
Page Properties

Ref: W001
Organisation: OBIE (but applies to all ASPSPs)
Date raised:
Priority: HIGH
Summary: Product limitations in the Authorisation Servers (OPs) deployed by ASPSPs mean they cannot externalise their JWKS to be hosted by Open Banking (as required by the Open Banking Security Profile)
Policy/standard affected: Open Banking Security Profile - Implementer's Draft v1.1.0
Duration (end date):
Status: DRAFT
Approved by:
Approved date:
Comments:



...

Description

Several ASPSPs use OP / Authorisation Server vendors to provide Identity and Access Management capabilities and to control access to their APIs. The versions running in production at these ASPSPs, whilst OIDC compliant, do not currently support the Open Banking (OB) Security Profile in the following respects:

  1. The OP uses auto-generated asymmetric key pairs for signing and validation of any id_tokens it issues, rather than the OB Directory-issued digital certificate and private key. This has two direct impacts:
    1. All id_tokens returned by the OP are digitally signed by internally generated, self-managed keys and not by OB-issued signing certificates.
    2. TPP validation of these JWTs must be done against the ASPSP-hosted JWKS endpoint rather than the JWKS provided centrally by OB.
  2. The id_tokens generated do not meet the OB Security Profile's hybrid flow requirements, as not all mandatory claims are present in the id_token; specifically, the state hash (s_hash claim) is missing.

These limitations have been addressed in the next versions of these vendor platforms, which are available now, but those releases came too late to be used for the 13/01/2018 OB go-live. Furthermore, some additional work is required by OBIE to support this feature.
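As an added illustration of what the two limitations above mean for a TPP (this is example code written for this page, not OBIE's, any ASPSP's or any vendor's code): the ASPSP publishes its own JWKS, the TPP selects the signing key by kid from that document rather than from the OB Directory, verifies the RS256 signature, and then checks s_hash. Where s_hash is absent (limitation 2) the id_token cannot be bound to the state parameter, so the validator reports that and the caller must fall back to matching state against its own session. The issuer URL, client id, kid, claim values and the RSA key are all assumptions; the key is built from two public Mersenne primes so that the example is deterministic and runs offline with only the standard library, and is not a secure key.

```python
"""TPP-side id_token validation against an ASPSP-hosted JWKS (waiver W001 case).
Added example, not OBIE/ASPSP/vendor code. The RSA key below is a constructed
demo key (public Mersenne primes), NOT a secure key; a real OP uses a generated one."""
import base64
import hashlib
import hmac
import json
import time

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

# Constructed demo key (assumption): deterministic, insecure, standard-library only.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
KID = "aspsp-signing-key-1"  # assumed kid advertised in the ASPSP JWKS

# DigestInfo prefix for SHA-256 (RFC 8017 section 9.2, note 1)
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def emsa_pkcs1_v15(msg: bytes, k: int) -> int:
    """EMSA-PKCS1-v1_5 encoding of SHA-256(msg) for a k-byte modulus (RS256)."""
    t = SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return int.from_bytes(b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t, "big")

def rs256_sign(signing_input: bytes) -> bytes:
    k = (N.bit_length() + 7) // 8
    return pow(emsa_pkcs1_v15(signing_input, k), D, N).to_bytes(k, "big")

def rs256_verify(signing_input: bytes, sig: bytes, n: int, e: int) -> bool:
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        return False
    return pow(int.from_bytes(sig, "big"), e, n) == emsa_pkcs1_v15(signing_input, k)

def left_half_hash(value: str) -> str:
    """s_hash for RS256: base64url of the left-most 128 bits of SHA-256(value)."""
    digest = hashlib.sha256(value.encode("ascii")).digest()
    return b64url(digest[: len(digest) // 2])

# ASPSP side: the JWKS served at the jwks_uri from /.well-known/openid-configuration.
def aspsp_jwks() -> dict:
    k = (N.bit_length() + 7) // 8
    return {"keys": [{"kty": "RSA", "use": "sig", "alg": "RS256", "kid": KID,
                      "n": b64url(N.to_bytes(k, "big")), "e": b64url(E.to_bytes(3, "big"))}]}

def aspsp_issue_id_token(claims: dict, state: str, include_s_hash: bool) -> str:
    """Sign with the OP's self-managed key; include_s_hash=False reproduces limitation 2."""
    payload = dict(claims)
    if include_s_hash:
        payload["s_hash"] = left_half_hash(state)
    header = {"alg": "RS256", "typ": "JWT", "kid": KID}
    signing_input = (b64url(json.dumps(header).encode()) + "." +
                     b64url(json.dumps(payload).encode())).encode()
    return signing_input.decode() + "." + b64url(rs256_sign(signing_input))

# TPP side: verify against the ASPSP JWKS and report whether s_hash bound the token to state.
def tpp_validate_id_token(id_token: str, jwks: dict, expected_iss: str, expected_aud: str,
                          state: str, now: float = None) -> dict:
    """Raises ValueError on failure. state_bound=False is the waived case: the caller
    must then still match `state` against its own session record."""
    header_b64, payload_b64, sig_b64 = id_token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "RS256":  # never let the token choose the algorithm
        raise ValueError("unexpected alg")
    key = next((j for j in jwks["keys"]
                if j.get("kty") == "RSA" and j.get("kid") == header.get("kid")), None)
    if key is None:  # on rotation the TPP refetches jwks_uri before giving up
        raise ValueError("no RSA key with kid %r in ASPSP JWKS" % header.get("kid"))
    n = int.from_bytes(b64url_decode(key["n"]), "big")
    e = int.from_bytes(b64url_decode(key["e"]), "big")
    if not rs256_verify((header_b64 + "." + payload_b64).encode(), b64url_decode(sig_b64), n, e):
        raise ValueError("id_token signature invalid")
    claims = json.loads(b64url_decode(payload_b64))
    now = time.time() if now is None else now
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else (aud or [])
    if claims.get("iss") != expected_iss or expected_aud not in aud:
        raise ValueError("iss/aud mismatch")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("id_token expired or exp missing")
    if "s_hash" in claims:
        if not hmac.compare_digest(claims["s_hash"], left_half_hash(state)):
            raise ValueError("s_hash does not match state")
        return {"claims": claims, "state_bound": True}
    return {"claims": claims, "state_bound": False}

def demo() -> tuple:
    """Constructed exchange: one compliant id_token, one without s_hash (the waived case)."""
    state = "af0ifjsldkj"
    base = {"iss": "https://op.example-aspsp.co.uk", "sub": "psu-123", "aud": "tpp-client-id",
            "iat": 1515801600, "exp": 1515801900, "nonce": "n-0S6_WzA2Mj"}  # assumed values
    jwks = aspsp_jwks()
    compliant = aspsp_issue_id_token(base, state, include_s_hash=True)
    waived = aspsp_issue_id_token(base, state, include_s_hash=False)
    r1 = tpp_validate_id_token(compliant, jwks, base["iss"], base["aud"], state, now=1515801700)
    r2 = tpp_validate_id_token(waived, jwks, base["iss"], base["aud"], state, now=1515801700)
    return r1["state_bound"], r2["state_bound"]
```

`demo()` returns `(True, False)`: the compliant token is bound to state through s_hash, the waived one verifies but is not, which is the residual gap a TPP has to close with its own state-to-session check. The validator also refuses to take the algorithm from the token header and only accepts an RSA key whose kid matches, which is the minimum needed when the key set is controlled by the ASPSP rather than issued by the OB Directory.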

Risk assessment: Limited risk. Transparent to customers, and to TPPs, who will be able to verify id_tokens using the public keys hosted by the ASPSP at a standard JWKS endpoint (the jwks_uri) discoverable via the OpenID /.well-known/openid-configuration endpoint. TPPs must obtain that JWKS over TLS from the ASPSP and select the key by kid, refetching on key rotation. Because s_hash is absent, the TPP cannot bind the id_token to the state parameter as the profile specifies and must continue to match the returned state against its own session.
Mitigating controls: Use of the out-of-the-box signing provided by the OP gives the necessary security for day 1 API operations.
Impact if refused:
Financial cost (if any): £
Resource cost (if any): £

...