Skip to content

keycloak/kc-sig-fapi

OAuth SIG (OAuth : Special Interest Group)

Ex FAPI-SIG (Financial-grade API Security : Special Interest Group)

Overview

FAPI-SIG is a group whose activity is mainly supporting Financial-grade API (FAPI) and its related specifications to keycloak.

FAPI-SIG is open to everybody so that anyone can join it anytime. Nothing special need not to be done to join it. Who want to join it can only access to the communication channels shown below. All of its activities and outputs are public so that anyone can access them.

FAPI-SIG mainly treats FAPI and its related specifications but not limited to. E.g., Ecosystems employing FAPI for their API Security like UK OpenBanking, Open Banking Brasil and Australia Consumer Data Right (CDR).

Since June 2023, FAPI-SIG is evolved into OAuth SIG. OAuth SIG will mainly treats OAuth/OIDC and its related security features like FAPI 2.0 to Keycloak.

Scope

Supporting OAuth/OIDC and its related security features to Keycloak.

Roles

Tech Lead : Takashi Norimatsu

Members

Please refer to the list.

Goals

Currently, proposed goals are as follows.

OAuth and OIDC related security features

Nation/Region/Market Specific Features

  • EU : PSD2/eIDAS - QWAC Verification Extension

Open Works

Currently, proposed open works are as follows.

Contributions

FAPI related accomplishments by FAPI-SIG and OAuth SIG, other contributors and keycloak development team is as follows.​

Common Security Features

keycloak 14

keycloak 24

Nation/Region/Market Specific Features

keycloak 15

Standards​

keycloak 13

keycloak 14

keycloak 15

keycloak 18

keycloak 20

  • UK OpenBanking​ Security Profile

keycloak 23

keycloak 24

keycloak 25

In progress

OpenID for Verifiable Credentials
Format
Issurance Protocol
Other OpenID Connect Extension

Automated Conformance Test Run Environment by this kc-fapi-sig repository

The current environment uses the following software version.

  • Keycloak 26.0.7
  • Conformance-suite version : release-v5.1.26

FAPI 1.0 Advanced (Final)​

  • Client Authentication Method : MTLS, private_key_jwt​
  • Signature Algorithm : PS256, ES256​
  • Request Object Method : plain, PAR​
  • Response Mode : plain, JARM​

Keycloak 15.0.2 have achieved certification for all 8 conformance profiles of FAPI 1 Advanced Final (Generic).

FAPI-CIBA (Implementer’s Draft)​

  • Client Authentication Method : MTLS, private_key_jwt​
  • Signature Algorithm : PS256, ES256​
  • Mode : Poll, Ping

Keycloak 15.0.2 have achieved certification for all 4 conformance profiles of Financial-grade API Client Initiated Backchannel Authentication Profile (FAPI-CIBA).

Open Banking Brasil FAPI 1.0

  • Client Authentication Method : MTLS, private_key_jwt​
  • Signature Algorithm : PS256
  • Request Object Method : plain, PAR​
  • Response Mode : plain, JARM​

Keycloak 15.0.2 have achieved certification for 8 conformance profiles of Brazil Open Banking (Based on FAPI 1 Advanced Final) except for DCR (Dynamic Client Registration).

Open Finance Brasil FAPI 1.0 (Open Banking Brasil FAPI 1.0 was evolved)

  • Client Authentication Method : private_key_jwt​
  • Signature Algorithm : PS256
  • Request Object Method : PAR​
  • Response Mode : plain
  • ID token encryption : required

Australia Consumer Data Right (CDR)

  • Client Authentication Method : private_key_jwt​
  • Signature Algorithm : PS256
  • Request Object Method : plain, PAR​
  • Response Mode : plain

Keycloak 15.0.2 have achieved certification for all 2 conformance profiles of Australia CDR (Based on FAPI 1 Advanced Final).

UK Open Banking

  • Client Authentication Method : MTLS, private_key_jwt​
  • Signature Algorithm : PS256
  • Request Object Method : plain, PAR​
  • Response Mode : plain

OpenID Connect: OpenID Providers

  • Basic OP
  • Implicit OP
  • Hybrid OP
  • Config OP
  • Dynamic OP
  • Form Post OP
  • 3rd Party-Init OP

Keycloak 18.0.0 have re-achieved certification for 6 conformance profiles of Certified OpenID Providers except for 3rd Party-Init OP.

OpenID Connect: OpenID Providers for Logout Profile

  • Front-Channel OP
  • Back-Channel OP
  • Session OP
  • RP-Initiated OP

Keycloak 18.0.0 have achieved certification for all 4 conformance profiles of Certified OpenID Providers for Logout Profiles.

Note: Session OP and Front-Channel OP of OpenID Provider for Logout Profile conformance tests cannot be automated. These can be passed manually.

