From 0a8fcb9df5cfc953b480997b36a81175ff20c15a Mon Sep 17 00:00:00 2001
From: Axel Nennker
Date: Mon, 6 May 2024 10:52:11 +0200
Subject: [PATCH 01/26] moved CAMARA-ICM-examples.md
---
documentation/CAMARA-ICM-examples.md | 352 +++++++++++++++++++++++++++
1 file changed, 352 insertions(+)
create mode 100644 documentation/CAMARA-ICM-examples.md
diff --git a/documentation/CAMARA-ICM-examples.md b/documentation/CAMARA-ICM-examples.md
new file mode 100644
index 00000000..ed192628
--- /dev/null
+++ b/documentation/CAMARA-ICM-examples.md
@@ -0,0 +1,352 @@ +# Identity and Consent Management Examples + +## Specifying One Purpose + +--- +**Note** + +Access tokens content or structure are not part of the OAuth2 nor the OIDC standard. In [RFC7662](https://datatracker.ietf.org/doc/html/rfc7662) only the field `active` is REQUIRED. +`scope` and all other fields are optional. [JSON Web Token](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1) defines some common claims. +RFC7662 response values serve as an **example** how an access token might look like. These access tokens might contain additional field carrying what Camara needs regarding "purpose" + +The scope `openid` is needed only in the request to specify that the request is an OpenId request. The scope `openid` is not needed in the access token. + +--- +**Note** + +This document uses the response of the token-introspection endpoint as per RFC7662 to describe an access token. +This document does not say that the access token is self-contained or not. + +--- + +### Purpose as a scope: Requesting one purpose, two scopes of the same API + +#### OIDC authorization code flow with one purpose as scope + +``` +GET /authorize? 
+ response_type=code + &scope=openid%20dpv%3AFraudPreventionAndDetection%20check-sim-swap%20retrieve-sim-swap-date + &client_id=s6BhdRkqt3 + &state=af0ifjsldkj + &redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb HTTP/1.1 +Host: server.example.com +``` + +#### RFC9101 request object with one purpose as scope + +``` +{ + "iss": "s6BhdRkqt3", + "aud": "https://server.example.com", + "response_type": "code", + "client_id": "s6BhdRkqt3", + "redirect_uri": "https://client.example.org/cb", + "scope": "openid dpv:FraudPreventionAndDetection check-sim-swap retrieve-sim-swap-date", + "state": "af0ifjsldkj", + "nonce": "n-0S6_WzA2Mj", + "max_age": 86400 +} +``` + + +### Requesting one purpose, two scopes of the same API with purpose encoded in scope + +#### OIDC authorization code flow with two scopes and one purpose + +``` +GET /authorize? + response_type=code + &scope=openid%20dpv%3AFraudPreventionAndDetection%23check-sim-swap%20dpv%3AFraudPreventionAndDetection%23retrieve-sim-swap-date + &client_id=s6BhdRkqt3 + &state=af0ifjsldkj + &redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb HTTP/1.1 +Host: server.example.com +``` + +#### RFC9101 request object with two scopes and one purpose + +``` +{ + "iss": "s6BhdRkqt3", + "aud": "https://server.example.com", + "response_type": "code", + "client_id": "s6BhdRkqt3", + "redirect_uri": "https://client.example.org/cb", + "scope": "openid dpv:FraudPreventionAndDetection#check-sim-swap dpv:FraudPreventionAndDetection#retrieve-sim-swap-date", + "state": "af0ifjsldkj", + "nonce": "n-0S6_WzA2Mj", + "max_age": 86400 +} +``` + +### Purpose as a Authentication Request Parameter + +#### OIDC authorization code flow: with purpose as a Authentication Request Parameter + +``` +GET /authorize? 
+ response_type=code + &purpose=dpv%3AFraudPreventionAndDetection + &scope=openid%20check-sim-swap%20retrieve-sim-swap-date + &client_id=s6BhdRkqt3 + &state=af0ifjsldkj + &redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb HTTP/1.1 +Host: server.example.com +``` + +#### RFC9101 request object with one purpose + +``` +{ + "iss": "s6BhdRkqt3", + "aud": "https://server.example.com", + "response_type": "code", + "client_id": "s6BhdRkqt3", + "redirect_uri": "https://client.example.org/cb", + "purpose": "dpv:FraudPreventionAndDetection" + "scope": "openid check-sim-swap retrieve-sim-swap-date", + "state": "af0ifjsldkj", + "nonce": "n-0S6_WzA2Mj", + "max_age": 86400 +} +``` + +### Use Rich Authorization Request to convey one purpose + +``` +GET /authorize? + response_type=code + &authorization_details=%5B%7B%22type%22%3A%22org.camaraproject.simswap%22%2C%22purpose%22%3A%22dpv%3AFraudPreventionAndDetection%22%7D%5D + &scope=openid%20check-sim-swap%20retrieve-sim-swap-date + &client_id=s6BhdRkqt3 + &state=af0ifjsldkj + &redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb HTTP/1.1 +Host: server.example.com +``` + +#### RFC9101 request object `authorization_details` one purpose + +``` +{ + "iss": "s6BhdRkqt3", + "aud": "https://server.example.com", + "response_type": "code", + "client_id": "s6BhdRkqt3", + "redirect_uri": "https://client.example.org/cb", + "authorization_details": "[{"type":"org.camaraproject.simswap","purpose":"dpv:FraudPreventionAndDetection"}]" + "scope": "openid check-sim-swap retrieve-sim-swap-date", + "state": "af0ifjsldkj", + "nonce": "n-0S6_WzA2Mj", + "max_age": 86400 +} +``` + + +### RFC7662 response with two scopes, one purpose + +#### Access Token Variant 1 Response on introspecting an access token with string scope + +**Note**: The RS might have to split `purpose` and `technical-scope`. 
+ +``` +{ + "active": true, + "client_id": "s6BhdRkqt3", + "username": "jdoe", + "scope": "dpv:FraudPreventionAndDetection#check-sim-swap dpv:FraudPreventionAndDetection#retrieve-sim-swap-date", + "sub": "Z5O3upPC88QrAjx00dis", + "aud": "https://protected.example.net/resource", + "iss": "https://server.example.com/", + "exp": 1419356238, + "iat": 1419350238 +} +``` + +#### Access Token Variant 2 Response on introspecting an access token with scopes object + +``` +{ + "active": true, + "client_id": "s6BhdRkqt3", + "username": "jdoe", + "scopes": { + "check-sim-swap": ["dpv:FraudPreventionAndDetection"], + "retrieve-sim-swap-date": ["dpv:FraudPreventionAndDetection"] + }, + "sub": "Z5O3upPC88QrAjx00dis", + "aud": "https://protected.example.net/resource", + "iss": "https://server.example.com/", + "exp": 1419356238, + "iat": 1419350238 +} +``` + +## Specifying two purpose + +--- +**Note** + +These following examples are only here now to demonstrate extensibility of the different options in requesting `purpose`. +Please ignore for now otherwise. + +--- + +### Requesting two purpose, two scopes of the same API + +#### Two different purpose encoded in scope + +``` +GET /authorize? 
+ response_type=code + &scope=openid%20dpv%3AFraudPreventionAndDetection%23check-sim-swap%20dpv%Advertising%23retrieve-sim-swap-date + &client_id=s6BhdRkqt3 + &state=af0ifjsldkj + &redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb HTTP/1.1 +Host: server.example.com +``` + +#### RFC9101 request object two purpose + +``` +{ + "iss": "s6BhdRkqt3", + "aud": "https://server.example.com", + "response_type": "code", + "client_id": "s6BhdRkqt3", + "redirect_uri": "https://client.example.org/cb", + "scope": "openid dpv:FraudPreventionAndDetection#check-sim-swap dpv:Advertising#retrieve-sim-swap-date", + "state": "af0ifjsldkj", + "nonce": "n-0S6_WzA2Mj", + "max_age": 86400 +} +``` + +#### Two different purpose using RAR + + +##### Authorization Details JSON two purpose + +``` +[ + { + "type": "org.camaraproject.simswap", + "purpose": "dpv:Advertising", + "location": "/retrieve-date" + }, + { + "type": "org.camaraproject.simswap", + "purpose": "dpv:FraudPreventionAndDetection", + "location": "/check" + } +] +``` + +``` +GET /authorize? 
