Red Hat 3scale API Management / THREESCALE-10973

Support Financial-grade API (FAPI) - Baseline profile

Details

    • Type: Feature Request
    • Resolution: Unresolved
    • Priority: Major
    • Component: Gateway
    • Sprint: RHOAM Sprint 57

    Description

      The resource server with the FAPI endpoints

      1. shall support the use of the HTTP GET method as in Section 4.3.1 of RFC7231;
      2. shall accept access tokens in the HTTP header as in Section 2.1 of OAuth 2.0 Bearer Token Usage RFC6750;
      3. shall not accept access tokens in the query parameters stated in Section 2.3 of OAuth 2.0 Bearer Token Usage RFC6750;
      4. shall verify that the access token is neither expired nor revoked;
      5. shall verify that the scope associated with the access token authorizes access to the resource it is representing;
      6. shall identify the associated entity to the access token;
      7. shall only return the resource identified by the combination of the entity implicit in the access and the granted scope and otherwise return errors as in Section 3.1 of RFC6750;
      8. shall encode the response in UTF-8 if applicable;
      9. shall send the Content-type HTTP header Content-Type: application/json if applicable;
      10. shall send the server date in HTTP Date header as in Section 7.1.1.2 of RFC7231;
      11. shall set the response header x-fapi-interaction-id to the value received from the corresponding FAPI client request header or to a RFC4122 UUID value if the request header was not provided to track the interaction, e.g., x-fapi-interaction-id: c770aef3-6784-41f7-8e0e-ff5f97bddb3a;
      12. shall log the value of x-fapi-interaction-id in the log entry; and
      13. shall not reject requests with a x-fapi-customer-ip-address header containing a valid IPv4 or IPv6 address.

      NOTE: While this document does not specify the exact method to obtain the entity associated with the access token and the granted scope, the protected resource can use OAuth Token Introspection RFC7662.

      Further, the resource server

      14. should support the use of Cross Origin Resource Sharing (CORS) [CORS] and or other methods as appropriate to enable JavaScript clients to access the endpoint if it decides to provide access to JavaScript clients.

      NOTE: Providing access to JavaScript clients has other security implications. Before supporting those clients RFC6819 should be consulted.


      APIcast already supports (1), (2), (3), (5), (6), (7), (8), (9) and (10).

      (4) is supported by the Token Introspection policy.

      (14) is also supported, by the CORS policy.

      TODO:

      [ ] 11 - Support x-fapi-interaction-id

      [ ] 12 - Log the value of x-fapi-interaction-id in the log entry

      [ ] 13 - Handle x-fapi-customer-ip-address header
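      One way the three outstanding items could be covered, as an added example that is not part of the APIcast code base or of this ticket: a hypothetical APIcast policy (the name fapi_baseline is made up) written against APIcast's Lua policy framework. It assumes the lua-resty-jit-uuid and lua-resty-ipmatcher libraries are available in the gateway image; the JSON error bodies are also this example's choice, not something the spec or APIcast prescribes.

```lua
-- Added example, not APIcast project code: a hypothetical "fapi_baseline"
-- policy covering FAPI Baseline resource-server items 11, 12 and 13.
-- Assumptions: APIcast's policy framework (apicast.policy) plus the
-- lua-resty-jit-uuid and lua-resty-ipmatcher libraries are installed.
local policy = require('apicast.policy')
local uuid = require('resty.jit-uuid')
local ipmatcher = require('resty.ipmatcher')

local _M = policy.new('fapi_baseline', '0.1')

local INTERACTION_ID = 'x-fapi-interaction-id'
local CUSTOMER_IP = 'x-fapi-customer-ip-address'

-- Module-level state is per nginx worker, so each worker seeds the UUID
-- PRNG once before minting its first id (unseeded output is predictable).
local seeded = false
local function ensure_seeded()
  if not seeded then
    uuid.seed()
    seeded = true
  end
end

-- ngx.req.get_headers() yields a table for a repeated header; normalise to
-- the first value so the checks below always operate on a string.
local function first_header(headers, name)
  local value = headers[name]
  if type(value) == 'table' then return value[1] end
  return value
end

-- parse_ipv4/parse_ipv6 return false on malformed input, a number/table otherwise.
local function is_ip_address(str)
  return ipmatcher.parse_ipv4(str) or ipmatcher.parse_ipv6(str)
end

local function reject(status, body)
  ngx.status = status
  ngx.header['Content-Type'] = 'application/json'
  ngx.say(body)
  return ngx.exit(status)
end

-- access phase: validate the inbound FAPI headers before the request is proxied.
function _M:access(context)
  local headers = ngx.req.get_headers()

  -- (13) A syntactically valid IPv4/IPv6 x-fapi-customer-ip-address must pass
  -- through untouched; only a malformed value is treated as a client error.
  local customer_ip = first_header(headers, CUSTOMER_IP)
  if customer_ip and not is_ip_address(customer_ip) then
    return reject(400, '{"error":"invalid_request","error_description":"x-fapi-customer-ip-address is not a valid IP address"}')
  end

  -- (11) Echo the client's interaction id, or mint an RFC 4122 v4 UUID if absent.
  -- Rejecting a present-but-malformed id is this example's hardening choice
  -- (it keeps arbitrary client bytes out of response headers and logs); the
  -- spec text itself only describes the "provided" and "not provided" cases.
  local interaction_id = first_header(headers, INTERACTION_ID)
  if interaction_id == nil then
    ensure_seeded()
    interaction_id = uuid.generate_v4()
  elseif not uuid.is_valid(interaction_id) then
    return reject(400, '{"error":"invalid_request","error_description":"x-fapi-interaction-id is not a valid UUID"}')
  end

  -- Forward the id upstream so the backend can correlate on the same value,
  -- and keep it in the per-request context for the later phases.
  ngx.req.set_header(INTERACTION_ID, interaction_id)
  context.fapi_interaction_id = interaction_id
end

-- header_filter phase: (11) the response carries the same id as the request.
function _M:header_filter(context)
  if context.fapi_interaction_id then
    ngx.header[INTERACTION_ID] = context.fapi_interaction_id
  end
end

-- log phase: (12) record the id alongside the outcome of the request.
function _M:log(context)
  if context.fapi_interaction_id then
    ngx.log(ngx.INFO, 'x-fapi-interaction-id=', context.fapi_interaction_id,
            ' status=', ngx.status, ' uri=', ngx.var.request_uri)
  end
end

return _M
```

      Two caveats for anyone wiring this up. The x-fapi-customer-ip-address value is asserted by the client, so the policy only checks that it parses as an address; it must not feed access decisions or rate limits in place of the real peer address. And because the id is also set on the response, it can be pulled into the NGINX access log through the standard $sent_http_x_fapi_interaction_id variable if a custom log format is preferred over the error-log line written in the log phase.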

      People

        rhn-support-atra An Tran