...
In addition, the confidential client
shall support encrypted request objects;
shall support Pushed Authorisation Requests (PAR);
shall support parameterized OAuth 2.0 resource scope consent as defined in clause 6.3.1 OIDF FAPI WG Lodging Intent Pattern;
shall support refresh tokens;
shall not populate the acr claim with required values;
shall require the acr claim as an essential claim;
shall support all authentication methods specified in clause 5.2.2-14 of Financial-grade API Security Profile 1.0 - Part 2: Advanced, including different combinations of the methods to send requests (using PAR or not - item 11);
shall not allow the refresh token rotation feature;
shall send the x-fapi-interaction-id header on FAPI endpoints;
...