The Consumer Data Standards rely on normative standards, including OAuth, OIDC and FAPI, to provide security for authorisation and consent. For a thorough discussion of the CDS specific use of these standards, see CDS, Security profile. This article provides some additional material to clarify questions related to CDS usage.
For further questions, the Data Standards Body refers participants to the public documentation of these open standards.
FAPI - Financial Grade API
The data standards follow FAPI and require the use of the signed request object for submission of authorisation parameters.
See:
- Request Object, below
- FAPI
- PAR RFC9126, section 3, The Request parameter
PAR - Pushed Authorisation Request
Since 16 September 2022, PAR is the only way for the ADR to initiate consent flow with the DH.
PKCE - Proof Key for Code Exchange
FAPI applies PKCE as a blanket requirement for all authorisation flows when PAR is used.
DHs must support PKCE for PAR requests, and should reject an ADR request that does not correctly support PKCE.
PPID - Pairwise Pseudonymous Identifier
Refresh token
You can determine the expiry date and time of the refresh token by calling the token introspection endpoint to obtain the "exp" value of the refresh token.
See:
- CDS, Security Profile, Security Endpoints, Introspection Endpoint
Request Object
ADR Software Products MUST send a request object containing a "nbf" (not before) claim and an "exp" (expires) claim that has a lifetime of no longer than 60 minutes after the "nbf" claim.
nbf claim
ADRs have been required to include the value for "nbf" in their Request Object since July 4, 2022.
From September 16, 2022, DHs can validate and may reject requests from ADRs that do not provide valid values for "nbf" and "exp" in the Request Object.
The DH must validate the nbf claim in accordance with RFC7523 and RFC7519.
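The following is an added illustration, not code from the Data Standards Body, of how a DH could apply the request object time checks described above (mandatory "nbf" and "exp", RFC 7519 NumericDate semantics, lifetime capped at 60 minutes after "nbf"). It assumes the request object's signature has already been verified and that the decoded payload is available as a dict; the 30-second clock skew allowance is an assumption, since the standards leave the exact tolerance to the implementer.

```python
import time

# CDS rule from the text above: "exp" may be at most 60 minutes after "nbf".
MAX_LIFETIME_SECONDS = 60 * 60
# Tolerated clock skew between ADR and DH (an assumption; RFC 7519 leaves
# the exact allowance to the implementer).
CLOCK_SKEW_SECONDS = 30


def validate_request_object_times(claims, now=None, skew=CLOCK_SKEW_SECONDS):
    """Check the nbf/exp claims of an already signature-verified request object.

    Returns (ok, reason). 'claims' is the decoded JWT payload as a dict.
    RFC 7519: nbf and exp are NumericDate values (seconds since the epoch).
    """
    now = int(time.time()) if now is None else now
    nbf = claims.get("nbf")
    exp = claims.get("exp")
    # Both claims are mandatory in a CDS request object.
    if nbf is None or exp is None:
        return False, "missing nbf or exp"
    for v in (nbf, exp):
        if isinstance(v, bool) or not isinstance(v, (int, float)):
            return False, "nbf/exp must be NumericDate values"
    # RFC 7519 section 4.1.5: reject if the current time is before nbf (allowing skew).
    if now + skew < nbf:
        return False, "request object not yet valid (nbf in the future)"
    # RFC 7519 section 4.1.4: reject if the current time is at or after exp (allowing skew).
    if now - skew >= exp:
        return False, "request object expired"
    if exp <= nbf:
        return False, "exp must be after nbf"
    # CDS profile: total lifetime from nbf to exp capped at 60 minutes.
    if exp - nbf > MAX_LIFETIME_SECONDS:
        return False, "lifetime exceeds 60 minutes"
    return True, "ok"


# Constructed sample payloads (not taken from the standards or any real ADR):
SAMPLE_NOW = 1_700_000_000
GOOD_CLAIMS = {"iss": "example-adr-software-product", "nbf": SAMPLE_NOW - 60, "exp": SAMPLE_NOW + 540}
TOO_LONG_CLAIMS = {"nbf": SAMPLE_NOW, "exp": SAMPLE_NOW + 3601}
MISSING_NBF_CLAIMS = {"exp": SAMPLE_NOW + 300}

if __name__ == "__main__":
    for name, c in [("good", GOOD_CLAIMS), ("too long", TOO_LONG_CLAIMS), ("missing nbf", MISSING_NBF_CLAIMS)]:
        print(name, validate_request_object_times(c, now=SAMPLE_NOW))
```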