Ex FAPI-SIG (Financial-grade API Security : Special Interest Group)
FAPI-SIG is a group whose activity is mainly supporting Financial-grade API (FAPI) and its related specifications to keycloak.
FAPI-SIG is open to everybody so that anyone can join it anytime. Nothing special need not to be done to join it. Who want to join it can only access to the communication channels shown below. All of its activities and outputs are public so that anyone can access them.
FAPI-SIG mainly treats FAPI and its related specifications but not limited to. E.g., Ecosystems employing FAPI for their API Security like UK OpenBanking, Open Banking Brasil and Australia Consumer Data Right (CDR).
Since June 2023, FAPI-SIG is evolved into OAuth SIG. OAuth SIG will mainly treats OAuth/OIDC and its related security features like FAPI 2.0 to Keycloak.
Supporting OAuth/OIDC and its related security features to Keycloak.
Tech Lead : Takashi Norimatsu
Please refer to the list.
Currently, proposed goals are as follows.
- EU : PSD2/eIDAS - QWAC Verification Extension
Currently, proposed open works are as follows.
-
Integrating FAPI conformance tests run into keycloak’s CI/CD pipeline
-
Implement security profiles for Apps run on mobile devices
FAPI related accomplishments by FAPI-SIG and OAuth SIG, other contributors and keycloak development team is as follows.
-
Brazil : Open Banking Brasil Financial-grade API Security Profile
mainly by keycloak development team.
-
Client Initiated Backchannel Authentication (CIBA) ping mode
mainly by keycloak development team.
-
FAPI JWT Secured Authorization Response Mode for OAuth 2.0 (JARM)
mainly by the contributor outside FAPI-SIG.
-
FAPI Client Initiated Backchannel Authentication Profile (FAPI-CIBA)
-
OpenID Connect Logout 1.0 for Logout Profiles
mainly by keycloak development team and the contributor outside FAPI-SIG.
- UK OpenBanking Security Profile
- RFC 9207 OAuth 2.0 Authorization Server Issuer Identification
- RFC 9449 OAuth 2.0 Demonstrating Proof of Possession (DPoP)
- FAPI 2.0 Security Profile Second Implementer’s Draft
- FAPI 2.0 Message Signing First Implementer’s Draft
- RFC 8032 Edwards-Curve Digital Signature Algorithm (EdDSA)
- The OAuth 2.1 Authorization Framework - Draft version 10
- Selective Disclosure for JWTs (SD-JWT)
- SD-JWT-based Verifiable Credentials (SD-JWT VC)
- JWT VC
- W3C Verfiable Credentials Data Format(VCDM)
The current environment uses the following software version.
- Keycloak version : 26.0.5
- Conformance-suite version : release-v5.1.22
- Client Authentication Method : MTLS, private_key_jwt
- Signature Algorithm : PS256, ES256
- Request Object Method : plain, PAR
- Response Mode : plain, JARM
Keycloak 15.0.2 have achieved certification for all 8 conformance profiles of FAPI 1 Advanced Final (Generic).
- Client Authentication Method : MTLS, private_key_jwt
- Signature Algorithm : PS256, ES256
- Mode : Poll, Ping
Keycloak 15.0.2 have achieved certification for all 4 conformance profiles of Financial-grade API Client Initiated Backchannel Authentication Profile (FAPI-CIBA).
- Client Authentication Method : MTLS, private_key_jwt
- Signature Algorithm : PS256
- Request Object Method : plain, PAR
- Response Mode : plain, JARM
Keycloak 15.0.2 have achieved certification for 8 conformance profiles of Brazil Open Banking (Based on FAPI 1 Advanced Final) except for DCR (Dynamic Client Registration).
- Client Authentication Method : private_key_jwt
- Signature Algorithm : PS256
- Request Object Method : PAR
- Response Mode : plain
- ID token encryption : required
- Client Authentication Method : private_key_jwt
- Signature Algorithm : PS256
- Request Object Method : plain, PAR
- Response Mode : plain
Keycloak 15.0.2 have achieved certification for all 2 conformance profiles of Australia CDR (Based on FAPI 1 Advanced Final).
- Client Authentication Method : MTLS, private_key_jwt
- Signature Algorithm : PS256
- Request Object Method : plain, PAR
- Response Mode : plain
- Basic OP
- Implicit OP
- Hybrid OP
- Config OP
- Dynamic OP
- Form Post OP
- 3rd Party-Init OP
Keycloak 18.0.0 have re-achieved certification for 6 conformance profiles of Certified OpenID Providers except for 3rd Party-Init OP.