+ response_type=code + &authorization_details=%5B%7B%22type%22%3A%22org.camaraproject.simswap%22%2C%22purpose%22%3A%22dpv%3AAdvertising%22%2C%22location%22%3A%22%2Fretrieve-date%22%7D%2C%7B%22type%22%3A%22org.camaraproject.simswap%22%2C%22purpose%22%3A%22dpv%3AFraudPreventionAndDetection%22%2C%22location%22%3A%22%2Fcheck%22%7D%5D + &scope=openid + &client_id=s6BhdRkqt3 + &state=af0ifjsldkj + &redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb HTTP/1.1 +Host: server.example.com +``` + +#### RFC9101 request object RAR two purpose + +``` +{ + "iss": "s6BhdRkqt3", + "aud": "https://server.example.com", + "response_type": "code", + "client_id": "s6BhdRkqt3", + "redirect_uri": "https://client.example.org/cb", + "authorization_details": [ + { + "type": "org.camaraproject.simswap", + "purpose": "dpv:Advertising", + "location": "/retrieve-date" + }, + { + "type": "org.camaraproject.simswap", + "purpose": "dpv:FraudPreventionAndDetection", + "location": "/check" + } + ], + "scope": "openid", + "state": "af0ifjsldkj", + "nonce": "n-0S6_WzA2Mj", + "max_age": 86400 +} +``` + +### RFC7662 response: two scopes, two purpose + +Please note again that access token content or structure are not part of the OAuth2 nor the OIDC standard. These are examples. + +#### Access Token Variant 1 Response on introspecting an access token with two purpose + +**Note**: The RS might have to split `purpose` and `technical-scope`. + +``` +{ + "active": true, + "client_id": "s6BhdRkqt3", + "username": "jdoe", + "scope": "dpv:FraudPreventionAndDetection#check-sim-swap dpv:Advertising#retrieve-sim-swap-date", + "sub": "Z5O3upPC88QrAjx00dis", + "aud": "https://protected.example.net/resource", + "iss": "https://server.example.com/", + "exp": 1419356238, + "iat": 1419350238 +} +``` + +#### Access Token Variant 2 Response on introspecting an access token with two purpose + +**Note**: The value of the `technical-scope` is an array of `purpose`, so one `technical-scope` can have different `purpose` values. 
+ +``` +{ + "active": true, + "client_id": "s6BhdRkqt3", + "username": "jdoe", + "scopes": { + "check-sim-swap": ["dpv:FraudPreventionAndDetection"], + "retrieve-sim-swap-date": ["dpv:Advertising"] + }, + "sub": "Z5O3upPC88QrAjx00dis", + "aud": "https://protected.example.net/resource", + "iss": "https://server.example.com/", + "exp": 1419356238, + "iat": 1419350238 +} +``` + +#### Access Token Variant 3 Response on introspecting an access token with two purpose and RAR + +**Note**: [RAR suggests replacing `scope` by `location`](https://www.rfc-editor.org/rfc/rfc9396#name-relationship-to-the-scope-p). `location` is the path-element in openapi.yaml e.g. [sim_swap.yaml](https://github.com/camaraproject/SimSwap/blob/main/code/API_definitions/sim_swap.yaml). + +``` +{ + "active": true, + "client_id": "s6BhdRkqt3", + "username": "jdoe", + "locations": { + "/check": ["dpv:FraudPreventionAndDetection"], + "/retrieve-sim-swap-date/retrieve-date": ["dpv:Advertising"] + }, + "sub": "Z5O3upPC88QrAjx00dis", + "aud": "https://protected.example.net/resource", + "iss": "https://server.example.com/", + "exp": 1419356238, + "iat": 1419350238 +} +``` + + + + + + From 63e931ed88f95c8ac93b1faa21cda312f3d9f70f Mon Sep 17 00:00:00 2001 From: Axel Nennker Date: Mon, 6 May 2024 15:45:17 +0200 Subject: [PATCH 02/26] use the scopes as currently defined in simswap API --- documentation/CAMARA-ICM-examples.md | 36 ++++++++++++++-------------- 1 file changed, 18 insertions(+), 18 deletions(-) diff --git a/documentation/CAMARA-ICM-examples.md b/documentation/CAMARA-ICM-examples.md index ed192628..c6717d28 100644 --- a/documentation/CAMARA-ICM-examples.md +++ b/documentation/CAMARA-ICM-examples.md 
@@ -26,7 +26,7 @@ This document does not say that the access token is self-contained or not. ``` GET /authorize? response_type=code - &scope=openid%20dpv%3AFraudPreventionAndDetection%20check-sim-swap%20retrieve-sim-swap-date + &scope=openid%20dpv%3AFraudPreventionAndDetection%20sim-swap%3Acheck%20sim-swap%3Aretrieve-date &client_id=s6BhdRkqt3 &state=af0ifjsldkj &redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb HTTP/1.1 @@ -42,7 +42,7 @@ Host: server.example.com "response_type": "code", "client_id": "s6BhdRkqt3", "redirect_uri": "https://client.example.org/cb", - "scope": "openid dpv:FraudPreventionAndDetection check-sim-swap retrieve-sim-swap-date", + "scope": "openid dpv:FraudPreventionAndDetection sim-swap:check sim-swap:retrieve-date", "state": "af0ifjsldkj", "nonce": "n-0S6_WzA2Mj", "max_age": 86400 @@ -57,7 +57,7 @@ Host: server.example.com ``` GET /authorize? response_type=code - &scope=openid%20dpv%3AFraudPreventionAndDetection%23check-sim-swap%20dpv%3AFraudPreventionAndDetection%23retrieve-sim-swap-date + &scope=openid%20dpv%3AFraudPreventionAndDetection%23sim-swap%3Acheck%20dpv%3AFraudPreventionAndDetection%23sim-swap%3Aretrieve-date &client_id=s6BhdRkqt3 &state=af0ifjsldkj &redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb HTTP/1.1 @@ -73,7 +73,7 @@ Host: server.example.com "response_type": "code", "client_id": "s6BhdRkqt3", "redirect_uri": "https://client.example.org/cb", - "scope": "openid dpv:FraudPreventionAndDetection#check-sim-swap dpv:FraudPreventionAndDetection#retrieve-sim-swap-date", + "scope": "openid dpv:FraudPreventionAndDetection#sim-swap:check dpv:FraudPreventionAndDetection#sim-swap:retrieve-date", "state": "af0ifjsldkj", "nonce": "n-0S6_WzA2Mj", "max_age": 86400 
@@ -82,13 +82,13 @@ Host: server.example.com ### Purpose as a Authentication Request Parameter -#### OIDC authorization code flow: with purpose as a Authentication Request Parameter +#### OIDC authorization code flow with purpose as a Authentication Request Parameter ``` GET /authorize? response_type=code &purpose=dpv%3AFraudPreventionAndDetection - &scope=openid%20check-sim-swap%20retrieve-sim-swap-date + &scope=openid%20sim-swap%3Acheck%20sim-swap%3Aretrieve-date &client_id=s6BhdRkqt3 &state=af0ifjsldkj &redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb HTTP/1.1 @@ -105,7 +105,7 @@ Host: server.example.com "client_id": "s6BhdRkqt3", "redirect_uri": "https://client.example.org/cb", "purpose": "dpv:FraudPreventionAndDetection" - "scope": "openid check-sim-swap retrieve-sim-swap-date", + "scope": "openid sim-swap:check sim-swap:retrieve-date", "state": "af0ifjsldkj", "nonce": "n-0S6_WzA2Mj", "max_age": 86400 @@ -118,7 +118,7 @@ Host: server.example.com GET /authorize? response_type=code &authorization_details=%5B%7B%22type%22%3A%22org.camaraproject.simswap%22%2C%22purpose%22%3A%22dpv%3AFraudPreventionAndDetection%22%7D%5D - &scope=openid%20check-sim-swap%20retrieve-sim-swap-date + &scope=openid%20sim-swap:check%20sim-swap:retrieve-date &client_id=s6BhdRkqt3 &state=af0ifjsldkj &redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb HTTP/1.1 @@ -135,7 +135,7 @@ Host: server.example.com "client_id": "s6BhdRkqt3", "redirect_uri": "https://client.example.org/cb", "authorization_details": "[{"type":"org.camaraproject.simswap","purpose":"dpv:FraudPreventionAndDetection"}]" - "scope": "openid check-sim-swap retrieve-sim-swap-date", + "scope": "openid sim-swap:check sim-swap:retrieve-date", "state": "af0ifjsldkj", "nonce": "n-0S6_WzA2Mj", "max_age": 86400 
