Closed CDR-API-Stream closed 1 year ago
See https://github.com/ConsumerDataStandardsAustralia/standards-maintenance/issues/458 and comment for further information.
This issue was discussed in the last MI call. The DSB Proposed Solution has been updated as follows:
Add "code" to the valid response_types enumeration values in the "Registration Request using JWT"
Array of the OAuth 2.0 response type strings that the client can use at the authorization endpoint. Permitted values: [
code
,code id_token
] representing Authorization Code Flow and OpenID Connect Hybrid Flow respectively.
Add the following claims to the RegistrationProperties for Dynamic Client Registration APIs (PUT and POST for requests, and the GET response):
Claim | Required | Description |
---|---|---|
authorization_signed_response_alg | Conditional | The signing algorithm to use for JWT Secured Authorization Response Mode (JARM). Required when JARM is used for Authorization Code Flow: where response_type value code in conjunction with the response_mode value jwt (or variant) is used. |
authorization_encrypted_response_alg | Conditional | The JWE alg algorithm to use for encrypting authorization responses in JWT Secured Authorization Response Mode (JARM). Required if authorization_encrypted_response_enc is provided. |
authorization_encrypted_response_enc | Conditional | The JWE enc algorithm to use for encrypting authorization responses in JWT Secured Authorization Response Mode (JARM). When authorization_encrypted_response_enc is included, authorization_encrypted_response_alg MUST also be provided. Required if the Data Holder specifies response encryption algorithms in accordance with JARM. If both signing and encryption are requested, the response will be signed then encrypted, with the result being a Nested JWT, as defined in JWT [RFC7519]. The default, if omitted, is that no encryption is performed. |
Update the "OpenID Provider Configuration End Point" section in accordance with #479 such that the following parameters are included:
authorization_signing_alg_values_supported
: CONDITIONAL. The list of JWS algorithms for signing the authorization response in accordance with [JARM]. Required when supporting Authorization Code Flow and [JARM].authorization_encryption_alg_values_supported
: OPTIONAL. The list of JWE alg
algorithms for encrypting the authorization response in accordance with [JARM]. Required if authorization_encrypted_response_enc
algorithms are offered.authorization_encryption_enc_values_supported
: OPTIONAL. The list of JWE enc
algorithms for signing the authorization response in accordance with [JARM]. The default, if omitted, is that no encryption is performed.The changes would have an obligation date of April 7th 2023 in alignment with the FAPI 1.0 Phase 3 migration obligation date.
The Data Standard's Chair has approved this issue be treated as urgent in combination with #479.
Last maintenance iteration call we discussed defining the error scenarios for registration and negotiation when using JARM for the Authorization Code Flow. The following scenarios are presented below with proposed behaviour. If there are any other error scenarios that need to be considered, please propose them in the comments.
It's worth providing some context and a set of solution design questions that will help frame the responses to each scenario.
This flow uses response_type
"code id_token" and requires the use of the ID Token as a detached signature. As such, id_token_encryption_alg_values_supported
and id_token_encryption_enc_values_supported
are required to be published in the Data Holder's OIDD.
Data Holders may continue to support OIDC Hybrid Flow after the 7th of April 2023. If they do so, they need to continue supporting these negotiation parameters and ID Token signing and encryption.
This flow uses response_type
"code" and in accordance with FAPI 1.0 Advanced, requires the use of JARM for message signing. A such, authorization_signing_alg_values_supported
must be used and the Data Holder may support response encryption using authorization_encryption_alg_values_supported
and authorization_encryption_enc_values_supported
.
The algorithmic requirements are consulted on in Issue 547: Clarification on Minimum Algorithm Required for JARM.
Data Holders must support this flow no later than the 7th of April 2023.
The JARM spec is ambigious when the client omits the authorization_encrypted_response_alg
client metadata value. The JARM specification states that "The default, if omitted, is that no encryption is performed". Should Data Holders support no response encryption when this value is omitted, even if the Data Holder supports encryption and offers "RSA-OAEP" and/or "RSA-OAEP-256"? The quoted statement in the JARM spec could be interpreted as:
authorization_encrypted_response_alg
is omitted when the Data Holder advertises "alg" algorithm support.Should a Data Holder that no longer supports OIDC Hybrid Flow reject response_type "code id_token" being included in the client registration (e.g. if "response_types": ["code", "code id_token"]
is presented ?
Should a Data Holder that no longer supports OIDC Hybrid Flow ignore id_token_signed_response_alg
, id_token_encrypted_response_alg
, id_token_encrypted_response_enc
If the Data Holder does not support response encryption they may do so by providing an empty array for the associated parameters or omit them from their OIDD. ADRs should be capable of handling both.
"authorization_encryption_alg_values_supported": [],
"authorization_encryption_enc_values_supported": []
# is equivalent to
"authorization_encryption_alg_values_supported": null,
"authorization_encryption_enc_values_supported": null
The parameters may be omitted from the OIDD. This is the equivalent of the empty arrays.
JARM states that for client metadata authorization_encrypted_response_alg
:
The default, if omitted, is that no encryption is performed.
JARM also states that for authorization_encrypted_response_enc
:
If
authorization_encrypted_response_alg
is specified, the default for this value isA128CBC-HS256
In other words, if a value for authorization_encrypted_response_alg
is specified and authorization_encrypted_response_enc
is not specified then the default enc
algorithm is A128CBC-HS256
. This value is permitted by the CDS. See https://github.com/ConsumerDataStandardsAustralia/standards-maintenance/issues/479.
