digitalid-fapi-profile-01 October 2025
ConnectID Standards Track
Workgroup: DigitalID Security
Published:
Author: CID. ConnectID, ConnectID

DigitalID FAPI Security Profile 1.0 Implementers' Draft 1

Foreword

The DigitalID Solution Working Group is responsible for creating the standards and specifications necessary to meet the requirements and obligations of the Australian Payments Plus DigitalID Scheme. Some elements of this document may be subject to patent rights. Australian Payments Plus shall not be held responsible for identifying any or all such patent rights.

The DigitalID v1.0 specifications consist of the following parts:

These parts are intended to be used with RFC6749, RFC6750, RFC7636, OIDC, FAPI-2-Baseline and FAPI-2-Advanced.

Introduction

The DigitalID FAPI security profile is a highly secure OAuth profile that provides specific implementation guidelines for security and interoperability, applicable to APIs in the DigitalID ecosystem.

Although it is possible to code an OpenID Provider (OP) and Relying Party (RP) from first principles using this specification, the main audience for this specification is parties who already have a certified implementation of FAPI Security Profile 2.0 - Part 1: Baseline and want to achieve certification for the DigitalID programme.

Notational Conventions

The key words "shall", "shall not", "should", "should not", "may", and "can" in this document are to be interpreted as described in ISO Directive Part 2. These key words are not used as dictionary terms such that any occurrence of them shall be interpreted as key words and are not to be interpreted with their natural language meanings.

1. Scope

This document specifies the method of:

This document is applicable to all participants engaging in DigitalID.

2. Normative references

The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.

ISODIR2 - ISO/IEC Directives Part 2

RFC3966 - The tel URI for Telephone Numbers

RFC4627 - JavaScript Object Notation (JSON)

RFC4648 - The Base16, Base32, and Base64 Data Encodings

RFC6749 - The OAuth 2.0 Authorization Framework

RFC6750 - The OAuth 2.0 Authorization Framework: Bearer Token Usage

RFC7636 - Proof Key for Code Exchange by OAuth Public Clients

RFC6819 - OAuth 2.0 Threat Model and Security Considerations

RFC7515 - JSON Web Signature (JWS)

RFC7519 - JSON Web Token (JWT)

RFC7591 - OAuth 2.0 Dynamic Client Registration Protocol

RFC7592 - OAuth 2.0 Dynamic Client Registration Management Protocol

RFC8705 - OAuth 2.0 Mutual TLS Client Authentication and Certificate Bound Access Tokens

BCP195 - Recommendations for Secure Use of Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS)

E.164 - The international public telecommunication numbering plan

OIDC - OpenID Connect Core 1.0 incorporating errata set 1

OIDD - OpenID Connect Discovery 1.0 incorporating errata set 1

OIDR - OpenID Connect Registration 1.0 incorporating errata set 1

OIDI - OpenID Connect for Identity Assurance 1.0

PAR - OAuth 2.0 Pushed Authorization Requests

JAR - OAuth 2.0 JWT Secured Authorization Request

FAPI-2-Baseline - FAPI Security Profile 2.0 - Part 1: Baseline

FAPI-2-Advanced - FAPI Security Profile 1.0 - Part 2: Advanced Working Draft

FAPI-2-Implementation-Advice - FAPI Security Profile 2.0 - Implementation Advice

RFC4122 - A Universally Unique IDentifier (UUID) URN Namespace

3. Terms and definitions

For the purpose of this document, the terms defined in RFC6749, RFC6750, RFC7636, OpenID Connect Core and ISO29100 apply.

4. Symbols and Abbreviated terms

acr - Authentication Context Class Reference

API - Application Programming Interface

FAPI - Financial-grade API

HTTP - Hypertext Transfer Protocol

OIDF - OpenID Foundation

OP - OpenID Provider

PII - Personally Identifiable Information

PPID - Pairwise Pseudonymous Identifier

TLS - Transport Layer Security

5. DigitalID Security Profile

5.1. Introduction

The DigitalID Security profile specifies additional security and identity requirements for sharing digital identity, building on RFC6749, RFC6750, RFC7636, FAPI-2-Baseline, FAPI-2-Advanced and other specifications.

This profile describes security and feature provisions for a server and client that are necessary for the DigitalID Programme.

5.2. DigitalID Security Provisions

5.2.1. Introduction

This profile describes the specific security profile requirements necessary to support the wider DigitalID ecosystem. As a profile of the OAuth 2.0 Authorization Framework, this document mandates the following for the DigitalID Security profile.

5.2.2. Authorization Server

The Authorization Server shall support the provisions specified in clause 2.2.1 of FAPI Security Profile 2.0 - Part 2: Baseline.

In addition, the Authorization Server:

  1. shall only issue sender-constrained access tokens using mTLS as described in RFC8705;
  2. shall ensure that the access token expiry is no longer than 10 minutes;
  3. shall implement a resource endpoint, as per the Resource Server requirements in clause 5.2.4 of this document, to support conformance testing. This may be the userinfo endpoint as defined in clause 5.3 of OpenID Connect Core;
  4. shall authenticate the confidential client using private_key_jwt;
  5. shall use the query response mode, which is the default for the code response type, to return authorization response parameters;
  6. shall advertise support for all signing and authentication mechanisms and standards required to support the DigitalID Financial API in the OpenID Connect Discovery endpoint;
  7. shall advertise mtls_endpoint_aliases, as per clause 5 of RFC8705 (OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens), for the token_endpoint, pushed_authorization_request_endpoint and userinfo_endpoint in the OpenID Connect Discovery endpoint;
  8. shall require signed request objects using the request object signing algorithm PS256 only;
  9. shall only use the parameters included in the signed request object passed via the request_uri parameter;
  10. shall require the request object to contain an exp claim that has a lifetime of no longer than 10 minutes after the nbf claim;
  11. shall require the aud claim in the request object to be, or to be an array containing, the OP's Issuer Identifier URL;
  12. shall require the request object to contain an nbf claim that is no longer than 10 minutes in the past;
  13. shall set the response header x-fapi-interaction-id to the value received from the corresponding client request header, or to an RFC4122 UUID if the request header was not provided, to track the interaction; and
  14. shall log the value of x-fapi-interaction-id in the log entry.
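The following Go program is an added example and is not code from this specification or from ConnectID. It shows the server-side plumbing of items 4, 6, 7 and 13 above together with the client's consumption of it in clause 5.2.3 items 3 and 9: a constructed OpenID Connect Discovery document for a hypothetical OP at op.example.test is parsed, every advertisement the profile requires but the document lacks is reported, an endpoint is resolved through mtls_endpoint_aliases with fallback to the plain endpoint, and x-fapi-interaction-id is either echoed or minted as an RFC4122 version 4 UUID. All URLs, the metadata values and the function names are assumptions; the metadata parameter names themselves are the ones defined by OpenID Connect Discovery, RFC8705 and PAR.

```go
package main

import (
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// sampleDiscovery is a constructed OpenID Connect Discovery document for a
// hypothetical OP at op.example.test; it is not taken from a real provider.
const sampleDiscovery = `{
  "issuer": "https://op.example.test",
  "token_endpoint": "https://op.example.test/token",
  "pushed_authorization_request_endpoint": "https://op.example.test/par",
  "userinfo_endpoint": "https://op.example.test/userinfo",
  "mtls_endpoint_aliases": {
    "token_endpoint": "https://mtls.op.example.test/token",
    "pushed_authorization_request_endpoint": "https://mtls.op.example.test/par",
    "userinfo_endpoint": "https://mtls.op.example.test/userinfo"
  },
  "token_endpoint_auth_methods_supported": ["private_key_jwt"],
  "request_object_signing_alg_values_supported": ["PS256"],
  "tls_client_certificate_bound_access_tokens": true
}`

// Discovery holds the subset of OIDD and RFC8705 metadata this profile relies on.
type Discovery struct {
	Issuer            string            `json:"issuer"`
	TokenEndpoint     string            `json:"token_endpoint"`
	PAREndpoint       string            `json:"pushed_authorization_request_endpoint"`
	UserinfoEndpoint  string            `json:"userinfo_endpoint"`
	MTLSAliases       map[string]string `json:"mtls_endpoint_aliases"`
	TokenAuthMethods  []string          `json:"token_endpoint_auth_methods_supported"`
	RequestObjectAlgs []string          `json:"request_object_signing_alg_values_supported"`
	CertBoundTokens   bool              `json:"tls_client_certificate_bound_access_tokens"`
}

func ParseDiscovery(doc string) (Discovery, error) {
	var d Discovery
	err := json.Unmarshal([]byte(doc), &d)
	return d, err
}

func contains(list []string, v string) bool {
	for _, x := range list {
		if x == v {
			return true
		}
	}
	return false
}

// CheckAdvertised lists every way the metadata falls short of clause 5.2.2 items 4, 6
// and 7. An empty result means the OP advertises what is required, not that it enforces it.
func CheckAdvertised(d Discovery) []string {
	var problems []string
	if !contains(d.TokenAuthMethods, "private_key_jwt") {
		problems = append(problems, "private_key_jwt missing from token_endpoint_auth_methods_supported")
	}
	if !contains(d.RequestObjectAlgs, "PS256") {
		problems = append(problems, "PS256 missing from request_object_signing_alg_values_supported")
	}
	if !d.CertBoundTokens {
		problems = append(problems, "tls_client_certificate_bound_access_tokens is not true")
	}
	for _, name := range []string{"token_endpoint", "pushed_authorization_request_endpoint", "userinfo_endpoint"} {
		if d.MTLSAliases[name] == "" {
			problems = append(problems, "mtls_endpoint_aliases lacks "+name)
		}
	}
	return problems
}

// MTLSEndpoint is the client rule of clause 5.2.3 item 3: use the mtls_endpoint_aliases
// entry when the OP advertises one, otherwise the plain endpoint URL.
func (d Discovery) MTLSEndpoint(name, plain string) string {
	if alias := d.MTLSAliases[name]; alias != "" {
		return alias
	}
	return plain
}

// NewInteractionID mints the RFC4122 version 4 UUID a client sends as
// x-fapi-interaction-id (5.2.3 item 9) and an AS mints when none arrives (5.2.2 item 13).
func NewInteractionID() (string, error) {
	var b [16]byte
	if _, err := rand.Read(b[:]); err != nil {
		return "", err
	}
	b[6], b[8] = b[6]&0x0f|0x40, b[8]&0x3f|0x80 // version 4 and RFC4122 variant bits
	return fmt.Sprintf("%x-%x-%x-%x-%x", b[0:4], b[4:6], b[6:8], b[8:10], b[10:16]), nil
}

// ResponseInteractionID applies 5.2.2 item 13: echo the client's header value, else mint one.
func ResponseInteractionID(requestHeader string) (string, error) {
	if requestHeader != "" {
		return requestHeader, nil
	}
	return NewInteractionID()
}
```

The echo in ResponseInteractionID is exactly what item 13 asks for. Before the echoed value reaches a log line (item 14), a server should still confirm it has the RFC4122 shape: the header is input the caller controls, and a log that reflects arbitrary strings is a log-injection vector.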

5.2.3. Confidential Client

A Confidential Client shall support the provisions specified in clause 2.2.2 of FAPI Security Profile 2.0 - Part 1: Baseline.

In addition, the Confidential Client:

  1. shall support private_key_jwt as a token endpoint authentication mechanism;
  2. shall derive the necessary Authorization Server metadata by relying on the Authorization Server's OpenID Connect Discovery service only;
  3. where present, shall use the endpoints advertised in mtls_endpoint_aliases as per clause 5 of RFC8705 (OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens);
  4. shall include the request_uri parameter, as defined in Section 6.2 of OpenID Connect Core, in the authentication request;
  5. shall send all parameters inside the authorization request's signed request object;
  6. shall send the aud claim in the request object as the OP's Issuer Identifier URL;
  7. shall send an exp claim in the request object that has a lifetime of no longer than 10 minutes;
  8. shall send an nbf claim in the request object;
  9. shall send the x-fapi-interaction-id request header, with its value being a unique RFC4122 UUID for each request, to help correlate log entries between the client and server, e.g. x-fapi-interaction-id: c770aef3-6784-41f7-8e0e-ff5f97bddb3a; and
  10. shall log the value of x-fapi-interaction-id in the log entry.
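Items 4 to 8 of this clause and items 8 to 12 of clause 5.2.2 are the two halves of one exchange: the client signs a request object and the Authorization Server decides whether to accept it. The Go code below is an added example, not code from this specification or from ConnectID. The client side builds a compact JWS with alg PS256 carrying aud, nbf and exp; the server side pins the algorithm before touching the signature, verifies the RSASSA-PSS signature with the standard library, then enforces the aud, nbf and exp rules. The issuer URL op.example.test, the client_id and the claim set are assumptions, and delivery of the request object through PAR and request_uri, as well as the client's private_key_jwt authentication, are outside this block.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

const MaxLifetime = 10 * time.Minute // the 10 minute bound of clause 5.2.2 items 10 and 12

// PS256 is RSASSA-PSS with SHA-256 and a salt as long as the hash (RFC7518); JWS segments are unpadded base64url.
var pss, enc = &rsa.PSSOptions{SaltLength: rsa.PSSSaltLengthEqualsHash}, base64.RawURLEncoding

// RequestObjectClaims are the claims the client signs (5.2.3 items 5 to 8); the set is an assumption.
type RequestObjectClaims struct {
	Aud      string `json:"aud"` // the OP's issuer identifier URL
	ClientID string `json:"client_id"`
	Nbf      int64  `json:"nbf"`
	Exp      int64  `json:"exp"`
}

// GenerateClientKey makes the RSA key pair a client would register with the OP.
func GenerateClientKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// SignRequestObject is the client side: a compact JWS whose alg is PS256.
func SignRequestObject(priv *rsa.PrivateKey, c RequestObjectClaims) (string, error) {
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	input := enc.EncodeToString([]byte(`{"alg":"PS256"}`)) + "." + enc.EncodeToString(payload)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], pss)
	if err != nil {
		return "", err
	}
	return input + "." + enc.EncodeToString(sig), nil
}

// audContains accepts aud either as a string or as an array (5.2.2 item 11).
func audContains(aud any, issuer string) bool {
	if s, ok := aud.(string); ok {
		return s == issuer
	}
	list, _ := aud.([]any)
	for _, a := range list {
		if a == issuer {
			return true
		}
	}
	return false
}

// VerifyRequestObject is the AS side (5.2.2 items 8, 10, 11 and 12). The alg is
// pinned before the signature is checked, so no other algorithm is ever tried.
func VerifyRequestObject(pub *rsa.PublicKey, issuer, jws string, now time.Time) (map[string]any, error) {
	parts := strings.Split(jws, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("not a compact JWS")
	}
	hdrB, e1 := enc.DecodeString(parts[0])
	payB, e2 := enc.DecodeString(parts[1])
	sigB, e3 := enc.DecodeString(parts[2])
	var hdr struct{ Alg string `json:"alg"` }
	if e1 != nil || e2 != nil || e3 != nil || json.Unmarshal(hdrB, &hdr) != nil || hdr.Alg != "PS256" {
		return nil, fmt.Errorf("malformed JWS or alg %q rejected: only PS256 is accepted", hdr.Alg)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sigB, pss); err != nil {
		return nil, fmt.Errorf("signature: %w", err)
	}
	var claims map[string]any
	if err := json.Unmarshal(payB, &claims); err != nil {
		return nil, err
	}
	nbf, okN := claims["nbf"].(float64) // encoding/json decodes JSON numbers as float64
	exp, okE := claims["exp"].(float64)
	nbfT, expT := time.Unix(int64(nbf), 0), time.Unix(int64(exp), 0)
	switch {
	case !audContains(claims["aud"], issuer):
		return nil, fmt.Errorf("aud does not contain the OP's issuer identifier")
	case !okN || !okE:
		return nil, fmt.Errorf("nbf and exp claims are required")
	case now.Sub(nbfT) > MaxLifetime:
		return nil, fmt.Errorf("nbf is more than 10 minutes in the past")
	case expT.Sub(nbfT) > MaxLifetime:
		return nil, fmt.Errorf("exp is more than 10 minutes after nbf")
	case !now.Before(expT):
		return nil, fmt.Errorf("request object has expired")
	}
	return claims, nil
}
```

Checking the header's alg against a fixed value before verifying is the point of item 8 and of clause 5.3: a verifier that lets the header choose the algorithm verifies whatever the sender picked, whereas this one only ever attempts PS256. The expiry case at the end is the ordinary RFC7519 exp rule, which the two 10-minute bounds do not cover on their own: an object whose nbf is 8 minutes old and whose exp was nbf plus 5 minutes satisfies both bounds yet has already expired.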

5.2.4. Resource Server

A Resource Server shall support the provisions specified in clause 2.2.3 of FAPI Security Profile 2.0 - Part 1: Baseline.

5.3. Algorithm considerations

For JWS, both clients and Authorization Servers:

  1. shall use the PS256 algorithm.

6. Acknowledgements

We would like to thank everyone for their valuable feedback and contributions that helped to evolve this specification.

We would also like to thank OpenID Foundation, IETF and many others who have set up the foundations for secure and safe data sharing.

Appendix A. Notices

Copyright (c) 2022 DigitalID Solution Working Group.

Appendix B. Change History

B.1. Version 1.0 Implementers Draft 1

Published: 30th September 2022

Changes:

  • Refactored the FAPI-specific requirements from the original digitalid-financial-api-04.md specification into this standalone specification
  • Token and signed request object lifetime updated to 10 minutes

Author's Address

ConnectID
ConnectID