Archived 2024-09-30. See CDS, Client Registration.
Question
For Dynamic Client Registration (DCR), FAPI-RW in section 8.6 for algorithm consideration states:
"For JWS, both clients and authorisation servers shall use PS256 or ES256 algorithms".
Considering this, can a Data Holder (DH) support only one of the two algorithms mentioned, or is it mandatory to support both algorithms to be compliant with the Consumer Data Standards (CDS)?
Answer
As per the CDS, a DH has the discretion to choose their preferred algorithm, either PS256 or ES256. The DH may support both algorithms if desired.
DHs must publish their support via id_token_signing_alg_values_supported and request_object_signing_alg_values_supported to allow for negotiation with the Accredited Data Recipients (ADR) clients.
If the DH does not publish its algorithm support, it is assumed the DH supports any of the recommended algorithms.
ADRs must support both algorithms because different DHs may support different algorithms.
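The negotiation the answer describes, worked through as an added example (not code from the original article or from the CDS project): an ADR-side helper reads a Data Holder's discovery metadata, keeps only the two FAPI-RW JWS algorithms, applies the answer's fallback rule when the DH publishes nothing, and picks the first algorithm both sides support. The discovery documents and the `https://dh.example/issuer` issuer are constructed samples, and `choose_alg` / `dh_supported_algs` are hypothetical helper names.

```python
"""Added example (not part of the original CDS support article): choosing a JWS
signing algorithm from a Data Holder's OIDC discovery metadata using the rules
the answer states. All metadata documents below are constructed samples."""

FAPI_RW_ALGS = ("PS256", "ES256")  # the two JWS algorithms FAPI-RW 8.6 permits

# Discovery metadata keys the answer says DHs must publish
ID_TOKEN_KEY = "id_token_signing_alg_values_supported"
REQUEST_OBJECT_KEY = "request_object_signing_alg_values_supported"

# An ADR client must support both algorithms (per the answer); order = preference.
ADR_SUPPORTED_ALGS = FAPI_RW_ALGS


def dh_supported_algs(metadata: dict, key: str) -> tuple:
    """Return the FAPI-RW algorithms the DH advertises under `key`.

    If the key is absent, the answer's rule applies: assume the DH supports any
    of the recommended algorithms. Advertised values outside the FAPI-RW set
    (e.g. RS256 or 'none') are dropped rather than negotiated, so a
    non-compliant DH cannot talk the client down to a weaker algorithm.
    """
    advertised = metadata.get(key)
    if advertised is None:
        return FAPI_RW_ALGS
    return tuple(alg for alg in advertised if alg in FAPI_RW_ALGS)


def choose_alg(metadata: dict, key: str, client_algs=ADR_SUPPORTED_ALGS) -> str:
    """Pick the JWS algorithm an ADR should use with this DH for the given key.

    The first algorithm in the client's preference order that the DH also
    supports wins. Raises ValueError when there is no overlap, which is exactly
    the interoperability failure the answer's 'ADRs must support both' rule
    is there to prevent.
    """
    dh_algs = dh_supported_algs(metadata, key)
    for alg in client_algs:
        if alg in dh_algs:
            return alg
    raise ValueError(f"no common FAPI-RW JWS algorithm for {key}: DH offers {dh_algs}")


# Constructed sample discovery documents, reduced to the relevant claims.
DH_ES256_ONLY = {
    "issuer": "https://dh.example/issuer",  # placeholder, not a real DH
    ID_TOKEN_KEY: ["ES256"],
    REQUEST_OBJECT_KEY: ["ES256"],
}
DH_BOTH = {
    "issuer": "https://dh.example/issuer",
    ID_TOKEN_KEY: ["PS256", "ES256"],
    REQUEST_OBJECT_KEY: ["ES256", "PS256"],
}
DH_SILENT = {"issuer": "https://dh.example/issuer"}  # publishes no algorithm claims
DH_NONCOMPLIANT = {
    "issuer": "https://dh.example/issuer",
    ID_TOKEN_KEY: ["RS256", "none"],  # neither is allowed by FAPI-RW
}


if __name__ == "__main__":
    for name, doc in (("ES256 only", DH_ES256_ONLY), ("both", DH_BOTH), ("silent", DH_SILENT)):
        print(name, choose_alg(doc, ID_TOKEN_KEY), choose_alg(doc, REQUEST_OBJECT_KEY))
    try:
        choose_alg(DH_NONCOMPLIANT, ID_TOKEN_KEY)
    except ValueError as exc:
        print("rejected:", exc)
    # An ADR that only implemented PS256 cannot interoperate with an ES256-only DH:
    try:
        choose_alg(DH_ES256_ONLY, ID_TOKEN_KEY, client_algs=("PS256",))
    except ValueError as exc:
        print("rejected:", exc)
```

The filter in `dh_supported_algs` is the defensive detail worth keeping: metadata is DH-controlled input, so the client should never adopt an algorithm from it that FAPI-RW does not allow, even if the DH lists it first.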
Comments
The question was around DCR but the response relates to authorisation request establishment. How does a Recipient discover what signing algorithm to use for DCR requests? Historically there was a statement that all registrations must be PS256 but this is no longer the case and it is left ambiguous.