@@ -154,7 +154,7 @@ Host: server.example.com "active": true, "client_id": "s6BhdRkqt3", "username": "jdoe", - "scope": "dpv:FraudPreventionAndDetection#check-sim-swap dpv:FraudPreventionAndDetection#retrieve-sim-swap-date", + "scope": "dpv:FraudPreventionAndDetection#sim-swap:check dpv:FraudPreventionAndDetection#sim-swap:retrieve-date", "sub": "Z5O3upPC88QrAjx00dis", "aud": "https://protected.example.net/resource", "iss": "https://server.example.com/", @@ -171,8 +171,8 @@ Host: server.example.com "client_id": "s6BhdRkqt3", "username": "jdoe", "scopes": { - "check-sim-swap": ["dpv:FraudPreventionAndDetection"], - "retrieve-sim-swap-date": ["dpv:FraudPreventionAndDetection"] + "sim-swap:check": ["dpv:FraudPreventionAndDetection"], + "sim-swap:retrieve-date": ["dpv:FraudPreventionAndDetection"] }, "sub": "Z5O3upPC88QrAjx00dis", "aud": "https://protected.example.net/resource", @@ -199,7 +199,7 @@ Please ignore for now otherwise. ``` GET /authorize? response_type=code - &scope=openid%20dpv%3AFraudPreventionAndDetection%23check-sim-swap%20dpv%Advertising%23retrieve-sim-swap-date + &scope=openid%20dpv%3AFraudPreventionAndDetection%23sim-swap%3Acheck%20dpvvertising%23sim-swap%3Aretrieve-date &client_id=s6BhdRkqt3 &state=af0ifjsldkj &redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb HTTP/1.1 @@ -215,7 +215,7 @@ Host: server.example.com "response_type": "code", "client_id": "s6BhdRkqt3", "redirect_uri": "https://client.example.org/cb", - "scope": "openid dpv:FraudPreventionAndDetection#check-sim-swap dpv:Advertising#retrieve-sim-swap-date", + "scope": "openid dpv:FraudPreventionAndDetection#sim-swap:check dpv:Advertising#sim-swap:retrieve-date", "state": "af0ifjsldkj", "nonce": "n-0S6_WzA2Mj", "max_age": 86400 
@@ -294,7 +294,7 @@ Please note again that access token content or structure are not part of the OAu "active": true, "client_id": "s6BhdRkqt3", "username": "jdoe", - "scope": "dpv:FraudPreventionAndDetection#check-sim-swap dpv:Advertising#retrieve-sim-swap-date", + "scope": "dpv:FraudPreventionAndDetection#sim-swap:check dpv:Advertising#sim-swap:retrieve-date", "sub": "Z5O3upPC88QrAjx00dis", "aud": "https://protected.example.net/resource", "iss": "https://server.example.com/", @@ -313,8 +313,8 @@ Please note again that access token content or structure are not part of the OAu "client_id": "s6BhdRkqt3", "username": "jdoe", "scopes": { - "check-sim-swap": ["dpv:FraudPreventionAndDetection"], - "retrieve-sim-swap-date": ["dpv:Advertising"] + "sim-swap:check": ["dpv:FraudPreventionAndDetection"], + "sim-swap:retrieve-date": ["dpv:Advertising"] }, "sub": "Z5O3upPC88QrAjx00dis", "aud": "https://protected.example.net/resource", @@ -335,7 +335,7 @@ Please note again that access token content or structure are not part of the OAu "username": "jdoe", "locations": { "/check": ["dpv:FraudPreventionAndDetection"], - "/retrieve-sim-swap-date/retrieve-date": ["dpv:Advertising"] + "/retrieve-date": ["dpv:Advertising"] }, "sub": "Z5O3upPC88QrAjx00dis", "aud": "https://protected.example.net/resource", From d9183a4289c2d98167830b3eff5e336a369e8ccb Mon Sep 17 00:00:00 2001 From: Axel Nennker Date: Mon, 6 May 2024 15:49:46 +0200 Subject: [PATCH 03/26] Better RAR in Access Token Variant 3 Response on introspecting an access token with two purpose and RAR --- documentation/CAMARA-ICM-examples.md | 18 ++++++++++++------ 1 file changed, 12 insertions(+), 6 deletions(-) diff --git a/documentation/CAMARA-ICM-examples.md b/documentation/CAMARA-ICM-examples.md index c6717d28..68fa5181 100644 --- a/documentation/CAMARA-ICM-examples.md +++ b/documentation/CAMARA-ICM-examples.md 
@@ -326,17 +326,23 @@ Please note again that access token content or structure are not part of the OAu #### Access Token Variant 3 Response on introspecting an access token with two purpose and RAR -**Note**: [RAR suggests replacing `scope` by `location`](https://www.rfc-editor.org/rfc/rfc9396#name-relationship-to-the-scope-p). `location` is the path-element in openapi.yaml e.g. [sim_swap.yaml](https://github.com/camaraproject/SimSwap/blob/main/code/API_definitions/sim_swap.yaml). - ``` { "active": true, "client_id": "s6BhdRkqt3", "username": "jdoe", - "locations": { - "/check": ["dpv:FraudPreventionAndDetection"], - "/retrieve-date": ["dpv:Advertising"] - }, + "authorization_details": [ + { + "type": "org.camaraproject.simswap", + "purpose": "dpv:Advertising", + "location": "/retrieve-date" + }, + { + "type": "org.camaraproject.simswap", + "purpose": "dpv:FraudPreventionAndDetection", + "location": "/check" + } + ], "sub": "Z5O3upPC88QrAjx00dis", "aud": "https://protected.example.net/resource", "iss": "https://server.example.com/", From 7272869c3274637c8981124af6d82bff9448f837 Mon Sep 17 00:00:00 2001 From: Axel Nennker Date: Mon, 6 May 2024 16:23:34 +0200 Subject: [PATCH 04/26] api independent type --- documentation/CAMARA-ICM-examples.md | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/documentation/CAMARA-ICM-examples.md b/documentation/CAMARA-ICM-examples.md index 68fa5181..18e814fd 100644 --- a/documentation/CAMARA-ICM-examples.md +++ b/documentation/CAMARA-ICM-examples.md 
@@ -117,7 +117,7 @@ Host: server.example.com ``` GET /authorize? response_type=code - &authorization_details=%5B%7B%22type%22%3A%22org.camaraproject.simswap%22%2C%22purpose%22%3A%22dpv%3AFraudPreventionAndDetection%22%7D%5D + &authorization_details=%5B%7B%22type%22%3A%22org.camaraproject.purpose%22%2C%22purpose%22%3A%22dpv%3AFraudPreventionAndDetection%22%7D%5D &scope=openid%20sim-swap:check%20sim-swap:retrieve-date &client_id=s6BhdRkqt3 &state=af0ifjsldkj @@ -134,7 +134,7 @@ Host: server.example.com "response_type": "code", "client_id": "s6BhdRkqt3", "redirect_uri": "https://client.example.org/cb", - "authorization_details": "[{"type":"org.camaraproject.simswap","purpose":"dpv:FraudPreventionAndDetection"}]" + "authorization_details": "[{"type":"org.camaraproject.purpose","purpose":"dpv:FraudPreventionAndDetection"}]" "scope": "openid sim-swap:check sim-swap:retrieve-date", "state": "af0ifjsldkj", "nonce": "n-0S6_WzA2Mj", @@ -230,12 +230,12 @@ Host: server.example.com ``` [ { - "type": "org.camaraproject.simswap", + "type": "org.camaraproject.purpose", "purpose": "dpv:Advertising", "location": "/retrieve-date" }, { - "type": "org.camaraproject.simswap", + "type": "org.camaraproject.purpose", "purpose": "dpv:FraudPreventionAndDetection", "location": "/check" } 
@@ -245,7 +245,7 @@ Host: server.example.com ``` GET /authorize? response_type=code - &authorization_details=%5B%7B%22type%22%3A%22org.camaraproject.simswap%22%2C%22purpose%22%3A%22dpv%3AAdvertising%22%2C%22location%22%3A%22%2Fretrieve-date%22%7D%2C%7B%22type%22%3A%22org.camaraproject.simswap%22%2C%22purpose%22%3A%22dpv%3AFraudPreventionAndDetection%22%2C%22location%22%3A%22%2Fcheck%22%7D%5D + &authorization_details=%5B%7B%22type%22%3A%22org.camaraproject.purpose%22%2C%22purpose%22%3A%22dpv%3AAdvertising%22%2C%22location%22%3A%22%2Fretrieve-date%22%7D%2C%7B%22type%22%3A%22org.camaraproject.purpose%22%2C%22purpose%22%3A%22dpv%3AFraudPreventionAndDetection%22%2C%22location%22%3A%22%2Fcheck%22%7D%5D &scope=openid &client_id=s6BhdRkqt3 &state=af0ifjsldkj @@ -264,12 +264,12 @@ Host: server.example.com "redirect_uri": "https://client.example.org/cb", "authorization_details": [ { - "type": "org.camaraproject.simswap", + "type": "org.camaraproject.purpose", "purpose": "dpv:Advertising", "location": "/retrieve-date" }, { - "type": "org.camaraproject.simswap", + "type": "org.camaraproject.purpose", "purpose": "dpv:FraudPreventionAndDetection", "location": "/check" } @@ -333,12 +333,12 @@ Please note again that access token content or structure are not part of the OAu "username": "jdoe", "authorization_details": [ { - "type": "org.camaraproject.simswap", + "type": "org.camaraproject.purpose", "purpose": "dpv:Advertising", "location": "/retrieve-date" }, { - "type": "org.camaraproject.simswap", + "type": "org.camaraproject.purpose", "purpose": "dpv:FraudPreventionAndDetection", "location": "/check" } From 8d6e23ef381369318d5e5f809537b358aaa0e27d Mon Sep 17 00:00:00 2001 From: Axel Nennker Date: Mon, 6 May 2024 16:44:00 +0200 Subject: [PATCH 05/26] locations is an array --- documentation/CAMARA-ICM-examples.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) 
diff --git a/documentation/CAMARA-ICM-examples.md b/documentation/CAMARA-ICM-examples.md index 18e814fd..e6a7adf5 100644 --- a/documentation/CAMARA-ICM-examples.md +++ b/documentation/CAMARA-ICM-examples.md @@ -333,14 +333,14 @@ Please note again that access token content or structure are not part of the OAu "username": "jdoe", "authorization_details": [ { - "type": "org.camaraproject.purpose", + "type": "org.camaraproject.sim-swap", "purpose": "dpv:Advertising", - "location": "/retrieve-date" + "locations": ["/retrieve-date"] }, { - "type": "org.camaraproject.purpose", + "type": "org.camaraproject.sim-swap", "purpose": "dpv:FraudPreventionAndDetection", - "location": "/check" + "locations": ["/check"] } ], "sub": "Z5O3upPC88QrAjx00dis", From fc50526f0e49ac657f92905c607135be56e04ed5 Mon Sep 17 00:00:00 2001 From: Axel Nennker Date: Mon, 6 May 2024 16:47:43 +0200 Subject: [PATCH 06/26] locations is an array --- documentation/CAMARA-ICM-examples.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/documentation/CAMARA-ICM-examples.md b/documentation/CAMARA-ICM-examples.md index e6a7adf5..ce77ee77 100644 --- a/documentation/CAMARA-ICM-examples.md +++ b/documentation/CAMARA-ICM-examples.md @@ -230,14 +230,14 @@ Host: server.example.com ``` [ { - "type": "org.camaraproject.purpose", + "type": "org.camaraproject.sim-swap", "purpose": "dpv:Advertising", - "location": "/retrieve-date" + "locations": ["/retrieve-date"] }, { - "type": "org.camaraproject.purpose", + "type": "org.camaraproject.sim-swap", "purpose": "dpv:FraudPreventionAndDetection", - "location": "/check" + "locations": ["/check"] } ] ``` From c662fcb30ff303e59572e51ba2aa286d6277b422 Mon Sep 17 00:00:00 2001 From: Axel Nennker Date: Fri, 10 May 2024 12:08:26 +0200 Subject: [PATCH 07/26] removed "Purpose as a Authentication Request Parameter" example --- documentation/CAMARA-ICM-examples.md | 31 ---------------------------- 1 file changed, 31 deletions(-) 
diff --git a/documentation/CAMARA-ICM-examples.md b/documentation/CAMARA-ICM-examples.md index ce77ee77..1d141165 100644 --- a/documentation/CAMARA-ICM-examples.md +++ b/documentation/CAMARA-ICM-examples.md @@ -80,37 +80,6 @@ Host: server.example.com } ``` -### Purpose as a Authentication Request Parameter - -#### OIDC authorization code flow with purpose as a Authentication Request Parameter - -``` -GET /authorize? - response_type=code - &purpose=dpv%3AFraudPreventionAndDetection - &scope=openid%20sim-swap%3Acheck%20sim-swap%3Aretrieve-date - &client_id=s6BhdRkqt3 - &state=af0ifjsldkj - &redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb HTTP/1.1 -Host: server.example.com -``` - -#### RFC9101 request object with one purpose - -``` -{ - "iss": "s6BhdRkqt3", - "aud": "https://server.example.com", - "response_type": "code", - "client_id": "s6BhdRkqt3", - "redirect_uri": "https://client.example.org/cb", - "purpose": "dpv:FraudPreventionAndDetection" - "scope": "openid sim-swap:check sim-swap:retrieve-date", - "state": "af0ifjsldkj", - "nonce": "n-0S6_WzA2Mj", - "max_age": 86400 -} -``` ### Use Rich Authorization Request to convey one purpose From 72998509cd4526bd9eed51dc5d545cdd7ab10145 Mon Sep 17 00:00:00 2001 From: Axel Nennker Date: Fri, 10 May 2024 12:11:50 +0200 Subject: [PATCH 08/26] Add note to RAR example --- documentation/CAMARA-ICM-examples.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/documentation/CAMARA-ICM-examples.md b/documentation/CAMARA-ICM-examples.md index 1d141165..333859f0 100644 --- a/documentation/CAMARA-ICM-examples.md +++ b/documentation/CAMARA-ICM-examples.md @@ -83,6 +83,13 @@ Host: server.example.com ### Use Rich Authorization Request to convey one purpose +--- +**Note** + +Please note that Rich Authorization Request examples are here to help in the discussion how RAR might be used in Camara **in the FUTURE** + +--- + ``` GET /authorize? response_type=code From 82f3bc6568cf3af0523aa50c14ce000e6e2ee850 Mon Sep 17 00:00:00 2001 
From: Axel Nennker Date: Fri, 10 May 2024 12:13:26 +0200 Subject: [PATCH 09/26] removed "purpose encoded in scope" example --- documentation/CAMARA-ICM-examples.md | 31 ---------------------------- 1 file changed, 31 deletions(-) diff --git a/documentation/CAMARA-ICM-examples.md b/documentation/CAMARA-ICM-examples.md index 333859f0..8746e125 100644 --- a/documentation/CAMARA-ICM-examples.md +++ b/documentation/CAMARA-ICM-examples.md @@ -50,37 +50,6 @@ Host: server.example.com ``` -### Requesting one purpose, two scopes of the same API with purpose encoded in scope - -#### OIDC authorization code flow with two scopes and one purpose - -``` -GET /authorize? - response_type=code - &scope=openid%20dpv%3AFraudPreventionAndDetection%23sim-swap%3Acheck%20dpv%3AFraudPreventionAndDetection%23sim-swap%3Aretrieve-date - &client_id=s6BhdRkqt3 - &state=af0ifjsldkj - &redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb HTTP/1.1 -Host: server.example.com -``` - -#### RFC9101 request object with two scopes and one purpose - -``` -{ - "iss": "s6BhdRkqt3", - "aud": "https://server.example.com", - "response_type": "code", - "client_id": "s6BhdRkqt3", - "redirect_uri": "https://client.example.org/cb", - "scope": "openid dpv:FraudPreventionAndDetection#sim-swap:check dpv:FraudPreventionAndDetection#sim-swap:retrieve-date", - "state": "af0ifjsldkj", - "nonce": "n-0S6_WzA2Mj", - "max_age": 86400 -} -``` - - ### Use Rich Authorization Request to convey one purpose --- From 40207a8b0f4c1ffcae3801cb706469b908cc820c Mon Sep 17 00:00:00 2001 From: Axel Nennker Date: Fri, 10 May 2024 12:24:15 +0200 Subject: [PATCH 10/26] remove non-RAR two-purpose examples --- documentation/CAMARA-ICM-examples.md | 116 +-------------------------- 1 file changed, 2 insertions(+), 114 deletions(-) diff --git a/documentation/CAMARA-ICM-examples.md b/documentation/CAMARA-ICM-examples.md index 8746e125..3e3588cc 100644 --- a/documentation/CAMARA-ICM-examples.md +++ b/documentation/CAMARA-ICM-examples.md 
