Archived 06/06/2023 - See CDS Guide ID Permanence and PPID, and Consumer Data Standards: Security Profile.
Question
Regarding the pushed authorization request endpoint which needs to be exposed by the DH: the RFC states that the endpoint needs to be protected with authentication, but the standards documentation doesn't mention how this endpoint will be protected. We need to understand if there will be an access token issued through the client credentials grant with a client assertion JWT, and then use this access token for calling the pushed authorization request endpoint. If so, what would be the scope that would be used to get the access token using the client credentials grant?
Answer
The ADR would follow the client authentication section in the data standards. An ADR would use private_key_jwt. Per the PAR spec:
"The rules for client authentication as defined in [RFC6749] for token endpoint requests, including the applicable authentication methods, apply for the pushed authorization request endpoint as well. If applicable, the token_endpoint_auth_methods client metadata parameter indicates the registered authentication method for the client to use when making direct requests to the authorization server, including requests to the pushed authorization request endpoint."
The token endpoint authentication method is obtained in the response from dynamic client registration and published by the Data Holder via the token_endpoint_auth_methods_supported metadata parameter of their OIDC Discovery metadata endpoint (/.well-known/openid-configuration).
Source
https://github.com/ConsumerDataStandardsAustralia/standards-maintenance/issues/241