This section covers the authentication stage. This involves a consumer verifying who they are with their data holder.
<aside> New CX Guidelines URL September 21, 2023
The CX guidelines have been re-launched on a new domain: cx.cds.gov.au
For more information, refer to Change log: Consumer Experience (CX) Guidelines
</aside>
<aside>
Authenticate is the second stage of ‣.
The authentication stage involves a consumer verifying who they are with their data holder. This is required so the data holder can connect the data recipient's authorisation request to the correct CDR consumer.
The DSB has determined that a single, consistent, authentication model will be adopted by the CDR regime, referred to as the 'Redirect with One Time Password' flow. The Security Profile supports the authentication flows specified by OpenID Connect as constrained further by FAPI (specifically the Hybrid Flow outlined in section 3.3). No other flows are currently supported.
The supported authentication flow is a type of redirection flow where the consumer's user agent is redirected from a data recipient’s web site to a data holder’s authorisation end point in the context of an authentication request. This flow incorporates aspects of both the implicit flow and authorisation code flow detailed under OpenID Connect.
Note that additional requirements for this flow are contained in the Authentication Flow section of the Security Profile.
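The binding checks a data recipient applies when the redirect described above returns, shown as an added example that is not taken from the CX Guidelines or the Security Profile. It assumes the `code id_token` response type, an ID token whose signature has already been verified and which uses a SHA-256 based algorithm; the function names and sample values are constructed for illustration.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs


def left_half_hash(value: str) -> str:
    """OIDC c_hash: base64url (unpadded) of the left half of SHA-256(value)."""
    digest = hashlib.sha256(value.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest[: len(digest) // 2]).rstrip(b"=").decode()


def _same(a: str, b: str) -> bool:
    # Constant-time comparison; encode first so non-ASCII input cannot raise.
    return hmac.compare_digest(a.encode(), b.encode())


def validate_hybrid_response(fragment, verified_claims, expected_state, expected_nonce):
    """Return the authorisation code only if the redirect is bound to this session.

    verified_claims: claims of the returned id_token AFTER signature verification
    against the data holder's keys (assumed done elsewhere by a JOSE library).
    expected_state / expected_nonce: values stored when the request was sent.
    """
    params = {k: v[0] for k, v in parse_qs(fragment.lstrip("#")).items()}
    for name in ("code", "id_token", "state"):
        if name not in params:
            raise ValueError(f"missing {name}")
    if not _same(params["state"], expected_state):
        raise ValueError("state mismatch")  # response belongs to another request
    if not _same(verified_claims.get("nonce", ""), expected_nonce):
        raise ValueError("nonce mismatch")  # ID token replayed from another session
    if not _same(verified_claims.get("c_hash", ""), left_half_hash(params["code"])):
        raise ValueError("c_hash mismatch")  # code was swapped after the token was issued
    return params["code"]


if __name__ == "__main__":
    # Constructed sample values, not real CDR traffic.
    code, state, nonce = "constructed-code-123", "st-abc", "n-xyz"
    claims = {"nonce": nonce, "c_hash": left_half_hash(code)}
    fragment = f"#code={code}&id_token=header.payload.sig&state={state}"
    print(validate_hybrid_response(fragment, claims, state, nonce))
    try:
        validate_hybrid_response(fragment.replace(code, "injected-code"), claims, state, nonce)
    except ValueError as err:
        print("rejected:", err)
```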
Redirect with One Time Password
Examples of the flow in which the consumer inputs a user identifier and uses a One Time Password to authenticate with a data holder.