An Outreach Workshop for Open Banking Chile

Published October 15, 2024

Mike Leszcz, OpenID Foundation Operations Director

This was a hybrid event, with some CMF and ecosystem members participating in person in Santiago. OIDF was very fortunate to have founding member and long-time board member John Bradley, of Yubico, representing OIDF in person. The goal of the workshop was to introduce OIDF and the OpenID specifications, with a focus on FAPI 2.0, to the ecosystem, as Chile will require FAPI 2.0 when the Chilean Open Finance System goes live.

OIDF Standards Overview

Victor Andrade, Senior Analyst with the CMF, opened the workshop by welcoming approximately 190 participants. Gail Hodges, OIDF Executive Director, kicked off the agenda with a brief introduction to OIDF, including how the Foundation operates and how it works with other ecosystems, and then highlighted how to get involved.

Mark Haine, OIDF Technical Director, presented an overview of current OpenID specifications, including recommendations for new vs. existing ecosystems. This introduced a deeper dive into FAPI 2.0, delivered by Domingos Creado, who represents the OIDF certification team and is a valued FAPI contributor. Domingos discussed key technical details of FAPI 2.0, including how it builds on FAPI 1.0 and is intended to be easier to implement. Domingos also confirmed that FAPI 2.0 is on track to be a Final Specification by the end of 2024.

At the request of the CMF, the workshop also included a high-level overview of the Shared Signals Framework (SSF) specification, which improves API efficiency and security by providing privacy-protected, secure webhooks. It is in use by some of the largest cloud services to communicate security alerts and user status changes continuously and securely, in order to prevent and mitigate security breaches. It is currently leveraged by two applications, the Continuous Access Evaluation Protocol (CAEP) and Risk Incident Sharing and Coordination (RISC), to achieve this result. Shared Signals WG co-chairs Atul Tulshibagwale, CTO at SGNL, and Sean O'Dell, Senior Staff Security Engineer at Disney, provided this overview and addressed SSF questions.

Joseph Heenan, OIDF Specifications Specialist and Certification Director as well as a FAPI 2.0 Editor, provided an overview of the OpenID Certification Program. This covered the value of certification, including how ecosystems that mandate FAPI and FAPI certification are achieving high security within their ecosystems while also enabling interoperability. He noted that FAPI 2.0 conformance tests and certifications are currently available, with a number of OP and RP certifications from the ConnectID private ecosystem in Australia. Joseph also highlighted that a number of other conformance test suites for other OpenID specifications are currently in development and will be made available for certification once in production.

Ecosystem Engagement

The workshop then turned to ecosystem engagement, facilitated by OIDF Operations Director Mike Leszcz. Mike spoke about the ecosystems that OIDF has partnered with in recommending or mandating FAPI adoption and FAPI certification. He noted that OIDF is also supporting some ecosystems that are in the process of going live with their open finance/open data ecosystems.

This overview introduced the strong partnership that OIDF has had with Open Finance Brazil (OFB) over the last several years, as OFB mandates FAPI adoption and certification, with annual recertification required. We were privileged to have Elcio Calefi, CIO at OFB and OIF board member, present "Technology in Finance - Innovation, Security and Inclusion", highlighting OFB's journey from including FAPI in the Brazilian open finance regulation to operationalizing the mandate for FAPI adoption and certification.

Questions Answered

After a lunch break, OIDF presenters and workshop participants reconvened for a Q&A session that addressed hot topics such as the lifecycle of the standards, the use of mTLS, the implementation of refresh tokens, and the practical aspects of changing the scope of authorizations or grants, among others. Other topics during this session included:

  • Certification costs and OIDF's recommendations regarding the implementation of certification processes.
  • Adaptations to the applicable profile(s) for Chile and OIDF's position on possible deviations that a local implementation may have from the plain vanilla standard.
  • OIDF recommendations regarding the use of RAR / PAR, especially in replay attack threat scenarios.
  • Questions on DCR single profile.
  • Inclusion of data finality principles and their relationship to the FAPI standard.
  • Questions on how OIDF has approached embedded finance for FAPI compliance, in particular where authorizations come from or are managed by third parties.

John Bradley, representing OIDF and an author of a number of the specifications being discussed, took the lead on many of the topics during the Q&A session, with support from the workshop presenters. The Q&A session allowed additional time for the Chilean Open Finance System participants to dive deeper into the workshop topics.

OIDF thanks our colleagues at the CMF for their support and coordination of these two important events in support of the Chilean Open Finance System.

Links to the session recordings and workshop deck can be found on the OpenID Foundation's Presentations and Media page.

About the OpenID Foundation

The OpenID Foundation (OIDF) is a global open standards body committed to helping people assert their identity wherever they choose. Founded in 2007, we are a community of technical experts leading the creation of open identity standards that are secure, interoperable, and privacy preserving. The Foundation's OpenID Connect standard is now used by billions of people across millions of applications. In the last five years, the Financial Grade API has become the standard of choice for Open Banking and Open Data implementations, allowing people to access and share data across entities. Today, the OpenID Foundation's standards are the connective tissue to enable people to assert their identity and access their data at scale, the scale of the internet, enabling "networks of networks" to interoperate globally. Individuals, companies, governments and non-profits are encouraged to join or participate.

Find out more at openid.net.