ConsumerDataStandardsAustralia / standards-maintenance

This repository houses the interactions, consultations and work management to support the maintenance of baselined components of the Consumer Data Right API Standards and Information Security profile.
Concurrent consent support and cdr_arrangement_id #632

Closed nils-work closed 2 months ago

nils-work commented 4 months ago

Description

The following lines are from the Security Profile > Identifiers and Subject Types section:

A Data Holder MUST only return the cdr_arrangement_id in the Token and Token Introspection End Point responses if they also support concurrent consent. This ensures that Data Recipient Software Products have a reliable way to determine whether a given Data Holder supports concurrent consent.

For any existing consents, Data Holders MUST retrospectively generate a cdr_arrangement_id such that Data Recipient Software Products can obtain a valid cdr_arrangement_id for all active consents they hold.

Area Affected

Security Profile > Identifiers and Subject Types section, under CDR Arrangement ID and Obtaining a CDR Arrangement ID.

Change Proposed

To remove these obsolete lines, as:

  1. the obligation date for supporting concurrent consent has passed (1 November 2020), meaning it must be supported by all Data Holders,
  2. the cdr_arrangement_id must always be returned in the Token and Token Introspection responses,
  3. it is not anticipated that Data Holders will have any existing consents, or create new consents, without a cdr_arrangement_id,
  4. these statements may cause confusion by remaining in the Standards.

DSB Proposed Solution

The proposed solution can be found through the staging link provided in this comment.

nils-work commented 3 months ago

This issue was discussed on the 6 March Maintenance Iteration call and no objections were raised in regard to the Change Proposed.

Please add a comment if there are any concerns.

nils-work commented 3 months ago

This change has been staged for review here - https://github.com/ConsumerDataStandardsAustralia/standards-staging/commit/3145e7107499c5356ce7463e646f83dbb86a973e#diff-f3adc2f53e36ac8a4dcd5b3f07910489680bfff9db6fbde092b5cd93e53ad5d0

nils-work commented 3 months ago

This issue was raised in the agenda for the 20th March Maintenance Iteration call and there was no opposition to the change proposed, which has been staged.

nils-work commented 2 months ago

Standards version 1.30.0 was published on 24/04/2024 incorporating this change from MI18.