Skip to content

eSignet-Thunder:[TASK] Update eSignet Postman Collection to Support FAPI (PAR,PKCE DPoP, Auth Server Issuer Identifier) #2139

Description

@rachik-hue

Description

The current Postman collection for the eSignet Thunder identity provider only covers the standard OAuth 2.0 / OIDC authorization code flow. However, the codebase has already implemented three FAPI (Financial-grade API) related features that are not yet reflected in the collection:

  1. PAR (Pushed Authorization Requests) – RFC 9126
  2. DPoP (Demonstrating Proof-of-Possession) – RFC 9449
  3. Authorization Server Issuer Identifier – RFC 9207

Since these endpoints/parameters are not present in the Postman collection, there is currently no easy way to manually verify or regression-test the FAPI-compliant flow alongside the existing simple OIDC flow. This gap needs to be closed so that both flows (with and without FAPI) can be validated end-to-end.

Implementation Details

  • Add a new PAR request call to the collection:
    • with client authentication (private_key_jwt / client_secret_basic, as applicable)
    • Capture the returned request_uri and expires_in into collection/environment variables
  • Update the Authorization endpoint request to support:
    • Using the request_uri obtained from PAR instead of passing all params inline
    • Toggling between PAR-based and standard authorization requests (folder or variable-driven)
  • Add DPoP support:
    • Generate a DPoP proof JWT (JWK thumbprint, htm, htu, iat, jti claims) — via Postman pre-request script or a helper request
    • Attach the DPoP header to the token request and to resource/userinfo requests
    • Add a request variant for the token endpoint with DPoP-bound access tokens
    • Add a request demonstrating a DPoP-bound token used at the UserInfo/resource endpoint
  • Add validation for Auth Server Issuer Identifier:
    • Add/verify the iss parameter is returned on the authorization response redirect
    • Add a test script assertion confirming iss matches the expected authorization server identifier
    • Add a check against .well-known/openid-configuration to confirm authorization_response_iss_parameter_supported (or equivalent) is advertised
  • Organize the collection into two clearly separated folders/environments:
    • Standard OIDC flow (existing, unchanged)
    • FAPI-compliant flow (PAR + DPoP + iss validation)
  • Add/update Postman environment variables (client keys, JWK, DPoP key pair, PAR endpoint URL, etc.)
  • Add test scripts (Postman pm.test) for each new request to assert correct status codes, response schema, and required headers/claims
  • Update collection-level documentation/README describing how to run both flows

Definition of Done

  • Postman collection includes working requests for PAR, DPoP, and Auth Server Issuer Identifier
  • Both the standard OIDC flow and the FAPI flow can be executed successfully end-to-end from the collection
  • Automated test scripts pass for all new/updated requests
  • Collection is validated against a running eSignet Thunder instance with FAPI features enabled
  • Collection is validated against a configuration with FAPI features disabled (backward compatibility confirmed)
  • Documentation/README updated with setup and usage instructions for both flows
  • Collection exported and committed to the repository (with environment file, secrets excluded/templated)
  • Peer review and sign-off from at least one other team member

Related Tickets/PRs


Metadata

Metadata

Assignees

Labels

Type

Fields

No fields configured for Task.

Projects

No projects

Relationships

None yet

Development

No branches or pull requests

Issue actions