In Decision 182, the Data Standards Chair approved four recommendations. This Future Plan item covers Recommendation 2 and the targeted consultation to migrate the Data Standards from FAPI 1.0 to FAPI 2.0.
The OpenID Foundation (OIDF)—which governs the FAPI specifications—has developed the second version of their FAPI profile (FAPI 2.0). FAPI 2.0 applies key lessons from the implementation of FAPI 1.0 globally and makes improvements to security whilst at the same time simplifying the complexity and cost of implementation.
This recommendation is the target state after transition to FAPI 1.0. This recommendation is a mandatory target state prior to the introduction of Action Initiation within the CDR, provided data holders and vendors can achieve the required timeframes before the obligation dates for introducing Action Initiation within the CDR.
Adoption should be in line with the requirements of the CDR and any appropriate security controls currently defined.
This includes the family of standards defined in the FAPI 2.0 profile, including but not limited to:
Rich Authorization Requests (RAR): To support a rich CDR consent and permissioning model between third parties and data holders for data sharing, purpose-based consent, and action initiation.
Pushed Authorization Requests (PAR): For lodging authorisation requests securely via the back channel rather than the browser front channel.
Proof Key for Code Exchange (PKCE): Enhances security whilst reducing implementation complexity for third parties.
FAPI Client Initiated Backchannel Authentication (FAPI-CIBA): To support decoupled authentication and two-factor authentication.
Grant Management API (GM-API): For the management of authorisation permissions.
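As an added illustration of the PAR and PKCE items above (not part of the Data Standards or of any OIDF specification), the following Python builds the S256 PKCE pair and the form body a client pushes to the PAR endpoint, then performs the server-side verifier check at the token endpoint; the client identifier and redirect URI are constructed placeholders.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlencode

def b64url(raw: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def make_pkce_pair(verifier=None):
    """Return (code_verifier, code_challenge) for the S256 method.
    FAPI 2.0 permits only S256; a fresh verifier is 43 base64url chars,
    inside the 43..128 range RFC 7636 allows."""
    if verifier is None:
        verifier = b64url(secrets.token_bytes(32))
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge

def build_par_body(client_id, redirect_uri, scope, code_challenge):
    """Form body the client POSTs to the PAR endpoint (RFC 9126).
    These parameters never pass through the browser; the server returns a
    request_uri that the client sends on the front channel instead."""
    return urlencode({
        "response_type": "code",  # the only response_type FAPI 2.0 allows
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    })

def verify_pkce(stored_challenge, stored_method, code_verifier):
    """Authorization-server check when the code is redeemed at the token
    endpoint: reject 'plain', out-of-range verifiers and mismatches, with a
    constant-time comparison for the digest."""
    if stored_method != "S256" or not 43 <= len(code_verifier) <= 128:
        return False
    expected = b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())
    return hmac.compare_digest(expected, stored_challenge)

if __name__ == "__main__":
    # Constructed placeholder client values; not a real CDR participant.
    v, c = make_pkce_pair()
    print(build_par_body("example-adr-client", "https://adr.example/cb",
                         "openid", c))
    print(verify_pkce(c, "S256", v))  # True
```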
Beyond FAPI 2.0, data standards to be consulted upon include:
Shared Signals and Events Framework (SS&E), OpenID Continuous Access Evaluation Profile (CAEP), and OpenID Security Event Tokens (SET): To facilitate secure communication of state changes, events and notifications to third parties.
OpenID Connect for Identity Assurance 1.0 (IDA): To support verified claims and identity assurance and/or KYC requirements in use cases such as account switching, origination and identification.
Key Future Directions Recommendations