From 2c7034213a5e373a0f9943f1c78f9b946342c00e Mon Sep 17 00:00:00 2001
From: Mark Verstege <2514377+markverstege@users.noreply.github.com>
Date: Mon, 24 Apr 2023 13:25:57 +1000
Subject: [PATCH 1/2] Standards Maintenance 535: Updated Private Key JWT client
authentication requirements
---
slate/source/includes/introduction/_fdo.md | 1 +
slate/source/includes/introduction/_references.md | 1 +
.../includes/releasenotes/releasenotes.1.24.0.html.md | 6 ++++--
.../source/includes/security/_client_authentication.md | 10 ++++++++--
4 files changed, 14 insertions(+), 4 deletions(-)
diff --git a/slate/source/includes/introduction/_fdo.md b/slate/source/includes/introduction/_fdo.md
index 3948b0a9..fee47014 100644
--- a/slate/source/includes/introduction/_fdo.md
+++ b/slate/source/includes/introduction/_fdo.md
@@ -28,3 +28,4 @@ The table below highlights these areas of the standards.
|[Get Account Detail V3](#get-account-detail)|Version 3 of this end point **MUST** be made available by affected data holders by July 10th 2023|July 10th 2023|
|[Get Accounts V1](#get-account-detail)|Data Holders **MAY** decommission v1 of this end point from March 11th 2024| March 11th 2024 |
|[Get Account Detail V2](#get-account-detail)|Data Holders **MAY** decommission v2 of this end point from March 11th 2024| March 11th 2024 |
+|[Private Key JWT Client Authentication](#https://consumerdatastandardsaustralia.github.io/standards/?examples#client-authentication) | Change to support [**[RFC7521]**](#nref-RFC7521) such that, until November 13th 2023, clients authenticating using Private Key JWT are _recommended_ to provide the `client_id`, but no longer required. From November 13th 2023, it is then _optional_ to provide the `client_id`. This applies to ADRs and the CDR Register authenticating with Data Holders and ADRs authenticating with the CDR Regsiter. | November 13th 2023 |
\ No newline at end of file
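Review bot: The link target in the added row, `#https://consumerdatastandardsaustralia.github.io/standards/?examples#client-authentication`, is an absolute URL prefixed with `#`, so it renders as a fragment link to an anchor that does not exist; every other row in this table uses a bare section anchor, so `#client-authentication` would match them. Two smaller points on the same row: "CDR Regsiter" is misspelled (this occurrence is not among the ones corrected in PATCH 2/2), and the file is left without a trailing newline ("\ No newline at end of file").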
diff --git a/slate/source/includes/introduction/_references.md b/slate/source/includes/introduction/_references.md
index 75f594ae..fb4d030b 100644
--- a/slate/source/includes/introduction/_references.md
+++ b/slate/source/includes/introduction/_references.md
@@ -30,6 +30,7 @@
| **[RFC5322]** | Internet Message Format: |October 2008
| **[RFC6750]** | The OAuth 2.0 Authorization Framework: Bearer Token Usage: |Oct 2012
| **[RFC7009]** | OAuth 2.0 Token Revocation: |Aug 2013
+| **[RFC7521]** | Assertion Framework for OAuth 2.0 Client Authentication and Authorization Grants: |May 2015
| **[RFC7523]** | JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants: |May 2015
| **[RFC7662]** | OAuth 2.0 Token Introspection: |Oct 2015
| **[RFC8414]** | OAuth 2.0 Authorization Server Metadata: |Jun 2018
diff --git a/slate/source/includes/releasenotes/releasenotes.1.24.0.html.md b/slate/source/includes/releasenotes/releasenotes.1.24.0.html.md
index cc63a6a6..496823f3 100644
--- a/slate/source/includes/releasenotes/releasenotes.1.24.0.html.md
+++ b/slate/source/includes/releasenotes/releasenotes.1.24.0.html.md
@@ -21,7 +21,7 @@ This release addresses the following minor defects raised on [Standards Staging]
This release addresses the following change requests raised on [Standards Maintenance](https://github.com/ConsumerDataStandardsAustralia/standards-maintenance/issues):
-- XXXX
+- [Issue 535: Standard appears to redefine requirements for private_key_jwt authentication](https://github.com/ConsumerDataStandardsAustralia/standards-maintenance/issues/535)
### Decision Proposals
@@ -44,7 +44,9 @@ No Change
## Information Security Profile
-No Change
+|Change|Description|Link|
+|------|-----------|----|
+|RFC6749 conformant Private Key JWT Client Authentication | Change to support **[RFC7521]** such that, until November 13th 2023, clients authenticating using Private Key JWT are _recommended_ to provide the `client_id`, but no longer required. From November 13th 2023, it is then _optional_ to provide the `client_id`. This applies to ADRs and the CDR Register authenticating with Data Holders and ADRs authenticating with the CDR Regsiter. During the RECOMMENDED phase in period, Data Holders and the CDR Register may reject clients that do not provide the `client_id`. ADRs may re-attempt client authentication by providing the `client_id`. During this phase in period, Data Holders and the CDR Register may stop requiring the `client_id`. If the client provides the `client_id`, the Data Holder/CDR Register must validate that its value is the same as the `iss` and `sub` claims in accorance with **[RFC7521](https://datatracker.ietf.org/doc/html/rfc7521#section-4.2)**| [Private Key JWT Client Authentication](../../#client-authentication) |
## Consumer Experience
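Review bot: The row's Change column is titled "RFC6749 conformant Private Key JWT Client Authentication" while the description is entirely about conforming to **[RFC7521]**; retitle it to the RFC actually cited. The description should also state the outcome of the check it requires: it says the Data Holder/CDR Register "must validate that its value is the same as the `iss` and `sub` claims" but not that a mismatch is rejected, which is the point of validating it. Minor: "may reject" and "may stop requiring" are lowercase where the rest of the document bolds its RFC 2119 keywords, and "Regsiter" and "accorance" are misspelled (both corrected in PATCH 2/2).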
diff --git a/slate/source/includes/security/_client_authentication.md b/slate/source/includes/security/_client_authentication.md
index 0869cc7e..e31a34df 100644
--- a/slate/source/includes/security/_client_authentication.md
+++ b/slate/source/includes/security/_client_authentication.md
@@ -59,10 +59,16 @@ Authorisation Servers supporting `private_key_jwt` Client Authentication of clie
* `iat` - OPTIONAL. Time at which the JWT was issued. Value is a JSON number representing the number of seconds from 1970-01-01T00:00:00Z to the UTC issued at time.
-* The aforementioned assertion **MUST** be sent to the Authorisation Server's Token endpoint with the `POST` method and **MUST** include the following REQUIRED parameters and **MAY** contain the following OPTIONAL parameters:
+```diff
+Updated the requirements for the client_id claim. It is now recommended the client_id be provided until November 13th 2023. Afterwhich it is optional for clients to provide this claim. It is then beholden on the CDR Register and Data Holders to permit client authentication where the client omits the client_id claim. This facilitates Data Holders seeking FAPI compliance by supporting Private Key JWT client authentication as per [RFC7521].
+```
+
+* The aforementioned assertion **MUST** be sent to the Authorisation Server's Token endpoint with the `POST` method and **MUST** include the following REQUIRED parameters, **SHOULD** include the following RECOMMENDED parameters and **MAY** contain the following OPTIONAL parameters:
* `grant_type` - REQUIRED. The grant type(s) supported by the Authorisation Server.
- * `client_id` - REQUIRED. The client ID of the bearer.
+ * `client_id` -
+ * **Until November 13th 2023**
RECOMMENDED. The client ID of the bearer.
+ * **From November 13th 2023**
OPTIONAL. The client ID of the bearer in accordance with [**[RFC7521]**](#nref-RFC7521).
* `client_assertion_type` - REQUIRED. This **MUST** be set to `urn:ietf:params:oauth:client-assertion-type:jwt-bearer`.
* `client_assertion` - REQUIRED. The encoded assertion JWT.
* `scope` - OPTIONAL. The requested scope as described in [Section 3.3](https://tools.ietf.org/html/rfc6749#section-3.3) of **[[RFC6749]](#nref-RFC6749)**.
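Review bot: The change note inside the ```diff block refers to the "client_id claim", but the item relaxed at `* client_id -` is the `client_id` form parameter of the token request (this list is the set of parameters sent with `POST`), not a claim in the assertion; the client identity inside the JWT is carried by `iss` and `sub`, so "claim" should read "parameter" to avoid implying a change to the assertion's contents. Two further points: the updated lead sentence says the request **SHOULD** include "the following RECOMMENDED parameters", but from November 13th 2023 no parameter in the list is RECOMMENDED, so the sentence will read oddly once that date passes; and splitting `client_id` into two dated sub-bullets breaks the `name - LEVEL. description` pattern every other bullet follows. A single bullet along the lines of `client_id` - RECOMMENDED until November 13th 2023, OPTIONAL thereafter in accordance with [RFC7521]. The client ID of the bearer. keeps the list uniform. Also, as shown, the continuation lines "RECOMMENDED. The client ID of the bearer." and "OPTIONAL. The client ID of the bearer ..." carry no leading `+` although they are new text, so confirm the patch applies cleanly.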
From 47bcba8aac9edd8881587e7fa13cb4768f88803b Mon Sep 17 00:00:00 2001
From: Mark Verstege <2514377+markverstege@users.noreply.github.com>
Date: Tue, 2 May 2023 13:40:40 +1000
Subject: [PATCH 2/2] Corrected typos
---
slate/source/includes/releasenotes/releasenotes.1.24.0.html.md | 2 +-
slate/source/includes/security/_client_authentication.md | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/slate/source/includes/releasenotes/releasenotes.1.24.0.html.md b/slate/source/includes/releasenotes/releasenotes.1.24.0.html.md
index 496823f3..4bd98eac 100644
--- a/slate/source/includes/releasenotes/releasenotes.1.24.0.html.md
+++ b/slate/source/includes/releasenotes/releasenotes.1.24.0.html.md
@@ -46,7 +46,7 @@ No Change
|Change|Description|Link|
|------|-----------|----|
-|RFC6749 conformant Private Key JWT Client Authentication | Change to support **[RFC7521]** such that, until November 13th 2023, clients authenticating using Private Key JWT are _recommended_ to provide the `client_id`, but no longer required. From November 13th 2023, it is then _optional_ to provide the `client_id`. This applies to ADRs and the CDR Register authenticating with Data Holders and ADRs authenticating with the CDR Regsiter. During the RECOMMENDED phase in period, Data Holders and the CDR Register may reject clients that do not provide the `client_id`. ADRs may re-attempt client authentication by providing the `client_id`. During this phase in period, Data Holders and the CDR Register may stop requiring the `client_id`. If the client provides the `client_id`, the Data Holder/CDR Register must validate that its value is the same as the `iss` and `sub` claims in accorance with **[RFC7521](https://datatracker.ietf.org/doc/html/rfc7521#section-4.2)**| [Private Key JWT Client Authentication](../../#client-authentication) |
+|RFC6749 conformant Private Key JWT Client Authentication | Change to support **[RFC7521]** such that, until November 13th 2023, clients authenticating using Private Key JWT are _recommended_ to provide the `client_id`, but no longer required. From November 13th 2023, it is then _optional_ to provide the `client_id`. This applies to ADRs and the CDR Register authenticating with Data Holders and ADRs authenticating with the CDR Register. During the RECOMMENDED phase in period, Data Holders and the CDR Register may reject clients that do not provide the `client_id`. ADRs may re-attempt client authentication by providing the `client_id`. During this phase in period, Data Holders and the CDR Register may stop requiring the `client_id`. If the client provides the `client_id`, the Data Holder/CDR Register must validate that its value is the same as the `iss` and `sub` claims in accordance with **[RFC7521](https://datatracker.ietf.org/doc/html/rfc7521#section-4.2)**| [Private Key JWT Client Authentication](../../#client-authentication) |
## Consumer Experience
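Review bot: The typo fixes here cover only the release-notes row; the same "CDR Regsiter" misspelling introduced in `_fdo.md` by PATCH 1/2 is not touched, so it will still ship. Suggest correcting it in this commit as well so the series leaves no instance behind.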
diff --git a/slate/source/includes/security/_client_authentication.md b/slate/source/includes/security/_client_authentication.md
index e31a34df..d3a1b600 100644
--- a/slate/source/includes/security/_client_authentication.md
+++ b/slate/source/includes/security/_client_authentication.md
@@ -60,7 +60,7 @@ Authorisation Servers supporting `private_key_jwt` Client Authentication of clie
```diff
-Updated the requirements for the client_id claim. It is now recommended the client_id be provided until November 13th 2023. Afterwhich it is optional for clients to provide this claim. It is then beholden on the CDR Register and Data Holders to permit client authentication where the client omits the client_id claim. This facilitates Data Holders seeking FAPI compliance by supporting Private Key JWT client authentication as per [RFC7521].
+Updated the requirements for the client_id claim. It is now recommended the client_id be provided until November 13th 2023. After which it is optional for clients to provide this claim. It is then beholden on the CDR Register and Data Holders to permit client authentication where the client omits the client_id claim. This facilitates Data Holders seeking FAPI compliance by supporting Private Key JWT client authentication as per [RFC7521].
```
* The aforementioned assertion **MUST** be sent to the Authorisation Server's Token endpoint with the `POST` method and **MUST** include the following REQUIRED parameters, **SHOULD** include the following RECOMMENDED parameters and **MAY** contain the following OPTIONAL parameters:
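Review bot: "After which it is optional for clients to provide this claim." is a sentence fragment; join it to the preceding sentence, e.g. "... be provided until November 13th 2023, after which it is optional for clients to provide this parameter." As in the original wording, "claim" should be "parameter": the `client_id` being relaxed is a token-request parameter, whereas the claims that identify the client inside the assertion are `iss` and `sub`.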