An update on the OpenID Foundation's FAPI Certification Program as presented at the OpenID Foundation Workshop, European Identity Conference, May 2019.

1. OpenID Foundation
FAPI Certification Program
May 2019 Update

2. Joseph Heenan: FAPI Certification Program – May 2019 Update
Who Am I?
 Joseph Heenan, CTO at fintechlabs.io
 OpenID Certification Team member
 Software engineer & architect with over 25 years’ experience
 Active contributor to the OpenID Connect FAPI/MODRNA WG & specifications
 Team lead/product owner on the Open Banking Security Profile Conformance Suite
 Assisted many of the largest UK banks with achieving compliance to the OpenID
specification
https://www.linkedin.com/in/josephheenan/

3. Joseph Heenan: FAPI Certification Program – May 2019 Update
OIDF FAPI-RW Certification Program
 OP testing launched 1st April 2019
o Two implementors certified on day 1 & several more close to certifying
 RP testing in ‘pilot phase’
oRP Certification free until June 2019
 Visit https://openid.net/certification/instructions/ for details

4. Joseph Heenan: FAPI Certification Program – May 2019 Update
FAPI-RW Certification: Core goals
 Interoperability
 Security
 Correct deployment of certified software
However:
 Does not test all of OpenID Connect Core or OAuth
o ‘Pretty good’ coverage of relevant parts though
o Run python OpenID Connect Core tests as well

5. Joseph Heenan: FAPI Certification Program – May 2019 Update
Conformance Suite Design Goals
 Multi-party protocol testing
 Structured configuration
 Structured logging and results
 Separation of test logic & web frontend
 Deterministic, modular execution units
 Protect sensitive configuration and results data
 Transparent process
 Usable as part of CI

6. Joseph Heenan: FAPI Certification Program – May 2019 Update
Major differences vs current certification suite
 private_key_jwt client authentication
 Mutual TLS client authentication
 Signed request objects
 Certificate Bound access tokens
 Browser automation
 API
 Automated public regression test
 Automated regression testing of all source code changes
 Predictable fixed redirect URIs
 Two registered clients are required (to verify certificate binding etc)
 Resource server (with a trivial protected API) is required
 Extensible to support further profiles
o e.g. the UK OpenBanking profile of FAPI

7. Joseph Heenan: FAPI Certification Program – May 2019 Update
FAPI-RW: Help Wanted
 Conformance suite has automated regression tests
 Ensures that conformant implementations still pass the tests
 We need access to conformant implementations!
o In return, our team will let you know about any potential non-
compliances
 Only 1 OP vendor has signed up for ‘continuous conformance’
 RP testers also wanted

8. Joseph Heenan: FAPI Certification Program – May 2019 Update
CIBA Certification
 FAPI-CIBA OP tests
o Entering pilot phase imminently
o Spec still a little in flux
o Negative tests still being added
oDue to launch late June 2019
o Please email / talk to me if you have an implementation you’d like to
test!
 FAPI-CIBA RP tests
oEntering pilot phase July 2019

9. Joseph Heenan: FAPI Certification Program – May 2019 Update
Other available tests
 FAPI-R: Positive tests only
 FAPI-RW-OB: FAPI-RW tests that register intent prior to
authorization
o Intent registration APIs are specific to UK OB ecosystem
 HEART: Some tests available
 Certification program does not cover above
 Individual WGs should drive their tests & certification program
oCertification team can help/advise
o Fintechlabs.io can help

10. Joseph Heenan: FAPI Certification Program – May 2019 Update
Current roadmap
 June 2019: Full launch: FAPI-RW RP & FAPI-CIBA OP
 July 2019: Pilot launch: FAPI-CIBA RP
 September 2019: Full Launch: FAPI-CIBA RP
 Later (TBC):
o CIBA core OP tests
o FAPI-JARM OP tests

11. Joseph Heenan: FAPI Certification Program – May 2019 Update
Wrap up
 Conformance Suite source code etc publicly available on gitlab:
https://gitlab.com/openid/conformance-suite
Contributions welcome!
 Production deployment:
https://www.certification.openid.net/login.html
(Login with any google/gitlab/openid account)
 Contact me if you’d like some help:
o joseph.heenan@oidf.org or certification@oidf.org
o https://twitter.com/josephheenan