Archived 2022.11.20. This content has been moved to error scenarios and responses.
Question
Does the Error 400 Missing Required Header response apply only to the headers described in the CDS HTTP Headers section? If the missing header is not required by Consumer Data Standards (CDS), but instead by the upstream normative FAPI and OIDC standards, should the error response instead follow those standards?
Answer
If the missing header is required by the CDS, then the Data Holder (DH) should respond with the expected error response, as described in the CDS Error Codes section. Examples of CDS-specific headers are the x-v header or the x-fapi-interaction-id header.
When upstream normative standards apply, such as FAPI and OIDC, they take precedence.
The DH is likely to respond in line with the normative spec if the Authorization header is missing. Depending on their architecture, they may respond with the CDS error, but it is not expected.
If the error is handled further up their application stack, at their WAF or API Gateway, CDS response customisation may not be possible.
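The precedence described above, as an added example that is not part of the original article or of the CDS itself: a Data Holder header check that answers a missing Authorization header per RFC 6750 before applying the CDS Missing Required Header error. The function name and the set of required CDS headers are assumptions for illustration; the error code URN is the one the CDS Error Codes section lists for this error.

```python
# Added example (not CDS or Data Holder code): hypothetical request header check.
import json

# Assumption: CDS headers this endpoint treats as mandatory; x-v is one the article names.
CDS_REQUIRED_HEADERS = ("x-v",)


def check_request_headers(headers, cds_required=CDS_REQUIRED_HEADERS):
    """Return None if the headers pass, else (status, response_headers, body)."""
    # HTTP header names are case-insensitive; blank values count as missing.
    present = {name.lower() for name, value in headers.items() if value.strip()}

    # Upstream normative standards take precedence: a missing Authorization
    # header gets the RFC 6750 response (401 plus a Bearer challenge), not a
    # CDS error. RFC 6750 section 3.1 says to omit the error code when the
    # request carried no authentication information at all.
    if "authorization" not in present:
        return 401, {"WWW-Authenticate": "Bearer"}, ""

    # Only now apply the CDS rule: 400 with one error object per missing header.
    missing = [name for name in cds_required if name.lower() not in present]
    if missing:
        errors = [
            {
                "code": "urn:au-cds:error:cds-all:Header/Missing",
                "title": "Missing Required Header",
                "detail": name,
            }
            for name in missing
        ]
        return 400, {"Content-Type": "application/json"}, json.dumps({"errors": errors})
    return None


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    samples = [
        {"x-v": "1"},                                        # no Authorization
        {"Authorization": "Bearer constructed-token"},       # no x-v
        {"Authorization": "Bearer constructed-token", "X-V": "1"},
    ]
    for sample in samples:
        print(sorted(sample), "->", check_request_headers(sample))
```

If the Authorization check runs at a WAF or API gateway in front of this code, the 401 branch is never reached here and the response body is whatever that layer emits.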
See: