An update on the OpenID Foundation's FAPI Certification Program as presented at the OpenID Foundation Workshop, European Identity Conference, May 2019.
2. Joseph Heenan: FAPI Certification Program – May 2019 Update
Who Am I?
Joseph Heenan, CTO at fintechlabs.io
OpenID Certification Team member
Software engineer & architect with over 25 years’ experience
Active contributor to the OpenID Connect FAPI/MODRNA WG & specifications
Team lead/product owner on the Open Banking Security Profile Conformance Suite
Assisted many of the largest UK banks with achieving compliance with the OpenID specification
https://www.linkedin.com/in/josephheenan/
OIDF FAPI-RW Certification Program
OP testing launched 1st April 2019
o Two implementors certified on day 1 & several more close to certifying
RP testing in ‘pilot phase’
o RP Certification free until June 2019
Visit https://openid.net/certification/instructions/ for details
FAPI-RW Certification: Core goals
Interoperability
Security
Correct deployment of certified software
However:
Does not test all of OpenID Connect Core or OAuth
o ‘Pretty good’ coverage of the relevant parts though
o Run the Python OpenID Connect Core tests as well
Conformance Suite Design Goals
Multi-party protocol testing
Structured configuration
Structured logging and results
Separation of test logic & web frontend
Deterministic, modular execution units
Protect sensitive configuration and results data
Transparent process
Usable as part of CI
Major differences vs current certification suite
private_key_jwt client authentication
Mutual TLS client authentication
Signed request objects
Certificate Bound access tokens
Browser automation
API
Automated public regression test
Automated regression testing of all source code changes
Predictable fixed redirect URIs
Two registered clients are required (to verify certificate binding etc)
Resource server (with a trivial protected API) is required
Extensible to support further profiles
o e.g. the UK OpenBanking profile of FAPI
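As an added illustration (not code from the slides or from the conformance suite) of what the ‘Certificate Bound access tokens’ item and the required resource server imply: the RFC 8705 check a resource server performs, including the cross-client case that the second registered client exists to exercise (a token bound to one client's certificate must be rejected when presented over another client's mutual-TLS connection). The certificate bytes are constructed stand-ins for real DER-encoded certificates.

```python
import base64
import hashlib
import hmac
from typing import Optional

# Constructed stand-ins for the DER encoding of two registered clients' TLS
# certificates (a real resource server takes these bytes from the mTLS session).
CLIENT_A_CERT_DER = b"constructed-der-bytes-for-client-A"
CLIENT_B_CERT_DER = b"constructed-der-bytes-for-client-B"


def x5t_s256(cert_der: bytes) -> str:
    """RFC 8705 thumbprint: base64url(SHA-256(DER certificate)), no padding."""
    digest = hashlib.sha256(cert_der).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def issue_bound_token_claims(subject: str, cert_der: bytes) -> dict:
    """Claims a FAPI-RW authorization server places in a certificate-bound
    access token: a cnf (confirmation) claim with the client cert thumbprint."""
    return {
        "sub": subject,
        "scope": "accounts",
        "cnf": {"x5t#S256": x5t_s256(cert_der)},
    }


def check_certificate_binding(claims: dict, presented_cert_der: Optional[bytes]) -> bool:
    """Resource-server check: accept the token only if it is bound to the
    certificate the client actually presented on this mutual-TLS connection."""
    cnf = claims.get("cnf")
    if not isinstance(cnf, dict) or "x5t#S256" not in cnf:
        return False  # unbound (plain bearer) token where a bound one is required
    if presented_cert_der is None:
        return False  # no client certificate on the connection at all
    expected = cnf["x5t#S256"].encode("ascii")
    actual = x5t_s256(presented_cert_der).encode("ascii")
    return hmac.compare_digest(expected, actual)
```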
FAPI-RW: Help Wanted
Conformance suite has automated regression tests
Ensures that conformant implementations still pass the tests
We need access to conformant implementations!
o In return, our team will let you know about any potential non-compliances
Only 1 OP vendor has signed up for ‘continuous conformance’
RP testers also wanted
CIBA Certification
FAPI-CIBA OP tests
o Entering pilot phase imminently
o Spec still a little in flux
o Negative tests still being added
o Due to launch late June 2019
o Please email / talk to me if you have an implementation you’d like to test!
FAPI-CIBA RP tests
o Entering pilot phase July 2019
Other available tests
FAPI-R: Positive tests only
FAPI-RW-OB: FAPI-RW tests that register intent prior to authorization
o Intent registration APIs are specific to UK OB ecosystem
HEART: Some tests available
The certification program does not cover the above
Individual WGs should drive their tests & certification program
o Certification team can help/advise
o Fintechlabs.io can help
Current roadmap
June 2019: Full launch: FAPI-RW RP & FAPI-CIBA OP
July 2019: Pilot launch: FAPI-CIBA RP
September 2019: Full Launch: FAPI-CIBA RP
Later (TBC):
o CIBA core OP tests
o FAPI-JARM OP tests
Wrap up
Conformance Suite source code etc. is publicly available on GitLab:
https://gitlab.com/openid/conformance-suite
Contributions welcome!
Production deployment:
https://www.certification.openid.net/login.html
(Log in with any Google/GitLab/OpenID account)
Contact me if you’d like some help:
o joseph.heenan@oidf.org or certification@oidf.org
o https://twitter.com/josephheenan
Editor's Notes
EU regulators ask for conformance results as part of PSD2 compliance