Validating Accredited Data Recipients

Data Holders have a duty to periodically check the current status of Accredited Data Recipients and act accordingly if the ADR has lost its accreditation. See how this is achieved with SecureAuth.

Validation of Accredited Data Recipients in a Nutshell

Data Holders are responsible for periodically checking the accreditation status of Accredited Data Recipients (ADRs) and their Software Products (SPs). If the accreditation can no longer be found, SecureAuth marks all arrangements for the ADR as expired, revokes access and refresh tokens, and changes the client's status in SecureAuth to Inactive, meaning that this application can no longer request data from the Data Holder.

As required by the CDR specification, SecureAuth regularly polls the CDR Registry for the current status of both ADRs and their SPs that are registered as SecureAuth clients, and caches the result. SecureAuth then runs ADR validation based on its cache in the following scenarios:

  • Client registration

  • Client authorization

  • Arrangement revocation

ADR Validation in Practice

In accordance with the CDR specification, SecureAuth periodically checks the CDR Registry to verify ADRs and their Software Products. The CDR Registry returns this data through the Refresh ADR Metadata endpoint. SecureAuth caches the result.

If the status of an ADR Software Product is removed, SecureAuth invalidates all consents granted to this SP and removes its client application. This means that the SP's users can no longer request data from the Data Holder.

The following validation occurs every time an Accredited Data Recipient makes a request to the Data Holder, to ensure the Data Holder complies with CDR standards before processing the request. ADR stands for the Accredited Data Recipient, and ADR SP stands for the ADR's Software Product.

  1. The Data Recipient sends a request to the Data Holder (for example, an authorization request).

  2. The Data Holder uses SecureAuth to check the Data Recipient's status within the registry. To that end, SecureAuth checks the workspace cache for the current status.

  3. Depending on the status of the ADR and the Software Product, SecureAuth makes a decision:

    • If the status is active for both, SecureAuth processes the request.

    • If the status is active or suspended for the ADR and inactive for the ADR Software Product, SecureAuth will only facilitate consent withdrawal requests.

    • If the status of the ADR SP is removed, SecureAuth will block the request and return an error.
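
The decision in step 3, written out as an added Python example (not SecureAuth's code). The cache layout, status strings, request-type names, and the fail-closed handling of unknown clients and of status combinations the list above does not cover are assumptions.

```python
from enum import Enum


class Decision(Enum):
    PROCESS = "process"
    WITHDRAWAL_ONLY = "consent_withdrawal_only"
    BLOCK = "block"


# Constructed cache snapshot: software product id -> (ADR status, SP status).
CACHE = {
    "sp-001": ("active", "active"),
    "sp-002": ("suspended", "inactive"),
    "sp-003": ("active", "removed"),
    "sp-004": ("suspended", "active"),  # combination the list does not cover
}


def decide(cache, sp_id):
    """Map the cached ADR / SP statuses to one of the three outcomes."""
    entry = cache.get(sp_id)
    if entry is None:
        return Decision.BLOCK  # assumption: no cache entry fails closed
    adr, sp = (status.strip().lower() for status in entry)
    if sp == "removed":
        return Decision.BLOCK
    if adr == "active" and sp == "active":
        return Decision.PROCESS
    if adr in ("active", "suspended") and sp == "inactive":
        return Decision.WITHDRAWAL_ONLY
    return Decision.BLOCK  # assumption: unlisted combinations fail closed


def authorize(cache, sp_id, request_type):
    """Return True if the request may proceed (request_type is hypothetical)."""
    decision = decide(cache, sp_id)
    if decision is Decision.PROCESS:
        return True
    if decision is Decision.WITHDRAWAL_ONLY:
        return request_type == "consent_withdrawal"
    return False


if __name__ == "__main__":
    for sp_id in list(CACHE) + ["sp-unknown"]:
        for req in ("authorization", "consent_withdrawal"):
            print(sp_id, req, authorize(CACHE, sp_id, req))
```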

Disable ADR Validation

ADR validation is enabled in CDR-compliant workspaces by default. You have the option to disable it if it's necessary to run a test scenario.

  1. In your CDR workspace, go to OAuth > Authorization Server.

  2. Clear the Enable ADR Validation check box.

  3. Save. SecureAuth will no longer validate requests made by clients registered in this workspace. Keep in mind that such a workspace is no longer CDR compliant.