Several ASPSPs use OP / Authorisation Server vendors to provide Identity and Access Management capabilities and control access to APIs. These vendors do not currently support the Open Banking (OB) Security Profile, as follows:
- The OP uses auto-generated asymmetric key pairs for signing and validating any ID tokens it issues, rather than the OB Directory issued digital certificate and private key based mechanism. This has two direct impacts:
  - All ID tokens returned by the OP are digitally signed with internally generated and self-managed keys, not with OB issued signing certificates.
  - TPP validation of JWTs must be done against ASPSP hosted JWKS endpoints rather than those provided centrally by OB.
- The ID tokens generated are not compliant with the OIDC hybrid flow, because not all mandatory claims are present in the ID token, specifically the state hash (s_hash claim).
These limitations have been addressed in the next version of these vendor platforms, which is available now, but that release came too late to be used for the 13/01/2018 OB go live. Furthermore, some additional work is required by OBIE to support this feature.
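The missing-claims point above can be checked mechanically on the TPP side. The following is an added example, not code from any ASPSP vendor or from OBIE: it validates the claim set of a hybrid-flow ID token, covering the s_hash that the page names and also the c_hash that OIDC Core requires alongside it when a code is returned. It assumes the JWS signature has already been verified against the appropriate JWKS (the ASPSP-hosted one for the vendors described above); all helper names and sample values are constructed.

```python
import base64
import hashlib

# Added example, not vendor or OBIE code. Signature verification against the
# relevant JWKS is assumed to have been done before these checks run; this
# only inspects the decoded claim set. Helper names and sample values are
# our own constructions.

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def expected_hash(value: str, alg: str) -> str:
    """Left-most half of the hash named by the JWS alg (PS256 -> SHA-256)
    over the ASCII value, base64url-encoded without padding. This is the
    OIDC c_hash/at_hash construction, which FAPI reuses for s_hash."""
    if alg[-3:] not in ("256", "384", "512"):
        raise ValueError(f"unsupported alg for hash claims: {alg}")
    digest = hashlib.new("sha" + alg[-3:], value.encode("ascii")).digest()
    return _b64url(digest[: len(digest) // 2])

def check_hybrid_id_token(header: dict, claims: dict, state: str, code: str) -> list:
    """Return findings for a hybrid-flow ID token; [] means every claim checked
    here is present and binds the token to this request's state and code."""
    findings = []
    for name in ("iss", "sub", "aud", "exp", "iat", "nonce"):
        if name not in claims:
            findings.append(f"missing {name}")
    for name, value in (("s_hash", state), ("c_hash", code)):
        if name not in claims:
            findings.append(f"missing {name}")
        elif claims[name] != expected_hash(value, header["alg"]):
            findings.append(f"{name} does not match this request")
    return findings

def sample_claims(alg: str = "PS256", include_s_hash: bool = True) -> dict:
    """Constructed claim set resembling what an OB hybrid-flow ID token carries."""
    claims = {"iss": "https://aspsp.example/op", "sub": "psu-123",
              "aud": "tpp-client-id", "exp": 1515844800, "iat": 1515844500,
              "nonce": "n-0S6_WzA2Mj", "c_hash": expected_hash("auth-code-1", alg)}
    if include_s_hash:
        claims["s_hash"] = expected_hash("state-xyz", alg)
    return claims

if __name__ == "__main__":
    header = {"alg": "PS256", "kid": "vendor-generated-key"}
    print(check_hybrid_id_token(header, sample_claims(), "state-xyz", "auth-code-1"))
    # -> []
    print(check_hybrid_id_token(header, sample_claims(include_s_hash=False),
                                "state-xyz", "auth-code-1"))
    # -> ['missing s_hash']
```

A token from one of the vendor platforms described above would produce the `missing s_hash` finding, which is the signal a TPP should treat as a failed hybrid-flow validation rather than silently skip.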