ConsumerDataStandardsAustralia / standards-maintenance

This repository houses the interactions, consultations and work management to support the maintenance of baselined components of the Consumer Data Right API Standards and Information Security profile.

New Register Authenticated APIs versions require multiple authorisation scopes #498

Closed CDR-API-Stream closed 2 years ago

CDR-API-Stream commented 2 years ago

Description

Version 1.15.0 of the Register APIs introduced new API versions through issues #424 and #425. As part of this work, a new authorisation scope cdr-register:read was introduced for authenticated APIs.

The new API versions are currently documented as requiring a union of cdr-register:bank:read and cdr-register:read.


This is a defect and was not intended. cdr-register:read is intended to replace cdr-register:bank:read for the new versions of multi-sector supported authenticated Register APIs.

Area Affected

- Get Data Holder Brands V2
- Get Software Statement Assertion (SSA) V3

Change Proposed

Consider specifying cdr-register:read as the only scope required to consume these authenticated Register APIs.

CDR-API-Stream commented 2 years ago

The CDR Register API authorisation scope requirements are now corrected as follows:

| API | Version | Authorisation Scope |
| --- | --- | --- |
| GetDataHolderBrands | V1 | cdr-register:bank:read |
| GetDataHolderBrands | V2 | cdr-register:read |
| Get Software Statement Assertion (SSA) | V1, V2 | cdr-register:bank:read |
| Get Software Statement Assertion (SSA) | V3 | cdr-register:read |

This change was incorporated into release v1.17.0.

Please refer to Decision 237 for further details.
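
The difference between the defective "union" requirement and the corrected table can be checked mechanically. The following is an added example, not part of the issue thread or any CDR Register code; the policy keys, function names and sample scope strings are assumptions made for illustration.

```python
# Added example. Policy keys and function names are illustrative only.
BANK, MULTI = "cdr-register:bank:read", "cdr-register:read"

# (api, version) -> scopes that must ALL be present in the access token.
# DEFECTIVE: the new versions as documented before the correction (union).
DEFECTIVE = {
    ("GetDataHolderBrands", 1): {BANK},
    ("GetDataHolderBrands", 2): {BANK, MULTI},
    ("GetSoftwareStatementAssertion", 1): {BANK},
    ("GetSoftwareStatementAssertion", 2): {BANK},
    ("GetSoftwareStatementAssertion", 3): {BANK, MULTI},
}
# CORRECTED: the table given in the thread (replacement, not union).
CORRECTED = {
    ("GetDataHolderBrands", 1): {BANK},
    ("GetDataHolderBrands", 2): {MULTI},
    ("GetSoftwareStatementAssertion", 1): {BANK},
    ("GetSoftwareStatementAssertion", 2): {BANK},
    ("GetSoftwareStatementAssertion", 3): {MULTI},
}


def parse_scope(scope_claim):
    """OAuth 2.0 scope values are a space-delimited string (RFC 6749, 3.3)."""
    return set(scope_claim.split())


def is_authorised(policy, api, version, scope_claim):
    """True only if every scope required for (api, version) was granted."""
    required = policy.get((api, version))
    if required is None:
        return False  # unknown API or version: fail closed
    return required <= parse_scope(scope_claim)


def policy_diff(before, after, scope_claim):
    """List the (api, version) pairs whose decision changes for this token."""
    return sorted(
        key for key in after
        if is_authorised(before, *key, scope_claim)
        != is_authorised(after, *key, scope_claim)
    )


if __name__ == "__main__":
    # Constructed token scopes: a client granted only the new scope.
    print(policy_diff(DEFECTIVE, CORRECTED, MULTI))
```

A client holding only cdr-register:read is refused the new versions under the union reading and accepted under the corrected table, while a client holding only cdr-register:bank:read is refused the new versions under both.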