ConsumerDataStandardsAustralia / standards-maintenance

This repository houses the interactions, consultations and work management to support the maintenance of baselined components of the Consumer Data Right API Standards and Information Security profile.

Clean up of Refresh Token requirements #667

Open CDR-API-Stream opened 2 months ago

CDR-API-Stream commented 2 months ago

Description

Requirements for Refresh Tokens include a legacy reference to an expiration date of 28 days or longer from when refresh token cycling was permitted. The standards further include some ambiguity about the alignment of refresh token expiry to the sharing duration.

Intention and Value of Change

Clarification of requirements regarding refresh token support.

Area Affected

Security Profile -> Tokens -> Refresh Tokens

Change Proposed

Change the following statements:

Refresh Token

Refresh Tokens MUST be supported by Data Holders.

The usage of Refresh Tokens is specified in section 12 of [OIDC].

The expiration time for a Refresh Token MUST be set by the Data Holder. Refresh Token expiration MAY be any length of time greater than 28 days but MUST NOT exceed the end of the duration of sharing consented to by the Consumer.

Data Holders MUST NOT cycle refresh tokens (rotation). In other words, Refresh Tokens SHOULD be issued with an "exp" equal to the sharing duration authorised by the Customer.

To be:

Refresh Token

Refresh Tokens MUST be supported by Data Holders in accordance with section 12 of [OIDC].

In addition Data Holders:

  • MUST NOT cycle refresh tokens (rotation).
  • MUST issue Refresh Tokens with an "exp" equal to the sharing duration authorised by the Customer.

Obligation date

No feedback has been received from Data Holders that they are not currently setting refresh token expiry to anything but the length of the sharing duration; however, out of caution, it is proposed that this change be attached to a future-dated obligation date of Y25 #2: 12th May 2025.
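To make the proposed wording concrete, the following is an added illustration and not code from the Data Standards Body or any Data Holder. It models a Data Holder's refresh token handling in memory: the refresh token's "exp" is set to the end of the authorised sharing duration, the refresh grant hands back the same refresh token (no rotation), and a refresh attempted at or after the sharing end, or after the consent has been withdrawn, is rejected. The class and function names, the in-memory store, the injectable clock, and the 600-second access token lifetime are all assumptions made for the example; the standards text does not prescribe them.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Tuple


@dataclass
class Consent:
    consent_id: str
    sharing_ends_at: int  # unix seconds; end of the sharing duration the Customer authorised


@dataclass
class RefreshToken:
    value: str
    consent_id: str
    exp: int  # unix seconds


class DataHolderTokenStore:
    """Constructed in-memory model of a Data Holder's refresh token handling (not a reference implementation)."""

    def __init__(self, now: Callable[[], int] = lambda: int(time.time()),
                 access_token_lifetime: int = 600):
        self._now = now  # injectable clock so behaviour at the sharing boundary can be exercised
        self._access_token_lifetime = access_token_lifetime  # assumed value, not from the standards
        self._refresh_tokens: Dict[str, RefreshToken] = {}

    def issue_refresh_token(self, consent: Consent) -> RefreshToken:
        # "exp" equals the end of the sharing duration: no fixed 28-day or other period.
        rt = RefreshToken(secrets.token_urlsafe(32), consent.consent_id, consent.sharing_ends_at)
        self._refresh_tokens[rt.value] = rt
        return rt

    def refresh_grant(self, presented: str,
                      active_consents: Dict[str, Consent]) -> Tuple[dict, RefreshToken]:
        """Handle a refresh_token grant; returns (access token claims, the SAME refresh token)."""
        rt = self._refresh_tokens.get(presented)
        if rt is None:
            raise PermissionError("invalid_grant: unknown refresh token")
        now = self._now()
        if now >= rt.exp:
            # The sharing duration has ended, so the refresh token has expired with it.
            del self._refresh_tokens[presented]
            raise PermissionError("invalid_grant: refresh token expired with the sharing duration")
        consent = active_consents.get(rt.consent_id)
        if consent is None:
            # Consent withdrawn before its natural end: the token must stop working immediately.
            del self._refresh_tokens[presented]
            raise PermissionError("invalid_grant: consent withdrawn")
        # Design choice for the example: an access token never outlives the sharing duration either.
        access_token = {
            "consent_id": rt.consent_id,
            "exp": min(now + self._access_token_lifetime, rt.exp),
        }
        # No cycling: the refresh token presented is the one returned; nothing new is minted.
        return access_token, rt


def refresh_token_exp_is_compliant(rt: RefreshToken, consent: Consent) -> bool:
    """Check the proposed rule: refresh token "exp" equals the authorised sharing end."""
    return rt.exp == consent.sharing_ends_at


if __name__ == "__main__":
    clock = [1_700_000_000]  # constructed starting time
    store = DataHolderTokenStore(now=lambda: clock[0])
    consent = Consent("consent-1", clock[0] + 10 * 86400)
    rt = store.issue_refresh_token(consent)
    print("compliant exp:", refresh_token_exp_is_compliant(rt, consent))
    _, again = store.refresh_grant(rt.value, {"consent-1": consent})
    print("same refresh token returned:", again.value == rt.value)
```

Running the module walks through issuance and one refresh; the `refresh_token_exp_is_compliant` helper is the kind of assertion a Data Holder could run over its own token store to confirm it already meets the proposed wording before the obligation date.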

CDR-API-Stream commented 3 weeks ago

This change has been staged for review: https://github.com/ConsumerDataStandardsAustralia/standards-staging/compare/release/1.33.0...maintenance/667

CDR-API-Stream commented 1 week ago

This issue was discussed in the MI 21 meeting. It was noted that the proposed obligation date would give Data Holders slightly less than six months to implement the change. The change was still supported with the current proposed obligation date. No feedback to date has indicated that Data Holders do not currently satisfy the proposed change.