Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

FAPI / Open Banking Conformance #fapisum - Japan/UK Open Banking and APIs Summit 2018 - July 24, 2018

1,048 views

Published on

By Joseph Heenan (FinTechLabs.io)

Published in: Internet
  • Be the first to comment

  • Be the first to like this

FAPI / Open Banking Conformance #fapisum - Japan/UK Open Banking and APIs Summit 2018 - July 24, 2018

  1. 1. FAPI/Open Banking Conformance Joseph Heenan, CTO July 2018
  2. 2. What we’re going to cover today •FAPI/Open Banking Conformance suite overview •Conformance suite demo •"Tips and Tricks" for successful conformance 24th July 2018 Joseph Heenan, CTO, fintechlabs.io 2
  3. 3. Who am I? • Joseph Heenan, CTO at fintechlabs & Senior Architect at Authlete • Software engineer & architect with over 25 years’ experience • Active contributor to the OpenID Connect FAPI specifications • Team lead/product owner on the Open Banking Conformance Suite • Assisted many of the largest UK (CMA9) banks with achieving compliance to the UK OpenBanking specification 24th July 2018 Joseph Heenan, CTO, fintechlabs.io 3
  4. 4. Conformance Suite Overview • Tests compliance to: • OpenBanking UK Security Profile • FAPI (Financial-Grade API profile for OpenID connect) • HEART (Health-related profile OpenID connect) • As part of above, also testssome (but not all) OpenID Connect & OAuth2 • Tests are applicable to: • IdP (identity provider – ie. Banks / ASPSP) • RP (relying party – ie. Fintechs / TPP / AISP / PISP) 24th July 2018 Joseph Heenan, CTO, fintechlabs.io 4
  5. 5. Why would you use conformance suite? • Reduced support costs • If your implementation is interoperable it will “just work” for third parties • Evidence of compliance to show government regulators • Evidence of compliance may reduce insurance costs, chances of security breach, etc • It will be embarrassing if other people test your server & you fail • Anyone can test a server 24th July 2018 Joseph Heenan, CTO, fintechlabs.io 5
  6. 6. Conformance Suite Design Goals • Multi-party protocol testing • Structured configuration • Structured logging and results • Deterministic, modular execution units • Protect sensitive configuration and results data • Transparent process • Usable as part of CI 24th July 2018 Joseph Heenan, CTO, fintechlabs.io 6
  7. 7. Overview of test process for banks • Prepare test deployment of your server • Must be accessible to the conformance suite • Create keys & TLS certificates • Register necessary clients to authorization server • Create conformance suite configuration using frontend • Read the instructions if you are not sure how • Create “test plan” applicable to your configuration • Start test plan • Start each test module within the plan, one at a time • Login to authorization server when instructed • View results and confirm “PASS”. 24th July 2018 Joseph Heenan, CTO, fintechlabs.io 7
  8. 8. Conformance suite demo (video) 24th July 2018 Joseph Heenan, CTO, fintechlabs.io 8
  9. 9. Tips & tricks for successful FAPI deployment 24th July 2018 Joseph Heenan, CTO, fintechlabs.io 9
  10. 10. Before you even start • Is OpenId Connect/FAPI part of your core competency? • Is it part of your value add? For fintechs, the answer is usually NO! Don’t reinvent the wheel – use existing OpenID Connect client libraries 24th July 2018 Joseph Heenan, CTO, fintechlabs.io 10
  11. 11. Conformance testing is not an afterthought • Run conformance testing early and often • Conformance test suite will help you • Be secure • Be inter-operable • Conformance testing is the easy route to interoperability • Banks generally return confusing or unhelpful error messages • Banks often tolerate incorrect implementations – but not consistently • Conformance testing can be part of your Continuous Integration 24th July 2018 Joseph Heenan, CTO, fintechlabs.io 11
  12. 12. Problems banks had in the UK (1) • Using software that was not OpenID Connect certified • Required a lot of last minute changes from their vendors • They missed government mandated “go live” date • Large number of certified vendors available – use one! 24th July 2018 Joseph Heenan, CTO, fintechlabs.io 12
  13. 13. Problems banks had in the UK (2) • Not running conformance suite till development complete • Required a lot of last minute changes from their vendors and their own software teams • They missed government mandated “go live” date • Run conformance suite often during development! • It can be deployed locally & integrated with your continuous integration system 24th July 2018 Joseph Heenan, CTO, fintechlabs.io 13
  14. 14. Problems banks had in the UK (3) • Staffing teams with generic engineers & testers • OAuth2, OpenID Connect & FAPI have some complexity • Dependency on underlying RFCs – JWT, HTTP/1.1, TLS, etc. • Some domain knowledge is essential • Without knowledge, profile compliance and conformance testing will be slow • Hire some experts for both development & test teams • Many competentconsultants available, including fintechlabs 24th July 2018 Joseph Heenan, CTO, fintechlabs.io 14
  15. 15. Problems banks had in the UK (4) • Poor security architectures • Some banks designed their architectures,then tried to retrofit FAPI • If you change your implementation to not be standardscompliant, you will fail conformance testing! • Example: trying to change token_endpoint in .well-known/openid- configuration to an array • Hire some experts for architecture teams • Many competentconsultants available, including fintechlabs 24th July 2018 Joseph Heenan, CTO, fintechlabs.io 15
  16. 16. Problems banks had in the UK (5) • Not reading instructions • Surprising number of banks simply ignore the single page documentation • RTFM! • It’ll be much faster - honest 24th July 2018 Joseph Heenan, CTO, fintechlabs.io 16
  17. 17. Problems banks had in the UK (6) • Not designing for interoperability • Security teams in many banks have a “send exactly what we say or your request will fail” approach • This isn’t compatible with open standards • E.g. in HTTP/1.1, charset is case insensitive, banks must accept both: • Accept: application/json; charset=utf-8 • Accept: application/json; charset=UTF-8 • Requires a mindset change in the security team • Low friction interoperable APIs and ecosystemsare important 24th July 2018 Joseph Heenan, CTO, fintechlabs.io 17
  18. 18. The End • Source code etc publicly available on gitlab: https://gitlab.com/fintechlabs/fapi-conformance-suite/ • Production deployment: http://fintechlabs-fapi-conformance-suite.fintechlabs.io/ (Login with any google account) • Open Source - contributions welcome, please ask if you’re like to help 24th July 2018 Joseph Heenan, CTO, fintechlabs.io 18

×