Implementing FAPI2 Message Signing profile - Signing Authorization Requests with Authlete

Overview

This article explains “FAPI2 Message Signing profile - Signing Authorization Requests” (hereinafter referred to as FAPI2 MS Auth Req) and how to implement it with Authlete. For a detailed explanation, we illustrate FAPI2 MS Auth Req using Authorization Code Flow depicted below.

Authorization Code Flow in FAPI2 MS Auth Req

The following sections explain how to setup the service and the client and demonstrate this flow through actual API calls.

Service Configurations

At the service owner console, configure the service as follows.

Basic > Token Issuer Identifier

Set your authorization server’s issuer identifier.

Authorization > Supported Grant Types

Include AUTHORIZATION_CODE.

Authorization > Supported Response Types

Include CODE.

Authorization > Supported Service Profiles

Include FAPI.

Authorization > Authorization Endpoint > iss Response Parameter

Select Included. This is required by FAPI 2.0 Security Profile, 5.3.1.2. Authorization Code Flow:

“FAPI 2.0 Security Profile, 5.3.1.2. Authorization Code Flow”

For the Authorization Code flow, Authorization servers

7. shall return an iss parameter in the authorization response according to [RFC9207]

Authorization > Token Endpoint > Token Endpoint URI

Set your authorization server’s token endpoint URI.

Authorization > Token Endpoint > Supported Client Authentication Methods

MTLS or private_key_jwt is required as the client authentication method, according to FAPI2 Security profile, 5.3.1.1. General Requirements:

“FAPI2 Security profile, 5.3.1.1. General Requirements”

Authorization servers

6. shall authenticate clients using one of the following methods:

- MTLS as specified in section 2 of [RFC8705]

- private_key_jwt as specified in section 9 of [OIDC]

In the following API call simulation, we use private_key_jwt for client authentication. Then, this property must include PRIVATE_KEY_JWT.

Authorization > Request Object > nbf Claim

Select Required. This is required by FAPI2 MS profile, 5.3.1. Requirements for Authorization Servers:

“FAPI2 MS profile, 5.3.1. Requirements for Authorization Servers”

Authorization servers implementing FAPI2 authorization request signing

3. shall require the request object to contain an nbf claim that is no longer than 60 minutes in the past;

Authorization > Request Object > Audience Validation

Select Perform. This is required by FAPI2 MS profile, 5.3.1. Requirements for Authorization Servers:

“FAPI2 MS profile, 5.3.1. Requirements for Authorization Servers”

Authorization servers implementing FAPI2 authorization request signing

2. shall require the aud claim in the request object to be, or to be an array containing, the OP's Issuer Identifier URL;

Token > Access Token > Access Token Signature Algorithm

Select PS256, ES256 or EdDSA, according to FAPI2 Security Profile, 5.4. Cryptography and Secrets:

FAPI2 Security profile, 5.4. Cryptography and Secrets

Authorization Servers, Clients, and Resource Servers when creating or processing JWTs shall

2. use PS256, ES256, or EdDSA (using the Ed25519 subtype) algorithms

Token > Scope > Supported Scopes

Create a scope attribute and set the key to fapi2 and the value to ms-authreq. Then, link it to one of the supported scope. The below is an example of such a scope:

{
  "name": "myscope",
  "attributes": [
    {
      "key": "fapi2",
      "value": "ms-authreq"
    }
  ]
  ...
}

JWK Set > JWK Set Content

Set a JWK set containing required JWKs (e.g. JWT access token sign key).

JWK Set > JWK Set Endpoint URI

Set a URI that starts with https. The URI needs to point to a JWK set containing required JWKs (e.g. JWT access token sign key).

Client Configurations

At the client developer console, configure the client as follows.

Basic > Client Type

Select CONFIDENTIAL.

Authorization > Grant Types

Include AUTHORIZATION_CODE.

Authorization > Response Types

Include CODE.

Authorization > Redirect URIs

Create at least one redirect URI.

Authorization > Client Authentication Method

MTLS or private_key_jwt is required as the client authentication method, according to FAPI2 Security profile, 5.3.2.1. General Requirements:

“FAPI2 Security profile, 5.3.2.1. General Requirements”

Clients

2. shall support client authentication using one of the following methods:

- MTLS as specified in section 2 of [RFC8705]

- private_key_jwt as specified in section 9 of [OIDC]

In the following API call simulation, we use private_key_jwt for client authentication. Then, this property must be set to PRIVATE_KEY_JWT.

