PSD2 and Third-Party Access
OAuth and OpenID Connect for PSD2 and Third-Party AccessOAuth and OpenID Connect for PSD2 and Third-Party Access
OAuth and OpenID Connect for PSD2 and Third-Party Access
 
Implementing Open Banking with ForgeRock
Implementing Open Banking with ForgeRockImplementing Open Banking with ForgeRock
Implementing Open Banking with ForgeRock
 
Intelligent authentication Identity tech talks
Intelligent authentication Identity tech talksIntelligent authentication Identity tech talks
Intelligent authentication Identity tech talks
 
Open Banking UK “Identity Product” Internals #fapisum - Japan/UK Open Banking...
Open Banking UK “Identity Product” Internals #fapisum - Japan/UK Open Banking...Open Banking UK “Identity Product” Internals #fapisum - Japan/UK Open Banking...
Open Banking UK “Identity Product” Internals #fapisum - Japan/UK Open Banking...
 
Open Banking for Developers #fapisum - Japan/UK Open Banking and APIs Summit ...
Open Banking for Developers #fapisum - Japan/UK Open Banking and APIs Summit ...Open Banking for Developers #fapisum - Japan/UK Open Banking and APIs Summit ...
Open Banking for Developers #fapisum - Japan/UK Open Banking and APIs Summit ...
 
The Great British API Client Bake Off #fapisum - Japan/UK Open Banking and AP...
The Great British API Client Bake Off #fapisum - Japan/UK Open Banking and AP...The Great British API Client Bake Off #fapisum - Japan/UK Open Banking and AP...
The Great British API Client Bake Off #fapisum - Japan/UK Open Banking and AP...
 
ForgeRock Open banking - Meetup 28/06/2018
ForgeRock Open banking - Meetup 28/06/2018ForgeRock Open banking - Meetup 28/06/2018
ForgeRock Open banking - Meetup 28/06/2018
 
OBIE Directory Integration - A Technical Deep Dive
OBIE Directory Integration - A Technical Deep DiveOBIE Directory Integration - A Technical Deep Dive
OBIE Directory Integration - A Technical Deep Dive
 
CIS 2017 - So you want to use standards to secure your APIs?
CIS 2017 - So you want to use standards to secure your APIs?CIS 2017 - So you want to use standards to secure your APIs?
CIS 2017 - So you want to use standards to secure your APIs?
 
APIdays Paris 2019 : Financial-grade API (FAPI) Security Profile
APIdays Paris 2019 : Financial-grade API (FAPI) Security ProfileAPIdays Paris 2019 : Financial-grade API (FAPI) Security Profile
APIdays Paris 2019 : Financial-grade API (FAPI) Security Profile
 
Wavestone forgerock banking demo
Wavestone forgerock banking demoWavestone forgerock banking demo
Wavestone forgerock banking demo
 
Connected Identity : The Role of the Identity Bus
Connected Identity : The Role of the Identity BusConnected Identity : The Role of the Identity Bus
Connected Identity : The Role of the Identity Bus
 
Building a Fool Proof Security Strategy for PSD2 Compliance
Building a Fool Proof Security Strategy for PSD2 ComplianceBuilding a Fool Proof Security Strategy for PSD2 Compliance
Building a Fool Proof Security Strategy for PSD2 Compliance
 
OpenID Connect: The new standard for connecting to your Customers, Partners, ...
OpenID Connect: The new standard for connecting to your Customers, Partners, ...OpenID Connect: The new standard for connecting to your Customers, Partners, ...
OpenID Connect: The new standard for connecting to your Customers, Partners, ...
 
Banking is Now More Open: Open Banking Update
Banking is Now More Open: Open Banking UpdateBanking is Now More Open: Open Banking Update
Banking is Now More Open: Open Banking Update
 
Adventures in Open Banking: Understanding OAuth and OpenID Client Ecosystems
Adventures in Open Banking: Understanding OAuth and OpenID Client EcosystemsAdventures in Open Banking: Understanding OAuth and OpenID Client Ecosystems
Adventures in Open Banking: Understanding OAuth and OpenID Client Ecosystems
 
Conformidade & Muito mais - Uma Demo da solução WSO2 Open Banking
Conformidade & Muito mais - Uma Demo da solução WSO2 Open BankingConformidade & Muito mais - Uma Demo da solução WSO2 Open Banking
Conformidade & Muito mais - Uma Demo da solução WSO2 Open Banking
 
apidays LIVE India - Digital Trust Infrastructure - Key to digital transforma...
apidays LIVE India - Digital Trust Infrastructure - Key to digital transforma...apidays LIVE India - Digital Trust Infrastructure - Key to digital transforma...
apidays LIVE India - Digital Trust Infrastructure - Key to digital transforma...
 
API-first Integration for Microservices
API-first Integration for MicroservicesAPI-first Integration for Microservices
API-first Integration for Microservices
 
FAPI / Open Banking Conformance #fapisum - Japan/UK Open Banking and APIs Sum...
FAPI / Open Banking Conformance #fapisum - Japan/UK Open Banking and APIs Sum...FAPI / Open Banking Conformance #fapisum - Japan/UK Open Banking and APIs Sum...
FAPI / Open Banking Conformance #fapisum - Japan/UK Open Banking and APIs Sum...
 

Ähnlich wie Trends in Banking APIs

PSD2: Latvijas Komercbanku asociācijas pozīcija
PSD2: Latvijas Komercbanku asociācijas pozīcijaPSD2: Latvijas Komercbanku asociācijas pozīcija
PSD2: Latvijas Komercbanku asociācijas pozīcijaLatvijas Banka
 
NextGenPSD2 OAuth SCA Mode Security Recommendations
NextGenPSD2 OAuth SCA Mode Security RecommendationsNextGenPSD2 OAuth SCA Mode Security Recommendations
NextGenPSD2 OAuth SCA Mode Security RecommendationsTorsten Lodderstedt
 
APIC EM APIs: a deep dive
APIC EM APIs: a deep diveAPIC EM APIs: a deep dive
APIC EM APIs: a deep diveCisco DevNet
 
Blockchin Architecture on Azure-Part-3
Blockchin Architecture on Azure-Part-3Blockchin Architecture on Azure-Part-3
Blockchin Architecture on Azure-Part-3Mohammad Asif
 
A Practical Deep Dive into Observability of Streaming Applications with Kosta...
A Practical Deep Dive into Observability of Streaming Applications with Kosta...A Practical Deep Dive into Observability of Streaming Applications with Kosta...
A Practical Deep Dive into Observability of Streaming Applications with Kosta...HostedbyConfluent
 
NextGenPSD2 OAuth SCA Mode Security Recommendations
NextGenPSD2 OAuth SCA Mode Security Recommendations NextGenPSD2 OAuth SCA Mode Security Recommendations
NextGenPSD2 OAuth SCA Mode Security Recommendations Torsten Lodderstedt
 
[apidays LIVE HONK KONG] - Building an Integrated Supply Chain for APIs
[apidays LIVE HONK KONG] - Building an Integrated Supply Chain for APIs [apidays LIVE HONK KONG] - Building an Integrated Supply Chain for APIs
[apidays LIVE HONK KONG] - Building an Integrated Supply Chain for APIs WSO2
 
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...Torsten Lodderstedt
 
Event-Based API Patterns and Practices
Event-Based API Patterns and PracticesEvent-Based API Patterns and Practices
Event-Based API Patterns and PracticesLaunchAny
 
CCICI CIP 1.0 Testbed - Security access implementation and reference - v1.0
CCICI CIP 1.0 Testbed - Security access implementation and reference - v1.0CCICI CIP 1.0 Testbed - Security access implementation and reference - v1.0
CCICI CIP 1.0 Testbed - Security access implementation and reference - v1.0Krishna-Kumar
 
WSO2 MASTER CLASS ITALIA #11 - APIM 4.0 & approccio event based
WSO2 MASTER CLASS ITALIA #11 - APIM 4.0 & approccio event basedWSO2 MASTER CLASS ITALIA #11 - APIM 4.0 & approccio event based
WSO2 MASTER CLASS ITALIA #11 - APIM 4.0 & approccio event basedProfesia Srl, Lynx Group
 
Solving Single-Sign-On
Solving Single-Sign-OnSolving Single-Sign-On
Solving Single-Sign-OnAaron King
 
Digital Transformation for Karnataka Bank Through API-led Integration
Digital Transformation for Karnataka Bank Through API-led IntegrationDigital Transformation for Karnataka Bank Through API-led Integration
Digital Transformation for Karnataka Bank Through API-led IntegrationWSO2
 
[API Word 2021] - Quantum Duality of “API as a Business and a Technology”
[API Word 2021] - Quantum Duality of “API as a Business and a Technology”[API Word 2021] - Quantum Duality of “API as a Business and a Technology”
[API Word 2021] - Quantum Duality of “API as a Business and a Technology”WSO2
 
Streaming Visualization
Streaming VisualizationStreaming Visualization
Streaming VisualizationGuido Schmutz
 

Ähnlich wie Trends in Banking APIs (20)

PSD2: Latvijas Komercbanku asociācijas pozīcija
PSD2: Latvijas Komercbanku asociācijas pozīcijaPSD2: Latvijas Komercbanku asociācijas pozīcija
PSD2: Latvijas Komercbanku asociācijas pozīcija
 