@@ -88,90 +88,20 @@ Host: server.example.com ``` -### RFC7662 response with two scopes, one purpose - -#### Access Token Variant 1 Response on introspecting an access token with string scope - -**Note**: The RS might have to split `purpose` and `technical-scope`. - -``` -{ - "active": true, - "client_id": "s6BhdRkqt3", - "username": "jdoe", - "scope": "dpv:FraudPreventionAndDetection#sim-swap:check dpv:FraudPreventionAndDetection#sim-swap:retrieve-date", - "sub": "Z5O3upPC88QrAjx00dis", - "aud": "https://protected.example.net/resource", - "iss": "https://server.example.com/", - "exp": 1419356238, - "iat": 1419350238 -} -``` - -#### Access Token Variant 2 Response on introspecting an access token with scopes object - -``` -{ - "active": true, - "client_id": "s6BhdRkqt3", - "username": "jdoe", - "scopes": { - "sim-swap:check": ["dpv:FraudPreventionAndDetection"], - "sim-swap:retrieve-date": ["dpv:FraudPreventionAndDetection"] - }, - "sub": "Z5O3upPC88QrAjx00dis", - "aud": "https://protected.example.net/resource", - "iss": "https://server.example.com/", - "exp": 1419356238, - "iat": 1419350238 -} -``` - ## Specifying two purpose --- **Note** These following examples are only here now to demonstrate extensibility of the different options in requesting `purpose`. -Please ignore for now otherwise. +Please ignore for now. --- -### Requesting two purpose, two scopes of the same API - -#### Two different purpose encoded in scope - -``` -GET /authorize? 
- response_type=code - &scope=openid%20dpv%3AFraudPreventionAndDetection%23sim-swap%3Acheck%20dpvvertising%23sim-swap%3Aretrieve-date - &client_id=s6BhdRkqt3 - &state=af0ifjsldkj - &redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb HTTP/1.1 -Host: server.example.com -``` - -#### RFC9101 request object two purpose -``` -{ - "iss": "s6BhdRkqt3", - "aud": "https://server.example.com", - "response_type": "code", - "client_id": "s6BhdRkqt3", - "redirect_uri": "https://client.example.org/cb", - "scope": "openid dpv:FraudPreventionAndDetection#sim-swap:check dpv:Advertising#sim-swap:retrieve-date", - "state": "af0ifjsldkj", - "nonce": "n-0S6_WzA2Mj", - "max_age": 86400 -} -``` #### Two different purpose using RAR - -##### Authorization Details JSON two purpose - ``` [ { 
@@ -226,50 +156,8 @@ Host: server.example.com } ``` -### RFC7662 response: two scopes, two purpose - -Please note again that access token content or structure are not part of the OAuth2 nor the OIDC standard. These are examples. - -#### Access Token Variant 1 Response on introspecting an access token with two purpose - -**Note**: The RS might have to split `purpose` and `technical-scope`. - -``` -{ - "active": true, - "client_id": "s6BhdRkqt3", - "username": "jdoe", - "scope": "dpv:FraudPreventionAndDetection#sim-swap:check dpv:Advertising#sim-swap:retrieve-date", - "sub": "Z5O3upPC88QrAjx00dis", - "aud": "https://protected.example.net/resource", - "iss": "https://server.example.com/", - "exp": 1419356238, - "iat": 1419350238 -} -``` - -#### Access Token Variant 2 Response on introspecting an access token with two purpose - -**Note**: The value of the `technical-scope` is an array of `purpose`, so one `technical-scope` can have different `purpose` values. - -``` -{ - "active": true, - "client_id": "s6BhdRkqt3", - "username": "jdoe", - "scopes": { - "sim-swap:check": ["dpv:FraudPreventionAndDetection"], - "sim-swap:retrieve-date": ["dpv:Advertising"] - }, - "sub": "Z5O3upPC88QrAjx00dis", - "aud": "https://protected.example.net/resource", - "iss": "https://server.example.com/", - "exp": 1419356238, - "iat": 1419350238 -} -``` -#### Access Token Variant 3 Response on introspecting an access token with two purpose and RAR +#### Response on introspecting an access token with two purpose and RAR ``` { From ad824a378d7d85025090159651928cb9e7d470dc Mon Sep 17 00:00:00 2001 From: Axel Nennker Date: Fri, 10 May 2024 12:33:17 +0200 Subject: [PATCH 11/26] Update CAMARA-ICM-examples.md --- documentation/CAMARA-ICM-examples.md | 21 ++++++--------------- 1 file changed, 6 insertions(+), 15 deletions(-) diff --git a/documentation/CAMARA-ICM-examples.md b/documentation/CAMARA-ICM-examples.md index 3e3588cc..43396405 100644 --- a/documentation/CAMARA-ICM-examples.md 
+++ b/documentation/CAMARA-ICM-examples.md @@ -7,7 +7,7 @@ Access tokens content or structure are not part of the OAuth2 nor the OIDC standard. In [RFC7662](https://datatracker.ietf.org/doc/html/rfc7662) only the field `active` is REQUIRED. `scope` and all other fields are optional. [JSON Web Token](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1) defines some common claims. -RFC7662 response values serve as an **example** how an access token might look like. These access tokens might contain additional field carrying what Camara needs regarding "purpose" +RFC7662 response values serve as an **example** how an access token might look like. These access tokens might contain additional fields carrying what Camara needs regarding "purpose" The scope `openid` is needed only in the request to specify that the request is an OpenId request. The scope `openid` is not needed in the access token. @@ -50,7 +50,7 @@ Host: server.example.com ``` -### Use Rich Authorization Request to convey one purpose +## Using Rich Authorization Request to convey purpose --- **Note** @@ -59,6 +59,9 @@ Please note that Rich Authorization Request examples are here to help in the dis --- +### Using Rich Authorization Request to convey one purpose + + ``` GET /authorize? response_type=code @@ -88,19 +91,7 @@ Host: server.example.com ``` -## Specifying two purpose - ---- -**Note** - -These following examples are only here now to demonstrate extensibility of the different options in requesting `purpose`. -Please ignore for now. - ---- - - - -#### Two different purpose using RAR +### Use Rich Authorization Request to convey two purpose ``` [ From 5b02c7bb80ac08e20b1c6677ff5f94479916d445 Mon Sep 17 00:00:00 2001 From: Axel Nennker Date: Fri, 10 May 2024 12:39:22 +0200 Subject: [PATCH 12/26] added note about type --- documentation/CAMARA-ICM-examples.md | 6 ++++++ 1 file changed, 6 insertions(+) 