Authorization > Token Endpoint > Assertion Signature Algorithm

Select PS256, ES256 or EdDSA, according to FAPI2 Security Profile, 5.4. Cryptography and Secrets:

FAPI2 Security profile, 5.4. Cryptography and Secrets

Authorization Servers, Clients, and Resource Servers when creating or processing JWTs shall

2. use PS256, ES256, or EdDSA (using the Ed25519 subtype) algorithms

ID Token > ID Token Signature Algorithm

Select an encryption algorithm other than NONE, according to FAPI2 Security Profile, 5.4. Cryptography and Secrets:

“FAPI2 Security profile, 5.4. Cryptography and Secrets”

Authorization Servers, Clients, and Resource Servers when creating or processing JWTs shall

not use or accept the none algorithm

ID Token > ID Token Encryption Algorithm

Select an encryption algorithm other than RSA1_5. This is required by FAPI2 Security Profile, 5.4. Cryptography and Secrets:

“FAPI2 Security profile, 5.4. Cryptography and Secrets”

Authorization Servers, Clients, and Resource Servers when creating or processing JWTs shall

1. adhere to [RFC8725]

Note that RFC8725, 3.2. Use Appropriate Algorithms states as follows:

“RFC8725, 3.2. Use Appropriate Algorithms”

Applications SHOULD follow these algorithm-specific recommendations:

- Avoid all RSA-PKCS1 v1.5 encryption algorithms ([RFC8017], Section 7.2), preferring RSAES-OAEP ([RFC8017], Section 7.1).

JWK Set > JWK Set Content

Set a JWK set containing required JWKs (e.g. client assertion sign key).

JWK Set > JWK Set URI

Set a URI that starts with https. The URI needs to point to a JWK set containing required JWKs (e.g. client assertion sign key).

API Call Simulation

In this section, we simulate API calls that the authorization server makes against Authlete APIs in the context of Authorization Code Flow in FAPI2 Security profile.

1. /pushed_auth_req API

Suppose that a FAPI2 MS Auth Req compliant client sends a valid request to the pushed authorization request endpoint of authorization server. The pushed authorization request endpoint must authenticate the client using MTLS or private_key_jwt at the pushed authorization request endpoint. This is required by FAPI2 Security profile, 5.3.2.1. General Requirements:

“FAPI2 Security profile, 5.3.2.1. General Requirements”

Clients

2. shall support client authentication using one of the following methods:

- MTLS as specified in section 2 of [RFC8705]

- private_key_jwt as specified in section 9 of [OIDC]

In this simulation, we use private_key_jwt as the client authentication method.

Additionally, the request object (the value of the request parameter) in the request must be a signed JWT, according to FAPI2 MS profile, 5.3.1. Requirements for Authorization Servers and FAPI2 MS profile, 5.3.2. Requirements for Clients:

“FAPI2 MS profile, 5.3.1. Requirements for Authorization Servers”

Authorization servers implementing FAPI2 authorization request signing

1. shall support, require use of, and verify signed request objects according to JAR [RFC9101] at the PAR endpoint [RFC9126];

“FAPI2 MS profile, 5.3.2. Requirements for Clients”

Clients implementing FAPI2 authorization request signing

1. shall send all authorization parameters to the PAR endpoint [RFC9126] in a JAR [RFC9101] signed requested object;

Claims in the request object must meet the following requirements:

iss claim

The iss claim must be the client ID, according to RFC 9126, 3. The “request” Request Parameter:

“RFC 9126, 3. The “request” Request Parameter”

The authorization server MUST take the following steps beyond the processing rules defined in Section 2.1:

3. If the client has authentication credentials established with the authorization server, reject the request if the authenticated client_id does not match the client_id claim in the Request Object. Additionally, requiring the iss claim to match the client_id is at the discretion of the authorization server.

scope claim

The scope claim must be set to a scope associated with an attribute whose key is fapi2 and value is ms-authreq, respectively. See this for more details.

response_type claim

The response_type claim must be set to code, according to FAPI2 Security profile, 5.3.2.2. Authorization Code Flow:

“FAPI2 Security profile, 5.3.2.2. Authorization Code Flow”

