Versions Compared

Version Old Version 1 New Version Current
Changes made by

Chris Michael

Erick Domingues

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

  1. Shall only issue sender-constrained access tokens using mTLS as described in RFC8705.

  2. Shall ensure that the access token expiry is no longer than 10 minutes.

  3. Shall authenticate the confidential client using private_key_jwt;

  4. Shall cache clients jwks_uris for a maximum period of 20 minutes.

  5. Shall support OAuth 2.0 Rich Authorization Requests (RAR) as a method of conveying information about the End User Authorization Request.

  6. Shall only process authorization requests if the type specified in the authorization_details attribute matches any of the types listed in the authorization_detail_types metadata attribute of the Relying Party.

  7. Shall use the query parameter as the mechanism for returning authorization response parameters as the response mode, which is the default for the code response type.

  8. Shall advertise support for all signing, authentication mechanisms, and standards required to support this Specification on its OpenID Connect Discovery (.well-known) endpoint.

  9. Shall support and require signed request objects according to the OAuth JWT-Secured Authorization Request (JAR) [RFC9101] at the PAR endpoint [RFC9126].

  10. Shall require the aud claim  require the aud claim in the request object to be, or to be an array containing, the client assertion JWT to be a string equal to the OP's Issuer Identifier URL.

  11. Shall require the request object to contain an exp claim that has a lifetime of no longer than 10 minutes after the nbf claim and an nbf claim that is not more than 10 minutes in the past.

  12. Shall only rely on the parameters included in the signed request object passed via the request_uri parameter except for the client_idparameter.

  13. Shall set the response header x-fapi-interaction-id to the value received from the corresponding client request header, or to a RFC4122 UUID if the request header was not provided, to track the interaction.

  14. Shall issue refresh_tokens with an expiration period set to the same length as the expiration period of the longest consent with which the token can be used. For consents that do not have an expiry period, the authorization server shall issue refresh_tokens without an expiration period, or, if not technically achievable, with an expiration period greater than 100 years.

  15. Shall enforce that all redirect URIs passed by the Relying Party are pre-registered in the client metadata as provided by the Trust Framework, in accordance with the Registration Framework, and shall reject any requests containing unregistered redirect URIs

  16. Shall advertise mtls_endpoint_alias's including Token Endpoint, Pushed Authorisation Request Endpoint (PAR) and all other endpoints where an authentication credential is presented

  17. Shall honour and enforce all clients to support and utilise mtls endpoints as defined by client metadata use_mtls_endpoints_alias's and follow the orientations defined on RFC8705

  18. Shall validate that the commonName (CN) of the client certificate used for mTLS matches the Software Statement ID obtained on the client registration.

2.2 Client Considerations (Relying Party)

...

  1. Shall support private_key_jwt as a token endpoint authentication mechanism (client authentication method).

  2. Shall include the request_uri parameter in the authorization request as defined in the 6.2 section of OpenID Connect Core specification.

  3. Shall send all parameters inside the authorization request's signed request object.

  4. Shall support and require signed request objects according to the OAuth JWT-Secured Authorization Request (JAR) [RFC9101] at the PAR endpoint [RFC9126].

  5. Shall send the aud claim in the request object as  send the aud claim in the client assertion JWT as a string equal to the OP's Issuer Identifier URL.

  6. Shall send an exp claim in the request object that has a lifetime of no longer than 10 minutes;

  7. Shall send an nbf claim in the request object.

  8. Shall send the x-fapi-interaction-id request header, with its value being a unique RFC4122 UUID for each request, to help correlate log entries between the client and server, e.g: x-fapi-interaction-id: c770aef3-6784-41f7-8e0e-ff5f97bddb3a.

...