
FAPI / Open Banking Conformance #fapisum - Japan/UK Open Banking and APIs Summit 2018 - July 24, 2018

By Joseph Heenan (FinTechLabs.io)

FAPI/Open Banking Conformance
Joseph Heenan, CTO
July 2018
What we’re going to cover today
• FAPI/Open Banking Conformance suite overview
• Conformance suite demo
• "Tips and Tricks" for successful conformance
24th July 2018 Joseph Heenan, CTO, fintechlabs.io 2
Who am I?
• Joseph Heenan, CTO at fintechlabs & Senior Architect at Authlete
• Software engineer & architect with over 25 years’ experience
• Active contributor to the OpenID Connect FAPI specifications
• Team lead/product owner on the Open Banking Conformance Suite
• Assisted many of the largest UK (CMA9) banks with achieving compliance to the UK OpenBanking specification
Conformance Suite Overview
• Tests compliance to:
• OpenBanking UK Security Profile
• FAPI (Financial-Grade API profile for OpenID Connect)
• HEART (Health-related profile OpenID Connect)
• As part of the above, also tests some (but not all) OpenID Connect & OAuth2
• Tests are applicable to:
• IdP (identity provider – i.e. Banks / ASPSP)
• RP (relying party – i.e. Fintechs / TPP / AISP / PISP)
Why would you use conformance suite?
• Reduced support costs
• If your implementation is interoperable it will “just work” for third parties
• Evidence of compliance to show government regulators
• Evidence of compliance may reduce insurance costs, chances of security breach, etc.
• It will be embarrassing if other people test your server & you fail
• Anyone can test a server
Conformance Suite Design Goals
• Multi-party protocol testing
• Structured configuration
• Structured logging and results
• Deterministic, modular execution units
• Protect sensitive configuration and results data
• Transparent process
• Usable as part of CI

  • 7. Overview of test process for banks • Prepare test deployment of your server • Must be accessible to the conformance suite • Create keys & TLS certificates • Register necessary clients to authorization server • Create conformance suite configuration using frontend • Read the instructions if you are not sure how • Create “test plan” applicable to your configuration • Start test plan • Start each test module within the plan, one at a time • Login to authorization server when instructed • View results and confirm “PASS”. 24th July 2018 Joseph Heenan, CTO, fintechlabs.io 7
  • 8. Conformance suite demo (video) 24th July 2018 Joseph Heenan, CTO, fintechlabs.io 8
  • 9. Tips & tricks for successful FAPI deployment 24th July 2018 Joseph Heenan, CTO, fintechlabs.io 9
  • 10. Before you even start • Is OpenId Connect/FAPI part of your core competency? • Is it part of your value add? For fintechs, the answer is usually NO! Don’t reinvent the wheel – use existing OpenID Connect client libraries 24th July 2018 Joseph Heenan, CTO, fintechlabs.io 10
  • 11. Conformance testing is not an afterthought • Run conformance testing early and often • Conformance test suite will help you • Be secure • Be inter-operable • Conformance testing is the easy route to interoperability • Banks generally return confusing or unhelpful error messages • Banks often tolerate incorrect implementations – but not consistently • Conformance testing can be part of your Continuous Integration 24th July 2018 Joseph Heenan, CTO, fintechlabs.io 11
  • 12. Problems banks had in the UK (1) • Using software that was not OpenID Connect certified • Required a lot of last minute changes from their vendors • They missed government mandated “go live” date • Large number of certified vendors available – use one! 24th July 2018 Joseph Heenan, CTO, fintechlabs.io 12
  • 13. Problems banks had in the UK (2) • Not running conformance suite till development complete • Required a lot of last minute changes from their vendors and their own software teams • They missed government mandated “go live” date • Run conformance suite often during development! • It can be deployed locally & integrated with your continuous integration system 24th July 2018 Joseph Heenan, CTO, fintechlabs.io 13
  • 14. Problems banks had in the UK (3) • Staffing teams with generic engineers & testers • OAuth2, OpenID Connect & FAPI have some complexity • Dependency on underlying RFCs – JWT, HTTP/1.1, TLS, etc. • Some domain knowledge is essential • Without knowledge, profile compliance and conformance testing will be slow • Hire some experts for both development & test teams • Many competentconsultants available, including fintechlabs 24th July 2018 Joseph Heenan, CTO, fintechlabs.io 14
  • 15. Problems banks had in the UK (4) • Poor security architectures • Some banks designed their architectures,then tried to retrofit FAPI • If you change your implementation to not be standardscompliant, you will fail conformance testing! • Example: trying to change token_endpoint in .well-known/openid- configuration to an array • Hire some experts for architecture teams • Many competentconsultants available, including fintechlabs 24th July 2018 Joseph Heenan, CTO, fintechlabs.io 15
  • 16. Problems banks had in the UK (5) • Not reading instructions • Surprising number of banks simply ignore the single page documentation • RTFM! • It’ll be much faster - honest 24th July 2018 Joseph Heenan, CTO, fintechlabs.io 16
  • 17. Problems banks had in the UK (6) • Not designing for interoperability • Security teams in many banks have a “send exactly what we say or your request will fail” approach • This isn’t compatible with open standards • E.g. in HTTP/1.1, charset is case insensitive, banks must accept both: • Accept: application/json; charset=utf-8 • Accept: application/json; charset=UTF-8 • Requires a mindset change in the security team • Low friction interoperable APIs and ecosystemsare important 24th July 2018 Joseph Heenan, CTO, fintechlabs.io 17
  • 18. The End • Source code etc publicly available on gitlab: https://gitlab.com/fintechlabs/fapi-conformance-suite/ • Production deployment: http://fintechlabs-fapi-conformance-suite.fintechlabs.io/ (Login with any google account) • Open Source - contributions welcome, please ask if you’re like to help 24th July 2018 Joseph Heenan, CTO, fintechlabs.io 18
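Slide 15's example (token_endpoint changed to an array) can be caught before a conformance run with a shape check on the discovery document. The following is an added example, not part of the slides or of the conformance suite's code; the field lists follow OpenID Connect Discovery 1.0, and the sample documents and the host bank.example are constructed placeholders.

```python
import json
from urllib.parse import urlsplit

# Metadata that OpenID Connect Discovery 1.0 defines as a single URL string.
# Assumption: the server supports a code or hybrid flow, so token_endpoint is required.
URL_FIELDS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")
# Metadata the same specification defines as a JSON array of strings.
ARRAY_FIELDS = ("response_types_supported", "subject_types_supported",
                "id_token_signing_alg_values_supported")


def check_discovery(raw_json):
    """Return a list of type/shape problems; an empty list means none found."""
    doc = json.loads(raw_json)
    problems = []
    for field in URL_FIELDS:
        value = doc.get(field)
        if value is None:
            problems.append(f"{field}: missing")
        elif not isinstance(value, str):
            problems.append(f"{field}: must be a single URL string, got {type(value).__name__}")
        else:
            url = urlsplit(value)
            if url.scheme != "https" or not url.netloc:
                problems.append(f"{field}: must be an https URL")
    for field in ARRAY_FIELDS:
        value = doc.get(field)
        if not isinstance(value, list) or not all(isinstance(v, str) for v in value):
            problems.append(f"{field}: must be an array of strings")
    return problems


# Constructed sample documents (bank.example is a placeholder host).
CONFORMANT = json.dumps({
    "issuer": "https://bank.example",
    "authorization_endpoint": "https://bank.example/authorize",
    "token_endpoint": "https://bank.example/token",
    "jwks_uri": "https://bank.example/jwks",
    "response_types_supported": ["code id_token"],
    "subject_types_supported": ["public"],
    "id_token_signing_alg_values_supported": ["PS256"],
})
# The retrofit from slide 15: token_endpoint turned into an array.
RETROFITTED = json.dumps({**json.loads(CONFORMANT),
    "token_endpoint": ["https://a.bank.example/token", "https://b.bank.example/token"]})

if __name__ == "__main__":
    for name, raw in (("conformant", CONFORMANT), ("retrofitted", RETROFITTED)):
        print(name, check_discovery(raw) or "no problems found")
```

A check like this only covers the document's shape; it does not replace running the conformance suite itself.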
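Slide 17's charset point, shown as an added example (not code from the slides or the conformance suite): a byte-for-byte comparison of the Accept header beside a check that parses the header and compares the case-insensitive parts case-insensitively. The function names and the sample headers beyond the two on the slide are constructed for illustration.

```python
def parse_media_range(media_range):
    """Return (type/subtype, params) with case-insensitive parts lower-cased."""
    pieces = [p.strip() for p in media_range.split(";")]
    media_type = pieces[0].lower()          # type and subtype are case-insensitive
    params = {}
    for piece in pieces[1:]:
        name, sep, value = piece.partition("=")
        if not sep:
            continue                        # ignore a malformed parameter
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]             # charset="UTF-8" is also legal
        params[name.strip().lower()] = value
    return media_type, params


def strict_accepts_json(accept):
    """The brittle check: byte-for-byte comparison with one spelling."""
    return accept == "application/json; charset=utf-8"


def tolerant_accepts_json(accept):
    """True if any media range admits JSON in UTF-8 (q=0 means 'not acceptable')."""
    # Simplification: splits on "," and ";" without handling quoted separators.
    for media_range in accept.split(","):
        media_type, params = parse_media_range(media_range)
        if media_type not in ("application/json", "application/*", "*/*"):
            continue
        try:
            quality = float(params.get("q", "1"))
        except ValueError:
            continue
        # Charset names are case-insensitive; with none given, JSON is UTF-8.
        charset = params.get("charset", "utf-8").lower()
        if quality > 0 and charset == "utf-8":
            return True
    return False


# Constructed sample headers: the two from the slide plus equivalent spellings.
SAMPLES = [
    "application/json; charset=utf-8",
    "application/json; charset=UTF-8",
    'Application/JSON;Charset="Utf-8"',
    "text/html, application/json;q=0.9",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(f"{header!r}: strict={strict_accepts_json(header)} "
              f"tolerant={tolerant_accepts_json(header)}")
```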