Profile scope not aligned with CX standards #404
Related support article -
Further on a related topic, the CX standards have to be updated on how the Data Holders will present the authorisation to customers when the only scope requested by the ADR is OpenID. As per this support portal article, an authorisation request with only the OpenID scope is valid. https://cdr-support.zendesk.com/hc/en-us/articles/900002116163?input_string=allowed+scope+combinations+for+the+request+object%27s+scope+attribute+passed+in+the+authorization+request
The response provided to ticket 913, Answer 2 seems to contradict this article. Based on these 2 articles it is not clear what DHs should do while the scopes and CX standards are not aligned. https://github.com/ConsumerDataStandardsAustralia/standards/wiki/ACCC-&-DSB-%7C-CDR-Implementation-Call-Agenda-&-Meeting-Notes-(15th-of-July-2021)
CBA is of the view that if this change is implemented, participants should be provided with a minimum of six months between the finalisation of updated CX Standards and compliance dates to ensure adequate time for participants to implement the change.
This issue is being consulted on in DP216: ConsumerDataStandardsAustralia/standards#216
This change was incorporated into release v1.15.0. Refer to Decision 212 for further details.
Description
Currently the data recipient can add the profile scope to an authorisation and request customer information such as name, surname, email address and address. This is not aligned with the CX standards, which only allow the customer to authorise the customer:basic and customer:detail scopes. This leads to the possibility of the data recipient asking for customer data and receiving it without customer consent.
Area Affected
Security Profile, CX standards
Change Proposed
Allow the data holders to not send customer data if only the profile scope is authorised, until the standards are aligned.
Align the OIDC profile requirements with the CX standards, either by excluding customer data from the profile scope or by updating the CX standards to allow the customer to consent to sharing customer data if the profile scope is included in the authorisation.
Clarify which claims in the profile scope can be requested by the data recipient. Must email and address be supported by data holders, or is their implementation optional?
Clarify in the standards that data points not included in the CDR, such as date of birth, cannot be requested by the data recipient.
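As an added illustration of the first proposed change (this is example code, not the CDS's or any participant's implementation), a Data Holder-side filter that releases profile-scope claims only when the matching CDR customer consent is present; the claim groupings and scope names are assumed for the example, not taken from the standards.

```python
"""Data Holder claim filter: withhold customer data released via the OIDC profile
scope unless the customer also authorised a CDR customer scope."""

# Constructed groupings for this example (not the CDS's own claim tables).
# Claims the profile scope would expose that are CDR customer data.
CUSTOMER_DATA_CLAIMS = {"name", "given_name", "family_name", "email", "address"}
# Claims a recipient might request that are not part of the CDR data set at all.
OUTSIDE_CDR_CLAIMS = {"birthdate", "gender"}
# Scopes under which the CX standards let a customer consent to customer data.
CDR_CUSTOMER_SCOPES = {"customer:basic", "customer:detail"}


def filter_claims(authorised_scopes, requested_claims):
    """Return (released, withheld); withheld maps claim -> reason.

    A requested claim is released only if the profile scope was authorised,
    the claim is inside the CDR data set, and, for customer data, the customer
    also authorised customer:basic or customer:detail.
    """
    scopes = set(authorised_scopes)
    released, withheld = [], {}
    for claim in requested_claims:
        if claim in OUTSIDE_CDR_CLAIMS:
            withheld[claim] = "claim is not a CDR data point"
        elif "profile" not in scopes:
            withheld[claim] = "profile scope not authorised"
        elif claim in CUSTOMER_DATA_CLAIMS and not (scopes & CDR_CUSTOMER_SCOPES):
            withheld[claim] = "customer data requires customer:basic or customer:detail"
        else:
            released.append(claim)
    return released, withheld


if __name__ == "__main__":
    # profile scope alone: customer data is withheld, not silently released
    print(filter_claims({"openid", "profile"}, ["name", "email", "birthdate"]))
    # profile plus a CDR customer consent: customer data may be released
    print(filter_claims({"openid", "profile", "customer:basic"}, ["name", "email"]))
```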