...
Where a client_secret is used to obtain the access token, the client_secret must have a validity of 12 months or more. Secret rotation is supported annually.
scope values are set during onboarding, based on LFI requirements.
4. JWT Auth
JWT-based authentication, or JWT Auth as we often call it, is an Ozone standard for secure and efficient application-layer authentication.
...
The tokens are generated using PS256, a secure asymmetric algorithm that does not rely on shared secrets.
Additional infrastructure setup is not required.
The keys utilise standard JWS and JWKS, which are widely supported in many programming languages.
In the CBUAE context, the signing keys that are used are generated and managed by the OFTF
Key rotation is managed by the sending party. The receiving party uses a JWKS for verifying the JWS. The sender can rotate keys as often as they please!
The sender can decide on the validity period of the token based on their security posture
The standard specifies claims that bind the token to certificates with a specific OU and DN in the underlying mutual TLS layer.
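To make the sender and receiver sides of JWT Auth concrete, the following Go program is an added example; it is not code from the Ozone documentation or from the OFTF. The sending party signs a token with PS256 and publishes its public key in a JWKS keyed by kid (so rotation is just publishing a new kid and signing with it); the receiving party looks the key up in the JWKS, pins the algorithm to PS256, verifies the JWS, enforces the sender-chosen expiry, and checks the token's binding claims against the OU and DN of the certificate presented on the mutual TLS connection. The claim names cert_ou and cert_dn, the kid, and the OU/DN values are assumptions made for this example, and the certificate attributes are passed in as strings rather than read from a live TLS session.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// JWK is the minimal RSA public-key entry (RFC 7517) in the sender's JWKS; rotation means publishing a new kid and signing with it.
type JWK struct {
	Kty string `json:"kty"`
	Kid string `json:"kid"`
	N   string `json:"n"`
	E   string `json:"e"`
}
type JWKS struct{ Keys []JWK `json:"keys"` }

// Claims: registered claims plus two binding claims whose names (cert_ou, cert_dn) are assumed for this example.
type Claims struct {
	Aud    string `json:"aud"`
	Exp    int64  `json:"exp"`
	CertOU string `json:"cert_ou"`
	CertDN string `json:"cert_dn"`
}

var enc = base64.RawURLEncoding

// b64d decodes unpadded base64url; a decode error is safe to ignore here because the signature covers the raw base64url text, so corrupted input simply fails to verify.
func b64d(s string) []byte { b, _ := enc.DecodeString(s); return b }

// PublishJWKS builds the JWKS document for one signing key.
func PublishJWKS(kid string, pub *rsa.PublicKey) JWKS {
	e := enc.EncodeToString(big.NewInt(int64(pub.E)).Bytes())
	return JWKS{Keys: []JWK{{Kty: "RSA", Kid: kid, N: enc.EncodeToString(pub.N.Bytes()), E: e}}}
}

// SignPS256 issues a compact JWS with RSASSA-PSS/SHA-256; the sender chooses the validity window through c.Exp according to its own security posture.
func SignPS256(priv *rsa.PrivateKey, kid string, c Claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "PS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(c)
	input := enc.EncodeToString(hdr) + "." + enc.EncodeToString(body)
	h := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPSS(rand.Reader, priv, crypto.SHA256, h[:], &rsa.PSSOptions{SaltLength: rsa.PSSSaltLengthEqualsHash})
	if err != nil {
		return "", err
	}
	return input + "." + enc.EncodeToString(sig), nil
}

// VerifyPS256 is the receiver's check: pin alg to PS256 (the header never picks the verifier), select the key by kid,
// verify the signature, enforce exp, and require the binding claims to match the OU/DN of the mutual TLS certificate.
func VerifyPS256(token string, jwks JWKS, now time.Time, mtlsOU, mtlsDN string) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed compact JWS")
	}
	var hdr map[string]string
	if json.Unmarshal(b64d(parts[0]), &hdr) != nil || hdr["alg"] != "PS256" {
		return nil, errors.New("header rejected: alg must be PS256")
	}
	var pub *rsa.PublicKey
	for _, k := range jwks.Keys {
		if k.Kid == hdr["kid"] && k.Kty == "RSA" {
			pub = &rsa.PublicKey{N: new(big.Int).SetBytes(b64d(k.N)), E: int(new(big.Int).SetBytes(b64d(k.E)).Int64())}
		}
	}
	if pub == nil {
		return nil, errors.New("no RSA key in JWKS for kid")
	}
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPSS(pub, crypto.SHA256, h[:], b64d(parts[2]), nil) != nil {
		return nil, errors.New("signature invalid")
	}
	var c Claims
	if err := json.Unmarshal(b64d(parts[1]), &c); err != nil {
		return nil, err
	}
	if !now.Before(time.Unix(c.Exp, 0)) {
		return nil, errors.New("token expired")
	}
	if c.CertOU != mtlsOU || c.CertDN != mtlsDN {
		return nil, errors.New("token not bound to the presented mTLS certificate")
	}
	return &c, nil
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed sample: 5 minute validity, hypothetical kid and OU/DN
	c := Claims{Aud: "lfi-example", Exp: time.Now().Add(5 * time.Minute).Unix(), CertOU: "ExampleOU", CertDN: "CN=tpp.example,OU=ExampleOU"}
	tok, _ := SignPS256(priv, "key-2024-01", c)
	_, err := VerifyPS256(tok, PublishJWKS("key-2024-01", &priv.PublicKey), time.Now(), "ExampleOU", "CN=tpp.example,OU=ExampleOU")
	fmt.Println("token accepted:", err == nil)
}
```

Two design points matter for a receiving party. The verifier decides the algorithm itself and only then consults the JWKS, so a header that names a different alg (including none) is rejected before any key is used; and the binding check compares the token's OU and DN claims with the certificate that was actually presented on the mutual TLS connection, so a token presented over a connection authenticated by a different certificate fails even though its signature is valid.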
...