Closed CDR-API-Stream closed 4 years ago
SachiniSiriwardene
commented
4 years ago Out of all the given options, I think the sharing id claim is a more clean and safer way to solve the issue. When a consumer successfully authorizes the consent, the sharing_id claim can be sent in the Id token to the DR. If the DR wants to revoke an earlier consent, the sharing_id of the consent to be revoked can be sent in the request object. If no consents are to be revoked, no sharing_id should be sent.
anzbankau
commented
4 years ago We support the addition of a sharing ID to fulfill this functionality, as it is a minor modification from the existing implementation and prevents exposure of the refresh token to the customer’s device.
WestpacOpenBanking
commented
4 years ago It is important that the chosen solution approach will allow for appropriate levels of extensibility as the consumer data right regime continues to evolve. Most acutely, the CX stream has flagged that investigation into re-authorisation will occur in the next few months, including investigation into simplification of the flow during re-authorisation, and amending of the consent during this process. Research into joint accounts and fine-grained control have also been flagged as part of the same body of work. Longer term, it is reasonable to expect development of the rules with complex multi-party consents, intermediaries and write access being among the possible additions to the regime.
Most solution options presented do not have the extensibility required to adapt to expected changes over time with minimal ongoing implementation complexity or forcing expensive customizations to vendor supplied IAM software.
Although infeasible for November timeframes, we recommend that a consent object type approach be adopted over time and remark that the FAPI staged intent proposal or the UK open banking approach are suitable starting points for development. Previously articulated benefits of an approach of this type include:
A key difference between these approaches is the method of exchanging the intent/sharing identifier. In the FAPI staged intent proposal dynamic scopes are used, whereas in the UK open banking approach a claim is used (similar to the Addition Of A Sharing ID option). Vendor support for either of these methods will need to be considered as will the difficulty of transition from the current state of the standards for participants.
The UK approach gives extensible and secure patterns allowing for querying, deletion and sending of notifications (e.g. for revocation, addition or removal of accounts and so on). These are not incompatible with the proposed FAPI intent pattern. There are likely security benefits to adopting similar approaches. The data recipient to data holder interaction pattern in particular is based on standard OAuth patterns which are the subject of substantial international research. Additionally, a revocation notification using this pattern would not involve the transmission of sensitive refresh tokens, and updates are better protected by defence in depth:
We are happy to collaborate further on an intermediate state proposal and suggest that a workshop may be a productive approach to create a proposal for consultation.
We remark that options involving the sharing of refresh tokens (unencrypted or encrypted with an un-established pattern) carry security risks and we strongly recommend removing the existing mandate to adopt an approach of this type for November.
commbankoss
commented
4 years ago Commonwealth Bank agrees with @WestpacOpenBanking (https://github.com/ConsumerDataStandardsAustralia/standards/issues/99#issuecomment-587993724) that target state consent solution should solve for fine-grain authorisation, re-authorisation, multi-party consents as well as improvement of the security of the ecosystem.
Options identified in the original post above: (https://github.com/ConsumerDataStandardsAustralia/standards/issues/99#issue-559369359) can only be used as a partial solution.
E.g.
Support for fine-grain authorisation, multi-party consents and etc. require additional building blocks.
We welcome a suggestion of a collaborative workshop with industry participants to discuss and agree on a solution to satisfy current and future consent requirements.
sakimura
commented
4 years ago My name is Nat Sakimura and I am the Chairman of the OpenID Foundation (OIDF) and am one of the Chairs of the Financial-grade API Working Group (FAPI WG).
The OpenID Foundation is a non-profit international standardisation organisation of individuals and companies committed to enabling, promoting and protecting OpenID technologies. The Financial-grade API Working Group is dedicated to the development of technology standards suitable for use within the financial services landscape. Active members include technical implementers within the UK Open Banking ecosystem as well as emerging open banking initiatives including Australia, USA, Canada, Germany, South Africa, Canada and Brazil. Multiple standards have been established within this working group including the ubiquitous FAPI R/RW specifications and many lessons learned and shared by our members.
