JanssenProject / jans

An open source enterprise digital identity platform for CIAM or workforce... Janssen is a distribution of standards-based, developer-friendly components that are engineered to work together in any cloud. #OAuth #OpenID #FIDO
https://docs.jans.io
Apache License 2.0

Openbanking DCR validations #305

Closed maduvena closed 1 year ago

maduvena commented 3 years ago
  1. token_endpoint_auth_method MUST be set to tls_client_auth. The client metadata parameter tls_client_auth_dn MUST be included in the registration request.

  2. OPs SHALL reject requests if the requested configuration is not supported by the OP, e.g. the token_endpoint_auth_method requested should match one listed on the well-known configuration endpoint.

  3. The signature of the registration request assertion MUST successfully validate against the JWKS URI specified in the software_jwks_endpoint attribute of the software statement assertion (SSA).
     - If the request assertion specifies a redirect_uris metadata element, the array contents MUST match or be a subset of the software_redirect_uris claim in the SSA.

  4. If the request assertion specifies a software_id metadata element, that value MUST match the software_id element in the SSA.

  5. An ASPSP MUST return an error response if any of the following requirements are not met:
     - The transport layer negotiated by the TPP MUST be mutually authenticated.
     - The client TLS certificate SHOULD chain to a certificate located in the SSA 'org_jwks_endpoint' attribute.
     - The client TLS certificate must contain the following attributes:
       - The Subject DN MUST contain the commonName (CN) attribute and organisationUnit (OU) of the certificate.
       - The CN attribute of the certificate MUST match the software_id specified within the SSA.
       - The OU attribute of the certificate MUST match the org_id specified within the SSA.
       - The Issuer DN MUST be validated ensuring that the issuer was the appropriate Open Banking CA for the environment.
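The metadata and certificate rules listed in this issue, sketched as a single check function. This is an added example, not code from the issue or from the Janssen project. It assumes the request assertion and SSA signatures, the certificate chain and the Issuer DN were already validated upstream; the function name, the parsed `cert_subject` dictionary and all sample values are hypothetical.

```python
# Added example: checks 1, 2, 3 (redirect_uris), 4 and 5 (CN/OU) from the list above.
# Signature, chain and issuer validation are assumed to have happened before this runs.

def validate_dcr(request, ssa, op_metadata, cert_subject):
    """Return the list of violated requirements (empty means the request passes).

    request / ssa: verified claim sets; op_metadata: well-known configuration;
    cert_subject: Subject DN attributes of the client TLS certificate (assumed input).
    """
    errors = []
    method = request.get("token_endpoint_auth_method")
    # 1. tls_client_auth, accompanied by tls_client_auth_dn
    if method != "tls_client_auth":
        errors.append("token_endpoint_auth_method must be tls_client_auth")
    elif not request.get("tls_client_auth_dn"):
        errors.append("tls_client_auth_dn is required")
    # 2. the requested method must be one the OP advertises
    if method not in op_metadata.get("token_endpoint_auth_methods_supported", []):
        errors.append("token_endpoint_auth_method not supported by the OP")
    # 3. redirect_uris, if present, must match or be a subset of the SSA's list
    if "redirect_uris" in request:
        uris = request["redirect_uris"]
        allowed = set(ssa.get("software_redirect_uris", []))
        if (not isinstance(uris, list) or not all(isinstance(u, str) for u in uris)
                or not set(uris) <= allowed):
            errors.append("redirect_uris not a subset of software_redirect_uris")
    # 4. software_id, if present, must equal the SSA's software_id
    if "software_id" in request and request["software_id"] != ssa.get("software_id"):
        errors.append("software_id does not match the SSA")
    # 5. certificate CN must equal software_id, OU must equal org_id; both required
    for attr, claim in (("CN", "software_id"), ("OU", "org_id")):
        value = cert_subject.get(attr)
        if not value or value != ssa.get(claim):
            errors.append(f"certificate {attr} must match SSA {claim}")
    return errors

# Constructed sample values, not taken from any real directory or certificate.
SSA = {"software_id": "sw-123", "org_id": "org-456",
       "software_redirect_uris": ["https://tpp.example/cb", "https://tpp.example/cb2"]}
OP = {"token_endpoint_auth_methods_supported": ["tls_client_auth", "private_key_jwt"]}
CERT = {"CN": "sw-123", "OU": "org-456"}
GOOD = {"token_endpoint_auth_method": "tls_client_auth",
        "tls_client_auth_dn": "CN=sw-123,OU=org-456",
        "software_id": "sw-123", "redirect_uris": ["https://tpp.example/cb"]}

if __name__ == "__main__":
    print(validate_dcr(GOOD, SSA, OP, CERT))
    print(validate_dcr({**GOOD, "redirect_uris": ["https://other.example/cb"]}, SSA, OP, CERT))
```

Collecting every violation instead of stopping at the first keeps the error response and the audit log complete for a single rejected request.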

maduvena commented 3 years ago

1 and 2 implemented