Decision Proposal 135 - November 2020 Consent Obligations: fixes and clarifications #135
Comments
CDR-API-Stream
added
Status: Open For Feedback
|
Further to this, a Noting Paper has been developed to assist participants with guidance on ecosystem transition. This is available here: Noting Paper 136 - November 2020 Consent Transition Guidance |
|
As per Division 8.3—Reviewing, developing and amending data standards and the modification of the standards in affect from August 1, can the DSB please outline whether this change is considered urgent or minor? Could the DSB also provide the link to the proposed draft located on "on the website of the Data Standards Body" (Division 8.3, part 8.9 subsection (2)c). Finally, as specified in Division 8.3, part 8.9 subsection (2)d please extend the feedback period to the mandatory 28 days from draft publishing on the DSB website:
Given the original proposal for the CDR Arrangement Endpoint has no formal draft and feedback (only the precursor to the originally unpublished end-state) and is neither proven nor shown to be functional in external environments it seems unlikely this decision proposal could be considered minor with urgent being of the governments own creation. |
|
Thanks for highlighting this @perlboy. The DSB has been conscious for some time of the date in the rules regarding the development and amendment of standards. We are currently developing a noting paper, that will initially be tabled with the Advisory Committees for review, outlining our interpretation and alignment with the rules. At this stage we believe our current processes are in alignment with the rules but we will modify our process if we identify any inconsistencies. In regard to your request to extend the consultation, we will not be doing this. The classification of changes is left to the Data Standards Chair under the rules. There is no explicit definition provided. Your rationale for rating this change as being significant is not one the DSB would be aligned with. We do consider this to be a minor amendment arising from implementation and detailed review of a previous consultation that was conducted over a number of months culminating in the v1.3.0 standard and we will be recommending this classification to the Chair. |
I could easily dispute this "consciousness" since the change process adopted by the DSB seems to be one of regular reinterpretation when it suits.
A noting paper is not enforceable and therefore does not achieve the "Data Standards Body is Accountable" principal outlined, also in a non enforceable noting paper in #50 (comment) which described the "Trial" for
The method that the DSB uses to classify changes has been requested many many times with either no answer or a suitably obfuscated answer that provides no further clarity. Additionally, specifically with regard to this proposal, the DSB posted a clarification that explicitly stated:
Is this statement now invalidated?
I didn't provide a rationale, I asked if it was urgent or minor and stated it seemed unlikely on the basis the changes relate to an unproven and unvalidated implementation with direct impacts on the information security profile of the ecosystem. While the Chair may have essentially dictator rights to define whatever he/she likes the rules also state a number of references to secure coding practices required of Recipients. I'd be interested to hear how the DSB understands Data Recipients will comply with Part 2—Minimum information security controls, Part 2.2, Section 4:
Within an environment which has no validated implementation worldwide.
For the clarity of those who just arrived and without the rose coloured glasses government representatives wish to see things through, this is a reference to DP #99 whereby the "CDR Arrangement Endpoint" was finalised in a decision proposal, post consultation and in the face of opposition from no less than 5 participants in the ecosystem. While there was some in principal support from one participant, the API in it's final state and it's name as "CDR Arrangement Endpoint" were introduced at the end and no further response was possible because collaboration was closed. @CDR-API-Stream, as you've apparently decided this is minor and therefore consultation isn't required, why ask for feedback to it in the first place? There is already a precedent of declarations without consultations and the rules don't require you to. Essentially, this leads me to ask, what's the point of bothering to provide feedback, beyond giving some glazed over impression of consultation? |
|
Minor fixes document has been updated to correct formatting of the recommendations so they can be cross referenced to the noting paper and change history is included in the appendix. No changes have been made to the changes to be made. |
|
Commonwealth Bank has the following points in response to this decision proposal: 1) Draft Standards for Review 2) Proposed alternative migration approach
Pros:
Cons:
3) Proposed amendment to draft proposal 4) Strategic Roadmap Data61 also indicated further alignment with FAPI 2. We would like to understand the full impact on consent design and the roadmap. 5) Notice for future changes to consent Commonwealth Bank requests a 6-month notice for any “ecosystem breaking” changes after standards are finalised and transition period is agreed on. 6) cdr_arrangement_id represents a single consent 7) Feature discovery E.g.: currently support for concurrent consent is inferred by the presence of cdr_arrangement_id in certain payloads. Additionally, error codes (404 or 422) are being used to discover which Data recipients’ revocation endpoints to use. 8) ADR Hosting of APIs This position would have significantly reduced transition complexity for cdr_arrangement_id and PAR (along with other benefits outlined in the GitHub issue above). |
|
