
Decision Proposal 298 - Urgent Change Request #576 #298

Closed
CDR-API-Stream opened this issue Apr 6, 2023 · 3 comments
Labels
Category: InfoSec Information Security Technical Working Group Decision Proposal Industry: All This proposal impacts the CDR as a whole (all sectors) Status: Decision Made A determination on this decision has been made

Comments

@CDR-API-Stream (Contributor) commented Apr 6, 2023

Decision Record

The Data Standards Chair approved this decision on 14th April 2023. The decision record is attached:
Decision 298 - Urgent CR 576-FINAL.pdf


This decision proposal is a placeholder for the decision in relation to the urgent change request #576 that was consulted on in Maintenance Iteration 14.

The details of the change request can be found here:

CDR-API-Stream changed the title "Decision Proposal 297 - Placeholder" to "Decision Proposal 298 - Placeholder" on Apr 6, 2023
CDR-API-Stream added the labels "Status: Decision Made", "Category: InfoSec" and "Industry: All" on Apr 14, 2023
CDR-API-Stream changed the title "Decision Proposal 298 - Placeholder" to "Decision Proposal 298" on Apr 14, 2023
CDR-API-Stream changed the title "Decision Proposal 298" to "Decision Proposal 298 - Urgent Change Request #576" on Apr 17, 2023
@cuctran-greatsouthernbank

Hi @CDR-API-Stream,

Our interpretation of this change is that our current solution remains compliant and no change is required from Great Southern Bank post FAPI phase 3.

Our current solution as part of FAPI phase 3 is as below:

• We support both ACF and Hybrid flow. However, ADRs must choose either method in their client registration, not both.

• If the ADR uses Hybrid Flow, we will encrypt the id tokens in our API response.

• If the ADR uses ACF, we will ignore the id token encryption fields as per the original requirement from the ACCC for FAPI phase 3.

> `id_token_encrypted_response_alg`, `id_token_encrypted_response_enc`: REQUIRED. Required if OIDC Hybrid Flow (response_type “code id_token”) is registered. Must be ignored for Authorization Code Flow.

Much appreciated if we can have some urgent attention and response from your end regarding this query.

Regards,

Great Southern Bank.

@CDR-API-Stream (Contributor, Author)

Hi @cuctrangsb, the intention during Phase 3 is that Data Holders permit ADRs to register both flows so they can test and fall back to Hybrid Flow without updating their client registration. If they have to update it to switch flows, this could have unforeseen impacts on their live software products and on establishing consumer consents.

During this Phase 3 transition period, ADRs are expected to test the migration to ACF and, where all tests pass, move to update their client registration to ACF only ahead of the Phase 4 migration date of 10th July. After this date Data Holders may withdraw support for Hybrid Flow, so the onus is on ADRs to facilitate the migration of their software products during the Phase 3 transition.

When it comes to ID token encryption, this is at the discretion of the Data Holder. ID token encryption must be used where the client is initiating an authorisation request using Hybrid Flow. For ACF the Data Holder can continue to require ID token encryption, because the client registration cannot represent a conditional separation of ID token encryption along with the authorisation flow. However, some Data Holders have indicated they can support ACF without encrypting ID tokens, and this is permissible.

Please note that the "Must be ignored for Authorization Code Flow." requirement was removed in v1.23.0 of the Data Standards.
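The rules in the reply above, applied to registrations like the one Great Southern Bank describes, as an added example (not code from the Data Standards Body, the CDR Register or any Data Holder): a Data Holder's DCR endpoint accepts Hybrid Flow, ACF or both during Phase 3; the `id_token_encrypted_response_*` fields are REQUIRED whenever Hybrid Flow is registered; for an ACF-only registration the Data Holder's own policy decides whether they are required; and since one registration record cannot tie encryption to a single flow, a client that registered the fields gets encrypted ID tokens on every flow. The function names, the `require_encryption_for_acf` policy flag and the sample registrations are assumptions made for this example.

```python
"""Phase 3 FAPI transition checks for a CDR Data Holder's Dynamic Client
Registration (DCR) endpoint and authorisation endpoint.

Added example, not code from the Data Standards Body or any Data Holder.
It encodes the rules stated in this thread; the policy flag, function
names and sample registrations are constructed for illustration.
"""
from dataclasses import dataclass

HYBRID_FLOW = "code id_token"
AUTH_CODE_FLOW = "code"
PERMITTED_RESPONSE_TYPES = {HYBRID_FLOW, AUTH_CODE_FLOW}
ENC_FIELDS = ("id_token_encrypted_response_alg", "id_token_encrypted_response_enc")


@dataclass(frozen=True)
class RegistrationOutcome:
    accepted: bool
    response_types: frozenset
    encrypt_id_tokens: bool  # applies to every ID token issued to this client
    reason: str


def evaluate_registration(reg: dict, require_encryption_for_acf: bool) -> RegistrationOutcome:
    """Apply the Phase 3 rules to the client metadata of a DCR request.

    require_encryption_for_acf is the Data Holder's own policy choice
    (hypothetical flag): True keeps ID token encryption mandatory even for
    ACF-only clients, False lets an ACF-only client omit the fields.
    """
    requested = frozenset(reg.get("response_types", []))
    if not requested or not requested <= PERMITTED_RESPONSE_TYPES:
        return RegistrationOutcome(False, requested, False,
                                   "response_types must be a non-empty subset of "
                                   f"{sorted(PERMITTED_RESPONSE_TYPES)}")

    present = [f for f in ENC_FIELDS if reg.get(f)]
    if len(present) == 1:
        # alg without enc (or the reverse) is a malformed registration
        return RegistrationOutcome(False, requested, False,
                                   "id_token_encrypted_response_alg and _enc must be supplied together")
    has_encryption = len(present) == 2

    if HYBRID_FLOW in requested and not has_encryption:
        return RegistrationOutcome(False, requested, False,
                                   "encryption fields are REQUIRED when Hybrid Flow is registered")

    if requested == {AUTH_CODE_FLOW} and require_encryption_for_acf and not has_encryption:
        return RegistrationOutcome(False, requested, False,
                                   "this Data Holder requires ID token encryption for ACF")

    # Since v1.23.0 the fields are no longer ignored for ACF: when an ADR
    # registers them, ID tokens are encrypted for every registered flow.
    return RegistrationOutcome(True, requested, has_encryption, "registered")


def id_token_encryption_for_request(outcome: RegistrationOutcome, response_type: str) -> bool:
    """Decide at the authorisation endpoint whether the ID token issued for
    this request must be encrypted. Raises if the flow was not registered,
    so an ADR cannot switch flows without updating its registration."""
    if not outcome.accepted or response_type not in outcome.response_types:
        raise ValueError(f"response_type {response_type!r} is not registered for this client")
    if response_type == HYBRID_FLOW:
        return True  # always encrypted; registration guaranteed the fields exist
    return outcome.encrypt_id_tokens  # ACF: encrypted iff the client registered the fields


# Constructed sample DCR metadata (not taken from the thread).
BOTH_FLOWS = {"response_types": ["code", "code id_token"],
              "id_token_encrypted_response_alg": "RSA-OAEP",
              "id_token_encrypted_response_enc": "A256GCM"}
ACF_PLAIN = {"response_types": ["code"]}
HYBRID_NO_ENC = {"response_types": ["code id_token"]}

if __name__ == "__main__":
    for name, reg in [("both flows", BOTH_FLOWS), ("ACF only, no encryption", ACF_PLAIN),
                      ("Hybrid without encryption fields", HYBRID_NO_ENC)]:
        print(f"{name}: {evaluate_registration(reg, require_encryption_for_acf=False)}")
```

Running the module with `require_encryption_for_acf=False` accepts the first two registrations and rejects the third; flipping the flag to `True` also rejects the plain ACF registration, which is the behaviour of a Data Holder that keeps encryption mandatory across the transition.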

@cuctran-greatsouthernbank

Thank you @CDR-API-Stream

We will review this clarification and if we need any further information, we will follow up later.

Regards,

Great Southern Bank
