Appendix B - FAPI recommendation
Ready for review
FAPI is a banking-sector standard that contains recommendations for securing APIs. Many banking standards now enforce these recommendations.
This section reviews the three FAPI standards and provides direction on which recommendations SHOULD be included in the Health Sector API security standard when protecting SENSITIVE data.
It is RECOMMENDED that these three standards be reviewed regularly, as they are themselves updated regularly, and that the details of specific cryptographic algorithms be taken from the current version of each specification.
1. Financial-grade API Security Profile (FAPI) 1.0 – Part 1: Baseline [https://openid.net/specs/openid-financial-api-part-1-1_0.html]
A secured OAuth profile that aims to provide specific implementation guidelines for security and interoperability.
2. Financial-grade API Security Profile (FAPI) 1.0 – Part 2: Advanced [https://openid.net/specs/openid-financial-api-part-2-1_0.html]
A highly secured OAuth profile that aims to provide specific implementation guidelines for security and interoperability.
3. JWT Secured Authorization Response Mode for OAuth 2.0 (JARM) [https://openid.net/specs/oauth-v2-jarm-final.html]
This specification was created to bring some of the security features defined as part of OpenID Connect to OAuth 2.0.
Recommendations
FAPI has recommendations for the:
- API Consumer (Client both confidential and public)
- API Provider (Authorisation Server and Resource Server)
The recommendations in FAPI are very similar across these components. The following list can be applied to all of them, as each component needs to support the security capability defined:
| Capability | Recommendation |
|---|---|
| Client authentication to token endpoint | Implement one of the following: Mutual TLS for OAuth (tls_client_auth); client_secret_jwt; private_key_jwt |
| RSA algorithms key size | 2048 bits |
| Elliptic Curve algorithms key size | 160 bits |
| PKCE | MUST implement and use the S256 hash method |
| Return and verify scope list | MUST support |
| Enforce and verify redirect URI against pre-defined URIs | MUST support |
| The code must be revoked after it is used | MUST support |
| Access token lifetime | MUST be less than 10 minutes |
| Long-lived access requirements | Refresh and access tokens MUST be used |
| openid scope | MUST always be applied in all flows |
| Authentication request content | MUST contain scope, response_type, client_id, redirect_uri, state and nonce |
| Token revocation | MUST be supported |
| Level of Assurance | MUST be applied |
| Scopes | MUST be verified |
| Access Token must be in query parameter | MUST support |
| TLS | MUST support 1.3 or greater |
| Issue and use JWT tokens | MUST support |
| ID Token as a detached signature | MUST support |
| No PII in the first ID token | This MUST be applied to the ID token returned from the Authorise endpoint |
| Supported response types | One of the following MUST be supported: response_type value code id_token; or response_type value code in conjunction with the response_mode value jwt |
| Issue sender-constrained access tokens | SHALL support MTLS (Mutual TLS) as the mechanism for constraining the legitimate senders of access tokens |
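The following is an added illustrative example, not code from this standard or from the FAPI specifications: a minimal Python model of an authorisation server applying four of the table's rules at the code/token exchange (PKCE with the S256 method only, redirect_uri matched against the pre-defined URIs, single-use authorization codes, and an access-token lifetime under 10 minutes). The client id, redirect URI and the 300-second lifetime are constructed assumptions.

```python
import base64
import hashlib
import secrets
import time

# Constructed registration for a hypothetical client; the id and URI are not from the page.
REGISTERED_CLIENTS = {
    "hypothetical-client": {"redirect_uris": {"https://app.example.test/callback"}},
}
ACCESS_TOKEN_LIFETIME = 300  # seconds; satisfies the table's "less than 10 minutes" rule


def s256_challenge(code_verifier: str) -> str:
    """PKCE S256 (RFC 7636): BASE64URL(SHA256(ASCII(code_verifier))) with padding stripped."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class AuthorizationServer:
    """In-memory model of the table's code-exchange checks; not a production implementation."""

    def __init__(self):
        self._codes = {}  # code -> issuance record; deleted when the code is redeemed

    def issue_code(self, client_id, redirect_uri, code_challenge, method):
        if method != "S256":
            raise ValueError("PKCE: only the S256 method is accepted")
        if redirect_uri not in REGISTERED_CLIENTS[client_id]["redirect_uris"]:
            raise ValueError("redirect_uri is not one of the client's pre-defined URIs")
        code = secrets.token_urlsafe(32)
        self._codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                             "challenge": code_challenge}
        return code

    def exchange_code(self, code, client_id, redirect_uri, code_verifier, now=None):
        record = self._codes.pop(code, None)  # single use: revoked on first redemption
        if record is None:
            raise ValueError("unknown or already-used authorization code")
        if record["client_id"] != client_id or record["redirect_uri"] != redirect_uri:
            raise ValueError("code was not issued to this client_id/redirect_uri pair")
        if not secrets.compare_digest(s256_challenge(code_verifier), record["challenge"]):
            raise ValueError("PKCE verification failed: code_verifier does not match")
        now = int(time.time()) if now is None else int(now)
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "expires_in": ACCESS_TOKEN_LIFETIME, "exp": now + ACCESS_TOKEN_LIFETIME}
```

The S256 test vector is the one from RFC 7636 Appendix B; a replayed code, a mismatched verifier, an unregistered redirect_uri and the plain PKCE method are all rejected.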