{ "swagger" : "2.0", "info" : { "description" : "This specification defines the APIs for Data Holders exposing Dynamic Client Registration endpoints.", "version" : "1.13.0", "title" : "CDR Dynamic Client Registration API" }, "host" : "data.holder.com.au", "basePath" : "/register", "schemes" : [ "https" ], "consumes" : [ "application/jwt" ], "produces" : [ "application/json" ], "paths" : { "/register" : { "post" : { "tags" : [ "Client Registration" ], "summary" : "Register Data Recipient oAuth Client", "description" : "Register a client using a CDR Register issued Software Statement Assertion.", "operationId" : "PostDataRecipientRegistration", "parameters" : [ { "in" : "body", "name" : "ClientRegistrationRequest", "description" : "The registration request JWT to be used to register with a Data Holder.", "required" : true, "schema" : { "$ref" : "#/definitions/ClientRegistrationRequest" } } ], "responses" : { "201" : { "description" : "Client registration success", "schema" : { "$ref" : "#/definitions/RegistrationProperties" } }, "400" : { "description" : "Request failed due to client error", "schema" : { "$ref" : "#/definitions/RegistrationError" } } } } }, "/register/{ClientId}" : { "get" : { "tags" : [ "Client Registration" ], "summary" : "Get oAuth Client Registration", "description" : "Get a Client Registration for a given Client ID.", "operationId" : "GetClientRegistration", "parameters" : [ { "name" : "ClientId", "in" : "path", "description" : "The client ID issued by the target Data Holder", "required" : true, "type" : "string" }, { "name" : "Authorization", "in" : "header", "description" : "An Authorisation Token as per [RFC6750](https://tools.ietf.org/html/rfc6750)", "required" : true, "type" : "string" } ], "responses" : { "200" : { "description" : "Client registration retrieval success", "schema" : { "$ref" : "#/definitions/RegistrationProperties" } }, "401" : { "description" : "Request failed due to unknown or invalid Client or invalid access token", "headers" : { "WWW-Authenticate" : { "type" : "string", "description" : "The Response Header Field as per [RFC6750](https://tools.ietf.org/html/rfc6750)", "pattern" : "^Bearer .*" } } }, "403" : { "description" : "The client does not have permission to read, update or delete the Client" } }, "x-scopes" : [ "cdr:registration" ] }, "put" : { "tags" : [ "Client Registration" ], "summary" : "Update Data Recipient Registration", "description" : "Update a Client Registration for a given Client ID.", "operationId" : "PutDataRecipientRegistration", "parameters" : [ { "in" : "body", "name" : "ClientRegistrationRequest", "description" : "The registration request JWT to be used to register with a Data Holder.", "required" : true, "schema" : { "$ref" : "#/definitions/ClientRegistrationRequest" } }, { "name" : "ClientId", "in" : "path", "description" : "The client ID issued by the target Data Holder", "required" : true, "type" : "string" }, { "name" : "Authorization", "in" : "header", "description" : "An Authorisation Token as per [RFC6750](https://tools.ietf.org/html/rfc6750)", "required" : true, "type" : "string" } ], "responses" : { "200" : { "description" : "Client registration update success", "schema" : { "$ref" : "#/definitions/RegistrationProperties" } }, "400" : { "description" : "Request failed due to client error", "schema" : { "$ref" : "#/definitions/RegistrationError" } }, "401" : { "description" : "Request failed due to unknown or invalid Client or invalid access token", "headers" : { "WWW-Authenticate" : { "type" : "string", "description" : "The Response Header Field as per [RFC6750](https://tools.ietf.org/html/rfc6750)", "pattern" : "^Bearer .*" } } }, "403" : { "description" : "The client does not have permission to read, update or delete the Client" } }, "x-scopes" : [ "cdr:registration" ] }, "delete" : { "tags" : [ "Client Registration" ], "summary" : "Delete Data Recipient oAuth Client Registration", "description" : "Delete a Client Registration for a given Client ID.", "operationId" : "DeleteDataRecipientRegistration", "parameters" : [ { "name" : "ClientId", "in" : "path", "description" : "The client ID issued by the target Data Holder", "required" : true, "type" : "string" }, { "name" : "Authorization", "in" : "header", "description" : "An Authorisation Token as per [RFC6750](https://tools.ietf.org/html/rfc6750)", "required" : true, "type" : "string" } ], "responses" : { "204" : { "description" : "Client deleted" }, "401" : { "description" : "Request failed due to unknown or invalid Client or invalid access token", "headers" : { "WWW-Authenticate" : { "type" : "string", "description" : "The Response Header Field as per [RFC6750](https://tools.ietf.org/html/rfc6750)", "pattern" : "^Bearer .