The following scenarios consider incorrect values passed by the ADR during registration of their client with the Data Holder. This may include new registrations as well as updates to existing registrations.
# | Scenario | Pre-Conditions | Assertion(s) | Result |
---|---|---|---|---|
1 | Invalid authorization_signed_response_alg client metadata value |
|
Where authorization_signed_response_alg is
|
oAuth error response (error value): "invalid_client_metadata" |
2 | Invalid authorization_encrypted_response_alg client metadata value |
|
Where
|
oAuth error response ( |
3 | Omitted authorization_encrypted_response_alg client metadata value |
|
Where
|
|
4 | Invalid authorization_encrypted_response_enc client metadata value |
|
Where
|
oAuth error response ( |
5 | Omitted authorization_encrypted_response_enc client metadata value |
|
Where
|
|
6 | Valid authorization_encrypted_response_enc and missing authorization_encrypted_response_alg client metadata value |
|
Where
|
oAuth error response ( |
These scenarios consider the transition of the Data Holder supporting OIDC Hybrid Flow, Authorization Code Flow and the retirement of OIDC Hybrid Flow. These scenarios also consider what happens if the Data Holder requires response encryption or retires response encryption.
In all of these scenarios there remains a responsibility on the ADR to monitor each Data Holder's OIDD to discover changes that may impact their client registrations.
Assumptions:
# | Scenario | Pre-Conditions | Assertion(s) | Result |
---|---|---|---|---|
7 | Authorization Code Flow + JARM and no response encryption |
|
|
|
8 | Authorization Code Flow with JARM and response encryption |
|
Assertion A:
Assertion B:
Assertion C:
|
Result A:
Result B
Result C
|
9 | DH switches on response encryption | A Data Holder has supported JARM without response encryption. The Data Holder changes to support response encryption. Pre-Conditions
|
Assertion A: If Solution Question 1a is supported, the client continues to work as-is without a registration update and no response encryption is performed Assertion B: If Solution Question 1b is supported, the client MUST update their registration to use a suitable encryption algorithm set. Until such time, the client cannot perform any new authorisation requests successfully. Existing authorisations will continue to work correctly. Assertion C: If the ADR updates to use response encryption, the client must register a suitable encryption algorithm set |
|
10 | DH switches off response encryption | This requires the ADR to monitor the Data Holder's OIDD endpoint and identify the change to remove response encryption support. In this case, the ADR should update their client registration to remove any encryption algorithms. The Data Holder must ignore the encryption algorithms so they can continue to support ADR clients establishing new authorisation requests without breaking. ADRs should be developed so they are resilient and able to identify that the response is not encrypted and cater for this. Pre-Conditions
|
|
Successful client registration update.
|
11 | Client registration supports OIDC Hybrid Flow and Authorization Code Flow |
|
|
Successful client registration update for both OIDC Hybrid Flow and Authorization Code Flow |
12 | Data Holder removes OIDC Hybrid Flow support, client is already registered for Authorization Code Flow |
|
|
|
13 | Data Holder removes OIDC Hybrid Flow, client is not registered for Authorization Code Flow |
|
|
|
If the Data Holder still supports OIDC Hybrid Flow:
The Data Holder is in an invalid state. The ADR should not update thier client registration to use ACF because the Data Holder is non-compliant and does not support JARM with Authorization Code Flow.
The ADR continues to use their current registration.
ADRs creating new client registrations should continue to use OIDC Hybrid Flow with the ID Token acting as the detached signature in accordance with FAPI 1.0 Advanced s5.2.3.1
If the Data Holder does not support OIDC Hybrid Flow:
Assuming the Data Holder has dropped support for OIDC Hybrid Flow and advertises they support ACF but doesn't support JARM, the Data Holder is non-compliant.
In this scenario, the ADR cannot perform any new authorisation requests successfully. Existing authorisations will continue to work as they only require the exchange of the existing refresh token for a short-lived access token.
Should a Data Holder that no longer supports OIDC Hybrid Flow ignore
id_token_signed_response_alg
,id_token_encrypted_response_alg
,id_token_encrypted_response_enc
- Option 3a: Ignore the parameters for client registration when OIDC Hybrid Flow is not supported: onus is on the Data Holder to ignore these parameters to minimise impact to ADRs
- Option 3b: Return an error if any of these parameters are present when OIDC Hybrid Flow is not supported: All Data Holders return an error and the onus is on the ADR to handle this
- Option 3c: At the discretion of the Data Holder: onus is on the ADR to handle errors
Since "openid" scope is mandatory in request object, shouldn't atleast the "id_token_signed_response_alg" be passed in the DCR call, as the id_token will be returned from token endpoint.
Clarification for decision write-up please - point 13 seems to indicate id_token encryption is not allowed for ACF.
My understanding is that DCR client metadata does not allow the ADR to differentiate id_token encryption for each flow, therefore the standard must support id_token encryption for ACF where the ADR is registered for both Hybrid Flow and ACF.
Can you clarify please if id_token encryption is OPTIONAL or NOT ALLOWED for ADRs who register solely for ACF?
This change request was incorporated through https://github.com/ConsumerDataStandardsAustralia/standards/issues/282#issue-1486041781
Description
To support Phase 3 FAPI 1.0 migration, update the DCR APIs to specify JARM and Authorization Code Flow support.
Area Affected
Dynamic Client Registration APIs response_types enumeration
Change Proposed
authorization_signed_response_alg
authorization_encrypted_response_alg
authorization_encrypted_response_enc
DSB Proposed Solution
The DSB proposed solution is presented here.