/
NZ Banking Data Security Profile v2.0.2

NZ Banking Data Security Profile v2.0.2

 

Version Control

Version

Date

Author

Comments

Version

Date

Author

Comments

v1.0.0

May 10, 2019 

Payments NZ

Baseline from v1.0.0-draft2

v2.0-draft2

Sep 10, 2019 

@Gavin Wong (Unlicensed)

Restructuring for v2.0

v2.0-draft3

Sep 17, 2019 

@Gavin Wong (Unlicensed)

Additions:

Updates:

  • References to Intent Id to "ConsentId" to unify the specifications

  • Separate section for the "NZ Read and Write API Security Profile" which extends the [FAPI Read+Write profile]

  • In 5.2.2.6 updated to "shall issue an ID Token in the token response" as the openid scope must be requested by the Third Party

  • Updated draft3-ImplementationGuide section:

    • To have (1) one example of the Hybrid Flow for the Payment Initiation API and (2) one example of the Decoupled Flow for the Account Information API

    • With updated examples for v2.0 API endpoint names and payloads

  • Updated state to be mandatory in the Hybrid Flow Authorization Request

  • Updated openbanking_intent_id to ConsentId

  • Updated urn:openbanking to urn:apicentre as per Technical Decision - 001 - Namespacing Token Claims

  • Updated nonce to be required "The API Provider must be replay the supplied nonce parameter in any ID Token response."

  • Updated at_hash to be optional in ID Token response

  • Clarification that a Confidential Client "shall accept and verify signed ID Tokens (JWS)"

  • Clarification that "OpenID Connect Request Object values (in the JWT) supersede those which are passed using the OAuth 2.0 request query parameter syntax." in the draft3-RequestObject

  • Clarifications on the claims request parameter in the draft3-RequestObject

  • Clarified that the ID Token sub shall always be populated with the ConsentId as per Technical Decision - 012 - Sub in ID Token

Removed:

  • From draft3-JWKSEndpoints

    • "Each API Provider will host their own JWKS endpoint. Upon issuance of a certificate a JWK Set will be created or updated for a given Third Party."

    • "The private key must have been used by the issuer to get a signing certificate issued from OB."

  • Reference to public clients as OPs are not supporting this functionality

  • References to the request_uri as this functionality is not supported

  • References to the userinfo endpoint as this functionality is not supported

  • In NZ Read and Write API Security Profile 5.2.2

    • Removed client_secret_basic and client_secret_post

    • Removed client_secret_jwt

  • As how to "authenticate the confidential client at the token endpoint" now aligns with FAPI-RW - have removed the variation on authentication methods

  • References to acr as this was optional to support and no guidance is given on how to support

  • From Non-Normative examples of Hybrid Flow - removed at_hash from ID Token as this is not required with the response type "code id_token"

  • Removed support for RSASSA-PKCS1-v1_5 (e.g. RS256) from 8.6JWSAlgorithmConsiderations and 7.10AlgorithmConsiderations as per Technical Decision - 013 - JWS Signing Algorithms

  • Removed references to azp as per Technical Decision - 014 - ID Token Authorized Party Field

  • Removed references to amr as per Technical Decision - 015 - ID Token Authentication Methods References

Errata:

  • Updated 8.2.1 to state "Authorization servers must not support the Request Object Endpoint (request_uri)"

  • "The scope parameter must contain openid" as the profile mandates the hybrid flow

  • "Third Parties must specify code id_token" as the profile mandates the hybrid flow

v2.0-rc2

Jan 3, 2020

@Gavin Wong (Unlicensed)

Updates:

  • Clarified in Unspecified Behaviour section that “The implementation guide does not illustrate the following configurations in this section.”

  • Updated unspecified behaviour for “Client Credentials Grant Type (scope=openid email profile)”

Removed:

  • Section on “Notation Conventions”

v2.0.0

Mar 31, 2020

@Gavin Wong (Unlicensed)

Errata:

  • Updated references to “third_party_client_credential” for consistency

v2.0.1

Jul 17, 2020

@Gavin Wong (Unlicensed)

No change

v2.0.2

Nov 5, 2022

@Nigel Somerfield

No change

Introduction

This document is based on the OpenID Foundation's Financial-grade API Read+Write specification FAPI-RW, which in turn is based on the Read only specification document FAPI. In addition, the Financial-grade API: Client Initiated Backchannel Authentication Profile FAPI-CB has been incorporated, to support a decoupled authentication flow. The NZ Banking Data profile will further shape these profiles in some cases tightening restrictions and in others loosening requirements using keywords. Please see the introduction to FAPI-RW for a general introduction to the aims of this document.

The NZ Banking Data Profile outlines the differences between the FAPI-RW and FAPI-CB with clauses and provisions necessary to reduce delivery risk for API Providers.

Security Architecture

OAuth 2.0

OAuth 2.0 will be the foundational framework for API Security for the NZ Banking Data API Standard. OAuth 2.0 itself is a framework which can be deployed in many ways, some of them completely incompatible with financial models. In order to securely use the OAuth 2.0 framework, a profile must exist by which both Third Parties and API Providers are certified to have correctly configured their clients and servers.

OIDC Core

The OpenID Connect Request object uses exactly the same claims object for specifying claim names, priorities, and values as OAuth 2.0. However if the Request object is used, the Claims object becomes a member in an assertion that can be signed and encrypted, allowing the API Provider to authenticate the request from the Third Party and ensure it hasn't been tampered with. The OpenID Connect Request object can either be passed as a query string parameter, or can be referenced at an endpoint that could theoretically be protected by MATLS. The use of JWT Request objects by reference is not supported due a number of delivery risks and remaining security concerns.

In addition to specifying a ticket, the Third Party can optionally require a minimum strength of authentication context or request to know how long ago the user was actually authenticated. Multiple tickets could be passed if necessary. Everything is fully specified. Vendors who implement this feature are not creating a one-off proprietary feature, they are simply supporting the OpenID Connect standard.

Full accountability is available as required by all participants. Not only can the API Provider prove that they received the original request from the Third Party, but the Third Party can prove that the access token that comes back was the token that was intended to be affiliated to this specific ConsentId.

OIDC Client Initiated Backchannel Authentication

The OIDC Client Initiated Backchannel Authentication (CIBA) profile enables a Client (Third Party) to initiate the authentication of the end-user (Customer) with the OpenID Provider (API Provider) in an out of band mechanism. This direct out of band mechanism between the Third Party and API Provider means that the Customer is not redirected to authenticate through the Customer's browser (or consumption device).

FAPI

The Financial API working group in the OpenID Foundation has created a draft standard for configuration of Financial-grade API security regimes. If any FAPI-compliant vendor can participate in the NZ Banking Data API ecosystem, it means that vendors can work to the standard and reach many customers, rather than having to create different solutions for different banking platforms. The FAPI profiles apply to both OIDC Core and OIDC CIBA profiles.

Scope

This part of the document specifies the method of

  • Applications to obtain the OAuth tokens in an appropriately secure manner for financial data access;

  • Applications to use OpenID flows to identify the Customer; and

  • Using tokens to interact with the REST endpoints that provides financial data;

This document is applicable to higher risk use cases which includes commercial and investment banking.

Normative References

The following referenced documents are strongly recommended to be used in conjunction with this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.

Terms and Definitions

For the purpose of this document, the terms defined in [FAPI ReadOnly profile] FAPI, [FAPI Read+Write profile] FAPI-RW, [OpenID Connect Core] OIDC, [OpenID Connect Client Initiated Backchannel Authentication Flow] CIBA, and [FAPI: Client Initiated Backchannel Authentication Profile] FAPI-CB apply.

Symbols and Abbreviated Terms

  • API Provider - provides APIs in a manner that complies with the API Standards (e.g. Account Information and Payment Initiation APIs), and connects those APIs with a Third Party.

  • Third Party - the entity that consumes an API in a manner that complies with the API Standards.

  • Customer - a natural or legal person that operates banking accounts.

NZ Read and Write API Security Profile

The NZ Read and Write API Security Profile extends from [FAPI Read+Write profile] FAPI-RW.

This section identifies variations from FAPI-RW and the numbered section references where there is a variation in FAPI-RW.

Read and Write API Security Profile Variations

5.2 Read and Write API Security Provisions

5.2.1 Introduction

The NZ Banking Data API Security Profile does not distinguish between the security requirements from a technical level between "read" and "write" resources. The security requirements for accessing Customer resources held at API Providers requires more protection level than a basic OAuth 2.0 (RFC6749) supports.

As a profile of The OAuth 2.0 Authorization Framework, this document mandates the following to the NZ Banking Data APIs.

5.2.2 Authorization Server

The Authorization Server

  1. shall only support confidential clients;

  2. shall secure its token endpoint using mutually authenticated TLS;

  3. shall only support the response_type value code id_token;

  4. shall require the ConsentId to be passed in the authorisation request as an essential claim;

  5. shall issue an ID Token in the token response as in Section 3.1.3.3 of OIDC with its "sub" value corresponding to the ConsentId;

  6. may support refresh tokens; and 

  7. shall provide a discovery endpoint that does not require a client certificate to authenticate using a TLS certificate that should be trusted by the user agent.

