
...

Version | Date | Author | Comments
v1.0.0 | | Payments NZ | Baseline from v1.0.0-draft2
v2.0-draft2 | | Gavin Wong | Restructuring for v2.0
v2.0-draft3 | | Gavin Wong | Additions, updates, removals and errata as listed below

Changes in v2.0-draft3

Additions: none recorded.

Updates:

  • Renamed references to Intent Id as "ConsentId" to unify the specifications

  • Separate section for the "NZ Read and Write API Security Profile", which extends the [FAPI Read+Write profile]

  • In 5.2.2.6 updated to "shall issue an ID Token in the token response", as the openid scope must be requested by the Third Party

  • Updated draft3-ImplementationGuide section:

    • To have (1) one example of the Hybrid Flow for the Payment Initiation API and (2) one example of the Decoupled Flow for the Account Information API

    • With updated examples for v2.0 API endpoint names and payloads

  • Updated state to be mandatory in the Hybrid Flow Authorization Request

  • Updated openbanking_intent_id to ConsentId

  • Updated urn:openbanking to urn:apicentre as per /wiki/spaces/PaymentsDirectionAPIStandardsDevelopment/pages/22839309

  • Updated nonce to be required: "The API Provider must replay the supplied nonce parameter in any ID Token response."

  • Updated at_hash to be optional in the ID Token response

  • Clarification that a Confidential Client "shall accept and verify signed ID Tokens (JWS)"

  • Clarification that "OpenID Connect Request Object values (in the JWT) supersede those which are passed using the OAuth 2.0 request query parameter syntax." in the draft3-RequestObject

  • Clarifications on the claims request parameter in the draft3-RequestObject

  • Clarified that the ID Token sub shall always be populated with the ConsentId as per /wiki/spaces/PaymentsDirectionAPIStandardsDevelopment/pages/44892241

Removed: none recorded.

Errata:

  • Updated 8.2.1 to state "Authorization servers must not support the Request Object Endpoint (request_uri)"

  • "The scope parameter must contain openid", as the profile mandates the hybrid flow

  • "Third Parties must specify code id_token", as the profile mandates the hybrid flow

...

Read and Write API Security Profile Variations

5.2 Read and Write API Security Provisions

5.2.1 Introduction

The NZ Banking Data API Security Profile does not distinguish, at a technical level, between the security requirements for "read" and "write" resources. Accessing Customer resources held at API Providers requires a higher level of protection than basic OAuth 2.0 (RFC 6749) provides.

As a profile of The OAuth 2.0 Authorization Framework, this document mandates the following for the NZ Banking Data APIs.

5.2.2 Authorization Server

The Authorization Server

  1. shall only support confidential clients;

  2. shall secure its token endpoint using mutually authenticated TLS;

  3. shall only support the response_type value code id_token;

  4. shall require the ConsentId to be passed in the authorisation request as an essential claim;

  5. shall issue an ID Token in the token response as in Section 3.1.3.3 of OIDC with its "sub" value corresponding to the ConsentId;

  6. may support refresh tokens; and 

  7. shall provide a discovery endpoint that does not require a client certificate for authentication, served with a TLS certificate that should be trusted by the user agent.

5.2.4 Confidential Client

A Confidential Client

  1. may use a separate and distinct Redirect URI for each Authorization Server that it talks to; and

  2. shall accept and verify signed ID Tokens (JWS).
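As an added example (not part of the Payments NZ profile and not any API Provider's or Third Party's code), the checks a Confidential Client would run on the ID Token it receives in the code id_token authorization response: the JWS algorithm allow-list from FAPI-RW 8.6, iss/aud/exp/iat, the replayed nonce, sub equal to the ConsentId, and the c_hash binding of the authorization code from OIDC Core 3.3.2.11. This page does not mention c_hash or s_hash; they are checked here because the hybrid flow requires c_hash and FAPI-RW adds s_hash. The issuer, client id, consent id, sample claims and the stand-in signature check are assumptions; a real client replaces stub_verify with PS256/ES256 verification against the API Provider's JWKS.

```python
"""Confidential client side: verify the signed ID Token returned by a code id_token (hybrid
flow) authorization response before trusting the authorization code that came with it."""
import base64
import hashlib
import json
import time

ALLOWED_ALGS = {"PS256", "ES256"}  # FAPI-RW 8.6; "none", HS256 and RS256 are rejected outright

def b64url_decode(data: str) -> bytes:
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def left_half_hash(value: str) -> str:
    """c_hash / s_hash / at_hash for a *256 algorithm (OIDC Core 3.3.2.11): base64url of the
    left-most 128 bits of SHA-256 over the ASCII value."""
    return b64url_encode(hashlib.sha256(value.encode("ascii")).digest()[:16])

def parse_compact_jws(token: str):
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("ID Token is not a compact JWS")
    header, claims = (json.loads(b64url_decode(p)) for p in parts[:2])
    return header, claims, f"{parts[0]}.{parts[1]}".encode("ascii"), b64url_decode(parts[2])

def validate_hybrid_id_token(token, *, issuer, client_id, nonce, consent_id, code, state,
                             verify_signature, now=None, max_age=300):
    """Return the verified claims or raise ValueError. verify_signature(alg, kid, signing_input,
    signature) is the caller's JWS check against the API Provider's published keys (JWKS)."""
    now = int(time.time()) if now is None else now
    header, claims, signing_input, signature = parse_compact_jws(token)
    alg = header.get("alg")
    if alg not in ALLOWED_ALGS:
        raise ValueError(f"alg {alg!r} is not permitted")
    if not verify_signature(alg, header.get("kid"), signing_input, signature):
        raise ValueError("ID Token signature did not verify")
    if claims.get("iss") != issuer:
        raise ValueError("iss is not the API Provider's issuer")
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else list(aud or [])
    if client_id not in aud:
        raise ValueError("aud does not contain our client_id")
    if len(aud) > 1 and claims.get("azp") != client_id:
        raise ValueError("multiple audiences but azp is not our client_id")
    for name in ("exp", "iat"):
        if not isinstance(claims.get(name), int):
            raise ValueError(f"{name} missing or not an epoch integer")
    if now >= claims["exp"]:
        raise ValueError("ID Token has expired")
    if now - claims["iat"] > max_age:
        raise ValueError("ID Token was issued too long ago")
    # The nonce we sent must be replayed: it ties this token to our authorization request.
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch (possible replay)")
    # This profile populates sub with the ConsentId being authorised.
    if claims.get("sub") != consent_id:
        raise ValueError("sub is not the ConsentId we requested authorisation for")
    # The authorization-response ID Token binds the code via c_hash (OIDC Core 3.3.2.11).
    if claims.get("c_hash") != left_half_hash(code):
        raise ValueError("c_hash does not match the returned authorization code")
    # s_hash binds state (FAPI-RW); check it whenever the provider includes it.
    if "s_hash" in claims and claims["s_hash"] != left_half_hash(state):
        raise ValueError("s_hash does not match state")
    # at_hash is optional in this profile: no access token accompanies a code id_token response.
    return claims

# --- constructed sample data; not output from a real API Provider ---
STUB_SIGNATURE = b"stand-in-signature"
NOW, ISSUER, CLIENT_ID = 1_700_000_000, "https://as.example.bank.nz", "tp-123"
CODE, STATE, NONCE = "SplxlOBeZQQYbYS6WxSbIA", "af0ifjsldkj", "n-0S6_WzA2Mj"
SAMPLE_CLAIMS = {"iss": ISSUER, "aud": CLIENT_ID, "sub": "CID-0001", "nonce": NONCE,
                 "iat": NOW, "exp": NOW + 300,
                 "c_hash": left_half_hash(CODE), "s_hash": left_half_hash(STATE)}

def stub_verify(alg, kid, signing_input, signature):
    """Stand-in for real PS256/ES256 verification against the provider's JWKS."""
    return signature == STUB_SIGNATURE

def make_sample_id_token(claims, alg="PS256", signature=STUB_SIGNATURE):
    header = {"alg": alg, "kid": "provider-key-1", "typ": "JWT"}
    segs = [b64url_encode(json.dumps(p).encode("utf-8")) for p in (header, claims)]
    return ".".join(segs + [b64url_encode(signature)])

def check_sample(claims=SAMPLE_CLAIMS, **overrides):
    """Validate a sample token against the values the client sent; overrides simulate tampering."""
    kw = dict(issuer=ISSUER, client_id=CLIENT_ID, nonce=NONCE, consent_id="CID-0001",
              code=CODE, state=STATE, verify_signature=stub_verify, now=NOW)
    kw.update(overrides)
    return validate_hybrid_id_token(make_sample_id_token(claims), **kw)
```

The ordering matters: algorithm and signature are checked before any claim is read, so an unsigned or alg=none token never reaches the claim logic, and the nonce comparison happens before the client uses the accompanying code at the token endpoint.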

6. Accessing Protected Resources

6.1 Introduction

The FAPI endpoints are OAuth 2.0 protected resource endpoints that return various financial information for the resource owner associated with the submitted access token.

6.2 Access Provisions

6.2.1 Protected resources provisions

The resource server with the FAPI endpoints

  1. shall mandate mutually authenticated TLS; and

  2. shall verify that the client identifier bound to the underlying mutually authenticated TLS transport session matches the client that the access token was issued to.

6.2.2 Client Provisions

The confidential client supporting this document

  1. shall use mutually authenticated TLS;

  2. shall supply the last time the customer logged into the client as defined by FAPI clause 6.2.2.3;

  3. shall supply the customer's IP address if this data is available as defined by FAPI clause 6.2.2.4;

  4. shall supply the merchant's IP address if this data is available in the x-merchant-ip-address header, e.g., x-fapi-merchant-ip-address: 198.51.100.119; and

  5. shall supply the customer's user agent if this data is available in the x-customer-user-agent header.
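An added illustration of 6.2.1 and 6.2.2 from the resource server's side, written for this page and not taken from the profile or any API Provider's implementation. Binding the mTLS session to the access token is done here with the RFC 8705 certificate thumbprint carried in the token's cnf claim (x5t#S256), which is one way of meeting 6.2.1 item 2 and is assumed rather than mandated by this page; the header names x-fapi-auth-date and x-fapi-customer-ip-address are the ones FAPI clauses 6.2.2.3 and 6.2.2.4 define, the merchant header uses the name shown in the example on this page, and the "certificate" bytes, token claims and headers are constructed stand-ins.

```python
"""Resource server side: bind the presented mTLS client certificate to the access token, then
validate the FAPI request headers a confidential client must supply."""
import base64
import hashlib
import hmac
import ipaddress
from email.utils import parsedate_to_datetime

class AccessDenied(Exception):
    pass

def x5t_s256(cert_der: bytes) -> str:
    """Certificate thumbprint used by RFC 8705 certificate-bound access tokens:
    base64url(SHA-256(DER)), carried in the token's cnf claim as "x5t#S256"."""
    return base64.urlsafe_b64encode(hashlib.sha256(cert_der).digest()).rstrip(b"=").decode("ascii")

def check_certificate_binding(token_claims: dict, presented_cert_der: bytes) -> str:
    """Return the client_id the token was issued to, provided the certificate that authenticated
    the mTLS session is the one the token is bound to (6.2.1 item 2)."""
    bound = (token_claims.get("cnf") or {}).get("x5t#S256")
    if not bound:
        raise AccessDenied("access token is not certificate-bound")
    if not hmac.compare_digest(bound, x5t_s256(presented_cert_der)):
        raise AccessDenied("mTLS client certificate does not match the token's cnf binding")
    if not token_claims.get("client_id"):
        raise AccessDenied("access token carries no client_id")
    return token_claims["client_id"]

def validate_fapi_headers(headers: dict) -> dict:
    """Parse the 6.2.2 headers: x-fapi-auth-date is required and must be an HTTP-date; the IP
    address and user agent headers are optional but must be well-formed when present."""
    h = {k.lower(): v for k, v in headers.items()}
    if "x-fapi-auth-date" not in h:
        raise AccessDenied("x-fapi-auth-date header is required")
    try:
        parsed = {"auth_date": parsedate_to_datetime(h["x-fapi-auth-date"])}
    except (TypeError, ValueError) as exc:
        raise AccessDenied("x-fapi-auth-date is not an HTTP-date") from exc
    for name, key in (("x-fapi-customer-ip-address", "customer_ip"),
                      ("x-fapi-merchant-ip-address", "merchant_ip")):
        if name in h:
            try:
                parsed[key] = ipaddress.ip_address(h[name].strip())
            except ValueError as exc:
                raise AccessDenied(f"{name} is not a valid IP address") from exc
    if "x-customer-user-agent" in h:
        ua = h["x-customer-user-agent"]
        if not ua.isprintable() or len(ua) > 1024:
            raise AccessDenied("x-customer-user-agent is malformed")
        parsed["user_agent"] = ua
    return parsed

def authorize_request(token_claims: dict, presented_cert_der: bytes, headers: dict,
                      required_scope: str) -> dict:
    """Gate a protected-resource call: certificate binding, then scope, then header validation."""
    client_id = check_certificate_binding(token_claims, presented_cert_der)
    if required_scope not in str(token_claims.get("scope", "")).split():
        raise AccessDenied(f"access token lacks the {required_scope} scope")
    return {"client_id": client_id, **validate_fapi_headers(headers)}

# --- constructed sample; the "certificate" is a stand-in byte string, not real DER ---
CLIENT_CERT_DER = b"stand-in for the Third Party's DER-encoded client certificate"
SAMPLE_TOKEN = {"client_id": "tp-123", "scope": "payments accounts",
                "cnf": {"x5t#S256": x5t_s256(CLIENT_CERT_DER)}}
SAMPLE_HEADERS = {"x-fapi-auth-date": "Tue, 11 Sep 2012 19:43:31 GMT",
                  "x-fapi-customer-ip-address": "198.51.100.119",
                  "x-customer-user-agent": "Mozilla/5.0 (constructed sample UA)"}
```

In a deployment the DER bytes come from the peer certificate of the terminated TLS session (the TLS terminator must pass the certificate, not just a "client authenticated" flag, to the application), and the token claims come from the introspection response or from the access token JWT after its own signature has been verified.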

7. Request Object Endpoint

7.1 Introduction

OPs (Authorization Servers):

  1. shall not support request_uri (OIDC Request Object by Reference); and

  2. shall only support Request Objects passed by value, as in section 6.1 of OIDC Core.

8. Security Considerations

  1. The Message containment failure considerations in FAPI section 7.4 shall be followed.

8.5 TLS Considerations

  1. The TLS considerations in FAPI section 7.1 shall be followed; and

  2. The TLS considerations in FAPI-RW section 8.5 shall be followed.

8.6 JWS Algorithm Considerations

  1. The JWS algorithm considerations in FAPI-RW section 8.6 shall be followed.

...

Request Object claims and parameters (Field, requirement under the NZ Banking Data Profile, Notes):

  • aud (Required): The aud value should be, or include, the API Provider's Issuer Identifier URL.

  • iss (Required): The iss value should be the Client Id of the Third Party, unless the Request Object was signed by a party other than the Third Party.

  • nbf (Required): The time before which the JWT must not be accepted for processing. Processing of the "nbf" claim requires that the current date/time MUST be after or equal to the not-before date/time listed in the nbf claim. Expressed as an epoch, i.e. the number of seconds since 1970-01-01T00:00:00Z as measured in UTC (RFC 7519).

  • exp (Required): Token expiration date/time. Expressed as an epoch, i.e. the number of seconds since 1970-01-01T00:00:00Z as measured in UTC (RFC 7519).

  • iat (Required): Token issuance date/time. Expressed as an epoch, i.e. the number of seconds since 1970-01-01T00:00:00Z as measured in UTC (RFC 7519).

  • jti (Required): The jti (JWT ID) claim provides a unique identifier for the JWT.

  • scope (Required): Third Parties must specify the scopes that are being requested. The scope parameter must contain openid. The scopes must be a subset of the scopes that were registered during Client Registration with the API Provider.

  • ConsentId (Required): Third Parties must provide the ConsentId for which this authorisation is requested.

  • client_notification_token (Optional): Third Parties must provide this field if registered to use Ping mode. It is a bearer token provided by the Third Party that will be used by the API Provider to authenticate the callback request to the Third Party.

  • login_hint_token (Optional): A token containing information identifying the Customer for whom authentication is being requested. The particular details for the login_hint_token are documented in the NZ Banking Data API standard. Third Parties must provide either a login_hint_token or an id_token_hint.

  • id_token_hint (Optional): An ID Token previously issued to the Third Party by the API Provider, passed back as a hint to identify the Customer for whom authentication is being requested. Third Parties must provide either a login_hint_token or an id_token_hint.

  • requested_expiry (Optional): A positive integer allowing the client to request the expires_in value for the auth_req_id the server will return. The API Provider may use this value to influence the lifetime of the authentication request and is encouraged to do so where it will improve the user experience, for example by terminating the authentication once it knows the client is no longer interested in the result.
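The rules in the table above, together with 5.2.2 items 1, 3 and 4 and section 7, as an Authorization Server-side validator written for this page (not Payments NZ code and not any API Provider's implementation). It takes the authorization request parameters as a dict, refuses request_uri, parses the Request Object, applies the claim checks including jti replay tracking, lets Request Object values supersede query parameters, and returns the effective request. The placement of ConsentId as claims.id_token.ConsentId with essential set to true, the shape of the client registry, the stand-in signature verifier and all sample values are assumptions; the decoupled-flow fields (client_notification_token, login_hint_token, id_token_hint, requested_expiry) are outside this example.

```python
"""Authorization Server side: validate a Request Object passed by value in a hybrid flow
authorization request against the field rules tabulated above."""
import base64
import json
import time

ALLOWED_ALGS = {"PS256", "ES256"}  # FAPI-RW 8.6; "none", HS256 and RS256 are rejected

def b64url_decode(data: str) -> bytes:
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def parse_compact_jws(token: str):
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("request is not a compact JWS")
    header, payload = (json.loads(b64url_decode(p)) for p in parts[:2])
    return header, payload, f"{parts[0]}.{parts[1]}".encode("ascii"), b64url_decode(parts[2])

def consent_id_from(ro: dict) -> str:
    """ConsentId is requested as an essential claim (5.2.2 item 4). Assumed placement:
    claims.id_token.ConsentId = {"value": ..., "essential": true}."""
    entry = ((ro.get("claims") or {}).get("id_token") or {}).get("ConsentId")
    if not isinstance(entry, dict) or entry.get("essential") is not True or not entry.get("value"):
        raise ValueError("ConsentId must be requested as an essential id_token claim")
    return entry["value"]

def validate_request_object(query, *, issuer, clients, seen_jti, verify_signature, now=None):
    """query: authorization request parameters as received. clients: registered confidential
    clients, client_id -> {"scopes", "redirect_uris"}. seen_jti: set used for replay detection.
    verify_signature(client_id, alg, kid, signing_input, signature): JWS check against the
    Third Party's registered keys. Returns the effective request or raises ValueError."""
    now = int(time.time()) if now is None else now
    if "request_uri" in query or "request" not in query:
        raise ValueError("request (by value) is required; request_uri (by reference) is not supported")
    client_id = query.get("client_id")
    client = clients.get(client_id)
    if client is None:
        raise ValueError("unknown client_id")
    header, ro, signing_input, signature = parse_compact_jws(query["request"])
    if header.get("alg") not in ALLOWED_ALGS:
        raise ValueError(f"alg {header.get('alg')!r} is not permitted")
    if not verify_signature(client_id, header["alg"], header.get("kid"), signing_input, signature):
        raise ValueError("Request Object signature did not verify")
    # iss is the Third Party's client id; aud is, or includes, the API Provider's issuer URL.
    if ro.get("iss") != client_id:
        raise ValueError("iss does not match client_id")
    aud = ro.get("aud")
    if issuer not in ([aud] if isinstance(aud, str) else list(aud or [])):
        raise ValueError("aud does not include the API Provider's issuer")
    # nbf, exp, iat and jti are all required; jti is remembered so a replayed object is refused.
    for name in ("nbf", "exp", "iat"):
        if not isinstance(ro.get(name), int):
            raise ValueError(f"{name} missing or not an epoch integer")
    if now < ro["nbf"] or now >= ro["exp"]:
        raise ValueError("Request Object is not yet valid or has expired")
    if not ro.get("jti") or ro["jti"] in seen_jti:
        raise ValueError("jti missing or already used")
    # Request Object values supersede the same OAuth parameters given in the query string.
    effective = {k: v for k, v in query.items() if k not in ("request", "request_uri")}
    effective.update(ro)
    if effective.get("response_type") != "code id_token":
        raise ValueError("response_type must be 'code id_token'")
    scopes = set(str(effective.get("scope", "")).split())
    if "openid" not in scopes or not scopes <= set(client["scopes"]):
        raise ValueError("scope must contain openid and be a subset of the registered scopes")
    if effective.get("redirect_uri") not in client["redirect_uris"]:
        raise ValueError("redirect_uri is not registered for this client")
    for name in ("state", "nonce"):
        if not effective.get(name):
            raise ValueError(f"{name} is required in the hybrid flow request")
    effective["ConsentId"] = consent_id_from(ro)
    seen_jti.add(ro["jti"])
    return effective

# --- constructed sample; not real Third Party traffic ---
STUB_SIGNATURE = b"stand-in-signature"
NOW, ISSUER = 1_700_000_000, "https://as.example.bank.nz"
CLIENTS = {"tp-123": {"scopes": {"openid", "payments", "accounts"},
                      "redirect_uris": {"https://tp.example/cb"}}}
SAMPLE_RO = {"iss": "tp-123", "aud": ISSUER, "nbf": NOW - 10, "iat": NOW - 10, "exp": NOW + 300,
             "jti": "7e2a1f1c", "response_type": "code id_token", "client_id": "tp-123",
             "redirect_uri": "https://tp.example/cb", "scope": "openid payments",
             "state": "af0ifjsldkj", "nonce": "n-0S6_WzA2Mj",
             "claims": {"id_token": {"ConsentId": {"value": "CID-0001", "essential": True}}}}

def stub_verify(client_id, alg, kid, signing_input, signature):
    """Stand-in for real PS256/ES256 verification against the client's registered JWKS."""
    return signature == STUB_SIGNATURE

def make_request_object(payload, alg="PS256", signature=STUB_SIGNATURE):
    header = {"alg": alg, "kid": "tp-key-1", "typ": "JWT"}
    segs = [b64url_encode(json.dumps(p).encode("utf-8")) for p in (header, payload)]
    return ".".join(segs + [b64url_encode(signature)])

def sample_query(ro=SAMPLE_RO):
    # The query string repeats scope with an extra value; the Request Object's value wins.
    return {"client_id": "tp-123", "response_type": "code id_token",
            "scope": "openid payments accounts", "request": make_request_object(ro)}
```

The jti set stands in for whatever replay store the server uses; it only needs to remember identifiers until the corresponding exp has passed, since anything older is already rejected by the time window check.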

...

The sequence diagram below highlights the OAuth 2.0 Client Credentials Grant and OIDC Hybrid Flow that are used by the Payments API.

...

Payment Initiation with Client Credentials Grant Type and OIDC Hybrid Flows

...