ConsumerDataStandardsAustralia / standards-maintenance

This repository houses the interactions, consultations and work management to support the maintenance of baselined components of the Consumer Data Right API Standards and Information Security profile.

Disambiguation of the claims for a response from the introspection endpoint #415

Closed CDR-API-Stream closed 3 months ago

CDR-API-Stream commented 2 years ago

Description

Currently this support article states that the statements in the standards regarding mandatory token introspection claims do not override the normative standard: https://cdr-support.zendesk.com/hc/en-us/articles/900004618103-Introspection-Endpoint-RFC-vs-Standards-clarification

The standards statements, however, if read plainly do not obviously align with the clarification in this article.

Area Affected

This would be a change to the introspection endpoint description in the information security profile.

Change Proposed

Update the description of the introspection endpoint to align with the knowledge base article quoted above.

DSB Proposed Solution

The proposed solution can be found in https://github.com/ConsumerDataStandardsAustralia/standards-maintenance/issues/415#issuecomment-2151518715

CDR-API-Stream commented 4 months ago

This issue was discussed in the MI call on March 29 2024. The DSB and participants agreed that the standards could be updated to align with the guidance clarifying that the additional token information is only required for active tokens.

The DSB proposes amending the Introspection Endpoint sub-section in Security Endpoints from:

A Token Introspection End Point Response SHALL include, at least, the following fields:

  • active: Boolean indicator of whether or not the presented token is currently active.
  • exp: A JSON number representing the number of seconds from 1970-01-01T00:00:00Z to the UTC expiry time.
  • scope: A JSON string containing a space-separated list of scopes associated with this token.
  • cdr_arrangement_id: A unique identifier of the CDR arrangement related to the authorisation.

to:

For currently active tokens, a Token Introspection End Point Response SHALL include, at least, the following fields:

  • active: Boolean indicator of whether or not the presented token is currently active.
  • exp: A JSON number representing the number of seconds from 1970-01-01T00:00:00Z to the UTC expiry time.
  • scope: A JSON string containing a space-separated list of scopes associated with this token.
  • cdr_arrangement_id: A unique identifier of the CDR arrangement related to the authorisation.

Specifically, the change involves the addition of "For currently active tokens," at the start to clarify that the fields are only required for active tokens. This would be a non-breaking change as it is a documentation change.

Feedback on the above is welcome.
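
As an added example that is not part of this issue or the standards, the following Python checker applies the proposed rule to a data holder's introspection response: an inactive token needs only `active: false`, while an active token must carry the four listed claims with the stated JSON types. The `SAMPLE_*` payloads and the arrangement id are constructed; the warning about extra claims on an inactive token follows RFC 7662 section 2.2 rather than the text above.

```python
import json
import time
from typing import Optional

# Claim name -> JSON type the proposed wording mandates for an ACTIVE token.
# (bool is excluded separately below, since Python treats True/False as ints.)
ACTIVE_REQUIRED = {"exp": (int, float), "scope": str, "cdr_arrangement_id": str}

# Constructed sample responses; not captured from any real data holder.
SAMPLE_ACTIVE = ('{"active": true, "exp": 4102444800, "scope": "openid profile",'
                 ' "cdr_arrangement_id": "example-arrangement-123"}')
SAMPLE_INACTIVE = '{"active": false}'


def validate_introspection(body: str, now: Optional[float] = None) -> dict:
    """Check one introspection response; returns {"ok", "errors", "warnings"}."""
    now = time.time() if now is None else now
    errors, warnings = [], []
    try:
        resp = json.loads(body)
    except json.JSONDecodeError as exc:
        return {"ok": False, "errors": [f"not JSON: {exc}"], "warnings": []}
    if not isinstance(resp, dict):
        return {"ok": False, "errors": ["top level is not a JSON object"], "warnings": []}

    active = resp.get("active")
    if not isinstance(active, bool):
        return {"ok": False, "errors": ["'active' missing or not a boolean"], "warnings": []}

    if not active:
        # Inactive token: only `active: false` is mandated by the proposed wording.
        # RFC 7662 s2.2 says the server SHOULD NOT add other claims here, so warn.
        extra = sorted(k for k in resp if k != "active")
        if extra:
            warnings.append(f"inactive token carries extra claims: {extra}")
        return {"ok": True, "errors": errors, "warnings": warnings}

    # Active token: every mandatory claim must be present with the right JSON type.
    for claim, typ in ACTIVE_REQUIRED.items():
        value = resp.get(claim)
        if value is None or isinstance(value, bool) or not isinstance(value, typ):
            errors.append(f"active token missing or mis-typed claim '{claim}'")
    exp, scope = resp.get("exp"), resp.get("scope")
    if isinstance(exp, (int, float)) and not isinstance(exp, bool) and exp <= now:
        errors.append("active token has 'exp' in the past")
    if isinstance(scope, str) and not scope.split():
        errors.append("'scope' must contain at least one scope")
    return {"ok": not errors, "errors": errors, "warnings": warnings}
```

Passing `now` explicitly makes the expiry check reproducible in tests; omit it to compare against the wall clock.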

CDR-API-Stream commented 3 months ago

The proposed change has been staged for review.