New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
OpenID Provider Configuration End Point parameter requirements #522
Comments
Option 2 is preferred as it is more flexible to future extensions. Suggest FAPI 1.0 like wording along the lines of:
|
Our preference is Option 1 - this in order for the specifications to be explicit and reduce the chances of incompatibility due to participants misinterpreting upstream specifications. |
Option 1 is preferred, this is to ensure any ambiguity referring to upstream specification is avoided |
CBA is also supportive of option 1. While we acknowledge that this approach results in some overlap between the Consumer Data and upstream standards, from an implementation point of view, the team finds it to be useful to have these references in the CDS as well as the non-normative examples provided. |
Discussion in the maintenance iteration call indicated a desire for certainty when it came time to implementation testing. It was argued that being exhaustive in listing the required parameters may assist implementation consistency across a large set of data holders. It was also suggested that comprehensive test cases and standard guidance articles may play an important role in providing better implementation certainty/consistency whilst keeping the Data Standards Information Security profile as a profile over FAPI by only listing constraints, variations and additional requirements. The DSB is also seeking questions regarding legal defence where participants refer to upstream standards incorporated by reference and how any published CDR test cases and/or support guidance is relied upon for implementation. |
Given the views from participants, the proposal is to select Option 1 and provide a normative list of metadata parameters that apply. With future Security Profile uplifts it would be worthwhile revisiting this to consider a lighter weight CDS profile. |
The following change to the OpenID Provider Configuration End Point metadata list is proposed. If there are any parameters required that are omitted in the below proposal please feel free to comment. As a proposal, the list will be separated by the normative reference that registers the parameters. Please note the links in the text refer to anchors inline to the Data Standards, not this issue. Metadata requirementsAt a minimum, the Data Holder metadata MUST include:
In addition, the Data Holder metadata MUST also include:
Non-Normative Example
|
The proposal above has been edited to
|
This change has been staged for review: ConsumerDataStandardsAustralia/standards-staging@release/1.24.0...maintenance/522 Note it is compared against the previous release. At present no draft 1.25.0 release has been staged but it is expected this change will target 1.25.0 for release at the end of maintenance iteration 15. |
There is an existing statement in the Standards of:
The MUST statements in the proposed discovery document clarification are potentially ambiguous when cross checked against the existing statement. Suggest this be clarified or one of the statements be modified so as to avoid encountering Regulator misunderstanding (Discovery documents have been previously and incorrectly flagged by the ACCC as non-compliant due to legitimate and compliant missing attributes). |
Good pick up. Given there are requirements around the use of authorisation response encryption, if used, I'd suggest we take that out of the minimum set of MUSTs and have it standalone:
|
These changes have been incorporated in the staged standards for review: ConsumerDataStandardsAustralia/standards-staging@release/1.25.0...maintenance/522 |
Standards version 1.25.0 has now been published, incorporating this change. |
Description
The OpenID Provider Configuration End Point section describes a minimum set of mandatory parameters that authorisation servers must advertise. There are often other parameters required by upstream normative references. Typically, metadata parameters are registered with IANA and these parameters are described within the RFCs. For example PAR - RFC9126 and JARM.
In the Maintenance Iteration 11 call, streamlining of the Consumer Data Standards was discussed. Rather than list out the required metadata parameters, and update this to include JARM and PAR, it was proposed by the community that another option was to remove this section and refer implementers to the upstream specifications.
If this approach is taken, the non-normative example would be trimmed down and the OpenID Provider Configuration End Point section would remove required parameters except for any parameters defined or constrained by the CDS information security profile.
Area Affected
OpenID Provider Configuration End Point section
Change Proposed
Option 1: Expand list of required parameters
Option 2: Remove required parameters defined within upstream specifications
The text was updated successfully, but these errors were encountered: