OAuth SIG (OAuth : Special Interest Group)

Ex FAPI-SIG (Financial-grade API Security : Special Interest Group)

Overview

FAPI-SIG is a group whose activity is mainly supporting Financial-grade API (FAPI) and its related specifications to keycloak.

FAPI-SIG is open to everybody so that anyone can join it anytime. Nothing special need not to be done to join it. Who want to join it can only access to the communication channels shown below. All of its activities and outputs are public so that anyone can access them.

FAPI-SIG mainly treats FAPI and its related specifications but not limited to. E.g., Ecosystems employing FAPI for their API Security like UK OpenBanking, Open Banking Brasil and Australia Consumer Data Right (CDR).

Since June 2023, FAPI-SIG is evolved into OAuth SIG. OAuth SIG will mainly treats OAuth/OIDC and its related security features like FAPI 2.0 to Keycloak.

Scope

Supporting OAuth/OIDC and its related security features to Keycloak.

Roles

Tech Lead : Takashi Norimatsu

Members

Please refer to the list.

Goals

Currently, proposed goals are as follows.

OAuth and OIDC related security features

Nation/Region/Market Specific Features

EU : PSD2/eIDAS - QWAC Verification Extension

Open Works

Currently, proposed open works are as follows.

Integrating FAPI conformance tests run into keycloak’s CI/CD pipeline
Implement security profiles for Apps run on mobile devices
- RFC 8252 OAuth 2.0 for Native Apps
- OAuth 2.0 for Browser-Based Apps
FAPI-RW App2App

Contributions

FAPI related accomplishments by FAPI-SIG and OAuth SIG, other contributors and keycloak development team is as follows.

Common Security Features

keycloak 14

Client Policies

keycloak 24

Nation/Region/Market Specific Features

keycloak 15

Brazil : Open Banking Brasil Financial-grade API Security Profile

mainly by keycloak development team.

Standards

keycloak 13

Client Initiated Backchannel Authentication (CIBA) poll mode

keycloak 14

keycloak 15

Client Initiated Backchannel Authentication (CIBA) ping mode

mainly by keycloak development team.
FAPI JWT Secured Authorization Response Mode for OAuth 2.0 (JARM)

mainly by the contributor outside FAPI-SIG.
FAPI Client Initiated Backchannel Authentication Profile (FAPI-CIBA)
RFC 9126 OAuth 2.0 Pushed Authorization Requests (PAR)

keycloak 18

OpenID Connect Logout 1.0 for Logout Profiles

mainly by keycloak development team and the contributor outside FAPI-SIG.

keycloak 20

UK OpenBanking Security Profile

keycloak 23

keycloak 24

In progress

OpenID for Verifiable Credentials

Format

Issurance Protocol

OpenID for Verifiable Credential Issuance

Other OpenID Connect Extension

OpenID Connect for Identity Assurance 1.0

Automated Conformance Test Run Environment by this kc-fapi-sig repository

The current environment uses the following software version.

Keycloak version : 26.0.5
Conformance-suite version : release-v5.1.22

FAPI 1.0 Advanced (Final)

Client Authentication Method : MTLS, private_key_jwt
Signature Algorithm : PS256, ES256
Request Object Method : plain, PAR
Response Mode : plain, JARM

Keycloak 15.0.2 have achieved certification for all 8 conformance profiles of FAPI 1 Advanced Final (Generic).

FAPI-CIBA (Implementer’s Draft)

Client Authentication Method : MTLS, private_key_jwt
Signature Algorithm : PS256, ES256
Mode : Poll, Ping

Keycloak 15.0.2 have achieved certification for all 4 conformance profiles of Financial-grade API Client Initiated Backchannel Authentication Profile (FAPI-CIBA).

Open Banking Brasil FAPI 1.0

Client Authentication Method : MTLS, private_key_jwt
Signature Algorithm : PS256
Request Object Method : plain, PAR
Response Mode : plain, JARM

Keycloak 15.0.2 have achieved certification for 8 conformance profiles of Brazil Open Banking (Based on FAPI 1 Advanced Final) except for DCR (Dynamic Client Registration).

