Register a FAPI-compliant application¶
The Financial-grade API (FAPI) specification is an extension to the OAuth and OIDC frameworks that defines additional technical requirements to enhance API security. This guide explains how to create a FAPI-compliant application in WSO2 Identity Server.
Prerequisites¶
Open the deployment.toml file found in the <IS_HOME>/repository/conf/ folder, enter the following configurations and restart WSO2 Identity Server.
- Limit cipher suites for TLSv1.2.
[transport.https.sslHostConfig.properties] ciphers="TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
- Specify a FAPI-compliant signing algorithm for ID tokens (PS256, ES256).
[oauth.oidc] id_token.signature_algorithm="PS256"
- Specify a signing algorithm for tokens issued at the token endpoint.
[oauth.oidc.token_endpoint] signing_algorithms=["PS256","ES256"]
- Specify a signing algorithm for the userinfo response.
[oauth.oidc.user_info] jwt_signature_algorithm="PS256"
- If TLS is terminated before it reaches WSO2 Identity Server, specify the name of the header in which the client certificate is forwarded for mTLS.
[oauth.mutualtls] client_certificate_header = "x-wso2-mtls-cert"
Create a FAPI-compliant application¶
Follow the guides below to create a FAPI-compliant application either using the Console or using Dynamic Client Registration (DCR).
Use the Console¶
If you wish to register your application manually using the Console, follow the steps below to make it FAPI-compliant.
1. On the WSO2 Identity Server Console, go to Applications.
2. Click New Application and select Standard-Based Application.
3. Provide an application name.
4. Select OAuth2.0 OpenID Connect as the protocol and select FAPI Compliant Application.
Note
When an application is made FAPI-compliant, WSO2 Identity Server restricts several configurations to only allow FAPI-compliant options.
5. Click Register to complete the registration.
6. Enable the application when it is ready for users to log in.
Use Dynamic Client Registration (DCR)¶
If you have applications that need to register dynamically with WSO2 Identity Server at runtime, follow the steps below to make them FAPI-compliant.
1. Open the deployment.toml file found in the <IS_HOME>/repository/conf/ directory, add the following configuration and restart WSO2 Identity Server.
[oauth.dcr] enable_fapi_enforcement=true
Note
This configuration enforces FAPI compliance for applications registering with DCR.
2. Refer to the Dynamic Client Registration (DCR) API documentation to learn how to register an application with DCR.
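As an added check that is not part of the WSO2 documentation, the following Python linter verifies the deployment.toml values from the Prerequisites section together with the DCR enforcement flag above. It takes the dict that tomllib.load() returns for deployment.toml, the cipher-suite and algorithm allow-lists are exactly those this guide lists, and the two sample configurations are constructed for illustration.

```python
# Cipher suites and JWS algorithms the guide allows (TLS 1.2 suites; PS256/ES256).
FAPI_CIPHERS = {"TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
                "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"}
FAPI_ALGS = {"PS256", "ES256"}

def _get(cfg, dotted):
    """Walk nested TOML tables by dotted key path; None if any segment is missing."""
    node = cfg
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node

def check_fapi_config(cfg, uses_dcr=False):
    """Return one finding per setting that is absent or not FAPI-compliant (empty list = OK)."""
    findings = []
    ciphers = _get(cfg, "transport.https.sslHostConfig.properties.ciphers")
    if ciphers is None:
        findings.append("ciphers: TLS 1.2 cipher suites are not restricted")
    elif bad := [c.strip() for c in ciphers.split(",") if c.strip() not in FAPI_CIPHERS]:
        findings.append(f"ciphers: non-FAPI suites enabled {bad}")
    for path in ("oauth.oidc.id_token.signature_algorithm",
                 "oauth.oidc.user_info.jwt_signature_algorithm"):
        if _get(cfg, path) not in FAPI_ALGS:
            findings.append(f"{path}: {_get(cfg, path)!r} is not PS256/ES256")
    algs = _get(cfg, "oauth.oidc.token_endpoint.signing_algorithms") or []
    if not algs or not set(algs) <= FAPI_ALGS:
        findings.append(f"oauth.oidc.token_endpoint.signing_algorithms: {algs!r} not limited to PS256/ES256")
    # Only matters when clients register through DCR; the flag enforces FAPI checks at registration.
    if uses_dcr and _get(cfg, "oauth.dcr.enable_fapi_enforcement") is not True:
        findings.append("oauth.dcr.enable_fapi_enforcement: must be true")
    return findings

# Constructed samples: the guide's fragments as tomllib.load() would parse them, and a weak
# variant with a CBC suite still enabled, default RS256 ID tokens and nothing else configured.
COMPLIANT = {
    "transport": {"https": {"sslHostConfig": {"properties": {"ciphers": ",".join(FAPI_CIPHERS)}}}},
    "oauth": {"oidc": {"id_token": {"signature_algorithm": "PS256"},
                       "token_endpoint": {"signing_algorithms": ["PS256", "ES256"]},
                       "user_info": {"jwt_signature_algorithm": "PS256"}},
              "dcr": {"enable_fapi_enforcement": True}},
}
WEAK = {
    "transport": {"https": {"sslHostConfig": {"properties": {
        "ciphers": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA"}}}},
    "oauth": {"oidc": {"id_token": {"signature_algorithm": "RS256"}}},
}
```

To run it against a live server, parse the file with `tomllib.load(open(path, "rb"))` (Python 3.11+) and pass the result to `check_fapi_config`, setting `uses_dcr=True` when clients register through DCR.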
What's next?¶
Refer to the Financial-grade API documentation to learn about the FAPI-compliant configurations available in WSO2 Identity Server and how to configure them.