Are Infosec end points in scope for Get Metrics API? #299

Closed
xchen-ibm opened this issue Aug 13, 2020 · 6 comments
Comments

@xchen-ibm

Infosec endpoints are currently listed as part of the 'High Priority' performance tier for a customer present scenario:

  Tier           | Response Time | Applies To
  High Priority  | 1000ms        | Customer Present calls to the following endpoints: InfoSec endpoints...

Have two questions in the context of Get Metrics API:

  1. Are calls to Infosec endpoints expected to be part of the metrics data (i.e. availability, performance, invocation, average response, etc.)?
  2. CDS APIs have the 'x-fapi-customer-ip-address' header which can be used to determine Customer Present scenarios, but this may not be available for Infosec endpoint calls. Should all calls to Infosec endpoints be considered 'High Priority' regardless of whether it is customer present?
@nils-work
Member

Hi @xchen-ibm

I don't think I've seen any detail about your question 1, but something similar to your question 2 was asked in issue 276 and also relates to some discussion in issue 274.

@nils-work
Member

Actually, related to questions 1 and 2, there was an unanswered comment on issue 147.

@xchen-ibm xchen-ibm changed the title Are Inforsec end points in scope for Get Metrics API? Are Infosec end points in scope for Get Metrics API? Sep 1, 2020
@jas8BEN

jas8BEN commented Oct 11, 2020

@CDR-API-Stream : Clarification is needed on the scope of endpoints listed in the availability requirement depicted in the standards and categorisation of the Grant consent flow.

As per the availability requirement specified in the standards here,

The availability requirement applies to both authenticated and unauthenticated end points.

Consent/Authorisation endpoint (Listed here) -> Does not require an access token for issuing requests to Authorisation endpoint BUT requires customer inputs to yield the access token to be presented for calls like getAccounts. This conflicts with the definition for Customer-Present here which explicitly mentions Authenticated.

What is the classification for Consent/Authorisation endpoint and is this flow still a part of metrics requirement?

@CDR-API-Stream
Collaborator

Hi @xchen-ibm

  1. Are calls to Infosec endpoints expected to be part of the metrics data (i.e. availability, performance, invocation, average response, etc.)?

Yes. This was further clarified in v1.5.0 of the standards.

  2. CDS APIs have the 'x-fapi-customer-ip-address' header which can be used to determine Customer Present scenarios, but this may not be available for Infosec endpoint calls. Should all calls to Infosec endpoints be considered 'High Priority' regardless of whether it is customer present?

Yes, all InfoSec endpoints should be considered high priority. It is understood that "x-fapi-customer-ip-address" only applies to protected resource endpoints.

@CDR-API-Stream
Collaborator

Hi @jas8BEN ,

The references you link to are the archived 1.3.1 version of the data standards not the most up to date version:
https://consumerdatastandardsaustralia.github.io/standards/#non-functional-requirements.

Consent/Authorisation endpoint (Listed here) -> Does not require an access token for issuing requests to Authorisation endpoint BUT requires customer inputs to yield the access token to be presented for calls like getAccounts. This conflicts with the definition for Customer-Present here which explicitly mentions Authenticated.

The statement for Customer Present calls is meant to apply to (authenticated) protected resources where the customer's presence is represented by the x-fapi-customer-ip-address header.

What is the classification for Consent/Authorisation endpoint and is this flow still a part of metrics requirement?

This was clarified in v1.5.0 of the standards. InfoSec end points are to be treated as High Priority.
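
The tiering rule settled in the two answers above (InfoSec endpoints are always High Priority; for protected resource endpoints the x-fapi-customer-ip-address header decides Customer Present) can be written down as a small classifier and metrics roll-up. The following is an added example, not code from the CDS standards or from anyone in this thread. Only the High Priority tier and its 1000ms threshold come from the thread; the other tier names and thresholds, the InfoSec and resource paths, and the sample traffic are assumptions constructed for illustration.

```python
# Added example (not the CDS standards' own code): classify a data holder's
# inbound calls into performance tiers and roll them up into per-tier metrics.
# InfoSec endpoints are always High Priority, regardless of any
# x-fapi-customer-ip-address header; that header only matters on protected
# resource endpoints. Only "High Priority" / 1000ms comes from the thread;
# the other tier names, thresholds and all paths below are assumptions.
from dataclasses import dataclass, field
from typing import Dict, Optional

TIER_THRESHOLD_MS = {
    "High Priority": 1000,    # from the thread
    "Low Priority": 1500,     # assumed
    "Unauthenticated": 1500,  # assumed
}

# Assumed paths of the data holder's InfoSec (OAuth/OIDC) endpoints.
INFOSEC_PATHS = {
    "/authorise", "/token", "/introspect", "/revoke", "/userinfo",
    "/jwks", "/.well-known/openid-configuration", "/par",
}


@dataclass
class Request:
    path: str
    headers: Dict[str, str] = field(default_factory=dict)
    has_access_token: bool = False  # True for a protected-resource call


def get_header(req: Request, name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    wanted = name.lower()
    for key, value in req.headers.items():
        if key.lower() == wanted:
            return value
    return None


def classify_tier(req: Request) -> str:
    """Assign the performance tier a call is measured against."""
    if req.path in INFOSEC_PATHS:
        # High Priority even if a customer-ip header happens to be present:
        # the header is only meaningful on protected resource endpoints.
        return "High Priority"
    if not req.has_access_token:
        return "Unauthenticated"
    if get_header(req, "x-fapi-customer-ip-address"):
        return "High Priority"  # Customer Present call to a protected resource
    return "Low Priority"


@dataclass
class TierMetrics:
    invocations: int = 0
    total_ms: int = 0
    within_threshold: int = 0

    def average_ms(self) -> float:
        return self.total_ms / self.invocations if self.invocations else 0.0

    def performance(self) -> float:
        """Share of calls that met the tier's response-time threshold."""
        return self.within_threshold / self.invocations if self.invocations else 0.0


class MetricsCollector:
    def __init__(self) -> None:
        self.by_tier: Dict[str, TierMetrics] = {}

    def record(self, req: Request, response_ms: int) -> str:
        tier = classify_tier(req)
        m = self.by_tier.setdefault(tier, TierMetrics())
        m.invocations += 1
        m.total_ms += response_ms
        if response_ms <= TIER_THRESHOLD_MS[tier]:
            m.within_threshold += 1
        return tier


# Constructed sample traffic: (request, measured response time in ms).
SAMPLE_CALLS = [
    (Request("/token"), 250),
    (Request("/authorise", {"x-fapi-customer-ip-address": "203.0.113.7"}), 1400),
    (Request("/cds-au/v1/banking/accounts",
             {"X-FAPI-Customer-IP-Address": "203.0.113.7"}, True), 600),
    (Request("/cds-au/v1/banking/accounts", has_access_token=True), 1200),
    (Request("/cds-au/v1/banking/products"), 300),
]


def run_sample() -> Dict[str, TierMetrics]:
    collector = MetricsCollector()
    for req, ms in SAMPLE_CALLS:
        collector.record(req, ms)
    return collector.by_tier


if __name__ == "__main__":
    for tier, m in run_sample().items():
        print(f"{tier}: invocations={m.invocations} "
              f"avg={m.average_ms():.0f}ms perf={m.performance():.2f}")
```

Note that the /authorise call in the sample carries a customer-ip header and still lands in High Priority because of its path, not the header, while the same header on the protected accounts endpoint is what makes that call Customer Present; the second accounts call, with a token but no header, falls to the assumed Low Priority tier.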

@CDR-API-Stream
Collaborator

This issue has been answered. Accordingly, the issue is closed.
