Ex FAPI-SIG (Financial-grade API Security : Special Interest Group)

FAPI-SIG is a group whose activity is mainly supporting Financial-grade API (FAPI) and its related specifications to keycloak.

FAPI-SIG is open to everybody so that anyone can join it anytime. Nothing special need not to be done to join it. Who want to join it can only access to the communication channels shown below. All of its activities and outputs are public so that anyone can access them.

FAPI-SIG mainly treats FAPI and its related specifications but not limited to. E.g., Ecosystems employing FAPI for their API Security like UK OpenBanking, Open Banking Brasil and Australia Consumer Data Right (CDR).

Since June 2023, FAPI-SIG is evolved into OAuth SIG. OAuth SIG will mainly treats OAuth/OIDC and its related security features like FAPI 2.0 to Keycloak.

Supporting OAuth/OIDC and its related security features to Keycloak.

Currently, proposed goals are as follows.

• OAuth 2.0 Rich Authorization Requests (RAR)

• OpenID for Verifiable Credential Issuance

• EU : PSD2/eIDAS - QWAC Verification Extension

Currently, proposed open works are as follows.

• Integrating FAPI conformance tests run into keycloak’s CI/CD pipeline

• Implement security profiles for Apps run on mobile devices

  • RFC 8252 OAuth 2.0 for Native Apps
  • OAuth 2.0 for Browser-Based Apps

• FAPI-RW App2App

FAPI related accomplishments by FAPI-SIG and OAuth SIG, other contributors and keycloak development team is as follows.​

• Client Policies​

• Lightweight Access Token
• OAuth Grant Type SPI

• Brazil : Open Banking Brasil Financial-grade API Security Profile

  mainly by keycloak development team.

• Client Initiated Backchannel Authentication (CIBA) poll mode​

• FAPI 1.0 Baseline Security Profile​
• FAPI 1.0 Advanced Security Profile​

• Client Initiated Backchannel Authentication (CIBA) ping mode​

  mainly by keycloak development team.

• FAPI JWT Secured Authorization Response Mode for OAuth 2.0 (JARM)​

  mainly by the contributor outside FAPI-SIG.

• FAPI Client Initiated Backchannel Authentication Profile (FAPI-CIBA)​

• RFC 9126 OAuth 2.0 Pushed Authorization Requests (PAR)

• OpenID Connect Logout 1.0 for Logout Profiles

  mainly by keycloak development team and the contributor outside FAPI-SIG.

• UK OpenBanking​ Security Profile

• RFC 9207 OAuth 2.0 Authorization Server Issuer Identification
• RFC 9449 OAuth 2.0 Demonstrating Proof of Possession (DPoP)
• FAPI 2.0 Security Profile Second Implementer’s Draft
• FAPI 2.0 Message Signing First Implementer’s Draft

• RFC 8032 Edwards-Curve Digital Signature Algorithm (EdDSA)
• The OAuth 2.1 Authorization Framework - Draft version 10

• Selective Disclosure for JWTs (SD-JWT)
• SD-JWT-based Verifiable Credentials (SD-JWT VC)
• JWT VC
• W3C Verfiable Credentials Data Format(VCDM)

• OpenID for Verifiable Credential Issuance

• OpenID Connect for Identity Assurance 1.0

The current environment uses the following software version.

• Keycloak version : 24.0.2
• Conformance-suite version : release-v5.1.16

• Client Authentication Method : MTLS, private_key_jwt​
• Signature Algorithm : PS256, ES256​
• Request Object Method : plain, PAR​
• Response Mode : plain, JARM​

Keycloak 15.0.2 have achieved certification for all 8 conformance profiles of FAPI 1 Advanced Final (Generic).

• Client Authentication Method : MTLS, private_key_jwt​
• Signature Algorithm : PS256, ES256​
• Mode : Poll, Ping

Keycloak 15.0.2 have achieved certification for all 4 conformance profiles of Financial-grade API Client Initiated Backchannel Authentication Profile (FAPI-CIBA).

• Client Authentication Method : MTLS, private_key_jwt​
• Signature Algorithm : PS256
• Request Object Method : plain, PAR​
• Response Mode : plain, JARM​

Keycloak 15.0.2 have achieved certification for 8 conformance profiles of Brazil Open Banking (Based on FAPI 1 Advanced Final) except for DCR (Dynamic Client Registration).

• Client Authentication Method : private_key_jwt​
• Signature Algorithm : PS256
• Request Object Method : PAR​
• Response Mode : plain
• ID token encryption : required

• Client Authentication Method : private_key_jwt​
• Signature Algorithm : PS256
• Request Object Method : plain, PAR​
• Response Mode : plain

Keycloak 15.0.2 have achieved certification for all 2 conformance profiles of Australia CDR (Based on FAPI 1 Advanced Final).

• Client Authentication Method : MTLS, private_key_jwt​
• Signature Algorithm : PS256
• Request Object Method : plain, PAR​
• Response Mode : plain

• Basic OP
• Implicit OP
• Hybrid OP
• Config OP
• Dynamic OP
• Form Post OP
• 3rd Party-Init OP

Keycloak 18.0.0 have re-achieved certification for 6 conformance profiles of Certified OpenID Providers except for 3rd Party-Init OP.

