Here are the main points of difference between the E2E and PROD itsme environments:
- The redirect_uri is not validated in E2E. In PROD the redirect_uri registered for your client is checked against the one sent in both the Authentication request and the Token request, so the value must match exactly. As a consequence, no dynamic redirect is allowed in production. If you need to carry a dynamic parameter, use the state/nonce parameters as described in our technical documentation (keep them unpredictable and bound to the user's session so they still protect against CSRF and replay);
- The Trustee (issuing CA) of your production certificate must be whitelisted on our F5. If you use one of the major CAs it is probably already listed, but it is worth sending us the Trustee name so we can double-check. Only OV or EV certificates are accepted; DV certificates are therefore not supported. You can recognise the type from the CA/Browser Forum policy OID in the certificate: 2.23.140.1.2.2 for OV and 2.23.140.1.1 for EV, while 2.23.140.1.2.1 marks a DV certificate;
- Do not whitelist our calling IP address: it will change over time, and the public/private keys used for signing and encryption already provide a sufficient level of security;
- Your production server should respond within 500 ms when we call your JWK Set (jwks_uri) endpoint and within 1500 ms when we call your request_uri.
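The first point above means the dynamic part of a post-login redirect cannot live in the redirect_uri. The following Python snippet is an added example (it is not itsme's code and the endpoint URL, the parameter names and the in-memory store are assumptions) of the pattern that works in PROD: the relying party keeps one static redirect_uri, generates a random one-time state, remembers the dynamic target server-side under that state, and resolves it on the callback. Because the state stays unguessable and is consumed once, it still does its CSRF and replay job while carrying the dynamic value.

```python
# Added example, not itsme's code. Carries a dynamic "where to go after login"
# target through the OIDC `state` parameter while the redirect_uri stays static.
# The endpoint URL, client names and the in-memory store are assumptions.
import secrets
import time
from typing import Dict, Optional
from urllib.parse import urlencode, urlparse, parse_qs

AUTHORIZE_ENDPOINT = "https://idp.example/authorize"   # placeholder, not itsme's real endpoint
REDIRECT_URI = "https://rp.example/itsme/callback"     # the single URI registered in PROD
STATE_TTL_SECONDS = 600

# state -> {"target": ..., "issued": ...}; in a real deployment this lives in
# the user's server-side session so a state can only be redeemed by its owner.
_pending: Dict[str, Dict] = {}


def _safe_target(target: str) -> bool:
    """Allow only same-site relative paths so the post-login hop cannot become an open redirect."""
    return target.startswith("/") and not target.startswith("//") and "\\" not in target


def build_authorization_url(client_id: str, target: str, now: Optional[float] = None) -> str:
    """Return the authorization URL; the dynamic target travels via a random one-time state."""
    if not _safe_target(target):
        raise ValueError("refusing to remember an off-site target")
    state = secrets.token_urlsafe(32)           # unguessable, so it still protects against CSRF
    _pending[state] = {"target": target, "issued": now if now is not None else time.time()}
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": REDIRECT_URI,           # must match the registered value byte for byte
        "scope": "openid profile",
        "state": state,
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def state_from_url(url: str) -> Optional[str]:
    """Extract the state parameter from an authorization or callback URL."""
    return parse_qs(urlparse(url).query).get("state", [None])[0]


def resolve_callback(callback_url: str, now: Optional[float] = None) -> Optional[str]:
    """Validate the state on the callback and return the remembered target, or None if invalid."""
    state = state_from_url(callback_url)
    if not state:
        return None
    entry = _pending.pop(state, None)           # one-time use: a replayed state is rejected
    if entry is None:
        return None
    current = now if now is not None else time.time()
    if current - entry["issued"] > STATE_TTL_SECONDS:
        return None                             # stale state, treat like an unknown one
    return entry["target"]


if __name__ == "__main__":
    url = build_authorization_url("client-123", "/orders/42")
    print("send the user to:", url)
    cb = f"{REDIRECT_URI}?code=abc&state={state_from_url(url)}"
    print("after login, continue to:", resolve_callback(cb))
    print("replayed callback resolves to:", resolve_callback(cb))
```

The nonce is left to its usual role (binding the ID token to the request) and is not used as a data carrier here; the target allow-list in `_safe_target` is there so that whoever can influence the stored target still cannot turn the callback into an open redirect.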