Trends in Banking APIs
•2 recomendaciones•1,087 vistas
Denunciar
Compartir
Descargar para leer sin conexión
English version of https://www.slideshare.net/tkudo/banking-apis-authorization-practice-2018
Recomendados
Más contenido relacionado
La actualidad más candente
La actualidad más candente(20)
Similar a Trends in Banking APIs
Similar a Trends in Banking APIs(20)
![[apidays LIVE HONK KONG] - Building an Integrated Supply Chain for APIs](https://cdn.slidesharecdn.com/ss_thumbnails/asanka-apidays-hkg-isca-210901070052-thumbnail.jpg?width=768&fit=bounds)
![[API Word 2021] - Quantum Duality of “API as a Business and a Technology”](https://cdn.slidesharecdn.com/ss_thumbnails/asanka-2021-apiworld-qdbata-v1-211108111307-thumbnail.jpg?width=768&fit=bounds)
Más de Tatsuo Kudo
Más de Tatsuo Kudo(20)
Último
Último(13)
Trends in Banking APIs
- 1. Financial APIs Workshop - Japan/UK Open Banking and APIs Summit 2018 Trends in Banking APIs Tatsuo Kudo
- 2. Preface • A couple of standardization efforts on banking APIs are emerging around the world, especially in Europe. This presentation summarizes how such standards define API access authorization and gives insights on future directions. 2
- 3. About me • Tatsuo Kudo https://www.linkedin.com/in/tatsuokudo – Sun Microsystems (1998-2008) – Nomura Research Institute (2008-2018) – OpenID Foundation Japan (2013-2014) – NRI SecureTechnologies (2014-2018) – Authlete (2018-) • VP of Solution Strategy 3
- 4. What are ”Banking APIs?” • They vary, such as: – Providing “Open Data” (e.g. branch location) – White-labeled banking services (e.g. “Bank as a Service”) – Providing bank accounts’ information and accepting transaction requests based on end-user consent 371 APIs are listed in Banking category Source: https://www.programmableweb.com/category/banking 4
- 5. Leveraging “OAuth 2.0” in Banking APIs • The framework is often utilized to enable API access authorization with customer’s consent 5 Actors in “OAuth 2.0” and a typical authorization flow Source: https://www.slideshare.net/tkudo/api-meetup-oauth
- 6. Who Defines Banking APIs • Bank defines its own spec • Industry groups and consortia define common spec • (Vendor defines its proprietary spec) 6 • Open Banking UK • Berlin Group NextGenPSD2 • Polish Bank Association • Slovak Banking Association • (France Stet)
- 7. Open Banking UK • FAPI Part 2 • Client Credentials Grant Type (OAuth 2.0) / OIDC Hybrid Flow • Request Object • Mutual TLS 7 Source: Open Banking Security Profile - Implementer's Draft v1.1.2 https://openbanking.atlassian.net/wiki/spaces/DZ/pages/83919096/Open+Banking+Security+Profile+-+Implementer+s+Draft+v1.1.2
- 8. Open Banking UK Account Information 1. PSU (Payment Service User) allows AISP (Account Information Service Provider) to make a request 2. AISP sends the request to ASPSP (Account Servicing Payment Service Provider) using POST /account-resource (Mutual TLS, Client Credentials Grant Type) 3. ASPSP provides PISP with “AccountRequestId” 4. AISP creates a Request Object that contains AccountRequestId and send it to ASPSP as authorization request (OIDC Hybrid Flow) 5. ASPSP authenticates PSU 6. ASPSP provides AISP with authorization code 7. AISP sends the code to ASPSP to obtain access token (Mutual TLS) 8. AISP sends a request using GET /accounts with the access token (Mutual TLS) 8 Source: Account and Transaction API - v2.0.0 https://openbanking.atlassian.net/wiki/spaces/DZ/pages/127009546/Account+and+ Transaction+API+Specification+-+v2.0.0
