Expand | ||||
---|---|---|---|---|
| ||||
|
This document sets out how a requestor should construct a jwt-auth header and how a receiver must validate the header.
Requirements for the requestor
Publication of signing keys on a JWKS
The requestor must publish the URL of the JWKS that must be used to verify messages to the receiver.
The JWKS must be publicly accessible over https.
The requestor must use an assymetric RSA key of 2048 bits or more.
The requestor must ensure that the JWKS must have at least one signing key published. The key must have a unique
kid
on the JWKS.When publishing a new key, the requestor must wait for 10 minutes before issuing a message with the key (to allow the receiver’s caches to refresh)
Creating the authorisation header
The requestor must ensure that the machine on which the signature is generated uses NTP to synchronise its clock.
The requestor must construct the header and payload for the JWT
...
When using JWT Authentication, the following claims should be included:
...
as specified in https://openfinanceuae.atlassian.net/wiki/spaces/APIHubDocsv2/pages/edit-v2/126877708#JWT-Auth-Claims-Reference
The JWT must be signed using the
PS256
algorithm using a private key whose public part has been published on the JWKS.The JWT must be included as a
bearer
token in theauthorization
http header.The https request must be made over mutual tls. The client certificate used to initiate the mutual tls session must have a
DN
andOU
that matches the values placed in the signature
Requirements for the receiver
Verifying the authorisation header
The receiver must ensure that the machine on which the signature is verified uses NTP to synchronise its clock.
The receiver must ensure that the request was received over a mutual tls connection
The reciever must extract the jwt-auth token from the
authorization
http headerThe JWT must verify the signature on the JWT using the
kid
specified in the JWS and the JWKS pre-specified by the senderThe receiver may cache the JWKS for up to ten minutes
The receiver must verify each of the claims in the JWT has the expected value specified in https://openfinanceuae.atlassian.net/wiki/spaces/APIHubDocsv2/pages/edit-v2/126877708#JWT-Auth-Claims-Reference
JWT Auth Claims Reference
Header
Claim Name | Expected Value | Mandatory | Notes |
alg |
| Yes | |
typ |
| Yes | |
cty |
| Yes | |
kid | The key id of keypair used to sign the message . | We recommend that only Other alternatives do not offer similar security and controls and are currently unsupported by Ozone. |
...
as published on the JWKS | Yes | The specification does not support the use of other means of identifying the key as they are not considered to be secure enough (e.g. |
Body
Claim Name | Expected Value | Mandatory | Example value for JWT issued by OzoneExample value for JWT issued by ASPSP | Notes | ||||
iss | Mandatory Should be set to be equal to the The organization | Yes |
| Bancorosa Limited | sub | Mandatory Should be set to be equal to the For a certificate with | ||
sub | The organization unit Ozone UK Hub | Openbanking | aud | Mandatory | Yes | For a certificate with | ||
aud | Identifier for the party receiving the JWT | The |
| exp | Mandatory Expiration time for the JWT.. | Yes | This must be set to the PROVIDER_ID specified by Ozone during configuration. | |
exp | Time when the JWT will expire in UTC seconds since epoch | Yes | 30 | We recommend an expiry time of 10-30s and . When validating the JWT, allow for a 10s clock skew | 30 | 30 | iat | MandatoryThe JWT is considered invalid if the current time is greater than this value |
iat | Time when the JWT was issued in UTC seconds since epochThe resource server processing the header should reject the JWT | Yes | When validating the JWT, allow for a 10s clock skew The JWT is considered invalid if the current time is < iss (after allowing for clock skew)We recommend a 10s allowance for clock skew.less than this value | |||||
nbf | Optional Time before which the JWT is invalidThe resource server processing the header should reject the JWT | No | When validating the JWT, allow for a 10s clock skew The JWT is considered invalid if the current time < nbf (after allowing for clock skew) We recommend a 10s allowance for clock skew. | NOT SENT | jti | Optionalis less than this value (when specified) | ||
jti | A unique identifier for the JWT | Uuid v4 | UUID v4Yes | We recommend that the requestor populates this value with a uuidv4. This increases the entropy for the JWT. |