OpenID Financial-grade API (FAPI) Conformance Tests Now Available for Australian Consumer Data Rights Participants & Push Authorization Requests (PAR)

Published January 15, 2021

The OpenID Foundation is pleased to announce the availability of Financial-grade API (FAPI) conformance tests for banks and fintechs in Australia providing consumer data rights (CDR) compliant solutions.

The Foundation recently updated the FAPI conformance suite to ensure that servers following the CDR standards comply with the underlying FAPI specifications, specifically FAPI-RW. These updates include minor changes relative to the underlying FAPI-RW specification:

  • private_key_jwt must be used
  • x-v header must be sent to resource server endpoint
  • Refresh tokens must be supported
  • Returned id_tokens must be encrypted
  • For “acr” claims, a CDR-specific value is used: “urn:cds.au:cdr:2”

The Foundation is also announcing the availability of FAPI-RW with Pushed Authorization Requests (PAR) conformance tests. PAR is an IETF standard developed within the OAuth Working Group and is an evolution of FAPI-RW’s request object endpoint. With PAR, the client pushes the full authorization request to the authorization server over the back channel and the browser redirect carries only a reference to it, so the authorization details never pass through the front channel, which is better for privacy and avoids URL size limits. This new certification service also optionally covers the pushed authorization request (PAR) profile that CDR introduced in November 2020.
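The following is an added example, not code from the OpenID Foundation or the conformance suite, that models the PAR exchange described above on the authorization server side: the pushed request is stored under a `request_uri` reference, the front-channel URL carries only `client_id` and that reference, and the authorization endpoint enforces client binding, expiry and single use when it resolves the reference. The in-memory store, the 60-second lifetime and the function names are assumptions; client authentication (e.g. `private_key_jwt`) is assumed to have been performed by the caller before `par_endpoint` is invoked.

```python
"""Minimal model of RFC 9126 Pushed Authorization Requests (PAR).
Added example with an assumed in-memory store; not the conformance suite's code."""
import secrets
import time
from urllib.parse import urlencode

PAR_TTL_SECONDS = 60  # assumed lifetime; the spec only asks that it be short

# Constructed server state: pushed requests keyed by their request_uri
_pushed = {}


def par_endpoint(client_id, params, now=None):
    """Back-channel POST to the PAR endpoint. `client_id` is the client the
    caller has already authenticated; `params` is the pushed authorization
    request. Returns the reference and its lifetime, as the server would."""
    now = time.time() if now is None else now
    # The pushed request must belong to the client that authenticated
    if params.get("client_id") != client_id:
        raise ValueError("client_id in request body does not match authenticated client")
    if "redirect_uri" not in params or "scope" not in params:
        raise ValueError("missing required authorization parameters")
    request_uri = "urn:ietf:params:oauth:request_uri:" + secrets.token_urlsafe(32)
    _pushed[request_uri] = {"client_id": client_id, "params": dict(params),
                            "expires_at": now + PAR_TTL_SECONDS, "used": False}
    return {"request_uri": request_uri, "expires_in": PAR_TTL_SECONDS}


def front_channel_url(authorize_endpoint, client_id, request_uri):
    """Only client_id and the reference cross the browser: scope, redirect_uri,
    claims and any request object stay on the back channel, so URL length is bounded."""
    return authorize_endpoint + "?" + urlencode({"client_id": client_id,
                                                 "request_uri": request_uri})


def resolve_request_uri(client_id, request_uri, now=None):
    """Authorization endpoint side: fetch the pushed request and check that it
    is known, unexpired, unused, and was pushed by the client now presenting it."""
    now = time.time() if now is None else now
    entry = _pushed.get(request_uri)
    if entry is None or entry["used"] or now > entry["expires_at"]:
        raise ValueError("invalid_request_uri")
    if entry["client_id"] != client_id:
        raise ValueError("request_uri was pushed by a different client")
    entry["used"] = True  # single use: presenting the same reference again fails
    return entry["params"]
```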

A number of Australian organizations have “tested the tests” against their CDR environments, finding a number of interoperability and security issues in the deployments of Data Holders – which were then addressed before they impacted a significant number of Data Recipients.

More information about running the new CDR and PAR conformance tests can be found here: https://openid.net/certification/fapi_op_testing/.

A list of FAPI certified implementations/deployments can be found here: https://openid.net/certification/#FAPI_OPs.

Please reference the OpenID Certification page for more information about the certification program and to review the current directory of certified implementations. Any questions about OpenID Certification can be sent to certification@oidf.org.

For more information on the Financial-grade API (FAPI) Working Group, please visit: https://openid.net/wg/fapi/.

For more information about joining the OpenID Foundation please visit: https://openid.net/foundation/benefits-members/.
