In this episode of Identity. Unlocked, principal architect at Auth0 and podcast host, Vittorio Bertocci, interviews Torsten Lodderstedt. Torsten is the CTO of yes.com and is an all-star contributor to the IETF and the OpenID Foundation. The interview centers on Torsten’s work on Financial-Grade API (FAPI) WG.
FAPI is a security and interoperability profile for OAuth, and it was originally intended for use in open banking scenarios. Torsten explains how FAPI navigates two challenge areas of using OAuth in open banking, what one may find within the FAPI working group initiatives, and the differences between FAPI versions 1 and 2. Further, Torsten delves into some specific macro areas of FAPI and discusses JARM (JWT Secured Authorization Response Mode). He details cryptography measures such as MTLS and their relation to FAPI, his thoughts on the future of FAPI, prominent features in the specifications (such as CIBA, or Client Initiated Backchannel Authentication), and helps listeners interested in FAPI to determine what version might best suit them. Of course, if listeners have to integrate with another system, then they must see what that system can support. But for the listener who owns their own API, Torsten’s general recommendation is to consider FAPI version 2!
To learn more about the FAPI working group, how to participate, and information about the specification, visit https://openid.net/wg/fapi
To learn more about OpenID Foundation’s Global Open Banking initiatives, visit https://fapi.openid.net
[6:05] - What is FAPI?
The main entry point for all things FAPI can be found at https://openid.net/wg/fapi/
[9:56] - What can be found inside FAPI?
[12:11] - What is a detached signature?
The JWT secured authorization request Torsten mentions can be found in https://tools.ietf.org/html/draft-ietf-oauth-jwsreq-30.
[14:48] - What specification areas are defined in FAPI 1.0?
The specifications Torsten mentions can be accessed here:
- FAPI 1.0 — Part 1: Baseline API Security Profile (Draft towards the final specification).
- FAPI 1.0 — Part 2: Advanced Security Profile (Draft towards the final specification).
- FAPI 1.0 — JWT Secured Authorization Response Mode for OAuth 2.0 (JARM) (Implementer’s Draft).
- FAPI 1.0 — CIBA Profile (Implementers Draft).
- Discussion about other security measures and their relation to FAPI.
MTLS and DPoP, mentioned by Torsten in this context, have been covered in Identity, Unlocked Season 1, Episode 1, available here.
[23:07] - The Future of FAPI and MTLS.
[25:12] - The third component of FAPI: CIBA
[31:25] - FAPI 2.0
[37:28] - Implementing FAPI 1.0 and FAPI 2.0
[41:07] - About the OpenID Foundation
About OpenID Foundation
The OpenID Foundation is a non-profit international standardization organization of individuals and companies committed to enabling, promoting and protecting OpenID technologies. Formed in June 2007, the foundation serves as a public trust organization representing the open community of developers, vendors, and users. OIDF assists the community by providing needed infrastructure and help in promoting and supporting expanded adoption of OpenID. This entails managing intellectual property and brand marks as well as fostering viral growth and global participation in the proliferation of OpenID.
Identity, Unlocked is the podcast that discusses identity specs and trends from a developer perspective. Identity, Unlocked is powered by Auth0. Vittorio Bertocci is Principal Architect at Auth0 and applies his vast knowledge of the identity industry to Auth0 in all aspects of the company, including internal and external education, product innovation, and customer integration.
Auth0 by Okta takes a modern approach to customer identity and enables organizations to provide secure access to any application, for any user. Auth0 is a highly customizable platform that is as simple as development teams want, and as flexible as they need. Safeguarding billions of login transactions each month, Auth0 delivers convenience, privacy, and security so customers can focus on innovation. For more information, visit https://auth0.com.