Configure FAPI Client

FAPI conformance requires MTLS and certificate-bound tokens, which use a client certificate. You can bind a certificate that has been added to the trust store to a client. To bind a certificate, add the client certificate details (for example, alias and keystore) to the extended properties when you create the client, under Federation > OpenID Connect and API Protection > Clients. The same can be done for dynamic clients.

{
  "tls_client_auth_subject_dn": "clientID",
  "tls_client_auth_keystore": "rt_profile_keys"
}

The information added to the client configuration can then be used to verify that the incoming MTLS certificate matches the client certificate. Use the following code snippet in the FAPI_ValidateJWT_RequestJWT mapping rule or the oauth20_pre_token mapping rule to perform the check:

/*
 * Certificate and JWT signing key check
 * claims.iss can be substituted with the client ID
 * headers.kid can be substituted with the fingerprint (stsuu.getAttributeValueByName("fingerprint");)
 * Note that stsuu.getAttributeValueByName("fingerprint") returns the thumbprint in OAuthMappingExtUtils.getCertificateThumbprint format.
 * The check is skipped when the client has no extended data, no keystore/alias, or no thumbprint can be resolved.
 */
var client_ExtendedData = OAuthMappingExtUtils.getClient(claims.iss).getExtendedData();
if (client_ExtendedData != null) {
	// Parse the extended properties once and read the certificate binding.
	var dynamic_client = JSON.parse(client_ExtendedData).dynamic_client;
	var client_keystore = dynamic_client.tls_client_auth_keystore;
	var client_alias = dynamic_client.tls_client_auth_subject_dn;
	if (client_alias != null && client_keystore != null) {
		// SHA-256 thumbprint of the certificate stored under the configured alias.
		var cert_thumbprint = OAuthMappingExtUtils.getCertificateThumbprint_S256(client_keystore, client_alias);
		if (cert_thumbprint != null && cert_thumbprint != headers.kid) {
			OAuthMappingExtUtils.throwSTSCustomUserPageException("Client certificate mis-match!!!", 400, "invalid_request");
		}
	}
}
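As an added example (not IBM's code and not a mapping rule), the following Node.js sketch shows the certificate-bound token check that this binding supports, using the RFC 8705 `cnf["x5t#S256"]` confirmation claim. The function names and sample certificates are hypothetical, and the page does not state which encoding the OAuthMappingExtUtils thumbprint functions return, so the base64url form here is an assumption taken from RFC 8705.

```javascript
// Added example: RFC 8705 certificate-bound token check, failing closed.
const crypto = require("crypto");

// Decode a PEM certificate to its DER bytes.
function pemToDer(pem) {
  const m = /-----BEGIN CERTIFICATE-----([\s\S]+?)-----END CERTIFICATE-----/.exec(pem);
  if (!m) throw new Error("not a PEM certificate");
  return Buffer.from(m[1].replace(/\s+/g, ""), "base64");
}

// x5t#S256: unpadded base64url of SHA-256 over the DER-encoded certificate.
function thumbprintS256(pem) {
  return crypto.createHash("sha256").update(pemToDer(pem)).digest("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// True only when the token's cnf["x5t#S256"] equals the thumbprint of the
// certificate presented on the MTLS connection. A missing claim, a missing
// certificate or an unparsable certificate is a rejection, not a skip.
function isBoundToCertificate(tokenClaims, presentedPem) {
  const expected = tokenClaims && tokenClaims.cnf && tokenClaims.cnf["x5t#S256"];
  if (typeof expected !== "string" || typeof presentedPem !== "string") return false;
  let actual;
  try {
    actual = thumbprintS256(presentedPem);
  } catch (e) {
    return false;
  }
  const a = Buffer.from(actual);
  const b = Buffer.from(expected);
  // timingSafeEqual requires equal lengths, so compare lengths first.
  return a.length === b.length && crypto.timingSafeEqual(a, b);
}

// Constructed sample input: placeholder bytes wrapped as PEM, standing in for
// real DER certificates (the thumbprint is computed over the raw bytes).
function toPem(der) {
  return "-----BEGIN CERTIFICATE-----\n" + der.toString("base64") +
    "\n-----END CERTIFICATE-----\n";
}
const certA = toPem(Buffer.from("constructed-placeholder-certificate-A"));
const certB = toPem(Buffer.from("constructed-placeholder-certificate-B"));
const token = { iss: "clientID", cnf: { "x5t#S256": thumbprintS256(certA) } };

console.log("bound certificate accepted:", isBoundToCertificate(token, certA));
console.log("other certificate accepted:", isBoundToCertificate(token, certB));
```

Unlike the mapping-rule snippet above, this check rejects the request when no thumbprint is available instead of skipping the comparison.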

