-
Notifications
You must be signed in to change notification settings - Fork 9
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Addition of a DH-side endpoint for querying the status of a consent establishment flow #628
Comments
Implementing this presupposes that all PAR requests will involve an interactive consent flow of a single individual. While that's broadly (but not entirely) true for now, future modes as a result of ConsumerDataStandardsAustralia/standards#327 will invalidate this. I think there's probably more longevity in establishing a way of tracking the lifecycle of an arrangement (of any form) from the beginning (i.e. pre authorisation) rather than the status of a specific PAR. |
Thanks for the feedback @perlboy ! When putting together this request we tried to balance the size of the change vs the benefit. Tracking arrangements end-to-end I agree would be optimal longer term (potentially as a mandatory output of DP327?). What I was hoping for here was a, comparatively, "quick win" for what we feel is one of the major issues blocking CDR uptake. Or, at least something that will stem discussion on ways to address this problem in the short-to-medium term. |
@markskript Thanks for raising this; broadly speaking, we are in agreement with you that dropoffs are a significant concern, and some form of tracking & ability to determine status would assist all stakeholders regarding consumer support. Your suggestion makes a lot of sense, and again, we'd support this, even though we acknowledge & agree with the issue raised by @perlboy . This issue has rattled around internally without any clear winning solution. Liquid stronger than coffee was required. We will consider this some more and give a more detailed piece of feedback soon |
Are there any statistics on how many of these dropouts are happening per DH? I'd like to understand how widespread this issue is, given there may be a decent amount of development work on our side to support. If I missed a link or mention to said statistics - my apologies! |
The ACCC presented some statistics on one of the implementation calls late last year. These were based on situations where the problem was raised as a ticket in the CDR support portal. I know that one of the other ADRs reported much higher percentages, that due to the nature of their product were never reported as the customer just "gave up and went away". For us, the percentages are high. This is predominantly because we work with business/corporate customers and are running afoul of the pre-consent requirements of some DHs (i.e. paper forms that need to be completed before the consent is established). |
Hi @markskript, I definitely agree having a mechanism to query the status of an authorisation on the DH side is valuable. I don't agree with using the Leveraging or extending PAR would be off spec and create custom code on an oAuth endpoint. If you're open to it, can I suggest we use this thread to explore alternative options. I also support @DougFromPayPal's comments that getting some insight into the frequency of this issue would be helpful. What we need is a way to look up the status of an authorisation after the user has been redirected to the Data Holder (in other words, after a call is made to the Authorization Endpoint). This could (should) also provide a way to inspect the properties of the authorisation after its establishment. This would then provide a mechanism to check on the status of what the consumer has authorised and allow the RP to poll the endpoint periodically to identify any changes (either status or grant details such as the list of accounts associated with the grant) Outcomes:
Please feel free to suggest changes or additional outcomes. Solution Properties:
Binding Identifier Inspection Endpoint This sort of capability has been envisaged for a while and I see a few options: (b) We could define a "consent" API where the RP presents a (c) A lodged intent pattern is used to stage the authorisation and in return receives a Personally I prefer (a) as we can define our requirements to feed into an upstream spec that would have vendor supportability. Discovery State Machine Other questions to consider:
|
Thanks @markverstege - that is fantastic feedback. Will review and post if we have any feedback on your proposal. We were just trying to find a "quick win" knowing the challenges with resourcing at the DH's. |
AGL requests that before we consider introducing a new end point, that we should confirm: a) The higher-than-acceptable levels of drop offs during consent flow are occurring at DH end inappropriately, and not as a direct result of Rules and Standards, etc. We have recently performed an identical review having received this feedback internally and the most common reasons for drop off were:
With these observations in mind, I am skeptical that the introduction of a new end point would lead directly to the reduction of drop offs in the consent flow. |
Apart from us having not set any benchmarks to refer to, we are probably dealing with a number of reasons from different domains that need to be dealt with separately.
Are we mixing technical request issues with UI user behaviour and consent management? Our technical authorisation flow is based on the FAPI family of standards. We should not be hacking this technical flow that is implemented by many implementers and vendors in the ecosystem, formally proofed, conformance tested and deployed globally.
