Roland Guijt

Featured Speaker

Microsoft MVP, Pluralsight author, ASP.NET insider

Roland is a Microsoft MVP, ASP.NET Insider and Pluralsight author with a constant curiosity about new techniques in software development. His focus is on all things .NET and browser technologies. As a long-time trainer and speaker, he has led many courses on these topics and spoken about them at many international conferences. He's currently working with Duende Software to help build out their products.

Sessions

How Banks Protect Their Applications with FAPI

Advanced English

FAPI is a security profile that protects APIs in high-value scenarios where heightened security is needed. To be considered FAPI 2.0 compliant, your implementation must use the right set of OAuth's best current practices. Some of these practices are to use sender-constrained access tokens, to support only confidential clients and not public clients, to use private_key_jwt instead of client secrets, and to practice the principle of least privilege when using access tokens. In this session you'll learn the concepts behind each part and see a practical example of how it is implemented on both the identity provider and the client. You might come to the conclusion at the end of the session that your organization needs to be FAPI compliant, but if not, you'll take away at least one tip that will make a big difference in protecting your application landscape.