V1.37.0 Release Notes
Release notes for version 1.37.0 of the CDR Data Standards.
Changes Made
Change Requests
This release addresses the following minor defects raised on Standards Staging:
This release addresses the following change requests raised on Standards Maintenance:
Decisions
This release addresses the following Decisions published on Standards:
General Changes
| Change | Description | Link |
| --- | --- | --- |
| Standards staging fixes | Standards Staging #493: Minor updates to the standards development codebase. | |
Introduction
| Change | Description | Link |
| --- | --- | --- |
| Updated Chair detail | Decision #210: Added Dr Scott Farrell as the new Data Standards Chair. | Data Standards Chair |
| Updated FDOs | Decision #210: Removed past FDOs and added new FDOs for: Adoption of FAPI 2.0; Communications Protocol; Client Authentication; HTTP Headers; Resource endpoint version increment; Shared Responsibility > Energy > Endpoint Variations. | Future Dated Obligations |
| Normative References | Decision #210: Updated Normative References, including titles, descriptions and links, to reflect current locations and details. Replaced FAPI 1.0 references with FAPI 2.0. | Normative References |
| Informative References | Decision #210: Updated Informative References, including descriptions and links, to reflect current locations and details. Added [OpenID-Certification]. | Informative References |
| Updated FDOs | Decision #374: Added new FDOs for the new Redirect to Web, One Time Password Credential Requirements and Restricted Credentials sections, the updated Pushed Authorisation Request endpoint, the new Get Configuration endpoint and the updated Get Metrics endpoint. | Future Dated Obligations |
High Level Standards
| Change | Description | Link |
| --- | --- | --- |
| FAPI and Correlation headers | Decision #210: Updated Request Headers: removed x-fapi-auth-date and x-fapi-customer-ip-address; added x-fapi-end-user-present, x-cds-authorisation-attempt-id and x-cds-authorisation-intent-id. Updated Response Headers: added x-cds-authorisation-attempt-id and x-cds-authorisation-intent-id. | HTTP Headers |
| Updated HTTP Headers | Decision #374: Added the x-cds-originating-channel header for PAR requests. | HTTP Headers |
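As an added example of the header migration these two rows describe (not code from the Data Standards or any participant), the check below parses the head of a raw HTTP/1.1 request and reports request headers this release removed, naming the successor header where the release gives one, and a PAR request that lacks the x-cds-originating-channel header the release makes mandatory. The PAR path "/par", the host name, the header value "app" and the sample requests are constructed for the example; a real data holder's PAR endpoint is whatever its discovery metadata publishes.

```python
"""
Request-header migration check for CDR Data Standards v1.37.0.

Added example, not the Data Standards' or any data holder's code. Parses the head of
a raw HTTP/1.1 request and reports (a) request headers removed by Decision #210, with
the replacement header where one exists, and (b) a PAR request missing the
x-cds-originating-channel header required by Decision #374. The PAR path, host name
and sample header values below are constructed placeholders.
"""

# Request headers removed from the HTTP Headers table (Decision #210).
REMOVED_REQUEST_HEADERS = {"x-fapi-auth-date", "x-fapi-customer-ip-address"}
# Successor header where the release names one.
REPLACED_BY = {"x-fapi-customer-ip-address": "x-fapi-end-user-present"}
# Header made mandatory on PAR requests (Decision #374).
PAR_REQUIRED_HEADER = "x-cds-originating-channel"


def parse_request_head(raw: str):
    """Return (method, target, headers) for a raw HTTP/1.1 request.

    Only the request head (before the first blank line) is parsed, so the body is
    ignored. Header names are lower-cased because HTTP header names are
    case-insensitive; values keep any colons after the first.
    """
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    request_line, *header_lines = head.split("\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        if not line.strip():
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def check_request(raw: str, par_path: str = "/par") -> list[str]:
    """Return migration findings for one request; an empty list means clean."""
    method, target, headers = parse_request_head(raw)
    findings = []
    for name in sorted(REMOVED_REQUEST_HEADERS & headers.keys()):
        note = f"{name} was removed in v1.37.0"
        if name in REPLACED_BY:
            note += f"; send {REPLACED_BY[name]} instead"
        findings.append(note)
    # Match on the path only so a query string cannot hide a PAR request.
    is_par = method == "POST" and target.split("?", 1)[0] == par_path
    if is_par and PAR_REQUIRED_HEADER not in headers:
        findings.append(f"PAR request is missing mandatory {PAR_REQUIRED_HEADER}")
    return findings


# Constructed sample requests; every value is a placeholder, not real data.
PAR_PRE_137 = (
    "POST /par HTTP/1.1\r\n"
    "Host: dh.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "x-fapi-auth-date: Tue, 11 Sep 2012 19:43:31 GMT\r\n"
    "x-fapi-customer-ip-address: 203.0.113.5\r\n"
    "\r\n"
    "client_id=adr-client&response_type=code\r\n"
)
PAR_137 = (
    "POST /par HTTP/1.1\r\n"
    "Host: dh.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "X-CDS-Originating-Channel: app\r\n"   # mixed case on purpose: names are case-insensitive
    "\r\n"
    "client_id=adr-client&response_type=code\r\n"
)
RESOURCE_PRE_137 = (
    "GET /cds-au/v1/banking/accounts HTTP/1.1\r\n"
    "Host: dh.example\r\n"
    "Authorization: Bearer placeholder-token\r\n"
    "x-fapi-customer-ip-address: 203.0.113.5\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, sample in (("PAR (pre-1.37)", PAR_PRE_137), ("PAR (1.37)", PAR_137),
                          ("resource (pre-1.37)", RESOURCE_PRE_137)):
        print(label, check_request(sample) or "clean")
```

The check only reports presence and absence; it does not validate the value of x-fapi-end-user-present or x-cds-originating-channel, because this page does not state their permitted values.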
Authentication Schedule
Consumer Experience
| Change | Description | Link |
| --- | --- | --- |
| Clarification of Consent Standards | Decision #210: Removed row "Consent: Amendment of Collection Consents and Authorisations". | Consent Standards |
| Clarification of Amending Consent Standards | Decision #210: Added row "Amending Consent: Amendment of Collection Consents and Authorisations". | Amending Consent Standards |
| Clarification of Amending Authorisation Standards | Decision #210: Minor updates to add introductory text and clarify area titles for consistency. | Amending Authorisation Standards |
| Authentication Standards additions | Decision #374: In the Common Authentication Standards table, renamed the 'App install' row to 'Digital onboarding' with additional detail, and added new rows for accessibility, error messaging and unique identifier. | Common Authentication Standards |
Security Profile
| Change | Description | Link |
| --- | --- | --- |
| General changes | Decision #210: Applied section numbering for reference throughout the Security Profile section; replaced FAPI 1.0 references with FAPI 2.0; removed past FDOs; removed deprecated hybrid flow details; updated the Authorization Code Flow section; updated the Private Key JWT Client Authentication section; updated the Self-signed JWT Client Authentication section; updated the Software Statement Assertion (SSA) section for clarity; updated the normative reference link in the Scopes and Claims section; updated the Tokens section to remove past FDOs and references to hybrid flow and FAPI 1.0; updated the Request Object section to reflect the removal of hybrid flow and the addition of FAPI 2.0, with updated non-normative examples and references to the updated CX documentation; updated the Security Endpoints section. | Security Profile |
| Added section | Decision #210: Added Communications Protocol section. | Communications Protocol |
| Non-normative Examples | Decision #210: Updated non-normative examples for the fields iss, issuer, aud, sub and client_id. | Security Profile |
| RAR support | Decision #210: Added detail for the optional support of Rich Authorization Requests (RAR) in applicable sections. | Security Profile |
| Update to Baseline Credential Requirements | Decision #374: Updated data holder requirements to expect a risk assessment to determine appropriate authentication levels. | Credential Requirements |
| Updates to OTPs | Decision #374: Updated the One Time Password Credential Requirements section to increase the OTP length requirement to 6-10 digits, changed the OTP algorithm requirement from SHOULD to SHALL, and added that OTPs SHALL be delivered to a channel that has been pre-registered and is currently elected to receive authentication secrets. | Credential Requirements |
| Updates to Restricted Credentials | Decision #374: Updated the Restricted Credentials section to discourage SMS and email as OTP delivery mechanisms. | Credential Requirements |
| Updated PAR request headers | Decision #374: Updated the Pushed Authorisation endpoint to require the x-cds-originating-channel header on PAR requests. | Pushed Authorisation endpoint |
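The OTP and Restricted Credentials rows above state requirements on length, algorithm and delivery channel without showing what an implementation that meets them looks like. The following is an added example, not the Data Standards' or any data holder's code: it issues a 6-10 digit OTP only to a channel the consumer has pre-registered and currently elects to receive authentication secrets on, flags SMS and email delivery as discouraged, and verifies the code in constant time with single use. The choice of a CSPRNG (Python's `secrets`) as the algorithm, the five-minute expiry, the three-attempt limit, the in-memory registry and the sample channels are assumptions made for the example; the page does not specify them.

```python
"""
One-time-password issuance and verification shaped by the v1.37.0 OTP credential
requirements: 6-10 digit codes delivered only to a pre-registered channel that is
currently elected to receive authentication secrets, with SMS and email flagged as
discouraged delivery mechanisms.

Added example, not the Data Standards' or any data holder's code. The CSPRNG choice,
expiry, attempt limit, in-memory registry and sample channels are assumptions.
"""
import hmac
import secrets
import time
from dataclasses import dataclass

OTP_MIN_DIGITS = 6
OTP_MAX_DIGITS = 10
# Delivery mechanisms the Restricted Credentials section discourages for OTPs.
DISCOURAGED_CHANNEL_KINDS = {"sms", "email"}


@dataclass
class Channel:
    address: str                # phone number, e-mail address or push token (constructed)
    kind: str                   # "sms", "email" or "app"
    elected_for_secrets: bool   # consumer currently elects to receive auth secrets here


@dataclass
class PendingOtp:
    code: str
    channel: Channel
    expires_at: float
    attempts_left: int = 3      # assumed limit before the code is burned


class OtpService:
    def __init__(self, digits: int = 6, ttl_seconds: int = 300, clock=time.time):
        if not OTP_MIN_DIGITS <= digits <= OTP_MAX_DIGITS:
            raise ValueError("OTP length must be between 6 and 10 digits")
        self.digits = digits
        self.ttl = ttl_seconds
        self.clock = clock                               # injectable so expiry is testable
        self.registry: dict[str, list[Channel]] = {}     # customer id -> registered channels
        self.pending: dict[str, PendingOtp] = {}         # customer id -> outstanding OTP

    def register_channel(self, customer_id: str, channel: Channel) -> None:
        self.registry.setdefault(customer_id, []).append(channel)

    def generate_code(self) -> str:
        # secrets.randbelow draws from the OS CSPRNG without modulo bias; zfill keeps
        # leading zeros so every code is exactly `digits` long.
        return str(secrets.randbelow(10 ** self.digits)).zfill(self.digits)

    def issue(self, customer_id: str, address: str) -> tuple[str, list[str]]:
        """Issue an OTP for delivery to `address`; returns (code, warnings).

        The code is returned here only so the example is testable. A real data holder
        hands it to the delivery channel and never exposes it to the API caller.
        """
        channel = next((c for c in self.registry.get(customer_id, []) if c.address == address), None)
        if channel is None:
            raise PermissionError("channel is not pre-registered for this customer")
        if not channel.elected_for_secrets:
            raise PermissionError("channel is not currently elected to receive authentication secrets")
        warnings = []
        if channel.kind in DISCOURAGED_CHANNEL_KINDS:
            warnings.append(f"{channel.kind} delivery is discouraged for OTPs")
        code = self.generate_code()
        # A fresh code replaces any outstanding one, so at most one code is live.
        self.pending[customer_id] = PendingOtp(code, channel, self.clock() + self.ttl)
        return code, warnings

    def verify(self, customer_id: str, submitted: str) -> bool:
        pending = self.pending.get(customer_id)
        if pending is None:
            return False
        if self.clock() > pending.expires_at:
            del self.pending[customer_id]
            return False
        pending.attempts_left -= 1
        # Constant-time comparison; a guess of the wrong length simply compares unequal.
        ok = hmac.compare_digest(pending.code.encode(), str(submitted).encode())
        if ok or pending.attempts_left <= 0:
            del self.pending[customer_id]   # single use, and burned after too many failures
        return ok
```

Two details matter in practice: the code is padded to a fixed length so a leading zero is never dropped by an integer conversion, and the comparison goes through `hmac.compare_digest` so a wrong guess takes the same time regardless of how many leading digits matched.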
DCR APIs
| Change | Description | Link |
| --- | --- | --- |
| General changes | Decision #210: Updated the non-normative example; removed details related to deprecated hybrid flow options and the prior optionality of PAR. | DCR APIs |
Register APIs
None
Authorisation Scopes
None
Non-functional Requirements
| Change | Description | Link |
| --- | --- | --- |
| Updated Definitions | Decision #210: Updated the 'Customer Present' definition by replacing the x-fapi-customer-ip-address header with x-fapi-end-user-present. | Definitions |
Banking APIs
| Change | Description | Link |
| --- | --- | --- |
| Updated Parameters | Decision #210: Updated endpoint Parameters tables to remove x-fapi-auth-date and replace x-fapi-customer-ip-address with x-fapi-end-user-present. Incremented all affected endpoints. | Banking APIs |
Energy APIs
| Change | Description | Link |
| --- | --- | --- |
| Updated Parameters | Decision #210: Updated endpoint Parameters tables to remove x-fapi-auth-date and replace x-fapi-customer-ip-address with x-fapi-end-user-present. Incremented all affected endpoints. | Energy APIs |
Common APIs
| Change | Description | Link |
| --- | --- | --- |
| Updated Parameters | Decision #210: Updated endpoint Parameters tables to remove x-fapi-auth-date and replace x-fapi-customer-ip-address with x-fapi-end-user-present. Incremented all affected endpoints. | Common APIs |
| Added Get Configuration endpoint | Decision #374: Added the Get Configuration endpoint to support discovery of authentication level requirements. | Common APIs |
Admin APIs
| Change | Description | Link |
| --- | --- | --- |
| Updated Get Metrics | Decision #374: Updated the Get Metrics endpoint to v6 to support authentication metrics. | Admin APIs |
Shared Responsibility
| Change | Description | Link |
| --- | --- | --- |
| Updated header detail | Decision #210: Removed references to the deprecated headers x-fapi-auth-date and x-fapi-customer-ip-address in the Endpoint Variations section. Added a requirement for x-fapi-end-user-present to be forwarded to AEMO to support NFRs. | Endpoint Variations |
Energy Secondary DH APIs
| Change | Description | Link |
| --- | --- | --- |
| Updated endpoint parameters | Decision #210: Added the x-fapi-end-user-present header to the Energy Secondary DH APIs to support NFRs. Incremented all affected endpoints. | Energy Secondary DH APIs |
Additional Standards
None
Known Issues
None