Question
OIDC defines the offline_access scope. The scope definition is:
"This scope value requests that an OAuth 2.0 Refresh Token be issued that can be used to obtain an Access Token that grants access to the End-User's UserInfo Endpoint even when the End-User is not present (not logged in)"
What is the relevance of offline_access to the Consumer Data Standards (CDS)?
Answer
Briefly, the offline_access scope is not relevant to the CDR standards. Banking APIs are not restricted by the scope of offline_access.
The CDR standards explicitly limit the value of response_type, as the intent is to restrict all data transfer to the back channel - service to service, as opposed to service to browser. This position would appear to render the offline_access scope redundant.
There are components of the CDR standards that are used to differentiate traffic with customer present from traffic with customer not present. Both types of traffic are sent back channel. These mechanisms are intended for traffic and fraud management only, not for consent management.
These components serve a similar purpose to the OIDC offline_access scope.
See:
- CDS HTTP Headers: x-fapi-auth-date, x-fapi-customer-ip-address and x-cds-client-headers
- CDS Non-functional Requirements, Definitions
- CDS Security profile
- Issue 185
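The answer above says the three CDS headers, not offline_access, are what separate customer-present from unattended traffic on the back channel. The following is an added example (not code from the CDS or any data holder) showing how a data holder's resource endpoint could classify an incoming request by those headers and check that each one is well formed for the mode it claims. It assumes that the presence of x-fapi-customer-ip-address marks a customer-present call, that x-fapi-auth-date is an RFC 7231 IMF-fixdate, that x-cds-client-headers is Base64-encoded text of the customer's original headers, and that unattended calls carry none of the three; the sample requests and the fixed "now" timestamp are constructed for the demonstration.

```python
"""Classify a CDR resource request as customer-present or unattended from the
CDS HTTP headers and sanity-check the headers for the mode claimed.

Added example, not CDS or data holder code. Assumptions (see lead-in):
x-fapi-customer-ip-address present => customer-present call; x-fapi-auth-date
is an RFC 7231 IMF-fixdate; x-cds-client-headers is Base64 text; unattended
calls carry none of the three headers.
"""
import base64
import binascii
import ipaddress
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Header names from the CDS HTTP Headers section.
H_AUTH_DATE = "x-fapi-auth-date"
H_CUSTOMER_IP = "x-fapi-customer-ip-address"
H_CLIENT_HEADERS = "x-cds-client-headers"
CUSTOMER_PRESENT_HEADERS = (H_AUTH_DATE, H_CUSTOMER_IP, H_CLIENT_HEADERS)


def classify_request(headers, now):
    """Return {'mode': 'customer-present'|'unattended', 'problems': [...],
    'client_headers': decoded x-cds-client-headers text or None}.

    HTTP header names are case-insensitive, so matching is done on lowercase.
    'now' is passed in so the auth-date check is deterministic."""
    h = {k.lower(): v for k, v in headers.items()}
    problems = []
    decoded = None

    if H_CUSTOMER_IP not in h:
        # Unattended (or unauthenticated) call: none of the three headers belong here.
        for name in CUSTOMER_PRESENT_HEADERS:
            if name in h:
                problems.append(f"{name} sent on an unattended call")
        return {"mode": "unattended", "problems": problems, "client_headers": None}

    # Customer-present call: the IP must parse and the other two headers are mandatory.
    try:
        ipaddress.ip_address(h[H_CUSTOMER_IP].strip())
    except ValueError:
        problems.append(f"{H_CUSTOMER_IP} is not an IP address")

    if H_AUTH_DATE not in h:
        problems.append(f"{H_AUTH_DATE} missing on customer-present call")
    else:
        try:
            auth_dt = parsedate_to_datetime(h[H_AUTH_DATE])
            if auth_dt.tzinfo is None:          # '-0000' dates parse as naive UTC
                auth_dt = auth_dt.replace(tzinfo=timezone.utc)
            if auth_dt > now:
                problems.append(f"{H_AUTH_DATE} is in the future")
        except (TypeError, ValueError, IndexError):  # older Pythons raise TypeError
            problems.append(f"{H_AUTH_DATE} is not an RFC 7231 IMF-fixdate")

    if H_CLIENT_HEADERS not in h:
        problems.append(f"{H_CLIENT_HEADERS} missing on customer-present call")
    else:
        try:
            decoded = base64.b64decode(h[H_CLIENT_HEADERS], validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            problems.append(f"{H_CLIENT_HEADERS} is not Base64-encoded text")

    return {"mode": "customer-present", "problems": problems, "client_headers": decoded}


# Constructed sample requests (not captured traffic) and a fixed clock.
SAMPLE_NOW = datetime(2024, 5, 1, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_UA = "User-Agent: Mozilla/5.0 (X11; Linux x86_64)"
SAMPLE_PRESENT = {
    "Authorization": "Bearer <access-token>",
    "x-v": "3",
    "X-FAPI-Auth-Date": "Wed, 01 May 2024 11:30:00 GMT",
    "X-FAPI-Customer-IP-Address": "203.0.113.10",
    "X-CDS-Client-Headers": base64.b64encode(SAMPLE_UA.encode()).decode("ascii"),
}
SAMPLE_UNATTENDED = {"Authorization": "Bearer <access-token>", "x-v": "3"}
SAMPLE_MALFORMED = {
    "x-fapi-customer-ip-address": "not-an-ip",
    "x-fapi-auth-date": "yesterday",
    "x-cds-client-headers": "###",
}

if __name__ == "__main__":
    for label, req in (("present", SAMPLE_PRESENT), ("unattended", SAMPLE_UNATTENDED),
                       ("malformed", SAMPLE_MALFORMED)):
        print(label, classify_request(req, SAMPLE_NOW))
```

The mode returned is what a data holder would feed into its traffic and fraud controls (for example separate thresholds for customer-present and unattended calls); as the answer notes, it says nothing about consent, which is governed by the arrangement behind the access token, not by these headers.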