There’s a lot going on in the FAPI working group, including a CIBA security profile, the often overlooked JARM draft and some forward-looking work. The finalized 1.0 security profile, however, is particularly impactful right now and has already seen substantial adoption around the globe.
The security profile is made up of two parts, Baseline and Advanced, where the latter builds on the former with successive requirements. The split is unfortunate because the baseline is rarely, if ever, used on its own. So, for the most part, you can think about them as a single thing: FAPI 1.0.
In essence, it adds these security requirements to classic OAuth:
Despite looking pretty simple when broken down to a few bullet points like that, FAPI 1.0 has some very rough edges. Signed authorization requests are complicated by having been historically specified in both the IETF and OpenID Foundation, with some missing pieces and differences between the two. Mutual-TLS is useful but can be quite cumbersome (to put it politely). And while using the ID token as a detached signature to secure the authorization response makes some pragmatic sense, it is really a misuse of the ID token.
The ID token is intended to convey identity for sign-on for the security profile that is otherwise only about API access—a layering violation that has been cause for confusion and complexity. Although there’s a lot of value in FAPI 1.0, it is somewhat inaccessible to organizations without significant resources and specific expertise.
Aiming to make things more accessible, work on FAPI 2.0 was well underway before 1.0 went final. It’s still in draft and will take some time, as these things do. Furthermore, there’s little doubt the competing versions will cause some confusion, which this FAQ endeavors to mitigate. But I view the general direction of FAPI 2.0 as a major positive overall. With the benefit of hindsight, experience and some new specs and best practices to work with, FAPI 2.0 and its Baseline profile in particular look poised to be a significant improvement over the predecessor.
The FAPI 2.0 Baseline profile provides roughly equivalent security properties to the Advanced profile of FAPI 1.0, but achieves it in a simpler, more straightforward way. Notably, PAR and PKCE obviate the need for signatures on the authorization request and response, a major simplification that allows OpenID Connect to step out of the picture entirely. The option of DPoP for sender-constrained access tokens allows for the profile requirements to be met with application layer constructs, removing another big barrier to deployment accessibility.
There’s more work under the FAPI 2.0 umbrella, including a detailed threat model, an advanced profile that aims to provide nonrepudiation by adding a signature to just about everything, and a grant management draft that endeavors to give the client more predictable interoperable control over and visibility into its grants at the authorization server. But for now, the relative simplicity and value of the FAPI 2.0 Baseline security profile is the most exciting development, and I look forward to this next stage of the working group’s efforts.
Interested in learning more about API security as applied to financial services? Please read our whitepaper, “Strengthen Your Financial API Security.”