5.2.4 Confidential Client

A Confidential Client

  1. may use separate and distinct Redirect URI for each Authorization Server that it talks to; and

  2. shall accept and verify signed ID Tokens (JWS);

6. Accessing Protected Resources

6.1 Introduction

The FAPI endpoints are OAuth 2.0 protected resource endpoints that return various financial information for the resource owner associated with the submitted access token.

6.2 Access Provisions

6.2.1 Protected resources provisions

The resource server with the FAPI endpoints

  1. shall mandate mutually authenticated TLS; and

  2. shall verify that the client identifier bound to the underlying mutually authenticated TLS transport session matches the client that the access token was issued to.

6.2.2 Client Provisions

The confidential client supporting this document

  1. shall use mutually authenticated TLS;

  2. shall supply the last time the customer logged into the client as defined by FAPI clause 6.2.2.3;

  3. shall supply the customer's IP address if this data is available as defined by FAPI clause 6.2.2.4;

  4. shall supply the merchant's IP address if this data is available in the x-merchant-ip-address header, e.g., x-fapi-merchant-ip-address: 198.51.100.119; and

  5. shall supply the customer's user agent if this data is available in the x-customer-user-agent header.

7. Request Object Endpoint

7.1 Introduction

OPs:

  1. shall not support request_uri, OIDC Request Object by Reference;

  2. shall only support Request Objects passed by value as in clause 6.3 of OIDC.

8. Security Considerations

  1. The Message containment failure considerations in FAPI section 7.4 shall be followed.

8.5 TLS Considerations

  1. The TLS considerations in FAPI section 7.1 shall be followed; and

  2. The TLS considerations in FAPI-RW section 8.5 shall be followed.

8.6 JWS Algorithm Considerations

  1. The JWS algorithm considerations in FAPI-RW section 8.6 shall be followed.

NZ Client Initiated Backchannel Authentication Profile

The NZ Client Initiated Backchannel Authentication Profile extends from [FAPI: Client Initiated Backchannel Authentication Profile] FAPI-CB.

This section identifies variations from FAPI-CB and the numbered section references where there is a variation in FAPI-CB.

The Client Initiated Backchannel Authentication Flow [CIBA] specifies an alternate method of users granting access to their resources whereby the flow is started from a consumption device, but authorized on an authentication device.

Client Initiated Backchannel Authentication Variations

5.2 Read and Write API Security Provisions

5.2.2 Authorization Server

The Authorization Server

  1. shall require a previously staged ConsentId to be passed in the authentication request;

  2. shall not require clients to provide a request_context claim - as these fraud and threat parameters will be passed in the consent object;

  3. shall only support login_hint_token and id_token_hint; and 

  4. shall not support the user_code parameter in the authentication request.

6. Accessing Protected Resources

6.1 Introduction

The FAPI endpoints are OAuth 2.0 protected resource endpoints that return various financial information for the resource owner associated with the submitted access token.

6.2 Access Provisions

6.2.1 Protected resources provisions

The resource server with the FAPI endpoints

  1. shall mandate mutually authenticated TLS; and 

  2. shall verify that the client identifier bound to the underlying mutually authenticated TLS transport session matches the client that the access token was issued to.

6.2.2 Client Provisions

The confidential client supporting this document

  1. shall use mutually authenticated TLS;

  2. shall supply the last time the customer logged into the client as defined by FAPI clause 6.2.2.3;

  3. shall supply the customer's IP address if this data is available as defined by FAPI clause 6.2.2.4;

  4. shall supply the merchant's IP address if this data is available in the x-merchant-ip-address header, e.g., x-fapi-merchant-ip-address: 198.51.100.119; and 

  5. shall supply the customer's user agent if this data is available in the x-customer-user-agent header.

7. Security Considerations

7.9 TLS Considerations

  1. The TLS considerations in FAPI-CB section 7.9 shall be followed.

7.10 Algorithm Considerations

  1. The JWS algorithm considerations in FAPI-CB section 7.10 shall be followed.

Non-Normative Examples

Hybrid Flow

This section describes parameters that should be used with a hybrid grant flow request so that an ConsentId can be passed from the Third Party to an API Provider for minimum conformance for the NZ Read and Write API Security Profile (extending FAPI-RW). The hybrid flow is used as the redirect authorisation flow for the NZ Banking Data APIs.

Prior to this step, 

  1. The Third Party would have already registered a consent with an API Provider. This is achieved by creating a resource with an account information or payment consent APIs.

  2. The API Provider would have responded with an ConsentId (this is the unique identifier for the consent resource).

Authorization Request

This section describes the bare minimum set of Authorization Request parameters that an API Provider must support. The definitive reference is specified in OIDC Section 3.3.2.1 (Authentication Request) and OIDC Section 3.1.2.1 (Authentication Request)

All API Providers must support the issuance of OIDC ID Tokens, a Third Party must request that an ID Token is issued. 

