Archived 2022.11.20. Content moved to error scenarios and responses.
Question
Are the status codes mentioned in the following scenarios correct and compliant?
- Accredited Data Recipient (ADR) does not send a Client Certificate when making a Banking API Call. Client Certificate is mandated by the API definition. As the necessary input data is not sent by the client, should the status code sent be Bad Request 400?
- ADR sends a Client Certificate that is not issued by the right Certificate Authority (CA). Therefore the client is not authorised, so should the status code be Forbidden 403?
- For issues such as expired Client Certificate or bad Client Certificate in the same category as the previously mentioned scenarios, should the status code be Forbidden 403?
Answer
The DSB has intentionally not applied CDR data standards to errors that are covered by normative standards. This allows vendors to support Requests for Comment (RFCs) out of the box and reduces the need for participants to customise their InfoSec libraries and software.
OAuth authentication error codes are covered by RFC8705 "OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens". RFC8705 refers to RFC6749 for error response structure, status code and error message.
With regards to the above-mentioned scenarios, the expected response status code is generally 401 Unauthorised "invalid_client".
- ADR does not send a Client Certificate when making a Banking API Call refers to RFC8705: "no certificate is presented", thus return 401 Unauthorised "invalid_client".
- ADR sends a Client Certificate which is not issued by the right CA is RFC8705: "that which is presented doesn't match that which is expected for the given 'client_id'", thus return 401 Unauthorised "invalid_client".
- Other related issues such as expired Client Certificate etc. also refer to RFC8705: "that which is presented doesn't match that which is expected for the given 'client_id'", thus return 401 Unauthorised "invalid_client".
See RFC8705 section "6.3 Certificate Expiration and Bound Access Tokens" for discussion of Client Certificate expiration.
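The following is an added example, not part of the original article or any DSB or participant code, showing how a data holder's token or resource endpoint can map the three mutual-TLS failure modes above onto the RFC6749 section 5.2 error response that RFC8705 points to. The certificate is represented as a constructed record of the fields a TLS terminator would hand to the application (subject, issuer, validity window) rather than a real X.509 parse; the client registration, distinguished names and timestamps are all constructed sample values.

```python
"""Map mutual-TLS client authentication failures to the RFC 6749 s5.2 error
response (401, error="invalid_client") that RFC 8705 refers to.

Added example. PresentedCert is a constructed stand-in for the fields a TLS
terminator or proxy would pass to the application; it is not a real X.509
parser. All names and dates below are constructed sample values.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
import json
from typing import Optional


@dataclass(frozen=True)
class PresentedCert:
    subject_dn: str
    issuer_dn: str
    not_before: datetime
    not_after: datetime


@dataclass(frozen=True)
class RegisteredClient:
    client_id: str
    expected_subject_dn: str  # subject bound to the client at registration
    trusted_issuer_dn: str    # the CA the ecosystem mandates for client certs


def invalid_client_response(description: str) -> dict:
    """Build the RFC 6749 s5.2 error response: HTTP 401, a JSON body carrying
    'error' and 'error_description', plus the Cache-Control/Pragma headers
    RFC 6749 s5.1 requires on token responses (applied to errors as well)."""
    return {
        "status": 401,
        "headers": {
            "Content-Type": "application/json;charset=UTF-8",
            "Cache-Control": "no-store",
            "Pragma": "no-cache",
        },
        "body": json.dumps({"error": "invalid_client",
                            "error_description": description}),
    }


def authenticate_mtls_client(client: RegisteredClient,
                             cert: Optional[PresentedCert],
                             now: Optional[datetime] = None) -> Optional[dict]:
    """Return None when the presented certificate authenticates the client,
    otherwise the error response to send. Every failure mode in the article
    (no certificate, wrong CA, expired, otherwise mismatched) collapses to
    401 invalid_client; none of them is a 400 or a 403."""
    now = now or datetime.now(timezone.utc)
    if cert is None:
        # RFC 8705: "no certificate is presented"
        return invalid_client_response("no client certificate presented")
    if cert.issuer_dn != client.trusted_issuer_dn:
        # presented certificate does not chain to the mandated CA
        return invalid_client_response("certificate not issued by the expected CA")
    if not (cert.not_before <= now <= cert.not_after):
        # expired or not-yet-valid certificate (RFC 8705 s6.3 discusses expiry)
        return invalid_client_response("certificate not within its validity period")
    if cert.subject_dn != client.expected_subject_dn:
        # RFC 8705: presented cert "doesn't match that which is expected for
        # the given 'client_id'"
        return invalid_client_response(
            "certificate does not match that registered for client_id")
    return None


# Constructed sample data (placeholders, not real participants).
NOW = datetime(2022, 6, 1, tzinfo=timezone.utc)
SAMPLE_CLIENT = RegisteredClient(
    client_id="example-client-id",
    expected_subject_dn="CN=example-adr,O=Example ADR",
    trusted_issuer_dn="CN=Example Ecosystem CA",
)
SAMPLE_GOOD_CERT = PresentedCert(
    "CN=example-adr,O=Example ADR", "CN=Example Ecosystem CA",
    datetime(2022, 1, 1, tzinfo=timezone.utc), datetime(2023, 1, 1, tzinfo=timezone.utc))
SAMPLE_UNTRUSTED_CERT = PresentedCert(
    "CN=example-adr,O=Example ADR", "CN=Some Other CA",
    datetime(2022, 1, 1, tzinfo=timezone.utc), datetime(2023, 1, 1, tzinfo=timezone.utc))
SAMPLE_EXPIRED_CERT = PresentedCert(
    "CN=example-adr,O=Example ADR", "CN=Example Ecosystem CA",
    datetime(2021, 1, 1, tzinfo=timezone.utc), datetime(2022, 1, 1, tzinfo=timezone.utc))

if __name__ == "__main__":
    for label, cert in [("none", None), ("untrusted CA", SAMPLE_UNTRUSTED_CERT),
                        ("expired", SAMPLE_EXPIRED_CERT), ("valid", SAMPLE_GOOD_CERT)]:
        print(label, "->", authenticate_mtls_client(SAMPLE_CLIENT, cert, NOW))
```

The point the response builder makes concrete is that the discriminating detail lives in `error_description`, while the status code and `error` value stay fixed, so off-the-shelf OAuth client libraries recognise the failure without CDR-specific handling.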