/
Security Profile - FAPI

This space is deprecated and no longer supported. Please use the latest available version here.

Security Profile - FAPI

1. Introduction

The Open Finance UAE Financial-grade API, a secure OAuth profile, is designed to offer detailed implementation guidelines for enhancing security and interoperability in UAE's Open Finance APIs. This Profile, a profile of the FAPI 2.0 Security Profile, aims to streamline optionality within the framework. Additionally, it incorporates specific features to address the Consent and Authorization Requirements pertinent to Open Finance UAE use cases

2. Security Profile

2.1 Authorisation Server Considerations ( Open ID Provider )

The Authorization Server shall support the provisions specified in the 5.3.1 clause of the FAPI 2.0 Security Profile.

In addition, the Authorization Server :

  1. Shall only issue sender-constrained access tokens using mTLS as described in RFC8705.

  2. Shall ensure that the access token expiry is no longer than 10 minutes.

  3. Shall authenticate the confidential client using private_key_jwt;

  4. Shall cache clients jwks_uris for a maximum period of 20 minutes.

  5. Shall support OAuth 2.0 Rich Authorization Requests (RAR) as a method of conveying information about the End User Authorization Request.

  6. Shall only process authorization requests if the type specified in the authorization_details attribute matches any of the types listed in the authorization_detail_types metadata attribute of the Relying Party.

  7. Shall use the query parameter as the mechanism for returning authorization response parameters as the response mode, which is the default for the code response type.

  8. Shall advertise support for all signing, authentication mechanisms, and standards required to support this Specification on its OpenID Connect Discovery (.well-known) endpoint.

  9. Shall support and require signed request objects according to the OAuth JWT-Secured Authorization Request (JAR) [RFC9101] at the PAR endpoint [RFC9126].

  10. Shall require the aud claim in the request object to be, or to be an array containing, the OP's Issuer Identifier URL.

  11. Shall require the request object to contain an exp claim that has a lifetime of no longer than 10 minutes after the nbf claim and an nbf claim that is not more than 10 minutes in the past.

  12. Shall only rely on the parameters included in the signed request object passed via the request_uri parameter except for the client_idparameter.

  13. Shall set the response header x-fapi-interaction-id to the value received from the corresponding client request header, or to a RFC4122 UUID if the request header was not provided, to track the interaction.

  14. Shall issue refresh_tokens with an expiration period set to the same length as the expiration period of the longest consent with which the token can be used. For consents that do not have an expiry period, the authorization server shall issue refresh_tokens without an expiration period, or, if not technically achievable, with an expiration period greater than 100 years.

  15. Shall enforce that all redirect URIs passed by the Relying Party are pre-registered in the client metadata as provided by the Trust Framework, in accordance with the Registration Framework, and shall reject any requests containing unregistered redirect URIs

  16. Shall advertise mtls_endpoint_alias's including Token Endpoint, Pushed Authorisation Request Endpoint (PAR) and all other endpoints where an authentication credential is presented

  17. Shall honour and enforce all clients to support and utilise mtls endpoints as defined by client metadata use_mtls_endpoints_alias's and follow the orientations defined on RFC8705

2.2 Client Considerations (Relying Party)

The Authorization Server shall support the provisions specified in the 5.3.2 clause of the FAPI 2.0 Security Profile.

  1. Shall support private_key_jwt as a token endpoint authentication mechanism (client authentication method).

  2. Shall include the request_uri parameter in the authorization request as defined in the 6.2 section of OpenID Connect Core specification.

  3. Shall send all parameters inside the authorization request's signed request object.

  4. Shall support and require signed request objects according to the OAuth JWT-Secured Authorization Request (JAR) [RFC9101] at the PAR endpoint [RFC9126].

  5. Shall send the aud claim in the request object as the OP's Issuer Identifier URL.

  6. Shall send an exp claim in the request object that has a lifetime of no longer than 10 minutes;

  7. Shall send an nbf claim in the request object.

  8. Shall send the x-fapi-interaction-id request header, with its value being a unique RFC4122 UUID for each request, to help correlate log entries between the client and server, e.g: x-fapi-interaction-id: c770aef3-6784-41f7-8e0e-ff5f97bddb3a.

2.3 Algorithm Considerations

For JWS, both Client Applications and Authorization Servers shall use the PS256 algorithm.

For TLS, all of the Data Provider’s Authorization Server endpoints and Resource Server endpoints shall support mTLS connections with the algorithms specified in the 5.2 section of the FAPI 2.0 Security Profile.

For JWE, Client Applications and Authorization Servers shall use RSA-OAEP with A256GCM algorithm.

2.4 Consent and Authorization Mechanism Considerations

The Open Finance UAE leverages Rich Text Authorization Requests (RAR) to enable the granularity level required for the Open Finance Consents and Use Cases.

The Consent and Authorization Mechanism and lifecycle details are specified in the “Authentication and Authorization Document”.

The schema for the authorization_details attribute of the RAR payload can be identified on :

  • The "Bank Service Initiation API - Swagger " for the urn:openfinanceuae:service-initiation-consent:* type.

