openbankingspace / tpp-issues


Audience for private Key JWT client assertion and OAuth2 request object #186

Open johnhemming opened 4 years ago

johnhemming commented 4 years ago

There has been a debate by various parties including OB and various TPPs as to what the Audience (Aud) should be for the above.

There are questions as to whether the specification specifies this or not.

One thesis is that the specification requires this to be the token endpoint for the client assertion and the issuer (from the OB directory) for the private key JWT client assertion.

However, quite a few ASPSPs have decided to implement something else and a contrary view is taken that doing so is in accordance with the specification. There is, however, no list of what the different ASPSPs are doing.

Hence I have raised this issue in order to list what I personally have found. Others can then add other items. This relates to the Sandbox implementations:

I copy below bits from my code which should be obvious in their meaning (orgid means using the OrganisationId rather than the defaults above). Capital One - OrganisationId

```java
// Sandbox ASPSPs observed to require the OB directory OrganisationId as 'aud'
// (AudienceOption.orgid) instead of the issuer / token endpoint defaults.
setAudienceOption("Ozone Financial Technology Limited", "2iFQxVLjroeDny1Wt82yvG", AudienceOption.orgid);
setAudienceOption("Ozone Financial Technology Limited", "3iPABZImMFEND0b9ZxSuNC", AudienceOption.orgid);

setAudienceOption("TIDE PLATFORM LTD", "4lmug9hlb2doAhZfHPRKvL", AudienceOption.orgid);
setAudienceOption("TIDE PLATFORM LTD", "4sSV1h0FrcUWNA8XyFDd08", AudienceOption.orgid);

setAudienceOption("APS Financial Ltd", "5NkXymSM4vBTJIbdFgpMAn", AudienceOption.orgid);
setAudienceOption("VANQUIS BANK LIMITED", "78xegifJ02fc3ti8zEh3oC", AudienceOption.orgid);

setAudienceOption("Yorkshire Building Society", "5QzYkHpcCKIbeLtoquPsQB", AudienceOption.orgid);
setAudienceOption("Yorkshire Building Society", "7U5hVDty8WnCY3bufPRb18", AudienceOption.orgid);
```

jogu commented 4 years ago

FAPI working group and OIDF certification team member here.

The correct answers are as follows, and I'll also list out what they should be given https://developer.caterallen.co.uk/.well-known/openid-configuration (Cater Allen's production system - a fairly arbitrary choice, but they are one of the implementations that is FAPI certified, https://openid.net/certification/#FAPI_OPs, and my answers are taken from their actual certification results, https://www.certification.openid.net/plan-detail.html?plan=D1uyHXCTrHgSl&public=true):

  1. For request object passed to authorization endpoint, the 'aud' should be the issuer as found in the discovery document, i.e. https://developer.caterallen.co.uk/ - as described in the standard here: https://bitbucket.org/openid/fapi/annotate/master/Financial_API_WD_002.md?at=master&fileviewer=file-view-default#Financial_API_WD_002.md-203 (for non-FAPI banks, the relevant standard is https://openid.net/specs/openid-connect-core-1_0.html#RequestObject )

  2. For private_key_jwt client assertions passed to the token endpoint, 'aud' should be the token endpoint, i.e. https://developer.caterallen.co.uk/token - the relevant spec reference is https://tools.ietf.org/html/rfc7521#section-5.1

Any bank that doesn't accept the above values is not compliant with the specifications and would fail the conformance tests.
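The two `aud` rules above, worked through in code. This is an added example, not code from the thread or from any ASPSP: it derives both audience values from a constructed discovery document (modelled on the fields named in the comment), builds the claim sets a TPP would sign, and includes the check a token endpoint should apply to an incoming client assertion, including the case where `aud` is an array (which RFC 7519 permits). Signature creation and verification against the client's JWKS are assumed to happen outside these functions; the client id, redirect URI and timestamps are placeholders.

```python
import secrets
import time

# Constructed discovery document modelled on the fields jogu points to;
# real values come from the ASPSP's /.well-known/openid-configuration.
DISCOVERY = {
    "issuer": "https://developer.caterallen.co.uk/",
    "authorization_endpoint": "https://developer.caterallen.co.uk/auth",
    "token_endpoint": "https://developer.caterallen.co.uk/token",
}


def client_assertion_claims(discovery, client_id, now=None, ttl=60):
    """Claims for a private_key_jwt client assertion (RFC 7521 s5.1 / RFC 7523).

    aud is the token endpoint, because the token endpoint is the party that
    consumes the assertion. iss and sub are both the client_id.
    """
    now = int(time.time()) if now is None else now
    return {
        "iss": client_id,
        "sub": client_id,
        "aud": discovery["token_endpoint"],
        "jti": secrets.token_urlsafe(16),  # unique per assertion, for replay detection
        "iat": now,
        "exp": now + ttl,
    }


def request_object_claims(discovery, client_id, redirect_uri, scope, state, nonce,
                          now=None, ttl=300):
    """Claims for a FAPI request object passed to the authorization endpoint.

    aud is the issuer from the discovery document, not the authorization
    endpoint URL and not the OB directory organisation id.
    """
    now = int(time.time()) if now is None else now
    return {
        "iss": client_id,
        "aud": discovery["issuer"],
        "response_type": "code id_token",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "nonce": nonce,
        "nbf": now,
        "exp": now + ttl,
    }


def _aud_values(aud):
    # RFC 7519 allows aud to be a single string or an array of strings.
    return [aud] if isinstance(aud, str) else list(aud)


def validate_client_assertion(claims, discovery, expected_client_id, now=None, max_ttl=300):
    """Token-endpoint-side checks on an already signature-verified client assertion.

    Returns a list of problems; an empty list means the claims are acceptable.
    """
    now = int(time.time()) if now is None else now
    problems = []
    if claims.get("iss") != expected_client_id:
        problems.append("iss must equal the client_id")
    if claims.get("sub") != expected_client_id:
        problems.append("sub must equal the client_id")
    if discovery["token_endpoint"] not in _aud_values(claims.get("aud", [])):
        problems.append("aud must contain the token endpoint")
    if not claims.get("jti"):
        problems.append("jti is required")
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp <= now:
        problems.append("exp missing or in the past")
    elif exp - now > max_ttl:
        problems.append("exp too far in the future")
    return problems


if __name__ == "__main__":
    assertion = client_assertion_claims(DISCOVERY, "tpp-client-id")
    print("client assertion aud:", assertion["aud"])
    request = request_object_claims(DISCOVERY, "tpp-client-id", "https://tpp.example/cb",
                                    "openid accounts", "state-1", "nonce-1")
    print("request object aud:", request["aud"])
    wrong = dict(assertion, aud=DISCOVERY["issuer"])
    print("problems with aud=issuer:", validate_client_assertion(wrong, DISCOVERY, "tpp-client-id"))
```

The validator rejects an assertion whose `aud` is the issuer (the value several sandboxes in the thread appear to expect) and accepts one whose `aud` array contains the token endpoint alongside other values, which is the lenient-but-correct behaviour an ASPSP can adopt without breaking conforming clients.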