*" } } }, "403" : { "description" : "The client does not have permission to read, update or delete the Client" }, "405" : { "description" : "Method Not Allowed. The requested method is unsupported" } }, "x-scopes" : [ "cdr:registration" ] } } }, "definitions" : { "ClientRegistrationRequest" : { "type" : "string", "format" : "JWT", "description" : "The registration request JWT to be used to register with a Data Holder.", "example" : "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..." }, "RegistrationProperties" : { "type" : "object", "required" : [ "client_description", "client_id", "client_name", "client_uri", "grant_types", "id_token_encrypted_response_alg", "id_token_encrypted_response_enc", "jwks_uri", "logo_uri", "org_id", "org_name", "redirect_uris", "request_object_signing_alg", "response_types", "scope", "software_id", "software_statement", "token_endpoint_auth_method", "token_endpoint_auth_signing_alg" ], "properties" : { "client_id" : { "type" : "string", "example" : "35a5a70b-5b8d-41f4-9cbd-96cfbc15c58a", "description" : "Data Holder issued client identifier string" }, "client_id_issued_at" : { "type" : "integer", "format" : "int32", "example" : 1571808167, "description" : "Time at which the client identifier was issued expressed as seconds since 1970-01-01T00:00:00Z as measured in UTC" }, "client_name" : { "type" : "string", "example" : "Mock Software", "description" : "Human-readable string name of the software product to be presented to the end-user during authorization" }, "client_description" : { "type" : "string", "example" : "A mock software product", "description" : "Human-readable string name of the software product description to be presented to the end user during authorization" }, "client_uri" : { "type" : "string", "example" : "https://www.mockcompany.com.au", "description" : "URL string of a web page providing information about the client" }, "legal_entity_id" : { "type" : "string", "example" : "344F0E809-BDBE-4F8E-BD30-5E6C3CB78D7B", "description" : "A unique identifier string assigned by the CDR Register that identifies the Accredited Data Recipient Legal Entity" }, "legal_entity_name" : { "type" : "string", "example" : "Mock Company Pty Ltd.", "description" : "Human-readable string name of the Accredited Data Recipient Legal Entity" }, "org_id" : { "type" : "string", "example" : "3B0B0A7B-3E7B-4A2C-9497-E357A71D07C8", "description" : "A unique identifier string assigned by the CDR Register that identifies the Accredited Data Recipient Brand" }, "org_name" : { "type" : "string", "example" : "Mock Company Brand.", "description" : "Human-readable string name of the Accredited Data Recipient to be presented to the end user during authorization" }, "redirect_uris" : { "type" : "array", "example" : [ "https://www.mockcompany.com.au/redirects/redirect1", "https://www.mockcompany.com.au/redirects/redirect2" ], "description" : "Array of redirection URI strings for use in redirect-based flows. If used, redirect_uris MUST match or be a subset of the redirect_uris as defined in the SSA", "items" : { "type" : "string", "format" : "uri" } }, "sector_identifier_uri" : { "type" : "string", "example" : "https://www.mockcompany.com.au/sector_identifier.json", "description" : "URL string referencing the client sector identifier URI, used as an optional input to the Pairwise Identifier" }, "logo_uri" : { "type" : "string", "example" : "https://www.mockcompany.com.au/logos/logo1.png", "description" : "URL string that references a logo for the client. If present, the server SHOULD display this image to the end-user during approval" }, "tos_uri" : { "type" : "string", "example" : "https://www.mockcompany.com.au/tos.html", "description" : "URL string that points to a human-readable terms of service document for the Software Product" }, "policy_uri" : { "type" : "string", "example" : "https://www.mockcompany.com.au/policy.html", "description" : "URL string that points to a human-readable policy document for the Software Product" }, "jwks_uri" : { "type" : "string", "example" : "https://www.mockcompany.com.au/jwks", "description" : "URL string referencing the client JSON Web Key (JWK) Set [RFC7517] document, which contains the client public keys" }, "revocation_uri" : { "type" : "string", "example" : "https://www.mockcompany.com.au/revocation", "description" : "URI string that references the location of the Software Product consent revocation endpoint" }, "recipient_base_uri" : { "type" : "string", "example" : "https://www.mockcompany.com.au", "description" : "Base URI for the Consumer Data Standard Data Recipient endpoints. This should be the base to provide reference to all other Data Recipient Endpoints" }, "token_endpoint_auth_method" : { "type" : "string", "description" : "The requested authentication method for the token endpoint", "enum" : [ "private_key_jwt" ] }, "token_endpoint_auth_signing_alg" : { "type" : "string", "description" : "The algorithm used for signing the JWT", "enum" : [ "PS256", "ES256" ] }, "grant_types" : { "type" : "array", "description" : "Array of OAuth 2.0 grant type strings that the client can use at the token endpoint", "items" : { "type" : "string", "enum" : [ "client_credentials", "authorization_code", "refresh_token" ] } }, "response_types" : { "type" : "array", "description" : "Array of the OAuth 2.0 response type strings that the client can use at the authorization endpoint.", "items" : { "type" : "string", "enum" : [ "code id_token" ] } }, "application_type" : { "type" : "string", "description" : "Kind of the application. The only supported application type will be `web`", "enum" : [ "web" ] }, "id_token_signed_response_alg" : { "type" : "string", "description" : "Algorithm with which an id_token is to be signed", "enum" : [ "PS256", "ES256" ] }, "id_token_encrypted_response_alg" : { "type" : "string", "example" : "RSA-OAEP", "description" : "JWE `alg` algorithm with which an id_token is to be encrypted" }, "id_token_encrypted_response_enc" : { "type" : "string", "example" : "A256GCM", "description" : "JWE `enc` algorithm with which an id_token is to be encrypted" }, "request_object_signing_alg" : { "type" : "string", "description" : "Algorithm which the ADR expects to sign the request object if a request object will be part of the authorization request sent to the Data Holder", "enum" : [ "PS256", "ES256" ] }, "software_statement" : { "type" : "string", "format" : "JWT", "description" : "The Software Statement Assertion, as defined in CDR standards" }, "software_id" : { "type" : "string", "example" : "740C368F-ECF9-4D29-A2EA-0514A66B0CDE", "description" : "String representing a unique identifier assigned by the Register and used by registration endpoints to identify the software product to be dynamically registered.

The \"software_id\" will remain the same for the lifetime of the product, across multiple updates and versions" }, "software_roles" : { "type" : "string", "example" : "data-recipient-software-product", "description" : "String containing a role of the software in the CDR Regime. Initially the only value used with be `data-recipient-software-product`" }, "scope" : { "type" : "string", "example" : "openid profile bank:accounts.basic:read bank:accounts.detail:read bank:transactions:read bank:payees:read bank:regular_payments:read common:customer.basic:read common:customer.detail:read cdr:registration", "description" : "String containing a space-separated list of scope values that the client can use when requesting access tokens." } } }, "ClientRegistration" : { "allOf" : [ { "type" : "object", "required" : [ "aud", "exp", "iat", "iss", "jti" ], "properties" : { "iss" : { "type" : "string", "example" : "CDR Software Product ID", "description" : "Contains the identifier for the ADR Software Product (SoftwareProductId) as defined in the CDR Register" }, "iat" : { "type" : "integer", "format" : "int32", "example" : 1571808167, "description" : "The time at which the request was issued by the Data Recipient expressed as seconds since 1970-01-01T00:00:00Z as measured in UTC" }, "exp" : { "type" : "integer", "format" : "int32", "example" : 2147483646, "description" : "The time at which the request expires expressed as seconds since 1970-01-01T00:00:00Z as measured in UTC" }, "jti" : { "type" : "string", "example" : "37747cd1c10545699f754adf28b73e31", "description" : "Unique identifier for the JWT, used to prevent replay of the token" }, "aud" : { "type" : "string", "example" : "https://secure.api.dataholder.com/issuer", "description" : "'Contains the Data Holder issuer value as described in the OIDC Discovery Document" } } }, { "$ref" : "#/definitions/RegistrationProperties" } ] }, "RegistrationError" : { "type" : "object", "required" : [ "error" ], "properties" : { "error" : { "type" : "string", "description" : "Predefined error code as described in [section 3.3 OIDC Dynamic Client Registration](https://openid.net/specs/openid-connect-registration-1_0.html)", "enum" : [ "invalid_redirect_uri", "invalid_client_metadata", "invalid_software_statement", "unapproved_software_statement" ] }, "error_description" : { "type" : "string", "description" : "Additional text description of the error for debugging." } } } }, "parameters" : { "Authorization" : { "name" : "Authorization", "in" : "header", "description" : "An Authorisation Token as per [RFC6750](https://tools.ietf.org/html/rfc6750)", "required" : true, "type" : "string" }, "ClientId" : { "name" : "ClientId", "in" : "path", "description" : "The client ID issued by the target Data Holder", "required" : true, "type" : "string" } }, "responses" : { "400Error" : { "description" : "Request failed due to client error", "schema" : { "$ref" : "#/definitions/RegistrationError" } }, "401Error" : { "description" : "Request failed due to unknown or invalid Client or invalid access token", "headers" : { "WWW-Authenticate" : { "type" : "string", "description" : "The Response Header Field as per [RFC6750](https://tools.ietf.org/html/rfc6750)", "pattern" : "^Bearer .*" } } }, "403Error" : { "description" : "The client does not have permission to read, update or delete the Client" }, "405Error" : { "description" : "Method Not Allowed. The requested method is unsupported" } } }