- Front-Channel OP
- Back-Channel OP
- Session OP
- RP-Initiated OP
Keycloak 18.0.0 have achieved certification for all 4 conformance profiles of Certified OpenID Providers for Logout Profiles.
Note: Session OP and Front-Channel OP of OpenID Provider for Logout Profile conformance tests cannot be automated. These can be passed manually.
- FAPI2SP MTLS + MTLS
- Client Authentication Method : mtls
- Sender Constrain : mtls
- OpenID : plain_oauth
- FAPI Profile : plain
- FAPI2SP private key + MTLS
- Client Authentication Method : private_key_jwt
- Sender Constrain : mtls
- OpenID : plain_oauth
- FAPI Profile : plain
- FAPI2SP OpenID Connect
- Client Authentication Method : mtls
- Sender Constrain : mtls
- OpenID : openid
- FAPI Profile : plain
- FAPI2MS JAR
- Client Authentication Method : mtls
- Sender Constrain : mtls
- OpenID : plain_oauth
- FAPI Profile : plain
- FAPI Request Method : signed_non_repudiation
- FAPI Response Mode : plain_response
- FAPI2MS JARM
- Client Authentication Method : mtls
- Sender Constrain : mtls
- OpenID : plain_oauth
- FAPI Profile : plain
- FAPI Request Method : signed_non_repudiation
- FAPI Response Mode : jarm
To ensure that every keycloak version can pass conformance tests, we check if a new Keycloak version pass conformance tests that the older Keycloak version could pass whenever the new Keycloak version is released.
We tagged the environment for every keycloak verion:
| Tag | Keycloak version | Conformance-suite version |
|---|---|---|
| kc-15.0.2 | 15.0.2 | release-v4.1.38 |
| kc-17.0.0 | 17.0.0 | release-v4.1.41 |
| kc-17.0.1 | 17.0.1 | release-v4.1.41 |
| kc-18.0.0 | 18.0.0 | release-v4.1.42 |
| kc-18.0.2 | 18.0.2 | release-v4.1.42 |
| kc-19.0.1 | 19.0.1 | release-v4.1.45 |
| kc-19.0.2 | 19.0.2 | release-v5.0.3 |
| kc-20.0.0 | 20.0.0 | release-v5.0.6 |
| kc-20.0.1 | 20.0.1 | release-v5.0.6 |
| kc-20.0.2 | 20.0.2 | release-v5.0.7 |
| kc-20.0.3 | 20.0.3 | release-v5.0.12 |
| kc-20.0.5 | 20.0.5 | release-v5.0.14 |
| kc-21.0.0 | 21.0.0 | release-v5.1.0 |
| kc-21.0.1 | 21.0.1 | release-v5.1.0 |
| kc-21.0.2 | 21.0.2 | release-v5.1.2 |
| kc-21.1.0 | 21.1.0 | release-v5.1.2 |
| kc-21.1.1 | 21.1.1 | release-v5.1.2 |
| kc-21.1.2 | 21.1.2 | release-v5.1.5 |
| kc-22.0.0 | 22.0.0 | release-v5.1.5 |
| kc-22.0.1 | 22.0.1 | release-v5.1.5 |
| kc-22.0.2 | 22.0.2 | release-v5.1.5 |
| kc-22.0.3 | 22.0.3 | release-v5.1.7 |
| kc-22.0.4 | 22.0.4 | release-v5.1.8 |
| kc-22.0.5 | 22.0.5 | release-v5.1.9 |
| kc-23.0.0 | 23.0.0 | release-v5.1.15 |
| kc-23.0.1 | 23.0.1 | release-v5.1.15 |
| kc-23.0.2 | 23.0.2 | release-v5.1.15 |
| kc-23.0.3 | 23.0.3 | release-v5.1.15 |
| kc-23.0.4 | 23.0.4 | release-v5.1.15 |
| kc-23.0.5 | 23.0.5 | release-v5.1.15 |
| kc-23.0.6 | 23.0.6 | release-v5.1.15 |
| kc-23.0.7 | 23.0.7 | release-v5.1.15 |
| kc-24.0.0 | 24.0.0 | release-v5.1.15 |
| kc-24.0.1 | 24.0.1 | release-v5.1.15 |
| kc-24.0.2 | 24.0.2 | release-v5.1.16 |
| kc-24.0.3 | 24.0.3 | release-v5.1.16 |
| kc-24.0.4 | 24.0.4 | release-v5.1.16 |
| kc-24.0.5 | 24.0.5 | release-v5.1.16 |
| kc-25.0.0 | 25.0.0 | release-v5.1.17 |
| kc-25.0.1 | 25.0.1 | release-v5.1.17 |
| kc-25.0.2 | 25.0.2 | release-v5.1.17 |
| kc-25.0.4 | 25.0.4 | release-v5.1.21 |
| kc-25.0.5 | 25.0.5 | release-v5.1.22 |
| kc-25.0.6 | 25.0.6 | release-v5.1.22 |
| kc-26.0.0 | 26.0.0 | release-v5.1.22 |
| kc-26.0.1 | 26.0.1 | release-v5.1.22 |
| kc-26.0.2 | 26.0.2 | release-v5.1.22 |
