curityio · gary-archer · Jun 24, 2025 · Jun 23, 2025 · Jun 23, 2025 · Jun 24, 2025
diff --git a/DEPLOYMENT.md b/DEPLOYMENT.md
@@ -18,9 +18,6 @@ Edit your `/etc/hosts` file and add these entries:
 127.0.0.1 www.product.example bff.product.example login.example.com
 ```
 
-Download a [Trial License](https://developer.curity.io/free-trial) from the developer portal with access to the applications / token handler feature.\
-Rename it to `license.json` and copy it into the root folder of this project.
-
 Use the [Curity developer portal](https://developer.curity.io/releases/token-handler) to download one of the OAuth Proxy zip files to the root folder of this project:
 
 - [Kong OAuth Proxy 2.0.0+](https://developer.curity.io/releases/token-handler?proxy=kong)
@@ -39,6 +36,9 @@ Two example deployments are provided, to explain the moving parts of the end-to-
 
 ### Scenario 1: SPA uses an External Authorization Server
 
+Download a [Trial License](https://developer.curity.io/free-trial) from the developer portal with access to the `applications` feature.\
+Rename the file to `license.json` and copy it into the root folder of this project.
+
 An instance of Keycloak acts as the external authorization server that issues RS256 JWTs as access tokens.\
 The OAuth Agent is deployed as a stateless API that issues cookies to the SPA.\
 Choose an OAuth proxy type of `kong`, `openresty` or `nginx`:
@@ -58,7 +58,19 @@ Wait a few minutes for components to come up and then access components:
 
 ### Scenario 2: SPA uses the Curity Identity Server as the Authorization Server
 
-The Curity Identity Server issues opaque access tokens.\
+Download a [Trial License](https://developer.curity.io/free-trial) from the developer portal with access to the following features.\
+Rename the file to `license.json` and copy it into the root folder of this project.
+
+- applications
+- financial-grade
+
+The Curity Identity Server deployment demonstrates the following additional features.
+
+- Opaque access tokens that help to ensure small cookies.
+- JWT client assertions as an OAuth client credential.
+- Pushed authorization requests (PAR).
+- JWT Secured Authorization Response Mode (JARM).
+
 A single instance of the Docker deployment acts as both authorization server and OAuth Agent.\
 Choose an OAuth proxy type of `kong`, `openresty` or `nginx`:
 

diff --git a/deploy.sh b/deploy.sh
@@ -2,14 +2,6 @@
 
 cd "$(dirname "${BASH_SOURCE[0]}")"
 
-#
-# Check that a valid license is available
-#
-./validate-license.sh
-if [ $? -ne 0 ]; then
-  exit 1
-fi
-
 #
 # Validate input
 #
@@ -23,6 +15,14 @@ if [ "$OAUTH_PROXY_TYPE" != 'kong' ] && [ "$OAUTH_PROXY_TYPE" != 'openresty' ] &
   exit 1
 fi
 
+#
+# Check that a valid license is available
+#
+./validate-license.sh
+if [ $? -ne 0 ]; then
+  exit 1
+fi
+
 #
 # Dot source a script that creates environment variables used by the docker compose deployment
 #

diff --git a/deployments/curity/apigateway/kong/Dockerfile b/deployments/curity/apigateway/kong/Dockerfile
@@ -2,7 +2,7 @@ FROM kong/kong:3.9-ubuntu
 
 USER root
 RUN apt-get update
-RUN apt-get install -y git unzip
+RUN apt-get install -y git unzip wget
 
 #
 # Install luarocks, and set git options if required
@@ -20,4 +20,4 @@ RUN cd /tmp/oauth-proxy && luarocks make oauth-proxy-*.rockspec \
 #
 # Install the Phantom Token plugin and its dependencies
 #
-RUN luarocks install kong-phantom-token 2.0.0
+RUN luarocks install kong-phantom-token 2.0.1
diff --git a/deployments/curity/idsvr/config-backup.xml b/deployments/curity/idsvr/config-backup.xml
@@ -305,11 +305,10 @@
                 </user-authentication>
                 <capabilities>
                   <code>
+                    <require-pushed-authorization-requests></require-pushed-authorization-requests>
                   </code>
                 </capabilities>
-                <use-pairwise-subject-identifiers>
-                  <sector-identifier>spa-client</sector-identifier>
-                </use-pairwise-subject-identifiers>
+                <require-secured-authorization-response/>
                 <validate-port-on-loopback-interfaces>true</validate-port-on-loopback-interfaces>
               </client>
               <client>

diff --git a/deployments/external/apigateway/kong/Dockerfile b/deployments/external/apigateway/kong/Dockerfile
@@ -2,7 +2,7 @@ FROM kong/kong:3.9-ubuntu
 
 USER root
 RUN apt-get update
-RUN apt-get install -y git unzip
+RUN apt-get install -y git unzip wget
 
 #
 # Install luarocks, and set git options if required

diff --git a/validate-license.sh b/validate-license.sh
@@ -28,8 +28,23 @@ fi
 LICENSE_DATA=$(cat './license.json')
 LICENSE_JWT=$(echo $LICENSE_DATA | jq -r .License)
 LICENSE_PAYLOAD=$(base64url_decode $(echo $LICENSE_JWT | cut -d '.' -f 2))
-APPLICATIONS_FEATURE=$(echo $LICENSE_PAYLOAD | jq -r '.Features[]  | select(.feature == "applications")')
-if [ "$APPLICATIONS_FEATURE" == '' ]; then
+
+#
+# Check for token handler permissions
+#
+FEATURE=$(echo $LICENSE_PAYLOAD | jq -r '.Features[]  | select(.feature == "applications")')
+if [ "$FEATURE" == '' ]; then
   echo 'The license.json file does not include the applications feature'
   exit 1
 fi
+
+#
+# For Curity deployments, check for the financial grade package
+#
+if [ "$DEPLOYMENT" == 'curity' ]; then
+  FEATURE=$(echo $LICENSE_PAYLOAD | jq -r '.Features[]  | select(.feature == "financial-grade")')
+  if [ "$FEATURE" == '' ]; then
+    echo 'The license.json file does not include the financial-grade feature'
+    exit 1
+  fi
+fi