For more than a year, the FAPI WG has been in active discussions among its members as the Australian Consumer Data Right evolution has occurred. More recently the FAPI WG has conducted detailed design and architecture discussions to provide a proposal for a flexible model for establishing, maintaining and withdrawing consent. This specification has included all of the requirements from our members and incorporated lessons learned from our shared experiences of implementing various complex consent sharing mechanisms including the Lodging Intent specification used within Open Banking UK and other market initiatives.
After a detailed analysis of the problem space, it is clear to FAPI WG members that any solution must be flexible enough to allow for jurisdictional requirements whilst facilitating data minimisation principles. It is also clear that the definition of “consent” has both legal and variable interpretations across jurisdictions. Due to this ambiguity, FAPI WG members prefer instead to utilise the term “grant” to provide an unambiguous description to a solution designed to cross multiple jurisdictional (ie. legal) boundaries. Any proposed model must also be flexible enough to facilitate new requirements introduced post-implementation.
We attach a presentation which seeks to define the problem space, evaluate the existing approach the CDR has taken to consent and provide a proposal which leverages a number working group work items which meet the long term objectives of the CDR ecosystem.
In summary, the FAPI WG proposes the implementation of the following combination of specifications:
While some Australian requirements are unique, the problem is not. Let’s solve it together for the benefit of the customers in multiple jurisdictions. We believe Australia has an opportunity to become a world-leading technology reference case for other worldwide data initiatives and we welcome the opportunity for further and hopefully fruitful collaboration. Consent proposal for CDR (Australia).pdf
NationalAustraliaBank
commented
4 years ago NAB supports the option for the inclusion of a sharing id claim to replace the current “existing_refresh_token” mechanism.
cdradr
commented
4 years ago We agree with full re-design of consent, addition of sharing ID and consent API.
Concurrent consents might be required or not.
Accounts should be a part of consent to make it useful for ADRs.
CDR-API-Stream
commented
4 years ago The period of feedback for this consultation is now closed. Thank you to everyone for your contributions. As stated, the next step for this issue will be the development of a specific proposal that will be posted in a separate thread for further consultation before a recommendation is made to the Chair.
It should be noted that some of the feedback was outside of the scope of the initial issue. This feedback has been noted but will not be reflected in the proposal that will remain targeted at The Ask outlined in the main issue description.
CDR-API-Stream
commented
4 years ago Hi everyone, thanks for your feedback. Based on the feedback raised by the community, changes have been incorporated into an updated decision proposal for concurrent consent.
This decision proposal outlines a recommendation for enabling concurrent, or overlapping, consents under the CDR regime.
The consultation draft for this decision proposal is attached below: Decision Proposal 099 - Concurrent Consent.pdf
Feedback is now open for this proposal. Feedback is planned to be closed on the 9th of April 2020.
RalphBragg
commented
4 years ago General Comment:
Thanks for the proposal – It is great to see new standards being considered to address some of the challenges that the community has raised. A lot of inspiration appears to have come from the FAPI 2.0 draft which is available for review and all comments welcome.
It would be great for global interoperability if Data61 / CSIRO could cross reference Proposal 99 against the FAPI 2.0 spec and provide a profile that clearly calls out the differences. This would simplify implementation challenges for vendors, banks and the security community alike.
It looks as if vendors and banks support FAPI 2.0 then they will have all of the necessary RFC support to implement Proposal 99.
Conveying Sharing ID / Requiring PAR
Introducing a consent management API, ala Open Banking UK is a proven well adopted pattern, as it’s essentially lodging intent with an ID being returned. Is the intention or direction of travel to extend this API to incorporate fine grained consent and if so, has RAR (Rich Authorization Request) been considered?
