ConsumerDataStandardsAustralia · JamesMBligh · May 7, 2023 · Apr 24, 2023 · Apr 24, 2023 · May 2, 2023
diff --git a/slate/source/includes/introduction/_fdo.md b/slate/source/includes/introduction/_fdo.md
@@ -28,3 +28,4 @@ The table below highlights these areas of the standards.
 |[Get Account Detail V3](#get-account-detail)|Version 3 of this end point **MUST** be made available by affected data holders by July 10th 2023|July 10th 2023|
 |[Get Accounts V1](#get-account-detail)|Data Holders **MAY** decommission v1 of this end point from March 11th 2024| March 11th 2024 |
 |[Get Account Detail V2](#get-account-detail)|Data Holders **MAY** decommission v2 of this end point from March 11th 2024| March 11th 2024 |
+|[Private Key JWT Client Authentication](#https://consumerdatastandardsaustralia.github.io/standards/?examples#client-authentication) | Change to support [**[RFC7521]**](#nref-RFC7521) such that, until November 13th 2023, clients authenticating using Private Key JWT are _recommended_ to provide the `client_id`, but no longer required. From November 13th 2023, it is then _optional_ to provide the `client_id`. This applies to ADRs and the CDR Register authenticating with Data Holders and ADRs authenticating with the CDR Regsiter. | November 13th 2023 |
diff --git a/slate/source/includes/introduction/_references.md b/slate/source/includes/introduction/_references.md
@@ -30,6 +30,7 @@
 | <a id="nref-RFC5322"></a>**[RFC5322]**  | Internet Message Format: <https://tools.ietf.org/html/rfc5322>                                                      |October 2008
 | <a id="nref-RFC6750"></a>**[RFC6750]**  | The OAuth 2.0 Authorization Framework: Bearer Token Usage: <https://tools.ietf.org/html/rfc6750>                                                                              |Oct 2012
 | <a id="nref-RFC7009"></a>**[RFC7009]**  | OAuth 2.0 Token Revocation: <https://tools.ietf.org/html/rfc7009>                                                                                                             |Aug 2013
+| <a id="nref-RFC7521"></a>**[RFC7521]**  | Assertion Framework for OAuth 2.0 Client Authentication and Authorization Grants: <https://tools.ietf.org/html/rfc7521>                                              |May 2015
 | <a id="nref-RFC7523"></a>**[RFC7523]**  | JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants: <https://tools.ietf.org/html/rfc7523>                                              |May 2015
 | <a id="nref-RFC7662"></a>**[RFC7662]**  | OAuth 2.0 Token Introspection: <https://tools.ietf.org/html/rfc7662> |Oct 2015
 | <a id="nref-RFC8414"></a>**[RFC8414]**  | OAuth 2.0 Authorization Server Metadata: <https://tools.ietf.org/html/rfc8414>                                                                                                          |Jun 2018

diff --git a/slate/source/includes/releasenotes/releasenotes.1.24.0.html.md b/slate/source/includes/releasenotes/releasenotes.1.24.0.html.md
@@ -21,7 +21,7 @@ This release addresses the following minor defects raised on [Standards Staging]
 
 This release addresses the following change requests raised on [Standards Maintenance](https://github.com/ConsumerDataStandardsAustralia/standards-maintenance/issues):
 
-- XXXX
+- [Issue 535: Standard appears to redefine requirements for private_key_jwt authentication](https://github.com/ConsumerDataStandardsAustralia/standards-maintenance/issues/535)
 
 ### Decision Proposals
 
@@ -44,7 +44,9 @@ No Change
 
 ## Information Security Profile
 
-No Change
+|Change|Description|Link|
+|------|-----------|----|
+|RFC6749 conformant Private Key JWT Client Authentication | Change to support **[RFC7521]** such that, until November 13th 2023, clients authenticating using Private Key JWT are _recommended_ to provide the `client_id`, but no longer required. From November 13th 2023, it is then _optional_ to provide the `client_id`. This applies to ADRs and the CDR Register authenticating with Data Holders and ADRs authenticating with the CDR Regsiter. During the RECOMMENDED phase in period, Data Holders and the CDR Register may reject clients that do not provide the `client_id`. ADRs may re-attempt client authentication by providing the `client_id`. During this phase in period, Data Holders and the CDR Register may stop requiring the `client_id`. If the client provides the `client_id`, the Data Holder/CDR Register must validate that its value is the same as the `iss` and `sub` claims in accorance with **[RFC7521](https://datatracker.ietf.org/doc/html/rfc7521#section-4.2)**| [Private Key JWT Client Authentication](../../#client-authentication) |
 
 ## Consumer Experience
 

diff --git a/slate/source/includes/security/_client_authentication.md b/slate/source/includes/security/_client_authentication.md
@@ -59,10 +59,16 @@ Authorisation Servers supporting `private_key_jwt` Client Authentication of clie
     * `iat` - OPTIONAL. Time at which the JWT was issued. Value is a JSON number representing the number of seconds from 1970-01-01T00:00:00Z to the UTC issued at time.
 
 
-* The aforementioned assertion **MUST** be sent to the Authorisation Server's Token endpoint with the `POST` method and **MUST** include the following REQUIRED parameters and **MAY** contain the following OPTIONAL parameters:
+```diff
+Updated the requirements for the client_id claim. It is now recommended the client_id be provided until November 13th 2023. Afterwhich it is optional for clients to provide this claim. It is then beholden on the CDR Register and Data Holders to permit client authentication where the client omits the client_id claim. This facilitates Data Holders seeking FAPI compliance by supporting Private Key JWT client authentication as per [RFC7521].
+```
+
+* The aforementioned assertion **MUST** be sent to the Authorisation Server's Token endpoint with the `POST` method and **MUST** include the following REQUIRED parameters, **SHOULD** include the following RECOMMENDED parameters and **MAY** contain the following OPTIONAL parameters:
 
     * `grant_type` - REQUIRED. The grant type(s) supported by the Authorisation Server.  
-    * `client_id` - REQUIRED. The client ID of the bearer.
+    * `client_id` - 
+      * **Until November 13th 2023**<br/>RECOMMENDED. The client ID of the bearer.
+      * **From November 13th 2023**<br/>OPTIONAL. The client ID of the bearer in accordance with [**[RFC7521]**](#nref-RFC7521).
     * `client_assertion_type` - REQUIRED. This **MUST** be set to `urn:ietf:params:oauth:client-assertion-type:jwt-bearer`.
     * `client_assertion` - REQUIRED. The encoded assertion JWT.
     * `scope` - OPTIONAL. The requested scope as described in [Section 3.3](https://tools.ietf.org/html/rfc6749#section-3.3) of **[[RFC6749]](#nref-RFC6749)**.