Public Review Period for “Financial API – Part 2: Read and Write API Security Profile” Started

OpenID Foundation’s Financial API (FAPI) Working Group recommends approval of the following specification as an OpenID Implementer’s Draft:

This document is Part 2 of a set of documents that specify a Financial API. It provides a profile of OAuth that is suitable for write access to financial data, also known as transactional access. To achieve this, this part specifies controls against attacks such as authorization request tampering, authorization response tampering (including code injection and state injection), token request phishing, etc.

An Implementer’s Draft is a stable version of a specification providing intellectual property protections to implementers of the specification. This note starts the 45-day public review period for the specification drafts in accordance with the OpenID Foundation IPR policies and procedures. Unless issues are identified during the review that the working group believes must be addressed by revising the drafts, this review period will be followed by a seven-day voting period during which OpenID Foundation members will vote on whether to approve these drafts as OpenID Implementer’s Drafts. For the convenience of members, voting will actually begin a week before the start of the official voting period.

The relevant dates are:

  • Implementer’s Draft public review period: 2017-06-01 to 2017-07-16 (45 days)
  • Implementer’s Draft vote announcement: 2017-07-03
  • Implementer’s Draft voting period: 2017-07-10 to 2017-07-24 (7 days)*

* Note: Pre-voting before the start of the formal voting will be allowed.

Comments are to be submitted to the FAPI working group issue tracker. You must sign an IPR Contribution Agreement for the FAPI working group to file issues. See for more details.

— Michael B. Jones – OpenID Foundation Board Secretary