Configuring FAPI Client
FAPI conformance requires MTLS and certificate-bound tokens, both of which use a client certificate.
You can bind a certificate that is added to the trust store to a client. To bind a certificate,
add the client certificate details (for example, alias and keystore) to the extended properties when
you are creating a client. This can be achieved by navigating to
. This can also be done for dynamic clients.
{
    "tls_client_auth_subject_dn": "clientID",
    "tls_client_auth_keystore": "rt_profile_keys"
}
The information that is added to the client configuration can then be used to verify whether the incoming
mTLS certificate matches the bound client certificate. Use the following code snippet in the
FAPI_ValidateJWT_RequestJWT mapping rule or the oauth20_pre_token mapping rule to verify:

/*
 * Certificate and JWT signing key check.
 * claims.iss can be substituted with the client ID.
 * headers.kid can be substituted with the fingerprint (stsuu.getAttributeValueByName("fingerprint");).
 * Note that stsuu.getAttributeValueByName("fingerprint") returns the thumbprint in the
 * OAuthMappingExtUtils.getCertificateThumbprint format, so use the matching thumbprint method when comparing against it.
 */
var client_ExtendedData = OAuthMappingExtUtils.getClient(claims.iss).getExtendedData();
if (client_ExtendedData != null) {
    // Parse the extended data once and read the certificate binding added at registration.
    var extended = JSON.parse(client_ExtendedData);
    var dynamicClient = extended.dynamic_client;
    if (dynamicClient != null) {
        var client_keystore = dynamicClient.tls_client_auth_keystore;
        var client_alias = dynamicClient.tls_client_auth_subject_dn;
        if (client_alias != null && client_keystore != null) {
            // SHA-256 thumbprint of the certificate that is bound to this client.
            var cert_thumbprint = OAuthMappingExtUtils.getCertificateThumbprint_S256(client_keystore, client_alias);
            // Reject the request if the presented certificate does not match the bound one.
            if (cert_thumbprint != null && cert_thumbprint != headers.kid) {
                OAuthMappingExtUtils.throwSTSCustomUserPageException("Client certificate mis-match!!!", 400, "invalid_request");
            }
        }
    }
}