OrganisationOBIE (but applies to all ASPSPs)
Date raised
SummaryAuthorisation Servers (OPs) cannot externalise their JWKS to be hosted by Open Banking (as required by the OpenBanking Security Profile)
Policy/standard affectedOpen Banking Security Profile - Implementer's Draft v1.1.0
Duration (end date)
Approved byIE Trustee
Approved date 


Several ASPSPs use OP / Authorisation Server vendors to provide Identity and Access Management capabilities and control access to APIs. These vendor do not currently support the Open Banking (OB) security Profile as follows:

  1. The OP uses auto generated asymmetric key pairs for signing and validation of the any generated Id tokens rather than the OB Directory issued digital certificate and private key based mechanism. This has two direct impacts:
    1. All Id tokens returned by the OP are digitally signed by internally generated and self-managed keys and not by OB issued signing certs
    2. TPP validation of JWTs must be done by accessing ASPSP hosted JWKS end points rather than those provided centrally by OB
  2. Id tokens generated are not compliant with the OIDC hybrid flow as not all mandatory claims are available in the Id token, specifically the state hash (s_hash claim)

These limitations have either been addressed in the next version of these vendor platforms, available now, but this release came too late to be used for the 13/01/2018 OB go live. Furthermore there is some additional work required by OBIE to support this feature.

Risk assessmentLimited risk. Transparent to customer users and TPPs who will be able to verify id_tokens using the public keys hosted by the ASPSP at standard JWKS endpoints discoverable using the OpenID /.well-known endpoint.
Mitigating controlsUse of the out of the box signing provided by the OP provides the necessary security for day 1 API operations.
Impact if refused
Financial cost (if any) £
Resource cost (if any) £