Building CDR Consumer Consent Dashboards
Learn how to build Consumer Data Right (CDR)-compliant consumer consent self-service portals utilizing built-in consent APIs provided by SecureAuth.
Sandbox
SecureAuth offers a CDR quickstart that you can use as a reference application to build your CDR consumer consent dashboard. It also showcases how you can integrate CDR workflows with the SecureAuth platform.
For guidance on how to use reference portals, see Using reference consent self-service and admin portals.
Consumer Dashboards
"Consent in the CDR must be voluntary, express, informed, specific as to purpose, time limited and easily withdrawn (rule 4.9)". Allowing consumers to manage their authorizations (consents) is critical in CDR.
Consumer dashboards, or consent self-service portals, are the tools consumers can use to review and manage their authorizations. They allow a consumer to see the list of all CDR data recipients they are sharing their data with, as well as the specific sharing arrangements the consumer has with the data recipients.
They also allow the consumer to withdraw (revoke) their consent at any time. As per the CX guidelines, dashboards must provide consumers with information such as:
When they gave an authorization.
The period the authorization is given for.
When the authorization is scheduled to expire.
Whether the authorization is expired or active.
Requirements
A consumer dashboard must meet the following requirements:
Applications connected to consumer dashboards must be of the confidential client type so that client credentials can be stored securely. This is essential because the client credentials grant type is used for part of the API requests. For example, consider using the secure Backend for Frontend (BFF) design pattern, which keeps the credentials on the server side rather than in the browser.
Applications must be created within the System workspace of your SecureAuth tenant since you'll be calling the system-level APIs.
System Workspace
Access to the System workspace is behind a feature flag. To request access to the System workspace, contact SecureAuth Sales Team.
Applications must have the manage_openbanking_consents scope assigned.
Add New Scope
When no manage_openbanking_consents scope is available to assign to your application, add it to the required CDR service first. Then you can assign it to your client app.
It is recommended to request the same scope explicitly when calling the /token endpoint: pass it as the value of the scope parameter, so the flow follows security best practice and the token carries only the scope the dashboard needs.
Consumer dashboards must be developed according to the CDR CX Guidelines and Rules.
Consumer dashboards must display to consumers all consents they gave.
Consumer dashboards must allow the consumers to withdraw their authorization. The withdrawal journey contains, for example:
Identify the authorization to be withdrawn.
Review the implications and confirm the withdrawal.
Receive a final notification of success.
Integrate Consumer Dashboards
To integrate your Consumer Dashboard with SecureAuth, use the following SecureAuth APIs:
- Authorization (step 3)
Authenticate your client application to SecureAuth.
The consent application calls the /token endpoint for the sole purpose of authenticating itself before calling SecureAuth consent APIs. Authentication can also be performed before step 9 or 13.
- Fetching arrangements (step 5)
Fetch the list of CDR arrangements.
It returns the list of all CDR arrangements, so you can provide it to the consumer, as required by the CDR rules. To narrow the list down, pass filters in the request body.
- Getting arrangement details (step 9)
Obtain the details of a specific consent after the consumer selects an arrangement on the consent page.
This allows you to display the arrangement details to the consumer.
- Revocation (step 13)
DELETE Revoke CDR Arrangement: revoke an arrangement.
Consumer Dashboards are required to allow consent revocation (withdrawal). To revoke an arrangement, pass its identifier as the path parameter.
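The four calls above, wired together as an added example (this is illustration code, not SecureAuth's SDK or the quickstart's code). The BFF-side client obtains a client-credentials token with manage_openbanking_consents requested explicitly and refuses a token that was issued without it, lists arrangements with the filter in the request body, fetches one arrangement, and revokes it with a DELETE that carries the identifier as a path parameter. Only the /token endpoint is named on the page; the /cdr/arrangements paths, the JSON field names (arrangements, customer_id, created_at, expires_at, status, recipient) and the fake_transport stand-in are assumptions constructed so the example runs offline. The dashboard_row helper derives the fields the CX guidelines require (when given, period, expiry, active or expired), and the revocation path checks that the arrangement belongs to the signed-in consumer before deleting it.

```python
"""Added example, not SecureAuth's own code: a minimal BFF-side client for the
dashboard calls. Arrangement paths and JSON field names are ASSUMPTIONS; replace
them with the ones documented for your tenant. Only /token comes from the page."""
import base64
import json
import time
from datetime import datetime
from typing import Callable, Optional, Tuple
from urllib.parse import quote

REQUIRED_SCOPE = "manage_openbanking_consents"  # scope the page requires
# transport(method, url, headers, body) -> (status, json); a fake stands in for local runs
Transport = Callable[[str, str, dict, Optional[bytes]], Tuple[int, dict]]


class ConsentDashboardClient:
    def __init__(self, system_api_base: str, token_url: str, client_id: str,
                 client_secret: str, transport: Transport):
        # Confidential client: secret and bearer token never leave this server-side process.
        self._base, self._token_url = system_api_base.rstrip("/"), token_url
        creds = f"{client_id}:{client_secret}".encode()
        self._basic = "Basic " + base64.b64encode(creds).decode()
        self._send, self._token, self._expires_at = transport, None, 0.0

    def access_token(self) -> str:
        """Step 3: client_credentials grant with the scope passed explicitly."""
        if self._token and time.time() < self._expires_at - 30:
            return self._token
        status, resp = self._send(
            "POST", self._token_url,
            {"Authorization": self._basic, "Content-Type": "application/x-www-form-urlencoded"},
            f"grant_type=client_credentials&scope={REQUIRED_SCOPE}".encode())
        if status != 200:
            raise RuntimeError(f"token request failed with HTTP {status}")
        # Fail here if the server narrowed the scope, not with a 403 three calls later.
        if REQUIRED_SCOPE not in resp.get("scope", "").split():
            raise RuntimeError(f"token issued without {REQUIRED_SCOPE}")
        self._token = resp["access_token"]
        self._expires_at = time.time() + int(resp.get("expires_in", 0))
        return self._token

    def _call(self, method: str, path: str, body: Optional[dict] = None) -> dict:
        headers = {"Authorization": "Bearer " + self.access_token(),
                   "Content-Type": "application/json"}
        data = json.dumps(body).encode() if body is not None else None
        status, resp = self._send(method, self._base + path, headers, data)
        if status not in (200, 204):
            raise RuntimeError(f"{method} {path} failed with HTTP {status}")
        return resp or {}

    def list_arrangements(self, customer_id: str) -> list:
        """Step 5: filters travel in the request body, as the page describes."""
        resp = self._call("POST", "/cdr/arrangements", {"customer_id": customer_id})
        return resp.get("arrangements", [])

    def get_arrangement(self, arrangement_id: str) -> dict:
        """Step 9: the id is percent-encoded so an odd value cannot rewrite the path."""
        return self._call("GET", f"/cdr/arrangements/{quote(arrangement_id, safe='')}")

    def revoke_arrangement(self, arrangement_id: str, customer_id: str) -> bool:
        """Step 13: DELETE with the id as path parameter, after confirming the
        arrangement belongs to the signed-in consumer (no cross-consumer withdrawal)."""
        if self.get_arrangement(arrangement_id).get("customer_id") != customer_id:
            raise PermissionError("arrangement does not belong to this consumer")
        self._call("DELETE", f"/cdr/arrangements/{quote(arrangement_id, safe='')}")
        return True


def dashboard_row(arr: dict, now: datetime) -> dict:
    """The per-authorization fields the CX guidelines require a dashboard to show."""
    given = datetime.fromisoformat(arr["created_at"])
    expires = datetime.fromisoformat(arr["expires_at"])
    expired = arr.get("status") == "revoked" or now >= expires
    return {"recipient": arr["recipient"], "given_at": given.isoformat(),
            "period_days": (expires - given).days, "expires_at": expires.isoformat(),
            "state": "expired" if expired else "active"}


def fake_transport(store: dict) -> Transport:
    """Constructed in-memory stand-in for SecureAuth so the example runs offline."""
    def send(method, url, headers, body):
        if url.endswith("/token"):
            if not headers.get("Authorization", "").startswith("Basic "):
                return 401, {}
            return 200, {"access_token": "demo-token", "expires_in": 300, "scope": REQUIRED_SCOPE}
        if headers.get("Authorization") != "Bearer demo-token":
            return 401, {}
        if method == "POST":  # list arrangements, filter taken from the body
            wanted = json.loads(body)["customer_id"]
            return 200, {"arrangements": [a for a in store.values()
                                          if a["customer_id"] == wanted]}
        aid = url.rsplit("/", 1)[-1]
        if aid not in store:
            return 404, {}
        if method == "DELETE":
            store[aid]["status"] = "revoked"
            return 204, {}
        return 200, store[aid]
    return send
```

The transport is injected so the same client runs against a real HTTP library in production and against the constructed fake here; the ownership check in revoke_arrangement is the BFF's responsibility because the system-level token is not tied to any one consumer.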
To provide consumers access to the consumer dashboard, you need to have an Identity Provider connected. SecureAuth allows you to manage IDPs and give your consumers the means to authenticate.