FDX Workspace
Cloudentity provides a simple way to configure an FDX-compliant, FAPI-certified OAuth authorization server with a couple of clicks. Adopting Cloudentity drastically accelerates the effort needed to achieve FDX compliance and shortens time to market. The Cloudentity solution offers a highly performant, multi-tenant, FAPI-compliant and certified authorization server built on open standards and compatible with the advanced OAuth 2.0 and OIDC specifications. Cloudentity also provides a rich set of APIs for consent collection and management, so that data providers can implement the safe and secure customer journeys recommended by FDX across their digital channels.
FDX Security Profile
FDX security profile conformance and Financial-grade API (FAPI) compliance can be enabled in the Cloudentity platform with a single click, using a security profile that meets the FDX specifications. You get a FAPI-grade authorization server configured to meet all FDX requirements for the recommended FAPI 1.0 Advanced level of compliance.
You can finish the configuration at a high level by connecting the integrating systems:
- Connect your existing identity source that handles end-user authentication to the FDX-compliant workspace.
- Skip the developer portal creation if you don't need the capability to expose a portal for developers to register applications. Dynamic Client Registration is enabled in the workspace in any case.
FDX Workspace Settings
In this section, you can learn about the advanced OAuth requirements that are configured for the FDX-compliant workspace to meet the FDX security profile requirements. Most of these configurations can be found under Auth Settings for the workspace. FDX recommends the FAPI 1.0 Advanced profile as the base profile.
Cloudentity FDX-compliant workspaces:
- Can enforce OAuth 2.0 Pushed Authorization Requests (PAR).
- Have only the OAuth grant types allowed by the FDX specifications enabled, plus the grants needed for other integrating applications to participate in the integration (consent app, dashboard, API gateway introspection, and more):
  - Authorization Code Flow, enabled by default, with the possibility to enforce PKCE.
  - Client Credentials Flow, which can be used, for example, by your consent application to authenticate with the Cloudentity platform and fetch consent details.
  - Refresh Token Flow, which issues refresh tokens that are exchanged for a new access token once the current access token becomes invalid.
- Have the client authentication methods allowed by FDX preconfigured for you.
- Client registration, including manual client registration and Dynamic Client Registration (DCR).
- Tokens configuration, including:
  - Token time-to-live (TTL), set to 10 minutes by default.
  - ID Token encryption.
  - Signing key rotation, with the possibility to set up an automatic rotation schedule.
- Pairwise identifiers for subjects (sub).
- Consent: the capability to add a custom consent page.
In addition to these settings, Cloudentity automatically enforces other restrictions & validation in the FDX Security Profile as specified by the FDX security profile requirements.
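As an added example (not part of the Cloudentity documentation or product), the following Python check reads an authorization server's discovery metadata and flags deviations from the workspace settings listed above. The metadata document is constructed for the example, and the set of acceptable client authentication methods (MTLS or private_key_jwt) is taken from FAPI 1.0 Advanced because this page does not list them.

```python
import json

# Constructed sample discovery document (RFC 8414 / OIDC Discovery fields);
# not captured from a real Cloudentity tenant.
SAMPLE_METADATA = json.dumps({
    "issuer": "https://as.example.test",
    "pushed_authorization_request_endpoint": "https://as.example.test/par",
    "require_pushed_authorization_requests": True,
    "code_challenge_methods_supported": ["S256"],
    "grant_types_supported": ["authorization_code", "client_credentials",
                              "refresh_token"],
    # client_secret_basic is deliberately present so the check reports it
    "token_endpoint_auth_methods_supported": ["private_key_jwt",
                                              "tls_client_auth",
                                              "client_secret_basic"],
    "subject_types_supported": ["pairwise"],
    "id_token_encryption_alg_values_supported": ["RSA-OAEP"],
})

# Grant types the page lists for an FDX workspace.
ALLOWED_GRANTS = {"authorization_code", "client_credentials", "refresh_token"}
# Confidential-client authentication accepted by FAPI 1.0 Advanced (assumption:
# the page says "methods allowed by FDX" without naming them).
STRONG_AUTH = {"private_key_jwt", "tls_client_auth", "self_signed_tls_client_auth"}


def check_fapi_profile(metadata_json: str) -> list[str]:
    """Return a list of findings; an empty list means no deviation was seen."""
    m = json.loads(metadata_json)
    findings = []
    if not m.get("pushed_authorization_request_endpoint"):
        findings.append("PAR endpoint not advertised")
    if not m.get("require_pushed_authorization_requests", False):
        findings.append("PAR is not enforced for authorization requests")
    pkce = m.get("code_challenge_methods_supported", [])
    if "S256" not in pkce:
        findings.append("PKCE S256 not supported")
    if "plain" in pkce:
        findings.append("PKCE 'plain' challenge method is allowed")
    extra = set(m.get("grant_types_supported", [])) - ALLOWED_GRANTS
    if extra:
        findings.append(f"grant types outside the FDX set: {sorted(extra)}")
    weak = set(m.get("token_endpoint_auth_methods_supported", [])) - STRONG_AUTH
    if weak:
        findings.append(f"client auth methods outside MTLS/private_key_jwt: {sorted(weak)}")
    if "pairwise" not in m.get("subject_types_supported", []):
        findings.append("pairwise subject identifiers not supported")
    if not m.get("id_token_encryption_alg_values_supported"):
        findings.append("ID Token encryption not advertised")
    return findings
```

Run `check_fapi_profile(SAMPLE_METADATA)` to see the single finding for the sample (the `client_secret_basic` method); an empty JSON object yields one finding per missing requirement.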
FDX Data Cluster Permissions/Scopes
By enabling an FDX workspace, you will also get a preconfigured set of data cluster permission scopes as defined by the FDX specification.
FDX Consent APIs
By enabling an FDX workspace, you will unlock all the consent APIs applicable to an FDX workspace.
Explore FDX Consent APIs provided by Cloudentity
FDX Consent Application
By enabling an FDX workspace, you will unlock the capability to integrate a custom consent application that provides the user experience prescribed by the FDX guidelines, using the FDX consent APIs above together with some internal APIs to interact with Cloudentity.
Explore FDX Consent application integration
FDX Compliant Dynamic Client Registration
The FDX workspace exposes a set of Dynamic Client Registration APIs compliant with the FDX specification, saving you the time it would take to implement them yourself.