FAPI checklist

This checklist extends the minimal deployment checklist with the required configurations for setting up the Connect2id server for the strong FAPI RW security profile.

TLS terminator / HTTPS reverse proxy

  1. Make sure only TLS 1.2 or later can be negotiated, and disable all weak cipher suites.

    If you're using OpenSSL (e.g. with Apache httpd):

    # Forward-secret AEAD suites only: ECDHE or DHE key exchange with AES-GCM
    SSLCipherSuite EECDH+AESGCM:EDH+AESGCM
    # Disable every protocol version, then re-enable TLS 1.2 (add +TLSv1.3 on httpd 2.4.37+ with OpenSSL 1.1.1+)
    SSLProtocol -all +TLSv1.2
    
  2. Configure your TLS terminator / HTTPS reverse proxy to accept self-signed client X.509 certificates. If the client presents a certificate, it must be forwarded to the Connect2id server in a dedicated HTTP header. More instructions can be found in a separate guide.

    If you're using Apache httpd:

    # Request a client certificate but do not require one, and accept certificates not issued by a known CA
    SSLVerifyClient optional_no_ca
    SSLVerifyDepth 5
    # Always overwrite the header so a value supplied by the client is never forwarded;
    # the random suffix in the header name keeps it unguessable for clients
    RequestHeader set Sec-Client-X509-Cert-liede5vaePeeMiYie0xu2jaudauleing ""
    RequestHeader set Sec-Client-X509-Cert-liede5vaePeeMiYie0xu2jaudauleing "%{SSL_CLIENT_CERT}s"
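A quick way to see what the cipher string from step 1 actually admits is to resolve it with the same OpenSSL library Python links against. The script below is an added example, not part of the Apache or Connect2id configuration; it builds an SSLContext with the same cipher string and minimum protocol version as the directives above and flags any enabled suite that lacks forward secrecy or an AEAD cipher. The is_compliant_name rule and the function names are this example's own.

```python
"""Resolve the OpenSSL cipher string from the checklist and review what it enables."""
import ssl
from typing import List

# Same cipher string as the SSLCipherSuite directive above.
CIPHER_STRING = "EECDH+AESGCM:EDH+AESGCM"


def build_context(cipher_string: str = CIPHER_STRING) -> ssl.SSLContext:
    """Server-side context restricted to TLS 1.2 or later and the given cipher string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # Same effect as "SSLProtocol -all +TLSv1.2" (TLS 1.3 stays enabled, as with +TLSv1.3).
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # OpenSSL raises ssl.SSLError here if the string matches no suite at all.
    ctx.set_ciphers(cipher_string)
    return ctx


def tls12_or_later_only(ctx: ssl.SSLContext) -> bool:
    """True when the context cannot negotiate anything below TLS 1.2."""
    return ctx.minimum_version >= ssl.TLSVersion.TLSv1_2


def is_compliant_name(name: str) -> bool:
    """Heuristic on the OpenSSL suite name (this example's own rule):
    forward-secret key exchange and an AEAD cipher are both required.
    TLS 1.3 suites are named TLS_... and always use (EC)DHE with AEAD."""
    forward_secret = name.startswith(("ECDHE-", "DHE-", "TLS_"))
    aead = any(tag in name for tag in ("GCM", "CHACHA20", "CCM"))
    return forward_secret and aead


def non_compliant_ciphers(ctx: ssl.SSLContext) -> List[str]:
    """Names of the enabled suites that fail the rule above."""
    return [suite["name"] for suite in ctx.get_ciphers()
            if not is_compliant_name(suite["name"])]


if __name__ == "__main__":
    strict = build_context()
    print("enabled by the checklist string:")
    for suite in strict.get_ciphers():
        print("  ", suite["name"])
    print("non-compliant in strict context:", non_compliant_ciphers(strict))
    # Contrast with a broad list that still contains CBC and static-RSA suites.
    broad = build_context("HIGH:!aNULL")
    print("non-compliant in HIGH:!aNULL:", non_compliant_ciphers(broad))
```

Running it prints every suite the string enables on the local OpenSSL build; the strict context should report an empty non-compliant list, while the broad list shows the CBC and static RSA suites that "disable all weak ciphers" is meant to remove.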
    

Connect2id server configuration

  1. If public clients will be supported, make the PKCE security extension with the S256 code challenge method required:

    op.authz.requiredPKCE = S256
    
  2. Support and advertise at least one ACR (authentication context class reference) at Level of Assurance 2 or higher, for example:

    op.authz.advertisedACRs = urn:mace:incommon:iap:silver
    
  3. Require redirection URIs to use the https scheme:

    op.reg.rejectNonTLSRedirectionURIs = true
    
  4. Make sure only signed ID tokens can be issued:

    op.idToken.jwsAlgs = RS256, RS384, RS512, PS256, PS384, PS512, ES256, ES384, ES512
    
  5. Include a state hash in the issued ID tokens:

    op.idToken.includeStateHash = true
    
  6. Allow only the code id_token and code id_token token response types:

    op.authz.responseTypes = code id_token, code id_token token
    
  7. Make sure only signed request objects are accepted:

    op.authz.requestJWSAlgs = RS256, RS384, RS512, PS256, PS384, PS512, ES256, ES384, ES512
    
  8. Require an expiration claim (exp) in the request objects:

    op.authz.requireRequestJWTExpiration = true
    
  9. Require all authorisation request parameters to be present in the request object:

    op.authz.requireAllParamsInRequestJWT = true
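The nine settings above are easy to drift from during later configuration changes, so a check that reads the server properties and reports every deviation is worth keeping in a deployment pipeline. The script below is an added example and not Connect2id code. It assumes the settings live in a Java properties style text file (key = value, one per line) and knows only the keys listed in this checklist; the two sample configurations are constructed for illustration, the second one with deliberate deviations.

```python
"""Check Connect2id server properties against items 1 to 9 of the FAPI checklist."""
from typing import Dict, List

# Signed JWS algorithms from items 4 and 7 of the checklist.
SIGNED_JWS_ALGS = {"RS256", "RS384", "RS512",
                   "PS256", "PS384", "PS512",
                   "ES256", "ES384", "ES512"}


def _norm_response_type(rt: str) -> str:
    """Sort the tokens so that 'id_token code' and 'code id_token' compare equal."""
    return " ".join(sorted(rt.split()))


# Response types from item 6.
ALLOWED_RESPONSE_TYPES = {_norm_response_type("code id_token"),
                          _norm_response_type("code id_token token")}


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal key = value parser; lines starting with # or ! are comments."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def split_list(value: str) -> List[str]:
    """Split a comma separated property value into its non-empty items."""
    return [item.strip() for item in value.split(",") if item.strip()]


def fapi_findings(props: Dict[str, str], public_clients: bool = True) -> List[str]:
    """Return one message per checklist item the configuration fails (empty = compliant)."""
    findings: List[str] = []

    def expect(key: str, wanted: str) -> None:
        if props.get(key) != wanted:
            findings.append(f"{key} must be {wanted}, found {props.get(key)!r}")

    if public_clients:                                                # item 1
        expect("op.authz.requiredPKCE", "S256")
    if not split_list(props.get("op.authz.advertisedACRs", "")):      # item 2
        findings.append("op.authz.advertisedACRs must advertise at least one ACR")
    expect("op.reg.rejectNonTLSRedirectionURIs", "true")              # item 3
    expect("op.idToken.includeStateHash", "true")                     # item 5
    expect("op.authz.requireRequestJWTExpiration", "true")            # item 8
    expect("op.authz.requireAllParamsInRequestJWT", "true")           # item 9

    for key in ("op.idToken.jwsAlgs", "op.authz.requestJWSAlgs"):     # items 4 and 7
        algs = split_list(props.get(key, ""))
        if not algs:
            findings.append(f"{key} must list the permitted signed JWS algorithms")
        for alg in algs:
            if alg not in SIGNED_JWS_ALGS:
                findings.append(f"{key} permits unsigned or unexpected algorithm {alg!r}")

    response_types = split_list(props.get("op.authz.responseTypes", ""))  # item 6
    if not response_types:
        findings.append("op.authz.responseTypes must be set")
    for rt in response_types:
        if _norm_response_type(rt) not in ALLOWED_RESPONSE_TYPES:
            findings.append(f"op.authz.responseTypes permits {rt!r}")
    return findings


# Constructed sample using the values from the checklist; expected to produce no findings.
COMPLIANT_CONFIG = """
op.authz.requiredPKCE = S256
op.authz.advertisedACRs = urn:mace:incommon:iap:silver
op.reg.rejectNonTLSRedirectionURIs = true
op.idToken.jwsAlgs = RS256, RS384, RS512, PS256, PS384, PS512, ES256, ES384, ES512
op.idToken.includeStateHash = true
op.authz.responseTypes = code id_token, code id_token token
op.authz.requestJWSAlgs = RS256, RS384, RS512, PS256, PS384, PS512, ES256, ES384, ES512
op.authz.requireRequestJWTExpiration = true
op.authz.requireAllParamsInRequestJWT = true
"""

# Constructed sample with six deliberate deviations.
WEAK_CONFIG = """
op.authz.requiredPKCE = plain
op.authz.advertisedACRs =
op.reg.rejectNonTLSRedirectionURIs = false
op.idToken.jwsAlgs = RS256, none
op.idToken.includeStateHash = true
op.authz.responseTypes = code, code id_token
op.authz.requestJWSAlgs = RS256
op.authz.requireRequestJWTExpiration = false
op.authz.requireAllParamsInRequestJWT = true
"""

if __name__ == "__main__":
    for label, cfg in (("compliant", COMPLIANT_CONFIG), ("weak", WEAK_CONFIG)):
        print(f"{label}:")
        for finding in fapi_findings(parse_properties(cfg)) or ["no findings"]:
            print("  -", finding)
```

Pass public_clients=False when no public clients are registered, since item 1 only applies to them; every other item is checked unconditionally.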
    

Authorisation

When authorising requests:

  • Always require the user's explicit consent for the requested scope, unless consent for it was previously given and persisted.

  • When submitting the consent, make sure the access token encoding (access_token -> encoding) is set to identifier-based.