FAPI checklist

This checklist extends the minimal deployment checklist with the required configurations for setting up the Connect2id server for the Advanced FAPI Security Profile (draft-06).

1. TLS terminator / HTTPS reverse proxy

  1. Make sure TLS 1.2 or later is used, and disable all weak ciphers.

    For OpenSSL (e.g. with Apache httpd):

    SSLCipherSuite EECDH+AESGCM:EDH+AESGCM
    SSLProtocol -all +TLSv1.2
    
  2. Configure your TLS terminator / HTTPS reverse proxy to support client X.509 certificates. If a client certificate is found, it must be passed to the Connect2id server in a special HTTP header. Check the TLS guide for further instructions.

2. Connect2id server configuration

Required Connect2id server configuration settings for Advanced FAPI Security Profile conformance. Assumes Connect2id server 9.5.

  1. If public OAuth clients will be supported, make the PKCE security extension with the S256 code challenge method required:

    op.authz.requiredPKCE=S256
    
  2. Support and advertise one or more ACRs at LoA 2 or higher. Example configuration for some ACR:

    op.authz.advertisedACRs=urn:mace:incommon:iap:silver
    
  3. Require redirection URIs to use the https scheme:

    op.reg.rejectNonTLSRedirectionURIs=true
    
  4. Make sure only PS256 or ES256 signed ID tokens can get issued:

    op.idToken.jwsAlgs=PS256,ES256
    
  5. Include a state hash in the issued ID tokens:

    op.idToken.includeStateHash=true
    
  6. Allow only the code id_token response type:

    op.authz.responseTypes=code id_token
    
  7. Make sure only PS256 or ES256 signed request objects get accepted:

    op.authz.requestJWSAlgs=PS256,ES256
    
  8. Require an exp (expiration claim) in the request objects:

    op.authz.requireRequestJWTExpiration=true
    
  9. Require all authorisation request parameters to be present in the request object:

    op.authz.requireAllParamsInRequestJWT=true
    
  10. Prohibit clients to switch between the query and fragment response modes by setting the response_mode authorisation request parameter:

    op.authz.prohibitSwitchBetweenBasicResponseModes=true
    
  11. Allow only mTLS and private key JWT client authentication at the token endpoint. Note, mTLS authentication can be either configured in its PKI variant (tls_client_auth) or self-signed client X.509 certificate variant (self_signed_tls_client_auth), but not both.

    To allow private key JWT and self-signed certificate mTLS authentication:

    op.token.authMethods=private_key_jwt,self_signed_tls_client_auth
    

    To allow private key JWT and PKI mTLS authentication:

    op.token.authMethods=private_key_jwt,tls_client_auth
    
  12. Require clients to present an X.509 client certificate at the token endpoint to ensure the issued access tokens are certificate bound:

    op.token.requireClientX509Cert=true
    

3. Authorisation

When authorising requests:

  • Make sure the end-user is authenticated at the configured LoA 2 or higher level and the acr parameter for the user session is set to it. This will also set the acr claim in the issued ID token.

  • Always require explicit consent by the end-user to authorise the requested scope if not previously authorised (the consent was persisted).

  • When submitting the consent make sure the access token type is set to identifier-based (access_token -> encoding).

4. FAPI certification test suite

We recommend running the FAPI certification tests before putting a deployment into production.

To set up the certification tests two OAuth 2.0 clients need to be registered with the Connect2id server and their client_id's, redirection URIs and keys saved in the certification panel.

4.1 For client authentication type: private_key_jwt

Client 1

Sample client metadata to register the first client with the Connect2id server.

Note: The c2id in the redirection URI must be replaced with the test alias from certification panel.

{
   "preferred_client_id"             : "agpellrjakyzi",
   "grant_types"                     : [ "authorization_code", "refresh_token" ],
   "response_types"                  : [ "code id_token" ],
   "redirect_uris"                   : [ "https://www.certification.openid.net/test/a/c2id/callback" ],
   "request_object_signing_alg"      : "PS256",
   "id_token_signed_response_alg"    : "PS256",
   "token_endpoint_auth_method"      : "private_key_jwt",
   "token_endpoint_auth_signing_alg" : "PS256",
   "jwks" : {
      "keys" : [ {
         "kty" : "RSA",
         "alg" : "PS256",
         "use" : "sig",
         "kid" : "fapi--2115596559",
         "x5c" : [ "MIICozCCAYugAwIBAgIJAMGhzYtwkpbsMA0GCSqGSIb3DQEBCwUAMBExDzANBgNVBAMMBmNsaWVudDAeFw0xOTA3MjQwOTA2MzVaFw0yMDA3MjMwOTA2MzZaMBExDzANBgNVBAMMBmNsaWVudDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJ4baw1W6WJl1BdsoTPWN//UvcsqDtN1SwoiYhLmP6uBlRPLxU/F3bkSMQxB6J4yaaMW86tThUlEiRjm+VRvGK6QmmYyyb9Cyv3YSbNNXNz00Zb3t93cBENqqypzOo1HzpMbY4/6GnJ4cETbuqbVgY0TungTCJjRgqOpho30p6BfevuLLV2SNYyqi499bYYy1kFTyt0iHRDzgkBbrYt6CtASsor+0eeSLi8NxPXQ+nx8LtvOEepyy7M3ejhqqpIHXXv14PQyhB+N4SArdHm7Od7+S8PagUamQ4MLTIcjv4Eo0Kgs/FciK3Nx2gXO6o1R/NN9hRJ1pFqkzYzlXl0mnyUCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAGW8rpIKNQuKdUMiJLoiLce0G4lFq0DoQJ7NXKIVclig3kx8kF6X5IcohhLApAKcarghG6GjDXT7nGTEWwYy2QG+ML/z2dRT6znCS0zSiodM1tdSo2WsveZCYGYWbknZpMR/tfJhD29mSu61O8aiyVIXh5FL5givpsu+w1oMqZ0ADsCQN+3GKit+ybzgyAatCKldwCE4qp79I5T4Dxi5EADDjs8PUnwYZm8YdR7CP3N1Ubq99/PfWNxt8XlKunK1f+BjBKENi+rIrvYNBHxWK9Fn7KLR7slWf0HaXHU4QbdEWkBsJ8HbMyg+/HN/eNX+lrSNJ1i1GRKWrDTTlS1pcTQ==" ],
         "n"   : "nhtrDVbpYmXUF2yhM9Y3_9S9yyoO03VLCiJiEuY_q4GVE8vFT8XduRIxDEHonjJpoxbzq1OFSUSJGOb5VG8YrpCaZjLJv0LK_dhJs01c3PTRlve33dwEQ2qrKnM6jUfOkxtjj_oacnhwRNu6ptWBjRO6eBMImNGCo6mGjfSnoF96-4stXZI1jKqLj31thjLWQVPK3SIdEPOCQFuti3oK0BKyiv7R55IuLw3E9dD6fHwu284R6nLLszd6OGqqkgdde_Xg9DKEH43hICt0ebs53v5Lw9qBRqZDgwtMhyO_gSjQqCz8VyIrc3HaBc7qjVH8032FEnWkWqTNjOVeXSafJQ",
         "e"   : "AQAB"
      } ]
   }
}

The private client JWK set:

{"keys":[{"d":"UiZk5TV3Zk0KenFTASAZULA1PU7JDU4wgz-CPdes1WwrDXIfP2fL4NF28qt8NlZzVO4kBa0L4BngMjQw8JIY_PrdfqR89we5eVPcV3GnApeiHxLvUjNzc6QE87WTgr0AtKbSgIivHTM_Akg5H15oRekuRh19pgmWG3uGElRAlK62hXVjpqZ8nLq1JraCsCU4rp9cnMfvcMa_ZyxuIFmCEz6A-ynbyjW_WWxPlY7RJxZD9LQ82iquj_JMsLUM4F4DRK-sN2aeVjY0AUQFiRSs8dNP9ZzyITh5uXSlcQgxbT4Iw63jDrSWVC1iWj6GxTN8-Z1j_U_4h0S3D7wWUBfhsQ","e":"AQAB","use":"sig","kid":"fapi--2115596559","x5c":["MIICozCCAYugAwIBAgIJAMGhzYtwkpbsMA0GCSqGSIb3DQEBCwUAMBExDzANBgNVBAMMBmNsaWVudDAeFw0xOTA3MjQwOTA2MzVaFw0yMDA3MjMwOTA2MzZaMBExDzANBgNVBAMMBmNsaWVudDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJ4baw1W6WJl1BdsoTPWN//UvcsqDtN1SwoiYhLmP6uBlRPLxU/F3bkSMQxB6J4yaaMW86tThUlEiRjm+VRvGK6QmmYyyb9Cyv3YSbNNXNz00Zb3t93cBENqqypzOo1HzpMbY4/6GnJ4cETbuqbVgY0TungTCJjRgqOpho30p6BfevuLLV2SNYyqi499bYYy1kFTyt0iHRDzgkBbrYt6CtASsor+0eeSLi8NxPXQ+nx8LtvOEepyy7M3ejhqqpIHXXv14PQyhB+N4SArdHm7Od7+S8PagUamQ4MLTIcjv4Eo0Kgs/FciK3Nx2gXO6o1R/NN9hRJ1pFqkzYzlXl0mnyUCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAGW8rpIKNQuKdUMiJLoiLce0G4lFq0DoQJ7NXKIVclig3kx8kF6X5IcohhLApAKcarghG6GjDXT7nGTEWwYy2QG+ML/z2dRT6znCS0zSiodM1tdSo2WsveZCYGYWbknZpMR/tfJhD29mSu61O8aiyVIXh5FL5givpsu+w1oMqZ0ADsCQN+3GKit+ybzgyAatCKldwCE4qp79I5T4Dxi5EADDjs8PUnwYZm8YdR7CP3N1Ubq99/PfWNxt8XlKunK1f+BjBKENi+rIrvYNBHxWK9Fn7KLR7slWf0HaXHU4QbdEWkBsJ8HbMyg+/HN/eNX+lrSNJ1i1GRKWrDTTlS1pcTQ=="],"dp":"ZVUr2jFwtsGuYpQRrLXNo0EfnxjlbJLFfqQv4qHeEzLT5A2rl8SDAJQVfYhw3QkLCmZKZpzuhSvSJoxF9d5Ldg3y_6jnVA_rxnSGkcSF5pAEOtDVwkcQKvieDvNZ4FnqbTh075CeeXH7yCUAiyWUeZG2865jvHeJop3B7V3BvcU","dq":"SFEn9etlBD9NDs1qBE175fj2Z-nrIioOHDAMULW6T9yd7mAp14sOAwOLZLj-RqviBsFqWbNENraVEqNXSQonp7Azwteup_aguYvQ99XBtPZhUpUHLC4OHgVsVPJW3k3rPn0FqjfxjKKDKRx-399avmfMj49GmBbmN4AESq1KrbM","n":"nhtrDVbpYmXUF2yhM9Y3_9S9yyoO03VLCiJiEuY_q4GVE8vFT8XduRIxDEHonjJpoxbzq1OFSUSJGOb5VG8YrpCaZjLJv0LK_dhJs01c3PTRlve33dwEQ2qrKnM6jUfOkxtjj_oacnhwRNu6ptWBjRO6eBMImNGCo6mGjfSnoF96-4stXZI1jKqLj31thjLWQVPK3SIdEPOCQFuti3oK0BKyiv7R55IuLw3E9dD6fHwu284R6nLLszd6OGqqkgdde_Xg9DKEH43hICt0ebs53v5Lw9qBRqZDgwtMhyO_gSjQqCz8VyIrc3HaBc7qjVH8032FEnWkWqTNjOVeXSafJQ","p":"z-jMp2K_CSv6EkK_O5uc4oM8o8HHhoBYXQvNNeM_4mKzGYPFojsa9B16XNsSfkrKy4wuM_X5kruRCKi503D3ptNeFmAywXbzRqR3XuaXXvzM8CfiiA-p-OvkTF-rAva1miysmdv7qBmwOXRUDrtP_oLE6X1sM_Xau9LVoNEj0jc","kty":"RSA","q":"wq2dKmGX_3TfXxjAaOW-sWfYN_ImzZc0kc9GxE3N8R6r6v2zC2Bu2u2c13IdQCgibzom4IXnTzNdsgrZ6ATNaIMZ_qtQOBUJyrErsDHm2r6WBjqW_o0fCDUw7rrmkdu834_9jWs-xexrAHg2ju3eAuhx5bBAhDd2Rag8Qtpr24M","qi":"CyqqP_PWItoMy0_Y5tZeIynarnI0ISrhixyDJTpuLS-QwzYzUGwx_UloOP0fvMrMZMJAGmgaOZAdbGyhaFShPHjlIYAlFmV8pFUbBCwS7EoSsc0DWmTj54RTzpDpcBrWTZ2x84TwqARODulJiF2KvatMy-le5zZFI1egxvaTUEM","alg":"PS256"}]}

The PEM-encoded client certificate:

-----BEGIN CERTIFICATE-----
MIICozCCAYugAwIBAgIJAMGhzYtwkpbsMA0GCSqGSIb3DQEBCwUAMBExDzANBgNVBAMMBmNsaWVudDAeFw0xOTA3MjQwOTA2MzVaFw0yMDA3MjMwOTA2MzZaMBExDzANBgNVBAMMBmNsaWVudDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJ4baw1W6WJl1BdsoTPWN//UvcsqDtN1SwoiYhLmP6uBlRPLxU/F3bkSMQxB6J4yaaMW86tThUlEiRjm+VRvGK6QmmYyyb9Cyv3YSbNNXNz00Zb3t93cBENqqypzOo1HzpMbY4/6GnJ4cETbuqbVgY0TungTCJjRgqOpho30p6BfevuLLV2SNYyqi499bYYy1kFTyt0iHRDzgkBbrYt6CtASsor+0eeSLi8NxPXQ+nx8LtvOEepyy7M3ejhqqpIHXXv14PQyhB+N4SArdHm7Od7+S8PagUamQ4MLTIcjv4Eo0Kgs/FciK3Nx2gXO6o1R/NN9hRJ1pFqkzYzlXl0mnyUCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAGW8rpIKNQuKdUMiJLoiLce0G4lFq0DoQJ7NXKIVclig3kx8kF6X5IcohhLApAKcarghG6GjDXT7nGTEWwYy2QG+ML/z2dRT6znCS0zSiodM1tdSo2WsveZCYGYWbknZpMR/tfJhD29mSu61O8aiyVIXh5FL5givpsu+w1oMqZ0ADsCQN+3GKit+ybzgyAatCKldwCE4qp79I5T4Dxi5EADDjs8PUnwYZm8YdR7CP3N1Ubq99/PfWNxt8XlKunK1f+BjBKENi+rIrvYNBHxWK9Fn7KLR7slWf0HaXHU4QbdEWkBsJ8HbMyg+/HN/eNX+lrSNJ1i1GRKWrDTTlS1pcTQ==
-----END CERTIFICATE-----

The PEM-encoded private key:

-----BEGIN PRIVATE KEY-----
MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCeG2sNVuliZdQXbKEz1jf/1L3LKg7TdUsKImIS5j+rgZUTy8VPxd25EjEMQeieMmmjFvOrU4VJRIkY5vlUbxiukJpmMsm/Qsr92EmzTVzc9NGW97fd3ARDaqsqczqNR86TG2OP+hpyeHBE27qm1YGNE7p4EwiY0YKjqYaN9KegX3r7iy1dkjWMqouPfW2GMtZBU8rdIh0Q84JAW62LegrQErKK/tHnki4vDcT10Pp8fC7bzhHqcsuzN3o4aqqSB1179eD0MoQfjeEgK3R5uzne/kvD2oFGpkODC0yHI7+BKNCoLPxXIitzcdoFzuqNUfzTfYUSdaRapM2M5V5dJp8lAgMBAAECggEAUiZk5TV3Zk0KenFTASAZULA1PU7JDU4wgz+CPdes1WwrDXIfP2fL4NF28qt8NlZzVO4kBa0L4BngMjQw8JIY/PrdfqR89we5eVPcV3GnApeiHxLvUjNzc6QE87WTgr0AtKbSgIivHTM/Akg5H15oRekuRh19pgmWG3uGElRAlK62hXVjpqZ8nLq1JraCsCU4rp9cnMfvcMa/ZyxuIFmCEz6A+ynbyjW/WWxPlY7RJxZD9LQ82iquj/JMsLUM4F4DRK+sN2aeVjY0AUQFiRSs8dNP9ZzyITh5uXSlcQgxbT4Iw63jDrSWVC1iWj6GxTN8+Z1j/U/4h0S3D7wWUBfhsQKBgQDP6MynYr8JK/oSQr87m5zigzyjwceGgFhdC8014z/iYrMZg8WiOxr0HXpc2xJ+SsrLjC4z9fmSu5EIqLnTcPem014WYDLBdvNGpHde5pde/MzwJ+KID6n46+RMX6sC9rWaLKyZ2/uoGbA5dFQOu0/+gsTpfWwz9dq70tWg0SPSNwKBgQDCrZ0qYZf/dN9fGMBo5b6xZ9g38ibNlzSRz0bETc3xHqvq/bMLYG7a7ZzXch1AKCJvOibghedPM12yCtnoBM1ogxn+q1A4FQnKsSuwMebavpYGOpb+jR8INTDuuuaR27zfj/2Naz7F7GsAeDaO7d4C6HHlsECEN3ZFqDxC2mvbgwKBgGVVK9oxcLbBrmKUEay1zaNBH58Y5WySxX6kL+Kh3hMy0+QNq5fEgwCUFX2IcN0JCwpmSmac7oUr0iaMRfXeS3YN8v+o51QP68Z0hpHEheaQBDrQ1cJHECr4ng7zWeBZ6m04dO+Qnnlx+8glAIsllHmRtvOuY7x3iaKdwe1dwb3FAoGASFEn9etlBD9NDs1qBE175fj2Z+nrIioOHDAMULW6T9yd7mAp14sOAwOLZLj+RqviBsFqWbNENraVEqNXSQonp7Azwteup/aguYvQ99XBtPZhUpUHLC4OHgVsVPJW3k3rPn0FqjfxjKKDKRx+399avmfMj49GmBbmN4AESq1KrbMCgYALKqo/89Yi2gzLT9jm1l4jKdqucjQhKuGLHIMlOm4tL5DDNjNQbDH9SWg4/R+8ysxkwkAaaBo5kB1sbKFoVKE8eOUhgCUWZXykVRsELBLsShKxzQNaZOPnhFPOkOlwGtZNnbHzhPCoBE4O6UmIXYq9q0zL6V7nNkUjV6DG9pNQQw==
-----END PRIVATE KEY-----

The client scope for the issued tokens can be set to:

openid offline_access

The resource URL can be set to the UserInfo endpoint of the Connect2id server, for example:

https://fapi.c2id.com/c2id/userinfo

Client 2

Sample client metadata to register the second client with the Connect2id server.

Note: The c2id in the redirection URI must be replaced with the test alias from certification panel.

{
   "preferred_client_id"             : "mdcvgzq6bhjjc",
   "grant_types"                     : [ "authorization_code", "refresh_token" ],
   "response_types"                  : [ "code id_token" ],
   "redirect_uris"                   : [ "https://www.certification.openid.net/test/a/c2id/callback?dummy1=lorem&dummy2=ipsum" ],
   "request_object_signing_alg"      : "PS256",
   "id_token_signed_response_alg"    : "PS256",
   "token_endpoint_auth_method"      : "private_key_jwt",
   "token_endpoint_auth_signing_alg" : "PS256",
   "jwks" : {
      "keys" : [ {
         "kty" : "RSA",
         "alg" : "PS256",
         "use" : "sig",
         "kid" : "fapi-566984082",
         "x5c" : ["MIICozCCAYugAwIBAgIJALZFH9WBJqDNMA0GCSqGSIb3DQEBCwUAMBExDzANBgNVBAMMBmNsaWVudDAeFw0xOTA3MjQwOTA2MzZaFw0yMDA3MjMwOTA2MzdaMBExDzANBgNVBAMMBmNsaWVudDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJvvEkgGAxJ4zRZIxZDmP8VCR4dk5P4IQw6VOHYwcGrXGaqIbNh/RtG1puGAGHyBTMqRQ4PXpWiRkWgAzJ1UPtuvVCweTa9LPKooHHy135i7c1huwhBhdVoAQWxBGwSzwEcNT6gU4TXOmupJaxgesV7cxS7engJ1nhGIwVZXnNMDK6BysRrDQGJ0LXaa6drgolSBVCdwhcuNKoPdMvlUKNSIxD3nYAGYAnksyFAbcc0JjS9Jj8ot1Mq/5lzP2JLfzdZcDUvyrA0fbmBdXPZPuqBUUeFXrcwDbbXpN2Tg1kQv87UbpsnwvpPAXy+pz1i41upteb9p9Q/ItZLHMXMycKkCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAdsVmVZ0m9L6wWKaNCYP5GWSB8nUC/CT7sj3XL0oZzD4FvnhVAeovnoDath0JETDpmZhxgbnKVldmHgK/ozR5cs27pug4FpePy8S0L8UZozpOfhBmHBoQG/13xiBL4Ntg87iKvrcHN1nxx95deJOCw9/jm1w+KxCN1YZwEuJhaYfttZwFu2xodrnzGODhwZnketJG25Jiqa4ofzJ2JAASppWFN99C/TF/BorKMjjyQVxU6OvRecqW+dp0MicIGPThHvc8MoMKs/9PkxbKd9dskr/4aY/K/UDTNEHTnKS2n9wpbmg1YlyjhZiveZ+Aypuc+DXwrzluFSm5v+N4MxakWQ==" ],
         "n"   : "m-8SSAYDEnjNFkjFkOY_xUJHh2Tk_ghDDpU4djBwatcZqohs2H9G0bWm4YAYfIFMypFDg9elaJGRaADMnVQ-269ULB5Nr0s8qigcfLXfmLtzWG7CEGF1WgBBbEEbBLPARw1PqBThNc6a6klrGB6xXtzFLt6eAnWeEYjBVlec0wMroHKxGsNAYnQtdprp2uCiVIFUJ3CFy40qg90y-VQo1IjEPedgAZgCeSzIUBtxzQmNL0mPyi3Uyr_mXM_Ykt_N1lwNS_KsDR9uYF1c9k-6oFRR4VetzANttek3ZODWRC_ztRumyfC-k8BfL6nPWLjW6m15v2n1D8i1kscxczJwqQ",
         "e"   : "AQAB"
      } ]
   }
}

The private client JWK set:

{"keys":[{"d":"fIgSboi2nWLyTvCxL4ZiuXO0UlHme2Y3v4a2f9UxgnHkooevfbsv4L0U2JSHea99l20poTpwdDGFEa1JvAAS7zl3nIBbBDqu6Sl9jq9lMcHKXX6e55wdr1Hy7bSVEk1Hqrbbvd1m-qTUnXUi3TFt79eadlL9l_M82L4BwaXYrb9a4d2Wug7GOuCxg8wA7QjUNtgrx5eCnE3cnbq2u3GGqf1hXeOjG12hfOYajsk2uKg6gmHUIRVHE0NP2nQL_9CX38wUovQ2mVEScEvbxDrNgxv1CtKJuFchoKV0xeCADbIHLC2PSP01wWXmUK-dmFJfX5WmMgPMmIiKQ5QCyHDtgQ","e":"AQAB","use":"sig","kid":"fapi-566984082","x5c":["MIICozCCAYugAwIBAgIJALZFH9WBJqDNMA0GCSqGSIb3DQEBCwUAMBExDzANBgNVBAMMBmNsaWVudDAeFw0xOTA3MjQwOTA2MzZaFw0yMDA3MjMwOTA2MzdaMBExDzANBgNVBAMMBmNsaWVudDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJvvEkgGAxJ4zRZIxZDmP8VCR4dk5P4IQw6VOHYwcGrXGaqIbNh/RtG1puGAGHyBTMqRQ4PXpWiRkWgAzJ1UPtuvVCweTa9LPKooHHy135i7c1huwhBhdVoAQWxBGwSzwEcNT6gU4TXOmupJaxgesV7cxS7engJ1nhGIwVZXnNMDK6BysRrDQGJ0LXaa6drgolSBVCdwhcuNKoPdMvlUKNSIxD3nYAGYAnksyFAbcc0JjS9Jj8ot1Mq/5lzP2JLfzdZcDUvyrA0fbmBdXPZPuqBUUeFXrcwDbbXpN2Tg1kQv87UbpsnwvpPAXy+pz1i41upteb9p9Q/ItZLHMXMycKkCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAdsVmVZ0m9L6wWKaNCYP5GWSB8nUC/CT7sj3XL0oZzD4FvnhVAeovnoDath0JETDpmZhxgbnKVldmHgK/ozR5cs27pug4FpePy8S0L8UZozpOfhBmHBoQG/13xiBL4Ntg87iKvrcHN1nxx95deJOCw9/jm1w+KxCN1YZwEuJhaYfttZwFu2xodrnzGODhwZnketJG25Jiqa4ofzJ2JAASppWFN99C/TF/BorKMjjyQVxU6OvRecqW+dp0MicIGPThHvc8MoMKs/9PkxbKd9dskr/4aY/K/UDTNEHTnKS2n9wpbmg1YlyjhZiveZ+Aypuc+DXwrzluFSm5v+N4MxakWQ=="],"dp":"hbS6vTLbqVav5gFsc3bHjMvw6XBarvOQnVJyJWYVhWVB1gJdmYwGrnFRPl8Oetzjw0e6qUpdlP26sFOnx7G10yCze6m6xtlS5AuX1biGO78DnUXdSGm0MKBVS7DeYCLVpOva6kZdEiO-K5h4LyvoJTRKUu9e-hvXjcyc392789k","dq":"FVNXtNDEV9ELMXMjA6xEecZDeZ7CFCeP92PdErJorKGVYDnDWesN17BfxMslW50bzKJaGRMaqJsUXzuJEBeNG10C2naOtquuBZqHw9R_VR_MBVSCnIlEl_aJm-icMat6J3AVkPpnNi8xR4DEzQwwRwjt1Jt1Q4mbkHGj838JetE","n":"m-8SSAYDEnjNFkjFkOY_xUJHh2Tk_ghDDpU4djBwatcZqohs2H9G0bWm4YAYfIFMypFDg9elaJGRaADMnVQ-269ULB5Nr0s8qigcfLXfmLtzWG7CEGF1WgBBbEEbBLPARw1PqBThNc6a6klrGB6xXtzFLt6eAnWeEYjBVlec0wMroHKxGsNAYnQtdprp2uCiVIFUJ3CFy40qg90y-VQo1IjEPedgAZgCeSzIUBtxzQmNL0mPyi3Uyr_mXM_Ykt_N1lwNS_KsDR9uYF1c9k-6oFRR4VetzANttek3ZODWRC_ztRumyfC-k8BfL6nPWLjW6m15v2n1D8i1kscxczJwqQ","p":"_qISCB7VdSFjYic42S9MLh5KJdgsF_DSNFG8fzWevO2JuoGCzNbAjktLtHOFF2fvhC5BbTSX11FyoPQuHgUsizfhFgVrPPqHxdhZVn8abtYTgd_eEKu6PTKQCPkD5emuZE3uJbIbuL1uJSP3VplBE995FGNewx4S1T_ADrgOPDk","kty":"RSA","q":"nMVdEmuaIjYhGDd98P1kIfaPSamOqCYF4qXRRFtpngeUxTHAh333-x_jM_kOHwa7N_icxV5SwArwpWZD0M8hta_ybl20SIwJkgjw70Qs9TTl_L3dvlpBy0-AV9GZNL2_eTcxDFFxajsU1ryrqCiVpMa8tLdCcqhrkf8I9pS3t_E","qi":"zgMHgL45Osq5EyYwCdoYsCHa5G4Uvi1yc3w1Ol1zpGdS6w9J64NlqdYnkFnTh6bpJ0bbBva-lgKbhILzaJqx7yWu9j6eZAr2q40aNWSCAAn0AAg12Y3g1JEpDaDY0OPFY9NqzkOUUkFYwm4ny0HDFEfNKnQuOCl_Lmo46mC6XPc","alg":"PS256"}]}

The PEM-encoded client certificate:

-----BEGIN CERTIFICATE-----
MIICozCCAYugAwIBAgIJALZFH9WBJqDNMA0GCSqGSIb3DQEBCwUAMBExDzANBgNVBAMMBmNsaWVudDAeFw0xOTA3MjQwOTA2MzZaFw0yMDA3MjMwOTA2MzdaMBExDzANBgNVBAMMBmNsaWVudDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJvvEkgGAxJ4zRZIxZDmP8VCR4dk5P4IQw6VOHYwcGrXGaqIbNh/RtG1puGAGHyBTMqRQ4PXpWiRkWgAzJ1UPtuvVCweTa9LPKooHHy135i7c1huwhBhdVoAQWxBGwSzwEcNT6gU4TXOmupJaxgesV7cxS7engJ1nhGIwVZXnNMDK6BysRrDQGJ0LXaa6drgolSBVCdwhcuNKoPdMvlUKNSIxD3nYAGYAnksyFAbcc0JjS9Jj8ot1Mq/5lzP2JLfzdZcDUvyrA0fbmBdXPZPuqBUUeFXrcwDbbXpN2Tg1kQv87UbpsnwvpPAXy+pz1i41upteb9p9Q/ItZLHMXMycKkCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAdsVmVZ0m9L6wWKaNCYP5GWSB8nUC/CT7sj3XL0oZzD4FvnhVAeovnoDath0JETDpmZhxgbnKVldmHgK/ozR5cs27pug4FpePy8S0L8UZozpOfhBmHBoQG/13xiBL4Ntg87iKvrcHN1nxx95deJOCw9/jm1w+KxCN1YZwEuJhaYfttZwFu2xodrnzGODhwZnketJG25Jiqa4ofzJ2JAASppWFN99C/TF/BorKMjjyQVxU6OvRecqW+dp0MicIGPThHvc8MoMKs/9PkxbKd9dskr/4aY/K/UDTNEHTnKS2n9wpbmg1YlyjhZiveZ+Aypuc+DXwrzluFSm5v+N4MxakWQ==
-----END CERTIFICATE-----

The PEM-encoded private key:

-----BEGIN PRIVATE KEY-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCb7xJIBgMSeM0WSMWQ5j/FQkeHZOT+CEMOlTh2MHBq1xmqiGzYf0bRtabhgBh8gUzKkUOD16VokZFoAMydVD7br1QsHk2vSzyqKBx8td+Yu3NYbsIQYXVaAEFsQRsEs8BHDU+oFOE1zprqSWsYHrFe3MUu3p4CdZ4RiMFWV5zTAyugcrEaw0BidC12muna4KJUgVQncIXLjSqD3TL5VCjUiMQ952ABmAJ5LMhQG3HNCY0vSY/KLdTKv+Zcz9iS383WXA1L8qwNH25gXVz2T7qgVFHhV63MA2216Tdk4NZEL/O1G6bJ8L6TwF8vqc9YuNbqbXm/afUPyLWSxzFzMnCpAgMBAAECggEAfIgSboi2nWLyTvCxL4ZiuXO0UlHme2Y3v4a2f9UxgnHkooevfbsv4L0U2JSHea99l20poTpwdDGFEa1JvAAS7zl3nIBbBDqu6Sl9jq9lMcHKXX6e55wdr1Hy7bSVEk1Hqrbbvd1m+qTUnXUi3TFt79eadlL9l/M82L4BwaXYrb9a4d2Wug7GOuCxg8wA7QjUNtgrx5eCnE3cnbq2u3GGqf1hXeOjG12hfOYajsk2uKg6gmHUIRVHE0NP2nQL/9CX38wUovQ2mVEScEvbxDrNgxv1CtKJuFchoKV0xeCADbIHLC2PSP01wWXmUK+dmFJfX5WmMgPMmIiKQ5QCyHDtgQKBgQD+ohIIHtV1IWNiJzjZL0wuHkol2CwX8NI0Ubx/NZ687Ym6gYLM1sCOS0u0c4UXZ++ELkFtNJfXUXKg9C4eBSyLN+EWBWs8+ofF2FlWfxpu1hOB394Qq7o9MpAI+QPl6a5kTe4lshu4vW4lI/dWmUET33kUY17DHhLVP8AOuA48OQKBgQCcxV0Sa5oiNiEYN33w/WQh9o9JqY6oJgXipdFEW2meB5TFMcCHfff7H+Mz+Q4fBrs3+JzFXlLACvClZkPQzyG1r/JuXbRIjAmSCPDvRCz1NOX8vd2+WkHLT4BX0Zk0vb95NzEMUXFqOxTWvKuoKJWkxry0t0JyqGuR/wj2lLe38QKBgQCFtLq9MtupVq/mAWxzdseMy/DpcFqu85CdUnIlZhWFZUHWAl2ZjAaucVE+Xw563OPDR7qpSl2U/bqwU6fHsbXTILN7qbrG2VLkC5fVuIY7vwOdRd1IabQwoFVLsN5gItWk69rqRl0SI74rmHgvK+glNEpS7176G9eNzJzf3bvz2QKBgBVTV7TQxFfRCzFzIwOsRHnGQ3mewhQnj/dj3RKyaKyhlWA5w1nrDdewX8TLJVudG8yiWhkTGqibFF87iRAXjRtdAtp2jrarrgWah8PUf1UfzAVUgpyJRJf2iZvonDGreidwFZD6ZzYvMUeAxM0MMEcI7dSbdUOJm5Bxo/N/CXrRAoGBAM4DB4C+OTrKuRMmMAnaGLAh2uRuFL4tcnN8NTpdc6RnUusPSeuDZanWJ5BZ04em6SdG2wb2vpYCm4SC82iase8lrvY+nmQK9quNGjVkggAJ9AAINdmN4NSRKQ2g2NDjxWPTas5DlFJBWMJuJ8tBwxRHzSp0Ljgpfy5qOOpgulz3
-----END PRIVATE KEY-----

The client scope for the issued tokens can be set to:

openid offline_access

The resource URL can be set to the UserInfo endpoint of the Connect2id server, for example:

https://fapi.c2id.com/c2id/userinfo

4.2 For client authentication type: mtls

Client 1

Sample client metadata to register the first client with the Connect2id server.