Open Finance Brasil FAPI 1.0 (Open Banking Brasil FAPI 1.0 was evolved)

Client Authentication Method : private_key_jwt
Signature Algorithm : PS256
Request Object Method : PAR
Response Mode : plain
ID token encryption : required

Australia Consumer Data Right (CDR)

Client Authentication Method : private_key_jwt
Signature Algorithm : PS256
Request Object Method : plain, PAR
Response Mode : plain

Keycloak 15.0.2 have achieved certification for all 2 conformance profiles of Australia CDR (Based on FAPI 1 Advanced Final).

UK Open Banking

Client Authentication Method : MTLS, private_key_jwt
Signature Algorithm : PS256
Request Object Method : plain, PAR
Response Mode : plain

OpenID Connect: OpenID Providers

Basic OP
Implicit OP
Hybrid OP
Config OP
Dynamic OP
Form Post OP
3rd Party-Init OP

Keycloak 18.0.0 have re-achieved certification for 6 conformance profiles of Certified OpenID Providers except for 3rd Party-Init OP.

OpenID Connect: OpenID Providers for Logout Profile

Front-Channel OP
Back-Channel OP
Session OP
RP-Initiated OP

Keycloak 18.0.0 have achieved certification for all 4 conformance profiles of Certified OpenID Providers for Logout Profiles.

Note: Session OP and Front-Channel OP of OpenID Provider for Logout Profile conformance tests cannot be automated. These can be passed manually.

FAPI 2.0 Security Profile Second Implementer’s Draft

FAPI2SP MTLS + MTLS
- Client Authentication Method : mtls
- Sender Constrain : mtls
- OpenID : plain_oauth
- FAPI Profile : plain
FAPI2SP private key + MTLS
- Client Authentication Method : private_key_jwt
- Sender Constrain : mtls
- OpenID : plain_oauth
- FAPI Profile : plain
FAPI2SP OpenID Connect
- Client Authentication Method : mtls
- Sender Constrain : mtls
- OpenID : openid
- FAPI Profile : plain

FAPI 2.0 Message Signing First Implementer’s Draft

FAPI2MS JAR
- Client Authentication Method : mtls
- Sender Constrain : mtls
- OpenID : plain_oauth
- FAPI Profile : plain
- FAPI Request Method : signed_non_repudiation
- FAPI Response Mode : plain_response
FAPI2MS JARM
- Client Authentication Method : mtls
- Sender Constrain : mtls
- OpenID : plain_oauth
- FAPI Profile : plain
- FAPI Request Method : signed_non_repudiation
- FAPI Response Mode : jarm

Passed Conformance Tests per Keycloak version

To ensure that every keycloak version can pass conformance tests, we check if a new Keycloak version pass conformance tests that the older Keycloak version could pass whenever the new Keycloak version is released.

We tagged the environment for every keycloak verion:	Tag	Keycloak version
kc-15.0.2	15.0.2	release-v4.1.38
kc-17.0.0	17.0.0	release-v4.1.41
kc-17.0.1	17.0.1	release-v4.1.41
kc-18.0.0	18.0.0	release-v4.1.42
kc-18.0.2	18.0.2	release-v4.1.42
kc-19.0.1	19.0.1	release-v4.1.45
kc-19.0.2	19.0.2	release-v5.0.3
kc-20.0.0	20.0.0	release-v5.0.6
kc-20.0.1	20.0.1	release-v5.0.6
kc-20.0.2	20.0.2	release-v5.0.7
kc-20.0.3	20.0.3	release-v5.0.12
kc-20.0.5	20.0.5	release-v5.0.14
kc-21.0.0	21.0.0	release-v5.1.0
kc-21.0.1	21.0.1	release-v5.1.0
kc-21.0.2	21.0.2	release-v5.1.2
kc-21.1.0	21.1.0	release-v5.1.2
kc-21.1.1	21.1.1	release-v5.1.2
kc-21.1.2	21.1.2	release-v5.1.5
kc-22.0.0	22.0.0	release-v5.1.5
kc-22.0.1	22.0.1	release-v5.1.5
kc-22.0.2	22.0.2	release-v5.1.5
kc-22.0.3	22.0.3	release-v5.1.7
kc-22.0.4	22.0.4	release-v5.1.8
kc-22.0.5	22.0.5	release-v5.1.9
kc-23.0.0	23.0.0	release-v5.1.15
kc-23.0.1	23.0.1	release-v5.1.15
kc-23.0.2	23.0.2	release-v5.1.15
kc-23.0.3	23.0.3	release-v5.1.15
kc-23.0.4	23.0.4	release-v5.1.15
kc-23.0.5	23.0.5	release-v5.1.15
kc-23.0.6	23.0.6	release-v5.1.15
kc-23.0.7	23.0.7	release-v5.1.15
kc-24.0.0	24.0.0	release-v5.1.15
kc-24.0.1	24.0.1	release-v5.1.15
kc-24.0.2	24.0.2	release-v5.1.16
kc-24.0.3	24.0.3	release-v5.1.16
kc-24.0.4	24.0.4	release-v5.1.16
kc-24.0.5	24.0.5	release-v5.1.16
kc-25.0.0	25.0.0	release-v5.1.17
kc-25.0.1	25.0.1	release-v5.1.17
kc-25.0.2	25.0.2	release-v5.1.17
kc-25.0.4	25.0.4	release-v5.1.21
kc-25.0.5	25.0.5	release-v5.1.22
kc-25.0.6	25.0.6	release-v5.1.22
kc-26.0.0	26.0.0	release-v5.1.22
kc-26.0.1	26.0.1	release-v5.1.22
kc-26.0.2	26.0.2	release-v5.1.22
kc-26.0.4	26.0.4	release-v5.1.22
kc-26.0.5	26.0.5	release-v5.1.22

