Question
A Data Holder ran FAPI-RW certification conformance tests against the Data Holder's Consumer Data Right (CDR) banking APIs. The test suite sent requests which included the x-fapi-customer-ip-address header. The APIs rejected the requests as they did not have the x-cds-client-headers header.
What is the solution to this problem?
Answer
UPDATE: The FAPI-RW certification conformance tests do include the x-cds-client-headers header, due to its CDR specific specification. To support the certification conformance tests the OpenID Foundation (OIDF) suggests you include the following:
- private_key_jwt must be used
- required x-v header is sent to resource server endpoint
- Refresh tokens must be supported (the sharing_duration claim will be requested when a refresh token must be returned)
- Returned id_tokens must be encrypted
- For ACR claims, a CDR specific value is used, “urn:cds.au:cdr:2”
- x-fapi-auth-date header is included in all resource endpoint calls (it’s optional in FAPI but mandatory in CDR)
- x-cds-client-headers header is included when the x-fapi-customer-ip-address header is sent
Source: Conformance Testing for FAPI Read/Write OPs
In the CDS (Consumer Data Standards), the x-fapi-customer-ip-address header indicates that the API is being called in a customer present context.
The x-cds-client-headers header is mandatory for customer present calls.
If the header x-fapi-customer-ip-address is present in the request, then the x-cds-client-headers header must be present for the request to be valid.
See CDS HTTP Headers.
Note: while the FAPI-RW conformance tests are an excellent resource they are not maintained or reviewed by the Data Standards Body, so please check with us via the CDR Support Portal if a non-compliance is flagged that you believe is inconsistent with the Standards.
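The header rules stated in the answer above, expressed as a small validation routine a Data Holder resource server could run before processing a request. This is an added example, not code from the CDR Support Portal or the Data Standards Body; the function names, error strings and sample header values are this example's own constructions. It checks that x-v is present, that x-fapi-auth-date is present (optional in FAPI, mandatory in CDR), and that a customer present request carrying x-fapi-customer-ip-address also carries x-cds-client-headers.

```python
"""
Added example (not from the CDR Support Portal answer): header validation
a Data Holder resource server might apply to an incoming CDS request.

Rules taken from the answer above:
  - x-v is required on resource server endpoints
  - x-fapi-auth-date is mandatory in CDR (optional in FAPI)
  - if x-fapi-customer-ip-address is present (customer present context),
    x-cds-client-headers must also be present

Function names, error strings and sample values are this example's own.
"""
from typing import Dict, List, Mapping


def _normalise(headers: Mapping[str, str]) -> Dict[str, str]:
    """HTTP header names are case-insensitive; compare on lower-cased keys.

    A header present with an empty value is treated as absent, so that
    `x-cds-client-headers:` with nothing after it does not pass the check.
    """
    return {k.lower(): v for k, v in headers.items() if v is not None and v != ""}


def is_customer_present(headers: Mapping[str, str]) -> bool:
    """Customer present context is signalled by x-fapi-customer-ip-address."""
    return "x-fapi-customer-ip-address" in _normalise(headers)


def validate_cdr_headers(headers: Mapping[str, str]) -> List[str]:
    """Return a list of problems; an empty list means the headers are acceptable."""
    h = _normalise(headers)
    errors: List[str] = []

    # x-v: requested endpoint version, required on every resource call
    if "x-v" not in h:
        errors.append("missing x-v")

    # x-fapi-auth-date: optional in FAPI, mandatory in CDR
    if "x-fapi-auth-date" not in h:
        errors.append("missing x-fapi-auth-date")

    # Customer present call: x-cds-client-headers becomes mandatory
    if "x-fapi-customer-ip-address" in h and "x-cds-client-headers" not in h:
        errors.append(
            "x-cds-client-headers required when x-fapi-customer-ip-address is sent"
        )

    return errors


# Constructed sample requests (values are illustrative, not real traffic).
# What the conformance suite sent, per the question: customer IP but no
# x-cds-client-headers, so the request is correctly rejected.
REQUEST_MISSING_CLIENT_HEADERS = {
    "x-v": "3",
    "x-fapi-auth-date": "Tue, 11 Sep 2012 19:43:31 GMT",
    "x-fapi-customer-ip-address": "203.0.113.10",
}

# The same customer present request with x-cds-client-headers supplied
# (value is a constructed placeholder).
REQUEST_CUSTOMER_PRESENT_OK = {
    "X-V": "3",
    "X-FAPI-Auth-Date": "Tue, 11 Sep 2012 19:43:31 GMT",
    "X-FAPI-Customer-IP-Address": "203.0.113.10",
    "X-CDS-Client-Headers": "PLACEHOLDER-CLIENT-HEADERS-VALUE",
}

# A non-customer-present (unattended) call: no customer IP, so
# x-cds-client-headers is not required.
REQUEST_UNATTENDED_OK = {
    "x-v": "3",
    "x-fapi-auth-date": "Tue, 11 Sep 2012 19:43:31 GMT",
}


if __name__ == "__main__":
    for name, req in (
        ("conformance-style request", REQUEST_MISSING_CLIENT_HEADERS),
        ("customer present, complete", REQUEST_CUSTOMER_PRESENT_OK),
        ("unattended", REQUEST_UNATTENDED_OK),
    ):
        problems = validate_cdr_headers(req)
        print(f"{name}: {'OK' if not problems else '; '.join(problems)}")
```

Run as a script, the first constructed request is reported with the same defect the question describes, while the other two pass; header name matching is case-insensitive so mixed-case names from a test harness are handled the same as lower-case ones.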