Application Layer Authentication Questionnaire

This form is for information only. The information will be gathered using the API Hub Service Desk.

1. General

Q1 - What method of Application Layer Authentication will you use for securing calls made by OFP to Bank Connect?

Options (select one):

None
API Key
Client Credentials Grant
JWT Auth

Q2 - Will you be sending JWT Auth headers for calls to the Consent Manager and Authorisation Server?

Options (select one):

Yes
No

2. API Key

This section must be completed only if you selected “API Key” in Q1.

Question: Provide the API key that you require to be included as a Bearer token in calls to Ozone Connect.

Notes: The key is a shared secret. We will specify a method for sharing this securely.

Question: How often will this key be rotated?

Options (select one):

Every 12 months
Never

3. Client Credentials Grant

This section must be completed only if you selected “Client Credentials Grant” in Q1.

Question: Provide the URL of the well-known endpoint of the authorisation server used to get a client credentials grant.

Notes: The URL must return a payload compliant with OIDC discovery. The response must include a token_endpoint that supports a client credentials grant.

Question: What method of client authentication is used?

Options (select one):

private_key_jwt
tls_client_auth
client_secret_basic
client_secret_jwt

Notes: client_secret_basic and client_secret_jwt use a shared secret and are not considered secure for financial grade APIs.

Question: What is the client_id for the OFP client?

Question: If you selected client_secret_basic or client_secret_jwt as the client authentication method, provide the client_secret for the client.

Notes: The client_secret is a shared secret. We will specify a method for sharing this securely.

Question: How often will the client_secret be rotated?

Options (select one):

Every 12 months
Never

Question: If you selected private_key_jwt, specify the signing alg to be used.

Options (select one):

PS256
RS256

Notes: RS256 is not considered secure for financial grade APIs.

Question: Confirm that the client specified above has been configured to participate in a client_credentials grant.
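As an added illustration, not part of this questionnaire or of any Ozone tooling, the following Python checks a well-known discovery payload against the answers in this section: the payload must carry a token_endpoint that supports client_credentials, and the chosen client authentication method and signing alg must be ones the notes above consider acceptable for financial grade APIs. The discovery document, issuer and function name are constructed for the example; the fallback values for absent metadata are the defaults defined by OIDC Discovery.

```python
import json
from typing import List, Optional

# Constructed sample discovery payload; the issuer is not a real authorisation server.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://as.example.test",
    "token_endpoint": "https://as.example.test/token",
    "grant_types_supported": ["authorization_code", "client_credentials"],
    "token_endpoint_auth_methods_supported": ["client_secret_basic", "private_key_jwt"],
    "token_endpoint_auth_signing_alg_values_supported": ["RS256", "PS256"],
})

# Flagged as the questionnaire notes: shared-secret methods and the RS256 alg.
SHARED_SECRET_METHODS = {"client_secret_basic", "client_secret_jwt"}
WEAK_SIGNING_ALGS = {"RS256"}


def check_discovery(payload: str, auth_method: str, signing_alg: Optional[str] = None) -> List[str]:
    """Return a list of findings; an empty list means the answers are acceptable."""
    findings: List[str] = []
    doc = json.loads(payload)

    token_endpoint = doc.get("token_endpoint")
    if not token_endpoint:
        findings.append("discovery document has no token_endpoint")
    elif not token_endpoint.startswith("https://"):
        findings.append("token_endpoint is not served over https")

    # OIDC Discovery defaults apply when the optional metadata is absent.
    grants = doc.get("grant_types_supported", ["authorization_code", "implicit"])
    if "client_credentials" not in grants:
        findings.append("token_endpoint does not advertise the client_credentials grant")

    methods = doc.get("token_endpoint_auth_methods_supported", ["client_secret_basic"])
    if auth_method not in methods:
        findings.append(f"{auth_method} is not advertised in token_endpoint_auth_methods_supported")
    if auth_method in SHARED_SECRET_METHODS:
        findings.append(f"{auth_method} uses a shared secret; not considered secure for financial grade APIs")

    if auth_method == "private_key_jwt":
        algs = doc.get("token_endpoint_auth_signing_alg_values_supported", [])
        if signing_alg is None:
            findings.append("private_key_jwt selected but no signing alg given")
        elif signing_alg not in algs:
            findings.append(f"{signing_alg} is not advertised in token_endpoint_auth_signing_alg_values_supported")
        elif signing_alg in WEAK_SIGNING_ALGS:
            findings.append(f"{signing_alg} is not considered secure for financial grade APIs; use PS256")
    return findings


if __name__ == "__main__":
    for method, alg in [("private_key_jwt", "PS256"), ("private_key_jwt", "RS256"), ("client_secret_basic", None)]:
        print(method, alg, check_discovery(SAMPLE_DISCOVERY, method, alg) or "OK")
```

Run it against the real well-known URL's JSON body in place of SAMPLE_DISCOVERY to confirm the answers given in this section match what the authorisation server actually advertises.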

 

 

4. JWT Auth

JWT Auth does not require any configuration parameters.

The OFP will specify the JWKS_URL that can be used to verify requests from OFP to Ozone Connect once the OFTF is live.

5. Service Initiation Token

The service initiation token does not require any configuration parameters.

If a consent is patched with a service initiation token, it will be used by the OFP.

See the API Hub Consent Manager Specification for details of the field that this must be patched into.

© Ozone Financial Technology Limited 2024-2025
Ozone Non Commercial Software EULA