FAPI compliant OAuth 2.0 server

Driven by the demands of Open Banking, PSD2 and the finance industry, the Financial-grade API Working Group (FAPI) devised a set of security profiles based on the OAuth 2.0 framework. The FAPI profiles offer the most elevated security settings in OAuth 2.0 and we strongly recommend them for all kinds of applications, not only in banking.

The FAPI security features

Strong client authentication

Private-key based authentication via mutual TLS or with a signed JWT. The client keys can be stored in an HSM or similarly secured module.

Client certificate bound tokens

The issued access tokens can be optionally bound to a client X.509 certificate, preventing their replay in the case of a leak.
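The binding check a resource server performs for such a token, as an added example that is not Connect2id code: the token carries the SHA-256 thumbprint of the client certificate (the `cnf.x5t#S256` claim of RFC 8705) and the server compares it with the certificate presented on the mutual-TLS connection. The certificate bytes and claims below are constructed stand-ins; a real deployment takes the certificate from the TLS handshake and runs this check only after the token signature and expiry have been verified.

```python
import base64
import hashlib
import hmac
from typing import Optional, Tuple

# Constructed stand-ins for DER-encoded client certificates (not real X.509 data).
CLIENT_CERT_DER = b"\x30\x82\x01\x0a-constructed-client-cert-der"
OTHER_CERT_DER = b"\x30\x82\x01\x0a-constructed-other-cert-der"


def x5t_s256(cert_der: bytes) -> str:
    """RFC 8705 thumbprint: base64url(SHA-256(DER certificate)) without padding."""
    digest = hashlib.sha256(cert_der).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def issue_bound_claims(cert_der: bytes) -> dict:
    """Claims the authorisation server places in a certificate-bound access token."""
    return {
        "iss": "https://as.example.com",  # constructed issuer
        "sub": "alice",
        "scope": "accounts",
        "cnf": {"x5t#S256": x5t_s256(cert_der)},
    }


def verify_sender_constrained(claims: dict, presented_cert_der: Optional[bytes]) -> Tuple[bool, str]:
    """Resource-server check; returns (accepted, reason).

    A leaked bound token is useless to a thief because the thief cannot present
    the client's private key and certificate on the mTLS connection.
    """
    expected = claims.get("cnf", {}).get("x5t#S256")
    if expected is None:
        return False, "token is not certificate-bound (no cnf.x5t#S256)"
    if presented_cert_der is None:
        return False, "no client certificate presented on the mTLS connection"
    actual = x5t_s256(presented_cert_der)
    # Constant-time comparison avoids leaking how many leading characters matched.
    if not hmac.compare_digest(expected, actual):
        return False, "thumbprint mismatch: token presented by a different client"
    return True, "thumbprint matches the presented client certificate"


if __name__ == "__main__":
    token = issue_bound_claims(CLIENT_CERT_DER)
    print(verify_sender_constrained(token, CLIENT_CERT_DER))  # accepted
    print(verify_sender_constrained(token, OTHER_CERT_DER))   # rejected (replay)
```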

Upgraded OAuth 2.0

Use of OAuth extensions to upgrade security, such as PKCE for preventing authorisation code interception and JAR for signed authorisation requests.

Modern TLS

TLS 1.2 and 1.3 with proven ciphers are required for securing the HTTP messages between clients and server. STS and DNSSEC are recommended.

FAPI compliance

The Connect2id server covers the FAPI 1.0 profiles:

  • Baseline -- Intended for applications that need access tokens and / or OpenID Connect login and where moderate security is sufficient.
  • Advanced -- For applications that demand the highest OAuth 2.0 and OpenID Connect security, such as applications that perform financial transactions.

The FAPI WG is currently developing a set of future 2.0 profiles to support rich authorisations (RAR) and the ability to manage granted consent via an API.