Release notes and documentation for FAPI 2 (#22228)

Closes #21945


Co-authored-by: andymunro <48995441+andymunro@users.noreply.github.com>
Marek Posolda 2023-08-04 08:21:27 +02:00 committed by GitHub
parent fa5ddf97ac
commit d954dfec5e
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 10 additions and 3 deletions

@ -4,4 +4,9 @@ Message properties files for themes are now read in UTF-8 encoding, with an auto
See the migration guide for more details.
= FAPI 2 drafts support
Keycloak has new client profiles `fapi-2-security-profile` and `fapi-2-message-signing`, which ensure Keycloak enforces compliance with
the latest FAPI 2 draft specifications when communicating with your clients. Thanks to https://github.com/tnorimat[Takashi Norimatsu] for the contribution.
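Review bot: "ensure Keycloak enforces compliance with the latest FAPI 2 draft specifications" overstates what a global profile does on its own; as the adapter guide in this same commit notes, a profile only takes effect once a client policy in the realm links to it, and it covers the authorization-server side of the specification while client-side validation still has to be done by the application. Suggest adding a pointer to the FAPI section of the adapter guide here, and replacing "latest" with the draft revision the `fapi-2-security-profile` and `fapi-2-message-signing` executors were written against, since the drafts move.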

@ -6,6 +6,8 @@
* https://openid.net/specs/openid-financial-api-part-1-1_0.html[Financial-grade API Security Profile 1.0 - Part 1: Baseline]
* https://openid.net/specs/openid-financial-api-part-2-1_0.html[Financial-grade API Security Profile 1.0 - Part 2: Advanced]
* https://openid.net/specs/openid-financial-api-ciba-ID1.html[Financial-grade API: Client Initiated Backchannel Authentication Profile] (FAPI CIBA)
* https://openid.bitbucket.io/fapi/fapi-2_0-security-profile.html[FAPI 2.0 Security Profile (Draft)]
* https://openid.bitbucket.io/fapi/fapi-2_0-message-signing.html[FAPI 2.0 Message Signing (Draft)]
This compliance means that the {project_name} server will verify the requirements
for the authorization server, which are mentioned in the specifications. {project_name} adapters do not have any specific support for the FAPI, hence the required validations on the client (application)
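Review bot: the two new list entries link the openid.bitbucket.io renderings of the FAPI 2.0 Security Profile and Message Signing drafts, which are unversioned pages that change between draft revisions, so a reader cannot tell which set of requirements the server actually checks once the draft is revised. Consider naming the draft revision the FAPI 2 executors implement next to each link (or in the sentence that follows the list), in the same way the FAPI 1 entries name "1.0".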
@ -15,7 +17,7 @@ side may need to be still done manually or through some other third-party soluti
To make sure that your clients are FAPI compliant, you can configure Client Policies in your realm as described in the link:{adminguide_link}#_client_policies[{adminguide_name}]
and link them to the global client profiles for FAPI support, which are automatically available in each realm. You can use either `fapi-1-baseline` or `fapi-1-advanced` profile based on which FAPI
profile you need your clients to conform with.
profile you need your clients to conform with. You can use also profiles `fapi-2-security-profile` or `fapi-2-message-signing` for the compliance with FAPI 2 Draft specifications.
In case you want to use link:{adminguide_link}#_oidc_clients[Pushed Authorization Request (PAR)], it is recommended that your client use
both the `fapi-1-baseline` profile and `fapi-1-advanced` for PAR requests. Specifically, the `fapi-1-baseline` profile contains `pkce-enforcer` executor, which makes sure
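Review bot: the added sentence reads "You can use also profiles `fapi-2-security-profile` or `fapi-2-message-signing` for the compliance with FAPI 2 Draft specifications"; suggest "You can also use the `fapi-2-security-profile` or `fapi-2-message-signing` profiles for compliance with the FAPI 2 draft specifications." The unchanged paragraph that follows still recommends combining `fapi-1-baseline` and `fapi-1-advanced` for PAR because of the `pkce-enforcer` executor; it should now say whether that advice is meant for FAPI 1 only or whether a FAPI 2 client needs the same combination, otherwise a reader may attach FAPI 1 profiles to a client that is meant to follow FAPI 2.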

@ -31,7 +31,7 @@ Validation of client configurations::
Conformance to a required security standards and profiles such as FAPI::
The _Global client profiles_ are client profiles pre-configured in {project_name} by default. They are pre-configured to be compliant with standard security profiles like link:{adapterguide_link}#_fapi-support[FAPI],
which makes it easy for the administrator to secure their client application to be compliant with the particular security profile. At this moment, {project_name} has global
profiles for the support of FAPI 1 specification. The administrator will just need to configure the client policies to specify which clients should
profiles for the support of FAPI specifications. The administrator will just need to configure the client policies to specify which clients should
be compliant with the FAPI. The administrator can configure client profiles and client policies, so that {project_name} clients can be easily made compliant with various other
security profiles like SPA, Native App, Open Banking and so on.
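Review bot: "global profiles for the support of FAPI specifications" drops the information the old line carried ("FAPI 1 specification") without adding the new one. Either name the profiles the way the Profile section later in this commit does ("FAPI 1 Baseline, FAPI 1 Advanced, FAPI CIBA and FAPI 2") or drop the sentence and rely on the `_fapi-support` link in the preceding sentence, which already lists them.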
@ -132,7 +132,7 @@ One of several purposes for this executor is to realize the security requirement
=== Profile
A profile consists of several executors, which can realize a security profile like FAPI. Profile can be configured by the Admin REST API (Admin Console) together with its executors.
Three _global profiles_ exist and they are configured in {project_name} by default with pre-configured executors compliant with the FAPI Baseline, FAPI Advanced and FAPI CIBA specifications.
Three _global profiles_ exist and they are configured in {project_name} by default with pre-configured executors compliant with the FAPI 1 Baseline, FAPI 1 Advanced, FAPI CIBA and FAPI 2 specifications.
More details exist in the FAPI section of the link:{adapterguide_link}#_fapi-support[{adapterguide_name}].
[[_client_policy_policy]]
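Review bot: "Three _global profiles_ exist" is no longer correct once the line lists FAPI 1 Baseline, FAPI 1 Advanced, FAPI CIBA and FAPI 2: the release note in this commit introduces two FAPI 2 profiles (`fapi-2-security-profile` and `fapi-2-message-signing`) alongside `fapi-1-baseline`, `fapi-1-advanced` and the CIBA profile, so the count should be updated, or the number dropped and the profile names listed instead. "FAPI 2 specifications" should also say which profile corresponds to the FAPI 2.0 Security Profile and which to Message Signing, since the two drafts are linked separately in the adapter guide.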