Joseph Heenan, CTO at Authlete and leader at the OpenID Foundation, dives into the development of the Financial-grade API (FAPI), a security upgrade for OAuth aimed at the financial sector. He explores its journey from financial applications to broader high-security uses. Alongside Gregor Vand, they discuss the rise of open banking in the UK, the need for security in financial APIs, and the impact of FAPI on user experiences across industries. They also highlight how Authlete simplifies FAPI implementation, even extending its benefits to healthcare data sharing.
Podcast summary created with Snipd AI
Quick takeaways
FAPI enhances OAuth security specifically for the financial sector by introducing stricter client authentication mechanisms and advanced cryptographic methods.
The application of FAPI is expanding beyond finance into industries like healthcare and insurance, promoting user-centric data management and interoperability.
Deep dives
Overview of FAPI
FAPI, or Financial-grade API, is an enhancement of the OAuth standard designed to address the unique security needs of the financial sector. Its primary aim is to create a consistent approach to API security, promoting better interoperability for financial data exchange. While initially focused on financial applications, FAPI has gained traction in other industries requiring robust authorization security. The shift from 'financial API' to 'financial-grade API' reflects its broader applicability, culminating in the recent simplification where 'FAPI' no longer represents an acronym.
Significant Use Cases of Open Banking
Open banking lets consumers manage their own financial data by sharing their banking information with third-party services in a controlled way. Countries such as the UK have implemented regulations enabling users to automatically synchronize bank data with accounting software, which improves efficiency and reduces errors. For instance, users can authorize transactions through modern apps without manual entry, improving accuracy and saving time. Open banking has also advanced areas such as tax collection, where it allows users to pay directly through their banking apps, streamlining the process and reducing back-office workload for government agencies.
FAPI’s Structure and Security Enhancements
FAPI operates atop the OAuth 2 framework, improving its security through specific profiles and recommendations designed to thwart known attacks. It addresses weaknesses in plain OAuth 2 deployments by requiring stronger client authentication mechanisms, such as mutual TLS (mTLS) and private_key_jwt client assertions, in place of shared client secrets. Because these methods rest on keys the client never transmits, the authorization server can be confident that only legitimate, registered clients reach sensitive data. Additionally, concepts like message signing and pushed authorization requests (PAR) prevent tampering with the authorization request and improve the user experience, making transactions safer and more reliable.
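To make the client-authentication point concrete, here is an added example (not code from Authlete, the OpenID Foundation, or this episode) of the private_key_jwt mechanism the paragraph mentions: the client signs a short-lived assertion with its own private key, and the authorization server verifies it against the public key it holds for that client_id. The client identifier `tpp-client-1`, the token endpoint `https://as.example/token`, the ES256 algorithm, the 60-second lifetime, and the in-memory `jti` replay cache are all assumptions chosen for the demo; a real server would check the registered JWK set and persist accepted `jti` values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// ClientAssertionClaims is the JWT payload a private_key_jwt client presents at
// the token endpoint (RFC 7523 / OpenID Connect Core client authentication).
type ClientAssertionClaims struct {
	Iss string `json:"iss"`
	Sub string `json:"sub"`
	Aud string `json:"aud"`
	Exp int64  `json:"exp"`
	Iat int64  `json:"iat"`
	Jti string `json:"jti"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// BuildClientAssertion signs a short-lived assertion with the client's private key.
// The key itself never leaves the client; only the signature crosses the wire.
func BuildClientAssertion(priv *ecdsa.PrivateKey, clientID, tokenEndpoint string, now time.Time) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "ES256", "typ": "JWT"})
	jti := make([]byte, 16) // unique per assertion so the server can reject replays
	if _, err := rand.Read(jti); err != nil {
		return "", err
	}
	claims, _ := json.Marshal(ClientAssertionClaims{
		Iss: clientID, Sub: clientID, Aud: tokenEndpoint,
		Iat: now.Unix(), Exp: now.Add(60 * time.Second).Unix(), Jti: b64(jti),
	})
	signingInput := b64(header) + "." + b64(claims)
	digest := sha256.Sum256([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	// JWS ES256 signatures are the raw r||s values, each left-padded to 32 bytes.
	sig := make([]byte, 64)
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return signingInput + "." + b64(sig), nil
}

// Verifier is the authorization server's view: the public key registered for each
// client_id, plus the set of jti values already accepted (replay defence).
type Verifier struct {
	TokenEndpoint string
	Keys          map[string]*ecdsa.PublicKey
	seenJTI       map[string]bool
}

func NewVerifier(tokenEndpoint string) *Verifier {
	return &Verifier{TokenEndpoint: tokenEndpoint, Keys: map[string]*ecdsa.PublicKey{}, seenJTI: map[string]bool{}}
}

// VerifyClientAssertion authenticates a client from its assertion and returns the
// client_id on success. Every failure path is an explicit error.
func (v *Verifier) VerifyClientAssertion(assertion string, now time.Time) (string, error) {
	parts := strings.Split(assertion, ".")
	if len(parts) != 3 {
		return "", errors.New("malformed JWT")
	}
	headerJSON, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return "", err
	}
	var header struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(headerJSON, &header); err != nil {
		return "", err
	}
	// Pin the algorithm: the token must never get to pick "none" or an HMAC alg.
	if header.Alg != "ES256" {
		return "", fmt.Errorf("unsupported alg %q", header.Alg)
	}
	claimsJSON, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return "", err
	}
	var c ClientAssertionClaims
	if err := json.Unmarshal(claimsJSON, &c); err != nil {
		return "", err
	}
	if c.Iss == "" || c.Iss != c.Sub {
		return "", errors.New("iss/sub mismatch")
	}
	pub, ok := v.Keys[c.Iss] // look up the key registered for this client, never a key from the token
	if !ok {
		return "", fmt.Errorf("unknown client %q", c.Iss)
	}
	if c.Aud != v.TokenEndpoint {
		return "", fmt.Errorf("bad aud %q", c.Aud)
	}
	if now.Unix() >= c.Exp {
		return "", errors.New("assertion expired")
	}
	if c.Jti == "" || v.seenJTI[c.Jti] {
		return "", errors.New("jti missing or replayed")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || len(sig) != 64 {
		return "", errors.New("malformed signature")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	r := new(big.Int).SetBytes(sig[:32])
	s := new(big.Int).SetBytes(sig[32:])
	if !ecdsa.Verify(pub, digest[:], r, s) {
		return "", errors.New("bad signature")
	}
	v.seenJTI[c.Jti] = true // only remember a jti once the signature has checked out
	return c.Iss, nil
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	as := NewVerifier("https://as.example/token")
	as.Keys["tpp-client-1"] = &priv.PublicKey // registration step, assumed out of band
	tok, _ := BuildClientAssertion(priv, "tpp-client-1", "https://as.example/token", time.Now())
	fmt.Println(as.VerifyClientAssertion(tok, time.Now())) // tpp-client-1 <nil>
	_, err := as.VerifyClientAssertion(tok, time.Now())    // same assertion again
	fmt.Println(err)                                      // jti missing or replayed
}
```

The contrast with a client secret is the point: a leaked assertion is useless after a minute and cannot be replayed even within that window, and a server that enforces the `aud` check will not accept an assertion minted for a different token endpoint. mTLS achieves the same binding at the transport layer instead of in a signed message.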
Prospects Beyond Financial Applications
FAPI's potential extends beyond banking, with emerging applications in sectors like healthcare and insurance where data privacy and interoperability are crucial. Successful implementations in these industries could allow users to share medical records seamlessly, helping healthcare providers access vital patient data more quickly. Similarly, open insurance initiatives may empower users to obtain competitive quotes without redundantly re-entering their data, improving overall market efficiency. These developments signal a growing trend towards user-centric data management, aligning with evolving regulations that favor open data sharing frameworks across industries.
FAPI is a refinement of the OAuth standard developed by the OpenID Foundation. It was conceived to solve the core problem of providing a consistent approach to API security across the financial industry, with the goal of enhancing the interoperability of financial data exchange. It has since been adopted across many different industries in applications where an API requires a heightened level of authorization security.
Authlete is a service that provides a set of APIs to implement OAuth Authorization Servers and OpenID Connect identity providers, allowing either to be easily made FAPI-compliant.
Joseph Heenan is the CTO at Authlete, and he also leads the certification program at the OpenID Foundation. He joins the podcast with Gregor Vand to talk about the origins of FAPI, the motivations for its creation, the status of FAPI development, and more.
Full Disclosure: This episode is sponsored by Authlete.
Software Engineering Daily listeners can get a free 90-day trial of Authlete at https://authlete.com/sed
Gregor Vand is a security-focused technologist, and is the founder and CTO of Mailpass. Previously, Gregor was a CTO across cybersecurity, cyber insurance and general software engineering companies. He has been based in Asia Pacific for almost a decade and can be found via his profile at vand.hk.