...
This document provides an overview of the options available, the configurations that have to be agreed and the implementation that LFIs would have to carry out for the selected option.
1. Application Layer Authentication Switched Off
In its simplest implementation, Application Layer Authentication can be switched off.
...
This setting can be applied in both directions.
2. API Key
API Keys are the most rudimentary form of access tokens. This is a shared secret that is used between the LFI and the OFP.
...
Operationally, the OFP supports the use of API Keys with a validity of 12 months or more. Key rotation is supported annually.
3. Client Credentials Grant
The OFP supports the use of an access token obtained through an OIDC client credentials grant.
...
Where a client_secret is used to obtain the access token, the client_secret must have a validity of 12 months or more. Secret rotation is supported annually.
4. JWT Auth
JWT-based authentication, or JWT Auth as we often call it, is an Ozone standard for secure and efficient application layer authentication.
...
The use of JWT Auth is supported by Ozone Connect, Consent Manager and Authorisation Server APIs.
5. Service Initiation Token
As a further security mechanism, the OFH allows the use of a service initiation access token.
...