The new optional 'legal_entity_id' and 'legal_entity_name' fields are listed as not updatable in the SSA definition in the Dynamic Client Registration section of the new v1.3.0 standard. In particular the current specification implies that those two claims are optional during client creation, but once the client is created, they cannot be updated to add them. We would appreciate it if the ACCC could confirm that this was intended or advise if it was not intended and amend the documentation.
The behaviour described is correct and we will elaborate here:
1. Data holders introducing support for 'legal_entity_id' and 'legal_entity_name' would result in empty fields being made available in their identity stack
2. The data recipient isn't aware of data holder support for these new fields and will only know if supported after the registration has been updated and appropriate values returned
3. If the data holder does not support these new fields, it should ignore these fields rather than return an error
4. Once included, these values are immutable.
We currently flag the field as 'optional' and once we are confident that support is ubiquitous, the documentation will then be updated to flag this as mandatory.
We are working through SSA Change Management as part of Design iteration #1 so there is an opportunity for feedback once we have published our current process.
The above position is subject to change based on work in progress on Brand portability. Mutability of `legal_entity_id` and `legal_entity_name` may be required and therefore the current design may change in the future. GitHub issue 178 has been raised to track and discuss this issue.