[keycloak-dev] State hash value (s_hash) to protect state parameter (Related to FAPI)
乗松隆志 / NORIMATSU,TAKASHI
takashi.norimatsu.ws at hitachi.com
Thu Feb 22 20:21:49 EST 2018
Hello.
Last year, I sent some PRs to meet Financial API(FAPI).
FAPI is a set of API security requirements for API services in the financial sector.
It is specified by OpenID Foundation.
http://openid.net/wg/fapi/
FAPI seems to be promising for conforming to PSD2 (Payment Service Directive) in Europe as an API security profile.
Past PRs (Issues: KEYCLOAK-5661, KEYCLOAK-2604, KEYCLOAK-5811) are related to FAPI Part 1. Recently, I've investigated Keycloak to find out whether it conforms to Part 2 (Read and Write API Profile Requirements) for Authorization Server and found that it does not satisfy several points.
Therefore, I've implemented one of them, state hash value (s_hash) to protect state parameter in authorization request.
The FAPI Part 2 Read and Write API Security Profile Requirements for Authorization Server are the following.
http://openid.net/specs/openid-financial-api-part-2.html#introduction
http://openid.net/specs/openid-financial-api-part-2.html#authorization-server
* shall include state hash, s_hash, in the ID Token to protect the state value; is met by this PR.
https://github.com/keycloak/keycloak/pull/5022
I hope this PR is reviewed and merged.
I am also working to meet the other points of FAPI Part 2; it may take several months (hopefully).
Best regards,
Takashi Norimatsu
Hitachi, Ltd.
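An added example, not part of this post and not the PR's or Keycloak's own code, showing how the s_hash claim the PR adds is built and how a relying party checks it. It assumes the construction FAPI Part 2 specifies for s_hash (the same one OIDC Core uses for at_hash and c_hash): base64url of the left-most half of the hash of the ASCII state value, with the hash function chosen by the ID Token's alg header; the state value and claim set below are constructed.

```python
import base64
import hashlib
import secrets

# Hash function implied by the JWS "alg" of the ID Token (same table as at_hash/c_hash in OIDC Core).
_ALG_TO_HASH = {
    "HS256": "sha256", "RS256": "sha256", "ES256": "sha256", "PS256": "sha256",
    "HS384": "sha384", "RS384": "sha384", "ES384": "sha384", "PS384": "sha384",
    "HS512": "sha512", "RS512": "sha512", "ES512": "sha512", "PS512": "sha512",
}


def _b64url(data: bytes) -> str:
    # base64url without padding, as used for JWT claims
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def compute_s_hash(state: str, alg: str) -> str:
    """s_hash = base64url(left-most half of HASH(ASCII(state))), HASH chosen by the ID Token alg.

    This is what the authorization server puts into the ID Token at the end of the flow.
    """
    try:
        hash_name = _ALG_TO_HASH[alg]
    except KeyError:
        raise ValueError(f"unsupported ID Token alg for s_hash: {alg}")
    digest = hashlib.new(hash_name, state.encode("ascii")).digest()
    return _b64url(digest[: len(digest) // 2])


def verify_s_hash(id_token_claims: dict, alg: str, expected_state: str) -> bool:
    """Client-side check: the s_hash in the (already signature-verified) ID Token must match
    the state value this client generated for the request. A response whose state was
    swapped or injected will not hash to the claim the server signed.

    `alg` is the value of the ID Token's JOSE header, read after signature verification.
    """
    s_hash = id_token_claims.get("s_hash")
    if not isinstance(s_hash, str):
        return False  # FAPI Part 2 requires the claim; treat absence as failure
    return secrets.compare_digest(s_hash, compute_s_hash(expected_state, alg))


if __name__ == "__main__":
    # Constructed demo values: state generated by the client, claims as the server would issue them.
    state = "af0ifjsldkj"
    claims = {"sub": "user-123", "s_hash": compute_s_hash(state, "PS256")}
    print("s_hash:", claims["s_hash"])
    print("valid:", verify_s_hash(claims, "PS256", state))
    print("tampered:", verify_s_hash(claims, "PS256", state + "x"))
```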