Data Holder sector_identifier_uri Support
UNDER REVIEW: Issues associated to sector and pairwise identifiers are currently being consulted on in Maintenance Iteration 11, refer Issue #480. The guidance in this article cannot be relied on at this time.
V1.3.0 of the CDR Register Design introduced the new field sector_identifier_uri to the SSA definition. This change was managed through GitHub issue 52: Adopt sector_identifier_uri support for Pairwise Pseudonymous Identifier (PPID) calculations
Sector in the context of the Consumer Data Right relates to the various industries that are designated (e.g. banking, energy, telecommunication etc.). It is synonymous with the term industry. The Consumer Data Standards provides conventions on how this is conveyed in the CDS URI structure for API endpoints
Sector_identifier is a concept introduced in section 8 of OIDC which is optionally used as an input to a data holder’s PPID calculation. The sector_identifier is derived from the host component of the sector_identifier_uri.
There is no overlap in these terms. Sector and sector_identifier are not related.
Sector_identifier_uri support in the CDR ecosystem will give greater flexibility to data recipients managing the domains used in their software applications.
Prior to the introduction of the sector_identifier_uri, the redirect_uris array, captured during registration, is constrained to having a common domain in each entry:
sector_identifier == www.example.com
Changes in the domain names in their redirect_uris may impact the PPID values calculated, which may result in data recipients losing reference to id tokens and mappings against the user info sub claims. This will impact data recipients’ abilities to reference consumer consent agreements
Data recipients will benefit in being able to use multiple domains for their redirect_uris and having mechanisms to allow changes in domain without affecting consumer consent.
The Consumer Data Standards Identifiers and Subject types section states the following:
The Data Holder MUST generate the `sub` value as a Pairwise Pseudonymous Identifier (PPID) as described in section 8 of OIDC.
The introduction of the sector_identifier_uri to the CDR Register design ensures alignment to these standards.
Section 8 of OIDC provides multiple examples for methods to calculate the PPID, including using the sector_identifier as an input.
The sector_identifier is derived from either:
- The domain used in the redirect_uris where all redirect_uris use the same domain or;
- The domain used in the sector_identifier_uri when the redirect_uris use different domains
The introduction of the sector_identifier_uri allows for data recipients to optionally change the domains in their redirect_uris or use redirect_uris with different domains.
For this optionality to be supported, data holders MUST support this field and the associated functionality.
Data holders will need to ensure they support the sector_identifier_uri and will need to satisfy the following use cases:
- Handle registration POST and PUT requests with the new sector_identifier_uri
- Retrieve the redirect_uris from the sector_identifier_uri endpoint during registration POST and PUT requests
- If the sector_identifier_uri is published, validate the contents of the redirect_uris field are published in the sector_identifier_uri
- Incorporate the sector_identifier component of the sector_identifier_uri in their PPID algorithm, if sector_identifier is an input.
Data recipients can optionally choose to use the sector_identifier_uri to transition to use different or multiple domains in their redirect_uris.
This can be accomplished by implementing all the following steps:
- Publish a JSON document containing the redirect_uris on the sector_identifier_uri endpoint. The sector_identifier_uri endpoint uses the same domain as the original set of redirect_uris
- Ensure the redirect_uris field contains a subset of the redirect_uris published on the sector_identifer_uri
- Update the relevant software product on the CDR Participant Portal to populate the sector_identifier_uri field
- Update their registrations with all data holders in the ecosystem
- Repeat these steps when redirect_uris change
Data recipients will need to consider change management activities while they participate in the Consumer Data Right. Engagement with intermediaries and Outsourced Service Providers (OSPs) may result in 3rd parties managing the endpoints that a data recipient exposes as per the Consumer Data Standards.
Data recipients should consider how they may facilitate changes with the 3rd parties they engage, anticipating that there may be a need to switch between these 3rd parties in the future.
Keeping control of the domains these endpoints are exposed on ensures that data recipients have the most flexibility. If a data recipient does not have control over the domains for their exposed endpoints, authentication and consent may be impacted when changes occur.
Further discussion on these topics is expected in future support articles.
Support for the sector_identifier_uri will allow data recipients to change domains or transition to use multiple domains in their redirect_uris by publishing their redirect_uris on the sector_identifier_uri endpoint.
Support for the sector_identifier_uri will give data recipients greater flexibility in managing their software products in the CDR ecosystem. This functionality ensures alignment with the underlying standards and greater supportability.