NextGenPSD2 OAuth SCA Mode Security Recommendations
NextGenPSD2 OAuth SCA Mode Security RecommendationsNextGenPSD2 OAuth SCA Mode Security Recommendations
NextGenPSD2 OAuth SCA Mode Security Recommendations
 
SFScon 2020 - Alex Lanz Martin Malfertheiner - OAuth2 OpenID
SFScon 2020 - Alex Lanz Martin Malfertheiner - OAuth2 OpenID SFScon 2020 - Alex Lanz Martin Malfertheiner - OAuth2 OpenID
SFScon 2020 - Alex Lanz Martin Malfertheiner - OAuth2 OpenID
 
OpenID for SSI
OpenID for SSIOpenID for SSI
OpenID for SSI
 
APIC EM APIs: a deep dive
APIC EM APIs: a deep diveAPIC EM APIs: a deep dive
APIC EM APIs: a deep dive
 
APITalkMeetupSharable
APITalkMeetupSharableAPITalkMeetupSharable
APITalkMeetupSharable
 
Blockchin Architecture on Azure-Part-3
Blockchin Architecture on Azure-Part-3Blockchin Architecture on Azure-Part-3
Blockchin Architecture on Azure-Part-3
 
A Practical Deep Dive into Observability of Streaming Applications with Kosta...
A Practical Deep Dive into Observability of Streaming Applications with Kosta...A Practical Deep Dive into Observability of Streaming Applications with Kosta...
A Practical Deep Dive into Observability of Streaming Applications with Kosta...
 
NextGenPSD2 OAuth SCA Mode Security Recommendations
NextGenPSD2 OAuth SCA Mode Security Recommendations NextGenPSD2 OAuth SCA Mode Security Recommendations
NextGenPSD2 OAuth SCA Mode Security Recommendations
 
[apidays LIVE HONK KONG] - Building an Integrated Supply Chain for APIs
[apidays LIVE HONK KONG] - Building an Integrated Supply Chain for APIs [apidays LIVE HONK KONG] - Building an Integrated Supply Chain for APIs
[apidays LIVE HONK KONG] - Building an Integrated Supply Chain for APIs
 
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
 
Event-Based API Patterns and Practices
Event-Based API Patterns and PracticesEvent-Based API Patterns and Practices
Event-Based API Patterns and Practices
 
CCICI CIP 1.0 Testbed - Security access implementation and reference - v1.0
CCICI CIP 1.0 Testbed - Security access implementation and reference - v1.0CCICI CIP 1.0 Testbed - Security access implementation and reference - v1.0
CCICI CIP 1.0 Testbed - Security access implementation and reference - v1.0
 
DIWD Concordia
DIWD ConcordiaDIWD Concordia
DIWD Concordia
 
WSO2 MASTER CLASS ITALIA #11 - APIM 4.0 & approccio event based
WSO2 MASTER CLASS ITALIA #11 - APIM 4.0 & approccio event basedWSO2 MASTER CLASS ITALIA #11 - APIM 4.0 & approccio event based
WSO2 MASTER CLASS ITALIA #11 - APIM 4.0 & approccio event based
 
Solving Single-Sign-On
Solving Single-Sign-OnSolving Single-Sign-On
Solving Single-Sign-On
 
KubeConRecap_nakamura.pdf
KubeConRecap_nakamura.pdfKubeConRecap_nakamura.pdf
KubeConRecap_nakamura.pdf
 
Digital Transformation for Karnataka Bank Through API-led Integration
Digital Transformation for Karnataka Bank Through API-led IntegrationDigital Transformation for Karnataka Bank Through API-led Integration
Digital Transformation for Karnataka Bank Through API-led Integration
 
[API Word 2021] - Quantum Duality of “API as a Business and a Technology”
[API Word 2021] - Quantum Duality of “API as a Business and a Technology”[API Word 2021] - Quantum Duality of “API as a Business and a Technology”
[API Word 2021] - Quantum Duality of “API as a Business and a Technology”
 
Streaming Visualization
Streaming VisualizationStreaming Visualization
Streaming Visualization
 

Mehr von Tatsuo Kudo

Apigee の FAPI & CIBA 対応を実現する「Authlete (オースリート)」
Apigee の FAPI & CIBA 対応を実現する「Authlete (オースリート)」Apigee の FAPI & CIBA 対応を実現する「Authlete (オースリート)」
Apigee の FAPI & CIBA 対応を実現する「Authlete (オースリート)」Tatsuo Kudo
 
金融APIセキュリティの動向・事例と今後の方向性
金融APIセキュリティの動向・事例と今後の方向性金融APIセキュリティの動向・事例と今後の方向性
金融APIセキュリティの動向・事例と今後の方向性Tatsuo Kudo
 
