[ES-2841] Updated fapi2 design doc and reduced auth expiry time to 60s

docs/design/fapi2-compliance.md

@@ -104,6 +104,53 @@ Refer to the [README](https://github.com/mosip/esignet-mock-services/tree/master
 - Returns standardized error codes and descriptions.
 - Does not leak sensitive information in error responses.
 
+# FAPI 2.0 Configuration Details
+
+To enable FAPI 2.0 Security Profile compliance, the following configurations must be set in `application-default.properties`:
+
+## Server Profile
+
+Set the server profile to `fapi2.0` to enable FAPI 2.0 specific validations:
+
+```properties
+mosip.esignet.server.profile=fapi2.0
+```
+
+## Authorization Code Expiry
+
+FAPI 2.0 requires that authorization codes expire within 60 seconds. The default configuration is:
+
+```properties
+# Cache expire in seconds for authcodegenerated
+'authcodegenerated': 60
+```
+
+This is configured in `mosip.esignet.cache.expire-in-seconds` property map.
+
+## Client Authentication Signing Algorithms
+
+The property **mosip.esignet.supported.client.auth.signing.algorithms** in `application-default.properties` controls the JWS algorithms accepted at the token endpoint for `private_key_jwt` client authentication.
+
+- **Default value:** `{'RS256','PS256','ES256'}` — supports non-FAPI deployments for backward compatibility.
+- **FAPI 2.0 compliance:** FAPI 2.0 Security Profile only supports **PS256** and **ES256**. **RS256 is NOT supported in FAPI 2.0.** When `mosip.esignet.server.profile=fapi2.0` is enabled, configure this property to **only** `{'PS256','ES256'}`
+
+Example (FAPI 2.0):
+
+```properties
+## Type of the client authentication algorithms for the token endpoint
+## Note: For FAPI 2.0 Security Profile compliance, use only PS256 and ES256. RS256 is not supported in FAPI 2.0.
+mosip.esignet.server.profile=fapi2.0
+mosip.esignet.supported.client.auth.signing.algorithms={'PS256','ES256'}
+```
+
+## Summary of FAPI 2.0 Required Configurations
+
+| Configuration | FAPI 2.0 Requirement | Property |
+|---------------|---------------------|----------|
+| Server Profile | `fapi2.0` | `mosip.esignet.server.profile` |
+| Auth Code Expiry | ≤ 60 seconds | `mosip.esignet.cache.expire-in-seconds` (authcodegenerated) |
+| Signing Algorithms | PS256, ES256 only (no RS256) | `mosip.esignet.supported.client.auth.signing.algorithms` |
+
 ## Future Improvements
 
 - Global flags to enable/disable PAR and DPoP features across all clients.

esignet-service/src/main/resources/application-default.properties

@@ -170,7 +170,10 @@ mosip.esignet.supported.client.assertion.types={'urn:ietf:params:oauth:client-as
 ## Type of the client authentication methods for token endpoint
 mosip.esignet.supported.client.auth.methods={'private_key_jwt'}
 
-## Type of the client authentication algorithms for the token endpoint
+## Type of the client authentication algorithms for the token endpoint.
+## Note: The default list below supports non-FAPI deployments.
+## For FAPI 2.0 Security Profile compliance (when mosip.esignet.server.profile=fapi2.0),
+## configure only {'PS256','ES256'}. RS256 is NOT supported in FAPI 2.0.
 mosip.esignet.supported.client.auth.signing.algorithms={'RS256','PS256','ES256'}
 
 ## Only S256 method supported
@@ -222,7 +225,7 @@ mosip.esignet.cache.size={'clientdetails' : 200, \
 mosip.esignet.cache.expire-in-seconds={'clientdetails' : 86400, \
 'preauth': ${mosip.esignet.preauthentication-expire-in-secs},\
 'authenticated': ${mosip.esignet.authentication-expire-in-secs}, \
-'authcodegenerated': 300, \
+'authcodegenerated': 60, \
 'userinfo': ${mosip.esignet.access-token-expire-seconds}, \
 'linkcodegenerated' : ${mosip.esignet.link-code-expire-in-secs}, \
 'linked': 300, \