For the Authorization Code flow, Clients

1. shall use the authorization code grant described in [RFC6749]

code_challenge claim and code_challenge_method claim

The code_challenge claim must be set and the code_challenge_method claim must be set to S256, according to FAPI2 Security profile, 5.3.2.2. Authorization Code Flow:

“FAPI2 Security profile, 5.3.2.2. Authorization Code Flow”

For the Authorization Code flow, Clients

3. shall use PKCE [RFC7636] with S256 as the code challenge method

redirect_uri claim

The redirect_uri claim must be a URI starting with https, according to FAPI2 Security profile, 5.3.1.2. Authorization Code Flow:

“FAPI2 Security profile, 5.3.2.2. Authorization Code Flow”

For the Authorization Code flow, Authorization servers

6. shall require the redirect_uri parameter in pushed authorization requests

8. shall not transmit authorization responses over unencrypted network connections, and, to this end, shall not allow redirect URIs that use the "http" scheme except for native clients that use Loopback Interface Redirection as described in [RFC8252], Section 7.3,

aud claim

The aud claim must be the OP’s Issuer Identifier URL or an array containing it, according to FAPI2 MS profile, 5.3.1. Requirements for Authorization Servers and FAPI2 MS profile, 5.3.2. Requirements for Clients:

“FAPI2 MS profile, 5.3.1. Requirements for Authorization Servers”

Authorization servers implementing FAPI2 authorization request signing

2. shall require the aud claim in the request object to be, or to be an array containing, the OP's Issuer Identifier URL;

“FAPI2 MS profile, 5.3.2. Requirements for Clients”

Clients implementing FAPI2 authorization request signing

2. shall send the aud claim in the request object as the OP's Issuer Identifier URL;

nbf claim and exp claim

The nbf claim is no longer than 60 minutes in the past, according to FAPI2 MS profile, 5.3.1. Requirements for Authorization Servers and FAPI2 MS profile, 5.3.2. Requirements for Clients:

“FAPI2 MS profile, 5.3.1. Requirements for Authorization Servers”

Authorization servers implementing FAPI2 authorization request signing

3. shall require the request object to contain an nbf claim that is no longer than 60 minutes in the past;

“FAPI2 MS profile, 5.3.2. Requirements for Clients”

Clients implementing FAPI2 authorization request signing

3. shall send a nbf claim in the request object;

Additionally, the lifetime of the request object (exp - nbf) is no longer than 60 minutes after the nbf claim, according to FAPI2 MS profile, 5.3.1. Requirements for Authorization Servers and FAPI2 MS profile, 5.3.2. Requirements for Clients:

“FAPI2 MS profile, 5.3.1. Requirements for Authorization Servers”

Authorization servers implementing FAPI2 authorization request signing

4. shall require the request object to contain an exp claim that has a lifetime of no longer than 60 minutes after the nbf claim.

“FAPI2 MS profile, 5.3.2. Requirements for Clients”

Clients implementing FAPI2 authorization request signing

4. shall send an exp claim in the request object that has a lifetime of no longer than 60 minutes.

Taking all of the requirements above into account, the request that the client send to the pushed authorization endpoint would be like below.

POST /par HTTP/1.1
Host: server.example.com
Content-Type: application/x-www-form-urlencoded

request=eyJhbGci...&
client_id={Client ID}&
client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer&
client_assertion=eyJhbGci...

The payload of the request object is as follows.

{
  "jti": "kcvE4Tn",
  "iss": "{Client ID}",
  "aud": "https://server.example.com",
  "response_type": "code",
  "code_challenge_method": "S256",
  "code_challenge": "pr2TmSd_...",
  "scope": "myscope",
  "redirect_uri": "https://client.example.com/cb",
  "nbf": 1701760807,
  "exp": 1701760867,
  "nonce": "aOLpUqqjMINQeclZ"
}

After the authorization server receives the request from the client, the authorization server calls Authlete /pushed_auth_req API including the received parameters. Below is a curl command that simulates a request from the authorization server to Authlete /pushed_auth_req API.

curl -s -X POST https://api.authlete.com/api/pushed_auth_req \
-u '{Service API Key}:{Service API Secret}' \
-H 'Content-type: application/json' \
-d '{"parameters":"request=eyJhbGci...&client_id={Client ID}&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer&client_assertion=eyJhbGci..."}'
curl -s -X POST https://api.authlete.com/api/pushed_auth_req \
-H 'Bearer {Authlete API Access Token}'
-H 'Content-type: application/json' \
-d '{"parameters":"request=eyJhbGci...&client_id={Client ID}&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer&client_assertion=eyJhbGci..."}'

A successful response from the API contains a request URI. The response would look like below.