This is then posted using PAR with justifications for PAR adoption given around security and payload size which I hope you can answer the following questions.
Security Comment: Enumeration Raidiam considers the enumeration attack to swap or change a sharing_id with another valid one as minimal vs the overhead of requiring PAR in the timescales suggested.
Security Alternative: JAR (signed) If this really is deemed to be a significant security issue then JAR or encrypted JAR would mitigate this issue alone which is far more likely to be supportable by vendors as they have similar capability from the OIDC Request Object by Reference and the requirement for its use in FAPI 1.0 today.
Size Comment
Decision 99, uses a Size justification for requiring PAR however the inclusion of a sharing ID will not materially increase the payload size. For example, the UK ecosystem functions perfectly well with the inclusion of sharing ID in the front channel request. PAR is really only required on a size justification if a RAR is also going to be used.
If PAR is adopted why is OIDC hybrid still being used instead of just moving to supporting PKCE RFC7636? If the ecosystem is considering such a fundamental change then aligning to FAPI 2.0 or baselining the profile requirements against this specification might be useful.
As we understood, the security challenge detailed in issue 74 was raising concerns about the passing of a credential via an untrusted network segment but this appears to being used to justify not putting anything through the front channel. This proposal removes the requirement to share a credential via the front channel and so derisks the security issues with the front channel. Espeically if JAR is adopted. Are there any ecosystem concerns about the ability for the Data Holders and Data recipients to uplift and implement this standard in the timeline outlined
Final Comment: Generally, Raidiam is fully supportive of using RAR,PAR,JAR if fine grained sharing is in scope, which it isn’t with this proposal. Currently it appears to be a very similar model to what is currently used by the UK OBIE and as such it would be useful if Data61 could share their decision making process that led to the requirement for the ecosystem and their vendors to uplift to PAR for this need alone?
Perhaps if Data61 / CSIRO would signal the intention to move to RAR instead of a sharing API then requiring banks make this uplift to support PAR now so that they can support RAR in the future would be much easier to justify for the ecosystem.
Technically, Raidiam's OpenID Provider already implements all of the required RFCs and standards required by Decision 99 and so we can support any standards based solution that the ecosystem adopts. Commentary from other vendors would be welcome.
mark-nienaber
commented
4 years ago With respect to the following comment made by @RalphBragg
It would be great for global interoperability if Data61 / CSIRO could cross reference Proposal 99 against the FAPI 2.0 spec and provide a profile that clearly calls out the differences. This would simplify implementation challenges for vendors, banks and the security community alike.
It looks as if vendors and banks support FAPI 2.0 then they will have all of the necessary RFC support to implement Proposal 99.
I agree that a comparison of FAPI 2.0 and Proposal 99 would be helpful for relevant parties to clearly understand compliance or implementation challenges.
mark-nienaber
commented
4 years ago With respect to the following comment made by @RalphBragg
Hybrid Flow Requirement vs PKCE If PAR is adopted why is OIDC hybrid still being used instead of just moving to supporting PKCE RFC7636?
Agree on the consideration of the use of Auth Code + PKCE. While commonly considered only for SPA's has become the industry best practice to use wherever possible.
anzbankau
commented
4 years ago ANZ views many of the changes in the latest decision proposal as beneficial, but would like to note that most are not required to achieve the capability of concurrent consents.
Please see below for aspects we support and some items to further refine:
Furthermore, we would like more specificity for:
WestpacOpenBanking
commented
4 years ago As we have previously articulated, long term we believe that the regime should move towards an approach along the lines of the FAPI staged intent proposal or the similar UK Open Banking approach, ideally after flagged CX work is completed. Introducing a sharing_id claim and the Sharing Agreement Management API are both positive steps in this direction and overall we welcome the proposal as an improvement over the approach which has previously been articulated. We agree that the proposal addresses the key concerns and moves towards a technical position that will facilitate future sectors and use cases.
