[ACDS] Response regarding OIDC Dynamic Registration / SSA

Issue #268 resolved
Stuart Low created an issue

As per the FAPI Pacific call this morning an action was taken to create an issue regarding whether a unified FAPI WG response was possible regarding the discussion around Client Registration method within the implementation of the Australian Consumer Data Right.

The specific GitHub thread is here: https://github.com/cdr-register/register/issues/23

The specification in Slate format is here: [https://cdr-register.github.io/register/](https://cdr-register.github.io/register/)

I believe it was @Anoop Saxena that highlighted the specific section which outlines the current Static registration approach intended: https://cdr-register.github.io/register/#static-client-registration

I’m happy to discuss further in the Atlantic FAPI WG call tonight.

I’m marking this as major only because there is a time sensitivity as the ACCC intends to make a decision, most likely, this week.

Comments (4)

  1. Dima Postnikov

    Scope: On-boarding Data Recipients to Data Holders Authorisation Servers

    Current approach (https://cdr-register.github.io/register/#static-client-registration):


    • All Participants maintain full cache of everyone to be refreshed at regular intervals or by request.
    • Backend synchronisation via Registry Discovery API that contains both security and business metadata (client_id, JWKS, contact details, business name and etc.)

    Main reasons given:

    • Alternative is a lot of effort for Data recipients
    • Alternative requires the Registry to be more highly available
    • Current approach gives more control to the Registry
    • Note: It's Ok to deviate from a standard if there is a valid reason. Arguably, above reasons are not valid or not significant enough.

    Potential issues:

    • OAuth client's client_id is assigned by the Registry.
    • Up to Data Holders to work out the way to create OAuth clients in their Authorisation Servers.
    • Additional custom work, not aligned with standards, less vendor support, less proven and secure and etc.

    Alternative proposed: Dynamic client registration with signed SSA and Registry status check:

    Feedback from Data Holders, Data Recipients and vendors https://github.com/cdr-register/register/issues/23 is strongly in favour of Dynamic Client Registration based approach.

  2. Dima Postnikov

    Update from ACCC 11-Sep-2019: The ACCC has made the decision to use a Dynamic Client Registration Model for the Consumer Data Right Register in Australia.

    Can probably close this issue.

  3. Log in to comment