Data Holder sector_identifier_uri Support
UNDER REVIEW: Issues associated to sector and pairwise identifiers are currently being consulted on in Maintenance Iteration 11, refer Issue #480. The guidance in this article cannot be relied on at this time.
___________________________
Introduction
V1.3.0 of the CDR Register Design introduced the new field sector_identifier_uri to the SSA definition. This change was managed through GitHub issue 52: Adopt sector_identifier_uri support for Pairwise Pseudonymous Identifier (PPID) calculations
Terminology Clarification
Sector in the context of the Consumer Data Right relates to the various industries that are designated (e.g. banking, energy, telecommunication etc.). It is synonymous with the term industry. The Consumer Data Standards provides conventions on how this is conveyed in the CDS URI structure for API endpoints
Sector_identifier is a concept introduced in section 8 of OIDC which is optionally used as an input to a data holder’s PPID calculation. The sector_identifier is derived from the host component of the sector_identifier_uri.
There is no overlap in these terms. Sector and sector_identifier are not related.
Rationale
Sector_identifier_uri support in the CDR ecosystem will give greater flexibility to data recipients managing the domains used in their software applications.
Prior to the introduction of the sector_identifier_uri, the redirect_uris array, captured during registration, is constrained to having a common domain in each entry:
e.g.
[
www.example.com/redirect_1,
www.example.com/redirect_2
]
Pre sector_identifier_uri
sector_identifier == www.example.com
Changes in the domain names in their redirect_uris may impact the PPID values calculated, which may result in data recipients losing reference to id tokens and mappings against the user info sub claims. This will impact data recipients’ abilities to reference consumer consent agreements
Data recipients will benefit in being able to use multiple domains for their redirect_uris and having mechanisms to allow changes in domain without affecting consumer consent.
Problem
The Consumer Data Standards Identifiers and Subject types section states the following:
The Data Holder MUST generate the `sub` value as a Pairwise Pseudonymous Identifier (PPID) as described in section 8 of OIDC.
The introduction of the sector_identifier_uri to the CDR Register design ensures alignment to these standards.
Section 8 of OIDC provides multiple examples for methods to calculate the PPID, including using the sector_identifier as an input.
The sector_identifier is derived from either:
- The domain used in the redirect_uris where all redirect_uris use the same domain or;
- The domain used in the sector_identifier_uri when the redirect_uris use different domains
The introduction of the sector_identifier_uri allows for data recipients to optionally change the domains in their redirect_uris or use redirect_uris with different domains.
For this optionality to be supported, data holders MUST support this field and the associated functionality.
Requirements
Data holders will need to ensure they support the sector_identifier_uri and will need to satisfy the following use cases:
- Handle registration POST and PUT requests with the new sector_identifier_uri
- Retrieve the redirect_uris from the sector_identifier_uri endpoint during registration POST and PUT requests
- If the sector_identifier_uri is published, validate the contents of the redirect_uris field are published in the sector_identifier_uri
- Incorporate the sector_identifier component of the sector_identifier_uri in their PPID algorithm, if sector_identifier is an input.
Data recipients can optionally choose to use the sector_identifier_uri to transition to use different or multiple domains in their redirect_uris.
This can be accomplished by implementing all the following steps:
- Publish a JSON document containing the redirect_uris on the sector_identifier_uri endpoint. The sector_identifier_uri endpoint uses the same domain as the original set of redirect_uris
- Ensure the redirect_uris field contains a subset of the redirect_uris published on the sector_identifer_uri
- Update the relevant software product on the CDR Participant Portal to populate the sector_identifier_uri field
- Update their registrations with all data holders in the ecosystem
- Repeat these steps when redirect_uris change
Recommendations
Data recipients will need to consider change management activities while they participate in the Consumer Data Right. Engagement with intermediaries and Outsourced Service Providers (OSPs) may result in 3rd parties managing the endpoints that a data recipient exposes as per the Consumer Data Standards.
Data recipients should consider how they may facilitate changes with the 3rd parties they engage, anticipating that there may be a need to switch between these 3rd parties in the future.
