Archived 2022.11.20. Content moved to error scenarios and responses.
Question
In the case when a member, flagged as fraud or vulnerable, wants to share CDR data with an Accredited Data Recipient (ADR), the member cannot proceed at the authentication stage, and an error must be returned.
CDS Exemptions To Protect Service states "If the data holder identifies a situation where there is the potential for physical or financial harm or abuse (this should result in http error 403 Forbidden being returned)".
Should the Data Holder (DH) return error 403 or error 422? What should be displayed in the title and detail in the error code structure?
Answer
During consultations, it was determined that for sensitive situations like fraud or consumer vulnerability, the disclosure of too much information could lead to harm. It is up to the DH to determine what data they provide in the error description. It is also up to the DH to determine the appropriate error code in these situations. Either error 403 or error 422 would be acceptable, as well as error 404 if the resource being requested is in the URL path. Unavailable Banking Account and Invalid Banking Account provide broad and generic error handling if a DH seeks to respond with error 404 or error 422.
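The answer above leaves the choice of code and wording to the DH; the following is an added illustration (not code from the CDS or from any data holder) of how a DH can keep the external response generic while still recording the real reason internally. It assumes the "Unavailable Banking Account" error URN shown below, taken from my reading of the CDS error code list and to be checked against the current standards, and picks 404 when the account ID is in the URL path and 422 otherwise; a DH choosing 403 would substitute its own generic code.

```python
"""Build a CDS-style error response for a consumer who cannot proceed at
authentication, without disclosing that a fraud or vulnerability flag
is the cause. Added example; not part of the CDS or any DH implementation."""
from enum import Enum
import json

class RefusalReason(Enum):
    """Internal reasons; none of these should be visible to the ADR."""
    FRAUD_FLAG = "fraud flag"
    VULNERABLE = "vulnerable consumer"
    ACCOUNT_CLOSED = "account closed"

# Assumed URN (verify against the current CDS error code list).
UNAVAILABLE_CODE = "urn:au-cds:error:cds-banking:Authorisation/UnavailableBankingAccount"
UNAVAILABLE_TITLE = "Unavailable Banking Account"
GENERIC_DETAIL = "The requested banking account is not available."

# Words that would reveal the sensitive context if they reached the response.
SENSITIVE_TERMS = ("fraud", "vulnerab", "abuse", "harm")

def refusal_response(reason: RefusalReason, account_in_path: bool):
    """Return (http_status, response_body, internal_audit_record).

    The body is identical for every reason, so the ADR (or anyone else
    observing the response) cannot tell a fraud/vulnerability flag from an
    ordinary unavailable account. The reason goes only to the audit record.
    """
    status = 404 if account_in_path else 422
    body = {"errors": [{"code": UNAVAILABLE_CODE,
                        "title": UNAVAILABLE_TITLE,
                        "detail": GENERIC_DETAIL,
                        "meta": {}}]}
    audit = {"status": status, "reason": reason.value}  # internal only
    return status, body, audit

def leaks_sensitive_context(body: dict) -> bool:
    """Release check: true if the outbound body mentions a sensitive term."""
    text = json.dumps(body).lower()
    return any(term in text for term in SENSITIVE_TERMS)

if __name__ == "__main__":
    status, body, audit = refusal_response(RefusalReason.FRAUD_FLAG, True)
    print(status, json.dumps(body))
    print("leaks sensitive context:", leaks_sensitive_context(body))
```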