Westpac is supportive of the proposed changes. However, as we have already commenced build, it is important that they are finalised as soon as practicable. In addition to the items discussed, the data standards body may wish to consider retaining the existing behaviour of the token revocation endpoint which revokes the consents associated with a token for a period of time before depreciating it in favour of pure token revocation. This is because there is a possible second race condition not currently identified in the standard where a consumer may attempt to revoke consent with a data recipient before that data recipient has obtained a cdr_arrangement_id might occur. Although in principle the cdr_arrangement_id is discoverable as per noting paper 136 sequence table item 3, this relies on all data recipients having built this functionality prior to any data holder release of items 2 and 4 in that sequence table. In regard to the CDR Arrangement Revocation End Point we note that the sentence “For Data Holders, Data Recipients must be authenticated when they call this end point using a valid Access Token as specified in section 10.3 of [OAUTH2]" has been omitted from the definition whereas it was present for the CDR Arrangement Management End Point Definition. We note that client authentication still appears to be required in the endpoint table. Was the omission intentional? It is not clear whether the expectation is that a signed client assertion is to be placed directly into the authorization header, or whether the expectation is that an access token is used. It would make sense for the Data Recipient to present the access token to validate the identity of the user for whom the arrangement is being revoked. |
Feedback from Origin Energy on DP-135
|
|
ANZ agrees with @commbankoss and @WestpacOpenBanking in regards to keeping the existing behaviour of the token revocation endpoint for a transitionary period of time. This means that ADRs can call either the new CDR Arrangement Management end point or existing revocation end point and have the same outcome expected. This will help enable the possible mixed implementations that will be in place until February 2021. |
CDR-API-Stream
added
Status: Feedback Period Closed
|
Thank you to everyone who's put forward views and proposals. Consultation on this decision proposal has been closed and feedback will be considered. |
|
Consultation has been reopened temporarily by request |
|
|
The consultation is now being closed again |
|
Consultation has been reopened temporarily by request |
|
Perhaps our Question 5 posted on #136 should be posted here. We are supportive of @commbankoss comment above for all the points raised with further consideration of point 6. For point 6, Intuit would like to further analyse @commbankoss suggestion. Conceptually, supplying an existing Supplying We suggest
|
|
The consultation is now being closed again |
CDR-API-Stream
added
Status: Decision Made
|
The Data Standards Chair has approved Decision 135 constituting the changes to address November 2020 consent feedback. The decision record is available here: Decision 135 - November 2020 Consent Obligations.pdf |
|
Hi @commbankoss thank you for providing feedback.
Thank you for the suggestion. The DSB will consider this for future decision proposals and standards changes.
The second option has been adopted. This was broadly supported by data holders and data recipients.
This proposal is not accepted. It is important to retrospectively include the
This change was accepted based on community feedback in the context of the transition to provide sufficient time for ADRs to obtain the
This change is not supported. See above.
This is the current position with the expectation that from 1st of November all consents are presented with an arrangement ID and all ADRs actively update their consents with an arrangement ID
This is expected to be the case however this is contingent on when the ADR goes live. Assuming that an ADR goes live after November this would hold true. To avoid impact to ADRs based on when DHs will deploy November obligations, technical discovery mechanisms were used to decouple capability discovery from obligation requirements. ADRs should use the discoverability mechanisms to determine the individual DH supportability. The standards already state that the ADR must use the CDR Arrangement Revocation API if it is available.
The DSB will be consulting on the work plan and transition approach for technical changes to accomodate a longer term target state. Workshops addressing the consumer experience for amending consent are planned for September.
Thank you this input is appreciated. With Maintenance Iteration 4 (#134), care has been given to provide future planning and implementation time in regards to changes.
This is not accepted. The
This suggestion is reasonable and the DSB will consult on a solution in future maintenance iterations. It is worth noting that this is the pattern the DSB has started to establish.
Whilst this has been raised in other maintenance issues and change requests, the current approach stands based on meeting the CDR Rules and privacy safeguard requirements. |
|
Hi @WestpacOpenBanking thank you for providing feedback.
This change has been adopted and it is noted it was broadly supported.
Data recipients would follow the requirements in the Client Authentication section of the data standards. |
|
Hi @mannharleen thank you for providing feedback.
Arrangement ID is a minor change that should not introduce complexity. It is required to support re-authorisation and amending consent.
This change is not supported. Whilst this is the model in the UK it does not align with the pattern established in the CDR and is not part of the problem to solve for this decision proposal.
This is part of the CDR Rules and the data standards are being brought in line.
Refresh token duration is within the control of the DH. Consent duration is defined by the |
|
Hi @anzbankau thank you for providing feedback.
