Compared versions


...

The Authorization Server shall support the provisions specified in clause 5.2.2.1 of Financial-grade API Security Profile 1.0 - Part 2: Advanced

  1. Shall encrypt the id_token returned by the authorization endpoint before sending it to the customer; the id_token returned by the token endpoint must be returned without encryption in callback and token endpoint calls;

  2. For the encryption of the id_token, a key available in the JWKS provided through the jwks_uri parameter during client registration, carrying the attribute "use":"enc", must be used, indicated through the kid header of the JWT;

  3. The use of other headers to indicate the key used, such as x5u, x5c, jku or jwk, is prohibited, as defined in clause 2 of OIDC.
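The three requirements above can be checked by a client before it attempts to decrypt an id_token received from the authorization endpoint: the JWE protected header must name a key by kid, that kid must resolve to a key with "use":"enc" in the JWKS the client registered, and none of x5u, x5c, jku or jwk may be present. The following is an added example (not code from the specification or any Open Finance implementation) that inspects only the protected header of a compact JWE; the JWKS and the JWE segments are constructed placeholders, and no decryption is performed.

```python
import base64
import json

# Constructed example of a JWKS a client would publish at its jwks_uri.
# Key material is placeholder text, not real keys.
CLIENT_JWKS = {
    "keys": [
        {"kty": "RSA", "kid": "enc-key-1", "use": "enc", "alg": "RSA-OAEP", "n": "placeholder", "e": "AQAB"},
        {"kty": "RSA", "kid": "sig-key-1", "use": "sig", "alg": "PS256", "n": "placeholder", "e": "AQAB"},
    ]
}

# Headers that reference a key by means other than kid; prohibited by the profile.
FORBIDDEN_KEY_HEADERS = ("x5u", "x5c", "jku", "jwk")


def b64url_decode(segment: str) -> bytes:
    """Decode an unpadded base64url segment (RFC 4648 section 5)."""
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def b64url_encode(data: bytes) -> str:
    """Encode bytes as unpadded base64url."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def check_id_token_encryption_header(compact_jwe: str, jwks: dict) -> list[str]:
    """Return a list of findings for the JWE protected header; empty means compliant."""
    findings = []
    parts = compact_jwe.split(".")
    if len(parts) != 5:
        return ["not a JWE compact serialization (expected 5 dot-separated segments)"]
    try:
        header = json.loads(b64url_decode(parts[0]))
    except ValueError:  # covers binascii.Error, UnicodeDecodeError and JSONDecodeError
        return ["protected header is not valid base64url-encoded JSON"]

    for name in FORBIDDEN_KEY_HEADERS:
        if name in header:
            findings.append(f"forbidden key-reference header present: {name}")

    kid = header.get("kid")
    if not kid:
        findings.append("kid header missing")
        return findings

    matching = [k for k in jwks.get("keys", []) if k.get("kid") == kid]
    if not matching:
        findings.append(f"kid {kid!r} not found in registered JWKS")
    elif matching[0].get("use") != "enc":
        findings.append(f"key {kid!r} is not an encryption key (use={matching[0].get('use')!r})")
    return findings


def make_sample_jwe(header: dict) -> str:
    """Build a constructed compact JWE whose only meaningful segment is the protected header."""
    filler = b64url_encode(b"placeholder")
    return ".".join([b64url_encode(json.dumps(header).encode()), filler, filler, filler, filler])


if __name__ == "__main__":
    good = make_sample_jwe({"alg": "RSA-OAEP", "enc": "A256GCM", "kid": "enc-key-1"})
    bad = make_sample_jwe({"alg": "RSA-OAEP", "enc": "A256GCM", "kid": "sig-key-1",
                           "x5u": "https://example.invalid/cert.pem"})
    print("good:", check_id_token_encryption_header(good, CLIENT_JWKS))
    print("bad: ", check_id_token_encryption_header(bad, CLIENT_JWKS))
```

Rejecting the token on any finding before decryption keeps the client from honouring a key reference the profile forbids; the header checks are deliberately independent of the JWE algorithm so they can sit in front of whatever JOSE library performs the actual decryption.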

...

  1. Each of the elements above must be encoded using the Base64url encoding of RFC 4648, and the elements must be concatenated with "." (JWS Compact Serialization, as defined in RFC 7515).

  2. The payload of signed messages (request JWT and response JWT) shall include the following claims, as defined in RFC 7519:

...

  • string 'consent'; and

  • delimiter of a colon ":"; and

  • Consent API REST Resource Id as returned by a successful creation of an Open Finance Consent Resource;

In addition:

  • the Consent Resource Id must include URL-safe characters only;

  • the Consent Resource Id must be namespaced;

  • the Consent Resource Id must have the properties of a nonce;
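The dynamic consent scope is therefore the string "consent", a colon, and the Consent Resource Id, and the three properties listed above can be enforced both when the id is minted and when a scope is parsed. The following is an added example (not code from the specification or any Open Finance implementation). It assumes a concrete reading of the requirements that the page does not fix: "URL-safe" is taken as the RFC 3986 unreserved characters plus ":" as the namespace separator, "namespaced" is taken as the URN-style form urn:<namespace>:<value>, and "nonce properties" is approximated by at least 128 bits of randomness from the platform CSPRNG (22 base64url characters); the namespace "bancoex" is a constructed sample.

```python
import re
import secrets
from typing import Optional

SCOPE_PREFIX = "consent"

# Assumed interpretation of "URL-safe characters only": RFC 3986 unreserved
# characters, plus ":" so that a namespaced (URN-style) id can be expressed.
ID_CHARSET = re.compile(r"^[A-Za-z0-9\-._~:]+$")
# Assumed namespaced form: urn:<namespace>:<value>, with exactly one value segment.
NAMESPACED_ID = re.compile(r"^urn:[A-Za-z0-9\-._~]+:[A-Za-z0-9\-._~]+$")
# Assumption: nonce-like ids carry ~128 bits of randomness, i.e. 22 base64url characters.
MIN_RANDOM_CHARS = 22


def new_consent_id(namespace: str) -> str:
    """Mint a namespaced consent id whose value segment is unpredictable (nonce-like)."""
    if not re.fullmatch(r"[A-Za-z0-9\-._~]+", namespace):
        raise ValueError("namespace must use URL-safe characters only")
    random_part = secrets.token_urlsafe(16)  # 16 CSPRNG bytes -> 22 base64url characters
    return f"urn:{namespace}:{random_part}"


def validate_consent_id(consent_id: str) -> list[str]:
    """Return findings against the three properties; empty means the id is acceptable."""
    findings = []
    if not ID_CHARSET.match(consent_id):
        findings.append("consent id contains characters that are not URL-safe")
    if not NAMESPACED_ID.match(consent_id):
        findings.append("consent id is not namespaced (expected urn:<namespace>:<value>)")
    else:
        value = consent_id.rsplit(":", 1)[1]
        if len(value) < MIN_RANDOM_CHARS:
            findings.append("consent id value too short to have nonce properties")
    return findings


def dynamic_consent_scope(consent_id: str) -> str:
    """Build the 'consent:<id>' scope, refusing ids that fail validation."""
    findings = validate_consent_id(consent_id)
    if findings:
        raise ValueError("; ".join(findings))
    return f"{SCOPE_PREFIX}:{consent_id}"


def parse_dynamic_consent_scope(scope: str) -> Optional[str]:
    """Return the consent id carried by a 'consent:<id>' scope, or None if the scope is not one."""
    prefix, sep, consent_id = scope.partition(":")
    if prefix != SCOPE_PREFIX or not sep or validate_consent_id(consent_id):
        return None
    return consent_id


if __name__ == "__main__":
    cid = new_consent_id("bancoex")  # constructed sample namespace
    scope = dynamic_consent_scope(cid)
    print(scope)
    print(parse_dynamic_consent_scope(scope) == cid)
    print(validate_consent_id("urn:bancoex:C1DD33123"))
```

An authorization server that parses requested scopes with `parse_dynamic_consent_scope` treats anything that is not a well-formed consent scope as an ordinary scope value, so a malformed id never reaches the consent lookup; the validator's character and structure checks also keep the id safe to embed in the Consent API resource path without percent-encoding.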

7.1.3. Dynamic Consent Scope Example

...