| kc-26.0.4 | 26.0.4 | release-v5.1.22 |
| kc-26.0.5 | 26.0.5 | release-v5.1.22 |
| Keycloak version | FAPI 1.0 Advanced | FAPI-CIBA | Open Banking Brasil FAPI 1.0 (*1,*2) | Open Finance Brasil FAPI 1.0 (*3) | Australia Consumer Data Right (CDR) | UK Open Banking | OpenID Connect OP (*4) | OpenID Connect OP for Logout Profile | FAPI 2.0 Security Profile Implementer’s Draft | FAPI 2.0 Message Signing Implementer’s Draft |
|---|---|---|---|---|---|---|---|---|---|---|
| 15.0.2 | x | x | x | - | x | - | - | - | - | - |
| 17.0.0 | x | x | x | - | x | - | - | - | - | - |
| 17.0.0-legacy | x | x | x | - | x | - | - | - | - | - |
| 17.0.1 | x | x | x | - | x | - | - | - | - | - |
| 17.0.1-legacy | x | x | x | - | x | - | - | - | - | - |
| 18.0.0 | x | x | x | - | x | - | x | x | - | - |
| 18.0.0-legacy | x | x | x | - | x | - | x | x | - | - |
| 18.0.2 | x | x | x | - | x | - | x | x | - | - |
| 18.0.2-legacy | x | x | x | - | x | - | x | x | - | - |
| 19.0.1 | x | x | x | - | x | - | x | x | - | - |
| 19.0.1-legacy | x | x | x | - | x | - | x | x | - | - |
| 19.0.2 | x | x | x | - | x | - | x | x | - | - |
| 19.0.2-legacy | x | x | x | - | x | - | x | x | - | - |
| 20.0.0 | x | x | x | - | x | x | x | x | - | - |
| 20.0.1 | x | x | x | - | x | x | x | x | - | - |
| 20.0.2 | x | x | x | - | x | x | x | x | - | - |
| 20.0.3 | x | x | x | - | x | x | x | x | - | - |
| 20.0.5 | x | x | x | - | x | x | x | x | - | - |
| 21.0.0 | x | x | x | - | x | x | x | x | - | - |
| 21.0.1 | x | x | x | - | x | x | x | x | - | - |
| 21.0.2 | x | x | x | - | x | x | x | x | - | - |
| 21.1.0 | x | x | x | - | x | x | x | x | - | - |
| 21.1.1 | x | x | x | - | x | x | x | x | - | - |
| 21.1.2 | x | x | x | - | x | x | x | x | - | - |
| 22.0.0 | x | x | x | - | x | x | x | x | - | - |
| 22.0.1 | x | x | x | - | x | x | x | x | - | - |
| 22.0.2 | x | x | x | - | x | x | x | x | - | - |
| 22.0.3 | x | x | x | - | x | x | x | x | - | - |
| 22.0.4 | x | x | x | - | x | x | x | x | - | - |
| 22.0.5 | x | x | x | - | x | x | x | x | - | - |
| 23.0.0 | x | x | -(*5) | -(*5) | x | x | x | x | x | x |
| 23.0.1 | x | x | x | x | x | x | x | x | x | x |
| 23.0.2 | x | x | x | x | x | x | x | x | x | x |
| 23.0.3 | x | x | x | x | x | x | x | x | x | x |
| 23.0.4 | x | x | x | x | x | x | x | x | x | x |
| 23.0.5 | x | x | x | x | x | x | x | x | x | x |
| 23.0.6 | x | x | x | x | x | x | x | x | x | x |
| 23.0.7 | x | x | x | x | x | x | x | x | x | x |
| 24.0.0 | x | x | x | x | x | x | x | x | x | x |
| 24.0.1 | x | x | x | x | x | x | x | x | x | x |
| 24.0.2 | x | x | x | x | x | x | x | x | x | x |
| 24.0.3 | x | x | x | x | x | x | x | x | x | x |
| 24.0.4 | x | x | x | x | x | x | x | x | x | x |
| 24.0.5 | x | x | x | x | x | x | x | x | x | x |
| 25.0.0 | x | x | x | x | x | x | x | x | x | x |
| 25.0.1 | x | x | x | x | x | x | x | x | x | x |
| 25.0.2 | x | x | x | x | x | x | x | x | x | x |
| 25.0.4 | x | x | x | x | x | x | x | x | x | x |
| 25.0.5 | x | x | x | x | x | x | x | x | x | x |
| 25.0.6 | x | x | x | x | x | x | x | x | x | x |
| 26.0.0 | x | x | x | x | x | x | x | x | x | x |
| 26.0.1 | x | x | x | x | x | x | x | x | x | x |
| 26.0.2 | x | x | x | x | x | x | x | x | x | x |
| 26.0.4 | x | x | x | x | x | x | x | x | x | x |
| 26.0.5 | x | x | x | x | x | x | x | x | x | x |
Note: Keycloak legacy (wildfly) is no longer supported since keycloak 20.
