[keycloak-dev] State hash value (s_hash) to protect state parameter (Related to FAPI)

Hello. Last year, I sent some PRs to meet Financial API(FAPI). FAPI is API's security requirement for API services in financial sector. It is specified by OpenID Foundation. http://openid.net/wg/fapi/ FAPI seems to be promising for conforming to PSD2 (Payment Service Directive) in Europe as API Security Profile. Past PRs (Issue:KEYCLOAK-5661, KEYCLOAK-2604, KEYCLOAK-5811) are related to FAPI Part1. Recently, I've investigated into keycloak to find out whether it conforms to Part 2 (Read and Write API Profile Requirements) for Authorization Server and found that it does not satisfy several points. Therefore, I've implemented one of them, state hash value (s_hash) to protect state parameter in authorization request. FAPI Part 2 Read and Write API Security Profile Requirements for Authorization Server is the following. http://openid.net/specs/openid-financial-api-part-2.html#introduction http://openid.net/specs/openid-financial-api-part-2.html#authorization-se... * shall include state hash, s_hash, in the ID Token to protect the state value; is met by this PR. https://github.com/keycloak/keycloak/pull/5022 Hope this PR is reviewed and merged. And I am also working to meet other points of FAPI Part2, it may take several months (hopefully). Best Regards Takashi Norimatsu Hitachi, Ltd.