However, we are unable to support the use of Pushed Authorization Requests in the near future. The proposal is still in draft format and our vendors are unlikely to support this functionality in November timeframes. Sufficient availability of certified platforms and libraries is important to ensure security and to control implementation cost and complexity for all participants.
We also suggest the removal of direct references to the JAR draft standard. We are concerned that the inclusion of these references may cause confusion because JAR specification is targeted at hosting request objects at endpoints controlled by the client whereas the PAR draft standard is focussed on pushing request object to the authorisation server. Additionally, the immediate benefits of allowing a third method of passing a request for authentication are unclear. Finally, we are also concerned that client hosting of request objects may be less secure. A more thorough analysis would need to be undertaken to ensure that any risks are identified and adequately controlled – it is unlikely that this could occur and leave enough time for November implementation.
In relation to proposed changes to standards we have the following feedback:
sharing_id must not be provided where an ID Token is provided from the Authorisation endpoint.sector_identifier but this is not part of the standard as far as we are aware.pushed_authentication_request as per the PAR draft standard which states that the same authentication method is used as at the token endpoint.sharing_id is not related to the consumer being authenticated it MUST be rejected". The consumer is not known at this point in time. This rule will need to be moved to elsewhere in the standard.sharing_id. Additional it is a claim, not a hint, as the Authorisation Server is not free to ignore this value.sharing_id is provided as a hint in the authorisation request object”. There is a need to add clarifying text to say existing authorisation tokens and consents associated with this sharing_id are to be revoked.sharing_id is provided as a hint in the authorisation request object”. Does this mean that existing authorisation tokens and consents should be immediately revoked, rather than waiting for a successful authorisation?InfoSecBaseURI published in the CDR Register". This statement seems to contradict the statement made earlier in this decision proposal that the Sharing Agreement Management API allows the separation of business concerns and security concerns. This, however, is likely to be an error – on page 15, a contradictory statement is made: “Data Recipients MUST publish their Sharing Agreement Management API under the ResourceBaseURI that is published on the CDR Register.”CDR-API-Stream
commented
4 years ago Hi @RalphBragg and @mark-nienaber, thanks for the comments. A reminder to the community that consultation on this Decision Proposal closes today. Any feedback should be provided by COB 9th April.
To address the points raised so far: Cross reference Proposal 99 against the FAPI 2.0 spec From a standards perspective, the CDR concurrent consent proposal in addition to CDR data standards would support all standards referenced in the FAPI 2.0 Profile other than:
1. Security Comment: Enumeration @RalphBragg could you please expand further? I assume these comments are related to your later comments on PKCE support?
2. Security Alternative: JAR (signed) This is under consideration.
3. Size Comment That is not the only justification for PAR and specifically achieving staged intent using request object by reference. It is a consideration and a known limitation as we move towards a richer authorisation model - consideration was given to future implementation burden on the ecosystem vs building core foundations that will reduce implementation burden in the future.
4. Hybrid Flow Requirement vs PKCE This wasn't part of the scope for concurrent consent and has not been raised by previously by the community under the concurrent consent consultation.
That said, FAPI 2.0 is under consideration and we will consider how this fits into the data standards roadmap in consultation with participants. As consultation on the third banking maintenance iteration has commenced we would welcome feedback from the community on their priority views under DP 108.
5. PAR adoption implementation timescale challenge Thank you for this @RalphBragg. We'd welcome feedback from IAM vendors on their current supportability of PAR. The DSB recognises that the OIDF had provided recommendations on consideration and adoption of PAR previously in this consultation.
Feedback is always welcome regarding implementation impacts and are considered seriously and the DSB recognises that the OIDF had provided recommendations on consideration and adoption of PAR previously in this consultation. We have accommodated this feedback in the timeframes for adoption of the standard and made allowance for phased implementation in the approach we have recommended.
