FAPI / Open Banking Test Suite #fapisum - Japan/UK Open Banking and APIs Summ...FinTechLabs.io
This document describes a test suite for OAuth and OpenID Connect protocols. It discusses the need for conformance testing to ensure interoperability between authorization servers, clients, and protected resources. The test suite is designed to test the protocols in a multi-party manner using a structured configuration, logging, and modular execution units. It aims to test both normal and error cases to avoid a false sense of security from only testing happy paths. The architecture involves conditions, modules, plans, environments, and logging to API endpoints. The goal is to make the testing fully scriptable and transparent.
Trust Frameworks and Open Banking #fapisum - Japan/UK Open Banking and APIs S...FinTechLabs.io
RAiDiAM is a consulting firm focused on identity and regulatory challenges posed by open banking and PSD2. It provides business and technical consulting services using a modular and scalable identity architecture. RAiDiAM has experience delivering services to open banking organizations, financial institutions, and software vendors. The document discusses the changing landscape in financial services due to open banking and data privacy regulations in Europe and globally. It outlines the various actors in the ecosystem and proposes a trust framework using a hub-and-spoke topology to help establish identity and authorization between parties. The Open Banking Implementation Entity in the UK established a trust framework and directory based on this approach to facilitate standard interfaces and integration between authorized banks and third parties.
Issues towards Open Banking ecosystem and how OpenID Foundation tackles them ...FinTechLabs.io
The document discusses the work of the OpenID Foundation Financial API working group (FAPI WG) to develop standards for financial-grade APIs. It describes how the FAPI WG was formed in 2016 to address the lack of API protection standards and inconsistent request/response formats. The goal of the FAPI WG is to provide JSON schemas, REST specifications, and security recommendations to enable applications to access and interact with user financial data while protecting privacy and security. The document outlines the FAPI WG's draft specifications and approaches to address password sharing requirements in a way that does not compromise user security or privacy.
Open Banking: Lessons from the UK #fapisum - Japan/UK Open Banking and APIs S...FinTechLabs.io
The document discusses the implementation of Open Banking in the UK by the Open Banking Implementation Entity (OBIE). It provides the following key details:
- OBIE was set up by the UK Competition and Markets Authority (CMA) in 2016 to deliver the Open Banking API standards and ensure consistent implementation.
- OBIE has created standards for identity, reference data, APIs, and security to enable the development of an Open Banking ecosystem in the UK.
- The timeline for the rollout of the OBIE's Open Banking API specifications includes four versions, with the full scope of payments services to be included in version 3 from 2019.
- Challenges in implementation have included varying
FAPI / Open Banking Conformance #fapisum - Japan/UK Open Banking and APIs Sum...FinTechLabs.io
The document discusses FAPI/Open Banking conformance testing. It provides an overview of the conformance suite, including what it tests and its design goals. It then describes the test process for banks, demonstrates the conformance suite, and provides tips for successful FAPI deployment, including common problems banks faced in the UK and advice for running conformance testing early in development.
The Great British API Client Bake Off #fapisum - Japan/UK Open Banking and AP...FinTechLabs.io
This document discusses the author's experience building an integration with the UK's Open Banking Directory as the CTO of Moneyhub. It provides background on the author and Moneyhub, an overview of their road to using Open Banking APIs after previously screen scraping, details on onboarding to the Directory, how they built their integration using OpenID Connect and separating by financial institution, and lessons learned around the importance of verifiable conformance and not assuming banks have automated testing.
Authlete FAPI Implementation Part 1 #fapisum - Japan/UK Open Banking and APIs...FinTechLabs.io
This document discusses Authlete's semi-hosted approach to OAuth and API security. Authlete provides an API that customers can call from their own OAuth-speaking services to handle OAuth processing and management. The API allows customers to add new features to their services over time, such as PKCE, and supports various client authentication methods including mutual TLS with certificates. For mutual TLS, the customer validates the TLS connection but Authlete verifies the certificate to act as a trust anchor.
Open Banking UK “Identity Product” Internals #fapisum - Japan/UK Open Banking...FinTechLabs.io
The document discusses RAiDiAM and its Open Banking Identity product. It summarizes:
- RAiDiAM was created to help with identity challenges of Open Banking and PSD2 regulations. It provides consulting and modular/scalable identity architecture services.
- The Open Banking Directory was developed as a trust framework "hub" to enable secure transactions between authorized financial companies using standards like OAuth2 and OIDC.
- It describes the Directory's key components, onboarding process to issue credentials to companies, and role in later transactions to validate claims between financial entities.
Open Banking for Developers #fapisum - Japan/UK Open Banking and APIs Summit ...FinTechLabs.io
The document discusses Open Banking in the UK and the role of the Open Banking Implementation Entity (OBIE). OBIE was set up by the UK Competition and Markets Authority (CMA) to deliver the Open Banking API standards and security architecture. OBIE is working to create standards around identity, reference data, APIs, and security to build an ecosystem for developers and ensure consistent implementation across the largest UK banks. The presentation outlines Open Banking's timeline and versions, how the API flows work, and how developers can access specifications and test facilities.