Client Initiated Backchannel Authentication (CIBA) and Authlete’s Approach
Client Initiated Backchannel Authentication (CIBA) and Authlete’s ApproachClient Initiated Backchannel Authentication (CIBA) and Authlete’s Approach
Client Initiated Backchannel Authentication (CIBA) and Authlete’s ApproachTatsuo Kudo
 
銀行 API における OAuth 2.0 / FAPI の動向 #openid #bizday
銀行 API における OAuth 2.0 / FAPI の動向 #openid #bizday銀行 API における OAuth 2.0 / FAPI の動向 #openid #bizday
銀行 API における OAuth 2.0 / FAPI の動向 #openid #bizdayTatsuo Kudo
 
いまどきの OAuth / OpenID Connect (OIDC) 一挙おさらい (2020 年 2 月) #authlete
いまどきの OAuth / OpenID Connect (OIDC) 一挙おさらい (2020 年 2 月) #authleteいまどきの OAuth / OpenID Connect (OIDC) 一挙おさらい (2020 年 2 月) #authlete
いまどきの OAuth / OpenID Connect (OIDC) 一挙おさらい (2020 年 2 月) #authleteTatsuo Kudo
 
Authlete: セキュアな金融 API 基盤の実現と Google Cloud の活用 #gc_inside
Authlete: セキュアな金融 API 基盤の実現と Google Cloud の活用 #gc_insideAuthlete: セキュアな金融 API 基盤の実現と Google Cloud の活用 #gc_inside
Authlete: セキュアな金融 API 基盤の実現と Google Cloud の活用 #gc_insideTatsuo Kudo
 
Financial-grade API Hands-on with Authlete
Financial-grade API Hands-on with AuthleteFinancial-grade API Hands-on with Authlete
Financial-grade API Hands-on with AuthleteTatsuo Kudo
 
英国オープンバンキング技術仕様の概要
英国オープンバンキング技術仕様の概要英国オープンバンキング技術仕様の概要
英国オープンバンキング技術仕様の概要Tatsuo Kudo
 
オープン API と Authlete のソリューション
オープン API と Authlete のソリューションオープン API と Authlete のソリューション
オープン API と Authlete のソリューションTatsuo Kudo
 
OAuth / OpenID Connect (OIDC) の最新動向と Authlete のソリューション
OAuth / OpenID Connect (OIDC) の最新動向と Authlete のソリューションOAuth / OpenID Connect (OIDC) の最新動向と Authlete のソリューション
OAuth / OpenID Connect (OIDC) の最新動向と Authlete のソリューションTatsuo Kudo
 
FAPI (Financial-grade API) and CIBA (Client Initiated Backchannel Authenticat...
FAPI (Financial-grade API) and CIBA (Client Initiated Backchannel Authenticat...FAPI (Financial-grade API) and CIBA (Client Initiated Backchannel Authenticat...
FAPI (Financial-grade API) and CIBA (Client Initiated Backchannel Authenticat...Tatsuo Kudo
 
#OAuth Security Workshop 2019 Recap @ #Authlete Partner Meetup Spring 2019
#OAuth Security Workshop 2019 Recap @ #Authlete Partner Meetup Spring 2019#OAuth Security Workshop 2019 Recap @ #Authlete Partner Meetup Spring 2019
#OAuth Security Workshop 2019 Recap @ #Authlete Partner Meetup Spring 2019Tatsuo Kudo
 
CIBA (Client Initiated Backchannel Authentication) の可能性 #authlete #api #oauth...
CIBA (Client Initiated Backchannel Authentication) の可能性 #authlete #api #oauth...CIBA (Client Initiated Backchannel Authentication) の可能性 #authlete #api #oauth...
CIBA (Client Initiated Backchannel Authentication) の可能性 #authlete #api #oauth...Tatsuo Kudo
 
Japan/UK Open Banking and APIs Summit 2018 TOI
Japan/UK Open Banking and APIs Summit 2018 TOIJapan/UK Open Banking and APIs Summit 2018 TOI
Japan/UK Open Banking and APIs Summit 2018 TOITatsuo Kudo
 
アイデンティティ (ID) 技術の最新動向とこれから
アイデンティティ (ID) 技術の最新動向とこれからアイデンティティ (ID) 技術の最新動向とこれから
アイデンティティ (ID) 技術の最新動向とこれからTatsuo Kudo
 
OAuth / OpenID Connectを中心とするAPIセキュリティについて #yuzawaws
OAuth / OpenID Connectを中心とするAPIセキュリティについて #yuzawawsOAuth / OpenID Connectを中心とするAPIセキュリティについて #yuzawaws
OAuth / OpenID Connectを中心とするAPIセキュリティについて #yuzawawsTatsuo Kudo
 
