If the getDataHolder brands are expected to be called by the Accredited Data Recipient (ADR) to get a list of registered brands during the consent flow.
Which of the service endpoints the ADR is supposed to call to kick-start the Data Holder (DH) authorisation flow?
- Is it in publicBaseUri or resourceBaseUri?
It is assumed the ADR is then expected to register with each and every DH they need to get data from, but nowhere does it state when this is expected to be done. (before/after/in parallel with user authentication)
The Client Registration section of the CDR Register Specification describes the process, including prerequisites.
Registering with Data Holders is strongly recommended before consumers engage with ADR goods and services (applications).
Trust between an ADR and DH should be established before the consent flow is initiated by a consumer.
The sequence diagram illustrating the Registration Flows may also assist.