Financial-grade API Security Profile 1.0 - Part 1: Baseline

Spec: https://openid.net/specs/openid-financial-api-part-1-1_0.html

## Work Required

* [ ] Support mTLS (>= 1.2)
* [ ] Add configuration that restricts the client to more safe settings
  * [ ] Require `nonce` or `state` depending on `openid` scope
  * [ ] Public Client: require PKCE
  * [ ] Store `redirect_uri` in session and compare on redirect back
  * [ ] Require CSRF
  * [ ] Compare scopes (no additional ones compared to requested scopes)
  * [ ] Confidential Client: RSA >= 2048, EC >= 160, Symmetric Key >= 128
  * [ ] No params in query, only request body / request jwt
  * [ ] Set `Date` header on requests
  * [ ] Set `x-fapi-interaction-id` header
  * [ ] Put `x-fapi-interaction-id` value into telemetry events
  * [ ] Set `x-fapi-customer-ip-address` header
  * [ ] Set `x-fapi-auth-date` header

:pushpin: This issue is here to track interest for the implementation. Leave a :+1: if you would like this implemented.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

Financial-grade API Security Profile 1.0 - Part 1: Baseline #246

Work Required

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Uh oh!

Financial-grade API Security Profile 1.0 - Part 1: Baseline #246

Description

Work Required

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions