[ACDS] Response regarding OIDC Dynamic Registration / SSA
As per the FAPI Pacific call this morning an action was taken to create an issue regarding whether a unified FAPI WG response was possible regarding the discussion around Client Registration method within the implementation of the Australian Consumer Data Right.
The specific GitHub thread is here: https://github.com/cdr-register/register/issues/23
The specification in Slate format is here: https://cdr-register.github.io/register/
I believe it was @Anoop Saxena that highlighted the specific section which outlines the current Static registration approach intended: https://cdr-register.github.io/register/#static-client-registration
I’m happy to discuss further in the Atlantic FAPI WG call tonight.
I’m marking this as major only because there is a time sensitivity as the ACCC intends to make a decision, most likely, this week.
Comments (7)
-
reporter -
Scope: On-boarding Data Recipients to Data Holders Authorisation Servers
Current approach (https://cdr-register.github.io/register/#static-client-registration):
Summary:
- All Participants maintain full cache of everyone to be refreshed at regular intervals or by request.
- Backend synchronisation via Registry Discovery API that contains both security and business metadata (client_id, JWKS, contact details, business name, etc.)
Main reasons given:
- Alternative is a lot of effort for Data recipients
- Alternative requires the Registry to be more highly available
- Current approach gives more control to the Registry
- Note: It's OK to deviate from a standard if there is a valid reason. Arguably, above reasons are not valid or not significant enough.
Potential issues:
- OAuth client's client_id is assigned by the Registry.
- Up to Data Holders to work out the way to create OAuth clients in their Authorisation Servers.
- Additional custom work, not aligned with standards, less vendor support, less proven and secure, etc.
Alternative proposed: Dynamic client registration with signed SSA and Registry status check:
- Based on RFC7591
- Profiled similar to UK implementation
- Diagram https://github.com/cdr-register/register/issues/23#issuecomment-525573911
Feedback from Data Holders, Data Recipients and vendors https://github.com/cdr-register/register/issues/23 is strongly in favour of Dynamic Client Registration based approach.
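An added illustration (not part of the comment above, and not CDR Register or Data Holder code) of the Data Holder side of the proposed alternative: an RFC 7591 registration request accepted only when its SSA is signed by the Register and the software is active. The issuer name, key, status table and HS256 signing are constructed stand-ins; a real Register would sign with an asymmetric key published in its JWKS.

```python
import base64, hashlib, hmac, json, secrets, time

# Constructed stand-ins (assumptions, not CDR values). A real Register signs
# SSAs with an asymmetric key from its JWKS; HS256 keeps this stdlib-only.
REGISTER_ISS = "register.example"
REGISTER_KEY = b"constructed-demo-key"
REGISTER_STATUS = {"sw-001": "ACTIVE", "sw-002": "REVOKED"}  # status-check stub

def b64u(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64u_dec(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mac(signing_input, key):
    return hmac.new(key, signing_input.encode(), hashlib.sha256).digest()

def sign_ssa(claims, key=REGISTER_KEY):
    """Register side: issue a signed software statement (JWT)."""
    head = b64u(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64u(json.dumps(claims).encode())
    return f"{head}.{body}.{b64u(mac(head + '.' + body, key))}"

def register_client(request, now=None):
    """Data Holder side: RFC 7591 registration gated on the SSA."""
    now = time.time() if now is None else now
    try:
        head, body, sig = request["software_statement"].split(".")
        if not hmac.compare_digest(mac(f"{head}.{body}", REGISTER_KEY), b64u_dec(sig)):
            return {"error": "invalid_software_statement"}
        header, ssa = json.loads(b64u_dec(head)), json.loads(b64u_dec(body))
    except (KeyError, ValueError, AttributeError):
        return {"error": "invalid_software_statement"}
    if header.get("alg") != "HS256":  # pin the algorithm, never trust the header
        return {"error": "invalid_software_statement"}
    if ssa.get("iss") != REGISTER_ISS or ssa.get("exp", 0) <= now:
        return {"error": "invalid_software_statement"}
    if REGISTER_STATUS.get(ssa.get("software_id")) != "ACTIVE":
        return {"error": "unapproved_software_statement"}
    # Signed metadata wins: requested redirect URIs must be a subset of the SSA's.
    allowed = set(ssa.get("redirect_uris", []))
    requested = request.get("redirect_uris") or sorted(allowed)
    if not requested or not set(requested) <= allowed:
        return {"error": "invalid_redirect_uri"}
    # The Authorisation Server mints the client_id, not the Register.
    return {"client_id": secrets.token_urlsafe(16), "software_id": ssa["software_id"],
            "redirect_uris": list(requested), "jwks_uri": ssa.get("jwks_uri")}
```

The error strings are the registration error codes defined in RFC 7591; the returned `client_id` is generated by the Authorisation Server itself, which is the point of contrast with the static approach's Registry-assigned `client_id`.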
-
Update from ACCC 11-Sep-2019: The ACCC has made the decision to use a Dynamic Client Registration Model for the Consumer Data Right Register in Australia.
Can probably close this issue.
-
reporter - changed status to resolved
Agreed, closing this following ACCC decision.
-
- changed component to Part 2: Advanced
-
- changed component to FAPI 1 – Part 2: Advanced
-
- changed component to FAPI 1: Advanced
Focusing on independence of discussion, I deliberately avoided putting my individual opinion in the initial post. I’ve previously provided my point of view here: https://github.com/cdr-register/register/issues/23#issuecomment-525980199