ConsumerDataStandardsAustralia / standards-maintenance

This repository houses the interactions, consultations and work management to support the maintenance of baselined components of the Consumer Data Right API Standards and Information Security profile.

Profile scope not aligned with CX standards #404

Closed. TacheI closed this 2 years ago.

TacheI commented 3 years ago

Description

Currently the data recipient can add to an authorisation the profile scope and can request for customer information such as name, surname, email address, address. This is not aligned with the CX standards that only allows for the customer to authorise the customer:basic and customer:detail scopes. This leads to the possibility of the data recipient asking for customer data and receiving it without customer consent.

Area Affected

Security Profile, CX standards

Change Proposed

1. Allow for the data holders to not send customer data if only the profile scope is authorised, until the standards are aligned.
2. Align the OIDC profile requirements with the CX standards, either by excluding customer data from the profile scope or by updating the CX standards to allow the customer to consent to sharing customer data if the profile scope is included in the authorisation.
3. Clarify which claims in the profile scope can be requested by the data recipient. Must email and address be supported by data holders, or is it an optional implementation?
4. Clarify in the standards that the data points not included in the CDR, such as date of birth, cannot be requested by the data recipient.
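The first proposed change (data holders withholding customer data when only the `profile` scope is authorised) can be expressed as a scope-to-claims policy on the data holder side. The block below is an added illustration written for this thread; it is not code from the CDR standards or any participant, and the claim-to-scope mapping it uses (OIDC `profile`/`email`/`address` claims on one side, `customer:basic`/`customer:detail` on the other, `birthdate` as a data point outside the CDR data set) is an assumption made for the example. The `strict` flag contrasts the proposed interim behaviour with a permissive OIDC implementation, and `claims_without_cx_consent` reports which data points the permissive mode would release without a matching CX consent, which is the gap the issue describes.

```python
# Illustrative data-holder claims filter for the scope/consent gap discussed
# above. Assumed mappings, not the CDR standard's normative definitions.
from __future__ import annotations

# Standard OIDC claims a plain "profile"/"email"/"address" scope would unlock.
OIDC_SCOPE_CLAIMS = {
    "profile": {"name", "given_name", "family_name", "birthdate"},
    "email": {"email"},
    "address": {"address"},
}

# Customer data points the customer can consent to via the CX standards
# (assumed grouping for the example).
CDR_SCOPE_CLAIMS = {
    "customer:basic": {"name", "given_name", "family_name"},
    "customer:detail": {"name", "given_name", "family_name", "email", "address"},
}

# Data points the issue says are not part of the CDR data set at all.
NEVER_RELEASED = {"birthdate"}


def allowed_claims(scopes: set[str], strict: bool = True) -> set[str]:
    """Claims that may be released for the given authorised scopes.

    strict=True  : proposed interim behaviour; only customer:* scopes
                   release customer data, 'profile' alone releases nothing.
    strict=False : permissive OIDC behaviour; 'profile'/'email'/'address'
                   also release their standard claims (the reported gap).
    """
    allowed: set[str] = set()
    for scope in scopes & CDR_SCOPE_CLAIMS.keys():
        allowed |= CDR_SCOPE_CLAIMS[scope]
    if not strict:
        for scope in scopes & OIDC_SCOPE_CLAIMS.keys():
            allowed |= OIDC_SCOPE_CLAIMS[scope]
    # Out-of-dataset points are dropped regardless of mode (proposed change 4).
    return allowed - NEVER_RELEASED


def filter_userinfo(record: dict, scopes: set[str], strict: bool = True) -> dict:
    """Reduce a full customer record to the claims the scopes permit."""
    allowed = allowed_claims(scopes, strict)
    return {k: v for k, v in record.items() if k in allowed}


def claims_without_cx_consent(scopes: set[str]) -> set[str]:
    """Claims a permissive implementation would release that no customer:*
    scope (i.e. no CX-presented consent) covers. Useful as an audit check
    on authorisation requests while the standards are not aligned."""
    return allowed_claims(scopes, strict=False) - allowed_claims(scopes, strict=True)


# Constructed sample customer record (fictitious values).
SAMPLE_RECORD = {
    "name": "Jane Citizen",
    "given_name": "Jane",
    "family_name": "Citizen",
    "email": "jane@example.invalid",
    "address": {"formatted": "1 Example St, Sydney NSW 2000"},
    "birthdate": "1980-01-01",
}

if __name__ == "__main__":
    profile_only = {"openid", "profile", "email", "address"}
    print("strict, profile only     :", filter_userinfo(SAMPLE_RECORD, profile_only))
    print("permissive, profile only :", filter_userinfo(SAMPLE_RECORD, profile_only, strict=False))
    print("uncovered by CX consent  :", claims_without_cx_consent(profile_only))
    print("strict, customer:detail  :", filter_userinfo(SAMPLE_RECORD, {"openid", "customer:detail"}))
```

In strict mode an authorisation carrying only `openid profile email address` yields an empty claims set, while `customer:basic` or `customer:detail` releases exactly the data points the customer consented to; `claims_without_cx_consent` makes the difference between the two modes visible for logging or review.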

nils-work commented 3 years ago

Related support article - https://cdr-support.zendesk.com/hc/en-us/articles/900003906386-User-visibility-of-the-profile-scope

TacheI commented 3 years ago

Further, on a related topic, the CX standards have to be updated on how the Data Holders will present the authorisation to customers when the only scope requested by the ADR is OpenID. As per this support portal article, an authorisation request with only the OpenID scope is valid. https://cdr-support.zendesk.com/hc/en-us/articles/900002116163?input_string=allowed+scope+combinations+for+the+request+object%27s+scope+attribute+passed+in+the+authorization+request

TacheI commented 3 years ago

Related support article - https://cdr-support.zendesk.com/hc/en-us/articles/900003906386-User-visibility-of-the-profile-scope

The response provided to ticket 913, Answer 2 seems to contradict this article. Based on these 2 articles it is not clear what DHs should do while the scopes and CX standards are not aligned. https://github.com/ConsumerDataStandardsAustralia/standards/wiki/ACCC-&-DSB-%7C-CDR-Implementation-Call-Agenda-&-Meeting-Notes-(15th-of-July-2021)

commbankoss commented 3 years ago

CBA is of the view that if this change is implemented, participants should be provided with a minimum of six months between the finalisation of updated CX Standards and compliance dates to ensure adequate time for participants to implement the change.

CDR-CX-Stream commented 2 years ago

This issue is being consulted on in DP216: https://github.com/ConsumerDataStandardsAustralia/standards/issues/216

CDR-API-Stream commented 2 years ago

This change was incorporated into release v1.15.0. Refer to Decision 212 for further details.