Financial-grade API Security Profile overview

Get familiar with the Financial-grade API Security Profile (FAPI): what it is and why it is important. Learn when it should be used and when you have to comply with its rules. Find out how Authorization Control Plane (ACP) can help you protect your APIs in a FAPI-compliant way.

FAPI in a nutshell

Financial-grade API (FAPI) is a highly secured OAuth profile that provides specific implementation guidelines aimed at improving the security and interoperability of your APIs. It is stricter than traditional OAuth and OIDC profiles. FAPI compliance is also an important factor for all participants in Open Banking ecosystems, such as Open Banking UK, Open Banking Brazil, and more.

ACP FAPI compliance

ACP is a certified Financial-grade API (FAPI) OpenID provider.

It is compliant with the FAPI 1.0 guidelines on how to:

  • Obtain OAuth tokens in a secure manner for access to protected data

  • Use OIDC to identify the user

  • Use tokens to access REST APIs

FAPI 1.0 compliant flow

[mermaid-begin]
sequenceDiagram
    participant id1 as User
    participant id2 as Client application
    participant id3 as ACP
    participant id4 as API
    id1->>id2: Access
    id2->>id3: Authorization request
    note right of id2: The authorization request must contain a request object
    id3->>id3: Verify the request
    id3->>id1: Display consent
    note left of id3: If no authorization scope is to be granted, the consent page is skipped
    id1->>id3: Give consent
    id3->>id2: Authorization code
    id2->>id3: Token request
    note right of id2: Client authentication must be made with the use of mTLS and client certificates
    id3->>id3: Verify the request
    id3->>id2: Certificate-bound access token
    id2->>id4: Request API
    note right of id2: Request should include the certificate-bound token and the client certificate
    id4->>id2: Respond

  1. The user tries to access the application.

  2. The client redirects the user to the authorize endpoint.

    Note

    The request must include a request object, passed using either the request parameter or the request_uri parameter. FAPI requires request objects to be signed with either the PS256 or the ES256 signing algorithm.

  3. ACP authenticates the user and displays a consent screen if there is an authorization scope to be granted.

  4. The user gives their consent.

  5. ACP issues an authorization code.

    Note

    After ACP generates the authorization code, ACP redirects the user to the redirection endpoint configured for the registered client. The client must have at least one registered redirection URI. If there are multiple registered redirection URIs, the request to the authorize endpoint must always include the redirect_uri parameter.

  6. The client sends a token request to the token endpoint, authenticating itself and presenting the authorization code obtained in the previous step.

    Note

    The client application must be configured to use one of the mutual TLS client authentication methods.

  7. ACP validates the request.

  8. ACP returns a certificate-bound access token.

    Tip

    Having certificate-bound access tokens ensures that only a client that has the private key corresponding to the client’s certificate can access the resources. The binding of an access token to the client’s certificate prevents the resources from being accessed with the use of stolen tokens.

  9. The client requests protected resources from the resource server and submits the certificate-bound token it received in the previous step.

  10. The resource server validates the token and responds with the requested resources.
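
As an added example (not ACP's own code), the two checks the flow above hinges on, written in Python with only the standard library: rejecting a request object whose JWS header names an algorithm other than PS256 or ES256 (step 2), and a resource server confirming that the cnf.x5t#S256 claim of a certificate-bound access token matches the client certificate it received over mTLS (steps 8 and 10, as specified in RFC 8705). The certificate bytes, token claims and request-object header are constructed sample values, and the request object is only a header with a dummy payload and signature, so no signature verification is shown.

```python
import base64
import hashlib
import json

# FAPI 1.0 restricts request-object signatures to these JWS algorithms.
ALLOWED_REQUEST_OBJECT_ALGS = {"PS256", "ES256"}


def b64url_decode(segment: str) -> bytes:
    """Decode an unpadded base64url segment (JWS/JWT compact encoding)."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def request_object_alg_allowed(jws_compact: str) -> bool:
    """Inspect the protected header of a request object (compact JWS) before
    any signature check: FAPI 1.0 rejects anything but PS256/ES256, so
    RS256 or 'none' must fail here rather than reach the verifier."""
    header = json.loads(b64url_decode(jws_compact.split(".")[0]))
    return header.get("alg") in ALLOWED_REQUEST_OBJECT_ALGS


def x5t_s256(cert_der: bytes) -> str:
    """Certificate thumbprint used for binding: base64url(SHA-256(DER))."""
    return b64url_encode(hashlib.sha256(cert_der).digest())


def token_bound_to_cert(claims: dict, presented_cert_der: bytes) -> bool:
    """Resource-server check for step 10: the token's cnf.x5t#S256 must equal
    the thumbprint of the certificate the caller presented over mTLS. A token
    replayed from a different TLS client fails even if it is otherwise valid."""
    expected = (claims.get("cnf") or {}).get("x5t#S256")
    return expected is not None and expected == x5t_s256(presented_cert_der)


# Constructed sample data: not real certificates or tokens.
CLIENT_CERT_DER = b"constructed-client-certificate-der-bytes"
OTHER_CERT_DER = b"constructed-other-certificate-der-bytes"
ACCESS_TOKEN_CLAIMS = {
    "sub": "user-123",
    "scope": "accounts",
    "cnf": {"x5t#S256": x5t_s256(CLIENT_CERT_DER)},
}


def constructed_request_object(alg: str) -> str:
    """Compact JWS with a real header but a dummy '{}' payload and signature."""
    header = json.dumps({"alg": alg, "typ": "JWT"}).encode()
    return b64url_encode(header) + ".e30.constructed-signature"
```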

ACP compliance in depth

ACP’s authorization servers (workspaces) can be configured to be fully compliant with FAPI’s guidelines for authorization servers. Additionally, while creating a workspace you can choose one of the preconfigured workspace profiles that are already FAPI compliant: Open Banking UK, Open Banking Brazil, and Fintech and mission-critical applications.

Enabling FAPI

To make your workspace FAPI compliant, you should: