Practical Guide to FTN Compliance & the Criipto Compliance Checker

Criipto is now an approved broker in the Finnish Trust Network (FTN). This approval comes as FTN undergoes a major security upgrade, with the regulator Traficom implementing stricter privacy and security standards for everyone in the Finnish digital ecosystem.
All FTN integrations must meet the new standard by the end of 2025, so now is the time to assess what's needed for your applications.
As the first FTN broker to fully enforce the new requirements, we want to help our customers prepare. While this involves some work, we have made the process as straightforward as possible.
Introducing the FTN Compliance Checker
Keeping track of new technical requirements can be a challenge. That’s why we added an FTN Compliance Checker to the Criipto Dashboard.
The page gives you an overview of your Criipto Verify Applications’ compliance status against FTN requirements. Each technical requirement is broken down into a simple checklist of actionable steps, allowing you to quickly identify any missing settings or misconfigurations.
When all checks turn green, your application is correctly configured.
Verifying your configuration: the four requirements
The Compliance Checker is divided into four sections corresponding to the FTN requirements. For each requirement, we list the following:
- Dashboard Checks: settings we can verify for you.
- Application Code tasks: changes you must implement in your system.
Here is a breakdown:
1. Private Key JWT client authentication
Your application must be configured to use private_key_jwt for client authentication.
- Dashboard Checks:
  - Your application must be configured to use a static JWKS.
  - The client JWKS must contain a signing key.
- Application Code:
  - Your client application must use private_key_jwt client authentication towards the /token endpoint.
2. Authentication requests signing
Your application must sign all authorize requests and send them as JWT-Secured Authorization Requests (JARs). Note that the same key pair can be used for authentication request signing and Private Key JWT client authentication.
- Dashboard Checks:
  - Your application must be configured to use a static JWKS.
  - The client JWKS must contain a signing key.
- Application Code:
  - Your client application must sign all authorize requests to Criipto.
3. Encrypt token and userinfo responses
Your application must be able to receive encrypted tokens in the JSON Web Encryption (JWE) format.
- Dashboard Checks:
  - Your application must be configured to use a static JWKS.
  - The client JWKS must contain the encryption key.
  - The UserInfo response strategy must be set to signedAndEncryptedJWT.
  - The id_token response strategy must be set to signedAndEncryptedJWT.
- Application Code:
  - Your client application must receive and decrypt JWE.
4. Additional technical requirements
Finally, the checker ensures that other necessary settings are in place:
- Dashboard Checks:
  - Your application must be configured to use a static JWKS.
  - The static JWKS must contain distinct keys for signing and encryption.
- Application Code:
  - Your application must not use the legacy response_type=id_token in authorize requests.
Testing your implementation
When all Dashboard checks have turned green, you still need to update your application's code to handle these changes. Once that's ready, you can test your implementation by running test logins with the FTN requirements enforced.
Getting started
The FTN Compliance Checker provides a clear path to updating your applications to meet the new FTN standards.
To begin, log in to your Criipto Dashboard to access the checker and review your current application setup.
For detailed integration guides and code samples, explore the FTN Documentation.
And if you have any questions, please reach out to our support team via email or Slack.
Curious about the technical details?
If you want to learn more about the security principles behind the FTN updates, check out our other articles. They explain the "why" behind each change, from the importance of signing your requests to the privacy benefits of token encryption.
- On Client Authentication:
- On Request Signing:
- On JSON Web Encryption: