FAPI checklist
This checklist extends the minimal deployment checklist with the required configurations for setting up the Connect2id server for the strong FAPI RW security profile (draft-06).
1. TLS terminator / HTTPS reverse proxy
- Make sure TLS 1.2 or later is used, and disable all weak ciphers.
For OpenSSL (e.g. with Apache httpd):
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM
SSLProtocol -all +TLSv1.2
- Configure your TLS terminator / HTTPS reverse proxy to support self-signed client X.509 certificates. If a client certificate is found, it must be passed to the Connect2id server in a special HTTP header. More instructions can be found in the TLS guide.
For Apache httpd:
SSLVerifyClient optional_no_ca
SSLVerifyDepth 5
RequestHeader set Sec-Client-X509-Cert-liede5vaePeeMiYie0xu2jaudauleing ""
RequestHeader set Sec-Client-X509-Cert-liede5vaePeeMiYie0xu2jaudauleing "%{SSL_CLIENT_CERT}s"
2. Connect2id server configuration
Required Connect2id server configuration settings for FAPI RW profile conformance. Assumes Connect2id server 9.5.
- If public OAuth clients will be supported, make the PKCE security extension with the S256 code challenge method required:
op.authz.requiredPKCE=S256
- Support and advertise one or more ACRs at LoA 2 or higher. Example configuration for some ACR:
op.authz.advertisedACRs=urn:mace:incommon:iap:silver
- Require redirection URIs to use the https scheme:
op.reg.rejectNonTLSRedirectionURIs=true
- Make sure only PS256 or ES256 signed ID tokens can get issued:
op.idToken.jwsAlgs=PS256,ES256
- Include a state hash in the issued ID tokens:
op.idToken.includeStateHash=true
- Allow only the code id_token and code id_token token response types:
op.authz.responseTypes=code id_token,code id_token token
- Make sure only PS256 or ES256 signed request objects get accepted:
op.authz.requestJWSAlgs=PS256,ES256
- Require an exp (expiration) claim in the request objects:
op.authz.requireRequestJWTExpiration=true
- Require all authorisation request parameters to be present in the request object:
op.authz.requireAllParamsInRequestJWT=true
- Prohibit clients from switching between the query and fragment response modes by setting the response_mode authorisation request parameter:
op.authz.prohibitSwitchBetweenBasicResponseModes=true
- Allow only mTLS and private key JWT client authentication at the token endpoint for confidential clients:
op.token.authMethods=private_key_jwt,self_signed_tls_client_auth
If public clients are going to be allowed, add none:
op.token.authMethods=private_key_jwt,self_signed_tls_client_auth,none
- Require clients to present an X.509 client certificate at the token endpoint to ensure the issued access tokens are certificate bound:
op.token.requireClientX509Cert=true
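As an added example, not part of the Connect2id documentation, the following Python script audits a Connect2id server properties file against the settings listed above and reports every deviation. The property names and required values are the checklist's own; the key=value file format and the two sample configurations are assumptions constructed for the example.

```python
# Added example (not from the Connect2id documentation): audits a Connect2id server
# properties file against the FAPI RW settings in section 2. Property names and the
# required values are the checklist's; the key=value file format and both sample
# configurations below are assumptions / constructed for this example.
ALLOWED_ALGS = {"PS256", "ES256"}
ALLOWED_RESPONSE_TYPES = {"code id_token", "code id_token token"}
ALLOWED_AUTH_METHODS = {"private_key_jwt", "self_signed_tls_client_auth", "none"}
MUST_BE_TRUE = ("op.reg.rejectNonTLSRedirectionURIs", "op.idToken.includeStateHash",
                "op.authz.requireRequestJWTExpiration", "op.authz.requireAllParamsInRequestJWT",
                "op.authz.prohibitSwitchBetweenBasicResponseModes", "op.token.requireClientX509Cert")
ALLOW_LISTS = (("op.idToken.jwsAlgs", ALLOWED_ALGS), ("op.authz.requestJWSAlgs", ALLOWED_ALGS),
               ("op.authz.responseTypes", ALLOWED_RESPONSE_TYPES), ("op.token.authMethods", ALLOWED_AUTH_METHODS))

def parse_properties(text):
    """Minimal Java-style properties parser: key=value lines, '#' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def _listed(props, key):
    """A comma-separated property as a set of values (empty if unset)."""
    return {v.strip() for v in props.get(key, "").split(",") if v.strip()}

def audit_fapi(props):
    """Return (property, problem) pairs; an empty list means the checklist is met."""
    findings = []
    for key in MUST_BE_TRUE:
        if props.get(key, "").lower() != "true":
            findings.append((key, f"must be true, found {props.get(key, '<unset>')!r}"))
    for key, allowed in ALLOW_LISTS:   # every listed value must be in the FAPI set, list must be explicit
        values = _listed(props, key)
        if not values or values - allowed:
            findings.append((key, f"only {sorted(allowed)} allowed, found {sorted(values)}"))
    # Public clients (auth method 'none') are acceptable only with PKCE S256 enforced
    if "none" in _listed(props, "op.token.authMethods") and props.get("op.authz.requiredPKCE") != "S256":
        findings.append(("op.authz.requiredPKCE", "must be S256 when public clients are allowed"))
    if not _listed(props, "op.authz.advertisedACRs"):
        findings.append(("op.authz.advertisedACRs", "must advertise at least one ACR at LoA 2 or higher"))
    return findings

WEAK_PROPERTIES = "\n".join((   # constructed: a non-FAPI setup leaving most checklist settings unset
    "op.authz.responseTypes=code,code id_token", "op.idToken.jwsAlgs=RS256,PS256",
    "op.authz.requestJWSAlgs=RS256", "op.token.authMethods=client_secret_basic,private_key_jwt,none",
    "op.reg.rejectNonTLSRedirectionURIs=false", "op.token.requireClientX509Cert=false"))
FAPI_PROPERTIES = "\n".join((   # the section 2 values as one file (confidential clients only)
    "op.authz.requiredPKCE=S256", "op.authz.advertisedACRs=urn:mace:incommon:iap:silver",
    "op.reg.rejectNonTLSRedirectionURIs=true", "op.idToken.jwsAlgs=PS256,ES256",
    "op.idToken.includeStateHash=true", "op.authz.responseTypes=code id_token,code id_token token",
    "op.authz.requestJWSAlgs=PS256,ES256", "op.authz.requireRequestJWTExpiration=true",
    "op.authz.requireAllParamsInRequestJWT=true", "op.authz.prohibitSwitchBetweenBasicResponseModes=true",
    "op.token.authMethods=private_key_jwt,self_signed_tls_client_auth", "op.token.requireClientX509Cert=true"))

if __name__ == "__main__":
    for key, problem in audit_fapi(parse_properties(WEAK_PROPERTIES)):
        print(f"{key}: {problem}")
```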
3. Authorisation
When authorising requests:
- Make sure the end-user is authenticated at the configured LoA 2 or higher level and the acr parameter for the user session is set to it. This will also set the acr claim in the issued ID token.
- Always require explicit consent by the end-user to authorise the requested scope, unless it was previously authorised and the consent persisted.
- When submitting the consent make sure the access token type is set to identifier-based (access_token -> encoding).
4. FAPI certification test suite
We recommend running the FAPI certification tests before putting a deployment into production.
To set up the certification tests, two OAuth 2.0 clients need to be registered with the Connect2id server and their client IDs, redirection URIs and keys saved in the certification panel.
4.1 For client authentication type: private_key_jwt
Client 1
Sample client metadata to register the first client with the Connect2id server.
Note: The c2id in the redirection URI must be replaced with the test alias from the certification panel.
{
"preferred_client_id" : "agpellrjakyzi",
"grant_types" : [ "authorization_code", "refresh_token" ],
"response_types" : [ "code id_token" ],
"redirect_uris" : [ "https://www.certification.openid.net/test/a/c2id/callback" ],
"request_object_signing_alg" : "PS256",
"id_token_signed_response_alg" : "PS256",
"token_endpoint_auth_method" : "private_key_jwt",
"token_endpoint_auth_signing_alg" : "PS256",
"jwks" : {
"keys" : [ {
"kty" : "RSA",
"alg" : "PS256",
"use" : "sig",
"kid" : "fapi--2115596559",
"x5c" : [ "MIICozCCAYugAwIBAgIJAMGhzYtwkpbsMA0GCSqGSIb3DQEBCwUAMBExDzANBgNVBAMMBmNsaWVudDAeFw0xOTA3MjQwOTA2MzVaFw0yMDA3MjMwOTA2MzZaMBExDzANBgNVBAMMBmNsaWVudDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJ4baw1W6WJl1BdsoTPWN//UvcsqDtN1SwoiYhLmP6uBlRPLxU/F3bkSMQxB6J4yaaMW86tThUlEiRjm+VRvGK6QmmYyyb9Cyv3YSbNNXNz00Zb3t93cBENqqypzOo1HzpMbY4/6GnJ4cETbuqbVgY0TungTCJjRgqOpho30p6BfevuLLV2SNYyqi499bYYy1kFTyt0iHRDzgkBbrYt6CtASsor+0eeSLi8NxPXQ+nx8LtvOEepyy7M3ejhqqpIHXXv14PQyhB+N4SArdHm7Od7+S8PagUamQ4MLTIcjv4Eo0Kgs/FciK3Nx2gXO6o1R/NN9hRJ1pFqkzYzlXl0mnyUCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAGW8rpIKNQuKdUMiJLoiLce0G4lFq0DoQJ7NXKIVclig3kx8kF6X5IcohhLApAKcarghG6GjDXT7nGTEWwYy2QG+ML/z2dRT6znCS0zSiodM1tdSo2WsveZCYGYWbknZpMR/tfJhD29mSu61O8aiyVIXh5FL5givpsu+w1oMqZ0ADsCQN+3GKit+ybzgyAatCKldwCE4qp79I5T4Dxi5EADDjs8PUnwYZm8YdR7CP3N1Ubq99/PfWNxt8XlKunK1f+BjBKENi+rIrvYNBHxWK9Fn7KLR7slWf0HaXHU4QbdEWkBsJ8HbMyg+/HN/eNX+lrSNJ1i1GRKWrDTTlS1pcTQ==" ],
"n" : "nhtrDVbpYmXUF2yhM9Y3_9S9yyoO03VLCiJiEuY_q4GVE8vFT8XduRIxDEHonjJpoxbzq1OFSUSJGOb5VG8YrpCaZjLJv0LK_dhJs01c3PTRlve33dwEQ2qrKnM6jUfOkxtjj_oacnhwRNu6ptWBjRO6eBMImNGCo6mGjfSnoF96-4stXZI1jKqLj31thjLWQVPK3SIdEPOCQFuti3oK0BKyiv7R55IuLw3E9dD6fHwu284R6nLLszd6OGqqkgdde_Xg9DKEH43hICt0ebs53v5Lw9qBRqZDgwtMhyO_gSjQqCz8VyIrc3HaBc7qjVH8032FEnWkWqTNjOVeXSafJQ",
"e" : "AQAB"
} ]
}
}
The private client JWK set:
{"keys":[{"d":"UiZk5TV3Zk0KenFTASAZULA1PU7JDU4wgz-CPdes1WwrDXIfP2fL4NF28qt8NlZzVO4kBa0L4BngMjQw8JIY_PrdfqR89we5eVPcV3GnApeiHxLvUjNzc6QE87WTgr0AtKbSgIivHTM_Akg5H15oRekuRh19pgmWG3uGElRAlK62hXVjpqZ8nLq1JraCsCU4rp9cnMfvcMa_ZyxuIFmCEz6A-ynbyjW_WWxPlY7RJxZD9LQ82iquj_JMsLUM4F4DRK-sN2aeVjY0AUQFiRSs8dNP9ZzyITh5uXSlcQgxbT4Iw63jDrSWVC1iWj6GxTN8-Z1j_U_4h0S3D7wWUBfhsQ","e":"AQAB","use":"sig","kid":"fapi--2115596559","x5c":["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"],"dp":"ZVUr2jFwtsGuYpQRrLXNo0EfnxjlbJLFfqQv4qHeEzLT5A2rl8SDAJQVfYhw3QkLCmZKZpzuhSvSJoxF9d5Ldg3y_6jnVA_rxnSGkcSF5pAEOtDVwkcQKvieDvNZ4FnqbTh075CeeXH7yCUAiyWUeZG2865jvHeJop3B7V3BvcU","dq":"SFEn9etlBD9NDs1qBE175fj2Z-nrIioOHDAMULW6T9yd7mAp14sOAwOLZLj-RqviBsFqWbNENraVEqNXSQonp7Azwteup_aguYvQ99XBtPZhUpUHLC4OHgVsVPJW3k3rPn0FqjfxjKKDKRx-399avmfMj49GmBbmN4AESq1KrbM","n":"nhtrDVbpYmXUF2yhM9Y3_9S9yyoO03VLCiJiEuY_q4GVE8vFT8XduRIxDEHonjJpoxbzq1OFSUSJGOb5VG8YrpCaZjLJv0LK_dhJs01c3PTRlve33dwEQ2qrKnM6jUfOkxtjj_oacnhwRNu6ptWBjRO6eBMImNGCo6mGjfSnoF96-4stXZI1jKqLj31thjLWQVPK3SIdEPOCQFuti3oK0BKyiv7R55IuLw3E9dD6fHwu284R6nLLszd6OGqqkgdde_Xg9DKEH43hICt0ebs53v5Lw9qBRqZDgwtMhyO_gSjQqCz8VyIrc3HaBc7qjVH8032FEnWkWqTNjOVeXSafJQ","p":"z-jMp2K_CSv6EkK_O5uc4oM8o8HHhoBYXQvNNeM_4mKzGYPFojsa9B16XNsSfkrKy4wuM_X5kruRCKi503D3ptNeFmAywXbzRqR3XuaXXvzM8CfiiA-p-OvkTF-rAva1miysmdv7qBmwOXRUDrtP_oLE6X1sM_Xau9LVoNEj0jc","kty":"RSA","q":"wq2dKmGX_3TfXxjAaOW-sWfYN_ImzZc0kc9GxE3N8R6r6v2zC2Bu2u2c13IdQCgibzom4IXnTzNdsgrZ6ATNaIMZ_qtQOBUJyrErsDHm2r6WBjqW_o0fCDUw7rrmkdu834_9jWs-xexrAHg2ju3eAuhx5bBAhDd2Rag8Qtpr24M","qi":"CyqqP_PWItoMy0_Y5tZeIynarnI0ISrhixyDJTpuLS-QwzYzUGwx_UloOP0fvMrMZMJAGmgaOZAdbGyhaFShPHjlIYAlFmV8pFUbBCwS7EoSsc0DWmTj54RTzpDpcBrWTZ2x84TwqARODulJiF2KvatMy-le5zZFI1egxvaTUEM","alg":"PS256"}]}
The PEM-encoded client certificate:
-----BEGIN CERTIFICATE-----
MIICozCCAYugAwIBAgIJAMGhzYtwkpbsMA0GCSqGSIb3DQEBCwUAMBExDzANBgNVBAMMBmNsaWVudDAeFw0xOTA3MjQwOTA2MzVaFw0yMDA3MjMwOTA2MzZaMBExDzANBgNVBAMMBmNsaWVudDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJ4baw1W6WJl1BdsoTPWN//UvcsqDtN1SwoiYhLmP6uBlRPLxU/F3bkSMQxB6J4yaaMW86tThUlEiRjm+VRvGK6QmmYyyb9Cyv3YSbNNXNz00Zb3t93cBENqqypzOo1HzpMbY4/6GnJ4cETbuqbVgY0TungTCJjRgqOpho30p6BfevuLLV2SNYyqi499bYYy1kFTyt0iHRDzgkBbrYt6CtASsor+0eeSLi8NxPXQ+nx8LtvOEepyy7M3ejhqqpIHXXv14PQyhB+N4SArdHm7Od7+S8PagUamQ4MLTIcjv4Eo0Kgs/FciK3Nx2gXO6o1R/NN9hRJ1pFqkzYzlXl0mnyUCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAGW8rpIKNQuKdUMiJLoiLce0G4lFq0DoQJ7NXKIVclig3kx8kF6X5IcohhLApAKcarghG6GjDXT7nGTEWwYy2QG+ML/z2dRT6znCS0zSiodM1tdSo2WsveZCYGYWbknZpMR/tfJhD29mSu61O8aiyVIXh5FL5givpsu+w1oMqZ0ADsCQN+3GKit+ybzgyAatCKldwCE4qp79I5T4Dxi5EADDjs8PUnwYZm8YdR7CP3N1Ubq99/PfWNxt8XlKunK1f+BjBKENi+rIrvYNBHxWK9Fn7KLR7slWf0HaXHU4QbdEWkBsJ8HbMyg+/HN/eNX+lrSNJ1i1GRKWrDTTlS1pcTQ==
-----END CERTIFICATE-----
The PEM-encoded private key:
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
The client scope for the issued tokens can be set to:
openid offline_access
The resource URL can be set to the UserInfo endpoint of the Connect2id server, for example:
https://fapi.c2id.com/c2id/userinfo
Client 2
Sample client metadata to register the second client with the Connect2id server.
Note: The c2id in the redirection URI must be replaced with the test alias from the certification panel.
{
"preferred_client_id" : "mdcvgzq6bhjjc",
"grant_types" : [ "authorization_code", "refresh_token" ],
"response_types" : [ "code id_token" ],
"redirect_uris" : [ "https://www.certification.openid.net/test/a/c2id/callback?dummy1=lorem&dummy2=ipsum" ],
"request_object_signing_alg" : "PS256",
"id_token_signed_response_alg" : "PS256",
"token_endpoint_auth_method" : "private_key_jwt",
"token_endpoint_auth_signing_alg" : "PS256",
"jwks" : {
"keys" : [ {
"kty" : "RSA",
"alg" : "PS256",
"use" : "sig",
"kid" : "fapi-566984082",
"x5c" : ["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" ],
"n" : "m-8SSAYDEnjNFkjFkOY_xUJHh2Tk_ghDDpU4djBwatcZqohs2H9G0bWm4YAYfIFMypFDg9elaJGRaADMnVQ-269ULB5Nr0s8qigcfLXfmLtzWG7CEGF1WgBBbEEbBLPARw1PqBThNc6a6klrGB6xXtzFLt6eAnWeEYjBVlec0wMroHKxGsNAYnQtdprp2uCiVIFUJ3CFy40qg90y-VQo1IjEPedgAZgCeSzIUBtxzQmNL0mPyi3Uyr_mXM_Ykt_N1lwNS_KsDR9uYF1c9k-6oFRR4VetzANttek3ZODWRC_ztRumyfC-k8BfL6nPWLjW6m15v2n1D8i1kscxczJwqQ",
"e" : "AQAB"
} ]
}
}
The private client JWK set:
{"keys":[{"d":"fIgSboi2nWLyTvCxL4ZiuXO0UlHme2Y3v4a2f9UxgnHkooevfbsv4L0U2JSHea99l20poTpwdDGFEa1JvAAS7zl3nIBbBDqu6Sl9jq9lMcHKXX6e55wdr1Hy7bSVEk1Hqrbbvd1m-qTUnXUi3TFt79eadlL9l_M82L4BwaXYrb9a4d2Wug7GOuCxg8wA7QjUNtgrx5eCnE3cnbq2u3GGqf1hXeOjG12hfOYajsk2uKg6gmHUIRVHE0NP2nQL_9CX38wUovQ2mVEScEvbxDrNgxv1CtKJuFchoKV0xeCADbIHLC2PSP01wWXmUK-dmFJfX5WmMgPMmIiKQ5QCyHDtgQ","e":"AQAB","use":"sig","kid":"fapi-566984082","x5c":["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"],"dp":"hbS6vTLbqVav5gFsc3bHjMvw6XBarvOQnVJyJWYVhWVB1gJdmYwGrnFRPl8Oetzjw0e6qUpdlP26sFOnx7G10yCze6m6xtlS5AuX1biGO78DnUXdSGm0MKBVS7DeYCLVpOva6kZdEiO-K5h4LyvoJTRKUu9e-hvXjcyc392789k","dq":"FVNXtNDEV9ELMXMjA6xEecZDeZ7CFCeP92PdErJorKGVYDnDWesN17BfxMslW50bzKJaGRMaqJsUXzuJEBeNG10C2naOtquuBZqHw9R_VR_MBVSCnIlEl_aJm-icMat6J3AVkPpnNi8xR4DEzQwwRwjt1Jt1Q4mbkHGj838JetE","n":"m-8SSAYDEnjNFkjFkOY_xUJHh2Tk_ghDDpU4djBwatcZqohs2H9G0bWm4YAYfIFMypFDg9elaJGRaADMnVQ-269ULB5Nr0s8qigcfLXfmLtzWG7CEGF1WgBBbEEbBLPARw1PqBThNc6a6klrGB6xXtzFLt6eAnWeEYjBVlec0wMroHKxGsNAYnQtdprp2uCiVIFUJ3CFy40qg90y-VQo1IjEPedgAZgCeSzIUBtxzQmNL0mPyi3Uyr_mXM_Ykt_N1lwNS_KsDR9uYF1c9k-6oFRR4VetzANttek3ZODWRC_ztRumyfC-k8BfL6nPWLjW6m15v2n1D8i1kscxczJwqQ","p":"_qISCB7VdSFjYic42S9MLh5KJdgsF_DSNFG8fzWevO2JuoGCzNbAjktLtHOFF2fvhC5BbTSX11FyoPQuHgUsizfhFgVrPPqHxdhZVn8abtYTgd_eEKu6PTKQCPkD5emuZE3uJbIbuL1uJSP3VplBE995FGNewx4S1T_ADrgOPDk","kty":"RSA","q":"nMVdEmuaIjYhGDd98P1kIfaPSamOqCYF4qXRRFtpngeUxTHAh333-x_jM_kOHwa7N_icxV5SwArwpWZD0M8hta_ybl20SIwJkgjw70Qs9TTl_L3dvlpBy0-AV9GZNL2_eTcxDFFxajsU1ryrqCiVpMa8tLdCcqhrkf8I9pS3t_E","qi":"zgMHgL45Osq5EyYwCdoYsCHa5G4Uvi1yc3w1Ol1zpGdS6w9J64NlqdYnkFnTh6bpJ0bbBva-lgKbhILzaJqx7yWu9j6eZAr2q40aNWSCAAn0AAg12Y3g1JEpDaDY0OPFY9NqzkOUUkFYwm4ny0HDFEfNKnQuOCl_Lmo46mC6XPc","alg":"PS256"}]}
The PEM-encoded client certificate:
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
The PEM-encoded private key:
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
The client scope for the issued tokens can be set to:
openid offline_access
The resource URL can be set to the UserInfo endpoint of the Connect2id server, for example:
https://fapi.c2id.com/c2id/userinfo
4.2 For client authentication type: mtls
Client 1
Sample client metadata to register the first client with the Connect2id server.
Note: The c2id in the redirection URI must be replaced with the test alias from the certification panel.
{
"preferred_client_id" : "agpellrjakyzi",
"grant_types" : [ "authorization_code", "refresh_token" ],
"response_types" : [ "code id_token" ],
"redirect_uris" : [ "https://www.certification.openid.net/test/a/c2id/callback" ],
"request_object_signing_alg" : "PS256",
"id_token_signed_response_alg" : "PS256",
"token_endpoint_auth_method" : "self_signed_tls_client_auth",
"jwks" : {
"keys" : [ {
"kty" : "RSA",
"alg" : "PS256",
"use" : "sig",
"kid" : "fapi--2115596559",
"x5c" : [ "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" ],
"n" : "nhtrDVbpYmXUF2yhM9Y3_9S9yyoO03VLCiJiEuY_q4GVE8vFT8XduRIxDEHonjJpoxbzq1OFSUSJGOb5VG8YrpCaZjLJv0LK_dhJs01c3PTRlve33dwEQ2qrKnM6jUfOkxtjj_oacnhwRNu6ptWBjRO6eBMImNGCo6mGjfSnoF96-4stXZI1jKqLj31thjLWQVPK3SIdEPOCQFuti3oK0BKyiv7R55IuLw3E9dD6fHwu284R6nLLszd6OGqqkgdde_Xg9DKEH43hICt0ebs53v5Lw9qBRqZDgwtMhyO_gSjQqCz8VyIrc3HaBc7qjVH8032FEnWkWqTNjOVeXSafJQ",
"e" : "AQAB"
} ]
}
}
The private client JWK set:
{"keys":[{"d":"UiZk5TV3Zk0KenFTASAZULA1PU7JDU4wgz-CPdes1WwrDXIfP2fL4NF28qt8NlZzVO4kBa0L4BngMjQw8JIY_PrdfqR89we5eVPcV3GnApeiHxLvUjNzc6QE87WTgr0AtKbSgIivHTM_Akg5H15oRekuRh19pgmWG3uGElRAlK62hXVjpqZ8nLq1JraCsCU4rp9cnMfvcMa_ZyxuIFmCEz6A-ynbyjW_WWxPlY7RJxZD9LQ82iquj_JMsLUM4F4DRK-sN2aeVjY0AUQFiRSs8dNP9ZzyITh5uXSlcQgxbT4Iw63jDrSWVC1iWj6GxTN8-Z1j_U_4h0S3D7wWUBfhsQ","e":"AQAB","use":"sig","kid":"fapi--2115596559","x5c":["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"],"dp":"ZVUr2jFwtsGuYpQRrLXNo0EfnxjlbJLFfqQv4qHeEzLT5A2rl8SDAJQVfYhw3QkLCmZKZpzuhSvSJoxF9d5Ldg3y_6jnVA_rxnSGkcSF5pAEOtDVwkcQKvieDvNZ4FnqbTh075CeeXH7yCUAiyWUeZG2865jvHeJop3B7V3BvcU","dq":"SFEn9etlBD9NDs1qBE175fj2Z-nrIioOHDAMULW6T9yd7mAp14sOAwOLZLj-RqviBsFqWbNENraVEqNXSQonp7Azwteup_aguYvQ99XBtPZhUpUHLC4OHgVsVPJW3k3rPn0FqjfxjKKDKRx-399avmfMj49GmBbmN4AESq1KrbM","n":"nhtrDVbpYmXUF2yhM9Y3_9S9yyoO03VLCiJiEuY_q4GVE8vFT8XduRIxDEHonjJpoxbzq1OFSUSJGOb5VG8YrpCaZjLJv0LK_dhJs01c3PTRlve33dwEQ2qrKnM6jUfOkxtjj_oacnhwRNu6ptWBjRO6eBMImNGCo6mGjfSnoF96-4stXZI1jKqLj31thjLWQVPK3SIdEPOCQFuti3oK0BKyiv7R55IuLw3E9dD6fHwu284R6nLLszd6OGqqkgdde_Xg9DKEH43hICt0ebs53v5Lw9qBRqZDgwtMhyO_gSjQqCz8VyIrc3HaBc7qjVH8032FEnWkWqTNjOVeXSafJQ","p":"z-jMp2K_CSv6EkK_O5uc4oM8o8HHhoBYXQvNNeM_4mKzGYPFojsa9B16XNsSfkrKy4wuM_X5kruRCKi503D3ptNeFmAywXbzRqR3XuaXXvzM8CfiiA-p-OvkTF-rAva1miysmdv7qBmwOXRUDrtP_oLE6X1sM_Xau9LVoNEj0jc","kty":"RSA","q":"wq2dKmGX_3TfXxjAaOW-sWfYN_ImzZc0kc9GxE3N8R6r6v2zC2Bu2u2c13IdQCgibzom4IXnTzNdsgrZ6ATNaIMZ_qtQOBUJyrErsDHm2r6WBjqW_o0fCDUw7rrmkdu834_9jWs-xexrAHg2ju3eAuhx5bBAhDd2Rag8Qtpr24M","qi":"CyqqP_PWItoMy0_Y5tZeIynarnI0ISrhixyDJTpuLS-QwzYzUGwx_UloOP0fvMrMZMJAGmgaOZAdbGyhaFShPHjlIYAlFmV8pFUbBCwS7EoSsc0DWmTj54RTzpDpcBrWTZ2x84TwqARODulJiF2KvatMy-le5zZFI1egxvaTUEM","alg":"PS256"}]}
The PEM-encoded client certificate:
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
The PEM-encoded private key:
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
The client scope for the issued tokens can be set to:
openid offline_access
The resource URL can be set to the UserInfo endpoint of the Connect2id server, for example:
https://fapi.c2id.com/c2id/userinfo
Client 2
Sample client metadata to register the second client with the Connect2id server.
Note: The c2id in the redirection URI must be replaced with the test alias from the certification panel.
{
"preferred_client_id" : "mdcvgzq6bhjjc",
"grant_types" : [ "authorization_code", "refresh_token" ],
"response_types" : [ "code id_token" ],
"redirect_uris" : [ "https://www.certification.openid.net/test/a/c2id/callback?dummy1=lorem&dummy2=ipsum" ],
"request_object_signing_alg" : "PS256",
"id_token_signed_response_alg" : "PS256",
"token_endpoint_auth_method" : "self_signed_tls_client_auth",
"jwks" : {
"keys" : [ {
"kty" : "RSA",
"alg" : "PS256",
"use" : "sig",
"kid" : "fapi-566984082",
"x5c" : ["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" ],
"n" : "m-8SSAYDEnjNFkjFkOY_xUJHh2Tk_ghDDpU4djBwatcZqohs2H9G0bWm4YAYfIFMypFDg9elaJGRaADMnVQ-269ULB5Nr0s8qigcfLXfmLtzWG7CEGF1WgBBbEEbBLPARw1PqBThNc6a6klrGB6xXtzFLt6eAnWeEYjBVlec0wMroHKxGsNAYnQtdprp2uCiVIFUJ3CFy40qg90y-VQo1IjEPedgAZgCeSzIUBtxzQmNL0mPyi3Uyr_mXM_Ykt_N1lwNS_KsDR9uYF1c9k-6oFRR4VetzANttek3ZODWRC_ztRumyfC-k8BfL6nPWLjW6m15v2n1D8i1kscxczJwqQ",
"e" : "AQAB"
} ]
}
}
The private client JWK set:
{"keys":[{"d":"fIgSboi2nWLyTvCxL4ZiuXO0UlHme2Y3v4a2f9UxgnHkooevfbsv4L0U2JSHea99l20poTpwdDGFEa1JvAAS7zl3nIBbBDqu6Sl9jq9lMcHKXX6e55wdr1Hy7bSVEk1Hqrbbvd1m-qTUnXUi3TFt79eadlL9l_M82L4BwaXYrb9a4d2Wug7GOuCxg8wA7QjUNtgrx5eCnE3cnbq2u3GGqf1hXeOjG12hfOYajsk2uKg6gmHUIRVHE0NP2nQL_9CX38wUovQ2mVEScEvbxDrNgxv1CtKJuFchoKV0xeCADbIHLC2PSP01wWXmUK-dmFJfX5WmMgPMmIiKQ5QCyHDtgQ","e":"AQAB","use":"sig","kid":"fapi-566984082","x5c":["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"],"dp":"hbS6vTLbqVav5gFsc3bHjMvw6XBarvOQnVJyJWYVhWVB1gJdmYwGrnFRPl8Oetzjw0e6qUpdlP26sFOnx7G10yCze6m6xtlS5AuX1biGO78DnUXdSGm0MKBVS7DeYCLVpOva6kZdEiO-K5h4LyvoJTRKUu9e-hvXjcyc392789k","dq":"FVNXtNDEV9ELMXMjA6xEecZDeZ7CFCeP92PdErJorKGVYDnDWesN17BfxMslW50bzKJaGRMaqJsUXzuJEBeNG10C2naOtquuBZqHw9R_VR_MBVSCnIlEl_aJm-icMat6J3AVkPpnNi8xR4DEzQwwRwjt1Jt1Q4mbkHGj838JetE","n":"m-8SSAYDEnjNFkjFkOY_xUJHh2Tk_ghDDpU4djBwatcZqohs2H9G0bWm4YAYfIFMypFDg9elaJGRaADMnVQ-269ULB5Nr0s8qigcfLXfmLtzWG7CEGF1WgBBbEEbBLPARw1PqBThNc6a6klrGB6xXtzFLt6eAnWeEYjBVlec0wMroHKxGsNAYnQtdprp2uCiVIFUJ3CFy40qg90y-VQo1IjEPedgAZgCeSzIUBtxzQmNL0mPyi3Uyr_mXM_Ykt_N1lwNS_KsDR9uYF1c9k-6oFRR4VetzANttek3ZODWRC_ztRumyfC-k8BfL6nPWLjW6m15v2n1D8i1kscxczJwqQ","p":"_qISCB7VdSFjYic42S9MLh5KJdgsF_DSNFG8fzWevO2JuoGCzNbAjktLtHOFF2fvhC5BbTSX11FyoPQuHgUsizfhFgVrPPqHxdhZVn8abtYTgd_eEKu6PTKQCPkD5emuZE3uJbIbuL1uJSP3VplBE995FGNewx4S1T_ADrgOPDk","kty":"RSA","q":"nMVdEmuaIjYhGDd98P1kIfaPSamOqCYF4qXRRFtpngeUxTHAh333-x_jM_kOHwa7N_icxV5SwArwpWZD0M8hta_ybl20SIwJkgjw70Qs9TTl_L3dvlpBy0-AV9GZNL2_eTcxDFFxajsU1ryrqCiVpMa8tLdCcqhrkf8I9pS3t_E","qi":"zgMHgL45Osq5EyYwCdoYsCHa5G4Uvi1yc3w1Ol1zpGdS6w9J64NlqdYnkFnTh6bpJ0bbBva-lgKbhILzaJqx7yWu9j6eZAr2q40aNWSCAAn0AAg12Y3g1JEpDaDY0OPFY9NqzkOUUkFYwm4ny0HDFEfNKnQuOCl_Lmo46mC6XPc","alg":"PS256"}]}
The PEM-encoded client certificate:
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
The PEM-encoded private key:
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
The client scope for the issued tokens can be set to:
openid offline_access
The resource URL can be set to the UserInfo endpoint of the Connect2id server, for example:
https://fapi.c2id.com/c2id/userinfo
4.3 Sample JWK set code
Sample Java code to generate a FAPI client RSA JWK (alg=PS256) with a self-signed certificate. Requires a recent version of the OAuth 2.0 / OpenID Connect SDK:
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Date;

import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.jose.jwk.KeyUse;
import com.nimbusds.jose.jwk.RSAKey;
import com.nimbusds.jose.jwk.gen.RSAKeyGenerator;
import com.nimbusds.jose.util.Base64; // imported explicitly: with wildcard imports java.util.Base64 makes "Base64" ambiguous
import com.nimbusds.jose.util.X509CertUtils;
import com.nimbusds.jwt.util.DateUtils;
import com.nimbusds.oauth2.sdk.id.Issuer;
import com.nimbusds.oauth2.sdk.util.X509CertificateUtils;

public class FAPIClientKeyGen {

    public static void main(String[] args) throws Exception {

        // Generate a 2048-bit RSA JWK for PS256 signing, with the key ID derived from the JWK thumbprint
        RSAKey rsaJWK = new RSAKeyGenerator(2048)
            .keyIDFromThumbprint(true)
            .keyUse(KeyUse.SIGNATURE)
            .algorithm(JWSAlgorithm.PS256)
            .generate();

        // Use the RSA JWK to sign a self-issued client certificate valid for one year
        Date now = new Date();
        Date nbf = now;
        long oneYearInSeconds = 3600 * 24 * 365;
        Date exp = DateUtils.fromSecondsSinceEpoch(DateUtils.toSecondsSinceEpoch(now) + oneYearInSeconds);

        X509Certificate clientCert = X509CertificateUtils.generateSelfSigned(
            new Issuer("oauth-client"),
            nbf,
            exp,
            rsaJWK.toRSAPublicKey(),
            rsaJWK.toPrivateKey());

        // Append the client certificate to the RSA JWK (x5c parameter)
        rsaJWK = new RSAKey.Builder(rsaJWK)
            .x509CertChain(Collections.singletonList(Base64.encode(clientCert.getEncoded())))
            .build();

        // Print out the public JWK set, required for the client metadata
        System.out.println(new JWKSet(rsaJWK.toPublicJWK()));

        // Print out the PEM-encoded client certificate
        System.out.println(X509CertUtils.toPEMString(clientCert));

        // Print out the PEM-encoded (PKCS#8) private key
        System.out.println(
            "-----BEGIN PRIVATE KEY-----\n" +
            Base64.encode(rsaJWK.toPrivateKey().getEncoded()) + "\n" +
            "-----END PRIVATE KEY-----\n");
    }
}
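An added check, not part of the Connect2id documentation or SDK: before registering generated client metadata, confirm that the certificate in x5c really carries the JWK's n/e (a mismatch breaks self_signed_tls_client_auth) and note its expiry. The Python script below does this with a minimal DER walker (an assumption: it handles only this RSA, UTCTime certificate layout, not X.509 in general) and runs it over the Client 1 public JWK from section 4.1.

```python
# Added example, not from the Connect2id documentation: checks that the self-signed
# certificate in a client JWK's "x5c" carries the same RSA public key as the JWK's
# "n"/"e" (a mismatch breaks self_signed_tls_client_auth) and reads its notAfter.
# Input is the page's Client 1 public JWK; the parser is a minimal DER walker for
# this certificate layout (RSA key, UTCTime validity), not a general X.509 library.
import base64
from datetime import datetime, timezone

def _tlv(buf, pos):
    """Read one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def parse_cert(der):
    """Return (modulus, exponent, notAfter) from a DER certificate with an RSA key."""
    _, pos, _ = _tlv(der, 0)                            # Certificate SEQUENCE
    _, pos, _ = _tlv(der, pos)                          # tbsCertificate SEQUENCE
    tag, _, end = _tlv(der, pos)
    if tag == 0xA0:                                     # optional version [0]
        pos = end
    for _ in range(3):                                  # serialNumber, signature, issuer
        _, _, pos = _tlv(der, pos)
    _, vstart, pos = _tlv(der, pos)                     # validity SEQUENCE
    _, _, nb_end = _tlv(der, vstart)                    # notBefore (skipped)
    tag, s, e = _tlv(der, nb_end)                       # notAfter
    if tag != 0x17:
        raise ValueError("only UTCTime notAfter is handled here")
    not_after = datetime.strptime(der[s:e].decode(), "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    _, _, pos = _tlv(der, pos)                          # subject
    _, pos, _ = _tlv(der, pos)                          # subjectPublicKeyInfo SEQUENCE
    _, _, pos = _tlv(der, pos)                          # AlgorithmIdentifier (rsaEncryption)
    tag, pos, _ = _tlv(der, pos)                        # subjectPublicKey BIT STRING
    if tag != 0x03 or der[pos] != 0:
        raise ValueError("unexpected subjectPublicKey encoding")
    _, pos, _ = _tlv(der, pos + 1)                      # RSAPublicKey SEQUENCE (after unused-bits byte)
    _, ns, ne = _tlv(der, pos)                          # modulus INTEGER
    _, es, ee = _tlv(der, ne)                           # publicExponent INTEGER
    return int.from_bytes(der[ns:ne], "big"), int.from_bytes(der[es:ee], "big"), not_after

def _b64url_int(s):
    return int.from_bytes(base64.urlsafe_b64decode(s + "=" * (-len(s) % 4)), "big")

def check_client_jwk(jwk):
    """Compare the first x5c certificate with the JWK's n/e and report its expiry."""
    n, e, not_after = parse_cert(base64.b64decode(jwk["x5c"][0]))
    return {"key_matches": n == _b64url_int(jwk["n"]) and e == _b64url_int(jwk["e"]),
            "not_after": not_after, "expired": not_after < datetime.now(timezone.utc)}

# Client 1 public JWK from section 4.1 above (x5c and n copied from the page)
CLIENT1_JWK = {
    "kty": "RSA", "alg": "PS256", "use": "sig", "kid": "fapi--2115596559", "e": "AQAB",
    "x5c": ["MIICozCCAYugAwIBAgIJAMGhzYtwkpbsMA0GCSqGSIb3DQEBCwUAMBExDzANBgNVBAMMBmNsaWVudDAeFw0xOTA3MjQwOTA2MzVaFw0yMDA3MjMwOTA2MzZaMBExDzANBgNVBAMMBmNsaWVudDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJ4baw1W6WJl1BdsoTPWN//UvcsqDtN1SwoiYhLmP6uBlRPLxU/F3bkSMQxB6J4yaaMW86tThUlEiRjm+VRvGK6QmmYyyb9Cyv3YSbNNXNz00Zb3t93cBENqqypzOo1HzpMbY4/6GnJ4cETbuqbVgY0TungTCJjRgqOpho30p6BfevuLLV2SNYyqi499bYYy1kFTyt0iHRDzgkBbrYt6CtASsor+0eeSLi8NxPXQ+nx8LtvOEepyy7M3ejhqqpIHXXv14PQyhB+N4SArdHm7Od7+S8PagUamQ4MLTIcjv4Eo0Kgs/FciK3Nx2gXO6o1R/NN9hRJ1pFqkzYzlXl0mnyUCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAGW8rpIKNQuKdUMiJLoiLce0G4lFq0DoQJ7NXKIVclig3kx8kF6X5IcohhLApAKcarghG6GjDXT7nGTEWwYy2QG+ML/z2dRT6znCS0zSiodM1tdSo2WsveZCYGYWbknZpMR/tfJhD29mSu61O8aiyVIXh5FL5givpsu+w1oMqZ0ADsCQN+3GKit+ybzgyAatCKldwCE4qp79I5T4Dxi5EADDjs8PUnwYZm8YdR7CP3N1Ubq99/PfWNxt8XlKunK1f+BjBKENi+rIrvYNBHxWK9Fn7KLR7slWf0HaXHU4QbdEWkBsJ8HbMyg+/HN/eNX+lrSNJ1i1GRKWrDTTlS1pcTQ=="],
    "n": "nhtrDVbpYmXUF2yhM9Y3_9S9yyoO03VLCiJiEuY_q4GVE8vFT8XduRIxDEHonjJpoxbzq1OFSUSJGOb5VG8YrpCaZjLJv0LK_dhJs01c3PTRlve33dwEQ2qrKnM6jUfOkxtjj_oacnhwRNu6ptWBjRO6eBMImNGCo6mGjfSnoF96-4stXZI1jKqLj31thjLWQVPK3SIdEPOCQFuti3oK0BKyiv7R55IuLw3E9dD6fHwu284R6nLLszd6OGqqkgdde_Xg9DKEH43hICt0ebs53v5Lw9qBRqZDgwtMhyO_gSjQqCz8VyIrc3HaBc7qjVH8032FEnWkWqTNjOVeXSafJQ",
}

if __name__ == "__main__":
    print(check_client_jwk(CLIENT1_JWK))
```

The sample certificate on this page was issued for one year in July 2019, so the check reports it as expired; generate a fresh key pair with the Java code above for an actual certification run.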