FAPI 2.0 Security Profile Second Implementer’s Draft

  • FAPI2SP MTLS + MTLS
    • Client Authentication Method : mtls
    • Sender Constrain : mtls
    • OpenID : plain_oauth
    • FAPI Profile : plain​
  • FAPI2SP private key + MTLS
    • Client Authentication Method : private_key_jwt
    • Sender Constrain : mtls
    • OpenID : plain_oauth
    • FAPI Profile : plain​
  • FAPI2SP OpenID Connect
    • Client Authentication Method : mtls
    • Sender Constrain : mtls
    • OpenID : openid
    • FAPI Profile : plain​

FAPI 2.0 Message Signing First Implementer’s Draft

  • FAPI2MS JAR
    • Client Authentication Method : mtls
    • Sender Constrain : mtls
    • OpenID : plain_oauth
    • FAPI Profile : plain​
    • FAPI Request Method : signed_non_repudiation
    • FAPI Response Mode : plain_response
  • FAPI2MS JARM
    • Client Authentication Method : mtls
    • Sender Constrain : mtls
    • OpenID : plain_oauth
    • FAPI Profile : plain​
    • FAPI Request Method : signed_non_repudiation
    • FAPI Response Mode : jarm

Passed Conformance Tests per Keycloak version

To ensure that every keycloak version can pass conformance tests, we check if a new Keycloak version pass conformance tests that the older Keycloak version could pass whenever the new Keycloak version is released.

We tagged the environment for every keycloak verion:

Tag Keycloak version Conformance-suite version
kc-15.0.2 15.0.2 release-v4.1.38
kc-17.0.0 17.0.0 release-v4.1.41
kc-17.0.1 17.0.1 release-v4.1.41
kc-18.0.0 18.0.0 release-v4.1.42
kc-18.0.2 18.0.2 release-v4.1.42
kc-19.0.1 19.0.1 release-v4.1.45
kc-19.0.2 19.0.2 release-v5.0.3
kc-20.0.0 20.0.0 release-v5.0.6
kc-20.0.1 20.0.1 release-v5.0.6
kc-20.0.2 20.0.2 release-v5.0.7
kc-20.0.3 20.0.3 release-v5.0.12
kc-20.0.5 20.0.5 release-v5.0.14
kc-21.0.0 21.0.0 release-v5.1.0
kc-21.0.1 21.0.1 release-v5.1.0
kc-21.0.2 21.0.2 release-v5.1.2
kc-21.1.0 21.1.0 release-v5.1.2
kc-21.1.1 21.1.1 release-v5.1.2
kc-21.1.2 21.1.2 release-v5.1.5
kc-22.0.0 22.0.0 release-v5.1.5
kc-22.0.1 22.0.1 release-v5.1.5
kc-22.0.2 22.0.2 release-v5.1.5
kc-22.0.3 22.0.3 release-v5.1.7
kc-22.0.4 22.0.4 release-v5.1.8
kc-22.0.5 22.0.5 release-v5.1.9
kc-23.0.0 23.0.0 release-v5.1.15
kc-23.0.1 23.0.1 release-v5.1.15
kc-23.0.2 23.0.2 release-v5.1.15
kc-23.0.3 23.0.3 release-v5.1.15
kc-23.0.4 23.0.4 release-v5.1.15
kc-23.0.5 23.0.5 release-v5.1.15
kc-23.0.6 23.0.6 release-v5.1.15
kc-23.0.7 23.0.7 release-v5.1.15
kc-24.0.0 24.0.0 release-v5.1.15
kc-24.0.1 24.0.1 release-v5.1.15
kc-24.0.2 24.0.2 release-v5.1.16
kc-24.0.3 24.0.3 release-v5.1.16
kc-24.0.4 24.0.4 release-v5.1.16
kc-24.0.5 24.0.5 release-v5.1.16
kc-25.0.0 25.0.0 release-v5.1.17
kc-25.0.1 25.0.1 release-v5.1.17
kc-25.0.2 25.0.2 release-v5.1.17
kc-25.0.4 25.0.4 release-v5.1.21
kc-25.0.5 25.0.5 release-v5.1.22
kc-25.0.6 25.0.6 release-v5.1.22
kc-26.0.0 26.0.0 release-v5.1.22
kc-26.0.1 26.0.1 release-v5.1.22
kc-26.0.2 26.0.2 release-v5.1.22
kc-26.0.4 26.0.4 release-v5.1.22
kc-26.0.5 26.0.5 release-v5.1.22
kc-26.0.6 26.0.6 release-v5.1.25
kc-26.0.7 26.0.7 release-v5.1.26
Keycloak version FAPI 1.0 Advanced FAPI-CIBA Open Banking Brasil FAPI 1.0 (*1,*2) Open Finance Brasil FAPI 1.0 (*3) Australia Consumer Data Right (CDR) UK Open Banking OpenID Connect OP (*4) OpenID Connect OP for Logout Profile FAPI 2.0 Security Profile Implementer’s Draft (*6) FAPI 2.0 Message Signing Implementer’s Draft (*6)
15.0.2 x x x - x - - - - -
17.0.0 x x x - x - - - - -
17.0.0-legacy x x x - x - - - - -
17.0.1 x x x - x - - - - -
17.0.1-legacy x x x - x - - - - -
18.0.0 x x x - x - x x - -
18.0.0-legacy x x x - x - x x - -
18.0.2 x x x - x - x x - -
18.0.2-legacy x x x - x - x x - -
19.0.1 x x x - x - x x - -
19.0.1-legacy x x x - x - x x - -
19.0.2 x x x - x - x x - -
19.0.2-legacy x x x - x - x x - -
20.0.0 x x x - x x x x - -
20.0.1 x x x - x x x x - -
20.0.2 x x x - x x x x - -
20.0.3 x x x - x x x x - -
20.0.5 x x x - x x x x - -
21.0.0 x x x - x x x x - -
21.0.1 x x x - x x x x - -
21.0.2 x x x - x x x x - -
21.1.0 x x x - x x x x - -
21.1.1 x x x - x x x x - -
21.1.2 x x x - x x x x - -
22.0.0 x x x - x x x x - -
22.0.1 x x x - x x x x - -
22.0.2 x x x - x x x x - -
22.0.3 x x x - x x x x - -
22.0.4 x x x - x x x x - -
22.0.5 x x x - x x x x - -
23.0.0 x x -(*5) -(*5) x x x x x x
23.0.1 x x x x x x x x x x
23.0.2 x x x x x x x x x x
23.0.3 x x x x x x x x x x
23.0.4 x x x x x x x x x x
23.0.5 x x x x x x x x x x
23.0.6 x x x x x x x x x x
23.0.7 x x x x x x x x x x
24.0.0 x x x x x x x x x x
24.0.1 x x x x x x x x x x
24.0.2 x x x x x x x x x x
24.0.3 x x x x x x x x x x
24.0.4 x x x x x x x x x x
24.0.5 x x x x x x x x x x
25.0.0 x x x x x x x x x x
25.0.1 x x x x x x x x x x
25.0.2 x x x x x x x x x x
25.0.4 x x x x x x x x x x
25.0.5 x x x x x x x x x x
25.0.6 x x x x x x x x x x
26.0.0 x x x x x x x x x x
26.0.1 x x x x x x x x x x
26.0.2 x x x x x x x x x x
26.0.4 x x x x x x x x x x
26.0.5 x x x x x x x x x x
26.0.6 x x x x x x x x x x
26.0.7 x x x x x x x x x x