• Front-Channel OP
• Back-Channel OP
• Session OP
• RP-Initiated OP

Keycloak 18.0.0 have achieved certification for all 4 conformance profiles of Certified OpenID Providers for Logout Profiles.

Note: Session OP and Front-Channel OP of OpenID Provider for Logout Profile conformance tests cannot be automated. These can be passed manually.

• FAPI2SP MTLS + MTLS
  • Client Authentication Method : mtls
  • Sender Constrain : mtls
  • OpenID : plain_oauth
  • FAPI Profile : plain​
• FAPI2SP private key + MTLS
  • Client Authentication Method : private_key_jwt
  • Sender Constrain : mtls
  • OpenID : plain_oauth
  • FAPI Profile : plain​
• FAPI2SP OpenID Connect
  • Client Authentication Method : mtls
  • Sender Constrain : mtls
  • OpenID : openid
  • FAPI Profile : plain​

• FAPI2MS JAR
  • Client Authentication Method : mtls
  • Sender Constrain : mtls
  • OpenID : plain_oauth
  • FAPI Profile : plain​
  • FAPI Request Method : signed_non_repudiation
  • FAPI Response Mode : plain_response
• FAPI2MS JARM
  • Client Authentication Method : mtls
  • Sender Constrain : mtls
  • OpenID : plain_oauth
  • FAPI Profile : plain​
  • FAPI Request Method : signed_non_repudiation
  • FAPI Response Mode : jarm

To ensure that every keycloak version can pass conformance tests, we check if a new Keycloak version pass conformance tests that the older Keycloak version could pass whenever the new Keycloak version is released.

We tagged the environment for every keycloak verion:

Note: Keycloak legacy (wildfly) is no longer supported since keycloak 20.

*1 : Up to Implementer's Draft version 2, Open Banking Brazil Security Profile. From Implementer's Draft version 3, Open Finance Brazil Security Profile. Its conformance test is no longer supported since conformance suite version 5.1.11. Therefore, its conformance test is conducted by the conformance suite version 5.1.10.

*2 : Its conformance test is supported by conformance suite version 5.1.11.

*3 : Except for Dynamic Client Registration (DCR) conformance profile.

*4 : Except for 3rd Party-Init OP conformance profile.

*5 : ISSUE-25022

• Title: The Leading Edge of AuthN and AuthZ by Keycloak
• URL: https://kccnceu2024.sched.com/event/1YhiQ/the-leading-edge-of-authn-and-authz-by-keycloak-takashi-norimatsu-hitachi-thomas-darimont-codecentric-ag

• Title: Implementing OAuth 2.0-based Security Profiles on Open-source Software
• URL: https://www.openid.or.jp/summit/2024/en/

• Title: 10 Years of Keycloak - What's Next for Cloud-Native Authentication and OIDC?
• URL: https://kccncna2023.sched.com/event/1R2mH/10-years-of-keycloak-whats-next-for-cloud-native-authentication-and-oidc-alexander-schwartz-red-hat-takashi-norimatsu-hitachi-ltd

please see keyconf 23.

• Title: Securing APIs in Open Banking - Financial-grade API security profile implementation to open-source software
• URL: https://speakerdeck.com/apidays/apidays-paris-2022-securing-apis-in-open-banking-takashi-norimatsu-hitachi

• Title: Consideration on how to apply multiple FAPI and its related security profiles dynamically
• URL: https://www.youtube.com/watch?app=desktop&v=_ei7e8aOfkY

• Journal: IEICE Transactions on Information and Systems, Volume E106.D-9, pp.1364-1379, Institute of Electronics, Information and Communications Engineers (IEICE), Septempber 1, 2023.
• DOI: https://doi.org/10.1587/transinf.2022icp0004
• URL: https://www.jstage.jst.go.jp/article/transinf/E106.D/9/E106.D_2022ICP0004/_pdf

• Proceedings: Lecture Notes in Informatics (LNI) Proceedings of Open Identity Summit 2022, P-325, pp.87-98, DTU Compute, Lyngby, Denmark, July 7-8, 2022.
• DOI: https://doi.org/10.18420/OID2022_07
• DBLP: https://dblp.uni-trier.de/rec/conf/openidentity/NorimatsuNY22
• URL: https://dblp.uni-trier.de/rec/conf/openidentity/2022
• URL: https://dblp.uni-trier.de/db/conf/openidentity/openidentity2022.html#NorimatsuNY22

Not only OAuth SIG member but others can communicate with each other by the following ways.

• Slack : Cloud Native Computing Foundation (CNCF) slack's channel #keycloak-oauth-sig
• Mail : Google Group keycloak developer mailing list
• Chat : Zulip Chat stream (#dev-sig-fapi)
• Meeting : Web meeting on a regular basis

Please see conformance-tests-env.

• Apache License, Version 2.0