Note: The c2id in the redirection URI must be replaced with the test alias from certification panel.

{
   "preferred_client_id"             : "agpellrjakyzi",
   "grant_types"                     : [ "authorization_code", "refresh_token" ],
   "response_types"                  : [ "code id_token" ],
   "redirect_uris"                   : [ "https://www.certification.openid.net/test/a/c2id/callback" ],
   "request_object_signing_alg"      : "PS256",
   "id_token_signed_response_alg"    : "PS256",
   "token_endpoint_auth_method"      : "self_signed_tls_client_auth",
   "jwks" : {
      "keys" : [ {
         "kty" : "RSA",
         "alg" : "PS256",
         "use" : "sig",
         "kid" : "fapi--2115596559",
         "x5c" : [ "MIICozCCAYugAwIBAgIJAMGhzYtwkpbsMA0GCSqGSIb3DQEBCwUAMBExDzANBgNVBAMMBmNsaWVudDAeFw0xOTA3MjQwOTA2MzVaFw0yMDA3MjMwOTA2MzZaMBExDzANBgNVBAMMBmNsaWVudDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJ4baw1W6WJl1BdsoTPWN//UvcsqDtN1SwoiYhLmP6uBlRPLxU/F3bkSMQxB6J4yaaMW86tThUlEiRjm+VRvGK6QmmYyyb9Cyv3YSbNNXNz00Zb3t93cBENqqypzOo1HzpMbY4/6GnJ4cETbuqbVgY0TungTCJjRgqOpho30p6BfevuLLV2SNYyqi499bYYy1kFTyt0iHRDzgkBbrYt6CtASsor+0eeSLi8NxPXQ+nx8LtvOEepyy7M3ejhqqpIHXXv14PQyhB+N4SArdHm7Od7+S8PagUamQ4MLTIcjv4Eo0Kgs/FciK3Nx2gXO6o1R/NN9hRJ1pFqkzYzlXl0mnyUCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAGW8rpIKNQuKdUMiJLoiLce0G4lFq0DoQJ7NXKIVclig3kx8kF6X5IcohhLApAKcarghG6GjDXT7nGTEWwYy2QG+ML/z2dRT6znCS0zSiodM1tdSo2WsveZCYGYWbknZpMR/tfJhD29mSu61O8aiyVIXh5FL5givpsu+w1oMqZ0ADsCQN+3GKit+ybzgyAatCKldwCE4qp79I5T4Dxi5EADDjs8PUnwYZm8YdR7CP3N1Ubq99/PfWNxt8XlKunK1f+BjBKENi+rIrvYNBHxWK9Fn7KLR7slWf0HaXHU4QbdEWkBsJ8HbMyg+/HN/eNX+lrSNJ1i1GRKWrDTTlS1pcTQ==" ],
         "n"   : "nhtrDVbpYmXUF2yhM9Y3_9S9yyoO03VLCiJiEuY_q4GVE8vFT8XduRIxDEHonjJpoxbzq1OFSUSJGOb5VG8YrpCaZjLJv0LK_dhJs01c3PTRlve33dwEQ2qrKnM6jUfOkxtjj_oacnhwRNu6ptWBjRO6eBMImNGCo6mGjfSnoF96-4stXZI1jKqLj31thjLWQVPK3SIdEPOCQFuti3oK0BKyiv7R55IuLw3E9dD6fHwu284R6nLLszd6OGqqkgdde_Xg9DKEH43hICt0ebs53v5Lw9qBRqZDgwtMhyO_gSjQqCz8VyIrc3HaBc7qjVH8032FEnWkWqTNjOVeXSafJQ",
         "e"   : "AQAB"
      } ]
   }
}

The private client JWK set:

{"keys":[{"d":"UiZk5TV3Zk0KenFTASAZULA1PU7JDU4wgz-CPdes1WwrDXIfP2fL4NF28qt8NlZzVO4kBa0L4BngMjQw8JIY_PrdfqR89we5eVPcV3GnApeiHxLvUjNzc6QE87WTgr0AtKbSgIivHTM_Akg5H15oRekuRh19pgmWG3uGElRAlK62hXVjpqZ8nLq1JraCsCU4rp9cnMfvcMa_ZyxuIFmCEz6A-ynbyjW_WWxPlY7RJxZD9LQ82iquj_JMsLUM4F4DRK-sN2aeVjY0AUQFiRSs8dNP9ZzyITh5uXSlcQgxbT4Iw63jDrSWVC1iWj6GxTN8-Z1j_U_4h0S3D7wWUBfhsQ","e":"AQAB","use":"sig","kid":"fapi--2115596559","x5c":["MIICozCCAYugAwIBAgIJAMGhzYtwkpbsMA0GCSqGSIb3DQEBCwUAMBExDzANBgNVBAMMBmNsaWVudDAeFw0xOTA3MjQwOTA2MzVaFw0yMDA3MjMwOTA2MzZaMBExDzANBgNVBAMMBmNsaWVudDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJ4baw1W6WJl1BdsoTPWN//UvcsqDtN1SwoiYhLmP6uBlRPLxU/F3bkSMQxB6J4yaaMW86tThUlEiRjm+VRvGK6QmmYyyb9Cyv3YSbNNXNz00Zb3t93cBENqqypzOo1HzpMbY4/6GnJ4cETbuqbVgY0TungTCJjRgqOpho30p6BfevuLLV2SNYyqi499bYYy1kFTyt0iHRDzgkBbrYt6CtASsor+0eeSLi8NxPXQ+nx8LtvOEepyy7M3ejhqqpIHXXv14PQyhB+N4SArdHm7Od7+S8PagUamQ4MLTIcjv4Eo0Kgs/FciK3Nx2gXO6o1R/NN9hRJ1pFqkzYzlXl0mnyUCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAGW8rpIKNQuKdUMiJLoiLce0G4lFq0DoQJ7NXKIVclig3kx8kF6X5IcohhLApAKcarghG6GjDXT7nGTEWwYy2QG+ML/z2dRT6znCS0zSiodM1tdSo2WsveZCYGYWbknZpMR/tfJhD29mSu61O8aiyVIXh5FL5givpsu+w1oMqZ0ADsCQN+3GKit+ybzgyAatCKldwCE4qp79I5T4Dxi5EADDjs8PUnwYZm8YdR7CP3N1Ubq99/PfWNxt8XlKunK1f+BjBKENi+rIrvYNBHxWK9Fn7KLR7slWf0HaXHU4QbdEWkBsJ8HbMyg+/HN/eNX+lrSNJ1i1GRKWrDTTlS1pcTQ=="],"dp":"ZVUr2jFwtsGuYpQRrLXNo0EfnxjlbJLFfqQv4qHeEzLT5A2rl8SDAJQVfYhw3QkLCmZKZpzuhSvSJoxF9d5Ldg3y_6jnVA_rxnSGkcSF5pAEOtDVwkcQKvieDvNZ4FnqbTh075CeeXH7yCUAiyWUeZG2865jvHeJop3B7V3BvcU","dq":"SFEn9etlBD9NDs1qBE175fj2Z-nrIioOHDAMULW6T9yd7mAp14sOAwOLZLj-RqviBsFqWbNENraVEqNXSQonp7Azwteup_aguYvQ99XBtPZhUpUHLC4OHgVsVPJW3k3rPn0FqjfxjKKDKRx-399avmfMj49GmBbmN4AESq1KrbM","n":"nhtrDVbpYmXUF2yhM9Y3_9S9yyoO03VLCiJiEuY_q4GVE8vFT8XduRIxDEHonjJpoxbzq1OFSUSJGOb5VG8YrpCaZjLJv0LK_dhJs01c3PTRlve33dwEQ2qrKnM6jUfOkxtjj_oacnhwRNu6ptWBjRO6eBMImNGCo6mGjfSnoF96-4stXZI1jKqLj31thjLWQVPK3SIdEPOCQFuti3oK0BKyiv7R55IuLw3E9dD6fHwu284R6nLLszd6OGqqkgdde_Xg9DKEH43hICt0ebs53v5Lw9qBRqZDgwtMhyO_gSjQqCz8VyIrc3HaBc7qjVH8032FEnWkWqTNjOVeXSafJQ","p":"z-jMp2K_CSv6EkK_O5uc4oM8o8HHhoBYXQvNNeM_4mKzGYPFojsa9B16XNsSfkrKy4wuM_X5kruRCKi503D3ptNeFmAywXbzRqR3XuaXXvzM8CfiiA-p-OvkTF-rAva1miysmdv7qBmwOXRUDrtP_oLE6X1sM_Xau9LVoNEj0jc","kty":"RSA","q":"wq2dKmGX_3TfXxjAaOW-sWfYN_ImzZc0kc9GxE3N8R6r6v2zC2Bu2u2c13IdQCgibzom4IXnTzNdsgrZ6ATNaIMZ_qtQOBUJyrErsDHm2r6WBjqW_o0fCDUw7rrmkdu834_9jWs-xexrAHg2ju3eAuhx5bBAhDd2Rag8Qtpr24M","qi":"CyqqP_PWItoMy0_Y5tZeIynarnI0ISrhixyDJTpuLS-QwzYzUGwx_UloOP0fvMrMZMJAGmgaOZAdbGyhaFShPHjlIYAlFmV8pFUbBCwS7EoSsc0DWmTj54RTzpDpcBrWTZ2x84TwqARODulJiF2KvatMy-le5zZFI1egxvaTUEM","alg":"PS256"}]}