OAuth Security Workshop 2017 #osw17
OAuth Security Workshop 2017 #osw17OAuth Security Workshop 2017 #osw17
OAuth Security Workshop 2017 #osw17Tatsuo Kudo
 
「金融API向けOAuth」にみるOAuthプロファイリングの実際 #secjaws #finsecjaws01 #oauth #oidc #api
「金融API向けOAuth」にみるOAuthプロファイリングの実際 #secjaws #finsecjaws01 #oauth #oidc #api「金融API向けOAuth」にみるOAuthプロファイリングの実際 #secjaws #finsecjaws01 #oauth #oidc #api
「金融API向けOAuth」にみるOAuthプロファイリングの実際 #secjaws #finsecjaws01 #oauth #oidc #apiTatsuo Kudo
 
APIdays Australia 2017 TOI #APIdaysAU
APIdays Australia 2017 TOI #APIdaysAUAPIdays Australia 2017 TOI #APIdaysAU
APIdays Australia 2017 TOI #APIdaysAUTatsuo Kudo
 
利用者本位のAPI提供に向けたアイデンティティ (ID) 標準仕様の動向
利用者本位のAPI提供に向けたアイデンティティ (ID) 標準仕様の動向利用者本位のAPI提供に向けたアイデンティティ (ID) 標準仕様の動向
利用者本位のAPI提供に向けたアイデンティティ (ID) 標準仕様の動向Tatsuo Kudo
 

Mehr von Tatsuo Kudo (20)

Apigee の FAPI & CIBA 対応を実現する「Authlete (オースリート)」
Apigee の FAPI & CIBA 対応を実現する「Authlete (オースリート)」Apigee の FAPI & CIBA 対応を実現する「Authlete (オースリート)」
Apigee の FAPI & CIBA 対応を実現する「Authlete (オースリート)」
 
金融APIセキュリティの動向・事例と今後の方向性
金融APIセキュリティの動向・事例と今後の方向性金融APIセキュリティの動向・事例と今後の方向性
金融APIセキュリティの動向・事例と今後の方向性
 
Client Initiated Backchannel Authentication (CIBA) and Authlete’s Approach
Client Initiated Backchannel Authentication (CIBA) and Authlete’s ApproachClient Initiated Backchannel Authentication (CIBA) and Authlete’s Approach
Client Initiated Backchannel Authentication (CIBA) and Authlete’s Approach
 
銀行 API における OAuth 2.0 / FAPI の動向 #openid #bizday
銀行 API における OAuth 2.0 / FAPI の動向 #openid #bizday銀行 API における OAuth 2.0 / FAPI の動向 #openid #bizday
銀行 API における OAuth 2.0 / FAPI の動向 #openid #bizday
 
いまどきの OAuth / OpenID Connect (OIDC) 一挙おさらい (2020 年 2 月) #authlete
いまどきの OAuth / OpenID Connect (OIDC) 一挙おさらい (2020 年 2 月) #authleteいまどきの OAuth / OpenID Connect (OIDC) 一挙おさらい (2020 年 2 月) #authlete
いまどきの OAuth / OpenID Connect (OIDC) 一挙おさらい (2020 年 2 月) #authlete
 
Authlete: セキュアな金融 API 基盤の実現と Google Cloud の活用 #gc_inside
Authlete: セキュアな金融 API 基盤の実現と Google Cloud の活用 #gc_insideAuthlete: セキュアな金融 API 基盤の実現と Google Cloud の活用 #gc_inside
Authlete: セキュアな金融 API 基盤の実現と Google Cloud の活用 #gc_inside
 
Financial-grade API Hands-on with Authlete
Financial-grade API Hands-on with AuthleteFinancial-grade API Hands-on with Authlete
Financial-grade API Hands-on with Authlete
 
英国オープンバンキング技術仕様の概要
英国オープンバンキング技術仕様の概要英国オープンバンキング技術仕様の概要
英国オープンバンキング技術仕様の概要
 
オープン API と Authlete のソリューション
オープン API と Authlete のソリューションオープン API と Authlete のソリューション
オープン API と Authlete のソリューション
 
OAuth / OpenID Connect (OIDC) の最新動向と Authlete のソリューション
OAuth / OpenID Connect (OIDC) の最新動向と Authlete のソリューションOAuth / OpenID Connect (OIDC) の最新動向と Authlete のソリューション
OAuth / OpenID Connect (OIDC) の最新動向と Authlete のソリューション
 
FAPI (Financial-grade API) and CIBA (Client Initiated Backchannel Authenticat...
FAPI (Financial-grade API) and CIBA (Client Initiated Backchannel Authenticat...FAPI (Financial-grade API) and CIBA (Client Initiated Backchannel Authenticat...
FAPI (Financial-grade API) and CIBA (Client Initiated Backchannel Authenticat...
 