{
  "resultCode": "A245001",
  "resultMessage": "[A245001] Successfully registered a request object for client ({Client ID}), URI is urn:ietf:params:oauth:request_uri:H7XaM5FK2-RGcSRilYwe9FosTkk9XLMDZPEBA5uKsf8.",
  "action": "CREATED",
  "requestUri": "urn:ietf:params:oauth:request_uri:H7XaM5FK2-RGcSRilYwe9FosTkk9XLMDZPEBA5uKsf8",
  "responseContent": "{\"expires_in\":60,\"request_uri\":\"urn:ietf:params:oauth:request_uri:H7XaM5FK2-RGcSRilYwe9FosTkk9XLMDZPEBA5uKsf8\"}"
}

2. /auth/authorization API

After obtaining a request URI in step 1, the client sends an authorization request, including the request URI, to the authorization endpoint of the authorization server. The request appears as below.

GET /authorization?client_id={Client ID}&request_uri=urn:ietf:params:oauth:request_uri:H7XaM5FK2-RGcSRilYwe9FosTkk9XLMDZPEBA5uKsf8 HTTP/1.1
Host: server.example.com

When the authorization server receives the request from the client, the authorization sever calls Authlete /auth/authorization API. Below is a curl command that simulates a request from the authorization server to Authlete /auth/authorization API.

curl -s -X POST https://api.authlete.com/api/auth/authorization \
-u '{Service API Key}:{Service API Secret}' \
-H 'Content-type: application/json' \
-d '{"parameters":"client_id={Client ID}&request_uri=urn:ietf:params:oauth:request_uri:H7XaM5FK2-RGcSRilYwe9FosTkk9XLMDZPEBA5uKsf8"}'
curl -s -X POST https://api.authlete.com/api/auth/authorization \
-H 'Bearer {Authlete API Access Token}'
-H 'Content-type: application/json' \
-d '{"parameters":"client_id={Client ID}&request_uri=urn:ietf:params:oauth:request_uri:H7XaM5FK2-RGcSRilYwe9FosTkk9XLMDZPEBA5uKsf8"}'

A successful response from the API would be like below.

{
  "type": "authorizationResponse",
  "resultCode": "A004001",
  "resultMessage": "[A004001] Authlete has successfully issued a ticket to the service (API Key = 20699248885) for the authorization request from the client (ID = {Client ID}). [response_type=code, openid=false]",
  "ticket": "CBKnPeMO...",
  ...
}

3. /auth/authorization/issue API

After the authorization server receives a successful response from /auth/authorization API, the end-user authorizes/denies the client in the browser. The authorization result is then conveyed to the authorization server and the authorization server calls Authlete /auth/authorization/issue API with the result. Below is a curl command that simulates a request from the authorization server to Authlete /auth/authorization/issue API.

curl -s -X POST https://api.authlete.com/api/auth/authorization/issue \
-u '{Service API Key}:{Service API Secret}' \
-H 'Content-type: application/json' \
-d '{"ticket":"CBKnPeMO...","subject":"john","result":"AUTHORIZED"}'
curl -s -X POST https://api.authlete.com/api/auth/authorization/issue \
-H 'Bearer {Authlete API Access Token}'
-H 'Content-type: application/json' \
-d '{"ticket":"CBKnPeMO...","subject":"john","result":"AUTHORIZED"}'

A successful response from the API would be like below.

{
  "type": "authorizationIssueResponse",
  "resultCode": "A040001",
  "resultMessage": "[A040001] The authorization request was processed successfully.",
  "authorizationCode": "xY1Vd-rj...",
  ...
}

4. /auth/token API

After obtaining an authorization code in step 3, the client sends a token request, including the authorization code, to the token endpoint of the authorization server. Similar to the requirement at the pushed authorization request endpoint, the client must authenticate itself using either MTLS or private_key_jwt at the token endpoint. In this simulation, we use private_key_jwt for client authentication.

