Browsing by Author "Mohamed, Aly Mohamed Abdalkarim Salheen"
A prototype implementation of the OpenID Financial-grade API (2021), Mohamed, Aly Mohamed Abdalkarim Salheen. Open Access.

With the rise of the financial technology (FinTech) industry and the introduction of the Payment Services Directive 2 (PSD 2) [33], banks are moving towards digitization. With this comes the ability for third-party companies and service providers to offer bank account holders their services independently of the banks themselves. For example, one such provider might use machine learning to gauge the credit score of a bank account holder based on their transaction history. To provide their services, these third-party providers need to access the bank account holder's data. Methods such as screen scraping were used to provide this access. However, its insecurity and weaknesses in such a high-stakes, high-risk environment necessitated a secure alternative. With that in mind, the OpenID Financial-grade API (FAPI) specification describes a hardened version of the OAuth 2.0 Authorization Framework and the OpenID Connect Core 1.0 (OIDC) Authentication Layer. It makes use of several new extensions such as Pushed Authorization Requests (PARs) and Rich Authorization Requests (RARs), as well as JSON Web Signature (JWS), to offer non-repudiation, which is critical should, e.g., a client attempt to deny that it ever initiated a payment request. While the first version of the FAPI, namely FAPI 1.0, was finalized in early 2021, its successor, FAPI 2.0, is still in its infancy. Despite this, FAPI 2.0 is designed to provide the same strong security guarantees while mitigating the attacks that were discovered on the first version [17, 26]. As the specification is still being drafted, it has garnered relatively little public attention. Even so, end-users and developers alike, especially in the FinTech industry, should benefit from a demonstration of this new specification, specifically as a software implementation.
This thesis covers the development of a prototype for the FAPI 2.0 with which end-users can simulate the Baseline and Advanced profile flows. Developers can gain insight into the specifics of an example implementation of the profiles.