FAPI 2.0 Security Profile

Compliance validation helpers for the FAPI 2.0 Security Profile.

Constants

FAPI2_ALLOWED_SIGNING_ALGORITHMS = frozenset({'PS256', 'ES256'})  (module attribute)

FAPI2_REQUIRED_PKCE_METHOD = 'S256'  (module attribute)

FAPI2_REQUIRED_RESPONSE_TYPE = 'code'  (module attribute)

Validation Result

FAPIValidationResult(violations=list())  (dataclass)

Result of a FAPI 2.0 compliance check.

is_compliant is derived from violations — it is True when violations is empty. It cannot be set directly.

Validation Functions

validate_fapi_authorization_request(*, response_type, code_challenge, code_challenge_method, redirect_uri, use_par, algorithm=None)

Validate an authorization request against FAPI 2.0 requirements.

All parameters are keyword-only to prevent positional argument mistakes.

Parameters:

  response_type (str, required)
      OAuth 2.0 response type.
  code_challenge (str | None, required)
      PKCE code challenge value.
  code_challenge_method (str | None, required)
      PKCE method (must be "S256").
  redirect_uri (str, required)
      The redirect URI (must use https).
  use_par (bool, required)
      Whether PAR is being used.
  algorithm (str | None, default None)
      Signing algorithm for JAR/DPoP (validated if provided).

Returns:

  FAPIValidationResult
      FAPIValidationResult with compliance status and any violations.

validate_fapi_client_config(*, auth_method, use_dpop=False, use_mtls=False)

Validate client configuration against FAPI 2.0 requirements.

Parameters:

  auth_method (str | None, required)
      Token endpoint authentication method (e.g. "private_key_jwt" or "tls_client_auth"). None means public client (no authentication).
  use_dpop (bool, default False)
      Whether DPoP sender-constraining is enabled.
  use_mtls (bool, default False)
      Whether mTLS sender-constraining is enabled.

Returns:

  FAPIValidationResult
      FAPIValidationResult with compliance status and any violations.

validate_fapi_discovery(discovery)

Validate a discovery document for FAPI 2.0 server support.

Checks that the authorization server advertises capabilities required by FAPI 2.0. When optional metadata fields are absent, RFC 8414 §2 and OIDC Discovery §3 defaults are assumed.

Parameters:

  discovery (DiscoveryDocumentResponse, required)
      A discovery document response.

Returns:

  FAPIValidationResult
      FAPIValidationResult with compliance status and any violations.