ConsumerDataStandardsAustralia / standards-maintenance

This repository houses the interactions, consultations and work management to support the maintenance of baselined components of the Consumer Data Right API Standards and Information Security profile.

Correct Data Language for Contact Details (profile scope and individual claims) #504

Closed CDR-API-Stream closed 1 year ago

CDR-API-Stream commented 2 years ago

Description

A documentation error was introduced in v1.15.0 of the standards when dealing with the OpenID Connect profile scope and OIDC standard claims. This has caused some confusion for participants implementing individual named claims and the profile scope. This change request seeks to address the documentation error to remove confusion with how ADRs request and DHs authorise individual contact detail claims.

These claims, if supported, must be requested individually and were not intended to be requested using the profile scope as a catch-all substitute. The description for the Contact Details data language incorrectly implies the profile scope can be used as a mechanism to request the standard OIDC contact detail claims as well as the name claims.

No future dated obligation would be provided because it clarifies the optional nature of the contact details claims. This change corrects the change raised in DP216 which has a July 1st 2022 obligation date for the introduction of Profile scope data language.

Area Affected

Data Language Standards: Profile scope.

Change Proposed

In table form, this would be represented as follows:

| Data cluster language | Permission language | Authorisation Scopes | Required |
|---|---|---|---|
| Name | Full name and title(s) | OIDC Profile scope and/or one or more of these standard [OIDC] claims: `name`, `given_name`, `family_name`, `updated_at`. See 5.4. Requesting Claims using Scope Values on the OIDC website for more information | Required |
| Contact Details | Phone number; Email address; Mail address | One or more of these standard [OIDC] claims: `email`, `email_verified`, `phone_number`, `phone_number_verified`, `address`. See 5.4. Requesting Claims using Scope Values on the OIDC website for more information | Optional |
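As an added illustration (not part of the standards or of this change request), the following resolver encodes the corrected table above: the `profile` scope stands in for the Name cluster claims, while Contact Details claims count as requested only when named individually in the OIDC `claims` request parameter. The claim sets and the sample request are taken from, or constructed around, the table; function names are this example's own.

```python
"""Resolve which OIDC claims a request actually asks for, per the corrected table."""
import json
from typing import Dict, Optional, Set

# Name cluster: covered by the profile scope, or by naming these claims.
NAME_CLAIMS: Set[str] = {"name", "given_name", "family_name", "updated_at"}
# Contact Details cluster: never implied by profile; must be named individually.
CONTACT_CLAIMS: Set[str] = {"email", "email_verified", "phone_number",
                            "phone_number_verified", "address"}


def requested_claims(scope: str, claims_param: Optional[str]) -> Dict[str, Set[str]]:
    """Return the Name and Contact Details claims a request asks for.

    `scope` is the space-delimited OAuth `scope` parameter; `claims_param` is the
    JSON text of the OIDC `claims` request parameter, or None when absent.
    """
    scopes = set(scope.split())
    named: Set[str] = set()
    if claims_param:
        parsed = json.loads(claims_param)
        # OIDC allows claims to be requested for the ID Token and/or UserInfo.
        for location in ("id_token", "userinfo"):
            named |= set((parsed.get(location) or {}).keys())
    # profile requests the whole Name cluster; otherwise only the named ones.
    name = set(NAME_CLAIMS) if "profile" in scopes else named & NAME_CLAIMS
    # Contact Details are only ever requested by name, regardless of profile.
    contact = named & CONTACT_CLAIMS
    return {"name": name, "contact": contact,
            "unknown": named - NAME_CLAIMS - CONTACT_CLAIMS}


def contact_details_requested(scope: str, claims_param: Optional[str]) -> bool:
    """True only if at least one Contact Details claim was named individually."""
    return bool(requested_claims(scope, claims_param)["contact"])


if __name__ == "__main__":
    # Constructed sample: profile scope plus one individually named contact claim.
    sample_claims = json.dumps({"id_token": {"email": {"essential": True}},
                                "userinfo": {"phone_number": None}})
    print(requested_claims("openid profile", sample_claims))
    # The misreading this issue corrects: profile alone requests no contact details.
    print(contact_details_requested("openid profile", None))
```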
CDR-API-Stream commented 2 years ago

This documentation fix will be targeted for the v1.17.0 release. A staged change will be published this week. If there is any feedback in regard to this item, we'd welcome it this week.

CDR-API-Stream commented 2 years ago

This change has been staged for review: https://github.com/ConsumerDataStandardsAustralia/standards-staging/compare/release/1.17.0...maintenance/504

perlboy commented 2 years ago

Overall looks good, a few minor things.

The code-only flow isn't implicitly OpenID (it's OAuth2+PKCE), so perhaps at least the title should drop references to OpenID Connect?

> OIDC Profile scope and/or one or more of these standard claims

should probably be

> OIDC Profile scope or one or more of these standard claims

Because profile requests all of them, "and/or" would lead to the question of whether profile scope + first_name claim should result in all claims or just first_name being provided.

The wording from OIDC is:

> This scope value requests access to the End-User's default profile Claims, which are:

CDR-API-Stream commented 2 years ago

Thanks @perlboy, those suggestions sound reasonable. They have been reflected in the staged change: https://github.com/ConsumerDataStandardsAustralia/standards-staging/compare/release/1.17.0...maintenance/504