[OBIE-821] Nationwide's well-known endpoint returns invalid JSON that deviates from OIDC spec - JIRA

Description

https://obonline.nationwide.co.uk/open-banking/.well-known/openid-configuration returns the following JSON:

{
"issuer": "https://api.nationwide.co.uk/open-banking/v1.1",
"authorization_endpoint": "https://obonline.nationwide.co.uk/open-banking/oauth/authorize",
"token_endpoint": "https://api.nationwide.co.uk/open-banking/oauth/token",
"jwks_uri": "https://keystore.openbanking.org.uk/0015800000jf8aKAAQ/bghrOqZUMgBTV07eFcydf.jwks",
"registration_endpoint": "https://api.nationwide.co.uk/open-banking/register",
"scopes_supported": ["openid", "accounts", "payments", "fundsconfirmations"],
"claims_supported": ["openbanking_intent_id"],
"response_types_supported": ["code id_token"],
"grant_types_supported": ["authorization_code", "refresh_token", "client_credentials"],
"subject_types_supported": ["Public"],
"id_token_signing_alg_values_supported": ["PS256"],
"token_endpoint_auth_methods_supported": tls_client_auth,
"request_parameter_supported": true,
"claims_parameter_supported": true,
"request_object_signing_alg_values_supported": ["PS256"],
"service_documentation": "https://www.nationwide.co.uk/developer"
}

Note that token_endpoint_auth_methods_supported should be an array per https://openid.net/specs/openid-connect-discovery-1_0.html. Also note that tls_client_auth should be wrapped in quotation marks to make it a valid JSON string.

Technical Impact

None

Workaround

None

Resolution Notes

None

Impact Assessment

None

Status

Assignee

Unassigned

Reporter

Beejal Nagar

Reference

None

Service Desk Reference

OBSD-10824

ASPSP

Query Type

Read/Write

TPP Impact

Medium

OB Environment

Production

Business Impact Severity

None

Share

Yes
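
An added example, not part of the original ticket: a consumer-side check a client could run on a discovery document before trusting it, covering the two defects reported in the description (unparseable JSON, and a non-array value for an array-typed field). The sample documents are constructed excerpts with placeholder `as.example.test` URLs, and `check_discovery` is an illustrative name.

```python
import json

# Metadata fields from the reported document that OpenID Connect
# Discovery 1.0 defines as JSON arrays of strings.
ARRAY_FIELDS = (
    "scopes_supported", "claims_supported", "response_types_supported",
    "grant_types_supported", "subject_types_supported",
    "id_token_signing_alg_values_supported",
    "token_endpoint_auth_methods_supported",
    "request_object_signing_alg_values_supported",
)

def check_discovery(raw: str) -> list[str]:
    """Return a list of problems; an empty list means the checks passed."""
    try:
        doc = json.loads(raw)  # strict parse: a bare token fails here
    except json.JSONDecodeError as exc:
        return [f"invalid JSON at line {exc.lineno}, column {exc.colno}: {exc.msg}"]
    if not isinstance(doc, dict):
        return ["top-level value is not a JSON object"]
    problems = []
    for name in ARRAY_FIELDS:
        if name not in doc:
            continue
        value = doc[name]
        if not (isinstance(value, list) and all(isinstance(v, str) for v in value)):
            problems.append(
                f"{name} must be an array of strings, got {json.dumps(value)}")
    return problems

# Constructed sample input (placeholder host), varying only the field
# the ticket is about.
TEMPLATE = '''{
  "issuer": "https://as.example.test",
  "jwks_uri": "https://as.example.test/jwks",
  "response_types_supported": ["code id_token"],
  "token_endpoint_auth_methods_supported": %s,
  "request_parameter_supported": true
}'''
AS_REPORTED = TEMPLATE % 'tls_client_auth'        # bare token: not JSON at all
QUOTED_ONLY = TEMPLATE % '"tls_client_auth"'      # valid JSON, wrong type
CORRECTED = TEMPLATE % '["tls_client_auth"]'      # array of strings

if __name__ == "__main__":
    for label, raw in [("as reported", AS_REPORTED),
                       ("quoted only", QUOTED_ONLY),
                       ("corrected", CORRECTED)]:
        print(label, "->", check_discovery(raw) or "OK")
```

Quoting the value alone only fixes the parse error; the type check still flags it until the value is an array.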