Configure the FAPI Client
FAPI conformance requires MTLS and certificate-bound tokens, both of which use a client certificate.
You can bind a certificate that is added to the trust store to a client. To bind a certificate, add the client certificate details (for example, alias and keystore) to the extended properties when you create the client. This can be achieved by navigating to . This can also be done for dynamic clients.
{
    "tls_client_auth_subject_dn": "clientID",
    "tls_client_auth_keystore": "rt_profile_keys"
}
The following example adds the keystore entry followed by the entries that are based on the MTLS specification:

{
    "tls_client_auth_keystore": "rt_profile_keys_fapi",
    "tls_client_auth_subject_dn": "CN=clientID01,OU=security,O=IBM,L=Singapore,ST=Singapore,C=SG",
    "tls_client_auth_san_uri": "http://my.url2.here/",
    "tls_client_auth_san_dns": "*.example.com",
    "tls_client_auth_san_ip": "10.10.10.14",
    "tls_client_auth_san_email": "my@other.address"
}

The information that is added to the client configuration can then be used to verify whether the incoming MTLS certificate matches the certificate that is bound to the client. Use the following code snippet in the FAPI_ValidateJWT_RequestJWT mapping rule or the oauth20_pre_token
mapping rule to verify:

/*
 * Certificate and JWT signing key check.
 * claims.iss can be substituted with the client ID.
 * headers.kid can be substituted with the fingerprint (stsuu.getAttributeValueByName("fingerprint")).
 * Note that stsuu.getAttributeValueByName("fingerprint") returns the thumbprint in the
 * OAuthMappingExtUtils.getCertificateThumbprint format.
 */
var client = OAuthMappingExtUtils.getClient(claims.iss);
var client_ExtendedData = (client != null) ? client.getExtendedData() : null;
if (client_ExtendedData != null) {
    // Parse the extended data once; the certificate binding lives under dynamic_client.
    var dynamic_client = JSON.parse(client_ExtendedData).dynamic_client;
    var client_keystore = (dynamic_client != null) ? dynamic_client.tls_client_auth_keystore : null;
    var client_alias = (dynamic_client != null) ? dynamic_client.tls_client_auth_subject_dn : null;
    if (client_alias != null && client_keystore != null) {
        // Thumbprint of the certificate that is bound to the client in the trust store.
        var cert_thumbprint = OAuthMappingExtUtils.getCertificateThumbprint_S256(client_keystore, client_alias);
        // Reject the request when the presented MTLS certificate does not match the bound certificate.
        if (cert_thumbprint != null && cert_thumbprint != headers.kid) {
            OAuthMappingExtUtils.throwSTSCustomUserPageException("Client certificate mis-match!!!", 400, "invalid_request");
        }
    }
}