Question : Should DCR payload be a JSON payload on the DCR request or JWS?

[alexasensio]

Current Brazil spec is requiring that the claims of the DCR request are sent as JSON (see example). This follows the spec from RFC7591 and OIDR.

However, in UK this payload is defined as a JWS. Which then requires retrieving the jwks keyset for the TPP.

Question: Given the number of similarities that are being implemented in Brasil when compared with UK, will Brasil' spec change before July to require a JWS instead of a JSON?

My understanding is that mTLS is already adding one layer of security, however, unlike in the UK, there is no current application layer security to prove that the TPP "the TPP app was the originally intended recipient of the SSA when the OB issued it." link.

[RalphBragg]

Why on earth does everyone insist on sharing that document written by that Australian so many years ago like he knew what he was talking about... That specification that you linked too I just find amazing how many times it is referenced by so many bodies as a good idea... which it was, at the time because the UK had very specific requirements that it needed to address at the time. So maybe the author wasn’t quite as crazy I think he is.

In the beginning as they say, the major UK Banks were unable to implement anything like FAPI and so we had to create a security profile that was 'implementable' but 'good enough' initially. https://bitbucket.org/openid/obuk/src/master/uk-openbanking-security-profile.md

One of the major issues with this profile is that it allowed banks to use non certificate based means of authentication 'client_secret_basic'.

With FAPI clients and Brazil, becuase you're relying on metadata in a software statement that describes the clients and where the keystores are (private_key_jwt) or the structure of a certificate they should be using in the case of tls_client_auth, even if a bad actor TPP used a stolen SSA to register a different software statement, the resulting client would be unusuable by the hijacker because they don't have access to any of the key material.

However, in the UK OBIE use case, because banks were issuing credentials (client secrets) after a DCR, they had to be sure that of the provenance of the request over and above the fact that they have an initial access token (ssa) and are using a MTLS link to perform registration. A signed JWT was one way to achieve this however this is unnecessary in a FAPI environment and makes the processing of the double signed wrapped JWT unnecessary complex.

If i can find a powerpoint that shows the ecosystem evolutions of the standards i'll attach it to the ticket.

[RalphBragg]

Answer: FAPI Authorisation Servers only require a JSON Request, the need and justification for the use of a non IETF / OIDF DCR payload is given above.

[alexasensio]

Please thank that Australian for writing a very comprehensive document 3-4 years ago ;)

Thanks for the history lesson. It is clear now.

Let me know if you want me to close the issue or keep it as answered question.

[RalphBragg]

You're more than welcome, keep the ticket open for now.

@alex-siqueira @ginglass - can we get a WIKI going for FAQ and get these questions and answers copied over and translated before closing?

[DeiGratia33]

@RalphBragg , I have written a FAQ MD over here to cover this kind of thing. We may recovery it and include this issue in there.

[joaorodolfo]

I sent it to WG Security to include into SD FAQ.