V1.24.0 Release Notes

Release notes for version v1.24.0 of the CDR Standards.

Changes Made

Change Requests

This release addresses the following minor defects raised on Standards Staging:

• None

This release addresses the following change requests raised on Standards Maintenance:

• Standards Maintenance Issue 483 - Large payload tier description error
• Standards Maintenance Issue 496 - Unauthenticated energy routes have unclear header documentation
• Standards Maintenance Issue 520 - Stepped solar feed in tariffs in Energy
• Standards Maintenance Issue 532 - Update x-fapi-auth-date description for Customer APIs
• Standards Maintenance Issue 535 - Standard appears to redefine requirements for private_key_jwt authentication
• Standards Maintenance Issue 565 - Maintenance Iteration 14 Holistic Feedback
• Standards Maintenance Issue 574 - Additional functionality to support account selection
• Standards Maintenance Issue 577 - Updates to Certificate Management

Decision Proposals

This release addresses the following Decision Proposals published on Standards:

• Decision Proposal 281 - Maintenance Iteration 14

Introduction

No Change

High Level Standards

Change	Description	Link
Non Functional Requirements - Large Payloads	Corrected the requirement to remove reference to "unattended" because the tier applies to all calls both attended and unattended.	Non-Functional Requirements
RateString example clarification	Standards Maintenance #565: Added actual % values represented by examples for RateString field type. Addresses Issue 565 comment.	Common Field Types

API End Points

Change	Description	Link
Bug Fix: Energy Public Endpoints	Standards Maintenance #496: Removed x-fapi-interaction-id from response headers of Get Energy Plans and Get Energy Plan Details public APIs.	Energy APIs
x-fapi-auth-date references in Customer resource APIs	Standards Maintenance #532: Aligned header documentation for for x-fapi-auth-date references in the Customer APIs to be consistent with the Banking APIs and Header section definitions.	Customer APIs
Admin APIs - spelling correction	Standards Maintenance #565: Corrected spelling mistake in description of RejectionMetricsV2.unauthenticated field. Addresses Issue 565 comment.	Admin APIs
Banking APIs - description update	Standards Maintenance #565: Fixed description of BankingAccountDetailV3.lendingRates field. Addresses Issue 565 comment.	Banking APIs
Minor corrections	Standards Maintenance #565: Corrected various spelling and grammatical mistakes. Standardised post codes into postcode. Addresses Issue 565 comment. Corrected grammatical mistakes in Session Requirements section. Addresses Issue 565 comment. Corrected typo in Error Codes section. Addresses Issue 565 comment.	Banking APIs Energy APIs Telco APIs Session Requirements Error Codes
Get Metrics APIs - description update	Standards Maintenance #565: Updated description of period parameter in Get Metrics API. Addresses Issue 565 comment. Updated description of SecondaryHolderMetrics.rejections. Addresses Issue 565 comment.	Admin APIs
Product & Account Components - description update	Standards Maintenance #565: Updated description of PENSION_RECIPIENT value in Product Eligibility Types and Product Discount Eligibility Types tables. Addresses Issue 565 comment.	Product & Account Components
CORS clarification	Standards Maintenance #565: Added statements noting CORS is not required at relevant DCR and Register APIs. Addresses Issue 565 comment.	DCR APIs Register APIs
Energy APIs	Standards Maintenance #520: Added rates object to EnergyPlanSolarFeedInTariff structure. Incremented versions of Get Generic Plan Detail and Get Energy Account Detail APIs.	Energy APIs

Information Security Profile

Change	Description	Link
RFC6749 conformant Private Key JWT Client Authentication	Change to support [RFC7521] such that, until November 13th 2023, clients authenticating using Private Key JWT are recommended to provide the client_id, but no longer required. From November 13th 2023, it is then optional to provide the client_id. This applies to ADRs and the CDR Register authenticating with Data Holders and ADRs authenticating with the CDR Register. During the RECOMMENDED phase in period, Data Holders and the CDR Register may reject clients that do not provide the client_id. ADRs may re-attempt client authentication by providing the client_id. During this phase in period, Data Holders and the CDR Register may stop requiring the client_id. If the client provides the client_id, the Data Holder/CDR Register must validate that its value is the same as the iss and sub claims in accordance with RFC7521	Private Key JWT Client Authentication
Certificate Management corrections	Standards Maintenance #565: Updated wording and corrected a typo in the "Issued by the Register CA for Data Recipients" table. Corrected a typo in the "CDR Certificate Authority" section. Addresses Issue 565 comment.	Certificate Management
CORS clarification	Standards Maintenance #565: Added statements noting CORS is not required at relevant endpoints in Security Endpoints section. Addresses Issue 565 comment.	Security Endpoints
Certificate Management	Updated the Certificate Management Section with following: Made various changes to the Certificate Signing Request Profile table to provide additional guidance to participants. Removed the Test Environment details from the Certificate Trust Model section	Certificate Management

Consumer Experience

Change	Description	Link
New Authorisation CX Standard	Standards Maintenance #574: Added new Authorisation CX Standard for additional account selection functionality in the authorisation flow.	Authorisation Standards

Non Functional Requirements

Change	Description	Link
Performance Requirements	Standards Maintenance #565: Listed specific APIs in the Unattended section. Fixed incorrect Energy API names. Addresses Issue 565 comment.	Performance Requirements

Known Issues

No Change