openbankingspace / tpp-issues


OBIE - Directory Sandbox SSA API returning alg RS256 #139

Open ashleymiller-kcom opened 5 years ago

ashleymiller-kcom commented 5 years ago

Issue

SSA generated from Open Banking website returns alg as PS256. SSA generated from Open Banking via SSA API returns alg as RS256.

Steps to reproduce

  1. Log in to Open Banking here: https://directory.openbanking.org.uk/s/login/
  2. Generate your organisation's Software Statement Assertion via the UI.
  3. Decode the SSA using jwt.io or similar and it contains a header with:

{ "alg": "PS256", "kid": "removed", "typ": "JWT" }

  4. Use the obdatat utility to obtain an Auth Token, as detailed in Section 10 of the Open Banking Directory Usage (Directory Sandbox) document here
  5. Make an HTTP GET call using the Auth Token and relevant scope to: https://matls-ssaapi.openbankingtest.org.uk/api/v1rc2/tpp//ssa/
  6. Decode the SSA using jwt.io or similar and it contains a header with:

{ "alg": "RS256", "kid": "removed", "typ": "JWT" }

Impact

May catch a few people out. Issue identified on the OBIE Directory Sandbox, but I'm unable to access the OBIE Directory itself to verify whether it is also present there.

Workaround

Obtain SSA direct from the Open Banking website, rather than via the published API endpoint.

Submitted as OBSD-7460
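
Added example (not part of the original issue and not OBIE tooling): a local check of the SSA's JOSE header, so the `alg` difference reported above can be caught without pasting the assertion into a web decoder. It reads the header only and does not verify the signature; the function names, `EXPECTED_ALG` and the sample tokens (constructed, with a dummy signature) are assumptions for illustration.

```python
import base64
import json

# Assumption: PS256 is what the consumer expects, as seen on the UI-generated SSA.
EXPECTED_ALG = "PS256"


def b64url_decode(segment):
    """Decode an unpadded base64url segment of a compact JWS."""
    padded = segment + "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(padded.encode("ascii"))


def ssa_header(ssa):
    """Return the JOSE header of a compact-serialised SSA (no signature check)."""
    parts = ssa.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected 3 dot-separated segments")
    try:
        header = json.loads(b64url_decode(parts[0]))
    except ValueError as exc:  # covers base64, UTF-8 and JSON decoding errors
        raise ValueError(f"undecodable JWS header: {exc}") from exc
    if not isinstance(header, dict):
        raise ValueError("JWS header is not a JSON object")
    return header


def check_ssa_alg(ssa, expected=EXPECTED_ALG):
    """Return (ok, message) describing whether the SSA header alg is the expected one."""
    alg = ssa_header(ssa).get("alg")
    if alg == expected:
        return True, f"alg={alg} matches expected {expected}"
    return False, f"alg={alg!r} differs from expected {expected}"


def make_sample_ssa(alg):
    """Build a constructed, unsigned token with the header shape shown in the issue."""
    def enc(raw):
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")
    header = {"alg": alg, "kid": "removed", "typ": "JWT"}
    payload = {"note": "constructed sample, not a real SSA"}
    return ".".join([enc(json.dumps(header).encode()),
                     enc(json.dumps(payload).encode()),
                     enc(b"dummy-signature")])


if __name__ == "__main__":
    for source, alg in (("UI", "PS256"), ("SSA API", "RS256")):
        print(source, check_ssa_alg(make_sample_ssa(alg)))
```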