This page is for Authlete 2.x. For 3.0, see FAPI 2.0 Message Signing Profile – Signing Authorization Requests (3.0).
FAPI 2.0 Message Signing – Signing Auth Requests (2.x)
The FAPI 2.0 Message Signing profile extends the FAPI 2.0 Security profile. It defines requirements for:
- Signing Authorization Requests
- Signing Authorization Responses
- Signing Introspection Responses
- Signing HTTP Messages
Flow (2.x)
- Pushed Authorization Request – Client sends a signed request object to the PAR endpoint; client authentication via mutual TLS or private_key_jwt.
- Pushed Authorization Response – Server returns a request_uri.
- Authorization Request – Client sends the request_uri to the authorization endpoint.
- Authorization Response – Server returns an authorization code.
- Token Request – Client exchanges the code; access tokens are sender-constrained (mutual TLS or DPoP). private_key_jwt is used for client auth at the token endpoint.
- Token Response – Sender-constrained access token.
- API Request – Client calls the resource with the access token and proof-of-possession.
Scope Attribute (2.x)
Scope attribute for FAPI2 MS Auth Req:

| attribute key | attribute value |
|---|---|
| fapi2 | ms-authreq |
Service Configuration (2.x)
Configure your service as follows to comply with FAPI2 MS Auth Req (Authlete 2.3+). In Service Owner Console (so.authlete.com) the equivalent settings are under Basic, Authorization (grant types, response types, authorization endpoint, token endpoint, PAR endpoint, request object), Token, and Scope.

| Property | Description |
|---|---|
| Supported Grant Types | Include AUTHORIZATION_CODE. |
| Supported Response Types | Include CODE. |
| Supported Service Profiles | Include FAPI. |
| iss Response Parameter | Select Included. |
| Token Endpoint URI | Set your authorization server’s token endpoint URI. |
| Supported Client Authentication Methods | Select PRIVATE_KEY_JWT. |
| nbf Claim | Select Required. |
| Audience Validation | Select Perform. |
| Access Token Signature Algorithm | If using JWT access tokens: PS256, ES256 or EdDSA. |
| Supported Scopes | Include a scope with the FAPI2 MS Auth Req attribute (fapi2 / ms-authreq). |
| JWK Set / JWK Set Endpoint URI | If using JWK Set for JWT access token signing: set JWK set or an https URI to the JWK set. |
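As an added example (not Authlete's own code), a Python pre-check an authorization server could run on an incoming PAR request object against the constraints in the table above: permitted signing algorithms, a required nbf claim, and audience validation against the server's own identifier. The JWS segments, key id, client id and URLs are constructed; signature verification is assumed to happen separately (as Authlete does) and is not performed here.

```python
import base64
import json
# Constraints taken from this page's Service Configuration table
# (Authlete 2.x, FAPI2 MS Auth Req): signing algorithm, nbf, audience.
ALLOWED_ALGS = {"PS256", "ES256", "EdDSA"}

def _b64url_decode(segment: str) -> bytes:
    """Decode one base64url JWS segment, restoring the stripped '=' padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def check_request_object(request_object: str, expected_aud: str) -> list:
    """Return the policy violations for a PAR request object ([] means compliant).
    Signature verification is assumed done elsewhere; only header/claim policy is checked."""
    parts = request_object.split(".")
    if len(parts) != 3:
        return ["request object is not a compact JWS (expected 3 segments)"]
    try:
        header = json.loads(_b64url_decode(parts[0]))
        claims = json.loads(_b64url_decode(parts[1]))
    except ValueError:
        return ["header or payload is not base64url-encoded JSON"]
    problems = []
    alg = header.get("alg")
    if alg not in ALLOWED_ALGS:
        problems.append(f"alg {alg!r} is not one of {sorted(ALLOWED_ALGS)}")
    if not isinstance(claims.get("nbf"), int):  # service setting: nbf Claim = Required
        problems.append("nbf claim is missing")
    aud = claims.get("aud")  # service setting: Audience Validation = Perform
    if expected_aud not in (aud if isinstance(aud, list) else [aud]):
        problems.append(f"aud {aud!r} does not name the authorization server {expected_aud!r}")
    return problems

# Constructed samples; the third segment is a placeholder, not a real signature.
AS_ISSUER = "https://as.example.com"  # assumed authorization server identifier
GOOD_REQUEST_OBJECT = ".".join([
    _b64url_encode({"alg": "PS256", "kid": "client-key-1"}),
    _b64url_encode({"iss": "client-123", "client_id": "client-123", "aud": AS_ISSUER,
                    "nbf": 1700000000, "exp": 1700000300, "response_type": "code",
                    "redirect_uri": "https://client.example.com/cb", "scope": "openid"}),
    "placeholder-signature",
])
BAD_REQUEST_OBJECT = ".".join([  # RS256 header, no nbf, audience is another server
    _b64url_encode({"alg": "RS256"}),
    _b64url_encode({"aud": "https://other.example.com", "response_type": "code"}),
    "placeholder-signature",
])
```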
Client Configuration (2.x)
| Property | Description |
|---|---|
| Client Type | CONFIDENTIAL. |
| Grant Types | Include AUTHORIZATION_CODE. |
| Response Types | Include CODE. |
| Redirect URIs | At least one redirect URI. |
| Client Authentication Method | PRIVATE_KEY_JWT. |
| Assertion Signature Algorithm | PS256, ES256 or EdDSA. |
| ID Token Signature Algorithm | If ID tokens are issued and signed: any algorithm other than NONE. |
| ID Token Encryption Algorithm | If ID tokens are issued and encrypted: any algorithm other than RSA1_5. |
| JWK Set Content / JWK Set URI | If used: JWK set or an https URI for client assertion signing. |
API Call Example (2.x)
The authorization server calls Authlete APIs in the same way as in 3.0. Example: when the client sends a valid PAR request with a signed request object and client assertion, the server forwards the parameters to /api/pushed_auth_req (or the 2.x equivalent endpoint). A successful response contains requestUri and responseContent (with expires_in and request_uri).
For full request/response examples for /pushed_auth_req, /auth/authorization, /auth/authorization/issue, /auth/token, and /auth/introspection, see the FAPI 2.0 Message Signing – Signing Authorization Requests (3.0) page; the same flow and API usage apply to Authlete 2.x (2.3+).