Updated August 23, 2021
The authentication stage involves a consumer verifying who they are with their data holder. This is required so the data holder can connect the data recipient's authorisation request to the correct CDR consumer.
The DSB has determined that a single, consistent, authentication model will be adopted by the CDR regime, referred to as the 'Redirect with One Time Password' flow. The Security Profile supports the authentication flows specified by OpenID Connect as constrained further by FAPI (specifically the Hybrid Flow outlined in section 3.3). No other flows are currently supported.
The supported authentication flow is a type of redirection flow where the consumer's user agent is redirected from a data recipient’s web site to a data holder’s authorisation end point in the context of an authentication request. This flow incorporates aspects of both the implicit flow and authorisation code flow detailed under OpenID Connect.
Note that additional requirements for this flow are contained in the Authentication Flow section of the Security Profile.
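The following is an added example, not part of the original guidelines or the Security Profile. It sketches the data recipient's first checks on a Hybrid Flow response: both a code and an ID token come back through the redirect, and the ID token's `c_hash` claim must match the code. It assumes the parameters arrive in the URL fragment and that the ID token is a compact JWS with any encryption layer already removed; the function names and sample URL are hypothetical.

```python
import base64, hashlib, hmac, json
from urllib.parse import parse_qs, urlsplit

# Hash family is selected by the last three characters of the JWS "alg" (PS256, ES256, ...).
_HASHES = {"256": hashlib.sha256, "384": hashlib.sha384, "512": hashlib.sha512}

def _decode_segment(segment: str) -> dict:
    """Decode one base64url JSON segment of a compact JWS."""
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))

def left_half_hash(value: str, alg: str) -> str:
    """OIDC c_hash: base64url (unpadded) of the left half of the hash of `value`."""
    if alg[-3:] not in _HASHES:
        raise ValueError(f"unsupported ID token alg: {alg!r}")
    digest = _HASHES[alg[-3:]](value.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest[: len(digest) // 2]).rstrip(b"=").decode()

def _same(a: str, b: str) -> bool:
    # Constant-time comparison of two strings.
    return hmac.compare_digest(a.encode(), b.encode())

def check_hybrid_response(redirect_url: str, expected_state: str) -> str:
    """Return the authorisation code if the front-channel response is consistent.

    Not shown and still required: ID token signature, iss, aud, nonce and exp checks.
    """
    params = {k: v[0] for k, v in parse_qs(urlsplit(redirect_url).fragment).items()}
    code, id_token = params.get("code"), params.get("id_token")
    if not code or not id_token:
        raise ValueError("hybrid flow response must carry both code and id_token")
    if not _same(params.get("state", ""), expected_state):
        raise ValueError("state does not match the value sent in the request")
    header_b64, payload_b64, _signature = id_token.split(".")
    header, claims = _decode_segment(header_b64), _decode_segment(payload_b64)
    expected = left_half_hash(code, str(header.get("alg", "")))
    if not _same(str(claims.get("c_hash", "")), expected):
        raise ValueError("c_hash does not bind the ID token to the returned code")
    return code
```

A response whose code has been swapped, whose state differs, or which lacks the ID token is rejected with `ValueError` before the code is sent to the token endpoint.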
CX Guidelines for Authenticate
Examples of the flow, showing where the consumer inputs a user identifier and how a One Time Password is used to authenticate with a data holder.