Question

What is the Data Holder (DH)  oAuth response when the value of cdr_arrangement_id in the Pushed Authorisation Requests (PAR) is equal to null or is an empty string?

Answer

A null cdr_arrangement_id should be ignored. The CDS do not require a cdr_arrangement_id to be presented in the request object.

The Data Recipient Software Product MAY provide the cdr_arrangement_id claim in the Request Object sent to the PAR End Point hosted by the DH.

The behaviour for an empty string is not defined by the CDS, however it may be ignored.

Alternatively the DH could return an error. This is covered by RFC9126 and RFC6749. 

A 400 Bad Request error with invalid_request as the title would be appropriate. The DH may provide further details in the oAuth error response including the CDR error code urn:au-cds:error:cds-all:Authorisation/InvalidArrangement.