Keycloak version	FAPI 1.0 Advanced	FAPI-CIBA	Open Banking Brasil FAPI 1.0 (1,2)	Open Finance Brasil FAPI 1.0 (*3)	Australia Consumer Data Right (CDR)	UK Open Banking	OpenID Connect OP (*4)	OpenID Connect OP for Logout Profile	FAPI 2.0 Security Profile Implementer’s Draft	FAPI 2.0 Message Signing Implementer’s Draft
15.0.2	x	x	x	-	x	-	-	-	-	-
17.0.0	x	x	x	-	x	-	-	-	-	-
17.0.0-legacy	x	x	x	-	x	-	-	-	-	-
17.0.1	x	x	x	-	x	-	-	-	-	-
17.0.1-legacy	x	x	x	-	x	-	-	-	-	-
18.0.0	x	x	x	-	x	-	x	x	-	-
18.0.0-legacy	x	x	x	-	x	-	x	x	-	-
18.0.2	x	x	x	-	x	-	x	x	-	-
18.0.2-legacy	x	x	x	-	x	-	x	x	-	-
19.0.1	x	x	x	-	x	-	x	x	-	-
19.0.1-legacy	x	x	x	-	x	-	x	x	-	-
19.0.2	x	x	x	-	x	-	x	x	-	-
19.0.2-legacy	x	x	x	-	x	-	x	x	-	-
20.0.0	x	x	x	-	x	x	x	x	-	-
20.0.1	x	x	x	-	x	x	x	x	-	-
20.0.2	x	x	x	-	x	x	x	x	-	-
20.0.3	x	x	x	-	x	x	x	x	-	-
20.0.5	x	x	x	-	x	x	x	x	-	-
21.0.0	x	x	x	-	x	x	x	x	-	-
21.0.1	x	x	x	-	x	x	x	x	-	-
21.0.2	x	x	x	-	x	x	x	x	-	-
21.1.0	x	x	x	-	x	x	x	x	-	-
21.1.1	x	x	x	-	x	x	x	x	-	-
21.1.2	x	x	x	-	x	x	x	x	-	-
22.0.0	x	x	x	-	x	x	x	x	-	-
22.0.1	x	x	x	-	x	x	x	x	-	-
22.0.2	x	x	x	-	x	x	x	x	-	-
22.0.3	x	x	x	-	x	x	x	x	-	-
22.0.4	x	x	x	-	x	x	x	x	-	-
22.0.5	x	x	x	-	x	x	x	x	-	-
23.0.0	x	x	-(*5)	-(*5)	x	x	x	x	x	x
23.0.1	x	x	x	x	x	x	x	x	x	x
23.0.2	x	x	x	x	x	x	x	x	x	x
23.0.3	x	x	x	x	x	x	x	x	x	x
23.0.4	x	x	x	x	x	x	x	x	x	x
23.0.5	x	x	x	x	x	x	x	x	x	x
23.0.6	x	x	x	x	x	x	x	x	x	x
23.0.7	x	x	x	x	x	x	x	x	x	x
24.0.0	x	x	x	x	x	x	x	x	x	x
24.0.1	x	x	x	x	x	x	x	x	x	x
24.0.2	x	x	x	x	x	x	x	x	x	x
24.0.3	x	x	x	x	x	x	x	x	x	x
24.0.4	x	x	x	x	x	x	x	x	x	x
24.0.5	x	x	x	x	x	x	x	x	x	x
25.0.0	x	x	x	x	x	x	x	x	x	x
25.0.1	x	x	x	x	x	x	x	x	x	x
25.0.2	x	x	x	x	x	x	x	x	x	x
25.0.4	x	x	x	x	x	x	x	x	x	x
25.0.5	x	x	x	x	x	x	x	x	x	x
25.0.6	x	x	x	x	x	x	x	x	x	x
26.0.0	x	x	x	x	x	x	x	x	x	x
26.0.1	x	x	x	x	x	x	x	x	x	x
26.0.2	x	x	x	x	x	x	x	x	x	x
26.0.4	x	x	x	x	x	x	x	x	x	x
26.0.5	x	x	x	x	x	x	x	x	x	x