  • The "Bank Data API - Swagger" for the urn:openfinanceuae:account-access-consent:* type.

All of the documents defined above should be used in conjunction with this specification to ensure that all the parties can create and manage consents to resources in a standardized and secure way.\

3. Consent Authorization Sequence Diagram

The diagram below provides a high-level visualization of the redirect journey, also known as authorization_code flow expected to be executed by Data Receivers ( Relying Parties) with Data Transmitters (Open ID Providers) when obtaining an authorization grant from a customer that is willing to share data across institutions :

 

image-20240419-223048.png

 

4. Design Considerations

4.1 Security

The CBUAE security profile has been based on the FAPI 2.0 Security Profile which is an API security profile based on the OAuth 2.0 Authorization Framework [RFC6749], that aims to reach the security goals laid out in the Attacker Model [Attacker Model]. The FAPI 2.0 Security Profile has been assessed by University of Stuttgart using formal analysis methods which is available for public review. By baselining the CBUAE Security Profile on FAPI 2.0 the ecosystem is leveraging the very latest in API Security Design.

4.2 Ecosystem Interoperability

A primary goal in reducing the available optionality is to increase and simplify interoperability across the Ecosystem. By narrowing the range of options in the Security Profile, it aims to decrease the number of allowed variations in the implementations of the FAPI 2.0 Security Profile.

While a high degree of optionality may offer Data Providers more flexibility in their Authorization Server implementation, it poses significant and material challenges for Data Receivers. Data Receivers (TPPs) must develop implementations capable of connecting to all Data Providers implementations, resulting in increased onboarding challenges and higher non-productive connectivity maintenance costs which otherwise can be spent on the delivery of value added propositions.

This move towards optionality reduction has been seen in modern Open Banking ecosystems including Open Finance Brazil and ConnectID in Australia where the FAPI 1.0 Advanced Profile was first used.

Initially, in 2021, the ecosystem's profile supported two token authentication methods – tls_client_auth and private_key_jwt – and made pushed authorization requests optional. This approach resulted in four possible variations of the same profile for Data Providers. Consequently, Data Receivers had to support all four profiles to achieve interoperability with all Ecosystem Data Providers. This design choice was originally made to facilitate the swift implementation by banks, allowing the ecosystem to go live quickly using some Banks legacy OpenID vendors.

However, from 2021 to 2023, the focus shifted from initial go-live to prioritising interoperability and participant onboarding simplicity. This change in focus has resulted in the Ecosystem eliminating wherever possible any areas in the specification where optionality was given providers implementations. In March 2024, Open Finance Brazil mandated the introduction of Pushed Authorization Requests (PAR) and adopted the use of private_key_jwt as the token authentication mechanism of choice. This change unified the ecosystem under a single profile, simplified and eradicated bank choice in favour of interoperability whilst simultaneously improving ecosystem security.

Given the above design considerations, the following recommendations are made to further profile the ‘FAPI 2.0 Security Profile’ to ensure a more interoperability domestic ecosystem:

Topic

What FAPI 2.0 Proposes

What CBUAE FAPI 2.0 Requires

Topic

What FAPI 2.0 Proposes

What CBUAE FAPI 2.0 Requires

Client Authentication Methods

  • tls_client_auth

  • private_key_jwt

  • private_key_jwt

Method for Sender Constrained Access Tokens

  • MTLS

  • DPoP

  • MTLS

Access Token Life Time

  • Not Specified

  • 10 Minutes

JSW Signing Algorithms

  • PS256

  • ES256

  • EdDSA - Ed25519

  • PS256

Authorization Mechanism

  • Suggests RAR

  • Requires RAR

Message Tracing

  • No longer referenced.

  • Required - x-fapi-* headers for Logging and Tracking Purposes

Client Key Set Management

  • JWKS URI Recommended

  • Required - JWKS Uri

Authorization Non Repudiation

  • If Required - Signed Request Object (FAPI 2.0 Message Signing)

  • Required - Signed Request Object

Whilst not strictly a security consideration, to facilitate wider potential aspirations of the CBUAE ecosystem it is recommended that the ecosystem retain the use of Signed Request Objects as defined in OpenID Connect Core Section 6 and the OpenID FAPI Message Signing Profile. The use of signed request objects has two main benefits:

  • It ensures that non-repudiation of Authorisation Requests is easily achieved.

  • Ensures broad interoperability for Relying Parties engaging in multiple Open Finance Initiatives around the world including the United Kingdom, Australia, The United States and Brazil.

4.3 Clarification around OFP and LFI Integrations

All documentation relating to the integrations and security layers between the Open Finance Platform (OFP) and the LFI will be provided as part of the OFP Documentation and are not part of the Ecosystem Security Profile, which should be used only for communications that happen directly between the Open ID Providers (Servers) and Open ID Relying Parties (Client)

Communications between the Open Finance Platform and the chosen LFIs will take place using certificates issued by the Trust Framework.