---
title: "Identity, Unlocked... Explained: Season 2, Ep. 1"
description: "Torsten Lodderstedt joins the podcast today to talk about his work on Financial-Grade API (FAPI) WG."
authors:
  - name: "Vittorio Bertocci"
    url: "https://auth0.com/blog/authors/vittorio-bertocci/"
date: "Jan 25, 2021"
category: "Developers,Campaigns,Identity Unlocked"
tags: ["identity-unlocked", "podcast", "auth0"]
url: "https://auth0.com/blog/identity-unlocked-explained-season-2-ep-1/"
---

# Identity, Unlocked... Explained: Season 2, Ep. 1



## The Overview

In this episode of _Identity, Unlocked_, Vittorio Bertocci, principal architect at [Auth0](https://auth0.com) and host of the podcast, interviews Torsten Lodderstedt. Torsten is the CTO of [yes.com](https://yes.com/) and an all-star contributor to the [IETF](https://www.ietf.org/) and the [OpenID Foundation](https://openid.net/foundation/). The interview centers on Torsten’s work in the [Financial-Grade API (FAPI) WG](https://openid.net/wg/fapi/).

FAPI is a security and interoperability profile for OAuth that was originally intended for use in open banking scenarios. Torsten explains how FAPI navigates two challenge areas of using OAuth in open banking, what one may find within the FAPI working group initiatives, and the differences between FAPI versions 1 and 2. Torsten also delves into some specific macro areas of FAPI and discusses [JARM (JWT Secured Authorization Response Mode)](https://bitbucket.org/openid/fapi/src/master/Financial_API_JWT_Secured_Authorization_Response_Mode.md). He covers cryptographic measures such as MTLS and their relation to FAPI, his thoughts on the future of FAPI, and prominent features in the specifications (such as CIBA, or Client Initiated Backchannel Authentication), and he helps listeners interested in FAPI determine which version might best suit them. Of course, listeners who have to integrate with another system must see what that system can support. But for the listener who owns their own API, Torsten’s general recommendation is to consider FAPI version 2!

To learn more about the FAPI working group, how to participate, and the specification itself, visit [https://openid.net/wg/fapi](https://openid.net/wg/fapi).

To learn more about the OpenID Foundation’s Global Open Banking initiatives, visit [https://fapi.openid.net](https://fapi.openid.net).

## Key Takeaways

**[6:05]** - What is FAPI?

The main entry point for all things FAPI can be found at [https://openid.net/wg/fapi/](https://openid.net/wg/fapi/)

**[9:56]** - What can be found inside FAPI?

**[12:11]** - What is a detached signature?

The JWT secured authorization request Torsten mentions can be found in [https://tools.ietf.org/html/draft-ietf-oauth-jwsreq-30](https://tools.ietf.org/html/draft-ietf-oauth-jwsreq-30).

**[14:48]** - What specification areas are defined in FAPI 1.0?

The specifications Torsten mentions can be accessed here:

* [FAPI 1.0 — Part 1: Baseline API Security Profile (Draft towards the final specification).](https://bitbucket.org/openid/fapi/src/master/Financial_API_WD_001.md)
* [FAPI 1.0 — Part 2: Advanced Security Profile (Draft towards the final specification).](https://bitbucket.org/openid/fapi/src/master/Financial_API_WD_002.md)
* [FAPI 1.0 — JWT Secured Authorization Response Mode for OAuth 2.0 (JARM) (Implementer’s Draft).](https://bitbucket.org/openid/fapi/src/master/Financial_API_JWT_Secured_Authorization_Response_Mode.md)
* [FAPI 1.0 — CIBA Profile (Implementers Draft).](https://bitbucket.org/openid/fapi/src/master/Financial_API_WD_CIBA.md)

**[20:08]** - Discussion about other security measures and their relation to FAPI.

MTLS and DPoP, mentioned by Torsten in this context, have been covered in Identity, Unlocked Season 1, Episode 1, available [here](https://auth0.com/blog/identity-unlocked-explained-episode-1/).

**[23:07]** - The Future of FAPI and MTLS.

**[25:12]** - The third component of FAPI: CIBA

**[31:25]** - FAPI 2.0

**[37:28]** - Implementing FAPI 1.0 and FAPI 2.0

**[41:07]** - About the OpenID Foundation

## About OpenID Foundation

The OpenID Foundation is a non-profit international standardization organization of individuals and companies committed to enabling, promoting and protecting OpenID technologies. Formed in June 2007, the foundation serves as a public trust organization representing the open community of developers, vendors, and users. OIDF assists the community by providing needed infrastructure and help in promoting and supporting expanded adoption of OpenID. This entails managing intellectual property and brand marks as well as fostering viral growth and global participation in the proliferation of OpenID.

### Links/Resources:

* Learn more about [Torsten Lodderstedt](https://www.linkedin.com/in/torsten-lodderstedt-37528a1/) and follow him on [Twitter](https://twitter.com/tlodderstedt)
* Connect with Vittorio Bertocci on [LinkedIn](https://www.linkedin.com/in/vittoriobertocci/) and follow him on [Twitter](https://twitter.com/vibronet)
* Learn more about [Identity, Unlocked](https://identityunlocked.auth0.com/public/49/Identity%2C-Unlocked.--bed7fada/episodes)
* Learn more about [Auth0](https://auth0.com/)
* Learn more about the sponsor for this season, the [OpenID Foundation](https://openid.net/foundation/)

