---
title: FapiDcrFilterChain
description: Configure FapiDcrFilterChain in PingGateway to validate DCR requests and enforce FAPI 1.0 Baseline and Advanced compliance for OAuth 2.0 clients
component: pinggateway
version: 2026
page_id: pinggateway:reference:FapiDcrFilterChain
canonical_url: https://docs.pingidentity.com/pinggateway/2026/reference/FapiDcrFilterChain.html
revdate: 2025-06-29T16:46:29Z
section_ids:
  usage: Usage
  properties: Properties
  example: Example
  get_the_client_certificate: Get the client certificate
  from_https: From HTTPS
  from_a_client_cert_trusted_header: From a Client-Cert trusted header
  from_an_nginx_trusted_header: From an NGINX trusted header
  from_an_envoy_or_istio_trusted_header: From an Envoy or Istio trusted header
  more_information: More information
---

# FapiDcrFilterChain

A filter chain to validate dynamic client registration (DCR) requests and make sure they produce OAuth 2.0 clients that comply with the following FAPI specifications:

* [Financial-grade API Security Profile 1.0 - Part 1: Baseline](https://openid.net/specs/openid-financial-api-part-1-1_0.html#authorization-server)

* [Financial-grade API Security Profile 1.0 - Part 2: Advanced](https://openid.net/specs/openid-financial-api-part-2-1_0.html)

Put this filter before other filters to reject requests that would result in creating an OAuth 2.0 client that doesn't comply with the FAPI specifications.

## Usage

```none
{
    "name": string,
    "type": "FapiDcrFilterChain",
    "config": {
        "forwardedHost": string,
        "clientId": runtime expression<string>,
        "clientCertificate": runtime expression<certificate>,
        "jwkSetService": JwkSetService reference,
        "trustedDirectoryService": TrustedDirectoryService reference,
        "apiClientService": ApiClientService reference,
        "apiClientOrgService": ApiClientOrgService reference,
        "auditService": AuditService reference,
        "skewAllowance": configuration expression<duration>,
        "supportedSigningAlgorithms": [ configuration expression<string>, ... ],
        "supportedTokenEndpointAuthMethods": [ configuration expression<string>, ... ],
        "registrationObjectSigningFieldNames": [ configuration expression<string>, ... ],
        "allowPingIssuedTestCerts": configuration expression<boolean>
    }
}
```

## Properties

* `"forwardedHost"`: *[string](preface.html#definition-string), required*

  The forwarded host added to the endpoint request.

* `"clientId"`: *runtime expression<[string](preface.html#definition-string)>, required*

  The client ID. The filter evaluates this for every request.

* `"clientCertificate"`: *runtime expression<[certificate](preface.html#definition-certificate)>, required*

  The client TLS certificate, often found in the request as shown in the examples that follow. The filter evaluates this for every request.

* `"jwkSetService"`: *JwkSetService [reference](preface.html#definition-reference), required*

  The [CachingJwkSetService](CachingJwkSetService.html) to retrieve keys for the OAuth 2.0 client.

* `"trustedDirectoryService"`: *TrustedDirectoryService [reference](preface.html#definition-reference), required*

  The [TrustedDirectoryService](TrustedDirectoryService.html) referencing the [TrustedDirectory](TrustedDirectory.html) that issues the OAuth 2.0 software statements and their certificates for API clients and providers.

* `"apiClientService"`: *ApiClientService [reference](preface.html#definition-reference), required*

  The `ApiClientService` to retrieve the API client, such as an [IdmApiClientService](IdmApiClientService.html).

* `"apiClientOrgService"`: *ApiClientOrgService [reference](preface.html#definition-reference), required*

  The `ApiClientOrgService` to retrieve the API organizations, such as an [IdmApiClientOrganisationService](IdmApiClientOrganisationService.html).

* `"auditService"`: *AuditService [reference](preface.html#definition-reference), optional*

  The [AuditService](AuditService.html) to record audit events. Provide either the name of an AuditService object defined in the heap or an inline AuditService configuration object.

  Default: No audit service.

* `"skewAllowance"`: *configuration expression<[duration](preface.html#definition-duration)>, optional*

  The skew to allow when validating time-based claims.

  Default: 5 seconds

* `"supportedSigningAlgorithms"`: *array of configuration expression<[strings](preface.html#definition-string)>, optional*

  JSON Web Signature (JWS) algorithms supported for signing.

  PingGateway uses this to validate the registration request object (JWT) `alg` header and to configure the signing algorithms for the OAuth 2.0 client.

  Default: `ES256`, `PS256`

* `"supportedTokenEndpointAuthMethods"`: *array of configuration expression<[strings](preface.html#definition-string)>, optional*

  The supported OAuth 2.0 `token_endpoint_auth_method` values.

  Default: `private_key_jwt`, `self_signed_tls_client_auth`, `tls_client_auth`

* `"registrationObjectSigningFieldNames"`: *array of configuration expression<[strings](preface.html#definition-string)>, optional*

  Registration request fields to validate against the `"supportedSigningAlgorithms"`.

  Default: `id_token_signed_response_alg`, `request_object_signing_alg`, `token_endpoint_auth_signing_alg`

* `"allowPingIssuedTestCerts"`: *configuration expression<[boolean](preface.html#definition-boolean)>, optional*

  Whether to permit use of a PingGateway-issued JWKSet for client TLS certificate validation.

  Default: `false`

## Example

The following example gets the client certificate from an `ssl-client-cert` header:

```json
{
    "name": "fapiDCRFilter",
    "type": "FapiDcrFilterChain",
    "config": {
        "forwardedHost": "&{as.fqdn}",
        "clientId": "${request.queryParams.client_id[0]}",
        "clientCertificate": "${pemCertificate(urlDecode(request.headers['ssl-client-cert'][0]))}",
        "jwkSetService": "jwkSetService",
        "trustedDirectoryService": "trustedDirectoryService",
        "apiClientService": "idmApiClientService",
        "apiClientOrgService": "idmApiClientOrgService"
    }
}
```

### Get the client certificate

This section shows how to get the client certificate in various situations.

#### From HTTPS

When PingGateway terminates transport layer security (TLS), use the certificate associated with the incoming HTTPS connection:

```none
"clientCertificate": "${contexts.client.certificates[0]}"
```

#### From a `Client-Cert` trusted header

When a proxy that uses the `Client-Cert` header fronts PingGateway and terminates TLS, it sends the client certificate in Distinguished Encoding Rules (DER) format.

The following example gets the certificate from the header:

```none
"clientCertificate": "${derCertificate(request.headers['Client-Cert'][0])}"
```

Learn more in [RFC 9440, Client-Cert HTTP Header Field](https://www.rfc-editor.org/rfc/rfc9440).

#### From an NGINX trusted header

When NGINX fronts PingGateway and terminates TLS, it can send the client certificate in a trusted header.

The following example uses `x-ssl-cert` as the trusted header. NGINX encodes the certificate in PEM format and URL-encodes the result:

```none
"clientCertificate": "${pemCertificate(urlDecode(request.headers['x-ssl-cert'][0]))}"
```

Learn more in the NGINX [Module ngx\_http\_ssl\_module](https://nginx.org/en/docs/http/ngx_http_ssl_module.html#variables) documentation.

#### From an Envoy or Istio trusted header

When Envoy or Istio fronts PingGateway and terminates TLS, it can send the client certificate in a field in a trusted header.

The following example uses `x-forwarded-client-cert` as the trusted header. Envoy puts the client certificate in the `Cert` field of the header value, encodes the certificate in Privacy-Enhanced Mail (PEM) format, and URL-encodes the result:

```none
"clientCertificate": "${pemCertificate(urlDecode(findGroups(request.headers['x-forwarded-client-cert'][0], 'Cert=([^;]+);?')[1]))}"
```

Learn more in the Envoy [x-forwarded-client-cert](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#x-forwarded-client-cert) documentation.
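Each `clientCertificate` expression above undoes a different header encoding. As an added example, not PingGateway code, the following Python models the three trusted-header formats (RFC 9440 `Client-Cert`, NGINX `x-ssl-cert`, Envoy/Istio `x-forwarded-client-cert`) with the standard library and normalizes each to DER, so the three routes can be checked against each other; the certificate, the `spiffe://` `By` value, the `Hash` and the `Subject` are constructed sample values.

```python
import base64
import re
from urllib.parse import quote, unquote

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)
XFCC_FIELD_RE = re.compile(r'(\w+)=("[^"]*"|[^;,]*)')  # key=value; value may be double-quoted

def _check_der(der: bytes) -> bytes:
    """A certificate is an ASN.1 SEQUENCE (tag 0x30); reject anything else early."""
    if not der or der[0] != 0x30:
        raise ValueError("decoded bytes are not an ASN.1 SEQUENCE")
    return der

def pem_to_der(pem: str) -> bytes:
    """Strip the PEM framing and base64-decode the body (the role of pemCertificate)."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("not a PEM certificate")
    return _check_der(base64.b64decode(re.sub(r"\s+", "", m.group(1)), validate=True))

def from_client_cert_header(value: str) -> bytes:
    """RFC 9440 Client-Cert: a Structured Field byte sequence, ':' + base64(DER) + ':'."""
    value = value.strip()
    if len(value) < 3 or value[0] != ":" or value[-1] != ":":
        raise ValueError("Client-Cert is not an sf-binary item")
    return _check_der(base64.b64decode(value[1:-1], validate=True))

def from_nginx_header(value: str) -> bytes:
    """NGINX $ssl_client_escaped_cert: URL-encoded PEM, i.e. pemCertificate(urlDecode(...))."""
    return pem_to_der(unquote(value))

def from_xfcc_header(value: str) -> bytes:
    """Envoy/Istio XFCC: first Cert field. Fields are ';'-separated and proxy elements
    ','-separated, but quoted values (Subject) may contain both, so match quote-aware."""
    for key, val in XFCC_FIELD_RE.findall(value):
        if key == "Cert":
            return pem_to_der(unquote(val.strip('"')))  # Envoy may double-quote the value
    raise ValueError("no Cert field in x-forwarded-client-cert")

# Constructed sample: a minimal ASN.1 SEQUENCE stands in for a real DER certificate, then
# the same bytes as each proxy would present them in its trusted header.
SAMPLE_DER = bytes.fromhex("3006020101020102")
SAMPLE_PEM = f"-----BEGIN CERTIFICATE-----\n{base64.b64encode(SAMPLE_DER).decode()}\n-----END CERTIFICATE-----\n"
HEADERS = {
    "Client-Cert": f":{base64.b64encode(SAMPLE_DER).decode()}:",
    "x-ssl-cert": quote(SAMPLE_PEM, safe=""),
    "x-forwarded-client-cert": 'By=spiffe://cluster.local/ns/default/sa/gateway;Hash=' + "ab" * 32
        + ';Subject="CN=Test Client,O=Example";Cert="' + quote(SAMPLE_PEM, safe="") + '"',
}
```

Whichever header you choose, PingGateway must be reachable only through the proxy that sets it; a header that a client can supply directly is not a trusted header.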

## More information

[org.forgerock.openig.fapi.dcr.FapiDcrFilterChainHeaplet](../_attachments/apidocs/org/forgerock/openig/fapi/dcr/FapiDcrFilterChainHeaplet.html)
