CAMARA ICM-examples #148

Merged
merged 26 commits into from
Jun 4, 2024
Changes from 19 commits
0a8fcb9
moved CAMARA-ICM-examples.md
AxelNennker May 6, 2024
63e931e
use the scopes as currently defined in simswap API
AxelNennker May 6, 2024
d9183a4
Better RAR in Access Token Variant 3 Response on introspecting an acc…
AxelNennker May 6, 2024
7272869
api independent type
AxelNennker May 6, 2024
8d6e23e
locations is an array
AxelNennker May 6, 2024
fc50526
locations is an array
AxelNennker May 6, 2024
c662fcb
removed "Purpose as a Authentication Request Parameter" example
AxelNennker May 10, 2024
7299850
Add note to RAR example
AxelNennker May 10, 2024
82f3bc6
removed "purpose encoded in scope" example
AxelNennker May 10, 2024
40207a8
remove non-RAR two-purpose examples
AxelNennker May 10, 2024
ad824a3
Update CAMARA-ICM-examples.md
AxelNennker May 10, 2024
5b02c7b
added note about type
AxelNennker May 10, 2024
44e54f0
Update documentation/CAMARA-ICM-examples.md
AxelNennker May 22, 2024
0cd9692
Update documentation/CAMARA-ICM-examples.md
AxelNennker May 22, 2024
c0adc5d
Update documentation/CAMARA-ICM-examples.md
AxelNennker May 22, 2024
38b1bca
Update documentation/CAMARA-ICM-examples.md
AxelNennker May 22, 2024
adff78a
Removed the RAR section
AxelNennker May 28, 2024
ffc39c5
added references to OIDC spec
AxelNennker May 29, 2024
1f1a9e6
added a CIBA example
AxelNennker May 29, 2024
9b27c31
removed binding_message and client_notification_token
AxelNennker May 30, 2024
0c34d6f
formatted POST request
AxelNennker May 30, 2024
04b959a
remove openid scope because this is not a request
AxelNennker May 31, 2024
09aee87
removed client_notification_token
AxelNennker May 31, 2024
33e1be3
removed rfc9101 jar example
AxelNennker May 31, 2024
3653e91
removed (with line wraps within values for display purposes only)
AxelNennker May 31, 2024
63eb1ba
changed text on scope
AxelNennker Jun 4, 2024
128 changes: 128 additions & 0 deletions documentation/CAMARA-ICM-examples.md
@@ -0,0 +1,128 @@
# Identity and Consent Management Examples

## Specifying One Purpose

---
**Note**

Access tokens content or structure are not part of the OAuth2 nor the OIDC standard. In [RFC7662](https://datatracker.ietf.org/doc/html/rfc7662) only the field `active` is REQUIRED.
`scope` and all other fields are optional. [JSON Web Token](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1) defines some common claims.
RFC7662 response values serve as an **example** how an access token might look like. These access tokens might contain additional fields carrying what Camara needs regarding "purpose"

The scope `openid` is needed only in the request to specify that the request is an OpenId request. The scope `openid` is not needed in the access token.

---
**Note**

This document uses the response of the token-introspection endpoint as per RFC7662 to describe an access token.
This document does not say that the access token is self-contained or not.

---

### Purpose as a scope: Requesting one purpose, two scopes of the same API

#### OIDC authorization code flow with one purpose as scope

See [OIDC Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest)

```
GET /authorize?
response_type=code
&scope=openid%20dpv%3AFraudPreventionAndDetection%20sim-swap%3Acheck%20sim-swap%3Aretrieve-date
&client_id=s6BhdRkqt3
&state=af0ifjsldkj
&redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb HTTP/1.1
Host: server.example.com
```

#### Successful response redirecting the user agent

See [OIDC Successful Authentication Response](https://openid.net/specs/openid-connect-core-1_0.html#AuthResponse)

(with line wraps within values for display purposes only)

```
HTTP/1.1 302 Found
Location: https://client.example.com/cb?code=SplxlOBeZQQYbYS6WxSbIA&state=af0ifjsldkj
```

#### Access token request

See [OIDC Token Request](https://openid.net/specs/openid-connect-core-1_0.html#TokenRequest)


```
POST /token HTTP/1.1

Host: server.example.com
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA
&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb
&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer
&client_assertion=eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3Mi......
```

#### Successful response

See [OIDC Successful Token Response](https://openid.net/specs/openid-connect-core-1_0.html#TokenResponse)

```
HTTP/1.1 200 OK
Content-Type: application/json
{
"access_token": "SlAV32hkKG",
"token_type": "Bearer",
"refresh_token": "8xLOxBtZp8",
"expires_in": 3600,
"id_token": "eyJhbGciOiJSUz....",
"scope": "openid dpv:FraudPreventionAndDetection sim-swap:check sim-swap:retrieve-date"
}
```

#### RFC9101 request object with one purpose as scope

```
{
"iss": "s6BhdRkqt3",
"aud": "https://server.example.com",
"response_type": "code",
"client_id": "s6BhdRkqt3",
"redirect_uri": "https://client.example.org/cb",
"scope": "openid dpv:FraudPreventionAndDetection sim-swap:check sim-swap:retrieve-date",
"state": "af0ifjsldkj",
"nonce": "n-0S6_WzA2Mj",
"max_age": 86400,
"exp": 1419356238,
"iat": 1419350238
}
```

#### CIBA authentication request with one purpose and two scopes

See [CIBA authentication request](https://openid.net/specs/openid-client-initiated-backchannel-authentication-core-1_0.html#rfc.section.7.1)

```
POST /bc-authorize HTTP/1.1
Host: server.example.com
Content-Type: application/x-www-form-urlencoded

scope=openid%20dpv%3AFraudPreventionAndDetection%20sim-swap%3Acheck%20sim-swap%3Aretrieve-date&
client_notification_token=8d67dc78-7faa-4d41-aabd-67707b374255&
binding_message=W4SCT&
login_hint=tel%3A%2B34666666666&
client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3A
client-assertion-type%3Ajwt-bearer&
client_assertion=eyJraWQiOiJsdGFjZXNidyIsImFsZyI6IkVTMjU2In0.eyJ
pc3MiOiJzNkJoZFJrcXQzIiwic3ViIjoiczZCaGRSa3F0MyIsImF1ZCI6Imh0dHB
zOi8vc2VydmVyLmV4YW1wbGUuY29tIiwianRpIjoiYmRjLVhzX3NmLTNZTW80RlN
6SUoyUSIsImlhdCI6MTUzNzgxOTQ4NiwiZXhwIjoxNTM3ODE5Nzc3fQ.Ybr8mg_3
E2OptOSsA8rnelYO_y1L-yFaF_j1iemM3ntB61_GN3APe5cl_-5a6cvGlP154XAK
7fL-GaZSdnd9kg
```
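Review bot: the redirect_uri is inconsistent across the authorization code flow in this file: the authorization request (`&redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb`) and the RFC9101 request object (`"redirect_uri": "https://client.example.org/cb"`) use `client.example.org`, while the 302 `Location:` header and the token request (`&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb`) use `client.example.com`. RFC 6749 section 4.1.3 requires the redirect_uri in the token request to be identical to the one sent in the authorization request, so a conforming authorization server would reject this token request as written; pick one host and use it in all four places. Two smaller points in the CIBA section: the `client_assertion_type` value and the `client_assertion` JWT are wrapped across several lines, but the "line wraps within values for display purposes only" remark appears only under the authentication response, so it should be repeated here or the values kept on single lines; and since `client_notification_token` is only used in the ping and push delivery modes, the example should state which CIBA mode it assumes.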