Closed NationalAustraliaBank closed 5 years ago
There is no practical need for data holders to notify data consumers at the time of revocation. Data recipients would be able to determine when consent is revoked because they’ll receive an appropriate error in response to an API request for data.
@WestpacOpenBanking – we are concerned that without clear error codes or notification of consent revocation a data consumer may unknowingly continue to use the consumers’ data without their consent. Based on the currently defined HTTP headers and response codes the DR will not receive a detailed error message. Therefore, the following scenarios can happen:
We believe that a formal notification and acknowledgement must be in place to ensure strong processes to manage consumer’s shared data.
With the ACCC draft rules published it is clear that bi-directional notification of revocation is now required. The mechanism for this will be via a new endpoint that will be defined in the Admin end point proposal that is to be released. To facilitate this end point an "Authorisation ID" will need to be added to the InfoSec stream and returned with each access and refresh token so that a revocation can uniquely identify a specific authorisation to both holder and recipient.
It is also assumed that when revocation occurs the recipient will delete any remaining tokens and will adhere to the ACCC rules with regards to the handling of CDR data that has been previously obtained. Data holders would be expected to invalidate any refresh or access tokens that are currently valid.
-JB-
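A minimal in-memory model of the scheme described in the comment above, added here as an illustration; it is not part of the thread or of any CDR specification. All class, method and field names are hypothetical, and the notification endpoint (not yet defined at the time of the thread) is stood in for by a direct method call on the peer.

```python
# Added illustration: every class, method and field name here is hypothetical.
import secrets
from dataclasses import dataclass, field

@dataclass
class Grant:
    authorisation_id: str
    access_token: str
    refresh_token: str

@dataclass
class Party:
    """Token store for a data holder or a data recipient, keyed by authorisation ID."""
    name: str
    peer: "Party | None" = None
    grants: dict = field(default_factory=dict)

    def revoke(self, authorisation_id: str, notify_peer: bool = True) -> bool:
        """Drop the tokens of one authorisation; True if it was still active here."""
        grant = self.grants.pop(authorisation_id, None)
        # Only the side where the revocation originated notifies, so calls never loop.
        if notify_peer and self.peer is not None:
            self.peer.revoke(authorisation_id, notify_peer=False)
        return grant is not None  # False for unknown or repeated IDs (idempotent)

    def token_valid(self, access_token: str) -> bool:
        return any(g.access_token == access_token for g in self.grants.values())

def authorise(holder: Party, recipient: Party) -> Grant:
    """Holder issues tokens and returns the authorisation ID alongside them."""
    grant = Grant(secrets.token_hex(8), secrets.token_urlsafe(16), secrets.token_urlsafe(16))
    holder.grants[grant.authorisation_id] = grant
    recipient.grants[grant.authorisation_id] = grant
    return grant

def demo() -> dict:
    holder, recipient = Party("holder"), Party("recipient")
    holder.peer, recipient.peer = recipient, holder
    # Same customer and same recipient, but two separate authorisations.
    a, b = authorise(holder, recipient), authorise(holder, recipient)
    first = holder.revoke(a.authorisation_id)  # customer revokes at the holder
    return {
        "revoked_at_holder": first,
        "recipient_dropped_a": a.authorisation_id not in recipient.grants,
        "b_still_valid": holder.token_valid(b.access_token),
        "repeat_is_noop": holder.revoke(a.authorisation_id) is False,
    }
```

Because revocation is keyed on the authorisation ID rather than on the customer or the token, the second authorisation stays usable and a repeated notification is a no-op.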
If the customer revokes the consent/authorisation on the DH management portal, the DR may continue to make calls to the DH's API endpoints. Is there a proposed method for DRs to be informed that the consent/authorisation has been revoked? e.g. an API implemented on the DR's end?