FAPI1Base

Financial-grade API Security Profile (FAPI) 1.0 – Part 1: Baseline

A secured OAuth profile that aims to provide specific implementation guidelines for security and interoperability. This document is an officially published standard.

Full text: https://openid.net/specs/openid-financial-api-part-1-1_0.html

Deprecated Features

This document deprecates a number of OAuth features. The OAuch tests related to these deprecated features are:

• Features.IsDeprecatedTlsSupportedTest
• Features.PlainPkceTest

Countermeasures

This document introduces a number of security countermeasures for OAuth. The OAuch tests related to these countermeasures are:

• AuthEndpoint.HasValidCertificateTest
• AuthEndpoint.IsHttpsRequiredTest
• AuthEndpoint.IsModernTlsSupportedTest
• TokenEndpoint.HasValidCertificateTest
• TokenEndpoint.IsHttpsRequiredTest
• TokenEndpoint.IsModernTlsSupportedTest
• ApiEndpoint.HasValidCertificateTest
• ApiEndpoint.IsHttpsRequiredTest
• ApiEndpoint.IsModernTlsSupportedTest
• Revocation.IsRevocationEndpointSecureTest
• Revocation.IsModernTlsSupportedTest
• IdTokens.ClientSecretLongEnoughTest
• IdTokens.SigningKeySecureTest
• TokenEndpoint.ClientKeySecureTest
• Pkce.IsPkceRequiredTest
• Pkce.HashedPkceDisabledTest
• Pkce.IsPkceDowngradeDetectedTest
• Pkce.IsPkceTokenDowngradeDetectedTest
• Pkce.IsPkcePlainDowngradeDetectedTest
• Pkce.ShortVerifierTest
• Pkce.PlainPkceDisabledTest
• AuthEndpoint.RedirectUriRequiredTest
• AuthEndpoint.RedirectUriPathMatchedTest
• AuthEndpoint.RedirectUriConfusionTest
• AuthEndpoint.RedirectUriFullyMatchedTest
• AuthEndpoint.CodePollutionTest
• TokenEndpoint.MultipleCodeExchangesTest
• Tokens.AuthorizationCodeEntropyMinReqTest
• Tokens.AuthorizationCodeEntropySugReqTest
• Tokens.RefreshTokenEntropyMinReqTest
• Tokens.RefreshTokenEntropySugReqTest
• Tokens.AccessTokenEntropyMinReqTest
• Tokens.AccessTokenEntropySugReqTest
• Tokens.ShortTokenTimeoutTest

Back to the documents overview