- 9. Open Banking UK Payment Initiation 1. PSU allows PISP (Payment Initiation Service Provider) to make a payment initiation request 2. PISP sends the request to ASPSP using POST /payments (Mutual TLS, Client Credentials Grant Type) 3. ASPSP provides PISP with ”PaymentId” 4. PISP creates a Request Object that contains PaymentId and send it to ASPSP as authorization request (OIDC Hybrid Flow) 5. ASPSP authenticates PSU 6. ASPSP provides PISP with authorization code 7. PISP sends the code to ASPSP to obtain access token (Mutual TLS) 8. PISP sends a request using POST /payment-submissions with the access token (Mutual TLS) 9. PISP optionally retrieves the status of a payment setup or submission 9 Source: Payment Initiation API - v1.1.0 https://openbanking.atlassian.net/wiki/spaces/DZ/pages/5786479/Payment+Initiation+API+Specification+-+v1.1.0
- 10. Other Payment Initiation with OIDC Hybrid Flow Example • Slovak Banking API Standard – Like OB UK, PISP obtains identifier of payment (orderId) from ASPSP, puts it in Request Object and invokes authorization request 10 Source: Slovak Banking API Standard Version 1.1 http://www.sbaonline.sk/files/subory/projekty/sbas/sbas_ver1.1-final.pdf
- 11. Other Payment Initiation with OIDC Hybrid Flow Example • MKB in Hungary – Utilizes Open Banking UK Security Profile – Like OB UK, PISP obtains identifier of payment (openbanking_intent_id) from ASPSP, puts it in Request Object and invokes authorization request 11 Source: Account and Transaction API Specification https://portal.sandbox.mkb.hu/api-documentation/account-info
- 12. Berlin Group “NextGenPSD2” • The spec defines four authn/authz flows in general – Redirect SCA Approach – OAuth2 SCA Approach – Decoupled SCA Approach – Embedded SCA Approach 12
- 13. Berlin Group “NextGenPSD2” Redirect / OAuth2 SCA Approach • PSU is redirected to ASPSP to confirm consent • “OAuth2” is a variant of Redirect – Redirection location is dynamically determined with Authorization Server Metadata 13 Source: NextGenPSD2 XS2A Framework Implementation Guidelines Version 1.1 https://docs.wixstatic.com/ugd/c2914b_5351b289bf844c6881e46ee3561d95bb.pdf
- 14. Berlin Group “NextGenPSD2” Decoupled SCA Approach • ASPSP confirms consent from PSU through a path bypassing PISP/AISP 14 Source: NextGenPSD2 XS2A Framework Implementation Guidelines Version 1.1 https://docs.wixstatic.com/ugd/c2914b_5351b289bf844c6881e46ee3561d95bb.pdf
- 15. Berlin Group “NextGenPSD2” Embedded SCA Approach • ASPSP confirms consent from PSU through PISP/AISP 15 Source: NextGenPSD2 XS2A Framework Implementation Guidelines Version 1.1 https://docs.wixstatic.com/ugd/c2914b_5351b289bf844c6881e46ee3561d95bb.pdf
- 16. Berlin Group “NextGenPSD2” Relation with OAuth 2.0 • The framework is positioned as “Optional Usage” • PISP/AISP eventually obtains access token from ASPSP as a result of “pre-step” and/or doing OAuth SCA Approach, and calls API (XS2A interface) with the token 16
- 17. Other Decoupled Authentication Example • Poland “PolishAPI” • Different approach from NextGenPSD2 – Utilizes OAuth 2.0 Authorization Code grant – TPP (Third-Party Provider) sends output from EAT (External Authorization Tool) to ASPSP 17 Source: PolishAPI Verison 2.0 https://docs.polishapi.org/files/ver2.0/PolishAPI-spec-v2.0-EN.pdf
- 18. Other Decoupled Authentication Example • France “STET” • Resource Owner Password Grant – AISP/PISP asks PSU to provide result of Strong Customer Authentication done by ASPSP, and send it to the ASPSP as “Password” 18 Source: PolishAPI Verison 2.0 https://www.stet.eu/assets/files/PSD2/1_3/API_DSP2_STET_V1_3.pdf
- 19. Conclusion • A flow of “intent” – TPP sends an intent to ASPSP using POST, crafts Request Object that contains identifier of the intent and makes an authorization request – is becoming a common practice. It is not only Open Banking UK but also other standardization initiatives • Mutual TLS authentication between TPP and ASPSP is a must • “Embedded” vs “Decoupled” 19
- 20. Thanks!