Decision Proposal 298 - Urgent Change Request #576 #298
Comments
CDR-API-Stream
changed the title
CDR-API-Stream
added
Status: Decision Made
CDR-API-Stream
changed the title
CDR-API-Stream
changed the title
|
Hi @CDR-API-Stream, Our interpretation of this change is that our current solution remains complaint and no change is required from Great Southern Bank post FAPI phase 3. Our current solution as part of FAPI phase 3 as below: • We support both ACF and Hybrid flow. However, ADRs must choose either method in their client registration, not both. • If the ADR uses Hybrid Flow, we will encrypt the id tokens in our API response. • If the ADR uses ACF, we will ignore the id token encryption fields as per the original requirement from the ACCC for FAPI phase 3. id_token_encrypted_response_alg REQUIRED Much appreciated if we can have some urgent attention and response from your end regarding this query. Regards, Great Southern Bank. |
|
Hi @cuctrangsb, the intention during Phase 3 is that Data Holders permit ADRs registering both flows so they can test and fallback to Hybrid Flow without updating their client registration. If they have to update it to switch flows this could have unforeseen impacts with their live software products and establishing consumer consents. During this Phase 3 transition period ADRs are expected to test the migration to ACF and where all tests pass move to update their client registration to ACF only ahead of the Phase 4 migration date of 10th July. After this date Data Holders may withdraw support for Hybrid Flow so the onus is on ADRs to facilitate the migration of their software products during Phase 3 transition. When it comes to the ID token encryption this is at the discretion of the Data Holder. ID token encryption must be used where the client is initiating an authorisation request using Hybrid Flow. For ACF the Data Holder can continue to require ID token encryption because the client registration cannot represent a conditional separation of ID token encryption along with the authorisation flow. However some Data Holders have indicated they can support ACF without encrypting ID tokens and this is permissible. Please note that the "Must be ignored for Authorization Code Flow." requirement was removed in v1.23.0 of the Data Standards. |
|
Thank you @CDR-API-Stream We will review this clarification and if we need any further information, we will follow up later. Regards, Great Southern Bank |
Decision Record
The Data Standards Chair approved this decision on 14th April 2023. The decision record is attached:
Decision 298 - Urgent CR 576-FINAL.pdf
This decision proposal is a placeholder for the decision in relation to the urgent change request #576 that was consulted on in Maintenance Iteration 14.
The details of the change request can be found here:
The text was updated successfully, but these errors were encountered: