Validation of client_id parameter in client authentication requests #172

Closed
WestpacOpenBanking opened this issue Mar 30, 2020 · 2 comments
Labels
Security Change or question related to the information security profile

Comments

@WestpacOpenBanking
Description

The Australian CDS information security profile mandates that a data recipient client calling data holders must provide a client_id parameter. This parameter is redundant because the client ID is also provided in the iss and sub claims of the client assertion JWT provided during the authentication request following the private_key_jwt method as in section 9 of OIDC. RFC 7521 implies in section 4.2 that this parameter is optional for clients (hence that servers must accept the parameter) and that if present the server MUST validate that the value provided matches the values in the iss and sub claims of the authentication request (as in section 9 of the OIDC spec). Neither the Australian security profile nor the normative references currently specify that the server must ensure that a client_id is provided.

Area Affected

The Data Recipients calling Data Holders section.

Change Proposed

In order to provide clarity for all participants and align with vendor implementations and standard practices, we suggest that the documentation is amended to confirm that it is not mandatory for the server to check that a client_id is provided.

@perlboy
perlboy commented Mar 31, 2020

I agree that client_id is not mandatory and, in fact, FAPI conformance tools do not check it at all. With that said, however, if it is supplied it MUST match the client_id in the assertion.

@CDR-API-Stream
Collaborator

Hi @WestpacOpenBanking, as you correctly point out, the normative standards specify that if the client_id is provided it must be validated by the DH. The CDS has required ADRs to provide this parameter since the earliest version of the InfoSec profile so changing it now will impact all ADRs.

Making this optional would not achieve any change for DHs in any event, because DHs would still need to implement the checks to validate the client_id when presented by the ADR.

This change request doesn't appear to result in any material benefit to DHs whilst having the client_id currently set to mandatory ensures DHs can reliably check the presence of the parameter, or error.
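The checks this thread describes, as an added example that is not code from the issue or from the CDS project: a data-holder token endpoint authenticating a private_key_jwt client, where iss and sub must both carry the client_id and a client_id request parameter, if present, must equal them. HS256 with a constructed per-client key stands in for the RS256/PS256 signature a real deployment verifies against the registered public key; the client registry, client ids and audience URL are assumptions.

```python
import base64, hashlib, hmac, json, time

JWT_BEARER = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
# Constructed stand-in registry: one symmetric key per registered client.
# Real private_key_jwt verifies an RS256/PS256 signature with the client's
# registered public key; the iss/sub/client_id checks below are unchanged.
REGISTERED_CLIENTS = {"adr-12345": b"constructed-demo-key"}

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_assertion(client_id: str, key: bytes, aud: str) -> str:
    """Build a client assertion JWT (constructed test input, HS256 stand-in)."""
    header = _b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    claims = {"iss": client_id, "sub": client_id, "aud": aud,
              "exp": int(time.time()) + 300}
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def authenticate_client(params: dict, token_endpoint: str) -> str:
    """Data-holder side check of a private_key_jwt token request; returns the
    authenticated client_id or raises ValueError with the OAuth error."""
    if params.get("client_assertion_type") != JWT_BEARER:
        raise ValueError("invalid_client: unsupported client_assertion_type")
    try:
        h, p, s = params["client_assertion"].split(".")
        header, claims = (json.loads(_b64url_decode(x)) for x in (h, p))
        sig = _b64url_decode(s)
    except (KeyError, ValueError):
        raise ValueError("invalid_client: malformed client_assertion")
    iss, sub = claims.get("iss"), claims.get("sub")
    # OIDC Core section 9: iss and sub MUST both contain the client_id.
    if not iss or iss != sub:
        raise ValueError("invalid_client: iss/sub must both equal the client_id")
    key = REGISTERED_CLIENTS.get(iss)
    # Pin the algorithm before verifying; never trust the header's choice.
    if key is None or header.get("alg") != "HS256":
        raise ValueError("invalid_client: unknown client or algorithm")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise ValueError("invalid_client: signature verification failed")
    if claims.get("aud") != token_endpoint or claims.get("exp", 0) < time.time():
        raise ValueError("invalid_client: wrong audience or expired assertion")
    # RFC 7521 s4.2: client_id is OPTIONAL, but when present it MUST match.
    if "client_id" in params and params["client_id"] != iss:
        raise ValueError("invalid_client: client_id does not match assertion")
    return iss
```

A request without client_id and one whose client_id matches the assertion both succeed; a client_id that differs from iss/sub is rejected, which is the behaviour both commenters describe.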
