diff --git a/docs/design/fapi2-compliance.md b/docs/design/fapi2-compliance.md index 5b4fb6944..85ec4575b 100644 --- a/docs/design/fapi2-compliance.md +++ b/docs/design/fapi2-compliance.md 
@@ -104,6 +104,53 @@ Refer to the [README](https://github.com/mosip/esignet-mock-services/tree/master - Returns standardized error codes and descriptions. - Does not leak sensitive information in error responses. +# FAPI 2.0 Configuration Details + +To enable FAPI 2.0 Security Profile compliance, the following configurations must be set in `application-default.properties`: + +## Server Profile + +Set the server profile to `fapi2.0` to enable FAPI 2.0 specific validations: + +```properties +mosip.esignet.server.profile=fapi2.0 +``` + +## Authorization Code Expiry + +FAPI 2.0 requires that authorization codes expire within 60 seconds. The default configuration is: + +```properties +# Cache expire in seconds for authcodegenerated +'authcodegenerated': 60 +``` + +This is configured in `mosip.esignet.cache.expire-in-seconds` property map. + +## Client Authentication Signing Algorithms + +The property **mosip.esignet.supported.client.auth.signing.algorithms** in `application-default.properties` controls the JWS algorithms accepted at the token endpoint for `private_key_jwt` client authentication. + +- **Default value:** `{'RS256','PS256','ES256'}` — supports non-FAPI deployments for backward compatibility. +- **FAPI 2.0 compliance:** FAPI 2.0 Security Profile only supports **PS256** and **ES256**. **RS256 is NOT supported in FAPI 2.0.** When `mosip.esignet.server.profile=fapi2.0` is enabled, configure this property to **only** `{'PS256','ES256'}` + +Example (FAPI 2.0): + +```properties +## Type of the client authentication algorithms for the token endpoint +## Note: For FAPI 2.0 Security Profile compliance, use only PS256 and ES256. RS256 is not supported in FAPI 2.0. 
+mosip.esignet.server.profile=fapi2.0 +mosip.esignet.supported.client.auth.signing.algorithms={'PS256','ES256'} +``` + +## Summary of FAPI 2.0 Required Configurations + +| Configuration | FAPI 2.0 Requirement | Property | +|---------------|---------------------|----------| +| Server Profile | `fapi2.0` | `mosip.esignet.server.profile` | +| Auth Code Expiry | ≤ 60 seconds | `mosip.esignet.cache.expire-in-seconds` (authcodegenerated) | +| Signing Algorithms | PS256, ES256 only (no RS256) | `mosip.esignet.supported.client.auth.signing.algorithms` | + ## Future Improvements - Global flags to enable/disable PAR and DPoP features across all clients. diff --git a/esignet-service/src/main/resources/application-default.properties b/esignet-service/src/main/resources/application-default.properties index 064b6a546..aaf585815 100644 --- a/esignet-service/src/main/resources/application-default.properties +++ b/esignet-service/src/main/resources/application-default.properties @@ -170,7 +170,10 @@ mosip.esignet.supported.client.assertion.types={'urn:ietf:params:oauth:client-as ## Type of the client authentication methods for token endpoint mosip.esignet.supported.client.auth.methods={'private_key_jwt'} -## Type of the client authentication algorithms for the token endpoint +## Type of the client authentication algorithms for the token endpoint. +## Note: The default list below supports non-FAPI deployments. +## For FAPI 2.0 Security Profile compliance (when mosip.esignet.server.profile=fapi2.0), +## configure only {'PS256','ES256'}. RS256 is NOT supported in FAPI 2.0. mosip.esignet.supported.client.auth.signing.algorithms={'RS256','PS256','ES256'} ## Only S256 method supported 
@@ -222,7 +225,7 @@ mosip.esignet.cache.size={'clientdetails' : 200, \ mosip.esignet.cache.expire-in-seconds={'clientdetails' : 86400, \ 'preauth': ${mosip.esignet.preauthentication-expire-in-secs},\ 'authenticated': ${mosip.esignet.authentication-expire-in-secs}, \ -'authcodegenerated': 300, \ +'authcodegenerated': 60, \ 'userinfo': ${mosip.esignet.access-token-expire-seconds}, \ 'linkcodegenerated' : ${mosip.esignet.link-code-expire-in-secs}, \ 'linked': 300, \
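Review bot: in the docs hunk (`docs/design/fapi2-compliance.md`), the new section is introduced with a top-level `# FAPI 2.0 Configuration Details` heading while the surrounding sections in the same file (`## Future Improvements`) use `##`; please use `##` and `###` so the section nests under the existing document outline. Two content points in the same hunk: the statement "FAPI 2.0 requires that authorization codes expire within 60 seconds" should cite the profile section it is taken from, since the table restates it as a hard requirement ("≤ 60 seconds") and readers will configure deployments against it; and the bullet ending in `configure this property to **only** \`{'PS256','ES256'}\`` is missing its terminal period. The example properties block also repeats the `## Type of the client authentication algorithms ...` and `## Note:` comment lines that the properties hunk adds verbatim; keeping only the two property lines in the docs example avoids two copies of the same comment drifting apart.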
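Review bot: in the `application-default.properties` hunk at `@@ -170,7 +170,10 @@`, the new comment says RS256 is not supported under FAPI 2.0, but enforcement is left entirely to the operator: `mosip.esignet.supported.client.auth.signing.algorithms` keeps `{'RS256','PS256','ES256'}` and nothing in this change ties the list to `mosip.esignet.server.profile=fapi2.0`. A deployment that sets the profile to `fapi2.0` without also editing this line will pass the profile-specific validations the docs describe while still accepting RS256 client assertions at the token endpoint. Suggest either a startup check that rejects (or at least logs a warning for) RS256 in the list when the profile is `fapi2.0`, or having the `fapi2.0` profile filter the accepted algorithms in code, with the comment then pointing at that behaviour rather than at a manual step.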
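Review bot: in the `@@ -222,7 +225,7 @@` hunk, lowering `'authcodegenerated'` from `300` to `60` changes the default for every deployment, not only those running with `mosip.esignet.server.profile=fapi2.0`; this is inconsistent with the approach taken for the signing algorithms in the same patch, where the permissive default was kept for non-FAPI deployments and the stricter value is documented as a FAPI-only override. Either make the shorter lifetime profile-dependent in the same way, or call the reduced default out explicitly as a behaviour change for existing installations (the neighbouring `'linked': 300` entry is unchanged, so the difference will be noticed). It would also help to state in the description how the 60-second lifetime was confirmed against the slowest supported authorization flow, since a code that expires before the client's token request reaches the server turns into a hard failure for end users.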