FAPI Definition Configurations
This topic describes the OpenID definition configuration settings required for FAPI conformance.
- Definition Configuration - Minimum Entropy 128-bit
- FAPI requires access_tokens to carry a minimum of 128 bits of entropy. To configure this, set the access_token length to '32' in the OpenID Definition.
- Definition & Advanced Configuration - Update HTML Encoded Macro
- FAPI requires that users are able to reject a login attempt after authenticating. This can be achieved by setting Prompt to Always allow in the Definition configuration, which triggers the prompt page during the SSO flow after the user has logged in successfully. So that the claims passed to the prompt page are added without being HTML encoded, add the macro @OAUTH_OTHER_PARAM_VALUE_REPEAT@ to sps.page.htmlEscapedMacros.
- Definition Configuration - Use ES256 or PS256 Signing Keys
- FAPI requires the id_token to be signed with ES256 (or PS256) signing keys.
- Advanced Configuration - OAuth20.State.Required
- FAPI conformance requires that authorization requests without a state parameter are accepted. To achieve this, set the advanced configuration parameter OAuth20.State.Required to false. This overrides the IBM Security Verify Access default behavior, making state a non-mandatory parameter. This is only possible on IBM Security Verify Access version 10.0.0.
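As an added example (not IBM's code or an ISVA configuration export), the following Python script checks a deployment's effective settings against the three requirements above: token entropy, id_token signing algorithm, and whether state is mandatory. The token alphabet size and the sample id_tokens are assumptions constructed for the example; the min_token_length helper also shows that the length needed for 128 bits depends on the alphabet the tokens are drawn from.

```python
import base64
import json
import math

# FAPI requirements this page configures: token entropy, id_token signing, optional state.
ALLOWED_ID_TOKEN_ALGS = {"ES256", "PS256"}
MIN_TOKEN_ENTROPY_BITS = 128

def token_entropy_bits(token_length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random token of token_length symbols from alphabet_size."""
    return token_length * math.log2(alphabet_size)

def min_token_length(alphabet_size: int, min_bits: int = MIN_TOKEN_ENTROPY_BITS) -> int:
    """Shortest token length that reaches min_bits for the given alphabet."""
    return math.ceil(min_bits / math.log2(alphabet_size))

def jwt_header(token: str) -> dict:
    """Decode the JOSE header of a compact JWT (no signature verification here)."""
    header_b64 = token.split(".")[0]
    header_b64 += "=" * (-len(header_b64) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(header_b64))

def check_fapi_settings(access_token_length: int, alphabet_size: int,
                        id_token: str, state_required: bool) -> list:
    """Return a list of findings; an empty list means all three checks passed."""
    findings = []
    bits = token_entropy_bits(access_token_length, alphabet_size)
    if bits < MIN_TOKEN_ENTROPY_BITS:
        findings.append(
            f"access_token gives {bits:.1f} bits; need length >= "
            f"{min_token_length(alphabet_size)} for this alphabet")
    alg = jwt_header(id_token).get("alg")
    if alg not in ALLOWED_ID_TOKEN_ALGS:
        findings.append(f"id_token alg {alg!r} not in {sorted(ALLOWED_ID_TOKEN_ALGS)}")
    if state_required:
        findings.append("state is mandatory; FAPI requires requests without state to be accepted")
    return findings

def sample_id_token(alg: str) -> str:
    """Constructed sample: header.payload.signature with a dummy payload and signature."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': alg, 'typ': 'JWT'})}.{enc({'sub': 'user1'})}.c2ln"

if __name__ == "__main__":
    # Assumed: a 32-character alphanumeric (62-symbol) access token, as this page suggests.
    print(check_fapi_settings(32, 62, sample_id_token("ES256"), False))
    print(check_fapi_settings(32, 16, sample_id_token("RS256"), True))
```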