Note: Keycloak legacy (wildfly) is no longer supported since keycloak 20.

*1 : Up to Implementer's Draft version 2, Open Banking Brazil Security Profile. From Implementer's Draft version 3, Open Finance Brazil Security Profile. Its conformance test is no longer supported since conformance suite version 5.1.11. Therefore, its conformance test is conducted by the conformance suite version 5.1.10.

*2 : Its conformance test is supported by conformance suite version 5.1.11.

*3 : Except for Dynamic Client Registration (DCR) conformance profile.

*4 : Except for 3rd Party-Init OP conformance profile.

*5 : ISSUE-25022

Other Contributions

Conferences

Keyconf 24 (ARCOTEL Kaiserwasser Wien, Vienna, Austria, September 19, 2024)

Please see keyconf 24.

OAuth Security Workshop 2024 (Auditorium Antonianum, Rome, Italy, April 11, 2024)

Title: Supporting OAuth 2.0 Based Security Profiles to Open-source Software - from Implementation to Operation
URL: https://oauth.secworkshop.events/osw2024/agenda-thursday-osw-2024

KubeCon + CloudNativeCon Europe 2024 (Paris Expo Porte de Versailles, Paris, France, March 22, 2024)

Title: The Leading Edge of AuthN and AuthZ by Keycloak
URL: https://kccnceu2024.sched.com/event/1YhiQ/the-leading-edge-of-authn-and-authz-by-keycloak-takashi-norimatsu-hitachi-thomas-darimont-codecentric-ag

OpenID Summit Tokyo 2024 (Shibuya Stream Hall, Tokyo, Japan, January 19, 2024)

Title: Implementing OAuth 2.0-based Security Profiles on Open-source Software
URL: https://www.openid.or.jp/summit/2024/en/

KubeCon + CloudNativeCon North America 2023 (McCormick Place West, Chicago, Illinois, United States of America, November 7, 2023)

Title: 10 Years of Keycloak - What's Next for Cloud-Native Authentication and OIDC?
URL: https://kccncna2023.sched.com/event/1R2mH/10-years-of-keycloak-whats-next-for-cloud-native-authentication-and-oidc-alexander-schwartz-red-hat-takashi-norimatsu-hitachi-ltd

Keyconf 23 (Level39, London, United Kingdom, June 16, 2023)

please see keyconf 23.