diff --git a/documentation/CAMARA-ICM-examples.md b/documentation/CAMARA-ICM-examples.md index 43396405..fa81b30d 100644 --- a/documentation/CAMARA-ICM-examples.md +++ b/documentation/CAMARA-ICM-examples.md @@ -59,6 +59,12 @@ Please note that Rich Authorization Request examples are here to help in the dis --- +Please note that the `type` in the ONE purpose requests is `org.camaraproject.purpose` and thus NOT API-specific. + +In the TWO-or-more purpose request the `type` proposed to be API-specific. + +--- + ### Using Rich Authorization Request to convey one purpose From 44e54f04accc418f7b656e4da3c8c17e1fe9aca0 Mon Sep 17 00:00:00 2001 From: Axel Nennker Date: Wed, 22 May 2024 13:59:26 +0200 Subject: [PATCH 13/26] Update documentation/CAMARA-ICM-examples.md Co-authored-by: Ming Hui <134043190+mhfoo@users.noreply.github.com> --- documentation/CAMARA-ICM-examples.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/documentation/CAMARA-ICM-examples.md b/documentation/CAMARA-ICM-examples.md index fa81b30d..6f0799aa 100644 --- a/documentation/CAMARA-ICM-examples.md +++ b/documentation/CAMARA-ICM-examples.md @@ -45,7 +45,9 @@ Host: server.example.com "scope": "openid dpv:FraudPreventionAndDetection sim-swap:check sim-swap:retrieve-date", "state": "af0ifjsldkj", "nonce": "n-0S6_WzA2Mj", - "max_age": 86400 + "max_age": 86400, + "exp": 1419356238, + "iat": 1419350238 } ``` From 0cd9692094a7cf60b4fb4523e0459fc8ab538383 Mon Sep 17 00:00:00 2001 From: Axel Nennker Date: Wed, 22 May 2024 14:00:27 +0200 Subject: [PATCH 14/26] Update documentation/CAMARA-ICM-examples.md Co-authored-by: Ming Hui <134043190+mhfoo@users.noreply.github.com> --- documentation/CAMARA-ICM-examples.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/documentation/CAMARA-ICM-examples.md b/documentation/CAMARA-ICM-examples.md index 6f0799aa..e8878eba 100644 --- a/documentation/CAMARA-ICM-examples.md +++ b/documentation/CAMARA-ICM-examples.md 
@@ -94,7 +94,9 @@ Host: server.example.com "scope": "openid sim-swap:check sim-swap:retrieve-date", "state": "af0ifjsldkj", "nonce": "n-0S6_WzA2Mj", - "max_age": 86400 + "max_age": 86400, + "exp": 1419356238, + "iat": 1419350238 } ``` From c0adc5da66b39797551f3d870cc7a8668169c1d2 Mon Sep 17 00:00:00 2001 From: Axel Nennker Date: Wed, 22 May 2024 14:36:07 +0200 Subject: [PATCH 15/26] Update documentation/CAMARA-ICM-examples.md Co-authored-by: Elisabeth-Ericsson <121795930+Elisabeth-Ericsson@users.noreply.github.com> --- documentation/CAMARA-ICM-examples.md | 30 +++++++++++++++++++++++++++- 1 file changed, 29 insertions(+), 1 deletion(-) diff --git a/documentation/CAMARA-ICM-examples.md b/documentation/CAMARA-ICM-examples.md index e8878eba..7045fd2f 100644 --- a/documentation/CAMARA-ICM-examples.md +++ b/documentation/CAMARA-ICM-examples.md @@ -32,7 +32,35 @@ GET /authorize? &redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb HTTP/1.1 Host: server.example.com ``` - +#### Successful response redirecting the user agent +(with line wraps within values for display purposes only) + +HTTP/1.1 302 Found +Location: https://client.example.com/cb? +code=SplxlOBeZQQYbYS6WxSbIA& +state=af0ifjsldkj + +#### Access token request + +POST /token HTTP/1.1 +Host: server.example.com +Content-Type: application/x-www-form-urlencoded +grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA + &redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb + &client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer + &client_assertion=eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3Mi...... + +#### Successful response +HTTP/1.1 200 OK +Content-Type: application/json +{ + "access_token": "SlAV32hkKG", + "token_type": "Bearer", + "refresh_token": "8xLOxBtZp8", + "expires_in": 3600, + "id_token": "eyJhbGciOiJSUz....", + "scope": "openid dpv:FraudPreventionAndDetection sim-swap:check sim-swap:retrieve-date" +} #### RFC9101 request object with one purpose as scope ``` 
From 38b1bcaaae0bd44e8ec1b8e77728040eab437b29 Mon Sep 17 00:00:00 2001 From: Axel Nennker Date: Wed, 22 May 2024 15:44:33 +0200 Subject: [PATCH 16/26] Update documentation/CAMARA-ICM-examples.md Co-authored-by: Ming Hui <134043190+mhfoo@users.noreply.github.com> --- documentation/CAMARA-ICM-examples.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/documentation/CAMARA-ICM-examples.md b/documentation/CAMARA-ICM-examples.md index 7045fd2f..0844d5bf 100644 --- a/documentation/CAMARA-ICM-examples.md +++ b/documentation/CAMARA-ICM-examples.md @@ -181,7 +181,9 @@ Host: server.example.com "scope": "openid", "state": "af0ifjsldkj", "nonce": "n-0S6_WzA2Mj", - "max_age": 86400 + "max_age": 86400, + "exp": 1419356238, + "iat": 1419350238 } ``` From adff78ac9fdc971fe29554bd56755a10620c44aa Mon Sep 17 00:00:00 2001 From: Axel Nennker Date: Tue, 28 May 2024 12:33:22 +0200 Subject: [PATCH 17/26] Removed the RAR section --- documentation/CAMARA-ICM-examples.md | 136 --------------------------- 1 file changed, 136 deletions(-) diff --git a/documentation/CAMARA-ICM-examples.md b/documentation/CAMARA-ICM-examples.md index 0844d5bf..1b135d40 100644 --- a/documentation/CAMARA-ICM-examples.md +++ b/documentation/CAMARA-ICM-examples.md 
@@ -80,142 +80,6 @@ Content-Type: application/json ``` -## Using Rich Authorization Request to convey purpose - ---- -**Note** - -Please note that Rich Authorization Request examples are here to help in the discussion how RAR might be used in Camara **in the FUTURE** - ---- - -Please note that the `type` in the ONE purpose requests is `org.camaraproject.purpose` and thus NOT API-specific. - -In the TWO-or-more purpose request the `type` proposed to be API-specific. - ---- - -### Using Rich Authorization Request to convey one purpose - - -``` -GET /authorize? - response_type=code - &authorization_details=%5B%7B%22type%22%3A%22org.camaraproject.purpose%22%2C%22purpose%22%3A%22dpv%3AFraudPreventionAndDetection%22%7D%5D - &scope=openid%20sim-swap:check%20sim-swap:retrieve-date - &client_id=s6BhdRkqt3 - &state=af0ifjsldkj - &redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb HTTP/1.1 -Host: server.example.com -``` - -#### RFC9101 request object `authorization_details` one purpose - -``` -{ - "iss": "s6BhdRkqt3", - "aud": "https://server.example.com", - "response_type": "code", - "client_id": "s6BhdRkqt3", - "redirect_uri": "https://client.example.org/cb", - "authorization_details": "[{"type":"org.camaraproject.purpose","purpose":"dpv:FraudPreventionAndDetection"}]" - "scope": "openid sim-swap:check sim-swap:retrieve-date", - "state": "af0ifjsldkj", - "nonce": "n-0S6_WzA2Mj", - "max_age": 86400, - "exp": 1419356238, - "iat": 1419350238 -} -``` - - -### Use Rich Authorization Request to convey two purpose - -``` -[ - { - "type": "org.camaraproject.sim-swap", - "purpose": "dpv:Advertising", - "locations": ["/retrieve-date"] - }, - { - "type": "org.camaraproject.sim-swap", - "purpose": "dpv:FraudPreventionAndDetection", - "locations": ["/check"] - } -] -``` - -``` -GET /authorize? 
