From d116590a2e81e9df936de05165223427e5a7f44b Mon Sep 17 00:00:00 2001
From: Mark Verstege <2514377+markverstege@users.noreply.github.com>
Date: Wed, 13 Jul 2022 16:12:13 +1000
Subject: [PATCH 1/2] Standards Maintenance Issue 521: Updated transition
arrangements for implementation of the CDR Arrangement JWT method for the
Data Recipience Arrangement Revocation endpoint
---
.../endpoint-version-schedule/index.html.md | 2 +-
slate/source/includes/introduction/_fdo.md | 3 +-
.../releasenotes/releasenotes.1.18.0.html.md | 5 ++-
.../endpoints/_cdr_arrangement_revocation.md | 40 ++++++++++++++-----
4 files changed, 35 insertions(+), 15 deletions(-)
diff --git a/slate/source/includes/endpoint-version-schedule/index.html.md b/slate/source/includes/endpoint-version-schedule/index.html.md
index 1a75eb8f..a419d0a8 100644
--- a/slate/source/includes/endpoint-version-schedule/index.html.md
+++ b/slate/source/includes/endpoint-version-schedule/index.html.md
@@ -40,7 +40,7 @@ These dates may be subject to change depending upon new or changed legislative a
| **Y22 #3** | 31/08/2022 | 2 |
| **Legacy FDO** | 16/09/2022 | 1 |
| **Legacy FDO** | 01/10/2022 | 1 |
-| **Y22 #4** | 15/11/2022 | 0 |
+| **Y22 #4** | 15/11/2022 | 1 |
| **Legacy FDO** | 30/11/2022 | 3 |
| **Legacy FDO** | 05/12/2022 | 1 |
| **Legacy FDO** | 28/02/2023 | 3 |
diff --git a/slate/source/includes/introduction/_fdo.md b/slate/source/includes/introduction/_fdo.md
index be26e8d3..fa3f64ab 100644
--- a/slate/source/includes/introduction/_fdo.md
+++ b/slate/source/includes/introduction/_fdo.md
@@ -18,7 +18,7 @@ The table below highlights these areas of the standards.
|[CX Standards: Joint Accounts](#consumer-experience) | Data holders MUST implement the following data standards from 1 July 2022:- Notifications: Alternative notification schedules for joint accounts
- Notifications: Joint account alerts
- Authorisation: Pending status
- Withdrawal: Joint accounts
| July 1st 2022 |
|[Information Security profile](#security-profile) | FAPI 1.0 adoption is introduced across three phases.
Phase 1: Voluntary FAPI 1.0 support & hygiene enhancements includes, amongst other changes:- Enforces requirements for authorisation code, token and request object use
- Data Holders MAY support of FAPI 1.0 Final
- Data Holders MAY support of Authorization Code Flow (including **[[PKCE]](#nref-PKCE)** and **[[JARM]](#nref-JARM)**) in conjunction with Hybrid Flow
| July 4th 2022 |
|[Get Payee Detail V2](#get-payee-detail)|Version 2 of this end point must be made available by affected data holders by July 31st 2022|July 31st 2022|
-|[Data Recipient CDR Arrangement Endpoint](#cdr-arrangement-revocation-end-point) | From July 31st 2022, Data Recipients **MUST** only support "CDR Arrangement JWT" method and **MUST** reject "CDR Arrangement Form Parameter" method.
Data Holders **MUST** revoke consent using "CDR Arrangement JWT" method only.
Data Holders **SHOULD** use the "CDR Arrangement JWT" method from March 31st 2022| July 31st 2022 |
+|[Data Recipient CDR Arrangement Endpoint](#cdr-arrangement-revocation-end-point) | From July 31st 2022, Data Holders **MUST** revoke consent using "CDR Arrangement JWT" method.
Data Holders **SHOULD** use the "CDR Arrangement JWT" method from March 31st 2022| July 31st 2022 |
|[Get Payees V2](#get-payees)|Version 2 of this end point must be made available by affected data holders by July 31st 2022|July 31st 2022|
|[Self-Signed JWT Client Authentication](#self-signed-jwt-client-authentication) | Until July 31st 2022, Data Recipients MUST accept the [Resource Path](#uri-resource-path) for the endpoint and the ```` as a valid audience value. From July 31st 2022, Data Holders MUST use an audience value matching the Resource Path for the endpoint and the Data Recipient MUST verify the audience matches the Resource Path for the endpoint. | July 31st 2022 |
|[Get Payees V1](#get-payees)|Data holders may obsolete version 1 of this end point from August 31st 2022. Data recipients must upgrade their implementations to use version 2 by this time|August 31st 2022|
@@ -26,6 +26,7 @@ The table below highlights these areas of the standards.
|[Information Security profile](#security-profile) | FAPI 1.0 adoption is introduced across three phases.
Phase 2: FAPI 1.0 Final (Baseline & Advanced) includes, amongst other changes:- Enforces additional requirements for authorisation code, token and request object use
- Enforces PAR-only authorisation request data submission
- Refresh token cycling is not permitted
- Data Holders and Data Recipients MUST support FAPI 1.0 Final including **[[RFC9126]](#nref-RFC9126)**, **[[RFC7636]](#nref-RFC7636)** and **[[JARM]](#nref-JARM)**
- Data Holders SHOULD support of Authorization Code Flow in conjunction with Hybrid Flow
| September 16th 2022 |
|[Get Metrics V3](#get-metrics)|Version 3 of this end point must be made available by affected data holders by October 1st 2022|October 1st 2022|
|[Standard Error Codes](#error-codes) | Data Holders MAY retire application-specific error codes in favour of standard error codes from November 1st 2022 | November 1st 2022 |
+|[Data Recipient CDR Arrangement Endpoint](#cdr-arrangement-revocation-end-point) | From November 15th 2022, Data Recipients **MUST** validate the `cdr_arrangement_id`, if presented, is the same as the value included in the "CDR Arrangement JWT".| November 15th 2022 |
|[Registration Validation](#registration-validation) | Data Holders **MUST** ignore unsupported authorisation scopes presented in the SSA for the creation and update of client registrations from November 15th 2022 | November 15th 2022 |
|[Get Account Detail V2](#get-account-detail)|Version 2 of this end point must be made available by affected data holders by November 30th 2022|November 30th 2022|
|[Get Customer Detail V2](#get-customer-detail)|Version 2 of this end point must be made available by affected data holders by November 30th 2022|November 30th 2022|
diff --git a/slate/source/includes/releasenotes/releasenotes.1.18.0.html.md b/slate/source/includes/releasenotes/releasenotes.1.18.0.html.md
index 30dcb27a..f22965e6 100644
--- a/slate/source/includes/releasenotes/releasenotes.1.18.0.html.md
+++ b/slate/source/includes/releasenotes/releasenotes.1.18.0.html.md
@@ -17,7 +17,7 @@ Release notes for version v1.18.0 of the [CDR Standards](../../index.html).
This release addresses the following change requests raised on [Standards Maintenance](https://github.com/ConsumerDataStandardsAustralia/standards-maintenance/issues):
-
+- [Standards Maintenance Issue 521: Transition of required parameters in the CDR Arrangement JWT](https://github.com/ConsumerDataStandardsAustralia/standards-maintenance/issues/521)
### Decision Proposals
@@ -43,7 +43,8 @@ This release addresses the following Decision Proposals published on [Standards]
|Change|Description|Link|
|------|-----------|----|
-| | | |
+| ADR hosted CDR Arrangement Revocation Endpoint | [**Standards Maintenance #521**](https://github.com/ConsumerDataStandardsAustralia/standards-maintenance/issues/521): Updates to accomodate JWT transition for lodgement of the CDR Arrangement ID and validation logic for ADRs. | [CDR Arrangement Revocation Endpoint](../../#security-endpoints) |
+
## Consumer Experience
diff --git a/slate/source/includes/security/endpoints/_cdr_arrangement_revocation.md b/slate/source/includes/security/endpoints/_cdr_arrangement_revocation.md
index a1ff345f..0df67e6e 100644
--- a/slate/source/includes/security/endpoints/_cdr_arrangement_revocation.md
+++ b/slate/source/includes/security/endpoints/_cdr_arrangement_revocation.md
@@ -39,13 +39,18 @@ The request **MUST** include the following parameters using the ``application/x-
**CDR Arrangement JWT method**
-The request MUST include the following parameters using the ``application/x-www-form-urlencoded`` format in the HTTP request entity-body:
+The request **MUST** include the following parameters using the application/x-www-form-urlencoded format in the HTTP request entity-body:
-* ``cdr_arrangement_jwt``: A signed JWT that includes the ``cdr_arrangement_id``.
-* ``cdr_arrangement_jwt``: A newly signed JWT with the following parameters in accordance with **[[JWT]](#nref-JWT)**:
- * All parameters in accordance with Data Holders calling Data Recipients using [Self-Signed JWT Client Authentication](https://consumerdatastandardsaustralia.github.io/standards/#self-signed-jwt-client-authentication).
+* ``cdr_arrangement_jwt``: A signed JWT that includes the ``cdr_arrangement_id``.
+* ``cdr_arrangement_jwt``: A newly signed JWT with the following parameters in accordance with **[[JWT]](#nref-JWT)**:
* ``cdr_arrangement_id``: The ID of the arrangement that the client wants to revoke.
+```diff
+Changed requirements for Data Holders to advise the CDR Arrangement JWT should include all Self-Signed JWT claims
+```
+
+The ``cdr_arrangement_jwt`` **SHOULD** include all parameters in accordance with Data Holders calling Data Recipients using [Self-Signed JWT Client Authentication](https://consumerdatastandardsaustralia.github.io/standards/#self-signed-jwt-client-authentication).
+
**Data Holder hosted endpoint**
The location of the Data Holder CDR Arrangement Revocation End Point is determined by the ``cdr_arrangement_revocation_endpoint`` in the Data Holder's OpenID Provider metadata.
@@ -87,6 +92,7 @@ Host: data.recipient.com.au
Content-Type: application/x-www-form-urlencoded
Authorization: Bearer eyJhbGciOiJQUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IjEyNDU2In0.ey ...
+ cdr_arrangement_id=5a1bf696-ee03-408b-b315-97955415d1f0&
cdr_arrangement_jwt=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiIsImtpZCI6IjEyNDU2In0.ey ...
## Decoded cdr_arrangement_jwt JWT
@@ -96,10 +102,20 @@ Authorization: Bearer eyJhbGciOiJQUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IjEyNDU2In0.ey
"kid":"12456"
}
{
- "cdr_arrangement_id": "5a1bf696-ee03-408b-b315-97955415d1f0"
+ "cdr_arrangement_id": "5a1bf696-ee03-408b-b315-97955415d1f0",
+ "iss":"dataholderbrand-123",
+ "sub":"dataholderbrand-123",
+ "aud":"https://data.recipient.com.au/arrangements/revoke",
+ "iat":1516239022,
+ "exp":1516239322,
+ "jti":"dba86502-7cf5-4719-9638-c5339a0ddb06"
}
```
+```diff
++ Added November 15th 2022 transition for ADR validation of the cdr_arrangement_id
+Changed requirements to allow Data Holders to additionally send the cdr_arrangement_id as a form parameter
+```
**Data Recipient hosted endpoint**
@@ -107,13 +123,15 @@ The location of the Data Recipient Software Product CDR Arrangement Revocation E
This end point will be implemented according to the following:
-* Data Recipient Software Products MUST expose their CDR Arrangement Revocation End Point under their `recipient_base_uri` published in their Software Statement Assertion
+* Data Recipient Software Products **MUST** expose their CDR Arrangement Revocation End Point under their `recipient_base_uri` published in their Software Statement Assertion.
* Data Holders must be authenticated when they call this end point according to the guidance in the Client Authentication section.
-* If the ``cdr_arrangement_id`` is not related to the client making the call it MUST be rejected
-* **From March 31st 2022**, Data Recipients MUST support "CDR Arrangement JWT" method.
-* **Until July 31st 2022**, Data Recipients MUST support both "CDR Arrangement Form Parameter" method and "CDR Arrangement JWT" method presented to their CDR Arrangement Revocation Endpoint.
-* **From July 31st 2022**, Data Recipients MUST only support "CDR Arrangement JWT" method and MUST reject "CDR Arrangement Form Parameter" method.
-
+* If the `cdr_arrangement_id` is not related to the client making the call it **MUST** be rejected.
+* **From March 31st 2022**, Data Recipients **MUST** support the "CDR Arrangement JWT" method.
+* **From July 31st 2022**, Data Holders **MUST** send the `cdr_arrangement_id` using the "CDR Arrangement JWT" method.
+* Data Holders **MAY** additionally send a duplicate of the `cdr_arrangement_id` as a form parameter.
+* Data Recipient Software Products **MUST NOT** reject requests including the `cdr_arragement_id` as a form parameter.
+* If the `cdr_arrangement_id` is presented as a form parameter, Data Recipient Software Products **SHOULD** validate it is identical to the `cdr_arrangement_id` presented in the "CDR Arrangement JWT".
+* **From November 15th 2022**, if the `cdr_arrangement_id` is presented as a form parameter, Data Recipient Software Products **MUST** validate it is identical to the `cdr_arrangement_id` presented in the "CDR Arrangement JWT".
**Response Codes**
From 7aac481f3013e9c82ea3f7c1fb1634ab7598901a Mon Sep 17 00:00:00 2001
From: Mark Verstege <2514377+markverstege@users.noreply.github.com>
Date: Thu, 21 Jul 2022 14:49:10 +1000
Subject: [PATCH 2/2] Added clarifying statement for Data Recipient validation
---
.../includes/security/endpoints/_cdr_arrangement_revocation.md | 1 +
1 file changed, 1 insertion(+)
diff --git a/slate/source/includes/security/endpoints/_cdr_arrangement_revocation.md b/slate/source/includes/security/endpoints/_cdr_arrangement_revocation.md
index 0df67e6e..a5b777e3 100644
--- a/slate/source/includes/security/endpoints/_cdr_arrangement_revocation.md
+++ b/slate/source/includes/security/endpoints/_cdr_arrangement_revocation.md
@@ -132,6 +132,7 @@ This end point will be implemented according to the following:
* Data Recipient Software Products **MUST NOT** reject requests including the `cdr_arragement_id` as a form parameter.
* If the `cdr_arrangement_id` is presented as a form parameter, Data Recipient Software Products **SHOULD** validate it is identical to the `cdr_arrangement_id` presented in the "CDR Arrangement JWT".
* **From November 15th 2022**, if the `cdr_arrangement_id` is presented as a form parameter, Data Recipient Software Products **MUST** validate it is identical to the `cdr_arrangement_id` presented in the "CDR Arrangement JWT".
+* **From November 15th 2022**, if the Self-Signed JWT claims are presented in the "CDR Arrangement JWT", Data Recipient Software Products **MUST** validate in accordance with Data Holders calling Data Recipients using [Self-Signed JWT Client Authentication](#self-signed-jwt-client-authentication).
**Response Codes**