Page Properties

Description | Several ASPSPs use OP / Authorisation Server vendors to provide Identity and Access Management capabilities and control access to their APIs. The version running in production by these ASPSPs, whilst OIDC compliant, does not support several features of the Open Banking Security Profile specification in a couple of areas, which means that ASPSPs using this version are unable to comply with the Open
These vendors do not currently support the Open Banking (OB) Security Profile as follows:
These limitations have either been addressed in the next version of these vendor platforms, available now, but this release came too late to be used for the 13/01/2018 OB go live. Furthermore, there is some additional work required by OBIE to support this feature. |
---|---|
Risk assessment | Limited risk. Transparent to customer users and TPPs who will be able to verify id_tokens using the public keys hosted by the ASPSP at standard JWKS endpoints discoverable using the OpenID /.well-known endpoint. |
Mitigating controls | Use of the out of the box signing provided by the OP provides the necessary security for day 1 API operations. |
Impact if refused | |
Financial cost (if any) £ | |
Resource cost (if any) £ |