- response_type=code - &authorization_details=%5B%7B%22type%22%3A%22org.camaraproject.purpose%22%2C%22purpose%22%3A%22dpv%3AAdvertising%22%2C%22location%22%3A%22%2Fretrieve-date%22%7D%2C%7B%22type%22%3A%22org.camaraproject.purpose%22%2C%22purpose%22%3A%22dpv%3AFraudPreventionAndDetection%22%2C%22location%22%3A%22%2Fcheck%22%7D%5D - &scope=openid - &client_id=s6BhdRkqt3 - &state=af0ifjsldkj - &redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb HTTP/1.1 -Host: server.example.com -``` - -#### RFC9101 request object RAR two purpose - -``` -{ - "iss": "s6BhdRkqt3", - "aud": "https://server.example.com", - "response_type": "code", - "client_id": "s6BhdRkqt3", - "redirect_uri": "https://client.example.org/cb", - "authorization_details": [ - { - "type": "org.camaraproject.purpose", - "purpose": "dpv:Advertising", - "location": "/retrieve-date" - }, - { - "type": "org.camaraproject.purpose", - "purpose": "dpv:FraudPreventionAndDetection", - "location": "/check" - } - ], - "scope": "openid", - "state": "af0ifjsldkj", - "nonce": "n-0S6_WzA2Mj", - "max_age": 86400, - "exp": 1419356238, - "iat": 1419350238 -} -``` - - -#### Response on introspecting an access token with two purpose and RAR - -``` -{ - "active": true, - "client_id": "s6BhdRkqt3", - "username": "jdoe", - "authorization_details": [ - { - "type": "org.camaraproject.sim-swap", - "purpose": "dpv:Advertising", - "locations": ["/retrieve-date"] - }, - { - "type": "org.camaraproject.sim-swap", - "purpose": "dpv:FraudPreventionAndDetection", - "locations": ["/check"] - } - ], - "sub": "Z5O3upPC88QrAjx00dis", - "aud": "https://protected.example.net/resource", - "iss": "https://server.example.com/", - "exp": 1419356238, - "iat": 1419350238 -} -``` - - From ffc39c50245a99a8c94f02c7b34104bb29665696 Mon Sep 17 00:00:00 2001 
From: Axel Nennker Date: Wed, 29 May 2024 15:57:04 +0200 Subject: [PATCH 18/26] added references to OIDC spec --- documentation/CAMARA-ICM-examples.md | 27 +++++++++++++++++++++++---- 1 file changed, 23 insertions(+), 4 deletions(-) diff --git a/documentation/CAMARA-ICM-examples.md b/documentation/CAMARA-ICM-examples.md index 1b135d40..2e12368e 100644 --- a/documentation/CAMARA-ICM-examples.md +++ b/documentation/CAMARA-ICM-examples.md @@ -23,6 +23,8 @@ This document does not say that the access token is self-contained or not. #### OIDC authorization code flow with one purpose as scope +See [OIDC Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest) + ``` GET /authorize? response_type=code 
@@ -32,25 +34,40 @@ GET /authorize? &redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb HTTP/1.1 Host: server.example.com ``` + #### Successful response redirecting the user agent + +See [OIDC Successful Authentication Response](https://openid.net/specs/openid-connect-core-1_0.html#AuthResponse) + (with line wraps within values for display purposes only) +``` HTTP/1.1 302 Found -Location: https://client.example.com/cb? -code=SplxlOBeZQQYbYS6WxSbIA& -state=af0ifjsldkj +Location: https://client.example.com/cb?code=SplxlOBeZQQYbYS6WxSbIA&state=af0ifjsldkj +``` #### Access token request -POST /token HTTP/1.1 +See [OIDC Token Request](https://openid.net/specs/openid-connect-core-1_0.html#TokenRequest) + + +``` +POST /token HTTP/1.1 + Host: server.example.com Content-Type: application/x-www-form-urlencoded + grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA &redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb &client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer &client_assertion=eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3Mi...... +``` #### Successful response + +See [OIDC Successful Token Response](https://openid.net/specs/openid-connect-core-1_0.html#TokenResponse) + +``` HTTP/1.1 200 OK Content-Type: application/json { @@ -61,6 +78,8 @@ Content-Type: application/json "id_token": "eyJhbGciOiJSUz....", "scope": "openid dpv:FraudPreventionAndDetection sim-swap:check sim-swap:retrieve-date" } +``` + #### RFC9101 request object with one purpose as scope ``` From 1f1a9e611a58a473d06212a97025d361887f5fe8 Mon Sep 17 00:00:00 2001 From: Axel Nennker Date: Wed, 29 May 2024 16:07:59 +0200 Subject: [PATCH 19/26] added an CIBA example --- documentation/CAMARA-ICM-examples.md | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/documentation/CAMARA-ICM-examples.md b/documentation/CAMARA-ICM-examples.md index 2e12368e..5ef75a68 100644 --- a/documentation/CAMARA-ICM-examples.md 
+++ b/documentation/CAMARA-ICM-examples.md @@ -98,6 +98,29 @@ Content-Type: application/json } ``` +#### CIBA authentication request with one purpose and two scopes + +See [CIBA authentication request](https://openid.net/specs/openid-client-initiated-backchannel-authentication-core-1_0.html#rfc.section.7.1) + +``` +POST /bc-authorize HTTP/1.1 + Host: server.example.com + Content-Type: application/x-www-form-urlencoded + + scope=openid%20dpv%3AFraudPreventionAndDetection%20sim-swap%3Acheck%20sim-swap%3Aretrieve-date& + client_notification_token=8d67dc78-7faa-4d41-aabd-67707b374255& + binding_message=W4SCT& + login_hint=tel%3A%2B34666666666& + client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3A + client-assertion-type%3Ajwt-bearer& + client_assertion=eyJraWQiOiJsdGFjZXNidyIsImFsZyI6IkVTMjU2In0.eyJ + pc3MiOiJzNkJoZFJrcXQzIiwic3ViIjoiczZCaGRSa3F0MyIsImF1ZCI6Imh0dHB + zOi8vc2VydmVyLmV4YW1wbGUuY29tIiwianRpIjoiYmRjLVhzX3NmLTNZTW80RlN + 6SUoyUSIsImlhdCI6MTUzNzgxOTQ4NiwiZXhwIjoxNTM3ODE5Nzc3fQ.Ybr8mg_3 + E2OptOSsA8rnelYO_y1L-yFaF_j1iemM3ntB61_GN3APe5cl_-5a6cvGlP154XAK + 7fL-GaZSdnd9kg +``` + From 9b27c31e75163c7a3ac1b69776b0698e2680cb8b Mon Sep 17 00:00:00 2001 From: Axel Nennker Date: Thu, 30 May 2024 16:33:18 +0200 Subject: [PATCH 20/26] removed binding_message and client_notification_token --- documentation/CAMARA-ICM-examples.md | 11 +---------- 1 file changed, 1 insertion(+), 10 deletions(-) diff --git a/documentation/CAMARA-ICM-examples.md b/documentation/CAMARA-ICM-examples.md index 5ef75a68..d6fdccc3 100644 --- a/documentation/CAMARA-ICM-examples.md +++ b/documentation/CAMARA-ICM-examples.md 
