Description
The current Postman collection for the eSignet Thunder identity provider only covers the standard OAuth 2.0 / OIDC authorization code flow. However, the codebase has already implemented three FAPI (Financial-grade API) related features that are not yet reflected in the collection:
- PAR (Pushed Authorization Requests) – RFC 9126
- DPoP (Demonstrating Proof-of-Possession) – RFC 9449
- Authorization Server Issuer Identifier – RFC 9207
Since these endpoints/parameters are not present in the Postman collection, there is currently no easy way to manually verify or regression-test the FAPI-compliant flow alongside the existing simple OIDC flow. This gap needs to be closed so that both flows (with and without FAPI) can be validated end-to-end.
Implementation Details
- Add a new PAR request call to the collection:
- with client authentication (private_key_jwt / client_secret_basic, as applicable)
- Capture the returned
request_uri and expires_in into collection/environment variables
- Update the Authorization endpoint request to support:
- Using the
request_uri obtained from PAR instead of passing all params inline
- Toggling between PAR-based and standard authorization requests (folder or variable-driven)
- Add DPoP support:
- Generate a DPoP proof JWT (JWK thumbprint,
htm, htu, iat, jti claims) — via Postman pre-request script or a helper request
- Attach the
DPoP header to the token request and to resource/userinfo requests
- Add a request variant for the token endpoint with DPoP-bound access tokens
- Add a request demonstrating a DPoP-bound token used at the UserInfo/resource endpoint
- Add validation for Auth Server Issuer Identifier:
- Add/verify the
iss parameter is returned on the authorization response redirect
- Add a test script assertion confirming
iss matches the expected authorization server identifier
- Add a check against
.well-known/openid-configuration to confirm authorization_response_iss_parameter_supported (or equivalent) is advertised
- Organize the collection into two clearly separated folders/environments:
- Standard OIDC flow (existing, unchanged)
- FAPI-compliant flow (PAR + DPoP +
iss validation)
- Add/update Postman environment variables (client keys, JWK, DPoP key pair, PAR endpoint URL, etc.)
- Add test scripts (Postman
pm.test) for each new request to assert correct status codes, response schema, and required headers/claims
- Update collection-level documentation/README describing how to run both flows
Definition of Done
Related Tickets/PRs
Description
The current Postman collection for the eSignet Thunder identity provider only covers the standard OAuth 2.0 / OIDC authorization code flow. However, the codebase has already implemented three FAPI (Financial-grade API) related features that are not yet reflected in the collection:
Since these endpoints/parameters are not present in the Postman collection, there is currently no easy way to manually verify or regression-test the FAPI-compliant flow alongside the existing simple OIDC flow. This gap needs to be closed so that both flows (with and without FAPI) can be validated end-to-end.
Implementation Details
request_uriandexpires_ininto collection/environment variablesrequest_uriobtained from PAR instead of passing all params inlinehtm,htu,iat,jticlaims) — via Postman pre-request script or a helper requestDPoPheader to the token request and to resource/userinfo requestsissparameter is returned on the authorization response redirectissmatches the expected authorization server identifier.well-known/openid-configurationto confirmauthorization_response_iss_parameter_supported(or equivalent) is advertisedissvalidation)pm.test) for each new request to assert correct status codes, response schema, and required headers/claimsDefinition of Done
Related Tickets/PRs