The existing Open Banking Security Profile was extended during 2018 to cover both redirect and decoupled flows, based on the OpenID Foundation's Financial-grade API (FAPI) and Client Initiated Backchannel Authentication (CIBA) profiles.
The OIDF Financial-grade API (FAPI) is a REST API that provides JSON data representing higher-risk data. These APIs are protected by the OAuth 2.0 Authorization Framework, which consists of [RFC6749], [RFC6750], [RFC7636], and other specifications. This profile describes security provisions for the server and client that are appropriate for Financial-grade APIs.
The CIBA part is a profile of the OpenID Connect Client Initiated Backchannel Authentication (CIBA) flow that supports the decoupled interaction method. This document profiles the CIBA specification to bring it in line with the other FAPI parts and provides security recommendations for its use with APIs that require financial-grade security.