Decision Proposal 108 - Banking Maintenance Iteration 3

[CDR-API-Stream]

This decision captures the outcome of Banking Maintenance Iteration 3. Scope under consideration and consultation for this maintenance iteration is detailed here.

The final decision document has been reviewed and approved by the Data Standards Chair. It is attached below: Decision 108 - Banking Maintenance Iteration 3.pdf.

This change will be included in the next Consumer Data Standards release v1.4.0.

---

Meeting series

Note: To receive calendar invites for this series please email your request via our mailbox. To receive notifications of this meeting series and more subscribe to the DSB mailing list for regular updates.

Previous Meeting Minutes

• Please refer to the kickoff meeting agenda and minutes help on 6th April 2020.

Schedule

Phase 1: Backlog Grooming - 6th April 2020 commencement. 2 weeks duration Phase 2: Consultation - 20th April 2020 commencement. 4 weeks duration Phase 3: Approval - 18th May 2020 commencement. 1 week duration Phase 4: Documentation - 25th May 2020 commencement. 1 week duration

Meeting 1, Maintenance Iteration 3: Kickoff and backlog review Time: 2pm AEST, 9th April Duration: 1 hour

Meeting 2, Maintenance Iteration 3: Discuss proposals

Time: 2pm AEST, 14th May Duration: 1 hour

Meeting 3, Maintenance Iteration 3: Retrospective & Maintenance Iteration 4: Kickoff and backlog review

Time: 2pm AEST, 4th June Duration: 1 hour

[CDR-API-Stream]

Meeting notes have been added from the Kickoff & Backlog Grooming meeting.

• The items under consideration in the agenda were supported
• Participants requested prioritisation of Error Handling
• Participants reiterated support for at-cost fees CR #168: New Product Fee Type - CALCULATED (to address issue #161)
• Request was made to consider issues CR #177: Negative Available Balance in Get Balances response and CR #176: Update Query Parameter Transaction

Feedback on change request prioritisation remains open until COB 19/04/2020.

[Michael-Backhouse]

I've seen a few comments around the Swagger/Open API Spec as not be a source of truth for the data standards and the site should be consulted.
Most modern development is contract first, allowing error-free generation of source, test cases and even initial validation of input. But this approach relies on the OpenAPI spec being an accurate representation of the standard.
Can we get a clarification if this is the case - that the swagger is a "source-of-truth", and, if it isn't can this discussion take place as part of this maintenance release. The proposal is each maintenance release, produces a "source-of-truth" OpenAPI artefact, as well as the release documentation.

[deboraelkin2]

I've seen a few comments around the Swagger/Open API Spec as not be a source of truth for the data standards and the site should be consulted. Most modern development is contract first, allowing error-free generation of source, test cases and even initial validation of input. But this approach relies on the OpenAPI spec being an accurate representation of the standard. Can we get a clarification if this is the case - that the swagger is a "source-of-truth", and, if it isn't can this discussion take place as part of this maintenance release. The proposal is each maintenance release, produces a "source-of-truth" OpenAPI artefact, as well as the release documentation.

I agree that having up-to-date OpenAPI specs should be prioritised. There are plenty of tools that automatically generate interactive documentation and test sandboxes from Open API specifications. In order to make use of such tools, we now have to manually correct the OpenAPI specification (eg: to include security schemas, add missing parameters, etc.)

It would also help, I think, to have, not a monolithic Open API specification, but broken down in smaller areas (eg: products, accounts, balances, etc), this would improve the rendering for the interactive documentation.

I personally created some tools to break down the specification into smaller files, but it'd be much simpler to have them from the source, so to speak.

[CDR-API-Stream]

Thanks @Michael-Backhouse the definition of source of truth varies depending on intention. For the Data Standards, the underlying source of truth are the decision records themselves. The standards documentation and Swagger specification are developed to those decisions. Because the CDR is not purely an IT project, but a government reform project, the Swagger cannot be the only consideration.

Equally the reason that the Swagger specification is not treated as the source of truth is because not all constraints and requirements can be expressed purely in the Swagger/OpenAPI language. This is why the standards documentation should be considered in totality as it allows for further detail where the Swagger language does not allow.

[CDR-API-Stream]

Hi @deboraelkin2 you raise some good points. The DSB is currently assessing OAS3 and ReDoc as well as refactoring the Swagger specification to be more modular. The view is to better provide a more manageable specification over time and address some of the points you raise. Also note that OAS3 has improvements to the API specification language features that are not available with Swagger 2.

Previously the DSB had consulted on the use of OAS 3 but at the time the feedback we received was that many API Gateways did not then have support for OAS 3. If that has changed and their is broader support it would make the move to OAS 3 more feasible.

[perlboy]

@deboraelkin2 For what it's worth the CDS Codegen has a Swagger generator in it that is based on the API Model. It's also template driven (Mustache now) so changes can be incorporated there. In addition, the CDS API Model was designed to support all of the constraints that @CDR-API-Stream has mentioned.

