connectid-fapi-security-profile-03, October 2025
Standards Track
Workgroup: ConnectID Security
Author: DP. Postnikov, ConnectID

ConnectID FAPI 2 Security Profile 1.0 Implementers' Draft 3

Foreword

This specification is a part of the standards and specifications necessary to meet the requirements and obligations of the Australian Payments Plus ConnectID Scheme. There is a possibility that some elements of this document may be subject to patent rights. Australian Payments Plus shall not be held responsible for identifying any or all such patent rights.

The ConnectID specifications consist of the following parts:

Introduction

The ConnectID Security profile specifies additional security and interoperability requirements for ConnectID participants on top of requirements detailed in RFC6749, FAPI-2-Security, FAPI-2-Message-Signing and other referenced specifications.

Notational Conventions

The key words "shall", "shall not", "should", "should not", "may", and "can" in this document are to be interpreted as described in ISO Directive Part 2. These key words are not used as dictionary terms such that any occurrence of them shall be interpreted as key words and are not to be interpreted with their natural language meanings.


1. Scope

This document details the ConnectID profile of the FAPI Security Profile (ConnectID-FAPI).

This document is applicable to all participants engaging in ConnectID.

2. Normative references

The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.

ConnectID-FAPI - ConnectID FAPI Security Profile

ConnectID-Id-Assurance ConnectID Identity Assurance Profile

ConnectID-Cert-Std - ConnectID Certificate Standards

ConnectID-Client-Reg - ConnectID Client Registration Profile

OAuth2-Purpose - OAuth 2 Purpose extension (individual draft)

ISODIR2 - ISO/IEC Directives Part 2

RFC6749 - The OAuth 2.0 Authorization Framework

RFC8705 - OAuth 2.0 Mutual TLS Client Authentication and Certificate Bound Access Tokens

OIDC - OpenID Connect Core 1.0 incorporating errata set 1

OIDD - OpenID Connect Discovery 1.0 incorporating errata set 1

FAPI-2-Security - FAPI 2.0 Security Profile

FAPI-2-Message-Signing - FAPI 2.0 Message Signing

RFC4122 - A Universally Unique IDentifier (UUID) URN Namespace

3. Terms and definitions

For the purpose of this document, the terms defined in RFC6749, OpenID Connect Core and other normative references apply.

4. ConnectID FAPI Security Profile

4.1. Introduction

The ConnectID Security profile specifies security and interoperability requirements for ConnectID participants in addition to requirements detailed in RFC6749, FAPI-2-Security, FAPI-2-Message-Signing and other referenced specifications.

4.2. Authorization Server

The Authorization Server shall support the provisions for Authorisation Servers in FAPI 2.0 Security Profile.

In addition, the Authorization Server:

  1. shall only issue sender-constrained access tokens using mTLS as described in RFC8705;
  2. shall ensure that the access token expiry is no longer than 10 minutes;
  3. shall implement a resource endpoint, as per the Resource Server requirements in clause 4.4 of this document, to support conformance testing. This may be the userinfo endpoint as defined in clause 5.3 of OpenID Connect Core;
  4. shall authenticate the confidential client using private_key_jwt;
  5. shall use the query parameter as the mechanism for returning authorization response parameters as the response mode, which is the default for the code response type;
  6. shall advertise support for all signing, authentication mechanisms, and standards required to support ConnectID FAPI profile in the OpenID Connect Discovery endpoint;
  7. shall advertise mtls_endpoint_aliases as per clause 5 of RFC 8705 OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens for the token_endpoint, pushed_authorization_request_endpoint and userinfo_endpoint in the OpenID Connect Discovery endpoint;
  8. shall require signed request objects using the request object signing algorithm of PS256 only;
  9. shall only use the parameters included in the signed request object passed via the request_uri parameter;
  10. shall require the request object to contain an exp claim that has a lifetime of no longer than 10 minutes after the nbf claim;
  11. shall require the request object to contain an nbf claim that is no longer than 10 minutes in the past;
  12. shall set the response header x-fapi-interaction-id to the value received from the corresponding client request header, or to an RFC4122 UUID if the request header was not provided, to track the interaction for the token and PAR endpoints;
  13. shall log the value of x-fapi-interaction-id in the log entry for the token and PAR endpoints.

4.3. Confidential Client

A Confidential Client shall support the provisions for Confidential Clients in FAPI 2.0 Security Profile.

In addition, the Confidential Client:

  1. shall support private_key_jwt as a token endpoint authentication mechanism;
  2. shall derive necessary Authorization Server metadata by relying on an Authorization Server's OpenID Connect Discovery services only;
  3. where present, shall use the endpoints advertised in mtls_endpoint_aliases as per clause 5 of RFC 8705 OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens;
  4. shall include the request_uri parameter as defined in Section 6.2 of OpenID Connect Core in the authentication request;
  5. shall send all parameters inside the authorization request's signed request object as defined in FAPI-2-Message-Signing;
  6. shall send the aud claim in the request object as the OP's Issuer Identifier URL;
  7. shall send an exp claim in the request object that has a lifetime of no longer than 10 minutes;
  8. shall send an nbf claim in the request object;
  9. shall send the x-fapi-interaction-id request header to the token and PAR Authorization Server endpoints and on any other Resource Server call, with its value being a unique RFC4122 UUID for each request, to help correlate log entries between the client and server, e.g. x-fapi-interaction-id: c770aef3-6784-41f7-8e0e-ff5f97bddb3a;
  10. shall log the value of x-fapi-interaction-id in the log entry for the token and PAR Authorization Server endpoints and any other Resource Server call.
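The pieces a Confidential Client assembles under clause 4.3, as an added example that is not part of this specification: endpoint selection from discovery metadata honouring mtls_endpoint_aliases (items 2 and 3), the header and claims of the signed request object (items 5 to 8), the private_key_jwt client assertion claims (item 1), the PAR call and front-channel request_uri redirect (items 4 and 5), and the per-request x-fapi-interaction-id (items 9 and 10). SAMPLE_DISCOVERY is constructed data for a fictitious OP; nothing here signs anything, the (header, claims) pairs are what the client hands to its JOSE library for PS256 signing, and the `audience` of the client assertion is left as a parameter because this profile does not fix it.

```python
import base64
import hashlib
import secrets
import uuid
from urllib.parse import urlencode

INTERACTION_HEADER = "x-fapi-interaction-id"
MAX_LIFETIME = 600  # clause 4.3 item 7: request object lives at most 10 minutes

# Constructed sample discovery document for an assumed OP (not a real one).
SAMPLE_DISCOVERY = {
    "issuer": "https://op.example",
    "authorization_endpoint": "https://op.example/authorize",
    "token_endpoint": "https://op.example/token",
    "pushed_authorization_request_endpoint": "https://op.example/par",
    "userinfo_endpoint": "https://op.example/userinfo",
    "mtls_endpoint_aliases": {
        "token_endpoint": "https://mtls.op.example/token",
        "pushed_authorization_request_endpoint": "https://mtls.op.example/par",
        "userinfo_endpoint": "https://mtls.op.example/userinfo",
    },
}


def endpoint(metadata: dict, name: str) -> str:
    """Items 2 and 3: endpoints come from discovery only; the mTLS alias wins when advertised."""
    return metadata.get("mtls_endpoint_aliases", {}).get(name, metadata[name])


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def pkce_pair(verifier: str = "") -> tuple:
    """PKCE S256 verifier/challenge (required by FAPI-2-Security, on which this profile builds)."""
    verifier = verifier or secrets.token_urlsafe(32)
    return verifier, _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def request_object(metadata: dict, client_id: str, redirect_uri: str, scope: str,
                   code_challenge: str, now: int, lifetime: int = MAX_LIFETIME) -> tuple:
    """Items 5 to 8: every authorization parameter travels inside the request object,
    aud is the OP issuer identifier as a single string, nbf is present, exp <= nbf + 10 min."""
    if not 0 < lifetime <= MAX_LIFETIME:
        raise ValueError("request object lifetime must be 1..600 seconds")
    header = {"alg": "PS256", "typ": "oauth-authz-req+jwt"}  # PS256 per clause 5; typ per RFC 9101
    claims = {
        "iss": client_id, "aud": metadata["issuer"],
        "nbf": now, "exp": now + lifetime, "jti": str(uuid.uuid4()),
        "client_id": client_id,
        "response_type": "code",  # response_mode stays at its default, query (clause 4.2 item 5)
        "redirect_uri": redirect_uri, "scope": scope,
        "state": secrets.token_urlsafe(16), "nonce": secrets.token_urlsafe(16),
        "code_challenge": code_challenge, "code_challenge_method": "S256",
    }
    return header, claims


def client_assertion(client_id: str, audience: str, now: int, lifetime: int = 60) -> tuple:
    """Item 1: private_key_jwt assertion; `audience` is whatever the AS metadata requires."""
    claims = {"iss": client_id, "sub": client_id, "aud": audience,
              "iat": now, "exp": now + lifetime, "jti": str(uuid.uuid4())}
    return {"alg": "PS256"}, claims


def new_interaction_id() -> str:
    """Item 9: a fresh RFC 4122 UUID for every request."""
    return str(uuid.uuid4())


def par_request(metadata: dict, client_id: str, signed_request_object: str,
                signed_assertion: str, interaction_id: str) -> tuple:
    """PAR over the mTLS-aliased endpoint with the signed request object, private_key_jwt
    authentication and the interaction-id header (items 1, 3, 5 and 9)."""
    url = endpoint(metadata, "pushed_authorization_request_endpoint")
    headers = {INTERACTION_HEADER: interaction_id,
               "Content-Type": "application/x-www-form-urlencoded"}
    body = {"client_id": client_id, "request": signed_request_object,
            "client_assertion_type": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
            "client_assertion": signed_assertion}
    return url, headers, body


def authorization_url(metadata: dict, client_id: str, request_uri: str) -> str:
    """Item 4: the front-channel request carries only client_id and the PAR request_uri."""
    query = urlencode({"client_id": client_id, "request_uri": request_uri})
    return metadata["authorization_endpoint"] + "?" + query


def interaction_id_echoed(sent: str, response_headers: dict) -> bool:
    """Item 10: confirm the server echoed our id before writing the correlated log entry."""
    lowered = {k.lower(): v for k, v in response_headers.items()}
    return lowered.get(INTERACTION_HEADER) == sent
```

The client never computes endpoints from the issuer URL itself; `endpoint()` only reads what discovery advertised, which is what items 2 and 3 require, and the same `MAX_LIFETIME` bound is what the Authorization Server enforces on its side under clause 4.2.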

4.4. Resource Server

A Resource Server shall support the provisions for Resource Servers in FAPI 2.0 Security Profile.

In addition, the Resource Server:

  1. shall set the response header x-fapi-interaction-id to the value received from the corresponding client request header, or to an RFC4122 UUID if the request header was not provided, to track the interaction;
  2. shall log the value of x-fapi-interaction-id in the log entry.
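The server-side checks, as an added example that is not part of this specification: the request object rules of clause 4.2 (items 8, 10 and 11) and clause 5 applied to a decoded request object, the access token lifetime bound of clause 4.2 item 2, and the x-fapi-interaction-id handling that clause 4.2 (items 12 and 13) and clause 4.4 require of Authorization Servers and Resource Servers alike. JWS signature verification is assumed to have been done already by a JOSE library; `header` and `claims` are its decoded output. Treating a value that does not parse as a UUID as "not provided" is stricter than the text, which only says to echo the received value; it is done here so that arbitrary client input does not land in response headers and log lines.

```python
import uuid

MAX_LIFETIME = 600       # 10 minutes: access tokens (4.2 item 2), nbf/exp (4.2 items 10 and 11)
REQUIRED_ALG = "PS256"   # 4.2 item 8 and clause 5
INTERACTION_HEADER = "x-fapi-interaction-id"


def _is_int(value) -> bool:
    # bool is a subclass of int in Python; a JSON true must not pass as a timestamp
    return isinstance(value, int) and not isinstance(value, bool)


def check_request_object(header: dict, claims: dict, issuer: str, now: int) -> list:
    """Return the profile violations found; an empty list means the object is acceptable."""
    errors = []
    if header.get("alg") != REQUIRED_ALG:
        errors.append(f"alg must be {REQUIRED_ALG}, got {header.get('alg')!r}")
    nbf, exp = claims.get("nbf"), claims.get("exp")
    if not _is_int(nbf):
        errors.append("nbf claim is required")
    if not _is_int(exp):
        errors.append("exp claim is required")
    if _is_int(nbf):
        if now - nbf > MAX_LIFETIME:
            errors.append("nbf is more than 10 minutes in the past")
        if nbf > now:
            errors.append("nbf is in the future")        # RFC 7519 nbf semantics
    if _is_int(exp) and exp <= now:
        errors.append("request object has expired")
    if _is_int(nbf) and _is_int(exp) and exp - nbf > MAX_LIFETIME:
        errors.append("exp is more than 10 minutes after nbf")
    # The client sends aud as the OP issuer identifier, a single string (clause 4.3 item 6).
    if claims.get("aud") != issuer:
        errors.append("aud must be the issuer identifier string")
    return errors


def access_token_lifetime(requested: int = MAX_LIFETIME) -> int:
    """4.2 item 2: never issue an access token that lives longer than 10 minutes."""
    return max(1, min(requested, MAX_LIFETIME))


def response_interaction_id(request_headers: dict) -> str:
    """4.2 item 12 / 4.4 item 1: echo the client's x-fapi-interaction-id when it is a
    well-formed UUID, otherwise mint a fresh RFC 4122 UUID."""
    for name, value in request_headers.items():
        if name.lower() == INTERACTION_HEADER:
            try:
                uuid.UUID(value)
                return value
            except (ValueError, AttributeError, TypeError):
                break  # malformed: treated as not provided (stricter than the profile text)
    return str(uuid.uuid4())


def log_entry(endpoint: str, interaction_id: str, outcome: str) -> str:
    """4.2 item 13 / 4.4 item 2: every token, PAR and resource log line carries the id."""
    return f"endpoint={endpoint} {INTERACTION_HEADER}={interaction_id} outcome={outcome}"
```

Because a Resource Server and the token and PAR endpoints follow the same two interaction-id rules, `response_interaction_id` and `log_entry` serve both roles; the value returned by `response_interaction_id` is the one to place in the response header and in the log line, so the two always agree.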

5. Algorithm considerations

For JWS, both clients and Authorization Servers:

  1. shall use the PS256 algorithm.

6. Acknowledgements

We would like to thank Ralph Bragg, Joseph Heenan, Paul Ruskin, Amanda Wyllie, Tam Tran, Naveen Tiku and everyone who provided valuable feedback and contributions that helped to evolve this specification.

We would also like to thank OpenID Foundation, IETF and many others who have set up the foundations for secure and safe data sharing.

Appendix A. Notices

Copyright (c) 2025 ConnectID

Appendix B. Change History

B.1. Version 1.0 Implementers Draft 3

Published: 28th July 2025

  • Removed the aud requirement for the OP that contradicted the latest FAPI 2 final specification; it has to be a string, not an array, now.
  • Clarify applicability of x-fapi-interaction-id for AS endpoints.
  • Updated references to the latest FAPI 2 Message signing and ConnectID Client Registration specifications.
  • Update section references to FAPI 2 final specification.

B.2. Version 1.0 Implementers Draft 2

Published: 10th July 2025

  • Update FAPI 2 final specification references
  • Renamed this document to connectid-fapi-security-profile
  • Editorial cleanup

B.3. Version 1.0 Implementers Draft 1

Published: 30th September 2022

Changes:

  • Refactor of FAPI specific requirements from original digitalid-financial-api-04.md specification into this standalone spec
  • Token and signed request object lifetime updated to 10 minutes

Author's Address

Dima Postnikov
ConnectID