Thank you. This change has been adopted. |
|
Hi @NationalAustraliaBank thank you for providing feedback.
Thank you. This change has been adopted and it is noted it was broadly supported.
In this instance it would be an oAuth error response invalid_request https://tools.ietf.org/html/rfc6749#section-4.2.2
In this instance it would be an oAuth error response invalid_request https://tools.ietf.org/html/rfc6749#section-4.2.2
Thank you for the suggestion. The DSB will consider this for future decision proposals and standards changes.
Thank you. These have been corrected. |
|
Hi @spikejump thank you for providing feedback.
This is not accepted. Please refer to response to @commbankoss's feedback above.
For Nov it will provide an indication to the DH to revoke the existing consent and establish a new consent. As the Rules are anticipated to allow re-authorisaition and amending consent in future, the
If the new consent has nothing to do with the current one, an ADR should establish a separate consent and explicitly revoke the current consent if required.
Could you please elaborate on the issue you see here?
Thanks for this feedback. This has been answered under point 4 of feedback from @commbankoss |
|
@CDR-API-Stream Thanks for the response above.
The unhappy path above can be avoided if careful consideration is specified via CX and spec. While reading the above @CDR-API-Stream responses, we have one more query on the response to @NationalAustraliaBank. IN there, a couple of the answers mentioned
Can @CDR-API-Stream clarify the HTTP response code that is meant to be returned in such a case? Presumably 400 is appropriate and there are no other 4xx possibilities? |
|
Hi @spikejump,
RFC6749 specifies 400 (Bad Request) would apply for error response
|
* Standards Staging Issue #115: Update text description of bulk balance for energy in endpoint version schedule * Cleared out the diff comments presented on the Version Delta tab * Added an empty release 1.16.0 release notes page * Incremented version numbers for swagger files to 1.16.0 * Added archive link to 1.15.0 * Reverted back to standard (non-festive) logo * Incremented version number in introduction * Added normative reference link to RFC9126 * Added link to 1.16.0 release notes * Corrected link for RFC2119 * Clarified requirements for Data Recipient Software Products S256 code challenge method by removing the redundant \'if supported\' text * Standards Staging Issue #116 Change type of page and page-size in Energy APIs to PositiveInteger * Updates for DP166 * Updates for DP166 * Removed duplicate section: Data Holders calling Data Recipients * Corrected GetProducts response reference from ResponseBankingProductList to ResponseBankingProductListV2 * Removed the unintended additional formatting from the cds_banking.json to make diffs easier * Corrected Register Discovery Document definition defect renaming request_object_signing_alg_values_supported to token_endpoint_auth_signing_alg_values_supported * Corrected GetDataHolderBrands RegisterDataHolderAuth and jwksEndpoint schema definitions to clarify their usage in DH to ADR client authentication * Standards Staging Issue #115: Updated release notes for this change * fixed typos and ordering * Removed tables * Rechanged ordering * Build and final checks * Convert swagger to OAS Remove 4xx error codes * Rebuild * Fix json typos Update error codes for energy OAS * Rebuild * Added tooltip support for RFCs and normative/informative references. Also fixed invalid or missing RFC links * Fixed markdown issue with normative references table * Converted more normative reference links to dynamic tooltips * Updated FAPI informative reference * - Formatting improvements. - Added additional tooltip references * - Moved normative references out of the Security section into the Introduction. - Added additional tooltip references * Updated code generation for normative and informative references * Added link to the endpoint versioning schedule to the high level standards * Added 1.16.1 release notes * Added release notes for Standards Staging issue 130 * Added release notes for Standards Staging issue 132 * Updated RFC4122 links in Banking and Common schemas to include tooltips * poc secondary-dataholder-apis: Added changes to include Energy Secondary Data Holder OAS in standards * Fix for staging 139 * fix #138 * Fix for #137 * Fix #136 * Fix #135 * Fix #134 * Initial build for review * Update version number everywhere * Add archive entry for 1.16.0 Clean up diff statements Update release notes * Fixes to SR swagger * Update Swagger to OAS in markdown * Updated Energy SDH swagger file to lastest version with fixes applied for error codes and attribute types * Remove known issues that are resolved Full rebuild * Version bumps to address GitHub security notices * Updated additional informative references to include tooltips * Fix SDH security * Fix for controlledLoad flag in energy Rebuild * Minor release notes and diff fixes Co-authored-by: Hemang Rathod <[email protected]> Co-authored-by: Ivan Hosgood <[email protected]> Co-authored-by: Kirkycdr <[email protected]> Co-authored-by: James Bligh <[email protected]> Co-authored-by: James Bligh <[email protected]> Co-authored-by: Mark Verstege <[email protected]>
