ConsumerDataStandardsAustralia / infosec

Work space for the consumer data right information security profile development in Australia
MIT License

Comments on security standard in relation to non-functional requirements #61

Closed WestpacOpenBanking closed 5 years ago

WestpacOpenBanking commented 5 years ago

Access token expiry expectations

There is currently no mechanism in the security standard to extend the life of an access token beyond the initial lifetime set without the use of a refresh token.

In particular, the OAuth2 standard, a normative reference for the security standard, states that access tokens should have a specific lifetime in seconds at creation, recommends a maximum lifetime of 10 minutes, and requires that access tokens cannot be modified. In particular, there is currently no mechanism in the security standard to extend the life of an access token beyond the initial lifetime set, only obtaining a new access token with a refresh token. For these reasons we point out that the candidate proposal that:

Access Tokens will expire after:
• 10 minutes of inactivity
• 60 minutes total duration

is non-standard behaviour. We strongly suggest avoiding deviation from normative references identified in the security standard and instead recommend retaining approaches and tools that have been tested to be secure.

FAPI HTTP request headers

With regard to NAB’s comment on FAPI HTTP request headers, we remark that the original user agent of the customer device is not provided for in the FAPI spec. The user agent transmitted is instead a custom user agent that represents the data recipient.
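An added illustration of the token-lifetime point above (example code, not from this issue or the CDR standards): a minimal OAuth2-style authorization server and resource-server check in Python with a fixed 10-minute access-token TTL, where the token's `exp` cannot be altered after issue and continued access comes from a refresh-token grant that issues a new token rather than extending the old one. The HMAC signing key, the in-memory refresh-token store and the subject value are constructed assumptions for the demo.

```python
import base64, hashlib, hmac, json, secrets, time
from typing import Optional

# Constructed demo key; a real authorization server would use a managed asymmetric key.
SIGNING_KEY = b"constructed-demo-key-not-for-production"
ACCESS_TOKEN_TTL = 600          # fixed lifetime in seconds (10-minute TTL)

_refresh_store = {}             # refresh_token -> subject (constructed in-memory store)

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _sign(payload: dict) -> str:
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    mac = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(mac)}"

def issue_access_token(subject: str, now: float) -> dict:
    """Issue an access token with a fixed lifetime, plus a single-use refresh token."""
    exp = int(now) + ACCESS_TOKEN_TTL
    refresh = secrets.token_urlsafe(32)
    _refresh_store[refresh] = subject
    return {"access_token": _sign({"sub": subject, "iat": int(now), "exp": exp}),
            "expires_in": ACCESS_TOKEN_TTL, "refresh_token": refresh}

def validate_access_token(token: str, now: float) -> Optional[dict]:
    """Resource-server check: the MAC must verify and exp must not have passed."""
    try:
        body, mac = token.split(".")
    except ValueError:
        return None
    expected = _b64(hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(mac, expected):
        return None                      # any change to exp invalidates the token
    payload = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    return payload if payload["exp"] > now else None

def refresh_access_token(refresh_token: str, now: float) -> Optional[dict]:
    """Standard continuation: a brand-new access token, never an extended one."""
    subject = _refresh_store.pop(refresh_token, None)   # refresh token is single-use
    return issue_access_token(subject, now) if subject else None

if __name__ == "__main__":
    grant = issue_access_token("user-1", time.time())
    print(validate_access_token(grant["access_token"], time.time()))
```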

JamesMBligh commented 5 years ago

This has been dealt with via the feedback to the NFR proposal at: https://github.com/ConsumerDataStandardsAustralia/standards/issues/21

The final position was to define a TTL of 10 minutes for an access token.

-JB-