This site contains the documentation that is relevant to older WSO2 product versions and offerings.
For the latest WSO2 documentation, visit https://wso2.com/documentation/.

Deploying CDR Arrangement Management API v1.0.0

Owned by Former user (Deleted)
Last updated: Nov 12, 2021
5 min read

When a consumer revoke granted consents there should be a mechanism to inform relevant parties that the particular CDR Arrangement ID is not valid anymore. The Data Recipients use the CDR Arrangement Management API, which facilitates this requirement.  If this communication does not take place, the Data Holder will continue to expose the consumer’s data and the Data Recipient will continue to have the consumer’s data within their system. Therefore, it is important to communicate the revocation to both parties to protect consumer data and prevent misuse.

This page explains how to configure and deploy the CDR Arrangement Management API as per the latest changes introduced in the latest updates of WSO2 Open Banking.

These changes are available only as a WSO2 Update and are effective from June 30, 2021 (06-30-2021). For more information on updating WSO2 Open Banking, see Updating WSO2 Products.

Before we begin:

Do the following configurations to reflect the latest changes related to CDR Arrangement Management API.

 Click here to expand...
  1. Open the in <WSO2_OB_IAM_HOME>/repository/conf/deployment.toml file. 

  2. Add the following event listener tags to configure the Private key JWT Client Authenticator. 

    • Update the placeholder in the TokenEndpointAlias with the hostname of the API Manager.
    [[event_listener]]
id = "au_arrangement_revocation_private_key_jwt_authenticator"
type = "org.wso2.carbon.identity.core.handler.AbstractIdentityHandler"
name = "com.wso2.finance.open.banking.identity.extensions.clientauthenticators.au.AUArrangementPrivateKeyJWTAuthenticator"
order = "-13"
enable = true

[event_listener.properties]
TokenEndpointAlias = "https://<WSO2_OB_APIM_HOST>:8243/arrangements/1.0.0"

  3. Add the given filters and filter mappings to enforce private key JWT client authentication to the CDR Arrangement Revocation endpoint.

    [[tomcat.filter]]
name = "PrivateKeyJwtAuthenticationFilter"
class = "com.wso2.finance.open.banking.identity.extensions.filter.PrivateKeyJwtAuthenticationFilter"

[[tomcat.filter_mapping]]
name = "TokenFilter"
url_pattern = "/arrangements/*"

[[tomcat.filter_mapping]]
name = "PrivateKeyJwtAuthenticationFilter"
url_pattern = "/arrangements/*"

Data Holder Initiated Consent Revocation via Data Recipient's Consent Revocation Endpoint 

This is available only as a WSO2 Update and is effective from July 21, 2021 (07-21-2021). For more information on updating WSO2 Open Banking, see Updating WSO2 Products.

As per the CDS specification, if a consent is withdrawn by a customer via the Data Holder’s Consent Dashboard, the Data Holders must notify the Data Recipient of this revocation of the sharing arrangement. This is done by invoking the Data Recipient's CDR Arrangement Revocation endpoint with a valid CDR Arrangement ID. 

  • The Data Recipients must expose their CDR Arrangement Revocation endpoint under the recipient_base_uri claim in their SSA. 

     Click here to see a sample SSA...

    Given below is a sample of a decoded SSA with recipient_base_uri

    {
  "iss": "cdr-register",
  "iat": 1571808167,
  "exp": 2147483646,
  "jti": "3bc205a1ebc943fbb624b14fcb241196",
  "legal_entity_id": "3B0B0A7B-3E7B-4A2C-9497-E357A71D07C7",
  "legal_entity_name": "Mock Company Pty Ltd.",
  "org_id": "3B0B0A7B-3E7B-4A2C-9497-E357A71D07C8",
  "org_name": "Mock Company Brand",
  "client_name": "Mock Software",
  "client_description": "A mock software product for testing SSA",
  "client_uri": "https://www.mockcompany.com.au",
  "redirect_uris": [
    "https://www.mockcompany.com.au/redirects/redirect1",
    "https://www.mockcompany.com.au/redirects/redirect2"
  ],
  "sector_identifier_uri": "https://www.mockcompany.com.au/sector_identifier",
  "logo_uri": "https://www.mockcompany.com.au/logos/logo1.png",
  "tos_uri": "https://www.mockcompany.com.au/tos.html",
  "policy_uri": "https://www.mockcompany.com.au/policy.html",
  "jwks_uri": "https://www.mockcompany.com.au/jwks",
  "revocation_uri": "https://www.mockcompany.com.au/revocation",
  "recipient_base_uri": "https://www.mockcompany.com.au",
  "software_id": "740C368F-ECF9-4D29-A2EA-0514A66B0CDE",
  "software_roles": "data-recipient-software-product",
  "scope": "openid profile bank:accounts.basic:read bank:accounts.detail:read bank:transactions:read bank:payees:read bank:regular_payments:read common:customer.basic:read common:customer.detail:read cdr:registration"
}