* Standards Staging Issue #115: Update text description of bulk balance for energy in endpoint version schedule * Cleared out the diff comments presented on the Version Delta tab * Added an empty release 1.16.0 release notes page * Incremented version numbers for swagger files to 1.16.0 * Added archive link to 1.15.0 * Reverted back to standard (non-festive) logo * Incremented version number in introduction * Added normative reference link to RFC9126 * Added link to 1.16.0 release notes * Corrected link for RFC2119 * Clarified requirements for Data Recipient Software Products S256 code challenge method by removing the redundant \'if supported\' text * Standards Staging Issue #116 Change type of page and page-size in Energy APIs to PositiveInteger * Updates for DP166 * Updates for DP166 * Removed duplicate section: Data Holders calling Data Recipients * Corrected GetProducts response reference from ResponseBankingProductList to ResponseBankingProductListV2 * Removed the unintended additional formatting from the cds_banking.json to make diffs easier * Corrected Register Discovery Document definition defect renaming request_object_signing_alg_values_supported to token_endpoint_auth_signing_alg_values_supported * Corrected GetDataHolderBrands RegisterDataHolderAuth and jwksEndpoint schema definitions to clarify their usage in DH to ADR client authentication * Standards Staging Issue #115: Updated release notes for this change * fixed typos and ordering * Removed tables * Rechanged ordering * Build and final checks * Convert swagger to OAS Remove 4xx error codes * Rebuild * Fix json typos Update error codes for energy OAS * Rebuild * Added tooltip support for RFCs and normative/informative references. Also fixed invalid or missing RFC links * Fixed markdown issue with normative references table * Converted more normative reference links to dynamic tooltips * Updated FAPI informative reference * - Formatting improvements. - Added additional tooltip references * - Moved normative references out of the Security section into the Introduction. - Added additional tooltip references * Updated code generation for normative and informative references * Added link to the endpoint versioning schedule to the high level standards * Added 1.16.1 release notes * Added release notes for Standards Staging issue 130 * Added release notes for Standards Staging issue 132 * Updated RFC4122 links in Banking and Common schemas to include tooltips * poc secondary-dataholder-apis: Added changes to include Energy Secondary Data Holder OAS in standards * Fix for staging 139 * fix #138 * Fix for #137 * Fix #136 * Fix #135 * Fix #134 * Initial build for review * Update version number everywhere * Add archive entry for 1.16.0 Clean up diff statements Update release notes * Fixes to SR swagger * Update Swagger to OAS in markdown * Updated Energy SDH swagger file to lastest version with fixes applied for error codes and attribute types * Remove known issues that are resolved Full rebuild * Version bumps to address GitHub security notices * Updated additional informative references to include tooltips * Fix SDH security * Fix for controlledLoad flag in energy Rebuild * Minor release notes and diff fixes * Standards Release 1.17.0: Added release notes file * Standards Maintenance Issue #448: Changed percentOfBill, percentOfUse, fixedAmount and percentOverThreshold attributes from optional to conditional within EnergyPlanDiscounts schema * Standards Release 1.17.0: Removed version deltas, incremented version numbers in swagger files, added archieve entry for 1.16.1 * Updates to baseline 1.17.0 to remove legacy diffs and include a link to the release notes * Standards Maintenance Issue 503: Fixed documentation for CDR Arrangement Form Parameter and JWT method requirements * Added scrollabe diffs and examples to support previous and next scrolling * Added release notes * Updated prev/next button titles * Minor refactoring to remove unused vars * Standards Maintenance Issue 504: Corrected the profile scope data language to clarify request of individual claims * Added diff * Standards Maintenance Issue #449: Made EnergyPlanSolarFeedInTariff.timeVaryingTariffs.timeVariations.days field mandatory * Added proof of concept to highlight obligations in the endpoint versioning schedule based on a selected mileston date * Added release notes * Removed diff comments * Fix for padding of last input field in datepicker * Added collapsible obligations that hide any future, retired, and inactive obligations * Tweaks to collapsed highlighting * Updated release notes to include standards maintenance issue number * Corrected release description * Updated CDR Arrangement Recovation JWT documentation to articulate requirements in accordance to self signed JWTs * Added a new section to summarise all change requests in the release notes * Added headings * Added obligation milestones * Improvement to wording of profile scope data language based on commmunity feedback * Updated diff * corrected non-normative examples using the unsupported HS256 alg. Changed examples to PS256 to align with FAPI requirements * Added 482 descriptions to the release notes * Updated release notes * Update dcr OAS so it compiles * Standards Maintenance Issue #457: Made EnergyServicePointDetail.meters.registers.registerSuffix field optional * Updated release notes to contain links to the associated change request * Updated