search

ConsumerDataStandardsAustralia / standards

Work space for data standards development in Australia under the Consumer Data Right regime
Other
321 stars 56 forks source link

Decision Proposal 298 - Urgent Change Request #576 #298

Closed CDR-API-Stream closed 1 year ago

CDR-API-Stream commented 1 year ago

Decision Record

The Data Standards Chair approved this decision on 14th April 2023. The decision record is attached: Decision 298 - Urgent CR 576-FINAL.pdf

This decision proposal is a placeholder for the decision in relation to the urgent change request #576 that was consulted on in Maintenance Iteration 14.

The details of the change request can be found here:

cuctran-greatsouthernbank commented 1 year ago

Hi @CDR-API-Stream,

Our interpretation of this change is that our current solution remains complaint and no change is required from Great Southern Bank post FAPI phase 3.

Our current solution as part of FAPI phase 3 as below:

• We support both ACF and Hybrid flow. However, ADRs must choose either method in their client registration, not both.

• If the ADR uses Hybrid Flow, we will encrypt the id tokens in our API response.

• If the ADR uses ACF, we will ignore the id token encryption fields as per the original requirement from the ACCC for FAPI phase 3.

id_token_encrypted_response_alg id_token_encrypted_response_enc

REQUIRED Required if OIDC Hybrid Flow (response_type “code id_token”) is registered. Must be ignored for Authorization Code Flow.

Much appreciated if we can have some urgent attention and response from your end regarding this query.

Regards,

Great Southern Bank.

CDR-API-Stream commented 1 year ago

Hi @cuctrangsb, the intention during Phase 3 is that Data Holders permit ADRs registering both flows so they can test and fallback to Hybrid Flow without updating their client registration. If they have to update it to switch flows this could have unforeseen impacts with their live software products and establishing consumer consents.

During this Phase 3 transition period ADRs are expected to test the migration to ACF and where all tests pass move to update their client registration to ACF only ahead of the Phase 4 migration date of 10th July. After this date Data Holders may withdraw support for Hybrid Flow so the onus is on ADRs to facilitate the migration of their software products during Phase 3 transition.

When it comes to the ID token encryption this is at the discretion of the Data Holder. ID token encryption must be used where the client is initiating an authorisation request using Hybrid Flow. For ACF the Data Holder can continue to require ID token encryption because the client registration cannot represent a conditional separation of ID token encryption along with the authorisation flow. However some Data Holders have indicated they can support ACF without encrypting ID tokens and this is permissible.

Please note that the "Must be ignored for Authorization Code Flow." requirement was removed in v1.23.0 of the Data Standards.

cuctran-greatsouthernbank commented 1 year ago

Thank you @CDR-API-Stream

We will review this clarification and if we need any further information, we will follow up later.

Regards,

Great Southern Bank