MEF 128 LSO API Security Profile
This document defines the security profile, security approaches and security architecture for LSO API security using OAuth2 and OIDC within either a centralized or federated identity provider framework.
The intended audience of this document is senior IT security professionals, in particular identity and security architects and compliance specialists implementing LSO APIs. This document is not a general reference on API security, but an LSO API-specific standard.
The document first defines the LSO API security architecture and the conformance requirements for that architecture. The standard then defines the following security components:
- JWT Best Practices for LSO API Security
- JWKS endpoints for cryptographic signatures and their verification
- Structure and conformance requirements for JWSs and JWEs
Standards published by MEF are intended for general distribution to the public and may be downloaded from this site and reproduced without charge. Any reproduction of MEF documents shall contain the following statement: "Reproduced with permission of MEF Forum." All rights granted to MEF under applicable copyright laws are expressly reserved. No permission is granted to any recipient or user of MEF publications to modify any of the information contained therein and MEF disclaims all responsibility and liability for such modifications.