Apidays Paris 2022 (Cité des sciences et de l'industrie, Paris, France, December 6, 2022)

Title: Securing APIs in Open Banking - Financial-grade API security profile implementation to open-source software
URL: https://speakerdeck.com/apidays/apidays-paris-2022-securing-apis-in-open-banking-takashi-norimatsu-hitachi

OAuth Security Workshop 2021 (Virtual Event, December 1, 2021)

Title: Consideration on how to apply multiple FAPI and its related security profiles dynamically
URL: https://www.youtube.com/watch?app=desktop&v=_ei7e8aOfkY

Referred academic paper

Policy-Based Method for Applying OAuth 2.0-Based Security Profiles

Journal: IEICE Transactions on Information and Systems, Volume E106.D-9, pp.1364-1379, Institute of Electronics, Information and Communications Engineers (IEICE), Septempber 1, 2023.
DOI: https://doi.org/10.1587/transinf.2022icp0004
URL: https://www.jstage.jst.go.jp/article/transinf/E106.D/9/E106.D_2022ICP0004/_pdf

Oral presentation of refereed international conference paper

Flexible Method for Supporting OAuth 2.0 Based Security Profiles in Keycloak

Proceedings: Lecture Notes in Informatics (LNI) Proceedings of Open Identity Summit 2022, P-325, pp.87-98, DTU Compute, Lyngby, Denmark, July 7-8, 2022.
DOI: https://doi.org/10.18420/OID2022_07
DBLP: https://dblp.uni-trier.de/rec/conf/openidentity/NorimatsuNY22
URL: https://dblp.uni-trier.de/rec/conf/openidentity/2022
URL: https://dblp.uni-trier.de/db/conf/openidentity/openidentity2022.html#NorimatsuNY22

Communication Channels

Not only OAuth SIG member but others can communicate with each other by the following ways.

Slack : Cloud Native Computing Foundation (CNCF) slack's channel #keycloak-oauth-sig
Mail : Google Group keycloak developer mailing list
Chat : Zulip Chat stream (#dev-sig-fapi)
Meeting : Web meeting on a regular basis

Automated Conformance Test Run Environment

Please see conformance-tests-env.

License

Apache License, Version 2.0

keycloak / kc-sig-fapi

readme

OAuth SIG (OAuth : Special Interest Group)

Overview

Scope

Roles

Members

Goals

OAuth and OIDC related security features

Nation/Region/Market Specific Features

Open Works

Contributions

Common Security Features

keycloak 14

keycloak 24

Nation/Region/Market Specific Features

keycloak 15

Standards​

keycloak 13

keycloak 14

keycloak 15

keycloak 18

keycloak 20

keycloak 23

keycloak 24

In progress

OpenID for Verifiable Credentials

Format

Issurance Protocol

Other OpenID Connect Extension

Automated Conformance Test Run Environment by this kc-fapi-sig repository

FAPI 1.0 Advanced (Final)​

FAPI-CIBA (Implementer’s Draft)​

Open Banking Brasil FAPI 1.0

Open Finance Brasil FAPI 1.0 (Open Banking Brasil FAPI 1.0 was evolved)

Australia Consumer Data Right (CDR)

UK Open Banking

OpenID Connect: OpenID Providers

OpenID Connect: OpenID Providers for Logout Profile

FAPI 2.0 Security Profile Second Implementer’s Draft

FAPI 2.0 Message Signing First Implementer’s Draft

Passed Conformance Tests per Keycloak version

Other Contributions

Conferences

Keyconf 24 (ARCOTEL Kaiserwasser Wien, Vienna, Austria, September 19, 2024)

OAuth Security Workshop 2024 (Auditorium Antonianum, Rome, Italy, April 11, 2024)

KubeCon + CloudNativeCon Europe 2024 (Paris Expo Porte de Versailles, Paris, France, March 22, 2024)

OpenID Summit Tokyo 2024 (Shibuya Stream Hall, Tokyo, Japan, January 19, 2024)

KubeCon + CloudNativeCon North America 2023 (McCormick Place West, Chicago, Illinois, United States of America, November 7, 2023)

Keyconf 23 (Level39, London, United Kingdom, June 16, 2023)

Apidays Paris 2022 (Cité des sciences et de l'industrie, Paris, France, December 6, 2022)

OAuth Security Workshop 2021 (Virtual Event, December 1, 2021)

Referred academic paper

Policy-Based Method for Applying OAuth 2.0-Based Security Profiles

Oral presentation of refereed international conference paper

Flexible Method for Supporting OAuth 2.0 Based Security Profiles in Keycloak

Communication Channels

Automated Conformance Test Run Environment

License

Standards

FAPI 1.0 Advanced (Final)

FAPI-CIBA (Implementer’s Draft)