Hello.
Last year, I sent some PRs to meet Financial API (FAPI).
FAPI is an API security requirement for API services in the financial sector.
It is specified by OpenID Foundation.
http://openid.net/wg/fapi/
FAPI seems to be promising for conforming to PSD2 (Payment Service Directive) in Europe as
an API Security Profile.
Past PRs (Issues: KEYCLOAK-5661, KEYCLOAK-2604, KEYCLOAK-5811) are related to FAPI Part 1.
Recently, I've investigated Keycloak to find out whether it conforms to Part 2
(Read and Write API Profile Requirements) for the Authorization Server and found that it does
not satisfy several points.
Therefore, I've implemented one of them, the state hash value (s_hash), to protect the state
parameter in the authorization request.
The FAPI Part 2 Read and Write API Security Profile Requirements for the Authorization Server are
the following.
http://openid.net/specs/openid-financial-api-part-2.html#introduction
http://openid.net/specs/openid-financial-api-part-2.html#authorization-se...
* shall include state hash, s_hash, in the ID Token to protect the state value; this is met by
this PR.
https://github.com/keycloak/keycloak/pull/5022
I hope this PR is reviewed and merged.
I am also working to meet the other points of FAPI Part 2; it may take several months
(hopefully).
Best Regards
Takashi Norimatsu
Hitachi, Ltd.
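The s_hash claim discussed in this mail, as an added example that is not code from the PR above or from Keycloak: s_hash is built with the same rule OpenID Connect Core uses for c_hash and at_hash (hash the ASCII state with the digest of the ID Token's alg header, keep the left-most half, base64url-encode without padding). The issuer, subject, audience and state values below are constructed sample data; the function names are this example's own, not Keycloak's.

```python
import base64
import hashlib
import hmac

# Digest for s_hash is chosen from the ID Token's JWS "alg" header, e.g. RS256 -> SHA-256.
# Same rule as c_hash / at_hash in OpenID Connect Core: hash the ASCII state,
# keep the left-most half of the digest, base64url-encode it without padding.
_DIGEST_FOR_ALG_BITS = {
    "256": hashlib.sha256,
    "384": hashlib.sha384,
    "512": hashlib.sha512,
}


def _b64url_nopad(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def half_hash(value: str, alg: str) -> str:
    """Left-half digest of an ASCII value for an ID Token signed with `alg`.

    Used for s_hash (state); the identical rule gives c_hash (code) and at_hash (access token).
    """
    bits = alg[-3:]  # RS256 / PS256 / ES256 -> "256", and so on for 384 / 512
    if bits not in _DIGEST_FOR_ALG_BITS:
        raise ValueError(f"unsupported ID Token alg: {alg}")
    digest = _DIGEST_FOR_ALG_BITS[bits](value.encode("ascii")).digest()
    return _b64url_nopad(digest[: len(digest) // 2])


def add_s_hash(id_token_claims: dict, state: str, alg: str) -> dict:
    """Authorization-server side: add s_hash to the ID Token claims before signing."""
    claims = dict(id_token_claims)
    claims["s_hash"] = half_hash(state, alg)
    return claims


def verify_s_hash(id_token_claims: dict, sent_state: str, alg: str) -> bool:
    """Client side, after the ID Token signature has been verified: bind the token to the
    state value the client itself generated for this authorization request."""
    s_hash = id_token_claims.get("s_hash")
    if not isinstance(s_hash, str):
        return False  # FAPI Part 2 requires s_hash, so a missing claim is a failed check
    expected = half_hash(sent_state, alg).encode("ascii")
    # constant-time comparison; compare bytes so a non-ASCII claim value cannot raise
    return hmac.compare_digest(expected, s_hash.encode("utf-8"))


def demo() -> dict:
    """Constructed round trip: issue an ID Token for a request carrying a given state,
    then check it against the genuine state, a tampered state, and a token lacking s_hash."""
    state = "af0ifjsldkj"  # constructed sample state
    alg = "RS256"          # typical ID Token alg; only its digest choice matters here
    base_claims = {"iss": "https://as.example", "sub": "alice", "aud": "client-1"}  # constructed
    claims = add_s_hash(base_claims, state, alg)
    return {
        "s_hash": claims["s_hash"],
        "genuine_state_ok": verify_s_hash(claims, state, alg),
        "tampered_state_ok": verify_s_hash(claims, "af0ifjsldkX", alg),
        "missing_claim_ok": verify_s_hash(base_claims, state, alg),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The client-side check only has value once the ID Token signature has been verified and the client compares against the state it stored locally for this request; an s_hash checked against a state taken from the callback URL would bind nothing.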