6. Re:Issue # 74 Moving towards standards adoption of PAR and request objects by reference is also designed to more easily facilitate fine-grained authorisation in the future if it comes into scope as well as the inclusion of sensitive information in the request if that eventuates also.
7. Final comments Draft standards such as JAR, RAR, PAR and emerging draft standards such as Grant Management API will continue to be monitored and will be considered in the future as regime requirements bring them into scope.
PKCE Adoption Thanks @mark-nienaber and @RalphBragg. We recognise that industry guidance now considers PKCE as the preferred flow vs Hybrid Flow. This will be considered in future consultation with the community.
SlatsFR
commented
4 years ago ForgeRock is engaged with the development and ratification of the FAPI2 security profile and the technologies by which it is underpinned. To provide an overview of where the Security Profile stands from a ForgeRock perspective today, included below is an overview of current status of development and support for the aforementioned technologies:
OAuth 2.0 Authorization Framework [@!RFC6749] - Fully Compliant OAuth 2.0 Bearer Tokens [@!RFC6750] - Fully Compliant OAuth 2.0 PKCE [@!RFC7636] - Fully Compliant OAuth 2.0 Mutual-TLS Client Authentication [@!RFC8705] - Fully Compliant OAuth 2.0 Pushed Authorization Requests (PAR) [@!I-D.lodderstedt-oauth-par] - *RFE in progress* OAuth 2.0 Rich Authorization Requests (RAR) [@!I-D.lodderstedt-oauth-rar] - RFE in progress OAuth 2.0 Authorization Server Metadata [@!RFC8414] - Fully Compliant OpenID Connect Core 1.0 incorporating errata set 1 [@!OpenID] - Fully Compliant**
*With regard to:
Request For Enhancements have been created and their priority set to 'Major'. As such, they are viewed by our Product Management team, as well as our various working group members, as proceeding on a trajectory making them likely to be adopted globally. That said, we are still in holding pattern as the specifications are still stabilising. Until the specifications are ratified, it is not possible for vendors to bring a complete solution for the technologies to market.
ForgeRock encourages the continued leveraging of standards by the working group wherever possible, while making allowances where the standard driving the preferred solution is incomplete.
commbankoss
commented
4 years ago Commonwealth Bank continues to support the introduction of concurrent consent, and believes the proposal requires the following:
Guidelines for Data Recipients to avoid inconsistent or confusing customer experiences (e.g. multiple consents on a consent dashboard without the ability to differentiate them, multiple CDR receipts etc). We recommend further testing from Data61 CX stream to assess impact on consumers.
Consent purpose to be communicated from Data Recipient to Data Holder. As we have done previously, Commonwealth Bank continues to recommend the inclusion of consent purpose to make it easier for the end user to differentiate between different consents. If CDR adopts RAR, this would allow purpose to be added with minimal effort and no custom extensions.
Commonwealth Bank welcomes the introduction of Consent back-channel lodgement pattern (PAR), Consent API (Sharing Management API), and consent ID (sharing ID), that UK has adopted and we have previously advocated for.
Commonwealth Bank prefers a solution that:
Reduces the build impact once fine-grain consent or multi-party consent are introduced.
Drives alignment to the target state described by:
Maximises the alignment to open standards (PAR, RAR, Grant Management and FAPI 2, in general). Adoption of Grant Management specification instead of Sharing Agreement management API would improve security, increase chances of vendor support, and minimise long term implementation costs.
Doesn't require Data Recipients to host Sharing Management / Grant Management APIs which is an additional cost and complexity imposed on Data Recipients. We believe that consent revocation notification (from Data Holder to Data Recipient) can be solved differently (e.g. OBIE UK's event notification specification or bulk consent event API). This will also address security and availability concerns raised around current implementation of Data Recipient's consent / revocation (client authentication and exception processing).
If staging is required, we agree that PAR and re-authorisation (CIBA) can be deferred. RAR and Grant Management are more essential for setting us up for the consent target state.
