Welcome to the Consumer Data Right Support Portal

Check out our guides, browse through our FAQs, and post your own questions for Support.

New to the Consumer Data Right? Learn more

Data Holder sector_identifier_uri Support Follow

Comments

2 comments

  • Avatar
    Stuart Low

    Cross posting this from a ticket regarding CTS 3.1. This guidance appears to extend the standards definition because the CDR Register specification states the registration follows RFC7591 but this guidance appears to include OIDC-DCR.

    Pasting from ticket response to CTS:

    The reference to sector_identifier_uri within the CDR Register standards is a specific reference to pairwise generation notably OpenID Connect Core 1.0 Section 8 – this reference is not in debate because it relates to pairwise generation. The Register documentation does not explicitly state that sector_identifier_uri must be followed in accordance with the OpenID Connect Dynamic Client Registration 1.0 (OIDC-DCR) specification and in fact states “The CDR Registration model follows standard [RFC7591] and is derived from Open Banking UK model”. RFC7591 makes no mention at all of sector identifier uri and on that basis the implication that OIDC-DCR specifically applying beyond being used as a key for pairwise identifiers does not appear to be valid (nor could it be, see below).

    There has been an implication that content of the sector identifier uri (if OIDC-DCR was in play) MAY change at any time however as per OIDC-DCR, Section 5 "sector_identifier_uri" Validation the following statement is made:

    This MUST be validated at registration time; there is no requirement for the OP to retain the contents of this JSON file or to retrieve or revalidate its contents in the future.

    That is to say that if we were to follow the guidance we have received from the CTS (and this article appears to imply) an update (PUT) on the registration containing an updated set of redirect uri’s would potentially be misaligned with the sector identifier uri anyway and on that basis the behaviour is undefined.

    While the CTS team have indicated that the global standard is not intended to be challenged it would appear, assuming OIDC-DCR is in play which doesn’t seem like it should be because the CDR Register standard makes no mention of it, that the ACCC’s implementation of sector identifier uri has already challenged them (the global standards) because the ACCC has chosen to override OIDC-DCR by mandating that the SSA’s redirect_uri’s are validated instead of the explicit guidance in Section 5 that states: The values registered in redirect_uris MUST be included in the elements of the array, or registration MUST fail.

    Our reading of OIDC-DCR is that if we followed the specification to the letter a redirect uri supplied by the Recipient and signed within the SSA by the ACCC must be rejected if it is not contained within the sector identifier uri. This would result in a situation where technically the standard is followed but legally a Holder would not be following the CDR Rules, particularly those with respect to complying with the Data Standards.

    Consequently our implementation leans towards using the sector identifier uri for keying of pairwise identifiers (allowing redirect uri's to be changed) while relying on the redirect_uri's in the SSA as the "source of truth" for valid redirect uri's.

    4
    Comment actions Permalink
  • Avatar
    Ivan Hosgood

    Stuart,

    Thanks for your feedback.

    This guidance has helped flesh out deficiencies in the design where further specification, clarification and guidance is required.

    We are keen to do further work to identify where the validation should occur, which standards should apply and where deviations from the standards will be required to meet the requirements of the CDR.

    We will work this as part of the design process and will incorporate your feedback.

     

    Regards,

    Ivan Hosgood

    0
    Comment actions Permalink

Please sign in to leave a comment.