7. Open Banking UK
• FAPI Part 2
• Client Credentials Grant Type (OAuth 2.0) / OIDC Hybrid
Flow
• Request Object
• Mutual TLS
7
Source: Open Banking Security Profile - Implementer's Draft v1.1.2
https://openbanking.atlassian.net/w iki/spaces/DZ/pages/83919096/Open+Banking+Security+Profile+-+Implementer+s+Draft+v1.1.2
8. Open Banking UK
口座情報等取得のフロー
1. PSU (Payment Service User) がAISP (Account
Information Service Provider) に情報取得開始を許可
2. AISPがASPSP (Account Servicing Payment Service
Provider) にPOST /account-resource
(Mutual TLS, Client Credentials Grant Type)
3. ASPSPがPISPに “AccountRequestId” を返却
4. AISPがAccountRequestIdを含む Request Objectを生成し
ASPSPに認可リクエスト
(OIDC Hybrid Flow)
5. ASPSPがPSUを認証
6. ASPSPがAISPに認可コードを返却
7. AISPがASPSPに認可コードを送信しアクセストークンを取得
(Mutual TLS)
8. AISPがアクセストークンを使ってGET /accounts
(Mutual TLS)
8
Source: Account and Transaction API - v2.0.0
https://openbanking.atlassian.net/w iki/spaces/DZ/pages/127009546/Account+and+
Transaction+API+Specification+-+v2.0.0
9. Open Banking UK
決済指示のフロー
1. PSUがPISP (Payment Initiation Service Provider) に決済指示
開始を許可
2. PISPがASPSPにPOST /payments
(Mutual TLS, Client Credentials Grant Type)
3. ASPSPがPISPに ”PaymentId” を返却
4. PISPが PaymentId を含む Request Objectを生成し、ASPSPに
認可リクエスト
(OIDC Hybrid Flow)
5. ASPSPがPSUを認証
6. ASPSPがPISPに認可コードを返却
7. PISPがASPSPに認可コードを送信しアクセストークンを取得
(Mutual TLS)
8. PISPがアクセストークンを使ってPOST /payment-submissions
(Mutual TLS)
9. Optionally retrieve the status of a payment setup or
submission
9
Source: Payment Initiation API - v1.1.0
https://openbanking.atlassian.net/w iki/spaces/DZ/pages/5786479/Payment+Initiation+API+Specification+-+v1.1.0
10. OIDC Hybrid Flowによる決済指示フローの例 (1)
• Slovak Banking API Standard
– OB UKと同様、PISPは決済のID (orderId) をASPSPから取得後、それをRequest Objectに格納し、認可
リクエストを開始する
10
Source: Slovak Banking API Standard Version 1.1 http://w ww.sbaonline.sk/files/subory/projekty/sbas/sbas_ver1.1-final.pdf
11. OIDC Hybrid Flowによる決済指示フローの例 (2)
• ハンガリー MKB銀行
– Open Banking UKのSecurity
Profileを活用
– OB UKと同様、PISPは決済の
ID (openbanking_intent_id)を
ASPSPから取得後、それを
RequestObjectに格納し、認可
リクエストを開始する
11
Source: Account and Transaction API Specification
https://portal.sandbox.mkb.hu/api-documentation/account-info
12. Berlin Group “NextGenPSD2”
• 認証・認可フローが大別して4種類ある
– Redirect SCAApproach
– OAuth2 SCAApproach
– Decoupled SCAApproach
– Embedded SCAApproach
12
13. Berlin Group “NextGenPSD2”
Redirect / OAuth2 SCA Approach
• PSUをASPSPにリダイレ
クトしてPSUの同意を確
認
• “OAuth2” はRedirectの
一種
– Authorization Server
Metadataを用いてリダイ
レクト先を動的に決定
13
Source: NextGenPSD2 XS2A Framew orkImplementation Guidelines Version 1.1
https://docs.wixstatic.com/ugd/c2914b_5351b289bf844c6881e46ee3561d95bb.pdf
14. Berlin Group “NextGenPSD2”
Decoupled SCA Approach
• ASPSPがPISP/AISPと
は別の経路を介して
PSUの同意を確認
14
Source: NextGenPSD2 XS2A Framew orkImplementation Guidelines Version 1.1
https://docs.wixstatic.com/ugd/c2914b_5351b289bf844c6881e46ee3561d95bb.pdf
15. Berlin Group “NextGenPSD2”
Embedded SCA Approach
• ASPSPがPISP/AISPを介して
PSUの同意を確認
15
Source: NextGenPSD2 XS2A Framew orkImplementation Guidelines Version 1.1
https://docs.wixstatic.com/ugd/c2914b_5351b289bf844c6881e46ee3561d95bb.pdf
16. Berlin Group “NextGenPSD2”
OAuth 2.0との関係
• “Optional Usage” という位置付け
• PISP/AISPは、“pre-step” の結果として、もしくはOAuth
SCA Approachを実行した結果として、ASPSPからアクセス
トークンを取得し、API (XS2A interface) を呼び出し
16