Consecutive authorize requests: new consent, consent extending or consent overriding?

[sachi-d]

Hypothesis

Scenario: A Data Recipient sends an authorization request with scopes xyz, sharing_duration t1. Consumer authorizes it with account-IDs A and B. Data recipient utilizes corresponding banking APIs using the provided access token. Data recipient sends another authorization request with the same scopes xyz and same sharing_duration t2 and the same consumer authorizes it with account-IDs B and C.

What effect does the second authorization have on the first authorization?

• Are those two considered as two independent consents?
• Is the first consent revoked and only the second is in effect?
• Is the consent extended for a sharing duration of t1+t2?

Description

A clear and concise description of the hypothesis. Example: Based on initial feedback Java is the most prevalent language in use within implementing organisations. In addition Java is a language where engineering resources are readily available. On this basis the project will develop it's core assets in Java and focus on delivering assets for use by industry in Java first.

Available Options

Present a list of considered options with an optional indication of what is currently preferred Example: Initial assets from the CDS Engineering team will be produced using the Java language.

[speedyps]

It is my opinion that these are two independent consents. It may be that the client has registered twice with the ADR under different ids and these consents are for different tenants within the ADRs solution.

If the ADR knows that these consents are for the same tenant and same accounts, then the ADR should cancel the initial consent upon generating the second consent.