Archived 06/06/2023 - See CDS Guide ID Permanence and PPID, and Consumer Data Standards: Security Profile.
Question
The sequence diagram for continuing an arrangement using Pushed Authorization Request (PAR) on page 15 of the November 2020 Consent Transition Guidance Noting Paper 136 concludes with the ADR receiving an ID Token, a Refresh Token and a CDR Arrangement ID.
The original consent is revoked and a new consent is exchanged as part of this process. There is no concept of amending consent in the current rules. We expect that a subsequent step to send a consent revocation notification is required. Can this be confirmed?
If there is a notification required, we note that there is the risk of a race condition where a consent revocation notification is sent without an ADR successfully receiving tokens and an arrangement ID. How should this be addressed?
Answer
No, a notification should not be sent to the consumer. The mechanism of replacing the old consent and establishing a new consent is a technical solution to the consent flow with which the consumer is interacting. Continuing a sharing arrangement under PAR provides the technical shortcut to continue the existing arrangement to get new tokens and set up the new active consent in one authorisation request.