Register swagger to addres empty content fields causing compilation issues * header requirements for versioned Register APIs moved from mandatory to optional * Standards Maintenance Issue #438: Added calculationFactors and adjustments objects to EnergyBillingOtherTransaction model * Added version delta comments * Rebuild Fix minor typos in diffs * Removed debugging output for date picker * Standards Maintenance Issue #439: Added timezone field to EnergyPlanTariffPeriod * Fixed compile issues for date picker scripts * Added Register dependency schedule table to differentiate Register delivery from Participant future dated obligations * Added requirement for data holders to ignore unsupported authorisation scopes * Updated endpoint version schedule to 2022-11-15 for register API versions where binding date was subject to ACCC review * Standards Maintenance Issue #476: Updated EnergyConcession model to cater for variable concessions. Changed RateString to represent generic percentages. * Standards Maintenance Issue #476: Moved RateString change description to High Level Standards in Release Notes. Move RateString diff in High Level Standards * Moved change description to API Endpoints sections in Release Notes * Set retirement dates for outstanding deprecated Register APIs * Added standards maintenance issue reference to release notes * Added standards maintenance issue reference to release notes * New authenticated endpoints only require cdr-register:read as the authorisation scope * Added clarification that when statuses are not received or recognised from the CDR Register, the ACCC can inform Data Holders of statuses to trust using an alternative mechanism * Added GetDataHolderBrandsSummary API to expose public details of Data Holder Brands from the CDR Register to public clients * Standards Maintenance Issue #478: Made EnergyServicePointDetail.meters and EnergyServicePointDetail.meters.registers fields optional and updated their descriptions * Documented scopes usage for the authenticated Register endpoint versions * Changed formatting of dependency dates to remove leading zero * XV header is a required field * Made SHOULD requirement bold * Added version-deltas for register scope usage * Standards Staging Issue #133: Corrected description of 'oldest-date' by removing the word 'days' * Standards Staging Issue #170: Documentation fix - EnergyServicePointDetail.meters and EnergyServicePointDetail.meters.registers have been converted into arrays * Standards Maintenance Issue #439: Updated description of EnergyPlanContract.timezone and EnergyPlanTariffPeriod.timezone to specify default values * Standards Staging Issue #131: Minor edit- clarification added that ServicePointId to be replaced with NMI in path param as well * Corrected version delta presentation * Added Get Data Holder Brands Summary to the endpoints table * Corrected whitespacing in version deltas * Standards Staging Issue #153: Modified Energy location to be a CommonPhysicalAddress model * Added support for 404 response code * Full rebuild * Add release date Reorder release notes * Standards Staging Issue #167: Corrected x-fapi-interaction-id header to be mandatory for Energy SDH APIs * Fix to force version delta code blocks to break at word boundaries not at overflow * 404 now only applies when industry is not found * Cosmetic improvements in the release notes * Cleaned up version deltas to follow conventions * Removed reference to the ACCC delivery schedule * Full rebuild * Correct change for staging issue 170 Co-authored-by: Hemang Rathod <[email protected]> Co-authored-by: Ivan Hosgood <[email protected]> Co-authored-by: Kirkycdr <[email protected]> Co-authored-by: James Bligh <[email protected]> Co-authored-by: James Bligh <[email protected]> Co-authored-by: Mark Verstege <[email protected]> Co-authored-by: Ivan Hosgood <[email protected]>
The approved decision record is available here: Decision 135 - November 2020 Consent Obligations.pdf.
This decision proposal outlines a recommendation for changes to November 2020 consent obligations including the CDR Arrangement End Point and PAR based on community feedback and clarification of ecosystem transition from single extant consent to concurrent consent.
The consultation draft for this decision proposal is attached below:
Decision Proposal 135 - November 2020 Consent Obligations-v2.pdf
This document has been updated to fix formatting of the recommendations so they can be cross referenced to the noting paper and change history is included in the appendix. No changes have been made to the changes to be made.
Feedback is now open for this proposal. Feedback is planned to be closed on Wednesday 12th August 2020.
The original consultation draft for this decision proposal is available below:
Decision Proposal 135 - November 2020 Consent Obligations.pdf
This issue takes into consideration, amongst others, the issues raised here:
NOTE: This Decision Proposal will not consider removal of solution components or changes to obligation dates. It seeks to correct issues with the standards which are currently in place for November 2020. Whilst some Data Holders may choose to seek extensions to their support of PAR for November 2020 this matter is handled through engagement with ACCC Compliance.
The text was updated successfully, but these errors were encountered: