A Data Holder ran FAPI-RW certification conformance tests against the Data Holder's Consumer Data Right (CDR) banking APIs. The test suite sent requests which included the x-fapi-customer-ip-address header. The APIs rejected the requests as they did not have the

What is the solution to this problem?
UPDATE: The FAPI-RW certification conformance tests do include the x-cds-client-headers header, due to its CDR specific specification. To support the certification conformance tests the OpenID Foundation (OIDF) suggests you include the following:
- private_key_jwt must be used
- required x-v header is sent to resource server endpoint
- Refresh tokens must be supported (the sharing_duration claim will be requested when a refresh token must be returned)
- Returned id_tokens must be encrypted
- For ACR claims, a CDR specific value is used, “urn:cds.au:cdr:2”
- x-fapi-auth-date header is included in all resource endpoint calls (it’s optional in FAPI but mandatory in CDR)
- x-cds-client-headers header is included when the x-fapi-customer-ip-address header is sent
In the CDS (Consumer Data Standards), the x-fapi-customer-ip-address header indicates that the API is being called in a customer present context. The x-cds-client-headers header is mandatory for customer present calls. If the x-fapi-customer-ip-address header is present in the request, then the x-cds-client-headers header must be present for the request to be valid. See CDS HTTP Headers.
Note: while the FAPI-RW conformance tests are an excellent resource they are not maintained or reviewed by the Data Standards Body, so please check with us via the CDR Support Portal if a non-compliance is flagged that you believe is inconsistent with the Standards.
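The header rules described in the answer above, as an added resource-server check (example code, not part of the original post or of any Data Holder's implementation). It enforces the three page-stated rules for authenticated resource calls: x-v required, x-fapi-auth-date required, and x-cds-client-headers required whenever x-fapi-customer-ip-address is sent. The IP-format check and the error strings are this example's own choices, not the CDS error schema.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Mapping, List


@dataclass
class HeaderCheck:
    ok: bool
    customer_present: bool
    errors: List[str] = field(default_factory=list)


def _get(headers: Mapping[str, str], name: str):
    # HTTP header names are case-insensitive; normalise before lookup.
    lowered = {k.lower(): v for k, v in headers.items()}
    return lowered.get(name.lower())


def check_cds_headers(headers: Mapping[str, str]) -> HeaderCheck:
    """Validate CDS request headers on an authenticated resource call."""
    errors: List[str] = []
    # x-v is required on every resource-server endpoint call.
    if not _get(headers, "x-v"):
        errors.append("missing x-v")
    # x-fapi-auth-date is optional in FAPI but mandatory in CDR.
    if not _get(headers, "x-fapi-auth-date"):
        errors.append("missing x-fapi-auth-date")
    # x-fapi-customer-ip-address marks a customer present call ...
    ip = _get(headers, "x-fapi-customer-ip-address")
    customer_present = ip is not None
    if customer_present:
        try:
            ipaddress.ip_address(ip)  # example's own strictness: must parse as an IP
        except ValueError:
            errors.append("x-fapi-customer-ip-address is not a valid IP address")
        # ... in which case x-cds-client-headers must also be present.
        if not _get(headers, "x-cds-client-headers"):
            errors.append("x-fapi-customer-ip-address present but x-cds-client-headers missing")
    return HeaderCheck(ok=not errors, customer_present=customer_present, errors=errors)


# Constructed sample requests: the rejected conformance-test call and a valid one.
REJECTED = {"x-v": "1", "x-fapi-auth-date": "Tue, 11 Sep 2012 19:43:31 GMT",
            "x-fapi-customer-ip-address": "203.0.113.7"}
ACCEPTED = dict(REJECTED, **{"x-cds-client-headers": "dXNlci1hZ2VudDogdGVzdA=="})

if __name__ == "__main__":
    for name, req in (("rejected", REJECTED), ("accepted", ACCEPTED)):
        print(name, check_cds_headers(req))
```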