Authlete 2.3 has been released

The new version supports the latest draft specifications of FAPI 2.0, OIDC Federation, and OIDC4IDA, and enhances capabilities to enable broad OAuth/OIDC use cases

On Tuesday, January 10, 2023, Authlete, Inc. released “Authlete 2.3.”

“Authlete” is an OAuth/OIDC Component-as-a-Service solution that provides the core functionality of OAuth 2.0 and OpenID Connect (OIDC) as API components. It has been adopted by customers in financial services, e-commerce, media, B2B SaaS and other sectors, and has been an industry leader in implementing the latest OAuth/OIDC specifications, including being the first in the world to receive all “Certified FAPI OpenID Providers” certifications.

Authlete 2.3, the newest version of Authlete, supports the latest draft specifications of FAPI 2.0, OIDC Federation, and OIDC4IDA, which are being developed by working groups under the OpenID Foundation in the United States. Our customers can immediately start implementing ID/API infrastructure that complies with these next-generation open standards.

The new Authlete also offers greater flexibility in OAuth/OIDC profiling with support for new OAuth/OIDC extensions, additional customizable settings, and enhanced Authlete APIs. Our customers can leverage the solution to quickly and securely implement their OAuth/OIDC services that best fit their use cases.

Highlights in Authlete 2.3

Implementations of FAPI 2.0, OIDC Federation and OIDC4IDA

FAPI 2.0 (FAPI 2.0 Security Profile)

  • FAPI 2.0 is the next version of “Financial-grade API 1.0,” a set of specifications for the API security required in the financial services industry (FSI). It introduces the latest OAuth/OIDC extensions, incorporates real-world experience from FAPI 1.0 deployments, and reorganizes the structure of the specifications to improve ease of implementation and to accelerate adoption in industries beyond FSI. “FAPI 2.0 Security Profile,” one of the FAPI 2.0 specifications, is the substantial successor to “FAPI Security Profile 1.0 - Part 2: Advanced” in FAPI 1.0. The current version is the 2nd Implementer’s Draft.

OIDC Federation (OpenID Connect Federation 1.0)

  • OIDC Federation is a specification that lets OIDC services (OpenID providers and relying parties) in a “multilateral federation model,” which have no direct prior trust relationship, dynamically establish a connection with each other through the mediation of a trusted third party. It has been adopted as one of the technical specifications in the PoC (Proof of Concept) of “GAIN (Global Assured Identity Network),” a project to build a worldwide trusted digital identity network on the Internet. The current version is Draft 25.

OIDC4IDA (OpenID Connect for Identity Assurance 1.0)

  • OIDC4IDA is a specification that extends OIDC to request and return “verified claims” (user attribute information together with its context: what was verified, how, when, according to which rules, using what evidence, etc.). It is intended for use cases that require strong identity verification to meet regulatory requirements such as Anti-Money Laundering laws or access to health data, or for risk mitigation and fraud prevention. It has also been adopted as one of the technical specifications in the GAIN PoC. The current version is the 4th Implementer’s Draft.

Support of new OAuth/OIDC extensions

  • RFC 8693 OAuth 2.0 Token Exchange
  • RFC 7523 Section 2.1 / JWT Authorization Grant
  • OAuth 2.0 Step-up Authentication Challenge Protocol
  • Grant Management for OAuth 2.0
  • Advanced Syntax for Claims (ASC) / Transformed Claims

Additional customizable settings and enhanced Authlete APIs

  • Setting for idempotent refresh tokens
  • Setting for flexible loopback redirection URIs
  • Setting for auto-generated access tokens for external attachments (OIDC4IDA)
  • Setting for removing openid scope on token refresh
  • Additional settings for clients (e.g., single access token per subject, PKCE enforcement)
  • Support for adding arbitrary claims in a payload part of JWT access tokens
  • Support for adding arbitrary claims in a header part of ID tokens
  • Support for modification of discovery documents (using JSON Patch)
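The last item refers to RFC 6902 JSON Patch being applied to the OIDC discovery document before it is served. The following added example is not Authlete's code and does not use its API; it implements the four patch operations the technique relies on (add, replace, remove, test) over a constructed sample discovery document, and then runs the check a practitioner wants before publishing patched metadata: that every member OIDC Discovery marks REQUIRED is still present and that `issuer` has not changed. The document, the patch and the endpoint URLs are all constructed assumptions.

```python
"""Minimal RFC 6902 JSON Patch applied to an OIDC discovery document.

Added example, not Authlete's code. Patching the published metadata is
easy; the part worth showing is the post-patch check that the document
still carries the members OIDC Discovery requires and that "issuer" is
unchanged, so a patch cannot silently publish broken or misleading metadata.
"""
import copy

# Constructed sample discovery document (assumption: not real Authlete output).
DISCOVERY_DOC = {
    "issuer": "https://as.example.com",
    "authorization_endpoint": "https://as.example.com/authorize",
    "token_endpoint": "https://as.example.com/token",
    "jwks_uri": "https://as.example.com/jwks",
    "response_types_supported": ["code"],
    "subject_types_supported": ["public"],
    "id_token_signing_alg_values_supported": ["RS256"],
    "grant_types_supported": ["authorization_code", "refresh_token"],
    "code_challenge_methods_supported": ["S256", "plain"],
}

# Constructed patch: advertise a PAR endpoint, stop advertising "plain" PKCE,
# append a grant type, and assert the issuer is the expected one.
PATCH = [
    {"op": "add", "path": "/pushed_authorization_request_endpoint",
     "value": "https://as.example.com/par"},
    {"op": "replace", "path": "/code_challenge_methods_supported",
     "value": ["S256"]},
    {"op": "add", "path": "/grant_types_supported/-",
     "value": "urn:ietf:params:oauth:grant-type:token-exchange"},
    {"op": "test", "path": "/issuer", "value": "https://as.example.com"},
]

# Members that OIDC Discovery 1.0, section 3, marks REQUIRED.
REQUIRED_MEMBERS = (
    "issuer", "authorization_endpoint", "jwks_uri", "response_types_supported",
    "subject_types_supported", "id_token_signing_alg_values_supported",
)


def _tokens(path):
    """Split an RFC 6901 JSON Pointer into unescaped reference tokens."""
    if not path.startswith("/"):
        raise ValueError("only pointers below the root are supported: %r" % path)
    return [t.replace("~1", "/").replace("~0", "~") for t in path[1:].split("/")]


def _locate(doc, tokens):
    """Walk to the parent container and return (parent, key); lists use int keys."""
    parent = doc
    for t in tokens[:-1]:
        parent = parent[int(t)] if isinstance(parent, list) else parent[t]
    key = tokens[-1]
    if isinstance(parent, list) and key != "-":
        key = int(key)
    return parent, key


def _exists(parent, key):
    if isinstance(parent, list):
        return key != "-" and 0 <= key < len(parent)
    return key in parent


def apply_patch(doc, patch):
    """Return a patched deep copy of doc; supports add, replace, remove and test."""
    out = copy.deepcopy(doc)
    for op in patch:
        parent, key = _locate(out, _tokens(op["path"]))
        kind = op["op"]
        if kind == "add":
            if isinstance(parent, list):
                if key == "-":
                    parent.append(op["value"])  # "-" means append (RFC 6901)
                else:
                    parent.insert(key, op["value"])
            else:
                parent[key] = op["value"]
        elif kind in ("replace", "remove", "test"):
            if not _exists(parent, key):
                raise KeyError("path does not exist: %s" % op["path"])
            if kind == "replace":
                parent[key] = op["value"]
            elif kind == "remove":
                del parent[key]
            elif parent[key] != op["value"]:
                raise ValueError("test failed at %s" % op["path"])
        else:
            raise ValueError("unsupported op: %s" % kind)
    return out


def check_patched_doc(original, patched):
    """Return a list of problems; an empty list means the metadata is safe to publish."""
    problems = []
    for member in REQUIRED_MEMBERS:
        if member not in patched:
            problems.append("missing required member: %s" % member)
    if patched.get("issuer") != original.get("issuer"):
        problems.append("issuer changed")
    return problems


if __name__ == "__main__":
    result = apply_patch(DISCOVERY_DOC, PATCH)
    print(result["code_challenge_methods_supported"], check_patched_doc(DISCOVERY_DOC, result))
```

A `test` operation on `/issuer` makes the patch refuse to apply at all if it is ever run against the wrong tenant's document, and `check_patched_doc` rejects a patch that removes a REQUIRED member or rewrites `issuer`, since relying parties validate ID tokens against the advertised issuer. A patch that advertises a capability (a PAR endpoint, a grant type) should only be deployed once the server actually enforces it; the discovery document is a description, not a configuration.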

For details, please read the Authlete 2.3 Release Notes to be released soon.