#OAuth Security Workshop 2019 Recap @ #Authlete Partner Meetup Spring 2019
#OAuth Security Workshop 2019 Recap @ #Authlete Partner Meetup Spring 2019#OAuth Security Workshop 2019 Recap @ #Authlete Partner Meetup Spring 2019
#OAuth Security Workshop 2019 Recap @ #Authlete Partner Meetup Spring 2019
 
CIBA (Client Initiated Backchannel Authentication) の可能性 #authlete #api #oauth...
CIBA (Client Initiated Backchannel Authentication) の可能性 #authlete #api #oauth...CIBA (Client Initiated Backchannel Authentication) の可能性 #authlete #api #oauth...
CIBA (Client Initiated Backchannel Authentication) の可能性 #authlete #api #oauth...
 
Japan/UK Open Banking and APIs Summit 2018 TOI
Japan/UK Open Banking and APIs Summit 2018 TOIJapan/UK Open Banking and APIs Summit 2018 TOI
Japan/UK Open Banking and APIs Summit 2018 TOI
 
アイデンティティ (ID) 技術の最新動向とこれから
アイデンティティ (ID) 技術の最新動向とこれからアイデンティティ (ID) 技術の最新動向とこれから
アイデンティティ (ID) 技術の最新動向とこれから
 
OAuth / OpenID Connectを中心とするAPIセキュリティについて #yuzawaws
OAuth / OpenID Connectを中心とするAPIセキュリティについて #yuzawawsOAuth / OpenID Connectを中心とするAPIセキュリティについて #yuzawaws
OAuth / OpenID Connectを中心とするAPIセキュリティについて #yuzawaws
 
OAuth Security Workshop 2017 #osw17
OAuth Security Workshop 2017 #osw17OAuth Security Workshop 2017 #osw17
OAuth Security Workshop 2017 #osw17
 
「金融API向けOAuth」にみるOAuthプロファイリングの実際 #secjaws #finsecjaws01 #oauth #oidc #api
「金融API向けOAuth」にみるOAuthプロファイリングの実際 #secjaws #finsecjaws01 #oauth #oidc #api「金融API向けOAuth」にみるOAuthプロファイリングの実際 #secjaws #finsecjaws01 #oauth #oidc #api
「金融API向けOAuth」にみるOAuthプロファイリングの実際 #secjaws #finsecjaws01 #oauth #oidc #api
 
APIdays Australia 2017 TOI #APIdaysAU
APIdays Australia 2017 TOI #APIdaysAUAPIdays Australia 2017 TOI #APIdaysAU
APIdays Australia 2017 TOI #APIdaysAU
 
利用者本位のAPI提供に向けたアイデンティティ (ID) 標準仕様の動向
利用者本位のAPI提供に向けたアイデンティティ (ID) 標準仕様の動向利用者本位のAPI提供に向けたアイデンティティ (ID) 標準仕様の動向
利用者本位のAPI提供に向けたアイデンティティ (ID) 標準仕様の動向
 

Kürzlich hochgeladen

Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作ys8omjxb
 
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170Sonam Pathan
 
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012rehmti665
 
Git and Github workshop GDSC MLRITM
Git and Github workshop GDSC MLRITMGit and Github workshop GDSC MLRITM
Git and Github workshop GDSC MLRITMgdsc13
 
Magic exist by Marta Loveguard - presentation.pptx
Magic exist by Marta Loveguard - presentation.pptxMagic exist by Marta Loveguard - presentation.pptx
Magic exist by Marta Loveguard - presentation.pptxMartaLoveguard
 
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书rnrncn29
 
Contact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New DelhiContact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New Delhimiss dipika
 
PHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 DocumentationPHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 DocumentationLinaWolf1
 
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)Christopher H Felton
 
Elevate Your Business with Our IT Expertise in New Orleans
Elevate Your Business with Our IT Expertise in New OrleansElevate Your Business with Our IT Expertise in New Orleans
Elevate Your Business with Our IT Expertise in New Orleanscorenetworkseo
 
Blepharitis inflammation of eyelid symptoms cause everything included along w...
Blepharitis inflammation of eyelid symptoms cause everything included along w...Blepharitis inflammation of eyelid symptoms cause everything included along w...
Blepharitis inflammation of eyelid symptoms cause everything included along w...Excelmac1
 
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一Fs
 
Intellectual property rightsand its types.pptx
Intellectual property rightsand its types.pptxIntellectual property rightsand its types.pptx
Intellectual property rightsand its types.pptxBipin Adhikari
 
