Keycloak FAPI Compliance: A New Milestone for Financial-Grade Security

The recent certification of Keycloak as a FAPI OpenID Provider marks a significant step forward for financial-grade security in the world of identity and access management. As a result, Keycloak is now officially able to be used in highly confidential financial-based deployments. In this blog post, we will discuss the importance of FAPI, the role of the FAPI Working Group in Keycloak’s certification, and the impact this achievement will have on the financial industry.

Understanding FAPI and Its Importance in the Financial Industry

What is FAPI?

FAPI, or Financial-grade API, is a set of technical security specifications designed to ensure the highest level of protection for sensitive financial data when accessed through APIs. Developed by the OpenID Foundation, FAPI is designed to provide a robust and secure framework for online financial services, such as Open Banking and other financial ecosystems.

As a growing number of financial institutions and fintech companies move towards API-driven architectures, FAPI compliance has become a critical requirement to ensure that these organizations can safely and securely handle sensitive financial data while providing innovative services to their customers.

How FAPI Ensures Security in Financial Applications

FAPI provides a comprehensive set of security requirements and best practices for API-based financial applications. These requirements address key security concerns, such as strong authentication, data encryption, and secure API communication. By adhering to FAPI specifications, financial service providers can ensure that their APIs are secure, reliable, and resistant to common attack vectors.

Some of the critical security features provided by FAPI include:

  1. Strong customer authentication: FAPI requires financial service providers to implement multi-factor authentication mechanisms to ensure that only authorized users can access sensitive financial data.
  2. Data protection: FAPI mandates the use of encryption for sensitive data, both in transit and at rest, to protect against unauthorized access and data breaches.
  3. Secure API communication: FAPI specifies the use of Mutual-TLS, JSON Web Token (JWT) signing, and other secure communication protocols to ensure the integrity and confidentiality of API requests and responses.

Keycloak: Officially Certified as a FAPI OpenID Provider

FAPI 1 Advanced Final (Generic) Provider Certification

Keycloak, a widely-used open-source identity and access management solution, has recently achieved FAPI 1 Advanced Final (Generic) Provider certification. This certification validates Keycloak’s compliance with all the matrix combinations for the generic profile, enabling Keycloak clients to use PAR, JARM, and client authentication based on Mutual-TLS or JSON Web Token signed by a private key.

This achievement signifies that Keycloak is now officially recognized as a secure and reliable solution for identity and access management in the financial sector, paving the way for its adoption in various financial ecosystems, such as Open Banking, Open Finance, and Consumer Data Rights (CDR).

Keycloak’s Compliance with Matrix Combinations

The FAPI 1 Advanced Final (Generic) certification requires that Keycloak complies with all matrix combinations of FAPI features, ensuring that it can support various combinations of secure communication protocols and authentication mechanisms. This flexibility allows Keycloak to be easily integrated into a wide range of financial applications and environments, catering to the diverse security requirements of different financial service providers.

Keycloak’s Progress in FAPI CIBA and OpenID Connect Core Certifications

Compliance with FAPI CIBA

In addition to its FAPI 1 Advanced Final (Generic) certification, Keycloak is also compliant with the FAPI Client-Initiated Backchannel Authentication (CIBA) specification. CIBA is a secure authentication protocol that enables financial service providers to authenticate end-users through out-of-band mechanisms, such as mobile devices or biometric authentication. This compliance demonstrates Keycloak’s commitment to providing cutting-edge security features for the financial industry.

While Keycloak has already achieved FAPI CIBA compliance, the team is currently working towards obtaining official certification to further strengthen its position as a leading identity and access management solution in the financial sector.

Plans to Re-Certify with OpenID Connect Core and Highlights of Keycloak’s Conformance Test Achievements

In addition to its FAPI certification, Keycloak aims to re-certify with the OpenID Connect Core specification, ensuring that its implementation stays up-to-date with the latest security requirements. The kc-fapi-sig repository has facilitated the automated conformance test run environment for Keycloak, allowing it to remain compliant with industry standards.

The current testing environment utilizes Keycloak version 20.0.0 and Conformance-suite version release-v5.0.6. Keycloak 15.0.2 has achieved numerous certifications for various conformance profiles, showcasing its commitment to providing cutting-edge security features in identity and access management.

Some of Keycloak’s notable achievements in conformance testing include:

  • FAPI 1.0 Advanced (Final): Keycloak 15.0.2 is certified for all eight conformance profiles of FAPI 1 Advanced Final (Generic).
  • FAPI-CIBA (Implementer’s Draft): Keycloak 15.0.2 is certified for all four conformance profiles of the Financial-grade API Client Initiated Backchannel Authentication Profile (FAPI-CIBA).
  • Open Finance Brasil FAPI 1.0 (formerly Open Banking Brasil FAPI 1.0): Keycloak 15.0.2 is certified for eight conformance profiles, except for Dynamic Client Registration (DCR).
  • Australia Consumer Data Right (CDR): Keycloak 15.0.2 is certified for all two conformance profiles of Australia CDR (based on FAPI 1 Advanced Final).
  • UK Open Banking: Keycloak is compliant with the relevant requirements and is currently working to achieve certification.
  • OpenID Connect: OpenID Providers: Keycloak 18.0.0 has re-achieved certification for six conformance profiles, except for the 3rd Party-Init OP.
  • OpenID Connect: OpenID Providers for Logout Profile: Keycloak 18.0.0 is certified for all four conformance profiles.

It’s important to note that the Session OP and Front-Channel OP of OpenID Provider for Logout Profile conformance tests cannot be automated. These tests can be passed manually.

Keycloak’s ongoing efforts to maintain certifications for a range of conformance profiles demonstrate its dedication to providing a secure and reliable identity and access management solution for various industries, including finance, healthcare, and government services. By staying up-to-date with industry standards and certifications, Keycloak remains a trusted choice for organizations seeking robust security and compliance in their IAM solutions.

The Role of the FAPI Working Group in Keycloak’s Certification

Contributions from FAPI Working Group Members

Keycloak’s FAPI certification would not have been possible without the valuable contributions from the FAPI Working Group. Members of this group have contributed numerous features related to FAPI, including Client Policies, CIBA, PAR, JARM, and others. These contributions have significantly enhanced Keycloak’s security capabilities and enabled it to meet the rigorous requirements of the FAPI specification.

Future Plans for FAPI-related Standards and Certifications

The FAPI Working Group is continuously working to develop new standards and certifications for financial-grade security. As the financial industry evolves, new security challenges and requirements will emerge, necessitating further advancements in FAPI and related specifications. The Keycloak team is committed to staying at the forefront of these developments and plans to obtain additional certifications as they become available.

For those interested in contributing to Keycloak’s FAPI support, the FAPI Working Group is open to anyone and welcomes new members. By joining this community-driven effort, you can help shape the future of financial-grade security in the world of identity and access management.

Keycloak’s Track Record in Conformance Testing

Conformance Test Results for Keycloak Versions

To ensure ongoing compliance with industry standards, the Keycloak team regularly checks whether new Keycloak versions pass conformance tests that older versions could pass. This process helps identify potential security issues and ensures that Keycloak remains a reliable and secure solution for identity and access management across various industries.

Ensuring Ongoing Compliance with Industry Standards

Keycloak’s commitment to ongoing conformance testing demonstrates the team’s dedication to maintaining the highest level of security and reliability across different Keycloak versions. By continually validating conformance with established standards, such as FAPI, OpenID Connect Core, and CIBA, Keycloak ensures that it remains a trusted solution for organizations in the financial industry and beyond.

The Impact of Keycloak’s FAPI Certification on the Financial Industry

Greater Security and Confidence in Financial Deployments

Keycloak’s FAPI certification brings a new level of security and confidence to financial institutions and fintech companies looking to implement robust identity and access management solutions. With its FAPI compliance, Keycloak can now be used in highly sensitive financial deployments, providing strong authentication, data protection, and secure API communication.

Organizations that choose Keycloak for their identity and access management needs can trust that they are implementing a solution that meets the rigorous security requirements of the financial industry. This trust translates into increased confidence in the security and reliability of their financial services, ultimately benefiting end-users and the broader financial ecosystem.

Expanding Opportunities for Keycloak in the Financial Sector

The FAPI certification has opened up new opportunities for Keycloak in the financial sector, as more organizations recognize the value of a FAPI-compliant identity and access management solution. Keycloak’s flexibility and robust security features make it an ideal choice for financial institutions, payment service providers, and fintech companies that require a secure and reliable IAM solution to support their API-driven architectures.

As the financial industry continues to embrace digital transformation and API-driven services, the demand for secure and compliant identity and access management solutions will only grow. Keycloak’s FAPI certification positions it as a leading choice for organizations seeking to adopt the highest level of security for their financial applications and services.


Keycloak’s FAPI certification marks a significant milestone in the world of identity and access management, demonstrating its commitment to providing secure and reliable solutions for the financial industry. As more organizations embrace digital transformation and API-driven architectures, Keycloak’s FAPI compliance ensures that it remains a trusted and innovative solution for identity and access management in the financial sector and beyond.

By staying at the forefront of industry standards and certifications, Keycloak continues to evolve and adapt to the changing needs of the financial industry, providing organizations with the tools they need to protect sensitive financial data and deliver secure, innovative services to their customers.