URI standards are defined in CDS URI structure. These standards are applicable for the resource server. Are there URI structure standards defined for the security profile endpoints?
Yes. The structure for these endpoints is defined by the normative standards. The structure is relatively open with the endpoints being defined by the DH (Data Holder) in the OIDD (OpenID Connect Discovery) compliant discovery document. See:
Standards allow different data holder paths for authenticated and unauthenticated endpoints. Can the data holders have different paths for security profile endpoints and banking endpoints?
Yes. The register specifically allows for multiple base URIs for multiple purposes. See CDS Security Endpoints, Participant Endpoints. This includes a specific base URI for the Information Security profile endpoints. Note that you can reuse the base path for multiple entries, but this is sometimes difficult due to the various TLS configurations that are required.
Below are some examples based on the various combinations. Does this align with standards and best practices? The URL components that are base paths are bolded in the URLs below.
Unauthenticated Resource URL:
Authenticated Resource URL:
Unauthenticated security profile URL:
Authenticated security profile URL:
The structures described above are aligned to what was intended and also compliant with the standards. No best practice has been defined.
The Standards have three baseURIs clearly articulating their purpose (PublicBaseUri, ResourceBaseUri and InfoSecBaseUri). Should there be a separate baseURI (similar to the other three) representing the authenticated InfosecBaseUri?
This way it is explicit and consistent with the resources: Public & Authenticated.
The InfosecBaseUri points to the OIDC Provider Configuration Endpoint. From here, references to the assorted infosec endpoints such as token, authorize etc. can be derived. How these endpoints are split between domains is an implementation issue for data holders to determine, and they can request ACCC CA issued certificates as required.
Adding these references to the CDR Register would be redundant and risk synchronisation issues as there would then be two discovery points.
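The derivation described in this answer, as an added example that is not part of the original Q&A or of any Data Standards Body code: a constructed register record (the three base URIs named in the question) and a constructed discovery document, with the token and authorisation endpoints placed on different hosts than the issuer, are read to derive the infosec endpoints and flag anything a Data Recipient would want to reject before using them.

```python
"""Derive a Data Holder's infosec endpoints from the OIDC discovery document
under its registered InfoSecBaseUri, and sanity-check them. Constructed sample
data only: no real Data Holder or register record."""
import json
from urllib.parse import urlparse

# Hypothetical register record using the three base URIs the question names.
SAMPLE_REGISTER_ENTRY = {
    "PublicBaseUri": "https://api.example-dh.test/cds-au/v1",
    "ResourceBaseUri": "https://secure.example-dh.test/cds-au/v1",
    "InfoSecBaseUri": "https://idp.example-dh.test",
}
# Constructed discovery document: the authorisation and token endpoints are
# deliberately split onto other hosts, which the answer says is allowed.
SAMPLE_DISCOVERY_DOC = json.dumps({
    "issuer": "https://idp.example-dh.test",
    "authorization_endpoint": "https://auth.example-dh.test/authorize",
    "token_endpoint": "https://mtls-token.example-dh.test/token",
    "jwks_uri": "https://idp.example-dh.test/jwks",
})
REQUIRED_KEYS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")


def discovery_url(infosec_base_uri: str) -> str:
    """Provider configuration location derived from InfoSecBaseUri."""
    return infosec_base_uri.rstrip("/") + "/.well-known/openid-configuration"


def check_discovery(doc_json: str, infosec_base_uri: str) -> dict:
    """Return derived endpoints, the distinct hosts they span, and findings:
    missing required members, an issuer that differs from the base the document
    was fetched from (OIDC Discovery's consistency rule), or non-https URLs."""
    doc = json.loads(doc_json)
    findings = [f"missing {k}" for k in REQUIRED_KEYS if k not in doc]
    if doc.get("issuer", "").rstrip("/") != infosec_base_uri.rstrip("/"):
        findings.append("issuer does not match InfoSecBaseUri")
    endpoints = {k: v for k, v in doc.items()
                 if k != "issuer" and k.endswith(("_endpoint", "_uri"))}
    for name, url in endpoints.items():
        if urlparse(url).scheme != "https":
            findings.append(f"{name} is not https")
    hosts = {urlparse(u).netloc for u in [doc.get("issuer", ""), *endpoints.values()]}
    return {"endpoints": endpoints, "hosts": sorted(hosts - {""}), "findings": findings}


if __name__ == "__main__":
    base = SAMPLE_REGISTER_ENTRY["InfoSecBaseUri"]
    print(discovery_url(base))
    print(json.dumps(check_discovery(SAMPLE_DISCOVERY_DOC, base), indent=2))
```

Because the endpoints are taken from the single discovery document rather than from additional register fields, the host split is visible in `hosts` without the register having to carry a second, separately maintained copy.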