The Consumer Data Standards Security Profile outlines data holder endpoint requirements specific to the standards. The standards specify how both client authentication and bearer token usage apply, as well as the transport security requirements.
This article describes how data holders can configure their brand's endpoints on the CDR Register and what considerations can be made to segregate endpoints by functionality and domain.
The CDR Register specifies BaseUris that data holders can use, in conjunction with the Consumer Data Standards URI structure conventions, to determine the location of each CDR endpoint.
The BaseUris are defined per brand and are located in the Participant Endpoint section of the CDR Register Design.
The data holder brand BaseUris have been extracted below:
- Base URI for the Consumer Data Standard public endpoints. This should encompass all endpoints not requiring authentication.
- Base URI for the Consumer Data Standard resource endpoints. This should encompass all CDS resource endpoints requiring authentication.
- Base URI for the Consumer Data Standard InfoSec endpoints. This provides ADRs reference to the OIDC Discovery Endpoint.
- Base URI for the Consumer Data Standard admin endpoints called by the CDR Register.
- Base URI for the Data Holder extension endpoints to the Consumer Data Standard (optional).
The grouping of BaseUris provides the flexibility for data holders to split their solution across different paths and domains. This may be desirable to allow:
- Segregation of endpoints by functionality. Public, Resource, Admin and other endpoints may be exposed on different subsystems in an implementation and therefore logically grouped.
- Segregation of endpoints by security profile. Endpoints can be grouped based on the security requirements imposed both by the Consumer Data Standards and the data holder. This is especially relevant when applying MTLS and TLS transaction security to these endpoints. Having the ability to group by domain is intended to simplify the application of the transaction security requirements.
BaseUris need not be unique. There are no constraints imposed so BaseUris may be used across different configurations. For example, it may be logical to group Admin and Resource endpoints on the same domain and path.
The InfoSecBaseUri currently has only one role: to provide data recipients with a reference to the exposed data holder OIDC Discovery Configuration Endpoint.
The InfoSecBaseUri is not intended to be the BaseUri where all related security endpoints are referenced from. This is an important distinction as different security endpoints have different transport security requirements. Data holders are free to define the appropriate endpoints within the OIDC Discovery Configuration Endpoint as long as they conform to the standards.
Transaction Security using TLS and MTLS
Transaction security requirements are key decision points for data holders to determine how endpoints may be grouped by domain.
The Transaction Security section of the Consumer Data Standards outlines expectations for the use of MTLS and TLS transport security protocols in the CDR.
The End Points section lists the transaction security requirements, detailing where TLS or MTLS applies.
Where MTLS applies, data holders are required to secure their endpoints using ACCC CA-issued certificates and ensure MTLS requirements are upheld.
Data holders will need to determine how TLS endpoints are to be secured. Public CA certificates are to be used on browser-friendly endpoints, such as the Authorisation endpoint. There is currently no constraint preventing data holders from using public CA-issued certificates on their TLS endpoints.
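The grouping decision described in this section can be checked before BaseUris are configured on the Register. The following is an added example, not part of the CDR Register or the Consumer Data Standards: it groups a brand's BaseUris by origin and reports any origin where TLS and MTLS groups would share one listener. The host names and the TLS/MTLS label attached to each group are constructed assumptions; take the real requirements from the End Points section of the standards.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample for one hypothetical data holder brand.
# Each entry: endpoint group -> (BaseUri, transport requirement).
# The TLS/MTLS labels are assumptions for illustration only.
SAMPLE_BRAND = {
    "Public":    ("https://api.dh.example/cds-au/public", "TLS"),
    "Resource":  ("https://mtls.dh.example/cds-au/resource", "MTLS"),
    "InfoSec":   ("https://idp.dh.example", "TLS"),
    # BaseUris need not be unique: Admin shares the Resource BaseUri.
    "Admin":     ("https://mtls.dh.example/cds-au/resource", "MTLS"),
    "Extension": ("https://API.dh.example:443/ext", "MTLS"),
}


def origin(base_uri):
    """Return (scheme, host, port): the unit a TLS listener is bound to."""
    parts = urlsplit(base_uri)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError(f"BaseUri must be an absolute https URI: {base_uri!r}")
    # Normalise host case and the implicit port so equal origins compare equal.
    return (parts.scheme, parts.hostname.lower(), parts.port or 443)


def group_by_origin(brand):
    """Map each origin to the endpoint groups (and transports) it serves."""
    groups = defaultdict(dict)
    for name, (uri, transport) in brand.items():
        groups[origin(uri)][name] = transport
    return dict(groups)


def mixed_origins(brand):
    """Origins where TLS-only and MTLS groups share a host and port.

    Not an error in itself, but such an origin usually needs per-path
    client-certificate handling instead of one listener-wide setting.
    """
    return {o: g for o, g in group_by_origin(brand).items()
            if len(set(g.values())) > 1}


if __name__ == "__main__":
    for (scheme, host, port), groups in mixed_origins(SAMPLE_BRAND).items():
        print(f"{scheme}://{host}:{port} mixes transports: {groups}")
```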
Please refer to the Certificate Management section of the CDR Register Design for reference on ACCC CA certificate applications, trust model, CSR profile and Certificate Practice Statement.
Certificate validation details have been published on the CDR Support Portal.
The Participant Portal user guide will help participants through the process of requesting ACCC CA-issued certificates.
Configuration on the Register
The on-boarding guide for data holders provides various guidance material detailing how the BaseUris are configured against a data holder brand on the CDR Register.
BaseUri configuration on the CDR Register assists data holders to expose their endpoints in accordance with the Consumer Data Standards. However, the configuration model is not prescriptive on how all endpoints should be exposed. It is intended to provide flexibility to the data holder to segregate their solution as appropriate. Data holders should plan ahead, ensure their endpoint model aligns to the standards and have this reflected both in testing as well as in production.