Archived 06/06/2023 - See CDS Guide ID Permanence and PPID, and Consumer Data Standards: Security Profile.
Question
Under the heading CDS End Points, Pushed Authorisation End Point [PAR], this statement appears:
"Data Recipients MAY send authorisation requests using [PAR] if supported by the Data Holder. Request objects which contain the cdr_arrangement_id claim MUST only be sent using [PAR]. If a Data Holder does not support [PAR], a Data Recipient SHOULD NOT provide the cdr_arrangement_id claim in the request object".
Should the Data Holder (DH) reject the request if there is a request to the authorise endpoint that contains the cdr_arrangement_id claim?
Can the Accredited Data Recipient (ADR) use the par endpoint to establish a new arrangement, with no arrangement id provided, and to amend an existing consent, with arrangement id provided?
Alternatively, should the ADR use the authorise endpoint for new arrangements and the par endpoint for existing arrangements?
Answer
Yes, the DH should reject a request to the authorise endpoint if it contains the cdr_arrangement_id claim. That is a SHOULD, not a MUST.
The par endpoint is only used to supply the request object in a secure manner. It does not remove the need to call the authorise endpoint. A new arrangement can be created with or without the use of PAR. An existing arrangement can only be amended with a request object supplied via PAR. To create or amend consent, the ADR always uses the authorise endpoint.
See:
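
The rule in the answer above, sketched as a Data Holder-side check on calls to the authorise endpoint. This is an added example, not part of the original article or of any CDS reference implementation. Assumptions: the `par_issued` store, the function names, the location of `cdr_arrangement_id` inside the request object's `claims` member, and rejecting a missing or malformed request object are all illustrative, and signature validation is assumed to happen elsewhere.

```python
import base64
import json


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def sample_request_object(claims: dict) -> str:
    """Constructed, unsigned stand-in for a request object JWT (sample input only)."""
    header = b64url(json.dumps({"alg": "PS256"}).encode())
    return f"{header}.{b64url(json.dumps(claims).encode())}.constructed-signature"


def jwt_claims(jwt: str) -> dict:
    """Decode the JWT payload. Assumption: signature validation happens elsewhere."""
    payload = jwt.split(".")[1]
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    if not isinstance(claims, dict):
        raise ValueError("payload is not a JSON object")
    return claims


def has_arrangement_id(claims: dict) -> bool:
    # Assumption: the claim sits inside the "claims" member of the request
    # object; the top level is checked too, to be conservative.
    nested = claims.get("claims")
    return "cdr_arrangement_id" in claims or (
        isinstance(nested, dict) and "cdr_arrangement_id" in nested)


def check_authorise_request(params: dict, par_issued: set) -> str:
    """Return "accept" or "reject" for a call to the authorise endpoint.

    par_issued: request_uri values handed out by the PAR endpoint (hypothetical store).
    """
    request_uri = params.get("request_uri")
    if request_uri is not None:
        # Request object arrived via PAR: new or amended arrangements are both fine.
        return "accept" if request_uri in par_issued else "reject"
    try:
        claims = jwt_claims(params.get("request") or "")
    except (IndexError, ValueError):
        return "reject"  # missing or malformed request object (assumed policy)
    # Request object passed directly: amending (cdr_arrangement_id) is PAR-only.
    return "reject" if has_arrangement_id(claims) else "accept"
```

Because rejection is a SHOULD rather than a MUST, a Data Holder that chooses not to reject should at least log the direct-request case so the non-conformant Data Recipient can be identified.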