There is definitely a value in exposing the status of the consent (#1) but it won’t give you the complete solution for drop offs. I suggest trying to understand the issues your customers are experiencing one by one before trying to implement any solution even if it’s just reporting. Some of the examples of different solutions to different problems:
I appreciate why the ticket was raised by @markskript. We (the ecosystem) definitely need to try to improve customer's experience reduce drop offs where it makes sense. We can review consumer issues, categorise them into technical, CX, rules or operational. Once we list the technical issues here, we can prioritise them, design and implement solutions for them. |
Hi @dpostnikov thanks for your thoughts - I agree - if we go down a path of getting authorisation status, the the GM API makes sense although to my knowledge it still has limited vendor adoption and is working towards a final implementer's draft. I've also previously proposed that we leverage Shared Signals and Events in DP 182 for security events as well as adding a business event layer for pushing secure notifications to ADRs. So it sounds like we're aligned in our thinking. I think that makes a lot of sense not just in this scenario but more broadly for a variety of events that may occur with the consumer's consent or at the resource layer including data correction notifications. In the Maintenance Iteration call today we also discussed more informative error responses delivered using the oAuth error structure when authorisations fail. A few takeaways from the discussion:
|
As discussed in the meeting today, Basiq is supportive of Option 3 but believe the scope should be extended outside of the Consent Flow from a consumer perspective and should also include the data retrieval for a consumer. The reason is, from a consumer perspective, the interaction is not complete until the data is retrieved. We also made clear, from our perspective, the outcome we are all trying to achieve is a lower friction interaction for a consumer and an improved conversion rate. In Basiq's opinion, the best way to do this is to reduce the interaction repeated for every DH arrangement e.g. data being shared. |
Attached is a report detailing the findings from DSBs work with a number of ADRs to understand the factors contributing to Authentication and Authorisation drop-offs. This report has been presented to DSAC and identifies a number of opportunities available to ecosystem participants to change some of the behaviours. The DSB would like to thank the ADRs for their open and collaborative participation in this forum. |
@CDR-API-Stream - what is the expected ETA on a response from DSAC on this so we can decide how to move forward? |
Description
There is a general consensus in the Accredited Data Recipient (ADR) community that there are higher-than-acceptable levels of dropoffs during the consent flow after the ADR has handed off the customer to the data holder. Right now there is no way of determining the status of a consent flow after the handoff has occurred, unless the data holder completes either a 'successful' or 'error' hand back to the ADR platform, which is not always feasible.
Area Affected
Change Proposed
We propose the following options to help address the issue, with Option 3 being our recommended approach.
Option 1: Manual case raising in the CDR Portal
This is the current solution, and we feel it is inadequate, especially as consent volumes grow in the eco-system. Ignoring the manual effort involved by the ADR, data holder and ACCC in managing the support cases, there are considerable gaps in the information that is collected prior to the handoff from ADR to data holder which makes it hard to provide the data holder with enough 'useful' information to debug on a case-by-case basis.
Option 2: We rely on summarised data from GetMetrics
The GetMetrics V4/V5 enhancements add more granular reporting from the data holder back to the DSB on dropoff cases, and while this is great for viewing trends at the eco-system level, it does not assist in debugging specific consumer issues on a case-by-case basis.
Option 3: A new data holder side endpoint for real-time querying
We propose a new endpoint be added at the data-holder-side that allows ADR's to pass in the request_uri value from the PAR and obtain a 'status'. The proposed design of that endpoint is as follows.
Data Holder's OpenID Provider Metadata proposed new property:
Example
PAR Introspection End Point
HTTP Method: POST
The location of the Data Holder PAR Introspection End Point is determined by the pushed_authorization_request_introspection_endpoint in the Data Holder's OpenID Provider metadata.
This end point will be implemented according to the following:
Data Holders MUST publish their PAR Introspection End Point using their OpenID Provider Metadata Discovery End Point
The request MUST include the following parameters using the application/x-www-form-urlencoded format in the HTTP request entity-body:
A PAR Introspection End Point Response should include the following fields:
with more information
Data Holders MUST return the appropriate consent flow status during the period of when the PAR is provided to AT LEAST 24 hours after the latest action on the consent, regardless of the PAR expires_in value. Valid requests outside that time window should return UNKNOWN_REQUEST_URI status.
Status Enumerated Values
Where logical, the following status values have been aligned with the V5 GetMetrics standard.
Response Codes
The following responses are in addition to error responses covered by normative references. Error scenarios in the following table MUST use the error structure defined in the Payload Conventions.
Non-Normative Request Example
Successful Response Example
Error Response Example
Non-functional requirements
It is expected that this introspection endpoint will only be called in non-successful and long-lasting flows, and as such, could be defined as Low Priority as per https://consumerdatastandardsaustralia.github.io/standards/#performance-requirements
Scope of change
Note that this option does not currently allow for the "recovery" of a consent flow, and while we see this as being potentially valuable we feel it increases the scope of the change too much to be warranted at this stage.
Feedback
We welcome further suggestions, discussions and feedback on the above from everyone, especially from the data holders on how best to approach this to minimise implementation effort as much as possible, acknowledging that many data holders have outsourced this part of their platform.
The text was updated successfully, but these errors were encountered: