Versions Compared

Version Old Version 1 New Version 2
Changes made by

Chris Michael

Erick Domingues

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

  1. Shall only issue sender-constrained access tokens using mTLS as described in RFC8705.

  2. Shall ensure that the access token expiry is no longer than 10 minutes.

  3. Shall authenticate the confidential client using private_key_jwt;

  4. Shall cache clients jwks_uris for a maximum period of 20 minutes.

  5. Shall support OAuth 2.0 Rich Authorization Requests (RAR) as a method of conveying information about the End User Authorization Request.

  6. Shall only process authorization requests if the type specified in the authorization_details attribute matches any of the types listed in the authorization_detail_types metadata attribute of the Relying Party.

  7. Shall use the query parameter as the mechanism for returning authorization response parameters as the response mode, which is the default for the code response type.

  8. Shall advertise support for all signing, authentication mechanisms, and standards required to support this Specification on its OpenID Connect Discovery (.well-known) endpoint.

  9. Shall support and require signed request objects according to the OAuth JWT-Secured Authorization Request (JAR) [RFC9101] at the PAR endpoint [RFC9126].

  10. Shall require the aud claim in the request object to be, or to be an array containing, the OP's Issuer Identifier URL.

  11. Shall require the request object to contain an exp claim that has a lifetime of no longer than 10 minutes after the nbf claim and an nbf claim that is not more than 10 minutes in the past.

  12. Shall only rely on the parameters included in the signed request object passed via the request_uri parameter except for the client_idparameter.

  13. Shall set the response header x-fapi-interaction-id to the value received from the corresponding client request header, or to a RFC4122 UUID if the request header was not provided, to track the interaction.

  14. Shall issue refresh_tokens with an expiration period set to the same length as the expiration period of the longest consent with which the token can be used. For consents that do not have an expiry period, the authorization server shall issue refresh_tokens without an expiration period, or, if not technically achievable, with an expiration period greater than 100 years.

  15. Shall enforce that all redirect URIs passed by the Relying Party are pre-registered in the client metadata as provided by the Trust Framework, in accordance with the Registration Framework, and shall reject any requests containing unregistered redirect URIs

  16. Shall require mTLS for the Pushed Authorization Requests(PAR) endpoint.

2.2 Client Considerations (Relying Party)

...

For TLS, all of the Data Provider’s Authorization Server endpoints and Resource Server endpoints shall support mTLS connections with the algorithms specified in the 5.2 section of the FAPI 2.0 Security Profile.

For JWE, both clients and Authorization Servers

shall use RSA-OAEP with A256GCM

2.4 Consent and Authorization Mechanism Considerations

...