From 7335e8a949f26e82b03c47ab98d2cc649f902ae7 Mon Sep 17 00:00:00 2001
From: Joseph Heenan <joseph@heenan.me.uk>
Date: Fri, 22 Dec 2023 18:35:40 +0900
Subject: [PATCH] Conform to FAPI-BR v2 security profile

id_tokens must be encrypted by default and contain an acr claim.
---
 .../com/authlete/jaxrs/server/api/OBBDCRProcessor.java     | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/src/main/java/com/authlete/jaxrs/server/api/OBBDCRProcessor.java b/src/main/java/com/authlete/jaxrs/server/api/OBBDCRProcessor.java
index 008b28f..853c176 100644
--- a/src/main/java/com/authlete/jaxrs/server/api/OBBDCRProcessor.java
+++ b/src/main/java/com/authlete/jaxrs/server/api/OBBDCRProcessor.java
@@ -28,6 +28,7 @@
 import java.net.URL;
 import java.text.ParseException;
 import java.util.ArrayList;
+import java.util.Arrays;
 import java.util.Date;
 import java.util.HashMap;
 import java.util.HashSet;
@@ -1015,6 +1016,12 @@ private void adjustClientMetadata(Map<String, Object> merged, Map<String, Object
         // "FAPI 1.0 Advanced" which requires certificate-bound access tokens.
         merged.putIfAbsent("tls_client_certificate_bound_access_tokens", Boolean.TRUE);
 
+        // the latest security profile ("v2") requires that id tokens are always encrypted
+        merged.putIfAbsent("id_token_encrypted_response_alg", "RSA-OAEP");
+        merged.putIfAbsent("id_token_encrypted_response_enc", "A256GCM");
+        // and that an acr value is always returned
+        merged.putIfAbsent("default_acr_values", Arrays.asList("urn:brasil:openbanking:loa3"));
+
         // Use some claims in the software statement as default values
         // for some standard claims. See also:
         //