Keeping control of the domains these endpoints are exposed on ensures that data recipients have the most flexibility. If a data recipient does not have control over the domains for their exposed endpoints, authentication and consent may be impacted when changes occur.
Further discussion on these topics is expected in future support articles.
Conclusion
Support for the sector_identifier_uri will allow data recipients to change domains or transition to use multiple domains in their redirect_uris by publishing their redirect_uris on the sector_identifier_uri endpoint.
Support for the sector_identifier_uri will give data recipients greater flexibility in managing their software products in the CDR ecosystem. This functionality ensures alignment with the underlying standards and greater supportability.
Comments
3 comments
Cross posting this from a ticket regarding CTS 3.1. This guidance appears to extend the standards definition because the CDR Register specification states the registration follows RFC7591 but this guidance appears to include OIDC-DCR.
Pasting from ticket response to CTS:
The reference to sector_identifier_uri within the CDR Register standards is a specific reference to pairwise generation notably OpenID Connect Core 1.0 Section 8 – this reference is not in debate because it relates to pairwise generation. The Register documentation does not explicitly state that sector_identifier_uri must be followed in accordance with the OpenID Connect Dynamic Client Registration 1.0 (OIDC-DCR) specification and in fact states “The CDR Registration model follows standard [RFC7591] and is derived from Open Banking UK model”. RFC7591 makes no mention at all of sector identifier uri and on that basis the implication that OIDC-DCR specifically applying beyond being used as a key for pairwise identifiers does not appear to be valid (nor could it be, see below).
There has been an implication that content of the sector identifier uri (if OIDC-DCR was in play) MAY change at any time however as per OIDC-DCR, Section 5 "sector_identifier_uri" Validation the following statement is made:
This MUST be validated at registration time; there is no requirement for the OP to retain the contents of this JSON file or to retrieve or revalidate its contents in the future.
That is to say that if we were to follow the guidance we have received from the CTS (and this article appears to imply) an update (PUT) on the registration containing an updated set of redirect uri’s would potentially be misaligned with the sector identifier uri anyway and on that basis the behaviour is undefined.
While the CTS team have indicated that the global standard is not intended to be challenged it would appear, assuming OIDC-DCR is in play which doesn’t seem like it should be because the CDR Register standard makes no mention of it, that the ACCC’s implementation of sector identifier uri has already challenged them (the global standards) because the ACCC has chosen to override OIDC-DCR by mandating that the SSA’s redirect_uri’s are validated instead of the explicit guidance in Section 5 that states: The values registered in redirect_uris MUST be included in the elements of the array, or registration MUST fail.
Our reading of OIDC-DCR is that if we followed the specification to the letter a redirect uri supplied by the Recipient and signed within the SSA by the ACCC must be rejected if it is not contained within the sector identifier uri. This would result in a situation where technically the standard is followed but legally a Holder would not be following the CDR Rules, particularly those with respect to complying with the Data Standards.
Consequently our implementation leans towards using the sector identifier uri for keying of pairwise identifiers (allowing redirect uri's to be changed) while relying on the redirect_uri's in the SSA as the "source of truth" for valid redirect uri's.
Stuart,
Thanks for your feedback.
This guidance has helped flesh out deficiencies in the design where further specification, clarification and guidance is required.
We are keen to do further work to identify where the validation should occur, which standards should apply and where deviations from the standards will be required to meet the requirements of the CDR.
We will work this as part of the design process and will incorporate your feedback.
Regards,
Ivan Hosgood
Hi,
Has there been any further progress on this topic ?
Agree with the comments, there does not seem any point for the OP to call out to the sector_identifier_uri end point during DCR
This requires build and an extra callout during the DCR process which is unnecessary
Our implementation also follows the approach of using sector identifier uri for PPID logic and the redirect_uris in the SSA (source of truth) for valid redirect_uri's
Unfortunately CTS now has a test scenario that checks if a call to the end point has been made during the DCR process
Thanks and regards
Please sign in to leave a comment.