FAPI Working Group - Specifications
FAPI is a general-purpose high-security API protection profile over OAuth. It has been adopted as nation-wide standard in many countries. FAPI WG is currently working on FAPI 2.0 suite of specifications.
FAPI Working Group
OVERVIEW
FAPI Working Group
CHARTER
FAPI Working Group
SPECIFICATIONS
FAPI Working Group
REPOSITORY
The working group has been developing the following specifications:
Final Specifications
- Financial-grade API Security Profile (FAPI) 1.0 – Part 1: Baseline – A secured OAuth profile that aims to provide specific implementation guidelines for security and interoperability.
- Financial-grade API Security Profile (FAPI) 1.0 – Part 2: Advanced – A highly secured OAuth profile that aims to provide specific implementation guidelines for security and interoperability.
- JWT Secured Authorization Response Mode for OAuth 2.0 (JARM) – This specification was created to bring some of the security features defined as part of OpenID Connect to OAuth 2.0
Implementer's Drafts
- FAPI: Client Initiated Backchannel Authentication (CIBA) Profile – FAPI CIBA is a profile of the OpenID Connect’s CIBA specification that supports the decoupled flow
– Most recent Implementer’s Draft - FAPI 2.0 Security Profile and Attacker Model – FAPI 2.0 has a broader scope than FAPI 1.0 as it aims for complete interoperability at the interface between client and authorization server as well as interoperable security mechanisms at the interface between client and resource server
– Most recent FAPI 2.0 Security Profile Implementer’s Draft
– Most recent Attacker Model Implementer’s Draft - Grant Management for OAuth 2.0 – This profile specifies a standards based approach to managing “grants” that represent the consent a data subject has given. It was born out of experience with the roll out of PSD2 and requirements in Australia
– Most recent Implementer’s Draft
Drafts
- FAPI 2.0: Message Signing – an extension of the baseline profile that provides non-repudiation for all exchanges including responses from resource servers
- FAPI 1.0 — Lodging Intent ===> Now OAuth PAR + OAuth RAR