Important notice to our Business Plan customers: Upcoming upgrade to Authlete 2.3 release

Dear Valued Customer,

We would like to inform you that there will be scheduled downtime for our Business Plan service on Monday, April 8, 2024 from 14:00 to 16:00 UTC. During this maintenance window, we will be upgrading the current Authlete 2.2 to Authlete 2.3 to introduce new features and improvements.

There will be no compatibility issues between version 2.2 and version 2.3.

We are committed to continuously supporting the latest specifications so that you can keep up with the evolving API security standards. Please find the list of new features and enhancements included in Authlete 2.3 below.

Highlights in Authlete 2.3

Implementations of FAPI 2.0, OIDC Federation and OIDC4IDA

FAPI 2.0 (FAPI 2.0 Security Profile)

  • FAPI 2.0 is a next version of “Financial-grade API 1.0,” a set of specifications to enable API security required in financial services industry (FSI). It introduces the latest OAuth/OIDC extensions, incorporates real world experience from deployments of the FAPI 1.0, and reorganizes structure of the specifications, to improve ease of implementation and to accelerate its adoption in industries including non-FSI. “FAPI 2.0 Security Profile”, one of the FAPI 2.0 specifications, is the substantial successor to “FAPI Security Profile 1.0 - Part 2: Advanced” in FAPI 1.0. The current version is 2nd Implementer’s Draft.

OIDC Federation (OpenID Connect Federation 1.0)

  • OIDC Federation is a specification for OIDC services (OpenID providers / relying parties) in a “multilateral federation model,” that have no direct prior trust relationship, to dynamically establish a connection with each other through the mediation of a trusted third party. It has been adopted as one of the technical specifications in PoC (Proof of Concept) of “GAIN (Global Assured Identity Network),” a project to build a worldwide trusted digital identity network on the Internet. The current version is Draft 25.

OIDC4IDA (OpenID Connect for Identity Assurance 1.0)

  • OIDC4IDA is a specification that extends OIDC to request and respond “verified claims” (user attribute information and its context indicating what, how, when, according to what rules, using what evidence etc.). It is intended to address use cases that require strong identity verification to comply with regulatory requirements such as Anti-Money Laundering laws or access to health data, risk mitigation, or fraud prevention. It has also been adopted as one of the technical specifications in the GAIN PoC. The current version is 4th Implementer’s Draft.

Support of new OAuth/OIDC extensions

  • RFC 8693 OAuth 2.0 Token Exchange
  • RFC 7523 Section 2.1 / JWT Authorization Grant
  • OAuth 2.0 Step-up Authentication Challenge Protocol
  • Grant Management for OAuth 2.0
  • Advanced Syntax for Claims(ASC) / Transformed Claims

Additional customizable settings and enhanced Authlete APIs

  • Setting for idempotent refresh tokens
  • Setting for flexible loopback redirection URIs
  • Setting for auto-generated access tokens for external attachments (OIDC4IDA)
  • Setting for removing openid scope on token refresh
  • Additional settings for clients (e.g., single access token per subject, PKCE enforcement)
  • Support for adding arbitrary claims in a payload part of JWT access tokens
  • Support for adding arbitrary claims in a header part of ID tokens
  • Support for modification of discovery documents (using JSON Patch)


Please reach out to us via contact form, or ask our sales representative.