Security Profiles as Integral Parts of Trust Frameworks
A security profile is a set of configurations and rules that define how security is applied to protect data and ensure secure access to resources. In an API ecosystem, a security profile governs how client applications, authorization servers and resource servers exchange requests, tokens and data.
A security profile typically imposes specific requirements on the authorization server (and usually on clients and resource servers as well), narrowing the many options in OAuth 2.0 and OpenID Connect (OIDC) down to a fixed, interoperable set. Only client applications that authenticate using the prescribed methods and follow the prescribed flows can obtain an access token and call protected resources.
FAPI 1.0 Baseline and FAPI 1.0 Advanced
FAPI 1.0 Baseline Profile: Provides a basic level of security for APIs, focusing on essential OAuth and OpenID Connect features to mitigate common threats.
- OAuth 2.0 Compliance: Adherence to OAuth 2.0 standards for authorization, with PKCE (S256) required for the authorization code flow.
- Client Authentication: Confidential clients must authenticate to the token endpoint. FAPI 1.0 Baseline accepts mutual TLS, client_secret_jwt or private_key_jwt; simply sending a client ID and client secret in the request body is not sufficient.
- Authorization Server: Requirements for secure authorization server configuration, such as pre-registered exact redirect URIs and TLS 1.2 or later with a restricted cipher list.
FAPI 1.0 Advanced Profile: Enhances security beyond the baseline by enforcing additional authentication and authorization mechanisms, addressing more sophisticated attack vectors such as authorization request tampering and token theft.
- Enhanced Client Authentication: Only asymmetric methods are allowed, namely mutual TLS or private_key_jwt; client_secret_jwt is no longer accepted.
- Signed Request Objects: Authorization request parameters are carried in a signed JWT (JAR) or pushed to the server via PAR, so an attacker cannot alter them in the browser. Responses are protected with JARM or with the OIDC hybrid flow, where the ID token acts as a detached signature.
- Sender-Constrained Tokens: Access tokens are bound to the client's mutual TLS certificate (certificate-bound tokens, RFC 8705), so a leaked token cannot be replayed from another client. Note that this is distinct from the abandoned "Token Binding" browser protocol.
FAPI 2.0
FAPI 2.0 builds upon and surpasses FAPI 1.0 by reducing complexity while maintaining strong security guarantees. It consists of the FAPI 2.0 Security Profile (called the Baseline Profile in earlier drafts), a Message Signing profile layered on top of it, and an explicit Attacker Model that states the security goals and the attacker capabilities the profile is designed to withstand.
- Security Profile (Baseline) Requirements:
- OAuth 2.0 and OpenID Connect: Compliance with OAuth 2.0; OpenID Connect is optional and used only where identity claims are needed.
- Attacker Model: Every requirement in the profile is justified against the FAPI 2.0 Attacker Model, which assumes, among other things, that an attacker can read authorization requests and responses passing through the browser and can obtain leaked access tokens.
- Authorization and Resource Servers: Requirements for secure configuration of these components, including TLS settings, exact redirect URI matching and rejection of tokens that are not sender-constrained.
- Message Signing Profile Requirements:
- Non-Repudiation: Application-level signatures ensure that parties cannot later deny having sent or received a message, a requirement in ecosystems where authorization requests and API transactions must be auditable.
- Signed Requests and Responses: Authorization requests are signed with JAR, authorization responses with JARM, and resource requests and responses with HTTP message signatures, so integrity and authenticity survive beyond the TLS connection.
- General Security Requirements:
- Strong Customer Authentication (SCA): The user is authenticated to a level of assurance appropriate for the operation, typically with multi-factor authentication.
- Client Authentication: Clients authenticate with mutual TLS or private_key_jwt only; shared-secret methods are not permitted.
- Pushed Authorization Requests (PAR) with PKCE: Authorization request parameters are pushed directly to the authorization server over an authenticated back channel, and the authorization code is protected with PKCE using the S256 method. Signing of the request object is added by the Message Signing profile.
- Sender-Constrained Tokens: Access tokens are bound to the client with mutual TLS (certificate-bound tokens) or DPoP, so a stolen token cannot be used by another party.
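To make the FAPI 2.0 requirements above concrete, here is a small Python model of the checks an authorization server and a resource server would apply: client-side PKCE generation, validation of a pushed authorization request against the profile's rules, constant-time verification of the code_verifier at the token endpoint, and the certificate-bound token check on the resource server. This is an added example, not code from the FAPI specifications or any product; the client registry, the request parameters and the certificate bytes are constructed inline, and a real server would additionally verify the private_key_jwt signature and the TLS client certificate.

```python
"""Checks modelled on the FAPI 2.0 Security Profile (added illustration).

Constructed data only: the client registry, request parameters and
certificate bytes below are invented for the example.
"""
import base64
import hashlib
import hmac
import secrets

JWT_BEARER = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"

# Constructed client registry. FAPI 2.0 clients register exact redirect URIs
# and an asymmetric client authentication method (private_key_jwt or MTLS).
REGISTERED_CLIENTS = {
    "bank-app": {
        "redirect_uris": {"https://app.example/cb"},
        "token_endpoint_auth_method": "private_key_jwt",
    },
    "legacy-app": {
        "redirect_uris": {"https://legacy.example/cb"},
        "token_endpoint_auth_method": "client_secret_post",  # not allowed by FAPI 2.0
    },
}


def b64url(data: bytes) -> str:
    """Base64url without padding, as used by PKCE and JOSE."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_pkce() -> tuple[str, str]:
    """Client side: a 256-bit random code_verifier and its S256 challenge."""
    verifier = b64url(secrets.token_bytes(32))
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def check_par_request(params: dict) -> list[str]:
    """PAR endpoint: return every way the pushed request violates the profile."""
    errors = []
    client = REGISTERED_CLIENTS.get(params.get("client_id"))
    if client is None:
        return ["unknown client_id"]
    auth = client["token_endpoint_auth_method"]
    if auth not in ("private_key_jwt", "tls_client_auth"):
        errors.append("client must authenticate with private_key_jwt or MTLS")
    if auth == "private_key_jwt" and (
        params.get("client_assertion_type") != JWT_BEARER
        or not params.get("client_assertion")
    ):
        errors.append("private_key_jwt client assertion missing at PAR endpoint")
    if params.get("response_type") != "code":
        errors.append("only response_type=code is allowed")
    if params.get("redirect_uri") not in client["redirect_uris"]:
        errors.append("redirect_uri must exactly match a registered value")
    if params.get("code_challenge_method") != "S256" or not params.get("code_challenge"):
        errors.append("PKCE with S256 is mandatory (plain is rejected)")
    return errors


def check_code_verifier(code_verifier: str, stored_challenge: str) -> bool:
    """Token endpoint: recompute S256(code_verifier) and compare in constant time."""
    expected = b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())
    return hmac.compare_digest(expected, stored_challenge)


def cert_thumbprint(cert_der: bytes) -> str:
    """x5t#S256 value placed in the token's cnf claim (RFC 8705)."""
    return b64url(hashlib.sha256(cert_der).digest())


def check_sender_constraint(token_claims: dict, presented_cert_der: bytes) -> bool:
    """Resource server: accept a certificate-bound token only when it is
    presented over mTLS with the certificate it was bound to. A token with
    no cnf binding is rejected, since FAPI 2.0 tokens must be sender-constrained
    (a DPoP deployment would compare cnf.jkt against the DPoP proof key instead)."""
    bound = token_claims.get("cnf", {}).get("x5t#S256")
    if bound is None:
        return False
    return hmac.compare_digest(bound, cert_thumbprint(presented_cert_der))


if __name__ == "__main__":
    verifier, challenge = make_pkce()
    request = {
        "client_id": "bank-app", "response_type": "code",
        "redirect_uri": "https://app.example/cb",
        "code_challenge": challenge, "code_challenge_method": "S256",
        "client_assertion_type": JWT_BEARER,
        "client_assertion": "eyJ.constructed.assertion",  # would be verified in practice
    }
    print("PAR errors:", check_par_request(request))
    print("PKCE ok:", check_code_verifier(verifier, challenge))
    cert = b"constructed-client-certificate-der"
    token = {"cnf": {"x5t#S256": cert_thumbprint(cert)}}
    print("bound token accepted:", check_sender_constraint(token, cert))
    print("replay from other cert:", check_sender_constraint(token, b"other-cert"))
```

The same request run against the "legacy-app" registration fails on the client authentication rule alone, which is the practical difference between a FAPI 1.0 Baseline deployment that still tolerates shared secrets and a FAPI 2.0 deployment that does not.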
Superiority of FAPI 2.0
- Stronger Security Enforcement: Implements the latest OAuth and OIDC security best practices, including improved protection against token leakage and unauthorized access.
- More Predictable Access Control: Reduces optionality, enforcing stricter requirements for client authentication and token issuance.
- Enhanced Developer Experience: Lowers implementation complexity while maintaining high security standards, reducing integration effort.
- Flexibility: Allows for optional use of OpenID Connect, simplifying adoption for use cases that do not require full identity federation.
In summary, FAPI 2.0 represents a significant improvement over FAPI 1.0 Baseline and FAPI 1.0 Advanced. By reducing complexity, enforcing stricter security controls, and improving client authentication and message integrity, it provides a more robust framework for securing APIs in high-value transactions.