Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Documentation defect in the non-normative example - DH calling the DR Revocation Endpoint #200

Closed
CDR-AMO opened this issue Apr 23, 2020 · 3 comments
Closed

Documentation defect in the non-normative example - DH calling the DR Revocation Endpoint #200

CDR-AMO opened this issue Apr 23, 2020 · 3 comments

Comments

@CDR-AMO
Copy link

CDR-AMO commented Apr 23, 2020
edited
Loading

Description

For a DH calling the DR Revocation endpoint the non-normative examples provided in the Client Authentication section includes a Bearer Token for authorization as below .

POST https://data.recipient.com.au/revocation HTTP/1.1
Host: data.recipient.com.au
Content-Type: application/x-www-form-urlencoded
Authorization: Bearer eyJhbGciOiJQUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IjEyNDU2In0.ey

However, for both DH and DR revocation endpoints, Client Authentication is the only requirement and no bearer token is needed in the authorization header as detailed in the Revocation Endpoints section .

The documentation needs to be corrected accordingly to use client_assertion instead of a bearer token.
@pcurtisrab
Copy link

pcurtisrab commented May 3, 2020
edited
Loading

Regional Australia Bank would like to note that we read the Consumer Data Standard as complete and consistent in this regard.

The Revocation Endpoints section indeed states the use of Client Authentication. However, Client Authentication takes different forms depending on who is the sender and receiver of the request. For example:

  • DR calling DH revocation endpoint uses the client_id, client_assertion JWT POST body parameters.
  • DH calling DR revocation endpoint supplies the JWT as a bearer token.

Both forms come under the heading of the Client Authentication, and this method is not in conflict with RFC 6749 Section 2.3, specifically 2.3.2 on alternative authentication methods.

That is to say, this is not something we feel needs correction due to some technical conflict or incompleteness within the standards. On the other hand, we would value simplicity taking into account overall ecosystem complexity and existing implementations.

@CDR-API-Stream
Copy link
Collaborator

The example referenced is for the Data Recipient calling the Data Holder and appears correct using the Self-Signed JWT method. It is different to the Private Key JWT method for Data Recipients calling Data Holders. For Maintenance Iteration 11, it is proposed that this issue be closed with no change.

@CDR-API-Stream CDR-API-Stream mentioned this issue May 10, 2022
Closed
@CDR-API-Stream
Copy link
Collaborator

This issue was discussed in the Maintenance Iteration 11 call. It is proposed this change be closed with no change unless feedback is received during the maintenance iteration.

@markverstege markverstege mentioned this issue May 24, 2022
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
Data Standards Maintenance
Archived in project
Milestone
No milestone
Development

No branches or pull requests
4 participants
@JamesMBligh @pcurtisrab @CDR-API-Stream @CDR-AMO