openapi: 3.0.3 info: description: This specification defines the APIs for Data Holders exposing Dynamic Client Registration endpoints. title: CDR Dynamic Client Registration API version: 1.29.1 servers: - url: https://data.holder.com.au/ paths: /register: post: description: "Register a client using a CDR Register issued Software Statement\ \ Assertion. \n\nThis endpoint does not require CORS." operationId: PostDataRecipientRegistration requestBody: content: application/jwt: schema: $ref: '#/components/schemas/ClientRegistrationRequest' description: The registration request JWT to be used to register with a Data Holder. required: true responses: "201": content: application/json: schema: $ref: '#/components/schemas/RegistrationProperties' description: Client registration success "400": content: application/json: schema: $ref: '#/components/schemas/RegistrationError' description: Request failed due to client error summary: Register Data Recipient oAuth Client tags: - Client Registration x-codegen-request-body-name: ClientRegistrationRequest /register/{ClientId}: delete: description: Delete a Client Registration for a given Client ID. operationId: DeleteDataRecipientRegistration parameters: - description: The client ID issued by the target Data Holder explode: false in: path name: ClientId required: true schema: type: string style: simple - description: An Authorisation Token as per **[[RFC6750]](#nref-RFC6750)** explode: false in: header name: Authorization required: true schema: type: string x-cds-type: ExternalRef style: simple responses: "204": description: Client deleted "401": description: Request failed due to unknown or invalid Client or invalid access token headers: WWW-Authenticate: description: The Response Header Field as per **[[RFC6750]](#nref-RFC6750)** explode: false schema: type: string x-cds-type: ExternalRef style: simple "403": description: The client does not have permission to read, update or delete the Client "405": description: Method Not Allowed. The requested method is unsupported summary: Delete Data Recipient oAuth Client Registration tags: - Client Registration x-scopes: - cdr:registration get: description: Get a Client Registration for a given Client ID. operationId: GetClientRegistration parameters: - description: The client ID issued by the target Data Holder explode: false in: path name: ClientId required: true schema: type: string style: simple - description: An Authorisation Token as per **[[RFC6750]](#nref-RFC6750)** explode: false in: header name: Authorization required: true schema: type: string x-cds-type: ExternalRef style: simple responses: "200": content: application/json: schema: $ref: '#/components/schemas/RegistrationProperties' description: Client registration retrieval success "401": description: Request failed due to unknown or invalid Client or invalid access token headers: WWW-Authenticate: description: The Response Header Field as per **[[RFC6750]](#nref-RFC6750)** explode: false schema: type: string x-cds-type: ExternalRef style: simple "403": description: The client does not have permission to read, update or delete the Client summary: Get oAuth Client Registration tags: - Client Registration x-scopes: - cdr:registration put: description: Update a Client Registration for a given Client ID. operationId: PutDataRecipientRegistration parameters: - description: The client ID issued by the target Data Holder explode: false in: path name: ClientId required: true schema: type: string style: simple - description: An Authorisation Token as per **[[RFC6750]](#nref-RFC6750)** explode: false in: header name: Authorization required: true schema: type: string x-cds-type: ExternalRef style: simple requestBody: content: application/jwt: schema: $ref: '#/components/schemas/ClientRegistrationRequest' description: The registration request JWT to be used to register with a Data Holder. required: true responses: "200": content: application/json: schema: $ref: '#/components/schemas/RegistrationProperties' description: Client registration update success "400": content: application/json: schema: $ref: '#/components/schemas/RegistrationError' description: Request failed due to client error "401": description: Request failed due to unknown or invalid Client or invalid access token headers: WWW-Authenticate: description: The Response Header Field as per **[[RFC6750]](#nref-RFC6750)** explode: false schema: type: string x-cds-type: ExternalRef style: simple "403": description: The client does not have permission to read, update or delete the Client summary: Update Data Recipient Registration tags: - Client Registration x-scopes: - cdr:registration x-codegen-request-body-name: ClientRegistrationRequest components: parameters: Authorization: description: An Authorisation Token as per **[[RFC6750]](#nref-RFC6750)** explode: false in: header name: Authorization required: true schema: type: string x-cds-type: ExternalRef style: simple ClientId: description: The client ID issued by the target Data Holder explode: false in: path name: ClientId required: true schema: type: string style: simple responses: "400Error": content: application/json: schema: $ref: '#/components/schemas/RegistrationError' description: Request failed due to client error "401Error": description: Request failed due to unknown or invalid Client or invalid access token headers: WWW-Authenticate: description: The Response Header Field as per **[[RFC6750]](#nref-RFC6750)** explode: false schema: type: string x-cds-type: ExternalRef style: simple "403Error": description: The client does not have permission to read, update or delete the Client "405Error": description: Method Not Allowed. The requested method is unsupported schemas: ClientRegistrationRequest: description: The registration request JWT to be used to register with a Data Holder. example: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9... format: JWT type: string RegistrationProperties: example: legal_entity_id: 3B0B0A7B-3E7B-4A2C-9497-E357A71D07C7 authorization_signed_response_alg: PS256 token_endpoint_auth_signing_alg: PS256 client_uri: https://www.mockcompany.com.au application_type: web logo_uri: https://www.mockcompany.com.au/logos/logo1.png client_id: 2cfefa98-7d4a-4bcb-95da-47063b84d410 client_description: A mock software product token_endpoint_auth_method: private_key_jwt software_statement: software_statement software_id: 740C368F-ECF9-4D29-A2EA-0514A66B0CDE scope: openid profile bank:accounts.basic:read bank:accounts.detail:read bank:transactions:read bank:payees:read bank:regular_payments:read common:customer.basic:read common:customer.detail:read cdr:registration client_id_issued_at: 1574398833 org_name: Mock Company Brand client_name: Mock Software policy_uri: https://www.mockcompany.com.au/policy.html id_token_signed_response_alg: PS256 grant_types: - client_credentials - authorization_code - refresh_token redirect_uris: - https://www.mockcompany.com.au/redirects/redirect1 - https://www.mockcompany.com.au/redirects/redirect2 sector_identifier_uri: https://www.mockcompany.com.au/sector_identifier.json authorization_encrypted_response_alg: RSA-OAEP authorization_encrypted_response_enc: A128CBC-HS256 id_token_encrypted_response_alg: RSA-OAEP org_id: 3B0B0A7B-3E7B-4A2C-9497-E357A71D07C8 id_token_encrypted_response_enc: A256GCM jwks_uri: https://www.mockcompany.com.au/jwks revocation_uri: https://www.mockcompany.com.au/revocation tos_uri: https://www.mockcompany.com.au/tos.html request_object_signing_alg: PS256 software_roles: data-recipient-software-product legal_entity_name: Mock Company Pty Ltd. recipient_base_uri: https://www.mockcompany.com.au response_types: - code - code properties: client_id: description: Data Holder issued client identifier string example: 2cfefa98-7d4a-4bcb-95da-47063b84d410 type: string client_id_issued_at: description: Time at which the client identifier was issued expressed as seconds since 1970-01-01T00:00:00Z as measured in UTC example: 1574398833 type: integer x-cds-type: ExternalRef client_name: description: Human-readable string name of the software product to be presented to the end-user during authorization example: Mock Software type: string client_description: description: Human-readable string name of the software product description to be presented to the end user during authorization example: A mock software product type: string client_uri: description: URL string of a web page providing information about the client example: https://www.mockcompany.com.au type: string x-cds-type: URIString legal_entity_id: description: A unique identifier string assigned by the CDR Register that identifies the Accredited Data Recipient Legal Entity example: 3B0B0A7B-3E7B-4A2C-9497-E357A71D07C7 type: string legal_entity_name: description: Human-readable string name of the Accredited Data Recipient Legal Entity example: Mock Company Pty Ltd. type: string org_id: description: A unique identifier string assigned by the CDR Register that identifies the Accredited Data Recipient Brand example: 3B0B0A7B-3E7B-4A2C-9497-E357A71D07C8 type: string org_name: description: Human-readable string name of the Accredited Data Recipient to be presented to the end user during authorization example: Mock Company Brand type: string redirect_uris: description: Array of redirection URI strings for use in redirect-based flows. If used, redirect_uris MUST match or be a subset of the redirect_uris as defined in the SSA example: - https://www.mockcompany.com.au/redirects/redirect1 - https://www.mockcompany.com.au/redirects/redirect2 items: type: string x-cds-type: URIString type: array sector_identifier_uri: description: URL string referencing the client sector identifier URI, used as an optional input to the Pairwise Identifier example: https://www.mockcompany.com.au/sector_identifier.json type: string x-cds-type: URIString logo_uri: description: URL string that references a logo for the client. If present, the server SHOULD display this image to the end-user during approval example: https://www.mockcompany.com.au/logos/logo1.png type: string x-cds-type: URIString tos_uri: description: URL string that points to a human-readable terms of service document for the Software Product example: https://www.mockcompany.com.au/tos.html type: string x-cds-type: URIString policy_uri: description: URL string that points to a human-readable policy document for the Software Product example: https://www.mockcompany.com.au/policy.html type: string x-cds-type: URIString jwks_uri: description: URL string referencing the client JSON Web Key (JWK) Set **[[RFC7517]](#nref-RFC7517)** document, which contains the client public keys example: https://www.mockcompany.com.au/jwks type: string x-cds-type: URIString revocation_uri: description: URI string that references the location of the Software Product consent revocation endpoint example: https://www.mockcompany.com.au/revocation type: string x-cds-type: URIString recipient_base_uri: description: Base URI for the Consumer Data Standard Data Recipient endpoints. This should be the base to provide reference to all other Data Recipient Endpoints example: https://www.mockcompany.com.au type: string x-cds-type: URIString token_endpoint_auth_method: description: The requested authentication method for the token endpoint enum: - private_key_jwt type: string x-cds-type: Enum token_endpoint_auth_signing_alg: description: The algorithm used for signing the JWT enum: - PS256 - ES256 type: string x-cds-type: Enum grant_types: description: Array of OAuth 2.0 grant type strings that the client can use at the token endpoint example: - client_credentials - authorization_code - refresh_token items: enum: - client_credentials - authorization_code - refresh_token type: string x-cds-type: Enum type: array response_types: description: Array of the OAuth 2.0 response type strings that the client can use at the authorization endpoint.

Response type value `code` is required for Authorization Code Flow. Response type value `code id_token` is required for OIDC Hybrid Flow. items: enum: - code - code id_token type: string x-cds-type: Enum type: array application_type: description: Kind of the application. The only supported application type will be `web` enum: - web type: string x-cds-type: Enum id_token_signed_response_alg: description: Algorithm with which an id_token is to be signed enum: - PS256 - ES256 type: string x-cds-type: Enum id_token_encrypted_response_alg: description: JWE `alg` algorithm with which an id_token is to be encrypted.

Required if OIDC Hybrid Flow (response type `code id_token`) is registered. example: RSA-OAEP type: string x-cds-type: ExternalRef id_token_encrypted_response_enc: description: JWE `enc` algorithm with which an id_token is to be encrypted.

Required if OIDC Hybrid Flow (response type `code id_token`) is registered. example: A256GCM type: string x-cds-type: ExternalRef authorization_signed_response_alg: description: The JWS `alg` algorithm required for signing authorization responses. If this is specified, the response will be signed using JWS and the configured algorithm. The algorithm “none” is not allowed.

Required if response_type of “code” is registered by the client. enum: - PS256 - ES256 example: PS256 type: string x-conditional: true authorization_encrypted_response_alg: description: The JWE `alg` algorithm required for encrypting authorization responses. If unspecified, the default is that no encryption is performed.

Required if “authorization_encrypted_response_enc” is included. enum: - RSA-OAEP - RSA-OAEP-256 example: RSA-OAEP type: string x-conditional: true authorization_encrypted_response_enc: description: The JWE `enc` algorithm required for encrypting authorization responses. If “authorization_encrypted_response_alg” is specified, the default for this value is “A128CBC-HS256”. enum: - A256GCM - A128CBC-HS256 example: A128CBC-HS256 type: string request_object_signing_alg: description: Algorithm which the ADR expects to sign the request object if a request object will be part of the authorization request sent to the Data Holder enum: - PS256 - ES256 type: string x-cds-type: Enum software_statement: description: The Software Statement Assertion, as defined in CDR standards format: JWT type: string software_id: description: String representing a unique identifier assigned by the Register and used by registration endpoints to identify the software product to be dynamically registered.

The "software_id" will remain the same for the lifetime of the product, across multiple updates and versions example: 740C368F-ECF9-4D29-A2EA-0514A66B0CDE type: string software_roles: description: String containing a role of the software in the CDR Regime. Initially the only value used will be `data-recipient-software-product` enum: - data-recipient-software-product example: data-recipient-software-product type: string x-cds-type: Enum scope: description: String containing a space-separated list of scope values that the client can use when requesting access tokens. example: openid profile bank:accounts.basic:read bank:accounts.detail:read bank:transactions:read bank:payees:read bank:regular_payments:read common:customer.basic:read common:customer.detail:read cdr:registration type: string required: - client_description - client_id - client_name - client_uri - grant_types - id_token_signed_response_alg - jwks_uri - logo_uri - org_id - org_name - redirect_uris - request_object_signing_alg - response_types - scope - software_id - software_statement - token_endpoint_auth_method - token_endpoint_auth_signing_alg type: object x-conditional: - id_token_encrypted_response_alg - id_token_encrypted_response_enc - authorization_signed_response_alg - authorization_encrypted_response_alg ClientRegistration: allOf: - $ref: '#/components/schemas/ClientRegistration_allOf' - $ref: '#/components/schemas/RegistrationProperties' RegistrationError: properties: error: description: Predefined error code as described in [section 3.3 OIDC Dynamic Client Registration](https://openid.net/specs/openid-connect-registration-1_0.html) enum: - invalid_redirect_uri - invalid_client_metadata - invalid_software_statement - unapproved_software_statement type: string x-cds-type: Enum error_description: description: Additional text description of the error for debugging. type: string x-cds-type: ASCIIString required: - error type: object ClientRegistration_allOf: properties: iss: description: Contains the identifier for the ADR Software Product (SoftwareProductId) as defined in the CDR Register example: CDR Software Product ID type: string iat: description: The time at which the request was issued by the Data Recipient expressed as seconds since 1970-01-01T00:00:00Z as measured in UTC example: 1571808167 type: integer x-cds-type: ExternalRef exp: description: The time at which the request expires expressed as seconds since 1970-01-01T00:00:00Z as measured in UTC example: 2147483646 type: integer x-cds-type: ExternalRef jti: description: Unique identifier for the JWT, used to prevent replay of the token example: 37747cd1c10545699f754adf28b73e31 type: string aud: description: Contains the Data Holder issuer value as described in the OIDC Discovery Document example: https://secure.api.dataholder.com/issuer type: string x-cds-type: URIString required: - aud - exp - iat - iss - jti type: object