    • The Data Recipient's CDR Arrangement Revocation endpoint is <recipient_base_uri>/arrangements/revoke. For example, https://www.mockcompany.com.au/arrangements/revoke

  • This needs to be done before enabling this feature, using a DCR PUT request.
  • If the Data Recipients modify this endpoint, they should update their client registrations with each Data Holder as well.

  1. Add the following configuration changes to the <WSO2_OB_IAM_HOME>/repository/conf/deployment.toml file 

    [open_banking.au.recipient_consent_revocation_endpoint]
enable = true

[open_banking.uk]
consent_revocation_listener = "com.wso2.finance.open.banking.uk.consent.mgt.listener.AUConsentRevocationListener"

  2. To persist recipient_base_uri as service provider metadata, add the following configuration to the <WSO2_OB_APIM_HOME>/repository/conf/deployment.toml file. 

    [[apim.devportal.application_attributes]]
required = false
hidden = false
name ="recipient_base_uri_sandbox"
description = "Recipient Base URI of the sandbox"

[[apim.devportal.application_attributes]]
required = false
hidden = false
name ="recipient_base_uri_production"
description = "Recipient Base URI of the production"

  3. The “sub” and “iss” claims in the Bearer JWT of the request sent to the Data Recipient's CDR Arrangement Revocation endpoint should be the ID of the Data Holder, which was obtained from the CDR Register. You can configure this in the <WSO2_OB_IAM_HOME>/repository/conf/deployment.toml file.

    [open_banking.au.data_holder]
client_id = "dataholderbrand"

Given below are the steps to deploy the CDR Arrangement Management API v1.0.0.

  1. Sign in to the API Publisher Portal (https://<WSO2_OB_APIM_HOST>:9443/publisher) as an API creator/publisher.

  2. In the APIs tab, select CREATE NEW API > I Have an Existing REST API

  3. Set the Input Type to OpenAPI File
  4. Click BROWSE FILE TO UPLOAD and select the <WSO2_OB_APIM_HOME>/repository/resources/finance/apis/consumerdatastandards.org.au/CDRArrangement/cdr-arrangement-mgt-api.yaml  Swagger file.
  5. Click Next

  6. Set the endpoint as follows: 

    https://<WSO2_OB_IAM_HOST>:9446/cdr-arrangement-management/arrangements
  7. Set the business plan to Unlimited : Allows unlimited  requests unless you want to limit the requests. 
  8. Click Create to create the API.
  9. Once you get the message that the API is successfully updated, go to Properties using the left menu panel.
  10. Click  Add New Property.

  11. Add the API Properties according to your API and click the Add button. 

    Property NameProperty Value
    ob-specau
    ob-api-typecdr-arrangement

  12. Click  SAVE.
  13. Go back to  Overview using the left menu panel. 
  14. Click PUBLISH.
  15. The published API is available in the Developer Portal at https://<WSO2_OB_APIM_HOST>:9443/devportal.

Invoking CDR Arrangement Management API  

This API consists of the following endpoint.

Revoke a sharing arrangement

This endpoint is to revoke a sharing arrangement (consent) between the Data Holder and the Data Recipient. This endpoint must be implemented by both Data Holders and Data Recipients and notifies each other when a CDR Arrangement ID is revoked.    

Given below is a sample request: