Question
Is support required for:
- OAuth Token revocation endpoint
- ADR token revocation endpoint
- CDR Arrangement Revocation endpoint
Some CDS statements on this issue require clarification. In the CDS Endpoints Token Revocation Endpoint section there are notes:
NOTE: Data Recipients MUST continue to support this Token Revocation End Point until February 2021.
NOTE: Data Holders MUST continue to support consent revocation via the oAuth Token Revocation end point until February 2021.
Does the above statement imply:
- Data Holder and Accredited Data Recipients must support the CDR Arrangement Revocation endpoint by Feb 2021.
- Post Feb 2021, the Data Holders are expected to decommission the Revoke Consent via Refresh Token endpoint and the output for OIDC config must reflect only the cdr_arrangement_revocation endpoint and NOT revoke consent via token.
Answer
Data Holders (DHs) must support OAuth token revocation (the token revocation endpoint).
The Consumer Data standards made a change to separate withdrawal of consent from the management of tokens. To withdraw consent, ADRs are now required to call the Data Holder's CDR Arrangement Revocation Endpoint.
The dates above apply only to the existing players: the big four banks and three ADRs.
These dates do not affect Data Holders or ADRs implementing the CDS after Feb 2021. Implementations from 2nd February 2021 do not support the token revocation endpoint and must expose the CDR Arrangement Revocation End Point (CARE) to provide the revocation functionality.
CDS Future Dated Obligations states the following:
Data recipients may obsolete this end point from February 1st 2021.
Data holders may obsolete consent revocation via this end point from February 1st 2021, however they must still support oAuth token revocation. Data recipients must upgrade their implementations to use the Data Holder CDR Arrangement Revocation End Point by this time.
See:
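As an added example (not part of the answer above or of the CDS itself), a toy data-holder model of the two operations the answer keeps separate: OAuth token revocation invalidates a single token, while CDR Arrangement Revocation withdraws the consent and every token issued under it. The parameter name `cdr_arrangement_id` and the discovery key `cdr_arrangement_revocation_endpoint` are taken from the CDS; the issuer URL and token values are constructed sample data.

```python
from dataclasses import dataclass, field

ISSUER = "https://dh.example.test"  # constructed sample issuer, not a real data holder


@dataclass
class Arrangement:
    """One consent (CDR arrangement) and the tokens issued under it."""
    cdr_arrangement_id: str
    active: bool = True
    tokens: set = field(default_factory=set)


class DataHolder:
    def __init__(self):
        self.arrangements = {}   # cdr_arrangement_id -> Arrangement
        self.token_owner = {}    # token -> cdr_arrangement_id

    def grant(self, cdr_arrangement_id, *tokens):
        """Issue access/refresh tokens under a consent arrangement."""
        arr = self.arrangements.setdefault(
            cdr_arrangement_id, Arrangement(cdr_arrangement_id))
        for token in tokens:
            arr.tokens.add(token)
            self.token_owner[token] = cdr_arrangement_id

    def revoke_token(self, token):
        """OAuth (RFC 7009) token revocation: invalidates ONE token only.
        The consent stays active, so other tokens under it keep working."""
        owner = self.token_owner.pop(token, None)
        if owner is not None:
            self.arrangements[owner].tokens.discard(token)
        return True  # RFC 7009 treats unknown tokens as already revoked

    def revoke_arrangement(self, cdr_arrangement_id):
        """CDR Arrangement Revocation: withdraws consent and invalidates
        every token under it. Returns False if the id is unknown or already revoked."""
        arr = self.arrangements.get(cdr_arrangement_id)
        if arr is None or not arr.active:
            return False
        arr.active = False
        for token in arr.tokens:
            self.token_owner.pop(token, None)
        arr.tokens.clear()
        return True

    def is_token_valid(self, token):
        owner = self.token_owner.get(token)
        return owner is not None and self.arrangements[owner].active

    def discovery(self):
        """OIDC discovery output: a post-Feb-2021 DH advertises both endpoints."""
        return {"issuer": ISSUER,
                "revocation_endpoint": ISSUER + "/revoke",
                "cdr_arrangement_revocation_endpoint": ISSUER + "/arrangements/revoke"}
```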