
Consumer Data Right FAPI 1.0 Advanced: Transition to Phase 4

This article provides an overview of SecureAuth configurations to comply with the Consumer Data Right (CDR) FAPI 1.0 Advanced Phase 4 profile requirements.

CDR FAPI 1.0 Advanced Alignment

The OIDF Financial-grade API (FAPI) security profile specifies security requirements for high risk API resources protected by the OAuth 2.0 Authorization Framework. CDR is adopting the FAPI specification to ensure the data holders and data recipients exchange data in the most secure way with appropriate consumer consents.

At a high level, in Phase 4 Data Holders may decide to retire the Hybrid Flow from 10 July 2023. Although there is no hard obligation on that date, ADRs should re-register and switch from the Hybrid Flow to the Authorization Code Flow without ID token encryption to complete the FAPI 1.0 Advanced transition.

Client Registration

ADRs should re-register and switch to the Authorization Code Flow without ID token encryption.

When using the Hybrid Flow, ID token encryption was mandatory; it is not required for the Authorization Code Flow because the ID token is exchanged over the secure back channel.

During re-registration, ADRs should use response_types: ["code"] and no longer provide id_token_encrypted_response_alg and id_token_encrypted_response_enc, as setting them results in the ID Token being encrypted.

SecureAuth Configuration Updates

Once all registered ADRs meet the new requirements, the Hybrid Flow can be disabled in SecureAuth authorization server OAuth settings.

This can be done in Settings -> OAuth by disabling all hybrid options under Allowed Response Types.

Figure: CDR - disable Hybrid Flow
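The two checks above, the per-ADR registration requirements under Client Registration and the "once all registered ADRs meet the new requirements" precondition for disabling the Hybrid Flow, can be automated before touching the OAuth settings. The Python below is an added example for this article, not SecureAuth tooling; it assumes client registrations are available as dicts keyed by the OIDC Dynamic Client Registration metadata names (response_types, id_token_encrypted_response_alg, id_token_encrypted_response_enc), and the sample registry it runs over is constructed.

```python
"""Audit client registrations for CDR FAPI 1.0 Advanced Phase 4 readiness.

Example code added to this article; not SecureAuth's own tooling. Assumes each
registration is a dict using OIDC Dynamic Client Registration metadata names.
"""

# Registration metadata that, when set, makes the authorization server encrypt
# the ID token (not required once the client is on the Authorization Code Flow).
ID_TOKEN_ENCRYPTION_KEYS = (
    "id_token_encrypted_response_alg",
    "id_token_encrypted_response_enc",
)


def phase4_issues(metadata: dict) -> list[str]:
    """Return the Phase 4 problems found in one client's registration metadata.

    An empty list means the registration already matches the Phase 4 target:
    response_types ["code"] only, and no ID token encryption requested.
    """
    issues: list[str] = []

    # A response_type is a space-separated set of tokens ("code id_token"),
    # so compare as sets to tolerate different token orders.
    response_types = [frozenset(rt.split()) for rt in metadata.get("response_types", [])]
    if not response_types:
        issues.append('response_types missing; must be ["code"]')
    for rt in response_types:
        if rt == {"code"}:
            continue
        label = " ".join(sorted(rt))
        if "id_token" in rt or "token" in rt:
            issues.append(f"hybrid/implicit response_type {label!r} still registered")
        else:
            issues.append(f"unexpected response_type {label!r}")

    for key in ID_TOKEN_ENCRYPTION_KEYS:
        if metadata.get(key):
            issues.append(f"{key}={metadata[key]!r} set; ID token would be encrypted")

    return issues


def clients_blocking_hybrid_retirement(registry: dict[str, dict]) -> dict[str, list[str]]:
    """Map client_id -> issues for every registration not yet at Phase 4.

    The Hybrid response types can be disabled in the authorization server only
    once this returns an empty dict.
    """
    return {cid: found for cid, md in registry.items() if (found := phase4_issues(md))}


# Constructed sample registry, not real ADR registrations.
SAMPLE_REGISTRY = {
    "adr-legacy": {
        "response_types": ["code id_token"],
        "id_token_encrypted_response_alg": "RSA-OAEP",
        "id_token_encrypted_response_enc": "A256GCM",
    },
    "adr-half-migrated": {
        "response_types": ["code"],
        "id_token_encrypted_response_alg": "RSA-OAEP",
        "id_token_encrypted_response_enc": "A256GCM",
    },
    "adr-phase4": {"response_types": ["code"]},
}


if __name__ == "__main__":
    blocking = clients_blocking_hybrid_retirement(SAMPLE_REGISTRY)
    if not blocking:
        print("All registrations are Phase 4 ready; Hybrid Flow can be disabled.")
    for client_id, found in blocking.items():
        print(client_id)
        for issue in found:
            print("  -", issue)
```

Running the audit against the constructed registry reports adr-legacy (still on "code id_token" plus encryption) and adr-half-migrated (Authorization Code Flow but encryption parameters left in place); only when the returned dict is empty is it safe to disable the hybrid options under Allowed Response Types.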