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书zdzoqco
 
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)Dana Luther
 
Q4-1-Illustrating-Hypothesis-Testing.pptx
Q4-1-Illustrating-Hypothesis-Testing.pptxQ4-1-Illustrating-Hypothesis-Testing.pptx
Q4-1-Illustrating-Hypothesis-Testing.pptxeditsforyah
 
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一Fs
 
Film cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasaFilm cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasa494f574xmv
 

Kürzlich hochgeladen (20)

Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
 
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
 
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
 
Git and Github workshop GDSC MLRITM
Git and Github workshop GDSC MLRITMGit and Github workshop GDSC MLRITM
Git and Github workshop GDSC MLRITM
 
Magic exist by Marta Loveguard - presentation.pptx
Magic exist by Marta Loveguard - presentation.pptxMagic exist by Marta Loveguard - presentation.pptx
Magic exist by Marta Loveguard - presentation.pptx
 
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
 
Contact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New DelhiContact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New Delhi
 
PHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 DocumentationPHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 Documentation
 
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
 
Elevate Your Business with Our IT Expertise in New Orleans
Elevate Your Business with Our IT Expertise in New OrleansElevate Your Business with Our IT Expertise in New Orleans
Elevate Your Business with Our IT Expertise in New Orleans
 
Blepharitis inflammation of eyelid symptoms cause everything included along w...
Blepharitis inflammation of eyelid symptoms cause everything included along w...Blepharitis inflammation of eyelid symptoms cause everything included along w...
Blepharitis inflammation of eyelid symptoms cause everything included along w...
 
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
 
Intellectual property rightsand its types.pptx
Intellectual property rightsand its types.pptxIntellectual property rightsand its types.pptx
Intellectual property rightsand its types.pptx
 
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
 
Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
 
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
 
young call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Service
young call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Serviceyoung call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Service
young call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Service
 
Q4-1-Illustrating-Hypothesis-Testing.pptx
Q4-1-Illustrating-Hypothesis-Testing.pptxQ4-1-Illustrating-Hypothesis-Testing.pptx
Q4-1-Illustrating-Hypothesis-Testing.pptx
 
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
 
Film cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasaFilm cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasa
 

