...

  1. The requestor must ensure that the machine on which the signature is generated uses NTP to synchronise its clock.

  2. The requestor must construct the header and payload for the JWT as specified in https://openfinanceuae.atlassian.net/wiki/spaces/APIHubDocsv3APIHubDocsv5/pages/134938986/JWT+Auth+Specification#JWTedit-v2/180781316#3.-JWT-Auth-Claims-Reference.

  3. The JWT must be signed using the PS256 algorithm using a private key whose public part has been published on the JWKS.

  4. The JWT must be included as a bearer token in the Authorization HTTP header.

  5. The HTTPS request must be made over mutual TLS. The client certificate used to initiate the mutual TLS session must have a DN and OU that match the values placed in the signature.

...

  1. The receiver must ensure that the machine on which the signature is verified uses NTP to synchronise its clock.

  2. The receiver must ensure that the request was received over a mutual TLS connection.

  3. The receiver must extract the jwt-auth token from the Authorization HTTP header.

  4. The receiver must verify the signature on the JWT using the kid specified in the JWS header and the JWKS pre-specified by the sender.

  5. The receiver may cache the JWKS for up to ten minutes.

  6. The receiver must verify that each of the claims in the JWT has the expected value specified in https://openfinanceuae.atlassian.net/wiki/spaces/APIHubDocsv3APIHubDocsv5/pages/134938986/JWT+Auth+Specification#JWTedit-v2/180781316#3.-JWT-Auth-Claims-Reference.
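The two procedures above, requestor signing and receiver verification, carried through as one added example in Go (standard library only). This is not code from the Open Finance UAE specification or from any implementation of it. The claim names and expected values (iss, aud, iat, exp, jti) are assumptions, since the Claims Reference is not reproduced on this page; the JWKS is built in memory rather than fetched and cached, and the mutual TLS transport and DN/OU binding check are not shown.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Claims is an ASSUMED claim set; the real names and expected values come from the Claims Reference linked above.
type Claims struct {
	Iss string `json:"iss"`
	Aud string `json:"aud"`
	Iat int64  `json:"iat"`
	Exp int64  `json:"exp"`
	Jti string `json:"jti"`
}

// JWK/JWKS hold just the RSA public fields a PS256 verifier needs (kid, n, e).
type JWK struct {
	Kid string `json:"kid"`
	N   string `json:"n"`
	E   string `json:"e"`
}
type JWKS struct {
	Keys []JWK `json:"keys"`
}

var b64 = base64.RawURLEncoding

// PS256 per RFC 7518: RSASSA-PSS with SHA-256 and a salt as long as the hash.
var pssOpts = &rsa.PSSOptions{SaltLength: rsa.PSSSaltLengthEqualsHash}

// PublishJWKS exposes only the public half of the signing key (requestor step 3).
func PublishJWKS(kid string, pub *rsa.PublicKey) JWKS {
	e := big.NewInt(int64(pub.E)).Bytes() // big-endian bytes of the exponent, not its decimal string
	return JWKS{Keys: []JWK{{Kid: kid, N: b64.EncodeToString(pub.N.Bytes()), E: b64.EncodeToString(e)}}}
}

// Sign builds the compact JWS header.payload.signature with alg PS256 (requestor steps 2 and 3).
func Sign(priv *rsa.PrivateKey, kid string, c Claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "PS256", "typ": "JWT", "kid": kid})
	payload, _ := json.Marshal(c)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(payload)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], pssOpts)
	if err != nil {
		return "", err
	}
	return input + "." + b64.EncodeToString(sig), nil
}

// keyFor selects a verification key by kid from the sender's JWKS (receiver step 4):
// the untrusted kid only chooses among keys the receiver already trusts.
func keyFor(jwks JWKS, kid string) (*rsa.PublicKey, error) {
	for _, k := range jwks.Keys {
		n, errN := b64.DecodeString(k.N)
		e, errE := b64.DecodeString(k.E)
		if k.Kid == kid && errN == nil && errE == nil {
			return &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}, nil
		}
	}
	return nil, fmt.Errorf("no usable key with kid %q in JWKS", kid)
}

// Verify is the receiver side (steps 3, 4 and 6): pin the alg, check the signature, then every
// claim. now must come from an NTP-synchronised clock (receiver step 1).
func Verify(token string, jwks JWKS, expected Claims, now time.Time) (Claims, error) {
	var c Claims
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, fmt.Errorf("malformed compact JWS")
	}
	hdrBytes, errH := b64.DecodeString(parts[0])
	payload, errP := b64.DecodeString(parts[1])
	sig, errS := b64.DecodeString(parts[2])
	if errH != nil || errP != nil || errS != nil {
		return c, fmt.Errorf("bad base64url segment")
	}
	var hdr struct{ Alg, Kid string }
	if err := json.Unmarshal(hdrBytes, &hdr); err != nil || hdr.Alg != "PS256" {
		return c, fmt.Errorf("header rejected (alg=%q): the token never chooses the algorithm", hdr.Alg)
	}
	pub, err := keyFor(jwks, hdr.Kid)
	if err != nil {
		return c, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, pssOpts); err != nil {
		return c, fmt.Errorf("signature: %w", err)
	}
	if err := json.Unmarshal(payload, &c); err != nil {
		return c, err
	}
	if c.Iss != expected.Iss || c.Aud != expected.Aud || c.Jti == "" {
		return c, fmt.Errorf("claims do not match expected values")
	}
	const leeway = 30 // seconds tolerated for residual skew even with NTP on both sides
	if now.Unix() > c.Exp+leeway || c.Iat > now.Unix()+leeway {
		return c, fmt.Errorf("token outside its validity window")
	}
	return c, nil
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	now := time.Now()
	c := Claims{Iss: "client-id", Aud: "https://api.example/resource", Iat: now.Unix(), Exp: now.Add(5 * time.Minute).Unix(), Jti: "constructed-jti-1"}
	tok, _ := Sign(priv, "kid-1", c)
	_, err := Verify(tok, PublishJWKS("kid-1", &priv.PublicKey), c, now)
	fmt.Println("Authorization: Bearer "+tok[:30]+"...", "verify:", err)
}
```

The order inside Verify is deliberate: the alg is compared with the single value the specification allows before any key is looked up, the kid is only used to choose among keys from the sender's own JWKS, and claims are read from the payload only after the signature over that payload has been checked. The leeway constant is a local assumption; with NTP on both sides a small value suffices.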

3. JWT Auth Claims Reference

...