
Alignment with OIDC on auth_time #228

Closed
WestpacOpenBanking opened this issue May 28, 2020 · 9 comments
Labels
Urgent The issue raised is urgent and needs to be addressed out of cycle

Comments

@WestpacOpenBanking

Description

In OIDC implementations, the auth_time claim is normally only supported by vendor implementations in the ID token context. Including the claim in the Userinfo response will frequently require custom implementations with the associated costs and security risks. We suggest aligning with OIDC by only requiring auth_time in the ID Token.

As a separate issue, we also suggest that the list of claims which must be provided in the ID token and the userinfo endpoints should be provided as separate lists within the documentation. This would be less difficult to interpret than the combined list and exclusions elsewhere in the standards and would better reflect their separate usages in implementations.

Area Affected

Scopes and Claims section

Change Proposed

The auth_time claim is made mandatory only in the ID Token. Separate lists are provided for the mandatory claims for the userinfo endpoint and the ID token endpoint.

@CDR-API-Stream added the Urgent label (The issue raised is urgent and needs to be addressed out of cycle) May 28, 2020

@CDR-API-Stream (Collaborator)

Thank you @WestpacOpenBanking. At the request of @WestpacOpenBanking this CR has been marked as urgent to address July requirements.

@pcurtisrab

pcurtisrab commented Jun 2, 2020

Regional Australia Bank would like to add that we suspect that it was intended that the auth_time claim was mandatory only in the authorization flow. By the looks of it, there is a general need to remove requirements which are already implied in the OIDC and FAPI standards, and/or clarify per context (id_token auth flow, id_token at token endpoint, userinfo endpoint) which claims are mandatory.

@CDR-API-Stream (Collaborator)

Hi @pcurtisrab thanks for the feedback. Does this mean your position has changed regarding the previous comment provided which expected auth_time in the ID Token and the Userinfo Endpoint?

@pcurtisrab

Hi @CDR-API-Stream. No, our position on the reading of the standards hasn't changed. Just speculating that the standards may be at odds with a "common-sense" expectation that all would agree with.

@anzbankau

ANZ aligns to OIDC for the auth_time claim, but has built customizations to also provide this on the UserInfo endpoint. However, we are happy to support this being changed to optional on the UserInfo endpoint.

@CDR-API-Stream (Collaborator)

Hi all. Thank you to everyone who has provided feedback so far. The DSB held a review session of this issue today with participants that have impacted July 2020 go-live builds. This session included all major banks and ADRs. A summary pack is available here.

The discussion reviewed the implementation of all banks and expected handling by ADRs. It was agreed that the auth_time claim is only required in the ID Token. This is a statement of that agreed position.

Changes proposed

The proposal is to change the data standards to clearly state:

  1. The auth_time claim must be provided in the ID Token returned per the OIDC normative references
  2. The auth_time claim MAY be returned from the UserInfo endpoint. This will allow builds that are currently doing this to avoid additional build impact to remain compliant

Before the DSB provides a recommendation to the chair on this issue it is requested that confirmation be provided by the impacted participants that the change proposed will not adversely impact their ability to implement for July.

^^ @pcurtisrab, @brett-frollo, @WestpacOpenBanking, @commbankoss, @NationalAustraliaBank, @anzbankau
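An added example (not from the issue or the CDR standards) of how an ADR-side relying party could validate the agreed position above: auth_time must be present in the ID Token, and when the client requested max_age it bounds the age of the authentication, while at the UserInfo endpoint auth_time is optional and only has to agree with the ID Token if present. The claim sets are constructed sample data; JWT signature verification is assumed to have already been done elsewhere.

```python
import time

# Constructed sample claims, as a verified ID Token payload and a UserInfo
# response might look. Values are illustrative, not from any real data holder.
ID_TOKEN_CLAIMS = {"iss": "https://dh.example", "sub": "user-123",
                   "aud": "adr-client", "iat": 1_600_000_000,
                   "exp": 1_600_000_600, "auth_time": 1_599_999_000}
USERINFO_WITH = {"sub": "user-123", "auth_time": 1_599_999_000}
USERINFO_WITHOUT = {"sub": "user-123"}


def _is_numeric_date(value):
    # JWT NumericDate: a non-negative integer, and bool must not sneak in.
    return isinstance(value, int) and not isinstance(value, bool) and value >= 0


def check_id_token_auth_time(claims, max_age=None, now=None, skew=60):
    """Return None when the ID Token's auth_time is acceptable, else a reason.

    auth_time is mandatory in the ID Token (agreed position 1). If the ADR
    requested max_age, the authentication must be no older than that.
    """
    now = time.time() if now is None else now
    auth_time = claims.get("auth_time")
    if auth_time is None:
        return "auth_time missing from ID Token"
    if not _is_numeric_date(auth_time):
        return "auth_time is not a NumericDate"
    if auth_time > now + skew:
        return "auth_time is in the future"
    if max_age is not None and now - auth_time > max_age:
        return "authentication older than requested max_age"
    return None


def check_userinfo(userinfo, id_token_claims):
    """auth_time is optional at UserInfo (agreed position 2); when present it
    must match the ID Token, and sub must always match (OIDC Core 5.3.2)."""
    if userinfo.get("sub") != id_token_claims.get("sub"):
        return "userinfo sub does not match ID Token"
    if "auth_time" not in userinfo:
        return None
    if not _is_numeric_date(userinfo["auth_time"]):
        return "userinfo auth_time is not a NumericDate"
    if userinfo["auth_time"] != id_token_claims.get("auth_time"):
        return "userinfo auth_time disagrees with ID Token"
    return None
```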

@NationalAustraliaBank

NAB provides auth_time on the userinfo endpoint. However, we support the proposed change.

@commbankoss

Commonwealth Bank supports the proposed change.

@CDR-API-Stream (Collaborator)

A change to the data standards was approved by the Data Standards Chair for inclusion in v1.4.0.

This issue will be closed accordingly.