@@ -109,16 +109,7 @@ POST /bc-authorize HTTP/1.1 scope=openid%20dpv%3AFraudPreventionAndDetection%20sim-swap%3Acheck%20sim-swap%3Aretrieve-date& client_notification_token=8d67dc78-7faa-4d41-aabd-67707b374255& - binding_message=W4SCT& - login_hint=tel%3A%2B34666666666& - client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3A - client-assertion-type%3Ajwt-bearer& - client_assertion=eyJraWQiOiJsdGFjZXNidyIsImFsZyI6IkVTMjU2In0.eyJ - pc3MiOiJzNkJoZFJrcXQzIiwic3ViIjoiczZCaGRSa3F0MyIsImF1ZCI6Imh0dHB - zOi8vc2VydmVyLmV4YW1wbGUuY29tIiwianRpIjoiYmRjLVhzX3NmLTNZTW80RlN - 6SUoyUSIsImlhdCI6MTUzNzgxOTQ4NiwiZXhwIjoxNTM3ODE5Nzc3fQ.Ybr8mg_3 - E2OptOSsA8rnelYO_y1L-yFaF_j1iemM3ntB61_GN3APe5cl_-5a6cvGlP154XAK - 7fL-GaZSdnd9kg + login_hint=tel%3A%2B34666666666 ``` From 0c34d6f686fbf28d10502de9ccd288d338306b77 Mon Sep 17 00:00:00 2001 From: Axel Nennker Date: Thu, 30 May 2024 16:35:28 +0200 Subject: [PATCH 21/26] formatted POST request --- documentation/CAMARA-ICM-examples.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/documentation/CAMARA-ICM-examples.md b/documentation/CAMARA-ICM-examples.md index d6fdccc3..d051df9f 100644 --- a/documentation/CAMARA-ICM-examples.md +++ b/documentation/CAMARA-ICM-examples.md @@ -107,9 +107,9 @@ POST /bc-authorize HTTP/1.1 Host: server.example.com Content-Type: application/x-www-form-urlencoded - scope=openid%20dpv%3AFraudPreventionAndDetection%20sim-swap%3Acheck%20sim-swap%3Aretrieve-date& - client_notification_token=8d67dc78-7faa-4d41-aabd-67707b374255& - login_hint=tel%3A%2B34666666666 +scope=openid%20dpv%3AFraudPreventionAndDetection%20sim-swap%3Acheck%20sim-swap%3Aretrieve-date& +client_notification_token=8d67dc78-7faa-4d41-aabd-67707b374255& +login_hint=tel%3A%2B34666666666 ``` From 04b959ad9be7559e91206e3c4c8ab64b57b144ef Mon Sep 17 00:00:00 2001 
From: Axel Nennker Date: Fri, 31 May 2024 11:14:17 +0200 Subject: [PATCH 22/26] remove openid scope because this is not a request Co-authored-by: Shilpa Padgaonkar <77152136+shilpa-padgaonkar@users.noreply.github.com> --- documentation/CAMARA-ICM-examples.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/documentation/CAMARA-ICM-examples.md b/documentation/CAMARA-ICM-examples.md index d051df9f..8dec96ad 100644 --- a/documentation/CAMARA-ICM-examples.md +++ b/documentation/CAMARA-ICM-examples.md @@ -76,7 +76,7 @@ Content-Type: application/json "refresh_token": "8xLOxBtZp8", "expires_in": 3600, "id_token": "eyJhbGciOiJSUz....", - "scope": "openid dpv:FraudPreventionAndDetection sim-swap:check sim-swap:retrieve-date" + "scope": "dpv:FraudPreventionAndDetection sim-swap:check sim-swap:retrieve-date" } ``` From 09aee8757944c555ec267a7d12c0263c5d209ac2 Mon Sep 17 00:00:00 2001 From: Axel Nennker Date: Fri, 31 May 2024 16:50:10 +0200 Subject: [PATCH 23/26] removed client_notification_token Co-authored-by: Shilpa Padgaonkar <77152136+shilpa-padgaonkar@users.noreply.github.com> --- documentation/CAMARA-ICM-examples.md | 1 - 1 file changed, 1 deletion(-) diff --git a/documentation/CAMARA-ICM-examples.md b/documentation/CAMARA-ICM-examples.md index 8dec96ad..4d21f6f7 100644 --- a/documentation/CAMARA-ICM-examples.md +++ b/documentation/CAMARA-ICM-examples.md @@ -108,7 +108,6 @@ POST /bc-authorize HTTP/1.1 Content-Type: application/x-www-form-urlencoded scope=openid%20dpv%3AFraudPreventionAndDetection%20sim-swap%3Acheck%20sim-swap%3Aretrieve-date& -client_notification_token=8d67dc78-7faa-4d41-aabd-67707b374255& login_hint=tel%3A%2B34666666666 ``` From 33e1be397c27f5b2bb23f3326ddfb02ad62ad798 Mon Sep 17 00:00:00 2001 From: Axel Nennker Date: Fri, 31 May 2024 16:51:53 +0200 Subject: [PATCH 24/26] removed rfc9101 jar example --- documentation/CAMARA-ICM-examples.md | 18 ------------------ 1 file changed, 18 deletions(-) 
diff --git a/documentation/CAMARA-ICM-examples.md b/documentation/CAMARA-ICM-examples.md index 4d21f6f7..d6873f5c 100644 --- a/documentation/CAMARA-ICM-examples.md +++ b/documentation/CAMARA-ICM-examples.md @@ -80,24 +80,6 @@ Content-Type: application/json } ``` -#### RFC9101 request object with one purpose as scope - -``` -{ - "iss": "s6BhdRkqt3", - "aud": "https://server.example.com", - "response_type": "code", - "client_id": "s6BhdRkqt3", - "redirect_uri": "https://client.example.org/cb", - "scope": "openid dpv:FraudPreventionAndDetection sim-swap:check sim-swap:retrieve-date", - "state": "af0ifjsldkj", - "nonce": "n-0S6_WzA2Mj", - "max_age": 86400, - "exp": 1419356238, - "iat": 1419350238 -} -``` - #### CIBA authentication request with one purpose and two scopes See [CIBA authentication request](https://openid.net/specs/openid-client-initiated-backchannel-authentication-core-1_0.html#rfc.section.7.1) From 3653e913de334dcfb182d0c5486c26d5828bec69 Mon Sep 17 00:00:00 2001 From: Axel Nennker Date: Fri, 31 May 2024 17:07:50 +0200 Subject: [PATCH 25/26] removed (with line wraps within values for display purposes only) --- documentation/CAMARA-ICM-examples.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/documentation/CAMARA-ICM-examples.md b/documentation/CAMARA-ICM-examples.md index d6873f5c..03865e94 100644 --- a/documentation/CAMARA-ICM-examples.md +++ b/documentation/CAMARA-ICM-examples.md @@ -39,8 +39,6 @@ Host: server.example.com See [OIDC Successful Authentication Response](https://openid.net/specs/openid-connect-core-1_0.html#AuthResponse) -(with line wraps within values for display purposes only) - ``` HTTP/1.1 302 Found Location: https://client.example.com/cb?code=SplxlOBeZQQYbYS6WxSbIA&state=af0ifjsldkj From 63eb1bae84735bd2ddbfdb4829ead1ea3c2dbdea Mon Sep 17 00:00:00 2001 
From: Axel Nennker Date: Tue, 4 Jun 2024 09:18:37 +0200 Subject: [PATCH 26/26] changed text on scope MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Jesús Peña García-Oliva --- documentation/CAMARA-ICM-examples.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/documentation/CAMARA-ICM-examples.md b/documentation/CAMARA-ICM-examples.md index 03865e94..a2b371f1 100644 --- a/documentation/CAMARA-ICM-examples.md +++ b/documentation/CAMARA-ICM-examples.md @@ -9,7 +9,7 @@ Access tokens content or structure are not part of the OAuth2 nor the OIDC stand `scope` and all other fields are optional. [JSON Web Token](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1) defines some common claims. RFC7662 response values serve as an **example** how an access token might look like. These access tokens might contain additional fields carrying what Camara needs regarding "purpose" -The scope `openid` is needed only in the request to specify that the request is an OpenId request. The scope `openid` is not needed in the access token. +The `openid` scope is needed in the request to specify that the request is an OpenID Connect request. However, there is no explicit requirement to include the `openid` scope in the response. --- **Note**