<!DOCTYPE html>
<html lang="en" class="Internet-Draft">
<head>
<meta charset="utf-8">
<meta content="Common,Latin" name="scripts">
<title>FAPI 2.0 Baseline Profile</title>
<meta content="Daniel Fett" name="author">
<meta content="OIDF FAPI 2.0 is an API security profile based on the OAuth 2.0 Authorization Framework." name="description">
<meta content="xml2rfc 2.23.0" name="generator">
<meta content="security" name="keyword">
<meta content="openid" name="keyword">
<link href="FAPI_2_0_Baseline_Profile.xml" type="application/rfc+xml" rel="alternate">
<link href="#copyright" rel="license">
<style type="text/css">/* fonts */
@import url('https://fonts.googleapis.com/css?family=Noto+Sans'); /* Sans-serif */
@import url('https://fonts.googleapis.com/css?family=Noto+Serif'); /* Serif (print) */
@import url('https://fonts.googleapis.com/css?family=Roboto+Mono'); /* Monospace */
@-ms-viewport {
width: extend-to-zoom;
zoom: 1.0;
}
/* general and mobile first */
html {
}
body {
max-width: 90%;
margin: 1.5em auto;
color: #222;
background-color: #fff;
font-size: 14px;
font-family: 'Noto Sans', Arial, Helvetica, sans-serif;
line-height: 1.6;
scroll-behavior: smooth;
}
.ears {
display: none;
}
/* headings */
#title, h1, h2, h3, h4, h5, h6 {
margin: 1em 0 0.5em;
font-weight: bold;
line-height: 1.3;
}
#title {
clear: both;
border-bottom: 1px solid #ddd;
margin: 0 0 0.5em 0;
padding: 1em 0 0.5em;
}
.author {
padding-bottom: 4px;
}
h1 {
font-size: 26px;
margin: 1em 0;
}
h2 {
font-size: 22px;
margin-top: -20px; /* provide offset for in-page anchors */
padding-top: 33px;
}
h3 {
font-size: 18px;
margin-top: -36px; /* provide offset for in-page anchors */
padding-top: 42px;
}
h4 {
font-size: 16px;
margin-top: -36px; /* provide offset for in-page anchors */
padding-top: 42px;
}
h5, h6 {
font-size: 14px;
}
#n-copyright-notice {
border-bottom: 1px solid #ddd;
padding-bottom: 1em;
margin-bottom: 1em;
}
/* general structure */
p {
padding: 0;
margin: 0 0 1em 0;
text-align: left;
}
div, span {
position: relative;
}
div {
margin: 0;
}
.alignRight.art-text {
background-color: #f9f9f9;
border: 1px solid #eee;
border-radius: 3px;
padding: 1em 1em 0;
margin-bottom: 1.5em;
}
.alignRight.art-text pre {
padding: 0;
}
.alignRight {
margin: 1em 0;
}
.alignRight > *:first-child {
border: none;
margin: 0;
float: right;
clear: both;
}
.alignRight > *:nth-child(2) {
clear: both;
display: block;
border: none;
}
svg {
display: block;
}
.alignCenter.art-text {
background-color: #f9f9f9;
border: 1px solid #eee;
border-radius: 3px;
padding: 1em 1em 0;
margin-bottom: 1.5em;
}
.alignCenter.art-text pre {
padding: 0;
}
.alignCenter {
margin: 1em 0;
}
.alignCenter > *:first-child {
border: none;
/* this isn't optimal, but it's an existence proof. PrinceXML doesn't
support flexbox yet.
*/
display: table;
margin: 0 auto;
}
/* lists */
ol, ul {
padding: 0;
margin: 0 0 1em 2em;
}
ol ol, ul ul, ol ul, ul ol {
margin-left: 1em;
}
li {
margin: 0 0 0.25em 0;
}
.ulCompact li {
margin: 0;
}
ul.empty, .ulEmpty {
list-style-type: none;
}
ul.empty li, .ulEmpty li {
margin-top: 0.5em;
}
ul.compact, .ulCompact,
ol.compact, .olCompact {
line-height: 100%;
margin: 0 0 0 2em;
}
/* definition lists */
dl {
}
dl > dt {
float: left;
margin-right: 1em;
}
dl > dd {
margin-bottom: .8em;
min-height: 1.3em;
}
dl.compact > dd, dlCompact > dd {
margin-bottom: 0em;
}
dl > dd > dl {
margin-top: 0.5em;
margin-bottom: 0em;
}
/* links */
a {
text-decoration: none;
z-index: 2;
}
a[href] {
color: #3E8EDE;
}
a[href]:hover {
background-color: #f2f2f2;
}
figcaption a[href],
a[href].selfRef {
color: #222;
}
/* XXX probably not this:
a.selfRef:hover {
background-color: transparent;
cursor: default;
} */
/* Figures */
tt, code, pre, code {
background-color: #f9f9f9;
font-family: 'Roboto Mono', monospace;
}
pre {
border: 1px solid #eee;
margin: 0;
padding: 1em;
}
img {
max-width: 100%;
}
figure {
margin: 0;
}
figure blockquote {
margin: 0.8em 0.4em 0.4em;
}
figcaption {
font-style: italic;
margin: 0 0 1em 0;
}
@media screen {
pre {
overflow-x: auto;
max-width: 100%;
max-width: calc(100% - 22px);
}
}
/* aside, blockquote */
aside, blockquote {
margin-left: 0;
padding: 1.2em 2em;
}
blockquote {
background-color: #f9f9f9;
border: 1px solid #ddd;
border-radius: 3px;
margin: 1em 0;
}
cite {
display: block;
text-align: right;
font-style: italic;
}
/* tables */
table {
width: 100%;
margin: 0 0 1em;
border-collapse: collapse;
border: 1px solid #eee;
}
th, td {
text-align: left;
vertical-align: top;
padding: 0.5em 0.75em;
}
th {
text-align: left;
background-color: #e9e9e9;
}
tr:nth-child(2n+1) > td {
background-color: #f5f5f5;
}
table caption {
font-style: italic;
margin: 0;
padding: 0;
text-align: left;
}
table p {
/* XXX to avoid bottom margin on table row signifiers. If paragraphs should
be allowed within tables more generally, it would be far better to select on a class. */
margin: 0;
}
/* pilcrow */
a.pilcrow {
color: #777;
text-decoration: none;
visibility: hidden;
user-select: none;
-ms-user-select: none;
-o-user-select:none;
-moz-user-select: none;
-khtml-user-select: none;
-webkit-user-select: none;
-webkit-touch-callout: none;
}
@media screen {
aside:hover > a.pilcrow,
p:hover > a.pilcrow,
blockquote:hover > a.pilcrow,
div:hover > a.pilcrow,
li:hover > a.pilcrow,
pre:hover > a.pilcrow {
visibility: visible;
}
a.pilcrow:hover {
background-color: transparent;
}
}
/* misc */
hr {
border: 0;
border-top: 1px solid #eee;
}
.bcp14 {
font-variant: small-caps;
}
.role {
font-variant: all-small-caps;
}
/* info block */
#identifiers {
margin: 0;
font-size: 0.9em;
}
#identifiers dt {
width: 3em;
clear: left;
}
#identifiers dd {
float: left;
margin-bottom: 0;
}
#identifiers .authors .author {
display: inline-block;
margin-right: 1.5em;
}
#identifiers .authors .org {
font-style: italic;
}
/* The prepared/rendered info at the very bottom of the page */
.docInfo {
color: #999;
font-size: 0.9em;
font-style: italic;
margin-top: 2em;
}
.docInfo .prepared {
float: left;
}
.docInfo .prepared {
float: right;
}
/* table of contents */
#toc {
padding: 0.75em 0 2em 0;
margin-bottom: 1em;
}
nav.toc ul {
margin: 0 0.5em 0 0;
padding: 0;
list-style: none;
}
nav.toc li {
line-height: 1.3em;
margin: 0.75em 0;
padding-left: 1.2em;
text-indent: -1.2em;
}
/* references */
.references dt {
text-align: right;
font-weight: bold;
min-width: 7em;
}
.references dd {
margin-left: 8em;
overflow: auto;
}
.refInstance {
margin-bottom: 1.25em;
}
.references .ascii {
margin-bottom: 0.25em;
}
/* index */
.index ul {
margin: 0 0 0 1em;
padding: 0;
list-style: none;
}
.index ul ul {
margin: 0;
}
.index li {
margin: 0;
text-indent: -2em;
padding-left: 2em;
padding-bottom: 5px;
}
.indexIndex {
margin: 0.5em 0 1em;
}
.index a {
font-weight: 700;
}
/* make the index two-column on all but the smallest screens */
@media (min-width: 600px) {
.index ul {
-moz-column-count: 2;
-moz-column-gap: 20px;
}
.index ul ul {
-moz-column-count: 1;
-moz-column-gap: 0;
}
}
/* authors */
address.vcard {
font-style: normal;
margin: 1em 0;
}
address.vcard .nameRole {
font-weight: 700;
margin-left: 0;
}
address.vcard .label {
font-family: "Noto Sans",Arial,Helvetica,sans-serif;
margin: 0.5em 0;
}
address.vcard .type {
display: none;
}
.alternative-contact {
margin: 1.5em 0 1em;
}
hr.addr {
border-top: 1px dashed;
margin: 0;
color: #ddd;
max-width: calc(100% - 16px);
}
/* temporary notes */
.rfcEditorRemove::before {
position: absolute;
top: 0.2em;
right: 0.2em;
padding: 0.2em;
content: "The RFC Editor will remove this note";
color: #b76427;
background-color: rgba(249, 232, 105, 0.3);
}
.rfcEditorRemove {
position: relative;
padding-top: 1.8em;
background-color: rgba(249, 232, 105, 0.3);
border-radius: 3px;
}
.cref {
background-color: rgba(249, 232, 105, 0.3);
padding: 2px 4px;
}
.crefSource {
font-style: italic;
}
/* alternative layout for smaller screens */
@media screen and (max-width: 1023px) {
body {
padding-top: 2em;
}
#title {
padding: 1em 0;
}
h1 {
font-size: 24px;
}
h2 {
font-size: 20px;
margin-top: -18px; /* provide offset for in-page anchors */
padding-top: 38px;
}
#identifiers dd {
max-width: 60%;
}
#toc {
position: fixed;
z-index: 2;
top: 0;
right: 0;
padding: 0;
margin: 0;
background-color: inherit;
border-bottom: 1px solid #ccc;
}
#toc h2 {
margin: -1px 0 0 0;
padding: 4px 0 4px 6px;
padding-right: 1em;
min-width: 190px;
font-size: 1.1em;
text-align: right;
background-color: #444;
color: white;
cursor: pointer;
}
#toc h2::before { /* css hamburger */
float: right;
position: relative;
width: 1em;
height: 1px;
left: -164px;
margin: 6px 0 0 0;
background: white none repeat scroll 0 0;
box-shadow: 0 4px 0 0 white, 0 8px 0 0 white;
content: "";
}
#toc nav {
display: none;
padding: 0.5em 1em 1em;
overflow: auto;
height: calc(100vh - 48px);
border-left: 1px solid #ddd;
}
}
/* alternative layout for wide screens */
@media screen and (min-width: 1024px) {
body {
max-width: 724px;
margin: 42px auto;
padding-left: 1.5em;
padding-right: 29em;
}
#toc {
position: fixed;
top: 42px;
right: 42px;
width: 25%;
margin: 0;
padding: 0 1em;
z-index: 1;
}
#toc h2 {
border-top: none;
border-bottom: 1px solid #ddd;
font-size: 1em;
font-weight: normal;
margin: 0;
padding: 0.25em 1em 1em 0;
}
#toc nav {
display: block;
height: calc(90vh - 84px);
bottom: 0;
padding: 0.5em 0 0;
overflow: auto;
}
img { /* future proofing */
max-width: 100%;
height: auto;
}
}
/* pagination */
@media print {
body {
width: 100%;
}
p {
orphans: 3;
widows: 3;
}
#n-copyright-notice {
border-bottom: none;
}
#toc, #n-introduction {
page-break-before: always;
}
#toc {
border-top: none;
padding-top: 0;
}
figure, pre {
page-break-inside: avoid;
}
figure {
overflow: scroll;
}
h1, h2, h3, h4, h5, h6 {
page-break-after: avoid;
}
h2+*, h3+*, h4+*, h5+*, h6+* {
page-break-before: avoid;
}
pre {
white-space: pre-wrap;
word-wrap: break-word;
font-size: 10pt;
}
table {
border: 1px solid #ddd;
}
td {
border-top: 1px solid #ddd;
}
}
@page :first {
padding-top: 0;
@top-left {
content: normal;
border: none;
}
@top-center {
content: normal;
border: none;
}
@top-right {
content: normal;
border: none;
}
}
@page {
size: A4;
margin-bottom: 45mm;
padding-top: 20px;
}
/* Changes introduced to fix issues found during implementation */
/* Separate body from document info even without intervening H1 */
section {
clear: both;
}
/* Top align author divs, to avoid names without organization dropping level with org names */
.author {
vertical-align: top;
}
/* Leave room in document info to show Internet-Draft on one line */
#identifiers dt {
width: 8em;
}
/* Don't waste quite as much whitespace between label and value in doc info */
#identifiers dd {
margin-left: 1em;
}
/* Give floating toc a background color (needed when it's a div inside a section) */
#toc {
background-color: white;
}
/* Make the collapsed ToC header render white on gray also when it's a link */
@media screen and (max-width: 1023px) {
#toc h2 a,
#toc h2 a:link,
#toc h2 a:focus,
#toc h2 a:hover,
#toc a.toplink,
#toc a.toplink:hover {
color: white;
background-color: #444;
text-decoration: none;
}
}
/* Give the bottom of the ToC some whitespace */
@media screen and (min-width: 1024px) {
#toc {
padding: 0 0 1em 1em;
}
}
/* Style section numbers with more space between number and title */
.section-number {
padding-right: 0.5em;
}
/* prevent monospace from becoming overly large */
tt, code, pre, code {
font-size: 95%;
}
/* Fix the height/width aspect for ascii art*/
.art-text pre {
line-height: 1.12;
}
/* Add styling for a link in the ToC that points to the top of the document */
a.toplink {
float: right;
margin-right: 0.5em;
}
/* Fix the dl styling to match the RFC 7992 attributes */
dl > dt,
dl.dlParallel > dt {
float: left;
margin-right: 1em;
}
dl.dlNewline > dt {
float: none;
}
/* Provide styling for table cell text alignment */
table td.text-left,
table th.text-left {
text-align: left;
}
table td.text-center,
table th.text-center {
text-align: center;
}
table td.text-right,
table th.text-right {
text-align: right;
}
/* Make the alternative author contact information look less like just another
author, and group it closer with the primary author contact information */
.alternative-contact {
margin: 0.5em 0 0.25em 0;
}
address .non-ascii {
margin: 0 0 0 2em;
}
/* With it being possible to set tables with alignment
left, center, and right, { width: 100%; } does not make sense */
table {
width: auto;
}
/* Avoid reference text that sits in a block with very wide left margin,
because of a long floating dt label.*/
.references dd {
overflow: visible;
}
/* Control caption placement */
caption {
caption-side: bottom;
}
/* Limit the width of the author address vcard, so names in right-to-left
script don't end up on the other side of the page. */
address.vcard {
max-width: 20em;
margin-right: auto;
}
/* For address alignment dependent on LTR or RTL scripts */
address div.left {
text-align: left;
}
address div.right {
text-align: right;
}
/* Provide table alignment support. We can't use the alignX classes above
since they do unwanted things with caption and other styling. */
table.right {
margin-left: auto;
margin-right: 0;
}
table.center {
margin-left: auto;
margin-right: auto;
}
table.left {
margin-left: 0;
margin-right: auto;
}
/* Give the table caption label the same styling as the figcaption */
caption a[href] {
color: #222;
}
@media print {
.toplink {
display: none;
}
/* avoid overwriting the top border line with the ToC header */
#toc {
padding-top: 1px;
}
/* Avoid page breaks inside dl and author address entries */
dd {
page-break-before: avoid;
}
.vcard {
page-break-inside: avoid;
}
}
/* Avoid wrapping of URLs in references */
.references a {
white-space: nowrap;
}
/* Tweak the bcp14 keyword presentation */
.bcp14 {
font-variant: small-caps;
font-weight: bold;
font-size: 0.9em;
}
/* Tweak the invisible space above H* in order not to overlay links in text above */
h2 {
margin-top: -18px; /* provide offset for in-page anchors */
padding-top: 31px;
}
h3 {
margin-top: -18px; /* provide offset for in-page anchors */
padding-top: 24px;
}
h4 {
margin-top: -18px; /* provide offset for in-page anchors */
padding-top: 24px;
}
</style>
<link href="rfc-local.css" type="text/css" rel="stylesheet">
</head>
<body>
<script>
window.addEventListener('load',addMetadata);
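// Populate the "#metadata" block from the JSON sidecar that sits next to
// this page (same URL with ".html" -> ".json"), styled like "#identifiers".
//
// Fixes relative to the original:
//  - Values from the fetched JSON were interpolated into innerHTML without
//    escaping, so any markup in the sidecar ran as HTML in this page
//    (DOM-based injection). The block is now built with DOM nodes and
//    textContent, so values are rendered as text only.
//  - document.URL includes the query string and fragment; a "#section-x"
//    fragment defeated the /html$/ match and made the code fetch the page
//    itself. The sidecar URL is now derived from the URL without them.
//  - A failed fetch (e.g. 404) is reported explicitly instead of surfacing
//    as a JSON parse error.
//  - Every "#identifiers" occurrence in a selector is rewritten, not just
//    the first.
// Errors are logged and otherwise ignored, as before: the page is complete
// without this block.
async function addMetadata() {
  // Copy all CSS rules for "#identifiers" to "#metadata".
  try {
    const sheet = document.styleSheets[0];
    const cssRules = sheet.cssRules;
    // Snapshot the length: insertRule() appends to this same live list.
    const ruleCount = cssRules.length;
    for (let i = 0; i < ruleCount; i++) {
      if (/#identifiers/.test(cssRules[i].selectorText)) {
        const rule = cssRules[i].cssText.replace(/#identifiers/g, '#metadata');
        sheet.insertRule(rule, sheet.cssRules.length);
      }
    }
  } catch (e) {
    console.log(e);
  }

  // Retrieve the "metadata" element from the document
  const div = document.getElementById('metadata');
  if (!div) {
    console.log("Could not locate metadata <div> element");
    return;
  }
  div.style.background = '#eee';

  // Insert the metadata block
  // [TODO: make this more sophisticated and linkify the values — when doing
  //  so, keep building anchors via createElement/textContent, never innerHTML]
  try {
    // Strip query and fragment before mapping ".html" -> ".json".
    const pageUrl = new URL(document.URL);
    pageUrl.search = '';
    pageUrl.hash = '';
    const jsonFile = pageUrl.href.replace(/html$/, 'json');

    const response = await fetch(jsonFile);
    if (!response.ok) {
      throw new Error(`metadata fetch failed: ${response.status} ${jsonFile}`);
    }
    // The sidecar is read as a one-element array, as the original did;
    // NOTE(review): confirm this against the publisher's JSON format.
    const metadata = (await response.json())[0];
    if (!metadata) {
      throw new Error(`no metadata record in ${jsonFile}`);
    }

    const label = {
      'STATUS': 'Status',
      'OBSOLETES': 'Obsoletes',
      'OBSOLETED-BY': 'Obsoleted By',
      'UPDATES': 'Updates',
      'UPDATED-BY': 'Updated By',
      'SEE-ALSO': 'See Also',
      'ERRATA-URL': 'Errata',
    };

    const dl = document.createElement('dl');
    dl.style.overflow = 'hidden';
    ['STATUS', 'OBSOLETES', 'OBSOLETED-BY', 'UPDATES',
     'UPDATED-BY', 'SEE-ALSO', 'ERRATA-URL'].forEach(key => {
      if (metadata[key]) {
        const dt = document.createElement('dt');
        dt.textContent = `${label[key]}:`;
        const dd = document.createElement('dd');
        // String() matches the template-literal stringification the original
        // used (arrays become comma-joined), but as text, not markup.
        dd.textContent = String(metadata[key]);
        dl.appendChild(dt);
        dl.appendChild(dd);
      }
    });

    // Replace any existing content, as the innerHTML assignment did.
    div.textContent = '';
    div.appendChild(dl);
  } catch (e) {
    console.log(e);
  }
}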
</script>
<table class="ears">
<thead><tr>
<td class="left">Internet-Draft</td>
<td class="center">fapi-evolution</td>
<td class="right">February 2020</td>
</tr></thead>
<tfoot><tr>
<td class="left">Fett</td>
<td class="center">Expires 29 August 2020</td>
<td class="right">[Page]</td>
</tr></tfoot>
</table>
<div class="document-information">
<dl id="identifiers">
<dt class="label-workgroup">Workgroup:</dt>
<dd class="workgroup">connect</dd>
<dt class="label-internet-draft">Internet-Draft:</dt>
<dd class="internet-draft">fapi-2_0-00</dd>
<dt class="label-published">Published:</dt>
<dd class="published">
<time datetime="2020-02-26" class="published">26 February 2020</time>
</dd>
<dt class="label-intended-status">Intended Status:</dt>
<dd class="intended-status">Standards Track</dd>
<dt class="label-expires">Expires:</dt>
<dd class="expires"><time datetime="2020-08-29">29 August 2020</time></dd>
<dt class="label-authors">Author:</dt>
<dd class="authors">
<div class="author">
<div class="author-name">D. Fett</div>
<div class="org">yes.com</div>
</div>
</dd>
</dl>
</div>
<h1 id="title">FAPI 2.0 Baseline Profile</h1>
<section id="section-abstract">
<h2 id="abstract"><a href="#abstract" class="selfRef">Abstract</a></h2>
<p id="section-abstract-1">OIDF FAPI 2.0 is an API security profile based on the OAuth 2.0
Authorization Framework <span>[<a href="#RFC6749" class="xref">RFC6749</a>]</span>.<a href="#section-abstract-1" class="pilcrow">¶</a></p>
</section>
<div id="status-of-memo">
<section id="section-boilerplate.1">
<h2 id="name-status-of-this-memo">
<a href="#name-status-of-this-memo" class="section-name selfRef">Status of This Memo</a>
</h2>
<p id="section-boilerplate.1-1">
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.<a href="#section-boilerplate.1-1" class="pilcrow">¶</a></p>
<p id="section-boilerplate.1-2">
Internet-Drafts are working documents of the Internet Engineering Task
Force (IETF). Note that other groups may also distribute working
documents as Internet-Drafts. The list of current Internet-Drafts is
at <span><a href="https://datatracker.ietf.org/drafts/current/">https://datatracker.ietf.org/drafts/current/</a></span>.<a href="#section-boilerplate.1-2" class="pilcrow">¶</a></p>
<p id="section-boilerplate.1-3">
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."<a href="#section-boilerplate.1-3" class="pilcrow">¶</a></p>
<p id="section-boilerplate.1-4">
This Internet-Draft will expire on 29 August 2020.<a href="#section-boilerplate.1-4" class="pilcrow">¶</a></p>
</section>
</div>
<div id="copyright">
<section id="section-boilerplate.2">
<h2 id="name-copyright-notice">
<a href="#name-copyright-notice" class="section-name selfRef">Copyright Notice</a>
</h2>
<p id="section-boilerplate.2-1">
Copyright (c) 2020 IETF Trust and the persons identified as the
document authors. All rights reserved.<a href="#section-boilerplate.2-1" class="pilcrow">¶</a></p>
<p id="section-boilerplate.2-2">
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(<span><a href="https://trustee.ietf.org/license-info">https://trustee.ietf.org/license-info</a></span>) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with
respect to this document. Code Components extracted from this
document must include Simplified BSD License text as described in
Section 4.e of the Trust Legal Provisions and are provided without
warranty as described in the Simplified BSD License.<a href="#section-boilerplate.2-2" class="pilcrow">¶</a></p>
</section>
</div>
<div id="toc">
<section id="section-boilerplate.3">
<a href="#" onclick="scroll(0,0)" class="toplink">▲</a><h2 id="name-table-of-contents">
<a href="#name-table-of-contents" class="section-name selfRef">Table of Contents</a>
</h2>
<nav class="toc"><ul class="toc ulEmpty">
<li class="toc ulEmpty" id="section-boilerplate.3-1.1">
<p id="section-boilerplate.3-1.1.1"><a href="#section-1" class="xref">1</a>. <a href="#name-introduction" class="xref">Introduction</a><a href="#section-boilerplate.3-1.1.1" class="pilcrow">¶</a></p>
<ul class="toc ulEmpty">
<li class="toc ulEmpty" id="section-boilerplate.3-1.1.2.1">
<p id="section-boilerplate.3-1.1.2.1.1"><a href="#section-1.1" class="xref">1.1</a>. <a href="#name-warning" class="xref">Warning</a><a href="#section-boilerplate.3-1.1.2.1.1" class="pilcrow">¶</a></p>
</li>
<li class="toc ulEmpty" id="section-boilerplate.3-1.1.2.2">
<p id="section-boilerplate.3-1.1.2.2.1"><a href="#section-1.2" class="xref">1.2</a>. <a href="#name-copyright-notice-license" class="xref">Copyright notice & license</a><a href="#section-boilerplate.3-1.1.2.2.1" class="pilcrow">¶</a></p>
</li>
<li class="toc ulEmpty" id="section-boilerplate.3-1.1.2.3">
<p id="section-boilerplate.3-1.1.2.3.1"><a href="#section-1.3" class="xref">1.3</a>. <a href="#name-notational-conventions" class="xref">Notational Conventions</a><a href="#section-boilerplate.3-1.1.2.3.1" class="pilcrow">¶</a></p>
</li>
</ul>
</li>
<li class="toc ulEmpty" id="section-boilerplate.3-1.2">
<p id="section-boilerplate.3-1.2.1"><a href="#section-2" class="xref">2</a>. <a href="#name-baseline-profile" class="xref">Baseline Profile</a><a href="#section-boilerplate.3-1.2.1" class="pilcrow">¶</a></p>
<ul class="toc ulEmpty">
<li class="toc ulEmpty" id="section-boilerplate.3-1.2.2.1">
<p id="section-boilerplate.3-1.2.2.1.1"><a href="#section-2.1" class="xref">2.1</a>. <a href="#name-network-layer" class="xref">Network Layer</a><a href="#section-boilerplate.3-1.2.2.1.1" class="pilcrow">¶</a></p>
</li>
<li class="toc ulEmpty" id="section-boilerplate.3-1.2.2.2">
<p id="section-boilerplate.3-1.2.2.2.1"><a href="#section-2.2" class="xref">2.2</a>. <a href="#name-profile" class="xref">Profile</a><a href="#section-boilerplate.3-1.2.2.2.1" class="pilcrow">¶</a></p>
<ul class="toc ulEmpty">
<li class="toc ulEmpty" id="section-boilerplate.3-1.2.2.2.2.1">
<p id="section-boilerplate.3-1.2.2.2.2.1.1"><a href="#section-2.2.1" class="xref">2.2.1</a>. <a href="#name-requirements-for-authorizat" class="xref">Requirements for Authorization Servers</a><a href="#section-boilerplate.3-1.2.2.2.2.1.1" class="pilcrow">¶</a></p>
</li>
<li class="toc ulEmpty" id="section-boilerplate.3-1.2.2.2.2.2">
<p id="section-boilerplate.3-1.2.2.2.2.2.1"><a href="#section-2.2.2" class="xref">2.2.2</a>. <a href="#name-requirements-for-clients" class="xref">Requirements for Clients</a><a href="#section-boilerplate.3-1.2.2.2.2.2.1" class="pilcrow">¶</a></p>
</li>
<li class="toc ulEmpty" id="section-boilerplate.3-1.2.2.2.2.3">
<p id="section-boilerplate.3-1.2.2.2.2.3.1"><a href="#section-2.2.3" class="xref">2.2.3</a>. <a href="#name-requirements-for-resource-s" class="xref">Requirements for Resource Servers</a><a href="#section-boilerplate.3-1.2.2.2.2.3.1" class="pilcrow">¶</a></p>
</li>
</ul>
</li>
<li class="toc ulEmpty" id="section-boilerplate.3-1.2.2.3">
<p id="section-boilerplate.3-1.2.2.3.1"><a href="#section-2.3" class="xref">2.3</a>. <a href="#name-cryptography-and-secrets" class="xref">Cryptography and Secrets</a><a href="#section-boilerplate.3-1.2.2.3.1" class="pilcrow">¶</a></p>
</li>
<li class="toc ulEmpty" id="section-boilerplate.3-1.2.2.4">
<p id="section-boilerplate.3-1.2.2.4.1"><a href="#section-2.4" class="xref">2.4</a>. <a href="#name-differences-to-fapi-10" class="xref">Differences to FAPI 1.0</a><a href="#section-boilerplate.3-1.2.2.4.1" class="pilcrow">¶</a></p>
</li>
<li class="toc ulEmpty" id="section-boilerplate.3-1.2.2.5">
<p id="section-boilerplate.3-1.2.2.5.1"><a href="#section-2.5" class="xref">2.5</a>. <a href="#name-open-questions" class="xref">Open questions:</a><a href="#section-boilerplate.3-1.2.2.5.1" class="pilcrow">¶</a></p>
</li>
</ul>
</li>
<li class="toc ulEmpty" id="section-boilerplate.3-1.3">
<p id="section-boilerplate.3-1.3.1"><a href="#section-3" class="xref">3</a>. <a href="#name-normative-references" class="xref">Normative References</a><a href="#section-boilerplate.3-1.3.1" class="pilcrow">¶</a></p>
</li>
<li class="toc ulEmpty" id="section-boilerplate.3-1.4">
<p id="section-boilerplate.3-1.4.1"><a href="#section-4" class="xref">4</a>. <a href="#name-informative-references" class="xref">Informative References</a><a href="#section-boilerplate.3-1.4.1" class="pilcrow">¶</a></p>
</li>
<li class="toc ulEmpty" id="section-boilerplate.3-1.5">
<p id="section-boilerplate.3-1.5.1"><a href="#section-appendix.a" class="xref"></a> <a href="#name-authors-address" class="xref">Author's Address</a><a href="#section-boilerplate.3-1.5.1" class="pilcrow">¶</a></p>
</li>
</ul>
</nav>
</section>
</div>
<div id="introduction">
<section id="section-1">
<h2 id="name-introduction">
<a href="#section-1" class="section-number selfRef">1. </a><a href="#name-introduction" class="section-name selfRef">Introduction</a>
</h2>
<div id="warning">
<section id="section-1.1">
<h3 id="name-warning">
<a href="#section-1.1" class="section-number selfRef">1.1. </a><a href="#name-warning" class="section-name selfRef">Warning</a>
</h3>
<p id="section-1.1-1">This document is not an OIDF International Standard. It is distributed
for review and comment. It is subject to change without notice and may
not be referred to as an International Standard.<a href="#section-1.1-1" class="pilcrow">¶</a></p>
<p id="section-1.1-2">Recipients of this draft are invited to submit, with their comments,
notification of any relevant patent rights of which they are aware and
to provide supporting documentation.<a href="#section-1.1-2" class="pilcrow">¶</a></p>
</section>
</div>
<div id="copyright-notice-license">
<section id="section-1.2">
<h3 id="name-copyright-notice-license">
<a href="#section-1.2" class="section-number selfRef">1.2. </a><a href="#name-copyright-notice-license" class="section-name selfRef">Copyright notice & license</a>
</h3>
<p id="section-1.2-1">The OpenID Foundation (OIDF) grants to any Contributor, developer,
implementer, or other interested party a non-exclusive, royalty free,
worldwide copyright license to reproduce, prepare derivative works
from, distribute, perform and display, this Implementers Draft or
Final Specification solely for the purposes of (i) developing
specifications, and (ii) implementing Implementers Drafts and Final
Specifications based on such documents, provided that attribution be
made to the OIDF as the source of the material, but that such
attribution does not indicate an endorsement by the OIDF.<a href="#section-1.2-1" class="pilcrow">¶</a></p>
<p id="section-1.2-2">The technology described in this specification was made available from
contributions from various sources, including members of the OpenID
Foundation and others. Although the OpenID Foundation has taken steps
to help ensure that the technology is available for distribution, it
takes no position regarding the validity or scope of any intellectual
property or other rights that might be claimed to pertain to the
implementation or use of the technology described in this
specification or the extent to which any license under such rights
might or might not be available; neither does it represent that it has
made any independent effort to identify any such rights. The OpenID
Foundation and the contributors to this specification make no (and
hereby expressly disclaim any) warranties (express, implied, or
otherwise), including implied warranties of merchantability,
non-infringement, fitness for a particular purpose, or title, related
to this specification, and the entire risk as to implementing this
specification is assumed by the implementer. The OpenID Intellectual
Property Rights policy requires contributors to offer a patent promise
not to assert certain patent claims against other contributors and
against implementers. The OpenID Foundation invites any interested
party to bring to its attention any copyrights, patents, patent
applications, or other proprietary rights that may cover technology
that may be required to practice this specification.<a href="#section-1.2-2" class="pilcrow">¶</a></p>
</section>
</div>
<div id="notational-conventions">
<section id="section-1.3">
<h3 id="name-notational-conventions">
<a href="#section-1.3" class="section-number selfRef">1.3. </a><a href="#name-notational-conventions" class="section-name selfRef">Notational Conventions</a>
</h3>
<p id="section-1.3-1">The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in RFC
2119 [RFC2119].<a href="#section-1.3-1" class="pilcrow">¶</a></p>
</section>
</div>
</section>
</div>
<div id="baseline-profile">
<section id="section-2">
<h2 id="name-baseline-profile">
<a href="#section-2" class="section-number selfRef">2. </a><a href="#name-baseline-profile" class="section-name selfRef">Baseline Profile</a>
</h2>
<p id="section-2-1">OIDF FAPI is an API security profile based on the OAuth 2.0
Authorization Framework <span>[<a href="#RFC6749" class="xref">RFC6749</a>]</span>. It aims to reach the security
goals laid out in the [Attacker Model].<a href="#section-2-1" class="pilcrow">¶</a></p>
<div id="network-layer">
<section id="section-2.1">
<h3 id="name-network-layer">
<a href="#section-2.1" class="section-number selfRef">2.1. </a><a href="#name-network-layer" class="section-name selfRef">Network Layer</a>
</h3>
<p id="section-2.1-1">To protect against network attackers, all interactions MUST be
encrypted using TLS version 1.2 or later and follow <span>[<a href="#RFC7525" class="xref">RFC7525</a>]</span>.<a href="#section-2.1-1" class="pilcrow">¶</a></p>
</section>
</div>
<div id="profile">
<section id="section-2.2">
<h3 id="name-profile">
<a href="#section-2.2" class="section-number selfRef">2.2. </a><a href="#name-profile" class="section-name selfRef">Profile</a>
</h3>
<p id="section-2.2-1">This section defines a profile of the following technologies:<a href="#section-2.2-1" class="pilcrow">¶</a></p>
<ul>
<li id="section-2.2-2.1">
<p id="section-2.2-2.1.1">OAuth 2.0 Authorization Framework <span>[<a href="#RFC6749" class="xref">RFC6749</a>]</span><a href="#section-2.2-2.1.1" class="pilcrow">¶</a></p>
</li>
<li id="section-2.2-2.2">
<p id="section-2.2-2.2.1">OAuth 2.0 Bearer Tokens <span>[<a href="#RFC6750" class="xref">RFC6750</a>]</span><a href="#section-2.2-2.2.1" class="pilcrow">¶</a></p>
</li>
<li id="section-2.2-2.3">
<p id="section-2.2-2.3.1">OAuth 2.0 PKCE <span>[<a href="#RFC7636" class="xref">RFC7636</a>]</span><a href="#section-2.2-2.3.1" class="pilcrow">¶</a></p>
</li>
<li id="section-2.2-2.4">
<p id="section-2.2-2.4.1">OAuth 2.0 Mutual-TLS Client Authentication <span>[<a href="#RFC8705" class="xref">RFC8705</a>]</span><a href="#section-2.2-2.4.1" class="pilcrow">¶</a></p>
</li>
<li id="section-2.2-2.5">
<p id="section-2.2-2.5.1">OAuth 2.0 Pushed Authorization Requests (PAR) <span>[<a href="#I-D.lodderstedt-oauth-par" class="xref">I-D.lodderstedt-oauth-par</a>]</span><a href="#section-2.2-2.5.1" class="pilcrow">¶</a></p>
</li>
<li id="section-2.2-2.6">
<p id="section-2.2-2.6.1">OAuth 2.0 Rich Authorization Requests (RAR) <span>[<a href="#I-D.lodderstedt-oauth-rar" class="xref">I-D.lodderstedt-oauth-rar</a>]</span><a href="#section-2.2-2.6.1" class="pilcrow">¶</a></p>
</li>
<li id="section-2.2-2.7">
<p id="section-2.2-2.7.1">OAuth 2.0 Authorization Server Metadata <span>[<a href="#RFC8414" class="xref">RFC8414</a>]</span><a href="#section-2.2-2.7.1" class="pilcrow">¶</a></p>
</li>
</ul>
<div id="requirements-for-authorization-servers">
<section id="section-2.2.1">
<h4 id="name-requirements-for-authorizat">
<a href="#section-2.2.1" class="section-number selfRef">2.2.1. </a><a href="#name-requirements-for-authorizat" class="section-name selfRef">Requirements for Authorization Servers</a>
</h4>
<p id="section-2.2.1-1">Authorization servers<a href="#section-2.2.1-1" class="pilcrow">¶</a></p>
<ol start="1" type="1" class="normal" id="section-2.2.1-2">
<li id="section-2.2.1-2.1">
<p id="section-2.2.1-2.1.1">MUST adhere to <span>[<a href="#I-D.ietf-oauth-security-topics" class="xref">I-D.ietf-oauth-security-topics</a>]</span><a href="#section-2.2.1-2.1.1" class="pilcrow">¶</a></p>
</li>
<li id="section-2.2.1-2.2">
<p id="section-2.2.1-2.2.1">MUST support the authorization code grant described in <span>[<a href="#RFC6749" class="xref">RFC6749</a>]</span><a href="#section-2.2.1-2.2.1" class="pilcrow">¶</a></p>
</li>
<li id="section-2.2.1-2.3">
<p id="section-2.2.1-2.3.1">MUST support client-authenticated pushed authorization requests
according to <span>[<a href="#I-D.lodderstedt-oauth-par" class="xref">I-D.lodderstedt-oauth-par</a>]</span><a href="#section-2.2.1-2.3.1" class="pilcrow">¶</a></p>
</li>
<li id="section-2.2.1-2.4">
<p id="section-2.2.1-2.4.1">MUST NOT support authorization requests sent without
<span>[<a href="#I-D.lodderstedt-oauth-par" class="xref">I-D.lodderstedt-oauth-par</a>]</span> or authorization request parameters
sent outside of the PAR request, except for
<code>request_uri</code><a href="#section-2.2.1-2.4.1" class="pilcrow">¶</a></p>
</li>
<li id="section-2.2.1-2.5">
<p id="section-2.2.1-2.5.1">MUST NOT support pushed authorization requests without client authentication<a href="#section-2.2.1-2.5.1" class="pilcrow">¶</a></p>
</li>
<li id="section-2.2.1-2.6">
<p id="section-2.2.1-2.6.1">MUST support rich authorization requests according to <span>[<a href="#I-D.lodderstedt-oauth-rar" class="xref">I-D.lodderstedt-oauth-rar</a>]</span><a href="#section-2.2.1-2.6.1" class="pilcrow">¶</a></p>
</li>
<li id="section-2.2.1-2.7">
<p id="section-2.2.1-2.7.1">MUST support confidential clients as defined in <span>[<a href="#RFC6749" class="xref">RFC6749</a>]</span><a href="#section-2.2.1-2.7.1" class="pilcrow">¶</a></p>
</li>
<li id="section-2.2.1-2.8">
<p id="section-2.2.1-2.8.1">MUST support client authentication and sender-constraining of access tokens using Mutual TLS as described in <span>[<a href="#RFC8705" class="xref">RFC8705</a>]</span><a href="#section-2.2.1-2.8.1" class="pilcrow">¶</a></p>
</li>
<li id="section-2.2.1-2.9">
<p id="section-2.2.1-2.9.1">MUST require PKCE <span>[<a href="#RFC7636" class="xref">RFC7636</a>]</span> with <code>S256</code> as the code challenge method<a href="#section-2.2.1-2.9.1" class="pilcrow">¶</a></p>
</li>
<li id="section-2.2.1-2.10">
<p id="section-2.2.1-2.10.1">MUST only issue authorization codes, access tokens, and refresh tokens that are sender-constrained<a href="#section-2.2.1-2.10.1" class="pilcrow">¶</a></p>
</li>
<li id="section-2.2.1-2.11">
<p id="section-2.2.1-2.11.1">MUST require the <code>redirect_uri</code> parameter in authorization requests and evaluate only this parameter to ensure authenticity and integrity of the redirect URI<a href="#section-2.2.1-2.11.1" class="pilcrow">¶</a></p>
</li>
<li id="section-2.2.1-2.12">
<p id="section-2.2.1-2.12.1">MUST require that redirect URIs use the <code>https</code> scheme<a href="#section-2.2.1-2.12.1" class="pilcrow">¶</a></p>
</li>
<li id="section-2.2.1-2.13">
<p id="section-2.2.1-2.13.1">MUST verify, if possible, that the authorization code (section 1.3.1 of [RFC6749]) has not been previously used<a href="#section-2.2.1-2.13.1" class="pilcrow">¶</a></p>
</li>
</ol>
<p id="section-2.2.1-3"><strong>NOTE</strong>: If replay identification of the authorization code is not possible, it is desirable to set the validity period of the authorization code to one minute or a suitable short period of time. The validity period may act as a cache control indicator of when to clear the authorization code cache if one is used.<a href="#section-2.2.1-3" class="pilcrow">¶</a></p>
<div id="returning-authenticated-user-s-identifier">
<section id="section-2.2.1.1">
<h5 id="name-returning-authenticated-use">
<a href="#section-2.2.1.1" class="section-number selfRef">2.2.1.1. </a><a href="#name-returning-authenticated-use" class="section-name selfRef">Returning Authenticated User's Identifier</a>
</h5>
<p id="section-2.2.1.1-1">If it is desired to provide the authenticated user's identifier to the client in the token response, the authorization server:<a href="#section-2.2.1.1-1" class="pilcrow">¶</a></p>
<ol start="1" type="1" class="normal" id="section-2.2.1.1-2">
<li id="section-2.2.1.1-2.1">
<p id="section-2.2.1.1-2.1.1">MUST support signed ID Tokens<a href="#section-2.2.1.1-2.1.1" class="pilcrow">¶</a></p>
</li>
<li id="section-2.2.1.1-2.2">
<p id="section-2.2.1.1-2.2.1">SHOULD support signed and encrypted ID Tokens<a href="#section-2.2.1.1-2.2.1" class="pilcrow">¶</a></p>
</li>
<li id="section-2.2.1.1-2.3">
<p id="section-2.2.1.1-2.3.1">MUST support the authentication request as in Section 3.1.2.1 of [OIDC];<a href="#section-2.2.1.1-2.3.1" class="pilcrow">¶</a></p>
</li>
<li id="section-2.2.1.1-2.4">
<p id="section-2.2.1.1-2.4.1">MUST perform the authentication request verification as in Section 3.1.2.2 of [OIDC];<a href="#section-2.2.1.1-2.4.1" class="pilcrow">¶</a></p>
</li>
<li id="section-2.2.1.1-2.5">
<p id="section-2.2.1.1-2.5.1">MUST authenticate the user as in Section 3.1.2.2 and 3.1.2.3 of [OIDC];<a href="#section-2.2.1.1-2.5.1" class="pilcrow">¶</a></p>
</li>
<li id="section-2.2.1.1-2.6">
<p id="section-2.2.1.1-2.6.1">MUST provide the authentication response as in Section 3.1.2.4 and 3.1.2.5 of [OIDC] depending on the outcome of the authentication;<a href="#section-2.2.1.1-2.6.1" class="pilcrow">¶</a></p>
</li>
<li id="section-2.2.1.1-2.7">
<p id="section-2.2.1.1-2.7.1">MUST perform the token request verification as in Section 3.1.3.2 of [OIDC]; and<a href="#section-2.2.1.1-2.7.1" class="pilcrow">¶</a></p>
</li>
<li id="section-2.2.1.1-2.8">
<p id="section-2.2.1.1-2.8.1">MUST issue an ID Token in the token response when <code>openid</code> was included in the requested <code>scope</code>
as in Section 3.1.3.3 of [OIDC] with its <code>sub</code> value corresponding to the authenticated user
and optional <code>acr</code> value in ID Token.<a href="#section-2.2.1.1-2.8.1" class="pilcrow">¶</a></p>
</li>
</ol>
</section>
</div>
</section>
</div>
<div id="requirements-for-clients">
<section id="section-2.2.2">
<h4 id="name-requirements-for-clients">
<a href="#section-2.2.2" class="section-number selfRef">2.2.2. </a><a href="#name-requirements-for-clients" class="section-name selfRef">Requirements for Clients</a>
</h4>
<p id="section-2.2.2-1">Clients<a href="#section-2.2.2-1" class="pilcrow">¶</a></p>
<ol start="1" type="1" class="normal" id="section-2.2.2-2">
<li id="section-2.2.2-2.1">
<p id="section-2.2.2-2.1.1">MUST use the authorization code grant described in <span>[<a href="#RFC6749" class="xref">RFC6749</a>]</span><a href="#section-2.2.2-2.1.1" class="pilcrow">¶</a></p>
</li>
<li id="section-2.2.2-2.2">
<p id="section-2.2.2-2.2.1">MUST use pushed authorization requests according to
<span>[<a href="#I-D.lodderstedt-oauth-par" class="xref">I-D.lodderstedt-oauth-par</a>]</span><a href="#section-2.2.2-2.2.1" class="pilcrow">¶</a></p>
</li>
<li id="section-2.2.2-2.3">
<p id="section-2.2.2-2.3.1">MUST use client authentication and sender-constrained access
tokens using Mutual TLS as described in <span>[<a href="#RFC8705" class="xref">RFC8705</a>]</span><a href="#section-2.2.2-2.3.1" class="pilcrow">¶</a></p>
</li>
<li id="section-2.2.2-2.4">
<p id="section-2.2.2-2.4.1">MUST use PKCE <span>[<a href="#RFC7636" class="xref">RFC7636</a>]</span> with <code>S256</code> as the code challenge method<a href="#section-2.2.2-2.4.1" class="pilcrow">¶</a></p>
</li>
<li id="section-2.2.2-2.5">
<p id="section-2.2.2-2.5.1">MUST send access tokens in the HTTP header as in Section 2.1 of
OAuth 2.0 Bearer Token Usage [RFC6750];<a href="#section-2.2.2-2.5.1" class="pilcrow">¶</a></p>
</li>
<li id="section-2.2.2-2.6">
<p id="section-2.2.2-2.6.1">MUST support signed and encrypted ID Tokens<a href="#section-2.2.2-2.6.1" class="pilcrow">¶</a></p>
</li>
<li id="section-2.2.2-2.7">
<p id="section-2.2.2-2.7.1">MAY send the last time the customer logged into the client in the
<code>x-fapi-auth-date</code> header where the value is supplied as an
HTTP-date as in section 7.1.1.1 of [RFC7231], e.g.,
<code>x-fapi-auth-date: Tue, 11 Sep 2012 19:43:31 GMT</code>; and<a href="#section-2.2.2-2.7.1" class="pilcrow">¶</a></p>
</li>
<li id="section-2.2.2-2.8">
<p id="section-2.2.2-2.8.1">MAY send the customer's IP address if this data is available in
the <code>x-fapi-customer-ip-address</code> header, e.g.,
<code>x-fapi-customer-ip-address: 198.51.100.119</code>; and<a href="#section-2.2.2-2.8.1" class="pilcrow">¶</a></p>
</li>
<li id="section-2.2.2-2.9">
<p id="section-2.2.2-2.9.1">MAY send the <code>x-fapi-interaction-id</code> request header whose value is
a [RFC4122] UUID to the server to help correlate log entries
between client and server, e.g., <code>x-fapi-interaction-id:
c770aef3-6784-41f7-8e0e-ff5f97bddb3a</code>.<a href="#section-2.2.2-2.9.1" class="pilcrow">¶</a></p>
</li>
</ol>
</section>
</div>
<div id="requirements-for-resource-servers">
<section id="section-2.2.3">
<h4 id="name-requirements-for-resource-s">
<a href="#section-2.2.3" class="section-number selfRef">2.2.3. </a><a href="#name-requirements-for-resource-s" class="section-name selfRef">Requirements for Resource Servers</a>
</h4>
<p id="section-2.2.3-1">The FAPI 2.0 endpoints are OAuth 2.0 protected resource endpoints that return protected information for the resource owner associated with the submitted access token.<a href="#section-2.2.3-1" class="pilcrow">¶</a></p>
<p id="section-2.2.3-2">Resource servers with the FAPI endpoints<a href="#section-2.2.3-2" class="pilcrow">¶</a></p>
<ol start="1" type="1" class="normal" id="section-2.2.3-3">
<li id="section-2.2.3-3.1">
<p id="section-2.2.3-3.1.1">MUST accept access tokens in the HTTP header as in Section 2.1 of OAuth 2.0 Bearer Token Usage [RFC6750];<a href="#section-2.2.3-3.1.1" class="pilcrow">¶</a></p>
</li>
<li id="section-2.2.3-3.2">
<p id="section-2.2.3-3.2.1">MUST NOT accept access tokens in the query parameters stated in Section 2.3 of OAuth 2.0 Bearer Token Usage [RFC6750];<a href="#section-2.2.3-3.2.1" class="pilcrow">¶</a></p>
</li>
<li id="section-2.2.3-3.3">
<p id="section-2.2.3-3.3.1">MUST verify that the access token is neither expired nor revoked;<a href="#section-2.2.3-3.3.1" class="pilcrow">¶</a></p>
</li>
<li id="section-2.2.3-3.4">
<p id="section-2.2.3-3.4.1">MUST verify that the scope associated with the access token authorizes the reading of the resource it is representing;<a href="#section-2.2.3-3.4.1" class="pilcrow">¶</a></p>
</li>
<li id="section-2.2.3-3.5">
<p id="section-2.2.3-3.5.1">MUST verify sender-constraining for access tokens<a href="#section-2.2.3-3.5.1" class="pilcrow">¶</a></p>
</li>
<li id="section-2.2.3-3.6">
<p id="section-2.2.3-3.6.1">MUST identify the entity associated with the access token;<a href="#section-2.2.3-3.6.1" class="pilcrow">¶</a></p>
</li>
<li id="section-2.2.3-3.7">
<p id="section-2.2.3-3.7.1">MUST only return the resource identified by the combination of the entity implicit in the access token and the granted scope, and otherwise return errors as in section 3.1 of [RFC6750]<a href="#section-2.2.3-3.7.1" class="pilcrow">¶</a></p>
</li>
<li id="section-2.2.3-3.8">
<p id="section-2.2.3-3.8.1">MUST set the response header <code>x-fapi-interaction-id</code> to the value received in the corresponding FAPI client request header, or to a [RFC4122] UUID value if the request header was not provided, in order to track the interaction, e.g., <code>x-fapi-interaction-id: c770aef3-6784-41f7-8e0e-ff5f97bddb3a</code><a href="#section-2.2.3-3.8.1" class="pilcrow">¶</a></p>
</li>
<li id="section-2.2.3-3.9">
<p id="section-2.2.3-3.9.1">MUST log the value of <code>x-fapi-interaction-id</code> in the log entry<a href="#section-2.2.3-3.9.1" class="pilcrow">¶</a></p>
</li>
</ol>
</section>
</div>
</section>
</div>
<div id="cryptography-and-secrets">
<section id="section-2.3">
<h3 id="name-cryptography-and-secrets">
<a href="#section-2.3" class="section-number selfRef">2.3. </a><a href="#name-cryptography-and-secrets" class="section-name selfRef">Cryptography and Secrets</a>
</h3>
<ol start="1" type="1" class="normal" id="section-2.3-1">
<li id="section-2.3-1.1">
<p id="section-2.3-1.1.1">RSA keys MUST have a minimum length of 2048 bits.<a href="#section-2.3-1.1.1" class="pilcrow">¶</a></p>
</li>
<li id="section-2.3-1.2">
<p id="section-2.3-1.2.1">Elliptic curve keys MUST have a minimum length of 160 bits.<a href="#section-2.3-1.2.1" class="pilcrow">¶</a></p>
</li>
<li id="section-2.3-1.3">
<p id="section-2.3-1.3.1">Authorization servers MUST provide a client secret that adheres to the requirements in section 16.19 of [OIDC] if a symmetric key is used<a href="#section-2.3-1.3.1" class="pilcrow">¶</a></p>
</li>
<li id="section-2.3-1.4">
<p id="section-2.3-1.4.1">Access tokens MUST be non-guessable with a minimum of 128 bits of entropy where the probability of an attacker guessing the generated token is less than or equal to 2^(-160) as per [RFC6749] section 10.10.<a href="#section-2.3-1.4.1" class="pilcrow">¶</a></p>
</li>
</ol>
</section>
</div>
<div id="differences-to-fapi-1-0">
<section id="section-2.4">
<h3 id="name-differences-to-fapi-10">
<a href="#section-2.4" class="section-number selfRef">2.4. </a><a href="#name-differences-to-fapi-10" class="section-name selfRef">Differences to FAPI 1.0</a>
</h3>
<table class="center" id="table-1">
<caption><a href="#table-1">Table 1</a></caption>
<thead>
<tr>
<th class="text-left" rowspan="1" colspan="1">FAPI 1.0 Read/Write</th>
<th class="text-left" rowspan="1" colspan="1">FAPI 2.0</th>
<th class="text-left" rowspan="1" colspan="1">Reasons</th>
</tr>
</thead>
<tbody>
<tr>
<td class="text-left" rowspan="1" colspan="1">JAR, JARM</td>
<td class="text-left" rowspan="1" colspan="1">PAR</td>
<td class="text-left" rowspan="1" colspan="1">integrity protection and compatibility improvements for authorization requests; only code in response</td>
</tr>
<tr>
<td class="text-left" rowspan="1" colspan="1">-</td>
<td class="text-left" rowspan="1" colspan="1">RAR</td>
<td class="text-left" rowspan="1" colspan="1">support complex and structured information about authorizations</td>
</tr>
<tr>
<td class="text-left" rowspan="1" colspan="1">
<code>s_hash</code>
</td>
<td class="text-left" rowspan="1" colspan="1">-</td>
<td class="text-left" rowspan="1" colspan="1">state integrity is protected by PAR; protection provided by state is now provided by PKCE</td>
</tr>
<tr>
<td class="text-left" rowspan="1" colspan="1">symmetric client authentication</td>
<td class="text-left" rowspan="1" colspan="1">only asymmetric methods</td>
<td class="text-left" rowspan="1" colspan="1">improve security</td>
</tr>
<tr>
<td class="text-left" rowspan="1" colspan="1">
<code>private_key_jwt</code>
</td>
<td class="text-left" rowspan="1" colspan="1">OAuth Mutual TLS</td>
<td class="text-left" rowspan="1" colspan="1">improve interoperability (?)</td>
</tr>
<tr>
<td class="text-left" rowspan="1" colspan="1">pre-registered redirect URIs</td>
<td class="text-left" rowspan="1" colspan="1">redirect URIs in PAR</td>
<td class="text-left" rowspan="1" colspan="1">pre-registration is not required with client authentication and PAR</td>
</tr>
<tr>
<td class="text-left" rowspan="1" colspan="1">-</td>
<td class="text-left" rowspan="1" colspan="1">MUST adhere to Security BCP</td>
<td class="text-left" rowspan="1" colspan="1"></td>
</tr>
<tr>
<td class="text-left" rowspan="1" colspan="1">response types <code>code id_token</code> or <code>code</code>
</td>
<td class="text-left" rowspan="1" colspan="1">response type <code>code</code>
</td>
<td class="text-left" rowspan="1" colspan="1">improve security: no ID token in front-channel; not needed</td>
</tr>
<tr>
<td class="text-left" rowspan="1" colspan="1">ID Token as detached signature</td>
<td class="text-left" rowspan="1" colspan="1">-</td>
<td class="text-left" rowspan="1" colspan="1">ID token does not need to serve as a detached signature</td>
</tr>
<tr>
<td class="text-left" rowspan="1" colspan="1">
<code>exp</code> claim in request object</td>
<td class="text-left" rowspan="1" colspan="1">-</td>
<td class="text-left" rowspan="1" colspan="1">?</td>
</tr>
</tbody>
</table>
</section>
</div>
<div id="open-questions">
<section id="section-2.5">
<h3 id="name-open-questions">
<a href="#section-2.5" class="section-number selfRef">2.5. </a><a href="#name-open-questions" class="section-name selfRef">Open questions:</a>
</h3>
<ul>
<li id="section-2.5-1.1">
<p id="section-2.5-1.1.1">disallow scopes? if yes, use RAR transport for openid claim<a href="#section-2.5-1.1.1" class="pilcrow">¶</a></p>
</li>
<li id="section-2.5-1.2">
<p id="section-2.5-1.2.1">Response types? ID Token in front channel?<a href="#section-2.5-1.2.1" class="pilcrow">¶</a></p>
</li>
<li id="section-2.5-1.3">
<p id="section-2.5-1.3.1"><a href="#section-2.5-1.3.1" class="pilcrow">¶</a></p>
</li>
<li id="section-2.5-1.4">
<p id="section-2.5-1.4.1">lifetime for request objects?<a href="#section-2.5-1.4.1" class="pilcrow">¶</a></p>
</li>
<li id="section-2.5-1.5">
<p id="section-2.5-1.5.1">(to be moved to grant management):<a href="#section-2.5-1.5.1" class="pilcrow">¶</a></p>
<ul>
<li id="section-2.5-1.5.2.1">
<p id="section-2.5-1.5.2.1.1">shall require explicit consent by the user to authorize the requested scope if it has not been previously authorized;<a href="#section-2.5-1.5.2.1.1" class="pilcrow">¶</a></p>
</li>
<li id="section-2.5-1.5.2.2">
<p id="section-2.5-1.5.2.2.1">should clearly identify long-term grants to the user during authorization as in 16.18 of [OIDC]; and<a href="#section-2.5-1.5.2.2.1" class="pilcrow">¶</a></p>
</li>
<li id="section-2.5-1.5.2.3">
<p id="section-2.5-1.5.2.3.1">should provide a mechanism for the end-user to revoke access tokens and refresh tokens granted to a client as in 16.18 of [OIDC].<a href="#section-2.5-1.5.2.3.1" class="pilcrow">¶</a></p>
</li>
</ul>
</li>
<li id="section-2.5-1.6">
<p id="section-2.5-1.6.1">(relevance/meaning unclear):<a href="#section-2.5-1.6.1" class="pilcrow">¶</a></p>
<ul>
<li id="section-2.5-1.6.2.1">
<p id="section-2.5-1.6.2.1.1">shall return token responses that conform to section 4.1.4 of [RFC6749];<a href="#section-2.5-1.6.2.1.1" class="pilcrow">¶</a></p>
</li>
<li id="section-2.5-1.6.2.2">
<p id="section-2.5-1.6.2.2.1">shall return an invalid_client error as defined in 5.2 of [RFC6749] when mismatched client identifiers were provided through client authentication methods that permit sending the client identifier in more than one way;<a href="#section-2.5-1.6.2.2.1" class="pilcrow">¶</a></p>
</li>
<li id="section-2.5-1.6.2.3">
<p id="section-2.5-1.6.2.3.1">The Financial-grade API server may limit the scopes for the purpose of not implementing certain APIs.<a href="#section-2.5-1.6.2.3.1" class="pilcrow">¶</a></p>
</li>
<li id="section-2.5-1.6.2.4">
<p id="section-2.5-1.6.2.4.1">(RS) MUST encode the response in UTF-8 if applicable;<a href="#section-2.5-1.6.2.4.1" class="pilcrow">¶</a></p>
</li>
<li id="section-2.5-1.6.2.5">
<p id="section-2.5-1.6.2.5.1">(RS) MUST send the <code>Content-type</code> HTTP header <code>Content-Type: application/json; charset=UTF-8</code> if applicable;<a href="#section-2.5-1.6.2.5.1" class="pilcrow">¶</a></p>
</li>
<li id="section-2.5-1.6.2.6">
<p id="section-2.5-1.6.2.6.1">(RS) MUST send the server date in HTTP Date header as in section 7.1.1.2 of [RFC7231];<a href="#section-2.5-1.6.2.6.1" class="pilcrow">¶</a></p>
</li>
<li id="section-2.5-1.6.2.7">
<p id="section-2.5-1.6.2.7.1">(RS) SHOULD support CORS for JS clients<a href="#section-2.5-1.6.2.7.1" class="pilcrow">¶</a></p>
</li>
<li id="section-2.5-1.6.2.8">
<p id="section-2.5-1.6.2.8.1">(Client) SHOULD require both JWS signed and JWE encrypted ID Tokens to be returned from endpoints to protect any sensitive personally identifiable information (PII) contained in the ID Token provided as a detached signature in the authorization response<a href="#section-2.5-1.6.2.8.1" class="pilcrow">¶</a></p>
</li>
</ul>
</li>
<li id="section-2.5-1.7">
<p id="section-2.5-1.7.1">Check Sections 7/8<a href="#section-2.5-1.7.1" class="pilcrow">¶</a></p>
</li>
</ul>
</section>
</div>
</section>
</div>
<section id="section-3">
<h2 id="name-normative-references">
<a href="#section-3" class="section-number selfRef">3. </a><a href="#name-normative-references" class="section-name selfRef">Normative References</a>
</h2>
<dl class="references">
<dt id="RFC6749">[RFC6749]</dt>
<dd>
<span class="refAuthor">Hardt, D., Ed.</span>, <span class="refTitle">"The OAuth 2.0 Authorization Framework"</span>, <span class="seriesInfo">RFC 6749</span>, <span class="seriesInfo">DOI 10.17487/RFC6749</span>, <time datetime="2012-10">October 2012</time>
<span>, <<a href="https://www.rfc-editor.org/info/rfc6749">https://www.rfc-editor.org/info/rfc6749</a>></span>. </dd>
<dt id="RFC6750">[RFC6750]</dt>
<dd>
<span class="refAuthor">Jones, M.</span><span class="refAuthor"> and D. Hardt</span>, <span class="refTitle">"The OAuth 2.0 Authorization Framework: Bearer Token Usage"</span>, <span class="seriesInfo">RFC 6750</span>, <span class="seriesInfo">DOI 10.17487/RFC6750</span>, <time datetime="2012-10">October 2012</time>
<span>, <<a href="https://www.rfc-editor.org/info/rfc6750">https://www.rfc-editor.org/info/rfc6750</a>></span>. </dd>
<dt id="RFC7525">[RFC7525]</dt>
<dd>
<span class="refAuthor">Sheffer, Y.</span><span class="refAuthor">, Holz, R.</span><span class="refAuthor">, and P. Saint-Andre</span>, <span class="refTitle">"Recommendations for Secure Use of Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS)"</span>, <span class="seriesInfo">BCP 195</span>, <span class="seriesInfo">RFC 7525</span>, <span class="seriesInfo">DOI 10.17487/RFC7525</span>, <time datetime="2015-05">May 2015</time>
<span>, <<a href="https://www.rfc-editor.org/info/rfc7525">https://www.rfc-editor.org/info/rfc7525</a>></span>. </dd>
<dt id="RFC7636">[RFC7636]</dt>
<dd>
<span class="refAuthor">Sakimura, N., Ed.</span><span class="refAuthor">, Bradley, J.</span><span class="refAuthor">, and N. Agarwal</span>, <span class="refTitle">"Proof Key for Code Exchange by OAuth Public Clients"</span>, <span class="seriesInfo">RFC 7636</span>, <span class="seriesInfo">DOI 10.17487/RFC7636</span>, <time datetime="2015-09">September 2015</time>
<span>, <<a href="https://www.rfc-editor.org/info/rfc7636">https://www.rfc-editor.org/info/rfc7636</a>></span>. </dd>
<dt id="RFC8414">[RFC8414]</dt>
<dd>
<span class="refAuthor">Jones, M.</span><span class="refAuthor">, Sakimura, N.</span><span class="refAuthor">, and J. Bradley</span>, <span class="refTitle">"OAuth 2.0 Authorization Server Metadata"</span>, <span class="seriesInfo">RFC 8414</span>, <span class="seriesInfo">DOI 10.17487/RFC8414</span>, <time datetime="2018-06">June 2018</time>
<span>, <<a href="https://www.rfc-editor.org/info/rfc8414">https://www.rfc-editor.org/info/rfc8414</a>></span>. </dd>
<dt id="RFC8705">[RFC8705]</dt>
<dd>
<span class="refAuthor">Campbell, B.</span><span class="refAuthor">, Bradley, J.</span><span class="refAuthor">, Sakimura, N.</span><span class="refAuthor">, and T. Lodderstedt</span>, <span class="refTitle">"
OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens
"</span>, <time datetime="2020-02">February 2020</time>
<span>, <<a href="https://www.rfc-editor.org/info/rfc8705">https://www.rfc-editor.org/info/rfc8705</a>></span>. </dd>
</dl>
</section>
<section id="section-4">
<h2 id="name-informative-references">
<a href="#section-4" class="section-number selfRef">4. </a><a href="#name-informative-references" class="section-name selfRef">Informative References</a>
</h2>
<dl class="references">
<dt id="I-D.ietf-oauth-security-topics">[I-D.ietf-oauth-security-topics]</dt>
<dd>
<span class="refAuthor">Lodderstedt, T.</span><span class="refAuthor">, Bradley, J.</span><span class="refAuthor">, Labunets, A.</span><span class="refAuthor">, and D. Fett</span>, <span class="refTitle">"OAuth 2.0 Security Best Current Practice"</span>, <span class="seriesInfo">Internet-Draft draft-ietf-oauth-security-topics-14</span>, <time datetime="2020-02-10">10 February 2020</time>
<span>, <<a href="https://www.ietf.org/archive/id/draft-ietf-oauth-security-topics-14">https://www.ietf.org/archive/id/draft-ietf-oauth-security-topics-14</a>></span>. </dd>
<dt id="I-D.lodderstedt-oauth-par">[I-D.lodderstedt-oauth-par]</dt>
<dd>
<span class="refAuthor">Lodderstedt, T.</span><span class="refAuthor">, Campbell, B.</span><span class="refAuthor">, Sakimura, N.</span><span class="refAuthor">, Tonge, D.</span><span class="refAuthor">, and F. Skokan</span>, <span class="refTitle">"OAuth 2.0 Pushed Authorization Requests"</span>, <span class="seriesInfo">Internet-Draft draft-lodderstedt-oauth-par-01</span>, <time datetime="2019-11-03">3 November 2019</time>
<span>, <<a href="https://www.ietf.org/archive/id/draft-lodderstedt-oauth-par-01">https://www.ietf.org/archive/id/draft-lodderstedt-oauth-par-01</a>></span>. </dd>
<dt id="I-D.lodderstedt-oauth-rar">[I-D.lodderstedt-oauth-rar]</dt>
<dd>
<span class="refAuthor">Lodderstedt, T.</span><span class="refAuthor">, Richer, J.</span><span class="refAuthor">, and B. Campbell</span>, <span class="refTitle">"OAuth 2.0 Rich Authorization Requests"</span>, <span class="seriesInfo">Internet-Draft draft-lodderstedt-oauth-rar-03</span>, <time datetime="2019-11-04">4 November 2019</time>
<span>, <<a href="https://www.ietf.org/archive/id/draft-lodderstedt-oauth-rar-03">https://www.ietf.org/archive/id/draft-lodderstedt-oauth-rar-03</a>></span>. </dd>
</dl>
</section>
<div id="authors-addresses">
<section id="section-appendix.a">
<h2 id="name-authors-address">
<a href="#name-authors-address" class="section-name selfRef">Author's Address</a>
</h2>
<address class="vcard">
<div dir="auto" class="left"><span class="fn nameRole">Daniel Fett</span></div>
<div dir="auto" class="left"><span class="org">yes.com</span></div>
<div class="email">
<span>Email:</span>
<a href="mailto:mail@danielfett.de" class="email">mail@danielfett.de</a>
</div>
</address>
</section>
</div>
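<script>var toc = document.getElementById("toc");
var tocToggle = toc.querySelector("h2");
var tocNav = toc.querySelector("nav");
// mobile menu toggle: below 1024px the TOC heading shows/hides the nav
tocToggle.onclick = function(event) {
if (window.innerWidth < 1024) {
// currentStyle is the legacy IE fallback for getComputedStyle
var tocNavDisplay = tocNav.currentStyle ? tocNav.currentStyle.display : getComputedStyle(tocNav, null).display;
tocNav.style.display = (tocNavDisplay == "none") ? "block" : "none";
}
}
// toc anchor scroll to anchor
tocNav.addEventListener("click", function (event) {
if (event.target.nodeName != 'A') {
return;
}
var href = event.target.getAttribute("href");
// Only intercept in-page fragment links; any other href keeps the
// browser's default navigation.
if (!href || href.charAt(0) != '#') {
return;
}
var anchor = document.getElementById(href.substr(1));
// No element with that id: let the browser resolve the fragment itself
// rather than suppressing navigation and then throwing on scrollIntoView.
if (!anchor) {
return;
}
event.preventDefault();
if (window.innerWidth < 1024) {
tocNav.style.display = "none";
}
anchor.scrollIntoView(true);
// keep the address bar in sync so the fragment can be bookmarked/shared
window.history.pushState("", "", href);
});
// switch toc mode when window resized
window.onresize = function () {
tocNav.style.display = (window.innerWidth < 1024) ? "none" : "block";
}
</script>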
</body>
</html>