
DSB Item - FAPI 2.0 Profile Transition #47

Closed
CDR-API-Stream opened this issue Aug 31, 2021 · 1 comment
Labels
  • complete: The item is now complete and no more work is occurring
  • maturity: ready for work: Indicates the problem statement is well defined and work on a proposal can begin
  • sector: all: The item is cross-sector in nature and impacts the CDR regime more broadly

Comments

@CDR-API-Stream (Contributor):

Problem Statement

In Decision 182, the Data Standards Chair approved four recommendations. This Future Plan item covers Recommendation 2 and the targeted consultation to migrate the Data Standards from FAPI 1.0 to FAPI 2.0.

The OpenID Foundation (OIDF), which governs the FAPI specifications, has developed the second version of their FAPI profile (FAPI 2.0). FAPI 2.0 applies key lessons from the implementation of FAPI 1.0 globally and makes improvements to security whilst at the same time simplifying the complexity and cost of implementation.

This recommendation is the target state after transition to FAPI 1.0. This recommendation is a mandatory target state prior to the introduction of Action Initiation within the CDR provided data holders and vendors can achieve the required timeframes before the obligation dates for introducing Action Initiation within the CDR.

Adoption should be in line with the requirements of the CDR and any appropriate security controls currently defined.

This includes the family of standards defined in the FAPI 2.0 profile including, but not limited to:

  • Rich Authorization Requests (RAR): to support a rich CDR consent and permissioning model between third parties and data holders for data sharing, purpose-based consent, and action initiation.
  • Pushed Authorization Requests (PAR): For lodging authorisation requests in a secure method in the back channel.
  • Proof Key for Code Exchange (PKCE): Enhances security whilst reducing implementation complexity for third parties
  • FAPI Client Initiated Backchannel Authentication (FAPI-CIBA): To support decoupled authentication and two-factor authentication
  • Grant Management API (GM-API): For the management of authorisation permissions

Beyond FAPI 2.0, data standards to be consulted upon include:

  • Shared Signals and Events Framework (SS&E), OpenID Continuous Access Evaluation Profile (CAEP), and OpenID Security Event Tokens (SET): to facilitate secure communication of state changes, events and notifications to third parties
  • OpenID Connect for Identity Assurance 1.0 (IDA): to support verified claims and identity assurance and/or KYC requirements in use cases such as account switching, origination and identification

Key Future Directions Recommendations

  • Recommendation 5.21 – Identity verification assessments
  • Recommendation 8.9 – Using open international standards where available
  • Recommendation 8.10 – When diverging from open international standards
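
To show concretely what the PAR, PKCE and RAR items in the list above mean for a client and an authorisation server, here is an added worked example in Python. It is not code from the DSB, the issue author, or any CDR implementation; it illustrates the mechanics the FAPI 2.0 Security Profile builds on (PAR per RFC 9126, PKCE per RFC 7636 with the S256 method, and an RFC 9396 `authorization_details` array). The endpoint URLs, client identifier, `request_uri` value and the `cdr_data_sharing` authorization-details type are all constructed placeholders, not values from any CDR standard.

```python
"""PKCE + Pushed Authorization Request (PAR) + Rich Authorization Request (RAR) helpers.

Added example, not part of the CDR Data Standards. Values such as the
endpoint URLs, client_id and the "cdr_data_sharing" authorization_details
type are constructed placeholders (assumptions), not CDR-defined identifiers.
"""
import base64
import hashlib
import json
import secrets
from urllib.parse import urlencode


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires for PKCE values."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_pkce_pair(nbytes: int = 32) -> tuple[str, str]:
    """Client side: random code_verifier and its S256 code_challenge.

    32 random bytes -> 43 base64url chars, the RFC 7636 minimum length.
    The verifier never leaves the client until the token request.
    """
    verifier = b64url(secrets.token_bytes(nbytes))
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def verify_pkce(verifier: str, challenge: str, method: str = "S256") -> bool:
    """Server side: check the verifier presented at the token endpoint.

    The 'plain' method is rejected outright; FAPI 2.0 requires S256.
    A constant-time comparison avoids leaking how many chars matched.
    """
    if method != "S256":
        return False
    if not 43 <= len(verifier) <= 128:
        return False
    expected = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return secrets.compare_digest(expected, challenge)


def build_par_body(client_id: str, redirect_uri: str, challenge: str,
                   scope: str, authorization_details: list[dict]) -> str:
    """Form body the client POSTs to the PAR endpoint over mTLS/private_key_jwt.

    Everything that would otherwise travel in the browser-visible
    authorize URL (scope, RAR details, PKCE challenge) is lodged here in
    the back channel. The code_verifier is deliberately NOT included.
    """
    for detail in authorization_details:
        if "type" not in detail:  # RFC 9396: every object needs a type
            raise ValueError("authorization_details entry missing 'type'")
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": scope,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
        "authorization_details": json.dumps(authorization_details,
                                            separators=(",", ":")),
    }
    return urlencode(params)


def build_authorize_url(authorize_endpoint: str, client_id: str,
                        request_uri: str) -> str:
    """Front-channel redirect after PAR: only client_id and the opaque
    request_uri returned by the server are exposed in the browser."""
    return f"{authorize_endpoint}?{urlencode({'client_id': client_id, 'request_uri': request_uri})}"


def build_token_body(code: str, verifier: str, redirect_uri: str,
                     client_id: str) -> str:
    """Token request: the verifier is revealed here, in the back channel,
    so the server can run verify_pkce() against the stored challenge."""
    return urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "code_verifier": verifier,
    })


# Constructed sample RAR payload (hypothetical type, not a CDR-defined one).
SAMPLE_AUTHZ_DETAILS = [{
    "type": "cdr_data_sharing",
    "actions": ["read"],
    "datatypes": ["bank:accounts.basic:read", "bank:transactions:read"],
    "purpose": "budgeting",
}]

if __name__ == "__main__":
    v, c = make_pkce_pair()
    print(build_par_body("client-1", "https://adr.example/cb", c,
                         "openid", SAMPLE_AUTHZ_DETAILS))
    print(build_authorize_url("https://dh.example/authorize", "client-1",
                              "urn:ietf:params:oauth:request_uri:abc123"))
    print(verify_pkce(v, c))
```

The security point the example makes explicit: with PAR the consent parameters (including the RAR `authorization_details`) are bound to a server-issued `request_uri` before the user is redirected, so they cannot be tampered with in the front channel; with PKCE the `code_verifier` appears only in the back-channel token request, so an intercepted authorisation code is useless without it, and a server that still accepts `code_challenge_method=plain` loses that guarantee.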
@CDR-API-Stream CDR-API-Stream added maturity: ready for work Indicates the problem statement is well defined and work on a proposal can begin maturity: undefined The problem statement for this issue is not yet fully defined sector: all The item is cross-sector in nature and impacts the CDR regime more broadly labels Aug 31, 2021
@CDR-API-Stream CDR-API-Stream self-assigned this Aug 31, 2021
@JamesMBligh:

Significant planning on this item has been conducted but it has been shifted to Q1 2022 for ongoing work.

FAPI 1 planning is complete but a DP still remains to be created for FAPI 2

@JamesMBligh JamesMBligh added complete The item is now complete and no more work is occurring and removed maturity: undefined The problem statement for this issue is not yet fully defined labels Jul 12, 2022
@CDR-API-Stream CDR-API-Stream moved this to Complete in DSB Future Work Plan May 2, 2023