Question
During the consent grant flow, what is the maximum duration an Accredited Data Recipient (ADR) waits for a response from the authorisation endpoint?
What is the expectation for the Data Holder (DH) app to complete before the ADR app abandons the request?
If the ADR authorise timeout duration is less than the DH timeout, then the customer may confirm the request after the ADR consent flow has timed out.
Should the ADR only accept a response at the redirect_uri before the exp (expiry time) specified in the request?
Answer
The CDS does not explicitly specify any expiry requirements and defers to the FAPI specification. See FAPI 1.0 section 5.2.2 Authorization server and FAPI 1.0 section 5.2.3 Confidential client.
The ADR is not waiting on an open socket, because the Authorisation call is asynchronous. The ADR provides a callback API called the redirect_uri.
FAPI compliant authorisation servers would be expected to reject an authorisation request if the exp claim value is not valid for the purposes of processing the request.
How the DH authorisation server handles an authorisation delay by the consumer on the DH side is likely to be vendor specific. The DH may perform a check prior to minting the authorisation and authorisation code which is then sent to the ADR.
See:
- CDS Security profile
- FAPI 1.0 section 5.2.2 Authorization server
- FAPI 1.0 section 5.2.3 Confidential client
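As an added illustration (not code from the CDS support article or from any DH or ADR implementation), the two checks the answer describes in Python: the DH authorisation server rejecting a request object whose exp claim has passed, and the ADR refusing a callback at its redirect_uri that arrives after the exp it placed in the request. The request object is assumed to be signature-verified already; the 60-minute lifetime cap and the 5-minute consent window are assumed policy values for this example.

```python
import secrets
import time

# Policy cap on exp - nbf for a request object (assumed value for this example).
MAX_LIFETIME = 60 * 60


def validate_request_object(claims: dict, now: float) -> tuple[bool, str]:
    """DH side: decide whether a (signature-verified) request object is still
    usable before minting an authorisation code. A request whose exp has
    passed, or whose lifetime is unreasonably long, is rejected."""
    exp = claims.get("exp")
    nbf = claims.get("nbf")
    if not isinstance(exp, (int, float)) or not isinstance(nbf, (int, float)):
        return False, "exp and nbf must be present numeric claims"
    if now < nbf:
        return False, "request not yet valid (nbf is in the future)"
    if now >= exp:
        return False, "request object expired"
    if exp - nbf > MAX_LIFETIME:
        return False, "exp is too far after nbf"
    return True, "ok"


class PendingAuthorisations:
    """ADR side: remember each outstanding request by its state value together
    with the exp we put in the request object, so a late, unknown or replayed
    callback at the redirect_uri is refused instead of exchanged for tokens."""

    def __init__(self) -> None:
        self._pending: dict[str, int] = {}

    def start(self, now: float, lifetime: int = 300) -> dict:
        # Build the timing claims of a new request object (5-minute window assumed).
        state = secrets.token_urlsafe(16)
        claims = {"nbf": int(now), "exp": int(now) + lifetime, "state": state}
        self._pending[state] = claims["exp"]
        return claims

    def on_callback(self, state: str, now: float) -> tuple[bool, str]:
        # pop() makes every state single-use, so a replayed callback is rejected.
        exp = self._pending.pop(state, None)
        if exp is None:
            return False, "unknown or already-used state"
        if now >= exp:
            return False, "callback arrived after the request's exp; do not exchange the code"
        return True, "ok"
```

Both sides use the same exp, so a consumer who confirms on the DH after the ADR's window has closed is turned away at the ADR even if the DH still minted a code.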