Archived 2023.08.11. Content moved to Guidance on Dynamic Client Registration (DCR)
Question
As a Data holder (DH), we wanted to clarify the validation process during Dynamic Client Registration (DCR) for the redirect_uris published in the sector_identifier_uri endpoint.
In accordance with the Consumer Data Standards (CDS), a DCR request should have a nested JSON Web Token (JWT) structure. The payload request has an outer JWT structure that contains the Software Statement Assertion (SSA) as an inner JWT. Given this, can the DSB confirm whether:
- For DCR request with redirect_uris, is the outer JWT optional?
- For DCR request with redirect_uris, is an inner JWT with SSA required?
- For DCR request with sector_identifier_uri, is an inner JWT with SSA optional?
Answer
- This is correct, for DCR request with redirect_uris, the outer JWT is optional.
- This is correct, for DCR request with redirect_uris, an inner JWT with SSA is required. The SSA is generated by the CDR Register based on the redirect_uris configured against the software product. As this field is mandatory, it is invalid for an SSA to be generated without these values.
- This is correct, for DCR request with sector_identifier_uri, an inner JWT with SSA is optional. The SSA is generated by the CDR Register based on the sector_identifier_uri configured against the software product. As the sector_identifier_uri is an optional field, if it is not configured, the SSA will simply be generated without this value.
Question
In accordance with the Consumer Data Standards (CDS) for a DCR request can the DSB confirm whether:
- A published redirect_uris should match or be a subset of the redirect_uris in the SSA? This is the same as the validation that is applied to the redirect_uri in the outer JWT if supplied.
- Published redirect_uri should match the redirect_uri (if supplied) in the outer JWT?
- If sector_identifier_uri provided in DCR request, and the endpoint is not reachable, should the DCR request be failed?
Answer
Assuming that a published redirect_uris means a redirect_uris that is published in the sector_identifier_uri JSON document:
- No, the values of the registered redirect_uris MUST be included in the elements of the array. This means that the published values are a superset of those used in the DCR process.
- Published redirect_uris are a superset of those in the SSA and the JWT. Therefore, they should match the set that is included in the published redirect_uris.
- During registration, if the sector_identifier_uri is unreachable, POST and PUT requests to the register endpoint should fail. Accredited Data Recipient's sector_identifier_uri hosted endpoints are checked during the DCR validation process.
See:
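The checks described in the two answers above, sketched as a data holder might implement them; this is an added example, not code from the DSB or the Consumer Data Standards. It assumes both JWT payloads are already signature-verified, takes a hypothetical `fetch_json` callable for the sector_identifier_uri document, and uses RFC 7591 error codes whose mapping to each failure is an assumption.

```python
class DcrValidationError(Exception):
    """Reject the registration; `error` is an RFC 7591 error code."""
    def __init__(self, error, description):
        super().__init__(f"{error}: {description}")
        self.error = error

def registered_redirect_uris(request_claims, ssa_claims, fetch_json):
    """Return the redirect_uris to register, or raise DcrValidationError.

    request_claims and ssa_claims are the payloads of the outer JWT and the
    SSA, assumed already signature-verified. fetch_json(url) is a hypothetical
    caller-supplied function returning the parsed JSON document at url.
    """
    ssa_uris = ssa_claims.get("redirect_uris")
    if not isinstance(ssa_uris, list) or not ssa_uris:
        # Mandatory in the SSA: one without redirect_uris is invalid.
        raise DcrValidationError("invalid_software_statement", "SSA has no redirect_uris")
    # Optional in the outer JWT. Assumption: when absent, use the SSA's set.
    requested = request_claims.get("redirect_uris", ssa_uris)
    if not isinstance(requested, list) or not requested:
        raise DcrValidationError("invalid_redirect_uri", "redirect_uris must be a non-empty array")
    extra = [u for u in requested if u not in ssa_uris]  # exact string match
    if extra:
        raise DcrValidationError("invalid_redirect_uri", f"not in SSA: {extra}")
    sector_uri = ssa_claims.get("sector_identifier_uri")
    if sector_uri is None:
        return list(requested)  # optional field: nothing published to check
    try:
        published = fetch_json(sector_uri)
    except Exception as exc:
        # Unreachable endpoint: the POST or PUT fails (error code is an assumption).
        raise DcrValidationError("invalid_client_metadata", "sector_identifier_uri unreachable") from exc
    if not isinstance(published, list):
        raise DcrValidationError("invalid_client_metadata", "sector document is not a JSON array")
    missing = [u for u in requested if u not in published]
    if missing:
        raise DcrValidationError("invalid_redirect_uri", f"not published: {missing}")
    return list(requested)

# Constructed sample values, not taken from any real registration.
SAMPLE_SSA = {
    "redirect_uris": ["https://adr.example/cb", "https://adr.example/cb2"],
    "sector_identifier_uri": "https://adr.example/sector.json",
}
SAMPLE_PUBLISHED = ["https://adr.example/cb", "https://adr.example/cb2",
                    "https://adr.example/other"]
```

Comparison is by exact string equality, so a published or SSA entry that differs only in case, trailing slash or query string does not satisfy the check.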