Archived 2023.08.11. Content moved to Guidance on Dynamic Client Registration (DCR)
For Data Holders (DHs) participating in the Consumer Data Right (CDR) regime, the questions below cover the use of JSON Web Tokens (JWTs) for the Client Authentication and Dynamic Client Registration (DCR) requirements listed in the Consumer Data Standards (CDS).
Question
What is the value of the issuer from the Software Statement Assertion (SSA) which is used to determine the JSON Web Key Set (JWKS) Uniform Resource Identifier (URI) for verifying the SSA JWT?
Answer
The SSA generated by the CDR Register will have an iss claim set to cdr-register. The create registration flow documented in the CDR Register Design Reference provides a breakdown of the various JWKS URIs and when each is used to verify the SSA and registration JWT signatures.
Question
Is the JWKS URI for Australia https://api.cdr.gov.au/cdr-register/v1/jwks?
Answer
Yes, this is correct, as described at https://cdr-register.github.io/register/#getjwks
Question
What is the validation process for all JWTs involved in the DCR process?
Answer
Please refer to the create registration flow to map how each JWT is to be validated.
Question
Is there a requirement to verify all JWTs that contain the SSA? Should the keys found at the JWKS URI within the SSA be used for this purpose, and is there a set of known values that can be expected?
Answer
Both the SSA and DCR JWTs require validation. The JWKS URI defined in the SSA belongs to the software product; therefore it is not a known set of values, and it is published and maintained by the Accredited Data Recipient (ADR). It is a requirement to retrieve these keys to validate the JWT request. This is also covered in the sequence diagram.
Question
For internal testing, is it recommended to create and sign JWTs asymmetrically?
Answer
It is recommended that participants generate their own JWTs to cover the different variations that they may encounter. Numerous libraries that can be leveraged for this purpose are listed at JWT.IO.
There are non-normative examples provided in the CDR Register for reference. These are not designed to be used in testing; instead, they can be used in conjunction with JWT.IO to understand the composition of the JWTs.
A mock register is also provided, whose code participants can interrogate at: https://github.com/ConsumerDataRight/mock-register
Question
What is an example of the Client Authentication and DCR request that the ADR would send to the DH with the schema including all mandatory and optional attributes listed?
Answer
The CDS has provided non-normative examples of such requests. Additionally, the ACCC has now provided an example implementation of the CDR Register, Data Holder, and Data Recipient. Please refer to their GitHub repositories at: https://github.com/ConsumerDataRight.