Configure FAPI Client
FAPI conformance requires mutual TLS (MTLS) and certificate-bound access tokens, both of which rely on a client certificate. A certificate that has been added to the trust store can be bound to a client. To bind a certificate, add the client certificate details (for example, the alias and the keystore) to the extended properties when you create the client. This can be done by navigating to Federation > OpenID Connect and API Protection > Clients. The same binding can also be configured for dynamic clients.
{
  "tls_client_auth_subject_dn": "clientID",
  "tls_client_auth_keystore": "rt_profile_keys"
}

The information added to the client configuration can then be used to verify that the incoming MTLS client certificate matches the certificate bound to the client. Use the following code snippet in the FAPI_ValidateJWT_RequestJWT mapping rule or the oauth20_pre_token mapping rule to perform the check:
/*
 * Certificate and JWT signing key check.
 * claims.iss can be substituted with the client id.
 * headers.kid can be substituted with the fingerprint (stsuu.getAttributeValueByName("fingerprint");).
 * Please note that stsuu.getAttributeValueByName("fingerprint") returns the thumbprint in
 * OAuthMappingExtUtils.getCertificateThumbprint format.
 */
var client_ExtendedData = OAuthMappingExtUtils.getClient(claims.iss).getExtendedData();
if (client_ExtendedData != null) {
    // Keystore and alias that were stored in the client's extended properties
    var client_keystore = JSON.parse(client_ExtendedData).dynamic_client.tls_client_auth_keystore;
    var client_alias = JSON.parse(client_ExtendedData).dynamic_client.tls_client_auth_subject_dn;
    if (client_alias != null && client_keystore != null) {
        // S256 thumbprint of the certificate bound to this client
        var cert_thumbprint = OAuthMappingExtUtils.getCertificateThumbprint_S256(client_keystore, client_alias);
        // Reject the request when the presented certificate does not match the bound one
        if (cert_thumbprint != null && cert_thumbprint != headers.kid) {
            OAuthMappingExtUtils.throwSTSCustomUserPageException("Client certificate mis-match!!!", 400, "invalid_request");
        }
    }
}
Parent topic: Achieving Financial-grade API (FAPI) conformance with IBM Security Verify Access