Trends in Banking APIs

  • 1. Financial APIs Workshop - Japan/UK Open Banking and APIs Summit 2018 Trends in Banking APIs Tatsuo Kudo
  • 2. Preface • A couple of standardization efforts on banking APIs are emerging around the world, especially in Europe. This presentation summarizes how such standards define API access authorization and gives insights on future directions. 2
  • 3. About me • Tatsuo Kudo https://www.linkedin.com/in/tatsuokudo – Sun Microsystems (1998-2008) – Nomura Research Institute (2008-2018) – OpenID Foundation Japan (2013-2014) – NRI SecureTechnologies (2014-2018) – Authlete (2018-) • VP of Solution Strategy 3
  • 4. What are ”Banking APIs?” • They vary, such as: – Providing “Open Data” (e.g. branch location) – White-labeled banking services (e.g. “Bank as a Service”) – Providing bank accounts’ information and accepting transaction requests based on end-user consent 371 APIs are listed in Banking category Source: https://www.programmableweb.com/category/banking 4
  • 5. Leveraging “OAuth 2.0” in Banking APIs • The framework is often utilized to enable API access authorization with customer’s consent 5 Actors in “OAuth 2.0” and a typical authorization flow Source: https://www.slideshare.net/tkudo/api-meetup-oauth
  • 6. Who Defines Banking APIs • Bank defines its own spec • Industry groups and consortia define common spec • (Vendor defines its proprietary spec) 6 • Open Banking UK • Berlin Group NextGenPSD2 • Polish Bank Association • Slovak Banking Association • (France Stet)
  • 7. Open Banking UK • FAPI Part 2 • Client Credentials Grant Type (OAuth 2.0) / OIDC Hybrid Flow • Request Object • Mutual TLS 7 Source: Open Banking Security Profile - Implementer's Draft v1.1.2 https://openbanking.atlassian.net/wiki/spaces/DZ/pages/83919096/Open+Banking+Security+Profile+-+Implementer+s+Draft+v1.1.2
  • 8. Open Banking UK Account Information 1. PSU (Payment Service User) allows AISP (Account Information Service Provider) to make a request 2. AISP sends the request to ASPSP (Account Servicing Payment Service Provider) using POST /account-resource (Mutual TLS, Client Credentials Grant Type) 3. ASPSP provides PISP with “AccountRequestId” 4. AISP creates a Request Object that contains AccountRequestId and send it to ASPSP as authorization request (OIDC Hybrid Flow) 5. ASPSP authenticates PSU 6. ASPSP provides AISP with authorization code 7. AISP sends the code to ASPSP to obtain access token (Mutual TLS) 8. AISP sends a request using GET /accounts with the access token (Mutual TLS) 8 Source: Account and Transaction API - v2.0.0 https://openbanking.atlassian.net/wiki/spaces/DZ/pages/127009546/Account+and+ Transaction+API+Specification+-+v2.0.0
  • 9. Open Banking UK Payment Initiation 1. PSU allows PISP (Payment Initiation Service Provider) to make a payment initiation request 2. PISP sends the request to ASPSP using POST /payments (Mutual TLS, Client Credentials Grant Type) 3. ASPSP provides PISP with ”PaymentId” 4. PISP creates a Request Object that contains PaymentId and send it to ASPSP as authorization request (OIDC Hybrid Flow) 5. ASPSP authenticates PSU 6. ASPSP provides PISP with authorization code 7. PISP sends the code to ASPSP to obtain access token (Mutual TLS) 8. PISP sends a request using POST /payment-submissions with the access token (Mutual TLS) 9. PISP optionally retrieves the status of a payment setup or submission 9 Source: Payment Initiation API - v1.1.0 https://openbanking.atlassian.net/wiki/spaces/DZ/pages/5786479/Payment+Initiation+API+Specification+-+v1.1.0
  • 10. Other Payment Initiation with OIDC Hybrid Flow Example • Slovak Banking API Standard – Like OB UK, PISP obtains identifier of payment (orderId) from ASPSP, puts it in Request Object and invokes authorization request 10 Source: Slovak Banking API Standard Version 1.1 http://www.sbaonline.sk/files/subory/projekty/sbas/sbas_ver1.1-final.pdf
  • 11. Other Payment Initiation with OIDC Hybrid Flow Example • MKB in Hungary – Utilizes Open Banking UK Security Profile – Like OB UK, PISP obtains identifier of payment (openbanking_intent_id) from ASPSP, puts it in Request Object and invokes authorization request 11 Source: Account and Transaction API Specification https://portal.sandbox.mkb.hu/api-documentation/account-info
  • 12. Berlin Group “NextGenPSD2” • The spec defines four authn/authz flows in general – Redirect SCA Approach – OAuth2 SCA Approach – Decoupled SCA Approach – Embedded SCA Approach 12
  • 13. Berlin Group “NextGenPSD2” Redirect / OAuth2 SCA Approach • PSU is redirected to ASPSP to confirm consent • “OAuth2” is a variant of Redirect – Redirection location is dynamically determined with Authorization Server Metadata 13 Source: NextGenPSD2 XS2A Framework Implementation Guidelines Version 1.1 https://docs.wixstatic.com/ugd/c2914b_5351b289bf844c6881e46ee3561d95bb.pdf
  • 14. Berlin Group “NextGenPSD2” Decoupled SCA Approach • ASPSP confirms consent from PSU through a path bypassing PISP/AISP 14 Source: NextGenPSD2 XS2A Framework Implementation Guidelines Version 1.1 https://docs.wixstatic.com/ugd/c2914b_5351b289bf844c6881e46ee3561d95bb.pdf
  • 15. Berlin Group “NextGenPSD2” Embedded SCA Approach • ASPSP confirms consent from PSU through PISP/AISP 15 Source: NextGenPSD2 XS2A Framework Implementation Guidelines Version 1.1 https://docs.wixstatic.com/ugd/c2914b_5351b289bf844c6881e46ee3561d95bb.pdf
  • 16. Berlin Group “NextGenPSD2” Relation with OAuth 2.0 • The framework is positioned as “Optional Usage” • PISP/AISP eventually obtains access token from ASPSP as a result of “pre-step” and/or doing OAuth SCA Approach, and calls API (XS2A interface) with the token 16
  • 17. Other Decoupled Authentication Example • Poland “PolishAPI” • Different approach from NextGenPSD2 – Utilizes OAuth 2.0 Authorization Code grant – TPP (Third-Party Provider) sends output from EAT (External Authorization Tool) to ASPSP 17 Source: PolishAPI Verison 2.0 https://docs.polishapi.org/files/ver2.0/PolishAPI-spec-v2.0-EN.pdf
  • 18. Other Decoupled Authentication Example • France “STET” • Resource Owner Password Grant – AISP/PISP asks PSU to provide result of Strong Customer Authentication done by ASPSP, and send it to the ASPSP as “Password” 18 Source: PolishAPI Verison 2.0 https://www.stet.eu/assets/files/PSD2/1_3/API_DSP2_STET_V1_3.pdf
  • 19. Conclusion • A flow of “intent” – TPP sends an intent to ASPSP using POST, crafts Request Object that contains identifier of the intent and makes an authorization request – is becoming a common practice. It is not only Open Banking UK but also other standardization initiatives • Mutual TLS authentication between TPP and ASPSP is a must • “Embedded” vs “Decoupled” 19