Enhancing OAuth Security Using FAPI

Friction is a common issue in financial transactions, where secure transmission of confidential data is paramount. FAPI, which builds on the OAuth security framework, provides an effective solution for securely transmitting sensitive financial information. Initially conceived for financial services organizations like banks and brokerage firms, FAPI’s utility has since expanded into other sectors such as insurance, the public sector and healthcare, where secure data exchange is equally critical.

Expert Perspectives on FAPI and Financial Transaction Challenges

Joseph Heenan, CTO of Authlete and leader of the OpenID Foundation’s certification program, and Gregor Vand recently discussed the complexities of financial transactions and how FAPI simplifies security on Software Engineering Daily. Their insights underscore how the increasing complexity of payment systems and financial interactions has made secure, reliable solutions like FAPI essential for enterprises. You can find their full conversation here.

The Growing Complexity of Financial Systems

Money is central to business operations, so many applications revolve around processing, paying, and reconciling financial transactions. As payment system options expand and financial interactions become more intricate, enterprises often struggle to integrate business applications that handle different aspects of these transactions. Historically, this work has been time-consuming and complex, consuming valuable development resources.

Open Banking and FAPI’s Role

Open banking is an initiative designed to provide third-party financial service providers with secure access to consumer financial data through standardized APIs. The OpenID Foundation’s FAPI working group developed the FAPI Security Profile, a global open banking API specification, to achieve this goal.

FAPI enhances the OAuth security framework while addressing some of its key limitations. It introduces a standardized set of OAuth configurations, creating a more secure and opinionated framework. These standardized configurations simplify client-server implementations, reducing the need for developers to create custom security modifications. By using OAuth to generate an access token that encapsulates both user rights and the identity of delegated software, FAPI enables secure interactions between clients and servers without exposing user credentials, minimizing the risk of sensitive information leaks.

Solving Security Issues: FAPI’s Impact

Before FAPI, banks often relied on less secure methods like screen scraping to exchange data. This process posed security risks, as customers were required to share their banking credentials with third-party applications. These credentials often granted broad access, including the ability to make payments on behalf of the user—a privilege customers might not want to extend. FAPI eliminates this risk by allowing compliant applications to access account transaction data or make payments without the ability to modify the account itself.

How FAPI Works: A Technical Overview

FAPI specifies two methods of authenticating third-party applications, both of which strengthen security:

  1. mTLS (Mutual TLS): An extension of the standard TLS protocol, mTLS requires both the client and server to authenticate each other, providing an additional layer of security.
  2. Private Key JWT (JSON Web Token) Client Authentication: Part of OAuth 2.0 and OpenID Connect, this method allows clients to securely access APIs by using a private key to sign a JWT, rather than relying on a shared secret.

Both methods rely on public-key cryptography: only a client holding the corresponding private key can authenticate, so only authorized clients can initiate transactions. The authorization server checks the client’s proof against the client’s registered public key, which assures it that the request genuinely came from that client.

Diagram of the private-key-JWT authentication flow: the client creates the signed JWT, sends it to the server, and the server verifies the signature on the JWT using the client’s public key.
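
The flow in the diagram, as an added example that is not code from the post or from Authlete: the client signs a private_key_jwt client assertion with its private key and the authorization server verifies it against the client’s registered public key, using ES256 (one of the two JWS algorithms FAPI permits, alongside PS256). It also carries out the checks the diagram leaves implicit: the server pins the algorithm rather than trusting the token’s `alg`, binds `iss`/`sub`/`aud` to the client and its own token endpoint, and rejects expired or replayed `jti` values. The client_id, token endpoint URL and jti values are constructed placeholders, and the in-memory `seen` map stands in for a real replay cache.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
	"strings"
)
// NewClientKey makes the client's P-256 key pair; the public half is registered with the server.
func NewClientKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }

// SignAssertion (client side) builds a private_key_jwt client assertion (RFC 7523) as an ES256 JWS.
func SignAssertion(priv *ecdsa.PrivateKey, clientID, tokenEndpoint, jti string, now int64) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "ES256"})
	body, _ := json.Marshal(map[string]any{"iss": clientID, "sub": clientID, "aud": tokenEndpoint,
		"jti": jti, "iat": now, "exp": now + 60}) // a short lifetime keeps the replay window small
	input := base64.RawURLEncoding.EncodeToString(hdr) + "." + base64.RawURLEncoding.EncodeToString(body)
	h := sha256.Sum256([]byte(input))
	r, s, _ := ecdsa.Sign(rand.Reader, priv, h[:])
	sig := append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...) // r||s, RFC 7518 3.4
	return input + "." + base64.RawURLEncoding.EncodeToString(sig)
}

// VerifyAssertion (server side) pins the algorithm, checks the signature with the client's registered key, binds iss/sub/aud, and rejects expired or replayed jti.
func VerifyAssertion(jwt string, pub *ecdsa.PublicKey, clientID, tokenEndpoint string, seen map[string]bool, now int64) error {
	h64, rest, ok1 := strings.Cut(jwt, ".")
	c64, s64, ok2 := strings.Cut(rest, ".")
	hb, e1 := base64.RawURLEncoding.DecodeString(h64)
	cb, e2 := base64.RawURLEncoding.DecodeString(c64)
	sig, e3 := base64.RawURLEncoding.DecodeString(s64)
	hdr, c := map[string]string{}, map[string]any{}
	if !ok1 || !ok2 || e1 != nil || e2 != nil || e3 != nil || json.Unmarshal(hb, &hdr) != nil || json.Unmarshal(cb, &c) != nil {
		return errors.New("malformed assertion")
	}
	h := sha256.Sum256([]byte(h64 + "." + c64)) // signing input is the two encoded parts exactly as sent
	if hdr["alg"] != "ES256" || len(sig) != 64 || // the server, not the token, decides the algorithm
		!ecdsa.Verify(pub, h[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return errors.New("bad algorithm or signature")
	}
	jti, _ := c["jti"].(string)
	if exp, _ := c["exp"].(float64); c["iss"] != clientID || c["sub"] != clientID || c["aud"] != tokenEndpoint || float64(now) >= exp || jti == "" || seen[jti] {
		return errors.New("assertion not for this client/endpoint, expired, or replayed")
	}
	seen[jti] = true // remember the jti so the same assertion cannot be presented twice
	return nil
}
```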

Widespread Adoption of FAPI

FAPI’s adoption is difficult to measure due to its open-source nature. As Joseph Heenan of Authlete notes, no central authority tracks implementations, but the number is likely in the thousands, possibly tens of thousands.

Several notable use cases have emerged. One example is Australian Payments Plus (AP+). This organization consolidates three domestic payment providers (BPAY Group, eftpos, and NPP Australia) and uses FAPI to facilitate secure customer information exchanges.

Another high-profile example is the UK’s financial institutions. Banks in the UK use FAPI to integrate with accounting software, automating transactions and reducing manual entry errors. For example, His Majesty’s Revenue and Customs (HMRC) implemented open banking to simplify tax payments, reducing human error and manual processing time.

Expanding Beyond Financial Services

Though FAPI began in financial services, its applications have extended into other industries. In healthcare, for example, FAPI is helping unlock medical records previously siloed in proprietary systems. European countries are incorporating FAPI into their healthcare technology ecosystems to enable more efficient and secure data sharing.

Brazil, too, has embraced FAPI, expanding from personal banking transactions into areas such as investments, credit cards, and even insurance applications. The energy sector is also exploring FAPI’s potential to secure its data ecosystems.

Overcoming Adoption Challenges with Services Like Authlete

Despite its growing adoption, many organizations lack experience working with FAPI. Companies like Authlete offer solutions that simplify FAPI’s implementation. Authlete’s hosted service supports OAuth and OpenID Connect functions, allowing customers to integrate these protocols without extensive development effort. Uniquely, Authlete doesn’t manage the entire authentication platform. Instead, it focuses on handling the OAuth and OpenID Connect components, allowing customers to use their preferred programming languages and frameworks for their authorization servers.

The Future of FAPI

As financial ecosystems become increasingly complex, frameworks like FAPI offer a streamlined approach to application security. With services like Authlete making the technology accessible to organizations with minimal development overhead, FAPI is poised to gain even more traction across industries that require secure, scalable solutions for transmitting sensitive data.

Full Disclosure: Authlete is a sponsor of Software Engineering Daily