Introduction
The notes below are gathered from Subject Matter Expert guidance and responses to participant questions.
Failure to obtain token within Authorisation Code expiry period
A consumer may give authorisation, but the Authorisation Code is not successfully exchanged for an access or refresh token. This may occur when the Accredited Data Recipient (ADR) fails to obtain an Access or Refresh Token within the allocated Authorisation Code expiry period. In this case the ADR cannot access the orphaned authorisation.
The response to this situation is at the discretion of the Data Holder (DH).
ADR unable to validate ID Token: typical scenario
The ADR may be unable to validate the ID Token returned by the DH during an authorisation flow. This can occur when the header of the decrypted id_token carries a “kid” value that does not match any key in the DH's public JWKS, so signature verification of the ID Token fails.
This is commonly caused by the DH regularly rotating its JWT signing keys while the ADR is still using a cached copy of the DH JWKS that predates the rotation.
To avoid this problem, the ADR should adjust its JWKS caching policy to take into account DH key rotation.
Get JWKS endpoint response hosted by the CDR Register
ADRs host their own JWKS endpoint, advertised in the jwks_uri property of their SSA, which forms part of what they present to the Data Holder during Client Registration. ADR keys are not held by the Register.
The Register JWKS endpoint (/cdr-register/v1/jwks) holds the public keys of the Register only, which are associated with the signing of SSA JWTs which are provided to the ADRs. The Data Holder must check the Register keys to verify the SSA JWTs which are presented by ADRs.
The Register JWKS may have multiple keys and the DH is expected to iterate them to find an appropriate match - for example against the kid value in the registration JWT.
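Both situations above come down to the same check: take the kid from a JWT header, look it up in a cached JWKS, and treat a miss as a possible key rotation rather than an immediate failure. The example below is added here and is not code from the CDR Register, the Standards or any DH or ADR implementation. It shows a JWKS cache with a refresh-on-unknown-kid policy (the caching adjustment recommended for ADRs validating DH ID Tokens) and the same key-by-kid iteration a DH performs over the Register JWKS when verifying an SSA. Signature verification itself is left to a JWT library and is not shown; the cache only returns the JWK to verify with. The issuer, key ids, JWK values and tokens are all constructed for the demonstration, and the rotating issuer and the throttling of forced refreshes are assumptions of this example, not requirements from the page.

```python
import base64
import json
import time
from typing import Callable, Dict, Optional


class UnknownKeyId(Exception):
    """No usable key in the JWKS matched the token's kid, even after a forced refresh."""


def _b64url_decode(segment: str) -> bytes:
    # Compact JWS segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jose_header(token: str) -> dict:
    """Decode the JOSE header of a compact JWT. Nothing is verified here."""
    return json.loads(_b64url_decode(token.split(".")[0]))


class JwksCache:
    """Cached JWKS with a routine TTL plus one forced refresh on an unknown kid.

    fetch: callable returning the parsed JWKS document {"keys": [...]} from jwks_uri.
    min_refresh_seconds: floor between forced refreshes so a stream of tokens with
    bogus kids cannot be used to hammer the remote endpoint (assumed policy).
    """

    def __init__(self, fetch: Callable[[], dict], ttl_seconds: float = 3600.0,
                 min_refresh_seconds: float = 60.0,
                 now: Callable[[], float] = time.monotonic):
        self._fetch, self._ttl, self._min_refresh, self._now = fetch, ttl_seconds, min_refresh_seconds, now
        self._keys: Dict[str, dict] = {}
        self._fetched_at: Optional[float] = None
        self.fetch_count = 0  # visible so refresh behaviour can be observed

    def _refresh(self) -> None:
        # Index by kid; a key without a kid can never be selected by a token header.
        self._keys = {k["kid"]: k for k in self._fetch().get("keys", []) if "kid" in k}
        self._fetched_at = self._now()
        self.fetch_count += 1

    def _age(self) -> float:
        return float("inf") if self._fetched_at is None else self._now() - self._fetched_at

    def key_for(self, kid: str, alg: Optional[str] = None) -> dict:
        """Iterate the key set for kid (and alg, if the token names one)."""
        if self._age() > self._ttl:
            self._refresh()
        key = self._keys.get(kid)
        if key is None and self._age() >= self._min_refresh:
            # Unknown kid: the issuer may have rotated keys since the last fetch.
            # Refresh once, then fail closed if the kid is still absent.
            self._refresh()
            key = self._keys.get(kid)
        if key is None:
            raise UnknownKeyId(kid)
        if key.get("use", "sig") != "sig" or (alg and key.get("alg") not in (None, alg)):
            raise UnknownKeyId(f"{kid}: published for a different use or algorithm")
        return key

    def key_for_token(self, token: str) -> dict:
        header = jose_header(token)
        if "kid" not in header:
            raise UnknownKeyId("<header has no kid>")
        return self.key_for(header["kid"], header.get("alg"))


class FakeIssuer:
    """Constructed stand-in for a jwks_uri whose published key set rotates."""

    def __init__(self) -> None:
        self.kids = ["dh-key-2024-01"]

    def rotate(self, new_kid: str) -> None:
        self.kids = [new_kid]  # old key retired, new key published

    def jwks(self) -> dict:
        # Constructed JWKs: "n" is a placeholder, not a real RSA modulus.
        return {"keys": [{"kty": "RSA", "use": "sig", "alg": "PS256", "kid": kid, "e": "AQAB",
                          "n": _b64url_encode(b"constructed-modulus-" + kid.encode())} for kid in self.kids]}


def unsigned_demo_token(kid: str, alg: str = "PS256") -> str:
    """Constructed compact JWT with a placeholder signature, enough to exercise kid selection."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT", "kid": kid}).encode())
    payload = _b64url_encode(json.dumps({"iss": "https://dh.example/", "sub": "demo"}).encode())
    return f"{header}.{payload}.{_b64url_encode(b'not-a-real-signature')}"


def run_scenario() -> dict:
    """Walk an ADR-side cache through a DH key rotation and report what it did."""
    clock, issuer = [1000.0], FakeIssuer()
    cache = JwksCache(issuer.jwks, ttl_seconds=3600, min_refresh_seconds=60, now=lambda: clock[0])
    out = {"first_kid": cache.key_for_token(unsigned_demo_token("dh-key-2024-01"))["kid"],
           "fetches_after_first": cache.fetch_count}
    issuer.rotate("dh-key-2024-02")      # DH rotates; a stale cache no longer has the new kid
    clock[0] += 120
    out["second_kid"] = cache.key_for_token(unsigned_demo_token("dh-key-2024-02"))["kid"]
    out["fetches_after_rotation"] = cache.fetch_count
    clock[0] += 120
    try:                                  # token under the retired key: one refresh, then reject
        cache.key_for_token(unsigned_demo_token("dh-key-2024-01"))
        out["retired_rejected"] = False
    except UnknownKeyId:
        out["retired_rejected"] = True
    out["fetches_after_miss"] = cache.fetch_count
    try:                                  # immediate second miss must not fetch again
        cache.key_for_token(unsigned_demo_token("dh-key-bogus"))
    except UnknownKeyId:
        pass
    out["fetches_after_throttled_miss"] = cache.fetch_count
    return out


if __name__ == "__main__":
    print(json.dumps(run_scenario(), indent=2))
```

The same `key_for_token` call serves the DH side: point the cache's fetch at the Register JWKS endpoint (/cdr-register/v1/jwks) and pass the SSA JWT, and the lookup iterates the Register's keys for the kid in the registration JWT before the SSA signature is checked. Caching the refresh decision on `kid` rather than on wall-clock time alone is what lets an ADR survive a rotation without either re-fetching on every token or rejecting valid ID Tokens until the TTL expires.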