Application Layer Authentication - Questionnaire

This space is deprecated and no longer supported. Please use the latest available version here.

General

Q1 - What method of Application Layer Authentication will you use for securing calls made by OFP to Bank Connect?
Options: Select one
  • None
  • API Key
  • Client Credentials Grant
  • JWT Auth

Q2 - Will you be sending JWT Auth headers for calls to the Consent Manager and Authorisation Server?
Options: Select one
  • Yes
  • No


API Key

This section must be filled in only if you selected “API Key” in Q1.

Provide the API key that you require to be included as a Bearer token in calls to Ozone Connect.
Notes:
  The key is a shared secret.
  We will specify a method for sharing this securely.

How often will this key be rotated?
Options: Select one
  • Every 12 months
  • Never


Client Credentials Grant

This section must be filled in only if you selected “Client Credentials Grant” in Q1.

Provide the URL of the well-known endpoint of the authorisation server used to get a client credentials grant.
Notes:
  The URL must return a payload compliant with OIDC discovery.
  The response must include a token_endpoint that supports a client credentials grant.

What method of client authentication is used?
Options: Select one of:
  • private_key_jwt
  • tls_client_auth
  • client_secret_basic
  • client_secret_jwt
Notes:
  client_secret_basic and client_secret_jwt use a shared secret and are not considered secure for financial grade APIs.

What is the client_id for the OFP client?

If you selected client_secret_basic or client_secret_jwt as the client authentication method, provide the client_secret for the client.
Notes:
  The key is a shared secret.
  We will specify a method for sharing this securely.

How often will the client_secret be rotated?
Options: Select one
  • Every 12 months
  • Never

If you selected private_key_jwt, please specify the signing algorithm (alg) to be used.
Options: Select one
  • PS256
  • RS256
Notes:
  RS256 is not considered secure for financial grade APIs.

Confirm that the client specified above has been configured to participate in a client_credentials grant.
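As an added example (not part of the questionnaire or of Ozone's own code), the following Python check applies the requirements of this section to an OIDC discovery document: it confirms that a token_endpoint is present and advertises the client_credentials grant, that the chosen client authentication method is supported, and it flags the shared-secret methods and RS256 that the questionnaire marks as not financial grade. The discovery document is a constructed sample; the field names are the standard OIDC Discovery metadata keys.

```python
import json

# Methods and algorithms the questionnaire marks as not financial grade.
WEAK_AUTH_METHODS = {"client_secret_basic", "client_secret_jwt"}
WEAK_SIGNING_ALGS = {"RS256"}

def check_discovery(doc: dict, auth_method: str, signing_alg: str = "PS256") -> list[str]:
    """Check an OIDC discovery document against the questionnaire's requirements.
    Findings are prefixed ERROR: (requirement not met) or WARN: (permitted but
    flagged as weak in the questionnaire); an empty list means all checks passed."""
    findings = []
    token_endpoint = doc.get("token_endpoint")
    if not token_endpoint:
        findings.append("ERROR: token_endpoint missing from discovery document")
    elif not token_endpoint.startswith("https://"):
        findings.append("ERROR: token_endpoint is not an https URL")
    # OIDC Discovery: grant_types_supported is optional and defaults to
    # authorization_code + implicit, so an absent key means client_credentials
    # is not advertised.
    grants = doc.get("grant_types_supported", ["authorization_code", "implicit"])
    if "client_credentials" not in grants:
        findings.append("ERROR: token_endpoint does not advertise the client_credentials grant")
    # OIDC Discovery: the default when this key is absent is client_secret_basic.
    methods = doc.get("token_endpoint_auth_methods_supported", ["client_secret_basic"])
    if auth_method not in methods:
        findings.append(f"ERROR: {auth_method} is not in token_endpoint_auth_methods_supported")
    if auth_method in WEAK_AUTH_METHODS:
        findings.append(f"WARN: {auth_method} uses a shared secret and is not financial grade")
    if auth_method == "private_key_jwt":
        algs = doc.get("token_endpoint_auth_signing_alg_values_supported", [])
        if signing_alg not in algs:
            findings.append(f"ERROR: {signing_alg} is not in token_endpoint_auth_signing_alg_values_supported")
        if signing_alg in WEAK_SIGNING_ALGS:
            findings.append(f"WARN: {signing_alg} is not financial grade; use PS256")
    return findings

# Constructed sample discovery document; not a real authorisation server.
SAMPLE_DISCOVERY = json.loads("""{
  "issuer": "https://as.example.test",
  "token_endpoint": "https://as.example.test/token",
  "grant_types_supported": ["authorization_code", "client_credentials"],
  "token_endpoint_auth_methods_supported": ["private_key_jwt", "tls_client_auth", "client_secret_basic"],
  "token_endpoint_auth_signing_alg_values_supported": ["PS256", "RS256"]
}""")

if __name__ == "__main__":
    for method, alg in [("private_key_jwt", "PS256"), ("private_key_jwt", "RS256"), ("client_secret_basic", "PS256")]:
        print(method, alg, check_discovery(SAMPLE_DISCOVERY, method, alg) or ["OK"])
```

Running the block prints no findings for private_key_jwt with PS256, a WARN for RS256, and a WARN for client_secret_basic.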

 

 

JWT Auth

JWT Auth does not require any configuration parameters.

The OFP will specify the JWKS_URL that can be used to verify requests from OFP to Ozone Connect once the OFTF is live.

Service Initiation Token

Service Initiation Token does not require any configuration parameters.

If a consent is patched with a service initiation token, it will be used by the OFP.

See the API Hub Consent Manager Specification for details of the field that this must be patched into.

© Ozone Financial Technology Limited 2024