Closed samlarsen1 closed 2 years ago
The requirement in this space was articulated in https://github.com/OpenBanking-Brasil/specs-seguranca/blob/main/open-banking-brasil-financial-api-1_ID1.md
shall ensure Access Tokens are issued with sufficient scope necessary for access to data specified in the Permissions element of a linked Consent Resource object;
Consumers will consent to a specific set of permissions (not scopes) with a TPP. A TPP, based on their regulatory roll is allowed to ask for these permissions at all times. i.e it is a DADOS. The obligation is placed onto the OpenID Provider to ensure that an Access Token is always issued that grants access to the consented permissions.
It has been raised previously that the inclusion of numerous scopes for the same regulatory given role is confusing and adds potential complexity, poorer user experience for no customer or security benefit. The security working group felt it was was too late to address as part of this first release however, in order to mitigate the impact of this issue, the requirements as specified in the security profile put the obligation on the banks to 'always ensure that an access token can be granted that will provide access to the resources permitted by the customer'.
For information, this same principle is echoed by the FAPI WG when it comes to Grant Management and Rich Authorisation Request (which is similar in a lot of respects to the 'Consent API'). If there is sufficient 'scope' in a RAR request to convey meaning and authorisation then an RS should honour the AT. It should not require a TPP to specify a 'fine-grained authorization_details in a 'RAR Payload' + 'A scope string' if the RAR authorization_details is sufficient to describe the request.
This direction from the OIDF FAPI WG has been applied here: The TPP has agreed and presented to the customers what PERMISSIONS it wishes to be granted. The TPP has defined what PERMISSIONS it wants in the Consent API of the Bank. The TPP requests the Bank to confirm with the customer that it wishes to have PERMISSION to access the requested resources.
ergo any access token issued should be sufficient for the TPP to gain access to those resources.
On a personal note; i'd prefer to see these myriad of scopes dropped in subsequent releases as, for our bank implementations are following the following logic on an Authorization request.
RFC6749 "The authorization server MAY fully or partially ignore the scope requested by the client, based on the authorization server policy or the resource owner's instructions. " gives the ability for the Authorization Server to apply what it needs to in order for the 'Resource Owners instructions' to be carried out.
@RalphBragg I still think this question is unclear, at least for me.
Two scenarios to try to clarify the question:
Scenario A:
Scenario B:
Hi - so i would be applying the same logic that applies to 'rich authorisation requests' which is essentially what the Consent Object is.
"Since the scopes overwrite the permissions granted by a customer". Is incorrect using a referenced Consent. The Customer has consented to certain access, the TPP is allowed access to those resources by its regulatory permission ergo access should be granted. In the same way that rich authorisation requests authoriation_details are sufficient to grant access to this resource the scope should be ignored.
I have raised this many times with the security working group which is why the security requirements are explicit. The AS will ensure that access tokens are issued that have sufficient scope to provide access to the resources authorized by the customers. The customers authorise permission, transaction date ranges and associate accounts in the Consent Resource. Scopes are completely superflous. This interpretation applies also to RAR which is why it has been applied to lodging intent based resources. As defined by RFC7591 scope String containing a space-separated list of scope values (as described in Section 3.3 of OAuth 2.0 [RFC6749]) that the client can use when requesting access tokens. The semantics of values in this list are service specific. If omitted, an authorization server MAY register a client with a default set of scopes.
The authorization server MAY reject or replace any of the client's requested metadata values submitted during the registration and substitute them with suitable values.
In order to address this for our Banking Customers, we are exercising this clause of RFC7591, they will always have access to the full set of scopes for their regulatory roles. This negates this problem and is one that i have recommended be adopted formally, or just remove all of these superflous scopes. Whenever a customer registers or updates their metadata the scope will be calculated based on their regulatory rules.
Scenario B. This is a revocation; if a TPP loses one of the regulatory roles that are defined in the directory the application in its entirety will be revoked. Notifications will be sent via webhook and the keys will be moved to an inactive state. This is the same approach in the UK.
If we receive a PUT /register update for a TPP Client with a different (smaller) sub-set of allowed scopes, are we expected to delete all consents that have been previously issued which may include scopes that are no longer allowed? Or do we simply delete all consents? Or is this something we should evaluate in real-time for each resource API request?
e.g. Initial Scopes: openid accounts credit-cards-accounts consents customers invoice-financings financings loans unarranged-accounts-overdraft
New Scopes: openid accounts consents