CAMARA-ICM-examples.md

File metadata and controls

98 lines (65 loc) · 3.13 KB

Identity and Consent Management Examples

Specifying One Purpose


Note

The content and structure of access tokens are defined neither by OAuth 2.0 nor by OIDC. In RFC 7662 only the field active is REQUIRED; scope and all other fields are optional. JSON Web Token defines some common claims. The RFC 7662 response values serve only as an example of how an access token might look. Such access tokens might contain additional fields carrying what CAMARA needs regarding "purpose".

The openid scope is needed in the request to specify that the request is an OpenID Connect request. However, there is no explicit requirement to include the openid scope in the response.


Note

This document uses the response of the token-introspection endpoint as per RFC 7662 to describe an access token. This document does not state whether the access token is self-contained or not.


Purpose as a scope: Requesting one purpose, two scopes of the same API

OIDC authorization code flow with one purpose as scope

See OIDC Authentication Request

GET /authorize?
    response_type=code
    &scope=openid%20dpv%3AFraudPreventionAndDetection%20sim-swap%3Acheck%20sim-swap%3Aretrieve-date
    &client_id=s6BhdRkqt3
    &state=af0ifjsldkj
    &redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb HTTP/1.1
Host: server.example.com

Successful response redirecting the user agent

See OIDC Successful Authentication Response

HTTP/1.1 302 Found
Location: https://client.example.com/cb?code=SplxlOBeZQQYbYS6WxSbIA&state=af0ifjsldkj

Access token request

See OIDC Token Request

POST /token HTTP/1.1
Host: server.example.com
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA
    &redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb
    &client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer
    &client_assertion=eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3Mi......

Successful response

See OIDC Successful Token Response

HTTP/1.1 200 OK
Content-Type: application/json

{
  "access_token": "SlAV32hkKG",
  "token_type": "Bearer",
  "refresh_token": "8xLOxBtZp8",
  "expires_in": 3600,
  "id_token": "eyJhbGciOiJSUz....",
  "scope": "dpv:FraudPreventionAndDetection sim-swap:check sim-swap:retrieve-date"
}
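The two things a client and a resource server actually do with the convention shown above are (a) compose the scope parameter (openid, one dpv: purpose, the API scopes) with the URL encoding seen in the authorization request, and (b) derive an authorization decision from an RFC 7662 introspection response, where only active is REQUIRED and scope may be absent. The following is an added example, not CAMARA's own code; the sample introspection response is constructed from the values on this page, and the purpose "Marketing" used in the test is a hypothetical value.

```python
from urllib.parse import urlencode, quote

PURPOSE_PREFIX = "dpv:"  # purpose-as-scope convention used on this page


def build_scope(purpose: str, api_scopes: list[str]) -> str:
    """Scope parameter for the authorization or CIBA request: openid, one purpose, the API scopes."""
    return " ".join(["openid", f"{PURPOSE_PREFIX}{purpose}", *api_scopes])


def authorize_query(purpose: str, api_scopes: list[str], client_id: str, state: str, redirect_uri: str) -> str:
    """Query string of the OIDC authentication request; quote (not quote_plus) gives %20 for spaces."""
    params = {
        "response_type": "code",
        "scope": build_scope(purpose, api_scopes),
        "client_id": client_id,
        "state": state,
        "redirect_uri": redirect_uri,
    }
    return urlencode(params, quote_via=quote)


def parse_scope(scope: str) -> tuple[set[str], set[str]]:
    """Split a granted scope string into (purposes, api_scopes).
    openid is not an API scope and need not be echoed in the response, so it is dropped."""
    purposes, api_scopes = set(), set()
    for s in scope.split():
        if s == "openid":
            continue
        if s.startswith(PURPOSE_PREFIX):
            purposes.add(s[len(PURPOSE_PREFIX):])
        else:
            api_scopes.add(s)
    return purposes, api_scopes


def authorizes(introspection: dict, api_scope: str, purpose: str) -> bool:
    """Resource-server decision from an RFC 7662 introspection response.
    Inactive token, or a token without a scope field, grants nothing; otherwise both the
    requested API scope and the requested purpose must be present."""
    if not introspection.get("active"):
        return False
    purposes, api_scopes = parse_scope(introspection.get("scope", ""))
    return api_scope in api_scopes and purpose in purposes


# Constructed introspection response, mirroring the token response on this page.
SAMPLE_INTROSPECTION = {
    "active": True,
    "client_id": "s6BhdRkqt3",
    "scope": "dpv:FraudPreventionAndDetection sim-swap:check sim-swap:retrieve-date",
}
```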

CIBA authentication request with one purpose and two scopes

See CIBA authentication request

POST /bc-authorize HTTP/1.1
Host: server.example.com
Content-Type: application/x-www-form-urlencoded

scope=openid%20dpv%3AFraudPreventionAndDetection%20sim-swap%3Acheck%20sim-swap%3Aretrieve-date&
login_hint=tel%3A%2B34666666666