Additionally, access tokens must be sender-constrained with MTLS or DPoP, according to FAPI2 Security profile, 5.3.1.1. General Requirements and FAPI2 Security profile, 5.3.2.1. General Requirements:

“FAPI2 Security profile, 5.3.1.1. General Requirements”

Authorization servers

4. shall only issue sender-constrained access tokens,

5. shall use one of the following methods for sender-constrained access tokens:

- MTLS as described in [RFC8705]

- DPoP as described in [I-D.ietf-oauth-dpop]

“FAPI2 Security profile, 5.3.2.1. General Requirements”

For the Authorization Code flow, Clients

1. shall support sender-constrained access tokens using one of the following methods:

- MTLS as described in [RFC8705]

- DPoP as described in [I-D.ietf-oauth-dpop]

In this simulation, we use DPoP as the sender-constrained access token mechanism. Therefore, the client must present a DPoP proof JWT for the authorization server to obtain a sender-constrained access token.

Note that DPoP proof JWT must be signed with PS256, ES256 or EdDSA, according to FAPI2 Security Profile, 5.4. Cryptography and Secrets.

FAPI2 Security profile, 5.4. Cryptography and Secrets

Authorization Servers, Clients, and Resource Servers when creating or processing JWTs shall

2. use PS256, ES256, or EdDSA (using the Ed25519 subtype) algorithms

Taking the requirements above into account, the token request would look like as below.

POST /token HTTP/1.1
Host: server.example.com
Content-Type: application/x-www-form-urlencoded
DPoP: eyJ0eXAi...

client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer
&client_assertion=eyJhbGci...
&client_id={Client ID}
&code=xY1Vd-rj...
&redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb
&grant_type=authorization_code
&code_verifier=dBjftJeZ...

After the token endpoint receives a request from the client, the authorization server calls Authlete /auth/token API. Below is a curl command that simulates a request from the authorization server to Authlete /auth/token API.

curl -s -X POST https://api.authlete.com/auth/token \
-u '{Service API Key}:{Service API Secret}' \
-H 'Content-type: application/json' \
-d '{"parameters":"client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer&client_assertion=eyJhbGci...&client_id={Client ID}&code=xY1Vd-rj...&redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb&grant_type=authorization_code&code_verifier=dBjftJeZ...","dpop":"eyJ0eXAi..."}'
curl -s -X POST https://api.authlete.com/auth/token \
-H 'Bearer {Authlete API Access Token}'
-H 'Content-type: application/json' \
-d '{"parameters":"client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer&client_assertion=eyJhbGci...&client_id={Client ID}&code=xY1Vd-rj...&redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb&grant_type=authorization_code&code_verifier=dBjftJeZ...","dpop":"eyJ0eXAi..."}'

A successful response from the API would be like below.

{
  "resultCode": "A050001",
  "resultMessage": "[A050001] The token request (grant_type=authorization_code) was processed successfully.",
  "accessToken": "7i9xPkbk...",
  ...
}

5. /auth/introspection API

After completing all the steps above, the client gets an access token and can access a resource server’s endpoint with the access token like below.

GET /api/sample HTTP/1.1
Authorization: DPoP 7i9xPkbk...
DPoP: eyJ0eXAi...
Host: resource.example.com

Note that the client needs to present a DPoP proof JWT to the resource server’s endpoint along with the access token.

When the resource server receives the request from the client, it calls Authlete /auth/introspection API to verify the access token. Below is a curl command that simulates a request from the resource server to Authlete /auth/introspection API.

curl -s -X POST https://api.authlete.com/api/auth/introspection \
-u '{Service API Key}:{Service API Secret}' \
-H 'Content-type: application/json' \
-d '{"token":"7i9xPkbk...","dpop":"eyJ0eXAi...","htm":"GET","htu":"https://resource.example.com/api/sample"}'
curl -s -X POST https://api.authlete.com/api/auth/introspection \
-H 'Bearer {Authlete API Access Token}'
-H 'Content-type: application/json' \
-d '{"token":"7i9xPkbk...","dpop":"eyJ0eXAi...","htm":"GET","htu":"https://resource.example.com/api/sample"}'

A successful response from the API would be like below.

{
  "resultCode": "A056001",
  "resultMessage": "[A056001] The access token is valid.",
  "action": "OK",
  ...
}