Financial-grade API & CIBA (Client Initiated Backchannel Authentication)

From IIW

Financial Grade API (FAPI) & CIBA (Client Initiated Backchannel Authentication)

Wednesday 9G

Convener: Taka Kawasaki

Notes-taker(s): Nat Sakimura

Tags for the session - technology discussed/ideas considered:



Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:

Taka went over his slide, explaining the FAPI and using his slide including the history, security enhancement etc.

Client Authentication

RFC6749 uses Basic Authentication (client_secret_basic) or Form Parameters (client_secret_post). 

However, they are not allowed in FAPI. Only jWT-based or certificate-based client authentication. 

JWT-based client authentication (RFC7523) generates JWT and passes it to the token endpoint using client_assertion. The JWT is signed using either (a) client secret (client_secret_jwt) or (b) client_key_jwt. 

Certificate-based client authentication establishes mutual TLS connect to the token endpoint and the client certificate is presented for the client authentication. 

Certificate bound access token.

A stolen bearer access token can be used. A certificate-bound access token is not. 

In the case of a Certificate-bound access token, the client certificate used at the token endpoint will be bound to access token. 


Reponse_mode=query.jwt, frangment.jwt, form_post.jwt, jwt. Does the enveloped signature instead of detached signature in the case of response_mode=code id_token


CIBA introduces three new authorization flows: Poll, Ping, and Push. 

This is a decoupled flow for user not in presence use-case.

Travis called out the danger of CIBA being phishiable due to the login_hint being required. 

Nat mentioned that it is still going through formal verification, and all the holes will be closed during the process. 

Several people predicted that in the end, it would become device flow.