The PEM-encoded client certificate:

-----BEGIN CERTIFICATE-----
MIICozCCAYugAwIBAgIJAMGhzYtwkpbsMA0GCSqGSIb3DQEBCwUAMBExDzANBgNVBAMMBmNsaWVudDAeFw0xOTA3MjQwOTA2MzVaFw0yMDA3MjMwOTA2MzZaMBExDzANBgNVBAMMBmNsaWVudDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJ4baw1W6WJl1BdsoTPWN//UvcsqDtN1SwoiYhLmP6uBlRPLxU/F3bkSMQxB6J4yaaMW86tThUlEiRjm+VRvGK6QmmYyyb9Cyv3YSbNNXNz00Zb3t93cBENqqypzOo1HzpMbY4/6GnJ4cETbuqbVgY0TungTCJjRgqOpho30p6BfevuLLV2SNYyqi499bYYy1kFTyt0iHRDzgkBbrYt6CtASsor+0eeSLi8NxPXQ+nx8LtvOEepyy7M3ejhqqpIHXXv14PQyhB+N4SArdHm7Od7+S8PagUamQ4MLTIcjv4Eo0Kgs/FciK3Nx2gXO6o1R/NN9hRJ1pFqkzYzlXl0mnyUCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAGW8rpIKNQuKdUMiJLoiLce0G4lFq0DoQJ7NXKIVclig3kx8kF6X5IcohhLApAKcarghG6GjDXT7nGTEWwYy2QG+ML/z2dRT6znCS0zSiodM1tdSo2WsveZCYGYWbknZpMR/tfJhD29mSu61O8aiyVIXh5FL5givpsu+w1oMqZ0ADsCQN+3GKit+ybzgyAatCKldwCE4qp79I5T4Dxi5EADDjs8PUnwYZm8YdR7CP3N1Ubq99/PfWNxt8XlKunK1f+BjBKENi+rIrvYNBHxWK9Fn7KLR7slWf0HaXHU4QbdEWkBsJ8HbMyg+/HN/eNX+lrSNJ1i1GRKWrDTTlS1pcTQ==
-----END CERTIFICATE-----

The PEM-encoded private key:

-----BEGIN PRIVATE KEY-----
MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCeG2sNVuliZdQXbKEz1jf/1L3LKg7TdUsKImIS5j+rgZUTy8VPxd25EjEMQeieMmmjFvOrU4VJRIkY5vlUbxiukJpmMsm/Qsr92EmzTVzc9NGW97fd3ARDaqsqczqNR86TG2OP+hpyeHBE27qm1YGNE7p4EwiY0YKjqYaN9KegX3r7iy1dkjWMqouPfW2GMtZBU8rdIh0Q84JAW62LegrQErKK/tHnki4vDcT10Pp8fC7bzhHqcsuzN3o4aqqSB1179eD0MoQfjeEgK3R5uzne/kvD2oFGpkODC0yHI7+BKNCoLPxXIitzcdoFzuqNUfzTfYUSdaRapM2M5V5dJp8lAgMBAAECggEAUiZk5TV3Zk0KenFTASAZULA1PU7JDU4wgz+CPdes1WwrDXIfP2fL4NF28qt8NlZzVO4kBa0L4BngMjQw8JIY/PrdfqR89we5eVPcV3GnApeiHxLvUjNzc6QE87WTgr0AtKbSgIivHTM/Akg5H15oRekuRh19pgmWG3uGElRAlK62hXVjpqZ8nLq1JraCsCU4rp9cnMfvcMa/ZyxuIFmCEz6A+ynbyjW/WWxPlY7RJxZD9LQ82iquj/JMsLUM4F4DRK+sN2aeVjY0AUQFiRSs8dNP9ZzyITh5uXSlcQgxbT4Iw63jDrSWVC1iWj6GxTN8+Z1j/U/4h0S3D7wWUBfhsQKBgQDP6MynYr8JK/oSQr87m5zigzyjwceGgFhdC8014z/iYrMZg8WiOxr0HXpc2xJ+SsrLjC4z9fmSu5EIqLnTcPem014WYDLBdvNGpHde5pde/MzwJ+KID6n46+RMX6sC9rWaLKyZ2/uoGbA5dFQOu0/+gsTpfWwz9dq70tWg0SPSNwKBgQDCrZ0qYZf/dN9fGMBo5b6xZ9g38ibNlzSRz0bETc3xHqvq/bMLYG7a7ZzXch1AKCJvOibghedPM12yCtnoBM1ogxn+q1A4FQnKsSuwMebavpYGOpb+jR8INTDuuuaR27zfj/2Naz7F7GsAeDaO7d4C6HHlsECEN3ZFqDxC2mvbgwKBgGVVK9oxcLbBrmKUEay1zaNBH58Y5WySxX6kL+Kh3hMy0+QNq5fEgwCUFX2IcN0JCwpmSmac7oUr0iaMRfXeS3YN8v+o51QP68Z0hpHEheaQBDrQ1cJHECr4ng7zWeBZ6m04dO+Qnnlx+8glAIsllHmRtvOuY7x3iaKdwe1dwb3FAoGASFEn9etlBD9NDs1qBE175fj2Z+nrIioOHDAMULW6T9yd7mAp14sOAwOLZLj+RqviBsFqWbNENraVEqNXSQonp7Azwteup/aguYvQ99XBtPZhUpUHLC4OHgVsVPJW3k3rPn0FqjfxjKKDKRx+399avmfMj49GmBbmN4AESq1KrbMCgYALKqo/89Yi2gzLT9jm1l4jKdqucjQhKuGLHIMlOm4tL5DDNjNQbDH9SWg4/R+8ysxkwkAaaBo5kB1sbKFoVKE8eOUhgCUWZXykVRsELBLsShKxzQNaZOPnhFPOkOlwGtZNnbHzhPCoBE4O6UmIXYq9q0zL6V7nNkUjV6DG9pNQQw==
-----END PRIVATE KEY-----

The client scope for the issued tokens can be set to:

openid offline_access

The resource URL can be set to the UserInfo endpoint of the Connect2id server, for example:

https://fapi.c2id.com/c2id/userinfo

Client 2

Sample client metadata to register the second client with the Connect2id server.

Note: The c2id in the redirection URI must be replaced with the test alias from certification panel.

{
   "preferred_client_id"             : "mdcvgzq6bhjjc",
   "grant_types"                     : [ "authorization_code", "refresh_token" ],
   "response_types"                  : [ "code id_token" ],
   "redirect_uris"                   : [ "https://www.certification.openid.net/test/a/c2id/callback?dummy1=lorem&dummy2=ipsum" ],
   "request_object_signing_alg"      : "PS256",
   "id_token_signed_response_alg"    : "PS256",
   "token_endpoint_auth_method"      : "self_signed_tls_client_auth",
   "jwks" : {
      "keys" : [ {
         "kty" : "RSA",
         "alg" : "PS256",
         "use" : "sig",
         "kid" : "fapi-566984082",
         "x5c" : ["MIICozCCAYugAwIBAgIJALZFH9WBJqDNMA0GCSqGSIb3DQEBCwUAMBExDzANBgNVBAMMBmNsaWVudDAeFw0xOTA3MjQwOTA2MzZaFw0yMDA3MjMwOTA2MzdaMBExDzANBgNVBAMMBmNsaWVudDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJvvEkgGAxJ4zRZIxZDmP8VCR4dk5P4IQw6VOHYwcGrXGaqIbNh/RtG1puGAGHyBTMqRQ4PXpWiRkWgAzJ1UPtuvVCweTa9LPKooHHy135i7c1huwhBhdVoAQWxBGwSzwEcNT6gU4TXOmupJaxgesV7cxS7engJ1nhGIwVZXnNMDK6BysRrDQGJ0LXaa6drgolSBVCdwhcuNKoPdMvlUKNSIxD3nYAGYAnksyFAbcc0JjS9Jj8ot1Mq/5lzP2JLfzdZcDUvyrA0fbmBdXPZPuqBUUeFXrcwDbbXpN2Tg1kQv87UbpsnwvpPAXy+pz1i41upteb9p9Q/ItZLHMXMycKkCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAdsVmVZ0m9L6wWKaNCYP5GWSB8nUC/CT7sj3XL0oZzD4FvnhVAeovnoDath0JETDpmZhxgbnKVldmHgK/ozR5cs27pug4FpePy8S0L8UZozpOfhBmHBoQG/13xiBL4Ntg87iKvrcHN1nxx95deJOCw9/jm1w+KxCN1YZwEuJhaYfttZwFu2xodrnzGODhwZnketJG25Jiqa4ofzJ2JAASppWFN99C/TF/BorKMjjyQVxU6OvRecqW+dp0MicIGPThHvc8MoMKs/9PkxbKd9dskr/4aY/K/UDTNEHTnKS2n9wpbmg1YlyjhZiveZ+Aypuc+DXwrzluFSm5v+N4MxakWQ==" ],
         "n"   : "m-8SSAYDEnjNFkjFkOY_xUJHh2Tk_ghDDpU4djBwatcZqohs2H9G0bWm4YAYfIFMypFDg9elaJGRaADMnVQ-269ULB5Nr0s8qigcfLXfmLtzWG7CEGF1WgBBbEEbBLPARw1PqBThNc6a6klrGB6xXtzFLt6eAnWeEYjBVlec0wMroHKxGsNAYnQtdprp2uCiVIFUJ3CFy40qg90y-VQo1IjEPedgAZgCeSzIUBtxzQmNL0mPyi3Uyr_mXM_Ykt_N1lwNS_KsDR9uYF1c9k-6oFRR4VetzANttek3ZODWRC_ztRumyfC-k8BfL6nPWLjW6m15v2n1D8i1kscxczJwqQ",
         "e"   : "AQAB"
      } ]
   }
}

The private client JWK set:

{"keys":[{"d":"fIgSboi2nWLyTvCxL4ZiuXO0UlHme2Y3v4a2f9UxgnHkooevfbsv4L0U2JSHea99l20poTpwdDGFEa1JvAAS7zl3nIBbBDqu6Sl9jq9lMcHKXX6e55wdr1Hy7bSVEk1Hqrbbvd1m-qTUnXUi3TFt79eadlL9l_M82L4BwaXYrb9a4d2Wug7GOuCxg8wA7QjUNtgrx5eCnE3cnbq2u3GGqf1hXeOjG12hfOYajsk2uKg6gmHUIRVHE0NP2nQL_9CX38wUovQ2mVEScEvbxDrNgxv1CtKJuFchoKV0xeCADbIHLC2PSP01wWXmUK-dmFJfX5WmMgPMmIiKQ5QCyHDtgQ","e":"AQAB","use":"sig","kid":"fapi-566984082","x5c":["MIICozCCAYugAwIBAgIJALZFH9WBJqDNMA0GCSqGSIb3DQEBCwUAMBExDzANBgNVBAMMBmNsaWVudDAeFw0xOTA3MjQwOTA2MzZaFw0yMDA3MjMwOTA2MzdaMBExDzANBgNVBAMMBmNsaWVudDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJvvEkgGAxJ4zRZIxZDmP8VCR4dk5P4IQw6VOHYwcGrXGaqIbNh/RtG1puGAGHyBTMqRQ4PXpWiRkWgAzJ1UPtuvVCweTa9LPKooHHy135i7c1huwhBhdVoAQWxBGwSzwEcNT6gU4TXOmupJaxgesV7cxS7engJ1nhGIwVZXnNMDK6BysRrDQGJ0LXaa6drgolSBVCdwhcuNKoPdMvlUKNSIxD3nYAGYAnksyFAbcc0JjS9Jj8ot1Mq/5lzP2JLfzdZcDUvyrA0fbmBdXPZPuqBUUeFXrcwDbbXpN2Tg1kQv87UbpsnwvpPAXy+pz1i41upteb9p9Q/ItZLHMXMycKkCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAdsVmVZ0m9L6wWKaNCYP5GWSB8nUC/CT7sj3XL0oZzD4FvnhVAeovnoDath0JETDpmZhxgbnKVldmHgK/ozR5cs27pug4FpePy8S0L8UZozpOfhBmHBoQG/13xiBL4Ntg87iKvrcHN1nxx95deJOCw9/jm1w+KxCN1YZwEuJhaYfttZwFu2xodrnzGODhwZnketJG25Jiqa4ofzJ2JAASppWFN99C/TF/BorKMjjyQVxU6OvRecqW+dp0MicIGPThHvc8MoMKs/9PkxbKd9dskr/4aY/K/UDTNEHTnKS2n9wpbmg1YlyjhZiveZ+Aypuc+DXwrzluFSm5v+N4MxakWQ=="],"dp":"hbS6vTLbqVav5gFsc3bHjMvw6XBarvOQnVJyJWYVhWVB1gJdmYwGrnFRPl8Oetzjw0e6qUpdlP26sFOnx7G10yCze6m6xtlS5AuX1biGO78DnUXdSGm0MKBVS7DeYCLVpOva6kZdEiO-K5h4LyvoJTRKUu9e-hvXjcyc392789k","dq":"FVNXtNDEV9ELMXMjA6xEecZDeZ7CFCeP92PdErJorKGVYDnDWesN17BfxMslW50bzKJaGRMaqJsUXzuJEBeNG10C2naOtquuBZqHw9R_VR_MBVSCnIlEl_aJm-icMat6J3AVkPpnNi8xR4DEzQwwRwjt1Jt1Q4mbkHGj838JetE","n":"m-8SSAYDEnjNFkjFkOY_xUJHh2Tk_ghDDpU4djBwatcZqohs2H9G0bWm4YAYfIFMypFDg9elaJGRaADMnVQ-269ULB5Nr0s8qigcfLXfmLtzWG7CEGF1WgBBbEEbBLPARw1PqBThNc6a6klrGB6xXtzFLt6eAnWeEYjBVlec0wMroHKxGsNAYnQtdprp2uCiVIFUJ3CFy40qg90y-VQo1IjEPedgAZgCeSzIUBtxzQmNL0mPyi3Uyr_mXM_Ykt_N1lwNS_KsDR9uYF1c9k-6oFRR4VetzANttek3ZODWRC_ztRumyfC-k8BfL6nPWLjW6m15v2n1D8i1kscxczJwqQ","p":"_qISCB7VdSFjYic42S9MLh5KJdgsF_DSNFG8fzWevO2JuoGCzNbAjktLtHOFF2fvhC5BbTSX11FyoPQuHgUsizfhFgVrPPqHxdhZVn8abtYTgd_eEKu6PTKQCPkD5emuZE3uJbIbuL1uJSP3VplBE995FGNewx4S1T_ADrgOPDk","kty":"RSA","q":"nMVdEmuaIjYhGDd98P1kIfaPSamOqCYF4qXRRFtpngeUxTHAh333-x_jM_kOHwa7N_icxV5SwArwpWZD0M8hta_ybl20SIwJkgjw70Qs9TTl_L3dvlpBy0-AV9GZNL2_eTcxDFFxajsU1ryrqCiVpMa8tLdCcqhrkf8I9pS3t_E","qi":"zgMHgL45Osq5EyYwCdoYsCHa5G4Uvi1yc3w1Ol1zpGdS6w9J64NlqdYnkFnTh6bpJ0bbBva-lgKbhILzaJqx7yWu9j6eZAr2q40aNWSCAAn0AAg12Y3g1JEpDaDY0OPFY9NqzkOUUkFYwm4ny0HDFEfNKnQuOCl_Lmo46mC6XPc","alg":"PS256"}]}

The PEM-encoded client certificate:

-----BEGIN CERTIFICATE-----
MIICozCCAYugAwIBAgIJALZFH9WBJqDNMA0GCSqGSIb3DQEBCwUAMBExDzANBgNVBAMMBmNsaWVudDAeFw0xOTA3MjQwOTA2MzZaFw0yMDA3MjMwOTA2MzdaMBExDzANBgNVBAMMBmNsaWVudDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJvvEkgGAxJ4zRZIxZDmP8VCR4dk5P4IQw6VOHYwcGrXGaqIbNh/RtG1puGAGHyBTMqRQ4PXpWiRkWgAzJ1UPtuvVCweTa9LPKooHHy135i7c1huwhBhdVoAQWxBGwSzwEcNT6gU4TXOmupJaxgesV7cxS7engJ1nhGIwVZXnNMDK6BysRrDQGJ0LXaa6drgolSBVCdwhcuNKoPdMvlUKNSIxD3nYAGYAnksyFAbcc0JjS9Jj8ot1Mq/5lzP2JLfzdZcDUvyrA0fbmBdXPZPuqBUUeFXrcwDbbXpN2Tg1kQv87UbpsnwvpPAXy+pz1i41upteb9p9Q/ItZLHMXMycKkCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAdsVmVZ0m9L6wWKaNCYP5GWSB8nUC/CT7sj3XL0oZzD4FvnhVAeovnoDath0JETDpmZhxgbnKVldmHgK/ozR5cs27pug4FpePy8S0L8UZozpOfhBmHBoQG/13xiBL4Ntg87iKvrcHN1nxx95deJOCw9/jm1w+KxCN1YZwEuJhaYfttZwFu2xodrnzGODhwZnketJG25Jiqa4ofzJ2JAASppWFN99C/TF/BorKMjjyQVxU6OvRecqW+dp0MicIGPThHvc8MoMKs/9PkxbKd9dskr/4aY/K/UDTNEHTnKS2n9wpbmg1YlyjhZiveZ+Aypuc+DXwrzluFSm5v+N4MxakWQ==
-----END CERTIFICATE-----

The PEM-encoded private key:

-----BEGIN PRIVATE KEY-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCb7xJIBgMSeM0WSMWQ5j/FQkeHZOT+CEMOlTh2MHBq1xmqiGzYf0bRtabhgBh8gUzKkUOD16VokZFoAMydVD7br1QsHk2vSzyqKBx8td+Yu3NYbsIQYXVaAEFsQRsEs8BHDU+oFOE1zprqSWsYHrFe3MUu3p4CdZ4RiMFWV5zTAyugcrEaw0BidC12muna4KJUgVQncIXLjSqD3TL5VCjUiMQ952ABmAJ5LMhQG3HNCY0vSY/KLdTKv+Zcz9iS383WXA1L8qwNH25gXVz2T7qgVFHhV63MA2216Tdk4NZEL/O1G6bJ8L6TwF8vqc9YuNbqbXm/afUPyLWSxzFzMnCpAgMBAAECggEAfIgSboi2nWLyTvCxL4ZiuXO0UlHme2Y3v4a2f9UxgnHkooevfbsv4L0U2JSHea99l20poTpwdDGFEa1JvAAS7zl3nIBbBDqu6Sl9jq9lMcHKXX6e55wdr1Hy7bSVEk1Hqrbbvd1m+qTUnXUi3TFt79eadlL9l/M82L4BwaXYrb9a4d2Wug7GOuCxg8wA7QjUNtgrx5eCnE3cnbq2u3GGqf1hXeOjG12hfOYajsk2uKg6gmHUIRVHE0NP2nQL/9CX38wUovQ2mVEScEvbxDrNgxv1CtKJuFchoKV0xeCADbIHLC2PSP01wWXmUK+dmFJfX5WmMgPMmIiKQ5QCyHDtgQKBgQD+ohIIHtV1IWNiJzjZL0wuHkol2CwX8NI0Ubx/NZ687Ym6gYLM1sCOS0u0c4UXZ++ELkFtNJfXUXKg9C4eBSyLN+EWBWs8+ofF2FlWfxpu1hOB394Qq7o9MpAI+QPl6a5kTe4lshu4vW4lI/dWmUET33kUY17DHhLVP8AOuA48OQKBgQCcxV0Sa5oiNiEYN33w/WQh9o9JqY6oJgXipdFEW2meB5TFMcCHfff7H+Mz+Q4fBrs3+JzFXlLACvClZkPQzyG1r/JuXbRIjAmSCPDvRCz1NOX8vd2+WkHLT4BX0Zk0vb95NzEMUXFqOxTWvKuoKJWkxry0t0JyqGuR/wj2lLe38QKBgQCFtLq9MtupVq/mAWxzdseMy/DpcFqu85CdUnIlZhWFZUHWAl2ZjAaucVE+Xw563OPDR7qpSl2U/bqwU6fHsbXTILN7qbrG2VLkC5fVuIY7vwOdRd1IabQwoFVLsN5gItWk69rqRl0SI74rmHgvK+glNEpS7176G9eNzJzf3bvz2QKBgBVTV7TQxFfRCzFzIwOsRHnGQ3mewhQnj/dj3RKyaKyhlWA5w1nrDdewX8TLJVudG8yiWhkTGqibFF87iRAXjRtdAtp2jrarrgWah8PUf1UfzAVUgpyJRJf2iZvonDGreidwFZD6ZzYvMUeAxM0MMEcI7dSbdUOJm5Bxo/N/CXrRAoGBAM4DB4C+OTrKuRMmMAnaGLAh2uRuFL4tcnN8NTpdc6RnUusPSeuDZanWJ5BZ04em6SdG2wb2vpYCm4SC82iase8lrvY+nmQK9quNGjVkggAJ9AAINdmN4NSRKQ2g2NDjxWPTas5DlFJBWMJuJ8tBwxRHzSp0Ljgpfy5qOOpgulz3
-----END PRIVATE KEY-----

The client scope for the issued tokens can be set to:

openid offline_access

The resource URL can be set to the UserInfo endpoint of the Connect2id server, for example:

https://fapi.c2id.com/c2id/userinfo

4.3 Sample JWK set code

Sample Java code to generate a FAPI client RSA JWK (alg=PS256) with a self-signed certificate. Requires a recent version of the OAuth 2.0 / OpenID Connect SDK:

import java.security.cert.X509Certificate;
import java.util.*;
import com.nimbusds.jose.*;
import com.nimbusds.jose.jwk.*;
import com.nimbusds.jose.jwk.gen.*;
import com.nimbusds.jose.util.*;
import com.nimbusds.jwt.util.*;
import com.nimbusds.oauth2.sdk.id.*;
import com.nimbusds.oauth2.sdk.util.*;

// Generate an RSA JWK
RSAKey rsaJWK = new RSAKeyGenerator(2048)
    .keyIDFromThumbprint(true)
    .keyUse(KeyUse.SIGNATURE)
    .algorithm(JWSAlgorithm.PS256)
    .generate();

// Use RSA JWK to sign self-issued client certificate
Date now = new Date();
Date nbf = now;
long oneYearInSeconds = 3600 * 24 * 365;
Date exp = DateUtils.fromSecondsSinceEpoch(DateUtils.toSecondsSinceEpoch(now) + oneYearInSeconds);

X509Certificate clientCert = X509CertificateUtils.generateSelfSigned(
    new Issuer("oauth-client"),
    nbf,
    exp,
    rsaJWK.toRSAPublicKey(),
    rsaJWK.toPrivateKey());

// Append client certificate to RSA JWK
rsaJWK = new RSAKey.Builder(rsaJWK)
    .x509CertChain(Collections.singletonList(Base64.encode(clientCert.getEncoded())))
    .build();

// Print out the public JWK set, required for the client metadata
System.out.println(new JWKSet(rsaJWK.toPublicJWK()));

// Print out the PEM-encoded client certificate
System.out.println(X509CertUtils.toPEMString(clientCert));

// Print out the PEM-encoded private key
System.out.println(
    "-----BEGIN PRIVATE KEY-----\n" +
    Base64.encode(rsaJWK.toPrivateKey().getEncoded()) + "\n" +
    "-----END PRIVATE KEY-----\n");