Description:
Hi @KasuniHemasika ,
The FAPI conformance suite has a separate test to validate the scenario where the aud value is equal to the par request URL value in its request object; it can be found in [1] (also refer to the image below). According to the description highlighted in blue, in this scenario the authorization server is expected to reject the request, which is the current behavior of the solution. We also analyzed the OB2 code and found that this is the same behavior. We also confirmed that the CDS FAPI conformance suite has the same test [2].
In addition to that, we found that OB3 builds the PAR URL using the IDP URL in [3], and it is wrong. We will send a fix removing it, because building that URL and adding it to the valid audiences list is wrong according to the FAPI suite. This should be removed from the PAR validations with a separate.
[1] https://www.certification.openid.net/log-detail.html?log=chprTHoTdUuAXa2&public=true
[2] https://docs.google.com/spreadsheets/d/1Yn3O8hKud9ZdfW2GjwkIgFtTA_D_1N_F7i9AMdtCgx0/edit?gid=1544204482#gid=1544204482&range=A14
[3] https://github.com/wso2-support/financial-open-banking/blob/8a3ce7bb1bd909c75ae8e564c734d3fefaf1b5d1/open-banking-accelerator/components/com.wso2.openbanking.accelerator.identity/src/main/java/com/wso2/openbanking/accelerator/identity/push/auth/extension/request/validator/util/PushAuthRequestValidatorUtils.java#L572
Suggested Labels:
OB3, Accelerator
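To illustrate the audience check the issue is about, here is an added example (not the accelerator's code, and not from the issue author): a request-object aud validator with the rejected behavior (PAR endpoint URL in the valid-audience set) beside the corrected one. The issuer and PAR URLs are constructed sample values, and treating the issuer identifier as the only acceptable audience is an assumption consistent with FAPI 1.0 Advanced.

```python
from typing import List, Optional, Set, Union

AudClaim = Union[str, List[str], None]

# Constructed sample values; not taken from any real deployment.
ISSUER = "https://as.example.com/oauth2/token"
PAR_ENDPOINT = "https://as.example.com/oauth2/par"


def valid_audiences_before(issuer: str, par_endpoint: str) -> Set[str]:
    """Behavior the issue reports as wrong: the PAR endpoint URL is added
    to the acceptable audiences, so aud == PAR URL is accepted."""
    return {issuer, par_endpoint}


def valid_audiences_after(issuer: str) -> Set[str]:
    """Corrected set: only the issuer identifier is accepted (assumption,
    see lead-in). A request object with aud == PAR URL is now rejected."""
    return {issuer}


def aud_values(aud: AudClaim) -> List[str]:
    """Normalise the JWT aud claim, which may be a string or an array."""
    if aud is None:
        return []
    if isinstance(aud, str):
        return [aud]
    if isinstance(aud, list) and all(isinstance(a, str) for a in aud):
        return aud
    raise ValueError("aud must be a string or an array of strings")


def validate_request_object(claims: dict, allowed: Set[str]) -> bool:
    """Accept the request object only if at least one aud value is an
    allowed audience; a missing or malformed aud claim is rejected."""
    try:
        return any(a in allowed for a in aud_values(claims.get("aud")))
    except ValueError:
        return False


if __name__ == "__main__":
    req = {"aud": PAR_ENDPOINT}  # the conformance-suite scenario
    print("before:", validate_request_object(req, valid_audiences_before(ISSUER, PAR_ENDPOINT)))
    print("after: ", validate_request_object(req, valid_audiences_after(ISSUER)))
```

Run directly, it prints "before: True" (the reported defect) and "after: False" (the expected rejection).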