Suffice to say, when it existed, the Engineering team proposed the adoption of Codegen generated Swaggers allowing for a single source of truth driven off the API Model library. This was proposed multiple times within the DSB but was rejected primarily because the spec maintainers didn't want to write Java POJO's or produce backlogs for Engineering to perform the translation. Now... here we are...

@CDR-API-Stream Deep Thought already generates the entire CDS specification in OAS3 and Biza already publishes a Postman collection which incorporates all the headers and auth. FWIW OpenAPI 3 has support for Hybrid Flow but Swagger UI doesn't and even if it did the CDR modifications mean they will never work.

Nonetheless, you're welcome.

[perlboy]

Oh, final side note, splitting up of OpenAPI specs "seems" like a good idea but can get very very messy very quickly and many tools will barf when they encounter it. Additionally, the tools that do support it have quite a few issues resulting in it being very easy to produce broken specs without realising it.

Combine this with versioning requirements, it became clear that, outside of defining a DSL which Engineering would have preferred had it not been for time constraints, a POJO approach provided the ability to do compile checked splitting of definition with the OpenAPI spec being the product. We also proposed that the Slate documentation eventually be generated from this same source of truth but this was also rejected....

[deboraelkin2]

Hi @deboraelkin2 you raise some good points. The DSB is currently assessing OAS3 and ReDoc as well as refactoring the Swagger specification to be more modular. The view is to better provide a more manageable specification over time and address some of the points you raise. Also note that OAS3 has improvements to the API specification language features that are not available with Swagger 2.

Previously the DSB had consulted on the use of OAS 3 but at the time the feedback we received was that many API Gateways did not then have support for OAS 3. If that has changed and their is broader support it would make the move to OAS 3 more feasible.

Thanks for taking this request into consideration. I can't speak for other tools, but for what it's worth, the API Management platform from the company I represent (Google Cloud Apigee) certainly does support OAS 3.0.

[CDR-API-Stream]

Based on consideration of community feedback and review of issues and change requests, the focus of this iteration will address a number of themes:

• Enhanced Error Handling

  • Recently consulted on under Decision Proposal 068 - Enhanced Error Handling
  • We have received good feedback on this issue with clear examples and feedback. Consultation on this will be split out into component problem spaces as required
  • It will cover data standards and CX
  • Likely to span Maintenance Iteration 3 (this) and Iteration 4 (next)

• CDR Consent Model

  • Consultation will be conducted on the technical roadmap for consent and consideration to international standards alignment to provide a clearer path forward across releases and sectors
  • Likely to span Maintenance Iteration 3 (this) and Iteration 4 (next)
  • Will assist in identifying CX research required
  • CX will continue work on JAH and two-to-sign consent election as another input into this
  • Consultation on this will be split out into component problem spaces as required

• Carry over CRs from Maintenance Iteration 3, prioritised community requests and documentation fixes

  • #64 - Support URI Encoded Images in Payloads
  • #169 - Align how audience is set for 'Data Recipients calling Data Holders’
  • #79 - New constraint type for product detailed and account detailed endpoints
  • #168 - New Product Fee Type - CALCULATED (to address issue #161)
  • #10 - Tiered fees in Product Reference data
  • #172 - Validation of client_id parameter in client authentication requests
  • #175 - Premature Completion of Consent (Hybrid) Flow
  • #101 - Changes to align to FAPI and OIDF Specifications Round 2
  • #99 - Update id_token example to correctly show nested jwt
  • #78 - HTTP Header to be returned in the case where the request is not entirely well formed and a large page size is requested
  • #74 - V1.1.0 Reintroduction of request_uri and/or Pushed Request Object

• Minor bug fixes related to v1.3.0 release of the standards

[perlboy]

And just like that, Codegen is murdered: https://github.com/ConsumerDataStandardsAustralia/java-artefacts/issues/25#issuecomment-617575575

It seems the DSB is determined to make life as difficult as possible for everyone.

[cdradr]

What is or who is codegen? A member of open banking community who asked difficult questions?

[perlboy]

@cdradr https://github.com/ConsumerDataStandardsAustralia/standards/issues/108#issuecomment-615051753 CDS Codegen as referenced in my original comment.

[CDR-API-Stream]

Enhanced Error Handling Enhanced Error Handling has been broken down into component problem spaces for further consultation:

• Decision Proposal 119 - Enhanced Error Handling Payload Conventions
• Decision Proposal 120 - CDR Error Codes for Enhanced Error Handling
• Decision Proposal 121 - Application of existing HTTP Error Response Codes to Enhanced Error Handling
• Decision Proposal 122 - Extension of Supported HTTP Response Codes for Enhanced Error Handling

[CDR-API-Stream]

The final decision document has been reviewed and approved by the Data Standards Chair and it is included in the main issue above.