Commonwealth Bank believes that the introduction of JAR in as part of the November release does not deliver additional benefits to the ecosystem, as signed request objects are already used by the CDR.
Lastly, Commonwealth Bank believes the migration strategy from consents established after the initial go-live, to the consent framework to be established after the release of concurrent consent, should be outlined. Commonwealth Bank recommends this strategy should minimise transition effort.
mperryau
commented
4 years ago Ping is strongly in favour of a solution for concurrent (and in the future, fine-grained) consent built on open standards. We have been vocal in past discussions in this forum, and as a member of the Advisory Committee for the Data Standards Body, about the need to remain consistent with InfoSec open standards. Designing bespoke security standards just for Australia makes it more difficult and more costly for Data Holders, Data Recipients, solution vendors, and solution implementers to implement and maintain a compliant solution.
We support aspects of the current form of this proposal, but recommend it more closely resemble that submitted by the OpenID Foundation (OIDF), as detailed in the previous response from @sakimura. As a member of the OIDF and the FAPI working group, Ping collaborated in the development of this design. Brian Campbell, Distinguished Engineer at Ping Identity, is also a co-author of RAR, PAR, CIBA, RFC 8705, RFC 7523 and other related standards.
We also recommend that the implementation of this proposal be delayed, to allow for detailed workshops between Data61, the OIDF and other industry participants. This mechanism will form the basis of fine-grained authorisation for the CDR, across banking, energy, telco and other industry segments, and it’s our belief that it needs to be designed with due care rather than meeting an arbitrary timeline.
In particular:
sakimura
commented
4 years ago As I previously introduced, my name is Nat Sakimura and I am one of the Chairs of the Financial-grade API Working Group (FAPI WG). Following on from our previous feedback within this Decision Proposal the FAPI WG have reviewed the response provided by the Data Standards Body (DSB) and provide a detailed response with our evaluation of the proposal.
Our response includes the following key areas of feedback:
Adoption of the FAPI 2.0 profile
Adoption of Pushed Authorisation Request (PAR)
Adoption of JWT Secured Authorization Request
Non adoption of Rich Authorisation Request (RAR)
Non Adoption of Grant Management Extension & API
Sharing Agreement API Introduction
In addition the FAPI Working Group propose a Stage approach to adoption. While intertwined with the long term roadmap of the CDR as a whole we acknowledge that the scope for this feedback is intended to be specific to the Concurrent Consent requirements. With this in mind the FAPI Working Group requests consideration of this content to be included in development of other related Decision Proposals, notably #108 and #106.
In addition the FAPI Working Group continues to make available it’s expertise to the Data Standards Body. In addition to the OpenID Foundation and the Working Group body itself the following additional members have expressed their willingness to engage with the DSB to provide further background on lessons learned:
Open ID Foundation members:
Joseph Heenan - Open ID Certification Suite Developer & CTO at FinTechLabs.io
Don Thibeau - Executive Director at Open ID Foundation
Members of the Open Banking Implementation Entity (OBIE) within the UK, specifically:
Imran Gulamhuseinwala - OBIE Trustee at OBIE
Ed Colley - Programme Director at OBIE
Chris Michael - Interim Head of Technology at OBIE
Ralph Bragg - Ecosystem Trust Framework Architect at OBIE
Authors of all of the referenced specifications including:
Dr. Torsten Lodderstedt - Author of OAuth 2.0 Threat Model (RFC6819), OAuth 2.0 Token Revocation (RFC7009), OAuth2 MA-TLS (RFC8705), FAPI Grant Management, FAPI Pushed Authorisation Request, FAPI JWT Secured Authorization Response (JAR)
Dr. Daniel Fett - Author of OAuth 2.0 Threat Model (RFC6819), FAPI 2.0 Baseline Profile, FAPI 2.0 Attacker Model
Nat Sakimura - Author of JWS (RFC7515), JWT (RFC7519), PKCE (RFC7636), JWK (RFC7638), OAuth2 MA-TLS (RFC8705), FAPI 1 Part 1, FAPI 1 Part 2, OpenID Connect Core
Ralph Bragg - Author of FAPI 1 Part, FAPI 1 Part 2, FAPI JWT Secured Authorization Response (JAR)
Executives of the Financial Data Exchange, a North American open data initiatives with members from all of North America’s largest financial institutions
FAPI WG Decision Proposal 99 Response.pdf
Reiterating on my first response, while some Australian requirements are unique, the problem is not. Let’s solve it together for the benefit of the customers in multiple jurisdictions. Australia has already demonstrated leadership towards adopting best security practice with it’s progression towards FAPI 2.0 and we welcome the continued opportunity to collaborate further.
