W001

Ref: W001
Organisation: OBIE (but applies to all ASPSPs)
Date raised:
Priority: HIGH
Summary: Authorisation Servers (OPs) cannot externalise their JWKS to be hosted by Open Banking (as required by the Open Banking Security Profile)
Policy/standard affected: Open Banking Security Profile - Implementer's Draft v1.1.0
Duration (end date):
Status: EXPIRED
Approved by: IE Trustee
Approved date:
Comments:


Description

Several ASPSPs use OP / Authorisation Server vendors to provide Identity and Access Management capabilities and control access to APIs. These vendors do not currently support the Open Banking (OB) Security Profile, as follows:

  1. The OP uses auto-generated asymmetric key pairs for signing and validation of any generated ID tokens rather than the OB Directory issued digital certificate and private key based mechanism. This has two direct impacts:
    1. All ID tokens returned by the OP are digitally signed by internally generated and self-managed keys and not by OB issued signing certs
    2. TPP validation of JWTs must be done by accessing ASPSP hosted JWKS endpoints rather than those provided centrally by OB
  2. ID tokens generated are not compliant with the OIDC hybrid flow, as not all mandatory claims are available in the ID token, specifically the state hash (s_hash claim)

These limitations have been addressed in the next version of these vendor platforms, which is available now, but this release came too late to be used for the 13/01/2018 OB go-live. Furthermore, some additional work is required by OBIE to support this feature.
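The following added example (not part of the waiver and not OBIE or vendor code) shows how a TPP can derive the expected `s_hash` from the `state` it sent and tell a missing claim, the gap described in item 2, apart from a mismatched one. It assumes the ID token's signature has already been verified against the ASPSP's JWKS; the function names and the sample state value are constructed for illustration.

```python
import base64
import hashlib
import hmac

# s_hash uses the hash matching the ID token's JWS "alg" header,
# the same convention as at_hash and c_hash.
_HASH_FOR_ALG_SUFFIX = {
    "256": hashlib.sha256,
    "384": hashlib.sha384,
    "512": hashlib.sha512,
}


def compute_s_hash(state: str, alg: str) -> str:
    """base64url (unpadded) of the left-most half of hash(state)."""
    try:
        hash_fn = _HASH_FOR_ALG_SUFFIX[alg[-3:]]
    except KeyError:
        raise ValueError(f"unsupported JWS alg for s_hash: {alg!r}")
    digest = hash_fn(state.encode("ascii")).digest()
    left_half = digest[: len(digest) // 2]
    return base64.urlsafe_b64encode(left_half).rstrip(b"=").decode("ascii")


def check_s_hash(claims: dict, alg: str, state: str) -> str:
    """Classify an already signature-verified ID token.

    Returns 'ok', 'missing' (claim absent, as under this waiver)
    or 'mismatch' (claim present but not bound to our state).
    """
    presented = claims.get("s_hash")
    if presented is None:
        return "missing"
    if not isinstance(presented, str):
        return "mismatch"
    expected = compute_s_hash(state, alg)
    same = hmac.compare_digest(presented.encode(), expected.encode())
    return "ok" if same else "mismatch"


if __name__ == "__main__":
    sent_state = "af0ifjsldkj"  # constructed sample state value
    compliant = {"sub": "user-1", "s_hash": compute_s_hash(sent_state, "PS256")}
    waiver_case = {"sub": "user-1"}  # OP omits s_hash
    print(check_s_hash(compliant, "PS256", sent_state))
    print(check_s_hash(waiver_case, "PS256", sent_state))
    print(check_s_hash(compliant, "PS256", "some-other-state"))
```

A caller that tolerates `'missing'` for an ASPSP covered by the waiver should still reject `'mismatch'` in every case.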

Risk assessment: Limited risk. Transparent to customer users and TPPs who will be able to verify id_tokens using the public keys hosted by the ASPSP at standard JWKS endpoints discoverable using the OpenID /.well-known endpoint.
Mitigating controls: Use of the out of the box signing provided by the OP provides the necessary security for day 1 API operations.
Impact if refused:
Financial cost (if any): £
Resource cost (if any): £