datarightplus                                                    S. Low
Internet-Draft                                                   Biza.io
Intended status: Experimental                               1 April 2024
Expires: 3 October 2024

                   DataRight+: Banking Resource Set
            draft-authors-datarightplus-resource-set-banking-00

Abstract

   This is the resource set profile outlining the banking sector related
   endpoints.

Notational Conventions

   The keywords "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT",
   "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be
   interpreted as described in [RFC2119].

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 3 October 2024.

Copyright Notice

   Copyright (c) 2024 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.

Low                      Expires 3 October 2024                 [Page 1]

Internet-Draft        DataRight+: Banking Resource Set        April 2024

Table of Contents

   1.  Scope . . . . . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Terminology . . . . . . . . . . . . . . . . . . . . . . . . .   2
   3.  Providers . . . . . . . . . . . . . . . . . . . . . . . . . .   2
     3.1.  Authorisation Server  . . . . . . . . . . . . . . . . . .   2
       3.1.1.  Authorisation Scopes  . . . . . . . . . . . . . . . .   2
     3.2.  Overlapping Scope Optimisation  . . . . . . . . . . . . .   4
     3.3.  Resource Server . . . . . . . . . . . . . . . . . . . . .   4
   4.  Initiators  . . . . . . . . . . . . . . . . . . . . . . . . .   6
   5.  Acknowledgement . . . . . . . . . . . . . . . . . . . . . . .   7
   6.  Normative References  . . . . . . . . . . . . . . . . . . . .   7
   Author's Address  . . . . . . . . . . . . . . . . . . . . . . . .   7

1.  Scope

   The scope of this document is intended to be limited to the resource
   server endpoints related to banking, and their associated
   authorisation contexts.

2.  Terminology

   This specification utilises the various terms outlined within
   [DATARIGHTPLUS-ROSETTA].

3.  Providers

   Providers which provide banking services are expected to deliver a
   number of resource server endpoints.

3.1.  Authorisation Server

   In addition to other provisions incorporated within the relevant
   ecosystem set, the Provider authorisation server SHALL:

   1.  Support the [RFC6749] scope parameter with possible values
       outlined within Authorisation Scopes (Section 3.1.1);

3.1.1.  Authorisation Scopes

   The Provider authorisation server SHALL utilise the following Data
   Set Language when seeking Consumer authorisation from a User for
   specific scope values:

   +============================+=================================+
   | scope value                | Data Set Language               |
   +============================+=================================+
   | bank:accounts.basic:read   | *Account name, type and         |
   |                            | balance*                        |
   +----------------------------+---------------------------------+
   |                            | Name of account;                |
   +----------------------------+---------------------------------+
   |                            | Type of account;                |
   +----------------------------+---------------------------------+
   |                            | Account balance;                |
   +----------------------------+---------------------------------+
   | bank:accounts.detail:read  | *Account numbers and features*  |
   +----------------------------+---------------------------------+
   |                            | Account number;                 |
   +----------------------------+---------------------------------+
   |                            | Interest rates;                 |
   +----------------------------+---------------------------------+
   |                            | Fees;                           |
   +----------------------------+---------------------------------+
   |                            | Discounts;                      |
   +----------------------------+---------------------------------+
   |                            | Account terms;                  |
   +----------------------------+---------------------------------+
   |                            | Account mail address;           |
   +----------------------------+---------------------------------+
   | bank:transactions:read     | *Transaction details*           |
   +----------------------------+---------------------------------+
   |                            | Incoming and outgoing           |
   |                            | transactions;                   |
   +----------------------------+---------------------------------+
   |                            | Amounts;                        |
   +----------------------------+---------------------------------+
   |                            | Dates;                          |
   +----------------------------+---------------------------------+
   |                            | Descriptions of transactions;   |
   +----------------------------+---------------------------------+
   |                            | Who you have sent money to and  |
   |                            | received money from; (e.g.      |
   |                            | their name)                     |
   +----------------------------+---------------------------------+
   | bank:regular_payments:read | *Direct debits and scheduled    |
   |                            | payments*                       |
   +----------------------------+---------------------------------+
   |                            | Direct debits;                  |
   +----------------------------+---------------------------------+
   |                            | Scheduled payments;             |
   +----------------------------+---------------------------------+
   | bank:payees:read           | *Saved payees*                  |
   +----------------------------+---------------------------------+
   |                            | Names and details of accounts   |
   |                            | you have saved; (e.g. their BSB |
   |                            | and Account Number, BPAY CRN    |
   |                            | and Biller code, or NPP PayID)  |
   +----------------------------+---------------------------------+

                                  Table 1

3.2.  Overlapping Scope Optimisation

   Alternative Data Set Language SHALL be used when the following pairs
   of scope values are requested together:

   +==============================+===============================+
   | scope pairing                | Data Set Language             |
   +==============================+===============================+
   | bank:accounts.basic:read and | *Account balance and details* |
   +------------------------------+-------------------------------+
   | bank:accounts.detail:read    | Name of account;              |
   +------------------------------+-------------------------------+
   |                              | Type of account;              |
   +------------------------------+-------------------------------+
   |                              | Account balance;              |
   +------------------------------+-------------------------------+
   |                              | Account number;               |
   +------------------------------+-------------------------------+
   |                              | Interest rates;               |
   +------------------------------+-------------------------------+
   |                              | Fees;                         |
   +------------------------------+-------------------------------+
   |                              | Discounts;                    |
   +------------------------------+-------------------------------+
   |                              | Account terms;                |
   +------------------------------+-------------------------------+
   |                              | Account mail address;         |
   +------------------------------+-------------------------------+

                                  Table 2

3.3.  Resource Server

   The Provider SHALL make available the following endpoints, as
   described further in [DATARIGHTPLUS-REDOCLY-ID1], where the token is
   granted the bank:accounts.basic:read scope value:

   +===========================================+=========+
   | Resource Server Endpoint                  | x-v     |
   +===========================================+=========+
   | GET /banking/accounts                     | 1 and 2 |
   +-------------------------------------------+---------+
   | GET /banking/accounts/balances            | 1       |
   +-------------------------------------------+---------+
   | POST /banking/accounts/balances           | 1       |
   +-------------------------------------------+---------+
   | GET /banking/accounts/{accountId}/balance | 1       |
   +-------------------------------------------+---------+

                                  Table 3

   The Provider SHALL make available the following endpoints, as
   described further in [DATARIGHTPLUS-REDOCLY-ID1], where the token is
   granted the bank:accounts.detail:read scope value:

   +===================================+============+
   | Resource Server Endpoint          | x-v        |
   +===================================+============+
   | GET /banking/accounts/{accountId} | 1, 2 and 3 |
   +-----------------------------------+------------+

                                  Table 4

   The Provider SHALL make available the following endpoints, as
   described further in [DATARIGHTPLUS-REDOCLY-ID1], where the token is
   granted the bank:regular_payments:read scope value:

   +======================================================+=====+
   | Resource Server Endpoint                             | x-v |
   +======================================================+=====+
   | GET /banking/accounts/direct-debits                  | 1   |
   +------------------------------------------------------+-----+
   | POST /banking/accounts/direct-debits                 | 1   |
   +------------------------------------------------------+-----+
   | GET /banking/accounts/{accountId}/direct-debits      | 1   |
   +------------------------------------------------------+-----+
   | GET /banking/accounts/{accountId}/payments/scheduled | 1   |
   +------------------------------------------------------+-----+
   | POST /banking/payments/scheduled                     | 1   |
   +------------------------------------------------------+-----+
   | GET /banking/payments/scheduled                      | 1   |
   +------------------------------------------------------+-----+

                                  Table 5

   The Provider SHALL make available the following endpoints, as
   described further in [DATARIGHTPLUS-REDOCLY-ID1], where the token is
   granted the bank:payees:read scope value:

   +===============================+=========+
   | Resource Server Endpoint      | x-v     |
   +===============================+=========+
   | GET /banking/payees           | 2       |
   +-------------------------------+---------+
   | GET /banking/payees/{payeeId} | 1 and 2 |
   +-------------------------------+---------+

                                  Table 6

   The Provider SHALL make available the following endpoints, as
   described further in [DATARIGHTPLUS-REDOCLY-ID1], where the token is
   granted the bank:transactions:read scope value:

   +===================================================+=====+
   | Resource Server Endpoint                          | x-v |
   +===================================================+=====+
   | GET /banking/accounts/{accountId}/transactions    | 1   |
   +---------------------------------------------------+-----+
   | GET /banking/                                     | 1   |
   | accounts/{accountId}/transactions/{transactionId} |     |
   +---------------------------------------------------+-----+

                                  Table 7

   In addition, the Provider SHALL deliver the following unauthenticated
   and generally available endpoints, in accordance with
   [DATARIGHTPLUS-REDOCLY-ID1]:

   +===================================+=========+
   | Resource Server Endpoint          | x-v     |
   +===================================+=========+
   | GET /banking/products             | 2       |
   +-----------------------------------+---------+
   | GET /banking/products/{productId} | 3 and 4 |
   +-----------------------------------+---------+

                                  Table 8

4.  Initiators

   Initiators SHALL describe the requested scope values using the same
   Data Set Language as Providers, as outlined in Authorisation Scopes
   (Section 3.1.1).

5.  Acknowledgement

   The following people contributed to this document:

   *  Stuart Low (Biza.io) - Editor

   We acknowledge the contribution to the [CDS] of the following
   individuals:

   *  James Bligh (Data Standards Body) - Lead Architect for the
      Consumer Data Right

   *  Mark Verstege (Data Standards Body) - Lead Architect, Banking &
      Information Security for the Consumer Data Right

   *  Ivan Hosgood (formerly Data Standards Body & ACCC) - Solutions
      Architect

6.  Normative References

   [CDS]      Data Standards Body (Treasury), "Consumer Data Standards
              (CDS)".

   [DATARIGHTPLUS-REDOCLY-ID1]
              Low, S., Kolera, B., and W. Cai, "DataRight+: Redocly
              (ID1)".

   [DATARIGHTPLUS-ROSETTA]
              Low, S., "DataRight+ Rosetta Stone".

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC6749]  Hardt, D., "The OAuth 2.0 Authorization Framework",
              October 2012.

Author's Address

   Stuart Low
   Biza.io
   Email: stuart@biza.io
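A resource server check built from the scope and x-v tables in Section 3.3 (Tables 3 to 8), added here as an example and not code from this draft or from the DataRight+ project: it resolves a request to its table row, requires the listed scope value in the token's [RFC6749] space-delimited scope string, and refuses x-v values the endpoint does not serve. The route table contents are transcribed from the draft; the HTTP status codes, function names and single-segment path-parameter rule are this example's own assumptions.

```python
import re
# Constructed from Tables 3-8: (method, path template) -> (required scope, or None if public; supported x-v values)
ENDPOINTS = {
    ("GET", "/banking/accounts"): ("bank:accounts.basic:read", {1, 2}),
    ("GET", "/banking/accounts/balances"): ("bank:accounts.basic:read", {1}),
    ("POST", "/banking/accounts/balances"): ("bank:accounts.basic:read", {1}),
    ("GET", "/banking/accounts/{accountId}/balance"): ("bank:accounts.basic:read", {1}),
    ("GET", "/banking/accounts/{accountId}"): ("bank:accounts.detail:read", {1, 2, 3}),
    ("GET", "/banking/accounts/direct-debits"): ("bank:regular_payments:read", {1}),
    ("POST", "/banking/accounts/direct-debits"): ("bank:regular_payments:read", {1}),
    ("GET", "/banking/accounts/{accountId}/direct-debits"): ("bank:regular_payments:read", {1}),
    ("GET", "/banking/accounts/{accountId}/payments/scheduled"): ("bank:regular_payments:read", {1}),
    ("POST", "/banking/payments/scheduled"): ("bank:regular_payments:read", {1}),
    ("GET", "/banking/payments/scheduled"): ("bank:regular_payments:read", {1}),
    ("GET", "/banking/payees"): ("bank:payees:read", {2}),
    ("GET", "/banking/payees/{payeeId}"): ("bank:payees:read", {1, 2}),
    ("GET", "/banking/accounts/{accountId}/transactions"): ("bank:transactions:read", {1}),
    ("GET", "/banking/accounts/{accountId}/transactions/{transactionId}"): ("bank:transactions:read", {1}),
    ("GET", "/banking/products"): (None, {2}),
    ("GET", "/banking/products/{productId}"): (None, {3, 4}),
}
def _to_regex(template):
    # Assumption: a {param} matches exactly one non-empty path segment.
    return re.compile("^" + re.sub(r"\{[^/]+\}", "[^/]+", template) + "$")

def match_route(method, path):
    # Literal routes are tried before templated ones, so /banking/accounts/balances
    # is never mistaken for GET /banking/accounts/{accountId} with accountId "balances".
    for key in sorted((k for k in ENDPOINTS if k[0] == method), key=lambda k: k[1].count("{")):
        if _to_regex(key[1]).match(path):
            return key
    return None

def authorise(method, path, x_v, granted_scopes):
    """Return (status, reason). granted_scopes is the RFC 6749 space-delimited scope string
    from the access token, or None when no token was presented. Status codes are this example's."""
    key = match_route(method, path)
    if key is None:
        return 404, "not a banking resource set endpoint"
    required_scope, versions = ENDPOINTS[key]
    if required_scope is not None:
        if granted_scopes is None:
            return 401, "bearer token required"
        if required_scope not in granted_scopes.split():  # exact token match, never a substring test
            return 403, f"token lacks scope {required_scope}"
    if not (isinstance(x_v, str) and x_v.isdigit()):
        return 400, "x-v header missing or not a positive integer"
    if int(x_v) not in versions:
        return 406, f"x-v {x_v} unsupported; this endpoint serves {sorted(versions)}"
    return 200, "authorised" if required_scope else "public endpoint"
```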