Closed. WestpacOpenBanking closed this issue 5 years ago.
This has been dealt with via the feedback to the NFR proposal at: https://github.com/ConsumerDataStandardsAustralia/standards/issues/21
The final position was to define a TTL of 10 minutes for an access token.
-JB-
Access token expiry expectations
There is currently no mechanism in the security standard to extend the life of an access token beyond the initial lifetime set without the use of a refresh token.
In particular, the OAuth2 standard, a normative reference for the security standard, states that access tokens should have a specific lifetime in seconds at creation, recommends a maximum lifetime of 10 minutes, and requires that access tokens cannot be modified. In particular, there is currently no mechanism in the security standard to extend the life of an access token beyond the initial lifetime set, only obtaining a new access token with a refresh token. For these reasons, we point out that the candidate proposal that:
Access Tokens will expire after:
• 10 minutes of inactivity
• 60 minutes total duration
is non-standard behaviour. We strongly suggest avoiding deviation from normative references identified in the security standard and instead recommend retaining approaches and tools that have been tested to be secure.
FAPI HTTP request headers
With regard to NAB’s comment on FAPI HTTP request headers, we remark that the original user agent of the customer device is not provided for in the FAPI spec. The user agent transmitted is instead a custom user agent that represents the data recipient.
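The following is an added illustration of the point made above about access token lifetime; it is not code from this issue, from the CDS standards, or from any participant. It models a minimal authorization server that issues HMAC-signed access tokens whose `exp` is fixed at issuance to the 10-minute TTL the issue settled on, a resource-server check that rejects expired or modified tokens, and renewal through a single-use refresh token. The token format, the signing key, the `AuthorizationServer` class and the clock value are constructed for the example and are not the profile's actual token format. It shows concretely why a sliding "10 minutes of inactivity" window cannot be expressed in an immutable token: the only standard way to keep a session alive past `exp` is to obtain a new token.

```python
"""Fixed-TTL access tokens versus extending a token after issuance.

Added example (not from the issue or the CDS standards). Token format,
signing key, clock and class names are constructed for illustration.
"""
import base64
import hashlib
import hmac
import json
import secrets

ACCESS_TOKEN_TTL = 600  # seconds: the fixed 10-minute TTL the issue settled on


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class AuthorizationServer:
    """Issues HMAC-signed access tokens with a fixed exp and single-use refresh tokens (constructed)."""

    def __init__(self, key: bytes):
        self._key = key
        self._refresh_tokens: dict[str, str] = {}  # refresh token -> subject (constructed store)

    def _sign(self, payload: str) -> str:
        return _b64url(hmac.new(self._key, payload.encode(), hashlib.sha256).digest())

    def issue_access_token(self, subject: str, now: int) -> str:
        # The lifetime is fixed when the token is created (RFC 6749 expires_in);
        # nothing the client does afterwards can lengthen it.
        claims = {"sub": subject, "iat": now, "exp": now + ACCESS_TOKEN_TTL}
        payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
        return f"{payload}.{self._sign(payload)}"

    def issue_refresh_token(self, subject: str) -> str:
        token = secrets.token_urlsafe(32)
        self._refresh_tokens[token] = subject
        return token

    def refresh(self, refresh_token: str, now: int) -> tuple[str, str]:
        # Renewal mints a new access token; the old token keeps its original exp.
        subject = self._refresh_tokens.pop(refresh_token, None)  # single use: rotate on every refresh
        if subject is None:
            raise PermissionError("unknown or already-used refresh token")
        return self.issue_access_token(subject, now), self.issue_refresh_token(subject)

    def validate_access_token(self, token: str, now: int) -> dict:
        """What a resource server does per request: verify integrity, then check exp."""
        payload, _, sig = token.partition(".")
        if not hmac.compare_digest(sig, self._sign(payload)):
            raise PermissionError("signature mismatch: token was modified")
        claims = json.loads(_b64url_decode(payload))
        if now >= claims["exp"]:
            raise PermissionError("access token expired")
        return claims


def extend_exp_in_place(token: str, extra_seconds: int) -> str:
    """Constructed attempt to 'extend' an issued token by editing its exp claim."""
    payload, _, sig = token.partition(".")
    claims = json.loads(_b64url_decode(payload))
    claims["exp"] += extra_seconds
    return f"{_b64url(json.dumps(claims, separators=(',', ':')).encode())}.{sig}"


def _rejected(auth: AuthorizationServer, token: str, now: int) -> bool:
    try:
        auth.validate_access_token(token, now)
    except PermissionError:
        return True
    return False


def demo() -> dict:
    t0 = 1_700_000_000  # constructed clock so the run is deterministic
    auth = AuthorizationServer(key=secrets.token_bytes(32))  # constructed signing key
    access = auth.issue_access_token("alice", t0)
    refresh = auth.issue_refresh_token("alice")
    results = {}
    results["valid_at_599"] = auth.validate_access_token(access, t0 + 599)["sub"]
    results["expired_at_600"] = _rejected(auth, access, t0 + 600)
    # A client that was "active" every minute still cannot keep the token alive:
    # rewriting exp breaks the signature, so the resource server rejects it.
    results["tampered_rejected"] = _rejected(auth, extend_exp_in_place(access, 3000), t0 + 600)
    # The standard path past exp is a new token obtained with the refresh token.
    new_access, _new_refresh = auth.refresh(refresh, t0 + 600)
    results["new_exp"] = auth.validate_access_token(new_access, t0 + 600)["exp"]
    try:
        auth.refresh(refresh, t0 + 601)  # replaying the used refresh token
        results["refresh_reuse_rejected"] = False
    except PermissionError:
        results["refresh_reuse_rejected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The resource server never needs per-token "last used" state here: integrity plus `exp` is the whole check. Enforcing the proposed inactivity window would require either mutating the token (which the signature check forbids) or a server-side last-use table consulted on every request, which is the non-standard mechanism the post objects to.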