perlboy
commented
4 years ago As a contributing member of the FAPI WG, a longtime contributor to the CDR and vendor to both Data Holders and Data Recipients, Biza.io endorses and supports the staged approach outlined within the FAPI WG response provided by @sakimura . Based on the currently understood timelines, we expect our products to be entirely compliant with FAPI 2.0 by launch and prefer international standards alignment over unnecessarily unique Australian approaches.
CDR-API-Stream
commented
4 years ago Thanks everyone for all your feedback and participation. The feedback period has now closed. The DSB will review the responses and will provide additional commentary here.
CDR-API-Stream
commented
4 years ago For noting: AGL provided a response to this decision proposal within the consultation window. Inline with the DSB's open consultation process it has been posted here for visibility.
AGL submission concurrent consent target state - 9 April.pdf
CDR-API-Stream
commented
4 years ago Please find the final decision document attached here: Decision 99 - Concurrent Consent.pdf
This decision has been incorporated into v1.3.0 of the standards.
Thank you to everyone for your feedback. This consultation provided good contribution from participants and provided important feedback now and into future aspects of the standards.
The final decision document has been reviewed and approved by the Data Standards Chair. It is attached here: Decision 99 - Concurrent Consent.pdf
The prior decision proposal consulted on is available here.
Previous consultation:
This decision proposal continues the consultation on the target state solution for concurrent consent in the standards. It is a continuation of the consultation on Decision Proposal 085.
A proposal document has not been created for this decision as no specific recommendation has been identified by the DSB. Instead the context will be outlined below and the suggested solutions that have previously been proposed by the community will be listed. The intent is that a specific proposal will be generated from this consultation and put to the community for further feedback.
Context In Decision Proposal 085 a change was made to the standards to prepare a path for concurrent consents but that restricted the initial implementation for July 2020 to single extant consent to minimise implementation impact. This decision also proposed a target state to be implemented in the November 2020 timeframe. This target state solution included the passing of an active refresh token via the front channel to the authorize end point. Security concerns have been raised with this approach.
The Ask This consultation is therefore being initiated to identify feasible solutions to the original problem statement articulated in Decision Proposal 085 that will:
Options Identified To Date Staged Intent The FAPI staged intent pattern could be used to stage consent, this would result in a separate intent ID that could be used to refer to a previous consent and would also mean that any sensitive content related to consent is only conveyed server to server.
Pushed Request Object The FAPI pushed request object pattern could be used to stage a complex or sensitive request object. This would be light impact to the standards but would allow for sensitive content related to consent to be only conveyed server to server.
Encrypt Existing Refresh Token The 'existing_refresh_token' claim could be encrypted in the request object.
Addition Of A Sharing ID Introduce the concept of a 'sharing_id' claim that would be issued when a new consent is established that is not a token (and therefore secret) but can be used to identify an existing consent for replacement or revocation purposes.
Status Quo The real risk of passing the refresh token is clarified as being immaterial considering other controls established in the information security profile, such as the usage of client authentication, MTLS and HoK for the token end point. In this case the current, documented target state may be considered valid.