CDR FAPI 1.0 Advanced Alignment

The OIDF Financial-grade API (FAPI) security profile specifies security requirements for high risk API resources protected by the OAuth 2.0 Authorization Framework. CDR is adoptiong the FAPI specification to ensure the data holders and data recipients exchange data in the most secure way with appropriate consumer consents.

At a highlevel in Phase 4m Data Holders may decide to retire Hybrid Flow from 10th of July 2023. Although there is no hard obligation on that date, ADRs should reregister and switch from Hybrid to Authorization Code flow without ID token encryption to complete FAPI 1.0 Advanced transition.

Client Registration

ADRs should reregister and switch to Authorization Code flow without ID token encryption.

When using Hybrid Flow, the ID token encryption was mandatory, however, it’s not required for Authorization Code Flow as the exchange happens using secure back channel.

During reregistration, the ADRs should use response_types: ["code"] and no longer provide id_token_encrypted_response_alg and id_token_encrypted_response_alg as that, if set, results in ID Token being encrypted.

Cloudentity Configuration Updates

Once all registered ADRs meet the new requirements, the Hybrid Flow can be disabled in Cloudentity authorization server OAuth settings.

This can be done in Settings -> OAuth by disabling all hybrid options under Allowed Response Types.