Open CDR-Register-Stream opened 5 years ago
Some queries based on the latest registry design (both directly and indirectly related to DCR):
NAB has the following feedback across the sections of the draft CDR Register Client Registration documentation.
The supported software statement signing algorithms must align with what is supported under the CDS. ES256 has been removed from the CDS InfoSec profile (https://github.com/ConsumerDataStandardsAustralia/infosec/issues/66) and must not be used to sign the software statement. PS256 is available under the FAPI profile.
The jwks_endpoint
metadata value to be named as jwks_uri
.
Recommend that the values supported under the software_roles
metadata value aligns with the proposed entity, brand, software product model. I.e. Data Recipient Software Product instead of Data Recipient .
iss_tos
metadata value:
What is the intended use for this field? And would this URI be presented to the end user during authorisation? If so, when the CDR Register wants to change their CDR terms of service URI, then all data recipients would have to update their software product's client registration. The CDR Register's terms of service URI metadata must be managed independently of client metadata and must not be included in the client's software statement.
If this value remains, then suffix with _uri
.
org_contacts
metadata value:
As the ACCC advised that this object can be different per software product, then adopt the existing open standards contacts
metadata value into the software statement, which is intended to be able to be displayed during the consent authorisation flow.
To publish contact points to support business and operational communication between Data Recipients and Data Holders, these contact points must instead be made available in the CDR Register portal rather than having them stored in the authorisation server directory, which could get out of date given that it does not impact the technical solution.
The Get Data Holder Brands API, does not contain data holder contact information, so we expect that Data Recipients would be able to find these out in the CDR Register portal as previously described.
Logos will be incorporated within the SSA to ensure there is consistency between the logos published on the Public Register and those passed to Data Holders as part of Registration
Clarifying that this refers to the logo URI, not the logo content itself.
JWKS will be decentralised and the URI described in the OIDC Discovery endpoint
The JWKS URI is also in the software statement (jwks_endpoint
/ jwks_uri
) for the software product, as well as the "token revocation" URI (revocation_uri
). With the above statement, it indicates that Data Recipient's will also provide an OIDC Discovery compliant endpoint. Is that correct? Is the inclusion of both locations to ensure consistency?
token_endpoint_auth_signing_method
metadata value to be named as token_endpoint_auth_method
.application_type
values align to OIDC Dynamic Client Registration 1.0 values (native
, web
)? /register
& /register/{client_id}
./register
endpoints (where applicable) follow the private_key_jwt
client authentication method?Westpac supports the decision to adopt dynamic client registration .We have the following questions and comments in relation to the draft specification:
• We assume ‘Authorisation Server Support’ being required for the client registration request (POST) only means that Data Holders must implement support for that endpoint and not that that the client registration request endpoint requires an initial access token as allowed for in (RFC 7592 and [OIDC-DR]). We suggest the addition of explanatory text under the table to this effect.
grant-type:jwt-bearer appears to have a small typo in the documentation.
As of now the design has:
"grant_types":"[
authorization_code,
refresh_token,
urn:ietf:params:oauth:grant-type:jwtbearer
]"
While as per the standard (https://tools.ietf.org/html/rfc7523#page-10) it should be
"grant_types":"[
authorization_code,
refresh_token,
urn:ietf:params:oauth:grant-type:jwt-bearer
]"
It appears that there is no requirement to check software application status during DCR flow.
it also appears that there is no requirement to check ADR level status (as there is no visibility of this status to data holder via proposed metadata data structure.)
In other words DH will rely on CDR register's issued SSA and trust that these checks have been done by CDR register prior to issuing SSA. Moreover, it is trusted that the 30 minutes lifetime window of downloaded SSA is smaller enough for a software product status change which is why there is no requirement to check software application status against metadata cache on DH side.
Can these be confirmed please?
Under the registration response section [1] "redirect_uris" property seems to be repeated in the example response. [1] -https://cdr-register.github.io/register/#registration-response
In a recent revision to the Registry design, Data Receiver Discovery API has been reduced to Status API only, with all Data Receiver metadata moved to the SSA.
Commonwealth Bank recommends separating security and business data. Security data should be carried over in the SSA and business data should be available via Data Receiver Discovery API. This will allow security data to be consumed by security infrastructure (authorisation server) and business metadata to be consumed by business applications (e.g. consent dashboard using software product logo, url, product name and product description).
This will also minimise unnecessary SSA updates for ADRs for business metadata that can be updated via portal without re-registration.
Is it expected that GET /register/{clientID} returns a 200 response code with client registration details while ADR Software Product Status is "inactive" or "revoked".
The responsibility of Data Holder in relation to participants statuses defined on this link does not talk about DCR flows explicitly.
It appears that a suspended/removed ADR can still continue to retrieve previously registered software's client registration details from data holders successfully. It looks like it is similar to UK specs as mentioned on this link
Can this be confirmed if this is expected behaviour?
Noticed that Create Registration and Modify Registration flow diagrams on this link have been changed on 16th October as a result of this commit in the repository. And this change is not called out in change log section of the page.
Following changes are made:-
1) A new alternative flow is introduced "IF JWKS cache has expired" 2) "Get Software Product Metadata" call from DH to Register is introduced 3) A check on Software Product status is introduced
Kindly update the change log for traceability purposes.
Edit:- A question on above change, would it make any difference if software product status check is done before validating SSA?
What behaviour is expected from Create Registration endpoint when an ADR submits a registration request (for a software product that is already registered i.e. client was created previously as a result of an old registration request) ?
The RFC7591 provides a duplicate detection method using software_version element in SSA. But specified SSA does not include this element.
Should this element be part of SSA or an ADR is allowed to create multiple clients (the later option introduces complications. please refer security consideration on this link).
@fahadbinrahat The SSA definition is provided here. The software_id is the primary identifier for a registration. No duplication of registrations is allowed.
The sequence diagrams have been cleaned up to no longer require the DH to check the status of the software product prior to registration. To minimise "invalid" registrations occurring, SSAs will only be issued for ACTIVE software products.
Does a DCRM GET response require the software_statement?
The OAuth specifications for POST state:
If a software statement was used as part of the registration, its value MUST be returned unmodified in the response along with other metadata using the "software_statement" member name. https://tools.ietf.org/html/rfc7591#section-3.2.1
CDR does not separate the expected DCR response for the various requests and has software_statement as a required response property for POST/PUT/GET (see here). The software_statement claim is provided for both POST and PUT requests, so it must be returned. However, software_statement is not provided through a GET request.
Question - Should a DCRM GET request return the software_statement property? This requirement will have the banks store the latest successful software_statement used during POST/PUT.
Edit: We also found that in OpenBanking UK, they have a requirement for software_statement to be present in both the request and the response. We see this to be an inconsistency as the GET request does not contain a software_statement, and question whether it then should be in the response.
@ttranatping thank you for your query.
A few things to note:
There have been some discussions internally on the benefits of persisting the SSA as part of the registration. One benefit is allowing DHs and ADRs traceability on the registration if any of the fields were modified as part of the registration flow.
Therefore, to summarise, as specified in the Dynamic Client Registration API section of the CDR Register design, GET, POST and PUT requests MUST return the SSA as part of the response.
This thread has been created to allow for feedback on Dynamic Client Registration within the CDR Ecosystem.
Details can be found at: https://cdr-register.github.io/register/#dynamic-client-registration
All feedback is welcome.