*1 : Up to Implementer's Draft version 2, Open Banking Brazil Security Profile. From Implementer's Draft version 3, Open Finance Brazil Security Profile. Its conformance test is no longer supported since conformance suite version 5.1.11. Therefore, its conformance test is conducted by the conformance suite version 5.1.10.
*2 : Its conformance test is supported by conformance suite version 5.1.11.
*3 : Except for Dynamic Client Registration (DCR) conformance profile.
*4 : Except for 3rd Party-Init OP conformance profile.
*5 : ISSUE-25022
Please see keyconf 24.
- Title: Supporting OAuth 2.0 Based Security Profiles to Open-source Software - from Implementation to Operation
- URL: https://oauth.secworkshop.events/osw2024/agenda-thursday-osw-2024
KubeCon + CloudNativeCon Europe 2024 (Paris Expo Porte de Versailles, Paris, France, March 22, 2024)
- Title: The Leading Edge of AuthN and AuthZ by Keycloak
- URL: https://kccnceu2024.sched.com/event/1YhiQ/the-leading-edge-of-authn-and-authz-by-keycloak-takashi-norimatsu-hitachi-thomas-darimont-codecentric-ag
- Title: Implementing OAuth 2.0-based Security Profiles on Open-source Software
- URL: https://www.openid.or.jp/summit/2024/en/
KubeCon + CloudNativeCon North America 2023 (McCormick Place West, Chicago, Illinois, United States of America, November 7, 2023)
- Title: 10 Years of Keycloak - What's Next for Cloud-Native Authentication and OIDC?
- URL: https://kccncna2023.sched.com/event/1R2mH/10-years-of-keycloak-whats-next-for-cloud-native-authentication-and-oidc-alexander-schwartz-red-hat-takashi-norimatsu-hitachi-ltd
please see keyconf 23.
- Title: Securing APIs in Open Banking - Financial-grade API security profile implementation to open-source software
- URL: https://speakerdeck.com/apidays/apidays-paris-2022-securing-apis-in-open-banking-takashi-norimatsu-hitachi
- Title: Consideration on how to apply multiple FAPI and its related security profiles dynamically
- URL: https://www.youtube.com/watch?app=desktop&v=_ei7e8aOfkY
- Journal: IEICE Transactions on Information and Systems, Volume E106.D-9, pp.1364-1379, Institute of Electronics, Information and Communications Engineers (IEICE), Septempber 1, 2023.
- DOI: https://doi.org/10.1587/transinf.2022icp0004
- URL: https://www.jstage.jst.go.jp/article/transinf/E106.D/9/E106.D_2022ICP0004/_pdf
- Proceedings: Lecture Notes in Informatics (LNI) Proceedings of Open Identity Summit 2022, P-325, pp.87-98, DTU Compute, Lyngby, Denmark, July 7-8, 2022.
- DOI: https://doi.org/10.18420/OID2022_07
- DBLP: https://dblp.uni-trier.de/rec/conf/openidentity/NorimatsuNY22
- URL: https://dblp.uni-trier.de/rec/conf/openidentity/2022
- URL: https://dblp.uni-trier.de/db/conf/openidentity/openidentity2022.html#NorimatsuNY22
Not only OAuth SIG member but others can communicate with each other by the following ways.
- Slack : Cloud Native Computing Foundation (CNCF) slack's channel #keycloak-oauth-sig
- Mail : Google Group keycloak developer mailing list
- Chat : Zulip Chat stream (#dev-sig-fapi)
- Meeting : Web meeting on a regular basis
Please see conformance-tests-env.