Note: Keycloak legacy (wildfly) is no longer supported since keycloak 20.

*1 : Up to Implementer's Draft version 2, Open Banking Brazil Security Profile. From Implementer's Draft version 3, Open Finance Brazil Security Profile. Its conformance test is no longer supported since conformance suite version 5.1.11. Therefore, its conformance test is conducted by the conformance suite version 5.1.10.

*2 : Its conformance test is supported by conformance suite version 5.1.11.

*3 : Except for Dynamic Client Registration (DCR) conformance profile.

*4 : Except for 3rd Party-Init OP conformance profile.

*5 : ISSUE-25022

*6 : Conformance suite version 5.1.22.

Other Contributions

Conferences

Keyconf 24 (ARCOTEL Kaiserwasser Wien, Vienna, Austria, September 19, 2024)

Please see keyconf 24.

OAuth Security Workshop 2024 (Auditorium Antonianum, Rome, Italy, April 11, 2024)

KubeCon + CloudNativeCon Europe 2024 (Paris Expo Porte de Versailles, Paris, France, March 22, 2024)

OpenID Summit Tokyo 2024 (Shibuya Stream Hall, Tokyo, Japan, January 19, 2024)

KubeCon + CloudNativeCon North America 2023 (McCormick Place West, Chicago, Illinois, United States of America, November 7, 2023)

Keyconf 23 (Level39, London, United Kingdom, June 16, 2023)

please see keyconf 23.

Apidays Paris 2022 (Cité des sciences et de l'industrie, Paris, France, December 6, 2022)

OAuth Security Workshop 2021 (Virtual Event, December 1, 2021)

Referred academic paper

Policy-Based Method for Applying OAuth 2.0-Based Security Profiles

Oral presentation of refereed international conference paper

Flexible Method for Supporting OAuth 2.0 Based Security Profiles in Keycloak

Communication Channels

Not only OAuth SIG member but others can communicate with each other by the following ways.

  • Slack : Cloud Native Computing Foundation (CNCF) slack's channel #keycloak-oauth-sig
  • Mail : Google Group keycloak developer mailing list
  • Chat : Zulip Chat stream (#dev-sig-fapi)
  • Meeting : Web meeting on a regular basis

Automated Conformance Test Run Environment

Please see conformance-tests-env.

License