Consumer Data Right Workspace

Learn how a Consumer Data Right (CDR) compliant workspace can be set up within Cloudentity and how it satisfies the CDR security profile requirements.

Cloudentity CDR Workspace

Cloudentity lets you configure a CDR-compliant, FAPI-certified OAuth authorization server in a couple of clicks. Adopting Cloudentity drastically shortens the effort needed to achieve CDR compliance and allows a faster time to market. The Cloudentity solution offers a highly performant, multi-tenant, FAPI-compliant and FAPI-certified authorization server built on open standards and compatible with the advanced OAuth 2.0 and OIDC specifications. Cloudentity also provides a rich set of APIs that facilitate consent collection and management, so that Data Holders can implement the safe and secure customer journeys recommended by the CDR across their digital channels.

CDR Security Profile

CDR security profile conformance and Financial-grade API (FAPI) compliance can be enabled in the Cloudentity platform with a single click by selecting the CDR security profile. The result is a FAPI-grade authorization server configured to meet all CDR requirements for FAPI compliance.

Consumer Data Right workspace

Choosing an industry tailors the authorization scopes that are added automatically to the security profile within Cloudentity. For example, energy sector Data Holders are not interested in a scope defined for the banking sector (energy:electricity.usage:read versus bank:accounts.detail:read).


Finish the configuration at a high level by connecting the integrating systems:

  • Connect an identity provider that handles consumer authentication
  • Skip the developer portal if you do not need the capability to expose a portal where developers sign up for applications

CDR Workspace Settings

The following advanced OAuth settings are configured for the workspace to meet the CDR security profile requirements. Most of them can be found under Auth Settings in the workspace.

  • Industry - the CDR industry sector of the Data Holder, such as banking, energy, or telco.

  • Enable ADR validation - Data Holders are responsible for periodically checking the accreditation status of Accredited Data Recipients (ADRs) and their Software Products against the CDR Register. If the accreditation can no longer be found, Cloudentity marks all arrangements for that ADR as expired, revokes its access and refresh tokens, and sets the client's status in Cloudentity to Inactive, so the application can no longer request data from the Data Holder. Disable this setting for testing purposes only.

  • Register URL - URL of the CDR Register maintained by the Australian Competition and Consumer Commission (ACCC). The production URL is https://api.cdr.gov.au

  • Allowed grant types - the OAuth grant types permitted by the CDR specifications, plus those needed by the other applications participating in the integration, such as the consent app, the dashboard, and API gateway introspection.

  • Client authentication - private_key_jwt for ADRs; other methods are available for internal applications.

  • Client registration - Dynamic Client Registration (DCR) is enabled by default and protected by the Software Statement Assertion (SSA) issued by the CDR Register (ACCC).

  • Tokens
    • TTL
    • ID token encryption
    • Signing key rotation

  • Pairwise identifiers for the sub claim

  • Consent - the capability to add a custom consent page
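The pairwise identifiers item above does not spell out what a pairwise sub is or why it matters. The following is an added example, not Cloudentity's own derivation (which this page does not describe): it implements the algorithm that OpenID Connect Core section 8.1 gives as its illustration, a SHA-256 over the sector identifier, the Data Holder's internal account ID and a secret salt. The sector identifiers, account ID and salt are constructed values. It shows the two properties a Data Holder needs: the same customer gets a different, unlinkable sub at every ADR, but a stable sub on repeat logins to the same ADR.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
)

// pairwiseSub derives a pairwise pseudonymous subject identifier in the style of
// OpenID Connect Core 8.1: SHA-256(sector_identifier || local_account_id || salt).
// The sector identifier is what OIDC derives from a client's registered redirect
// URIs, so each ADR sees its own sub for the same customer. The NUL separators
// stop "ab"+"c" and "a"+"bc" from hashing to the same value.
func pairwiseSub(sectorIdentifier, localAccountID string, salt []byte) string {
	h := sha256.New()
	h.Write([]byte(sectorIdentifier))
	h.Write([]byte{0})
	h.Write([]byte(localAccountID))
	h.Write([]byte{0})
	h.Write(salt)
	return base64.RawURLEncoding.EncodeToString(h.Sum(nil))
}

func main() {
	// Constructed values. The salt must be generated once, kept secret and never
	// rotated: changing it changes every sub already issued and breaks the link
	// between an ADR's stored consents and the customer.
	salt := []byte("generate-once-keep-secret-never-rotate")
	account := "internal-customer-0001"
	adrOne := pairwiseSub("adr-one.example.com", account, salt)
	adrTwo := pairwiseSub("adr-two.example.com", account, salt)
	fmt.Println("sub at ADR one:", adrOne)
	fmt.Println("sub at ADR two:", adrTwo)
	fmt.Println("stable across logins:", adrOne == pairwiseSub("adr-one.example.com", account, salt))
	fmt.Println("linkable across ADRs:", adrOne == adrTwo)
}
```

Because the salt is part of the preimage, an ADR (or two colluding ADRs) cannot brute-force the account ID from the sub, which is the point of issuing pairwise rather than public identifiers.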

In addition to these settings, Cloudentity automatically enforces the other restrictions and validations that the CDR security profile requires.
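The client authentication setting above names private_key_jwt for ADRs without showing what the ADR sends or what the Data Holder must check. The following is an added example, not Cloudentity's code: the ADR side builds the client assertion JWT (iss and sub equal to its client_id, aud equal to the token endpoint, a fresh jti, a short exp) and signs it with PS256 using the Go standard library; the Data Holder side verifies it against the public key the ADR registered through DCR and rejects wrong algorithms, unknown keys, bad signatures, mismatched iss/sub/aud, expired assertions and replayed jti values. The token endpoint URL, client_id, kid and key pair are constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// tokenEndpoint is the Data Holder's token endpoint, constructed for this example.
const tokenEndpoint = "https://auth.dataholder.example/oauth2/token"
var pssOpts = &rsa.PSSOptions{SaltLength: rsa.PSSSaltLengthEqualsHash} // PS256 salt length

type assertionClaims struct {
	Iss string `json:"iss"`
	Sub string `json:"sub"`
	Aud string `json:"aud"`
	Jti string `json:"jti"`
	Exp int64  `json:"exp"`
	Iat int64  `json:"iat"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }
// makeClientAssertion is the ADR side: a short-lived JWT with iss=sub=client_id,
// aud=token endpoint and a fresh jti, signed with the ADR's private key (PS256).
func makeClientAssertion(key *rsa.PrivateKey, clientID, kid string, now time.Time) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "PS256", "typ": "JWT", "kid": kid})
	jti := make([]byte, 16)
	rand.Read(jti) // crypto/rand; a fresh jti per request is what makes replay detectable
	body, _ := json.Marshal(assertionClaims{
		Iss: clientID, Sub: clientID, Aud: tokenEndpoint, Jti: b64(jti),
		Iat: now.Unix(), Exp: now.Add(5 * time.Minute).Unix(),
	})
	signingInput := b64(hdr) + "." + b64(body)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPSS(rand.Reader, key, crypto.SHA256, digest[:], pssOpts)
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64(sig), nil
}

// verifier is the Data Holder side: keys are the ADR's registered public keys (from the
// JWKS given at DCR), seenJTI enforces one-time use so a captured assertion cannot be replayed.
type verifier struct {
	keys    map[string]*rsa.PublicKey
	seenJTI map[string]bool
}

func (v *verifier) verify(assertion, expectedClientID string, now time.Time) error {
	parts := strings.Split(assertion, ".")
	if len(parts) != 3 {
		return errors.New("malformed assertion")
	}
	var hdr struct{ Alg, Kid string }
	hdrBytes, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil || json.Unmarshal(hdrBytes, &hdr) != nil {
		return errors.New("bad header")
	}
	pub, ok := v.keys[hdr.Kid]
	if hdr.Alg != "PS256" || !ok { // allow-list the alg; never let the token choose it
		return errors.New("alg not allowed or unknown kid")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, pssOpts) != nil {
		return errors.New("signature invalid")
	}
	var c assertionClaims
	body, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil || json.Unmarshal(body, &c) != nil {
		return errors.New("bad claims")
	}
	switch {
	case c.Iss != expectedClientID || c.Sub != expectedClientID || c.Aud != tokenEndpoint:
		return errors.New("iss/sub/aud do not match this client and token endpoint")
	case c.Exp <= now.Unix():
		return errors.New("assertion expired")
	case v.seenJTI[c.Jti]:
		return errors.New("jti already used (replay)")
	}
	v.seenJTI[c.Jti] = true // in production, drop entries once their exp has passed
	return nil
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed ADR key pair
	v := &verifier{keys: map[string]*rsa.PublicKey{"adr-key-1": &key.PublicKey}, seenJTI: map[string]bool{}}
	now := time.Now()
	a, _ := makeClientAssertion(key, "adr-client-123", "adr-key-1", now)
	fmt.Println("first use:", v.verify(a, "adr-client-123", now)) // <nil>
	fmt.Println("replay:   ", v.verify(a, "adr-client-123", now)) // jti already used (replay)
}
```

The order of checks is deliberate: the algorithm and key are validated before the signature, and the signature before any claim, so an attacker gets no information about claim handling from an unsigned or wrongly signed assertion. The jti is only recorded once every other check has passed, so a rejected assertion cannot be used to block a later legitimate one.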

Updated: Jun 22, 2023