This is a non-normative example of the Authorization Request:

GET /authorize? response_type=code%20id_token &client_id=s6BhdRkqt3 &state=af0ifjsldkj& &scope=openid%20payments &nonce=n-0S6_WzA2Mj &redirect_uri=https://api.mytpp.com/cb &request=eyJraWQiOiJsdGFjZXNidyIsImFsZyI6I.....JjVqsDuushgpwp0E.5leGFtcGxlIiwianRpIjoiM....JleHAiOjE0.olnx_YKAm2J1rbpOP8wGhi1BDNHJjVqsDuushgpwp0E

Parameters

Parameter

NZ Banking Data Profile

Notes

Parameter

NZ Banking Data Profile

Notes

scope

Required

Third Parties must specify the scopes that are being requested.

The scope parameter must contain openid

The scopes must be a sub-set of the scopes that were registered during Client Registration with the API Provider.

response_type

Required

OAuth 2.0 requires that this parameter is provided.

Third Parties must specify "code id_token"

The values for these parameters must match those in the Request Object, if present.

client_id

Required

Third Parties must provide this value and set it to the Client Id issued to them by the API Provider to which the authorization code grant request is being made.

redirect_uri

Required

Third Parties must provide the URI to which they want the resource owner's user agent to be redirected to after authorization.

This must be a valid, absolute URL that was registered during Client Registration with the API Provider.

state

Required

Third Parties must provide a state parameter.

The parameter may be of any format and is opaque to the API Provider.

The API Provider must play back the value in the redirect to the Third Party.

The API Provider must include the s_hash in the ID Token.

nonce

Required

Third Parties must provide a nonce parameter.

Used to help mitigate against replay attacks.

The API Provider must be replay the supplied nonce parameter in any ID Token response.

request

Required

The Third Party must provide a value for this parameter.

The Request Object parameter must contain a JWS that is signed by the Third Party.

The JWS payload must consist of a JSON object containing a Request Object as per OIDC Section 6.1.

Request Object

This section describes the Request Object which is used in the request Authorization Request parameter. The definitive reference is specified in OIDC Section 6.1 (Request Object). All standards and guidance MUST be followed as per the OIDC specification.

As per OIDC - when the Request Object is used, the OpenID Connect Request Object values (in the JWT) supersede those which are passed using the OAuth 2.0 request query parameter syntax. 

The Request Object:

  • must contain a "claims" request parameter with the ConsentId in the "id_token" object as an essential claim

  • may contain additional "claims" to be requested if the API Provider's Authorization Server support them - these claims must be listed on the OIDC Well Known configuration endpoint.

In OIDC - the "claims" request parameter in the Request Object is used to request that specific Claims be returned in either the ID Token or at the userinfo endpoint. Hence the top level members of the "claims" request parameter are:

  • id_token

  • userinfo

The userinfo and id_token members of the claims request parameter are JSON objects with the names of the individual Claims being requested as the member names. Within an individual Claims field, the "essential" field is required to indicate whether the Claim being requested is an Essential Claim. If the value is true, this indicates that the claim is an Essential Claim.

For instance, the claim request:

"claims": { "id_token": { "ConsentId": { "value": "urn-alphabank-intent-58923", "essential": true } } }

can be used to specify that it is essential to return the ConsentId as a claim in the ID Token.

This is a non-normative example of the Request Object JWS - without Base64 encoding:

{ "alg": "PS256", "kid": "GxlIiwianVqsDuushgjE0OTUxOTk" } . { "aud": "https://api.alphanbank.com", "iss": "s6BhdRkqt3", "response_type": "code id_token", "client_id": "s6BhdRkqt3", "redirect_uri": "https://api.mytpp.com/cb", "scope": "openid payments", "state": "af0ifjsldkj", "nonce": "n-0S6_WzA2Mj", "max_age": 86400, "claims": { "id_token": { "ConsentId": { "value": "urn-alphabank-intent-58923", "essential": true } } } } . <<signature>>

Claims

Where appropriate follow the JWT Good Practice Guides http://self-issued.info/docs/draft-sheffer-oauth-jwt-bcp-00.html#rfc.section.3.1 

Field

NZ Banking Data Profile

Notes

Field

NZ Banking Data Profile

Notes

aud

Required

The aud value should be or include the API Provider's Issuer Identifier URL.

iss

Required

The iss value should be the Client Id of the Third Party, unless it was signed by a different party than the Third Party.

scope

Required

Third Parties must specify the scopes that are being requested.

The scope parameter must contain openid

The scopes must be a sub-set of the scopes that were registered during Client Registration with the API Provider.

response_type

Required

Third Parties must provide this field and set its value to 'code id_token'.

The values must match those in the request parameter.

client_id

Required