OAuth 2.0 Security Conformance
The Financial-Grade API 2.0 (FAPI 2.0) is an API security profile built on the OAuth 2.0 Authorization Framework; it is still in draft form, with its most recent update in 2024.
Ensuring that an OAuth 2.0 API call sequence is properly formed allows critical workflows to operate reliably. We evaluate a number of specific criteria required for a valid OAuth 2.0 sequence across the following endpoints.
Authorization endpoint
We review a variety of characteristics including HTTPS scheme, TLS, query parameters, tags, and URL fragments.
Token endpoint
We review a variety of characteristics including HTTPS scheme, TLS, header and body parameters, JWT criteria, and claims.
Resource server endpoint
We review a variety of characteristics including HTTPS scheme, TLS, header and body parameters, token type criteria, and claims.
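As an added illustration of the kind of per-endpoint checks listed above (example code written for this page, not the conformance checker itself), the following Python verifies an authorization request URL and the redirect back to the client. The rule set is an assumption modelled on the FAPI 2.0 Security Profile (HTTPS scheme, response_type=code, PKCE with S256, HTTPS redirect_uri, no fragment, no tokens returned from the authorization endpoint); the URLs are constructed samples.

```python
from urllib.parse import urlparse, parse_qs

# Assumed rule set modelled on FAPI 2.0; not the product's own checker.
REQUIRED_PARAMS = ("client_id", "redirect_uri", "response_type")


def check_authorization_request(url: str) -> list[str]:
    """Return conformance findings for an authorization request URL.
    An empty list means the request passed every check."""
    findings = []
    parts = urlparse(url)
    if parts.scheme != "https":
        findings.append("authorization endpoint must use the https scheme")
    if parts.fragment:
        findings.append("authorization request must not carry a URL fragment")
    # parse_qs yields lists; a repeated parameter is ambiguous, so flag it
    raw = parse_qs(parts.query, keep_blank_values=True)
    for name, values in raw.items():
        if len(values) > 1:
            findings.append(f"duplicate query parameter: {name}")
    q = {name: values[0] for name, values in raw.items()}
    for name in REQUIRED_PARAMS:
        if name not in q:
            findings.append(f"missing required parameter: {name}")
    if q.get("response_type", "code") != "code":
        findings.append("response_type must be 'code' (no implicit or hybrid flow)")
    if "code_challenge" not in q:
        findings.append("PKCE code_challenge is required")
    if q.get("code_challenge_method") != "S256":
        findings.append("PKCE code_challenge_method must be S256")
    if "redirect_uri" in q and urlparse(q["redirect_uri"]).scheme != "https":
        findings.append("redirect_uri must use the https scheme")
    return findings


def check_redirect_response(url: str) -> list[str]:
    """Check the redirect back to the client: only an authorization code may
    travel in the query, and no token may appear in query or fragment."""
    findings = []
    parts = urlparse(url)
    query = parse_qs(parts.query)
    fragment = parse_qs(parts.fragment)
    for name in ("access_token", "id_token"):
        if name in query or name in fragment:
            findings.append(f"{name} must not be returned from the authorization endpoint")
    if "code" not in query:
        findings.append("authorization code missing from redirect query")
    return findings


# Constructed sample inputs (not real endpoints).
GOOD_REQUEST = ("https://as.example/authorize?client_id=abc&response_type=code"
                "&redirect_uri=https%3A%2F%2Fapp.example%2Fcb&code_challenge=E9Melhoa"
                "&code_challenge_method=S256&state=xyz")
BAD_REQUEST = ("http://as.example/authorize?client_id=abc&response_type=token"
               "&redirect_uri=http%3A%2F%2Fapp.example%2Fcb")
```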