
How the Open Banking Consent Flow is driven by OAuth 2.0 (OIDC 1.0) metadata

Dassana Wijesekara
3 min read · May 3, 2020

The Consumer Data Right (CDR) specification of Australia defines a Consent Flow journey which the consumer navigates to authorize the sharing of his/her banking data. The consent journey is dynamic and is modeled by the metadata sent by the Accredited Data Recipient (ADR) through the OIDC 1.0 interaction.

The consent flow is triggered when the ADR makes an OAuth 2.0 authorization request to the Data Holder’s (DH) authorization endpoint. The ADR is already registered with the DH using Dynamic Client Registration (DCR). The ADR uses the client_id issued at DCR to identify itself on the authorization request. The DH uses this client_id to look up its internal ADR registry, validate the request and, if successful, load the ADR profile. Details from the ADR profile are used to generate the content of the login page as shown below.

Fig 1.0: The rendering of the login page based on the metadata in the OAuth 2.0 authorization request

Additionally, the Level of Assurance (LoA) attribute of the JWT request object may define the authentication credential requirement at the login page.

Fig 2.0: The JWT request object

The acr (access control requirement) attribute value “urn:cds.au:cdr:2” translates to LoA 2, which maps to the CL1 level of the Trusted Digital Identity Framework (TDIF) requirements. Please see below.

Fig 3.0: Extract from the Authentication Credential Requirements of the Trusted Digital Identity Framework, August 2018, version 1.3.

Once the consumer is logged in, the relevant accounts need to be selected. Information in the JWT request object is used to define the authorization scope (e.g. bank:accounts.details:read) as shown below.

Fig 4.0: How the authorization scope is translated to the data sharing scope on the account selection page.

The authorization scopes defined in the CDS 1.3.0 specification are shown below.

Fig 5.0: Authorization scope definitions from the CDS 1.3.0 specification.

The duration of data sharing needs to be shown on the data sharing confirmation page. Its value comes from the “sharing duration” claim as shown below.

Fig 6.0: Data sharing duration communicated to the consent flow renderer through the JWT request object.

With the confirmation, the consent flow terminates and the authorization flow returns to the ADR with an authorization code.
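To make the whole journey concrete, here is an added example (not code from the post or from any CDR implementation) of the Data Holder side: a request object is parsed, the client_id is matched against the DCR registry, the signature is verified before any claim is trusted, the acr value is mapped to a LoA and TDIF credential level, the scopes are turned into the data clusters for the account selection page, and sharing_duration is normalised for the confirmation page. The ADR registry entry, the consumer-facing scope labels, the cdr:3 mapping and the one-year cap on sharing_duration are assumptions; the scope names follow CDS 1.3.0 naming. A shared HMAC secret stands in for the PS256/JWKS verification a real DH performs, so that the example runs on the standard library alone.

```python
import base64
import hashlib
import hmac
import json

# Hypothetical ADR registry, standing in for what Dynamic Client Registration stored.
ADR_REGISTRY = {
    "adr-client-001": {
        "client_name": "Example Budgeting App",
        "logo_uri": "https://adr.example/logo.png",
        "redirect_uris": ["https://adr.example/callback"],
        # Real CDR request objects are PS256-signed and verified against the ADR's JWKS;
        # a constructed HMAC secret is used here only to keep the example self-contained.
        "request_object_key": b"constructed-demo-secret",
    }
}

# acr value -> Level of Assurance. cdr:2 -> LoA 2 -> TDIF CL1 follows the post; cdr:3 is an assumed extension.
ACR_TO_LOA = {
    "urn:cds.au:cdr:2": {"loa": 2, "tdif_cl": "CL1"},
    "urn:cds.au:cdr:3": {"loa": 3, "tdif_cl": "CL2"},
}

# CDS 1.3.0 scope names with constructed consumer-facing labels. None = protocol scope, not displayed.
SCOPE_LABELS = {
    "openid": None,
    "profile": None,
    "bank:accounts.basic:read": "Account name, type and balance",
    "bank:accounts.detail:read": "Account numbers and features",
    "bank:transactions:read": "Transaction details",
    "bank:payees:read": "Saved payees",
    "bank:regular_payments:read": "Direct debits and scheduled payments",
    "common:customer.basic:read": "Name and occupation",
    "common:customer.detail:read": "Contact details",
}

ONE_YEAR = 365 * 24 * 60 * 60  # assumed cap on sharing_duration, in seconds


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_request_object(claims: dict, key: bytes) -> str:
    """Build a compact HS256 JWS so the example has a request object to parse."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def parse_request_object(token: str) -> dict:
    """Validate the request object against the registered ADR profile and return the consent-page model."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("request object is not a compact JWS")
    header = json.loads(_unb64url(header_b64))
    payload = json.loads(_unb64url(payload_b64))

    # client_id is the DCR-issued identifier used to look up the ADR profile (Fig 1.0).
    adr = ADR_REGISTRY.get(payload.get("client_id"))
    if adr is None:
        raise ValueError("unknown client_id")

    # No claim is trusted until the signature checks out against the key registered for this ADR.
    if header.get("alg") != "HS256":
        raise ValueError(f"unsupported alg {header.get('alg')!r}")
    expected = hmac.new(adr["request_object_key"], f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig_b64)):
        raise ValueError("request object signature invalid")
    if payload.get("redirect_uri") not in adr["redirect_uris"]:
        raise ValueError("redirect_uri not registered for this client")

    # Requested acr values sit in claims.id_token.acr.values; the highest decides the login credential (Fig 2.0/3.0).
    acr_values = payload.get("claims", {}).get("id_token", {}).get("acr", {}).get("values", [])
    levels = [ACR_TO_LOA[v] for v in acr_values if v in ACR_TO_LOA]
    if not levels:
        raise ValueError("no supported acr value requested")
    assurance = max(levels, key=lambda lvl: lvl["loa"])

    # Authorization scopes become the data clusters on the account selection page (Fig 4.0/5.0).
    requested = payload.get("scope", "").split()
    unknown = [s for s in requested if s not in SCOPE_LABELS]
    if unknown:
        raise ValueError(f"unsupported scopes: {unknown}")
    data_clusters = [SCOPE_LABELS[s] for s in requested if SCOPE_LABELS[s]]

    # sharing_duration is in seconds; 0 or absent means one-off access, anything longer is capped (Fig 6.0).
    duration = int(payload.get("sharing_duration", 0))
    if duration < 0:
        raise ValueError("sharing_duration must not be negative")
    duration = min(duration, ONE_YEAR)

    return {
        "client_name": adr["client_name"],
        "logo_uri": adr["logo_uri"],
        "login_loa": assurance["loa"],
        "tdif_credential_level": assurance["tdif_cl"],
        "data_clusters": data_clusters,
        "sharing_days": duration // 86400,
        "one_off": duration == 0,
    }


# Constructed request object claims from the hypothetical ADR above (90-day sharing, LoA 2).
SAMPLE_CLAIMS = {
    "iss": "adr-client-001", "aud": "https://dh.example", "client_id": "adr-client-001",
    "response_type": "code id_token", "redirect_uri": "https://adr.example/callback",
    "scope": "openid profile bank:accounts.basic:read bank:accounts.detail:read bank:transactions:read",
    "sharing_duration": 7776000,
    "claims": {"id_token": {"acr": {"essential": True, "values": ["urn:cds.au:cdr:2"]}}},
}
SAMPLE_TOKEN = sign_request_object(SAMPLE_CLAIMS, ADR_REGISTRY["adr-client-001"]["request_object_key"])

if __name__ == "__main__":
    print(json.dumps(parse_request_object(SAMPLE_TOKEN), indent=2))
```

The order of checks matters: the registry lookup comes first so the DH knows which key to verify with, but nothing from the payload drives the rendered page until the signature has been verified and the redirect_uri matched against the registration. A tampered scope or sharing_duration therefore fails at the signature step rather than reaching the consent screen.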

Written by Dassana Wijesekara

Technology evangelist and enterprise software architect with many years spent designing world-class mission-critical software. Pilot, artist, musician and photographer.