The OpenID Foundation is pleased to announce the availability of certification tests for both FAPI 2.0 Security Profile Implementers Draft 2and the upcoming first Implementer’s Draft of FAPI 2.0 Message Signing.
The FAPI Working Group has taken many of the learnings from FAPI 1.0 and also formulated an attacker model, producing a second iteration of FAPI that is simpler and easier to use but still meets the security goals. You can learn more about the differences between FAPI 1.0 and FAPI 2.0 on our blog post.
The release of these FAPI 2 certification tests is an important next step on the journey to these standards becoming final specifications. The release of the FAPI 2 certification tests follow the comprehensive security analysis performed and published in Summer 2022. The researchers at the University of Stuttgart, Institute of Information Security led by Prof. Ralf Küsters, Pedram Hosseyni, and Tim Würtele were able to prove the security properties of the FAPI 2.0 Security Profile (formerly known as FAPI 2.0 Baseline). This is a great result and should give implementers of FAPI 2.0 further confidence in the security benefits of implementing the specifications.
Two ecosystem profiles are currently supported for certification – the “plain” FAPI 2.0 specification and a profile of FAPI 2.0 Message Signing for the Australian ConnectID ecosystem (the latter requiring support of the OpenID Connect ‘claims’ parameter).
A significant change in the new FAPI 2.0 tests is that support of OpenID Connect (in particular, the openid scope value and the return of an id_token) is now optional.
Certifications that include DPoP will launch later in the year (beta versions of the DPoP tests are available but are not yet complete and do not yet support some features like DPoP nonces).
Please note a few features of the FAPI 2 specification currently not supported:
- HTTP Message Signatures
- Servers must reject unregistered redirect URLs
These features will be tackled in due course. If you have any current use-cases that rely on these features and are particularly interested in any, please inform the certification team at email@example.com. Additionally, the certification team kindly welcomes feedback from all testers on the performance of the tests.
The Foundation also kindly thanks ConnectID for their directed funding contributions to support the development of these FAPI 2.0 conformance tests. This directed funding accelerated the development of these tests for the global community to start using with Implementer’s Drafts, and the importance of these tests to help the FAPI 2.0 family of specifications move towards Final in due course.