From af94823f6dac3c7e6cb5b70898ca1b8d6f29d77b Mon Sep 17 00:00:00 2001 From: NigelSomerfieldPNZ Date: Tue, 19 Sep 2023 12:23:36 +1200 Subject: [PATCH 1/4] Update version number --- working/v3.0.0-rc2/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/working/v3.0.0-rc2/README.md b/working/v3.0.0-rc2/README.md index e3f0d28..705edaa 100644 --- a/working/v3.0.0-rc2/README.md +++ b/working/v3.0.0-rc2/README.md @@ -1,4 +1,4 @@ -# V3.0.0-rc1 schemas +# V3.0.0-rc2 schemas This folder contains schemas for the V3.0.0 security profile. This includes: From 8733ee1c9a3f37bfca58e8521fe86ca9d8faa18b Mon Sep 17 00:00:00 2001 From: NigelSomerfieldPNZ Date: Tue, 19 Sep 2023 12:26:26 +1200 Subject: [PATCH 2/4] Align with OIDC Core, CIBA, FAPI --- .../authorization-request-schema.json | 31 ++++++++++++++++++- ...A-authorization-request-object-schema.json | 15 +++++++++ .../authorization-request-schema.json | 31 ++++++++++++++++++- 3 files changed, 75 insertions(+), 2 deletions(-) diff --git a/working/v3.0.0-rc2/authorization-code-flow/authorization-request-schema.json b/working/v3.0.0-rc2/authorization-code-flow/authorization-request-schema.json index ea8de1c..4811f10 100644 --- a/working/v3.0.0-rc2/authorization-code-flow/authorization-request-schema.json +++ b/working/v3.0.0-rc2/authorization-code-flow/authorization-request-schema.json @@ -4,7 +4,7 @@ "$id": "http://apicentre.paymentsnz.co.nz/schemas/authorization-code-request-schema.json", "type": "object", "title": "The schema for the Authorisation Request (OIDC/FAPI compliant) token", - "additionalProperties": false, + "additionalProperties": true, "required": [ "aud", "iss", 
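Review bot: Flipping `"additionalProperties": false` to `true` at the top of the authorization-code request-object schema means a request object carrying any unknown or misspelled claim now validates, so the schema stops catching typos and parameters this security profile has not reviewed; the hybrid-flow hunk later in this commit makes the same change. OIDC Core does require the authorization server to ignore unrecognised request parameters, so if that is the motivation it should be stated in the schema itself, e.g. `"description": "Unrecognised request parameters are accepted and ignored per OIDC Core; the listed parameters are still validated."`; otherwise keep `false` and rely on the OIDC parameters the second hunk enumerates. The commit message ("Align with OIDC Core, CIBA, FAPI") does not say why validation was loosened, and a reviewer cannot tell which of the two was intended. The enclosing root schema object continues past the hunk.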
@@ -157,6 +157,35 @@ "default": 0, "examples": [86400] }, + "display": { + "$id": "#/properties/display", + "type": "string", + "title": "Specify how to display authentication and consent to customer", + "enum": ["page", "popup", "touch", "wap"] + }, + "prompt": { + "$id": "#/properties/prompt", + "type": "string", + "title": "Specify whether the authorisation server should prompt for authentication and consent to customer", + "examples": ["none", "login consent", "consent", "select_account"] + }, + "ui_locales": { + "$id": "#/properties/ui_locales", + "type": "string", + "title": "Specify preferred languages to display authentication and consent to customer", + "examples": ["en-nz", "mi", "en-nz mi"] + }, + "id_token_hint": { + "$id": "/properties/id_token_hint", + "type": "string", + "description": "An ID token that was previously issued to the third party being replayed as a hint to the user identity" + }, + "claims_locales":{ + "$id": "#/properties/claims_locales", + "type": "string", + "title": "Specify preferred languages to return claims to third party", + "examples": ["en-nz", "mi", "en-nz mi"] + }, "claims": { "$id": "#/properties/claims", "type": "object", diff --git a/working/v3.0.0-rc2/ciba-flow/CIBA-authorization-request-object-schema.json b/working/v3.0.0-rc2/ciba-flow/CIBA-authorization-request-object-schema.json index c66cb67..86acff6 100644 --- a/working/v3.0.0-rc2/ciba-flow/CIBA-authorization-request-object-schema.json +++ b/working/v3.0.0-rc2/ciba-flow/CIBA-authorization-request-object-schema.json 
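Review bot: `id_token_hint` is added as a bare `"type": "string"`, while the other JWT-valued fields in this repository (`third_party_token` in the CIBA login-hint schema, `id_token` in the token response) constrain the value with `"pattern": "^[A-Za-z0-9-_]+\\.[A-Za-z0-9-_]+\\.[A-Za-z0-9-_.+/=]*$"`; reuse that pattern here so a malformed hint is rejected by the schema rather than left to the JWT parser. `prompt` carries only `examples`, so nothing stops `none` being combined with `login` even though OIDC Core forbids `none` alongside other values; `"pattern": "^(none|(login|consent|select_account)( (login|consent|select_account))*)$"` encodes the closed set. Minor style: `"claims_locales":{` lacks the space after the colon that every sibling key uses. The hybrid-flow hunk in this commit adds an identical block and needs the same changes; the enclosing `properties` object continues outside the hunk.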
@@ -104,6 +104,21 @@
 "type": "integer",
 "description": "A positive integer allowing the third party to request the expires_in value for auth_req_id the API provider will return",
 "examples": [300]
+ },
+ "binding_message": {
+ "$id": "/properties/binding_message",
+ "type": "string",
+ "description": "A human-readable identifier or message intended to be displayed on both the consumption device and the authentication device to interlock them"
+ },
+ "user_code": {
+ "$id": "/properties/user_code",
+ "type": "string",
+ "description": "A secret code, such as a password or pin, that is known only to the user but verifiable by the authorisation server"
+ },
+ "request_context": {
+ "$id": "/properties/request_context",
+ "type": "object",
+ "description": "A JSON object containing information to inform fraud and threat decisions. See CIBA FAPI."
 }
 }
 }
diff --git a/working/v3.0.0-rc2/hybrid-flow/authorization-request-schema.json b/working/v3.0.0-rc2/hybrid-flow/authorization-request-schema.json
index 4199b8d..ef7b709 100644
--- a/working/v3.0.0-rc2/hybrid-flow/authorization-request-schema.json
+++ b/working/v3.0.0-rc2/hybrid-flow/authorization-request-schema.json
@@ -4,7 +4,7 @@
 "$id": "http://apicentre.paymentsnz.co.nz/schemas/authorization-request-schema.json",
 "type": "object",
 "title": "The schema for the Authorisation Request (OIDC/FAPI compliant) token",
- "additionalProperties": false,
+ "additionalProperties": true,
 "required": [
 "aud",
 "iss",
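Review bot: `binding_message` is free text that the authorisation server renders on the customer's authentication device, yet it has no `maxLength` or `pattern`; CIBA Core says the value SHOULD be relatively short and use a limited set of plain-text characters, and an AS that cannot display it returns `invalid_binding_message`, so a length cap and a character-class pattern (e.g. `"maxLength": 100` — constructed, limit to be agreed — plus a pattern that excludes control characters) belong in the schema rather than in each implementation. `request_context` is declared `"type": "object"` with no `properties` and no `additionalProperties`, so any object passes; if it is meant to be free-form as the description's "See CIBA FAPI" implies, say so explicitly in the description, otherwise list the expected keys. `user_code` is fine as an opaque string, but since its description calls it a secret the description could also say that it is never echoed back in responses. The enclosing `properties` object starts before the hunk.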
@@ -131,6 +131,35 @@ "default": 0, "examples": [86400] }, + "display": { + "$id": "#/properties/display", + "type": "string", + "title": "Specify how to display authentication and consent to customer", + "enum": ["page", "popup", "touch", "wap"] + }, + "prompt": { + "$id": "#/properties/prompt", + "type": "string", + "title": "Specify whether the authorisation server should prompt for authentication and consent to customer", + "examples": ["none", "login consent", "consent", "select_account"] + }, + "ui_locales": { + "$id": "#/properties/ui_locales", + "type": "string", + "title": "Specify preferred languages to display authentication and consent to customer", + "examples": ["en-nz", "mi", "en-nz mi"] + }, + "id_token_hint": { + "$id": "/properties/id_token_hint", + "type": "string", + "description": "An ID token that was previously issued to the third party being replayed as a hint to the user identity" + }, + "claims_locales":{ + "$id": "#/properties/claims_locales", + "type": "string", + "title": "Specify preferred languages to return claims to third party", + "examples": ["en-nz", "mi", "en-nz mi"] + }, "claims": { "$id": "#/properties/claims", "type": "object", From d212ad6a2ca343ddebdef7ab75d9c798ad068aa4 Mon Sep 17 00:00:00 2001 From: NigelSomerfieldPNZ Date: Tue, 19 Sep 2023 14:05:12 +1200 Subject: [PATCH 3/4] Updated id_token $id fields --- .../authorization-code-flow/authorization-request-schema.json | 2 +- .../v3.0.0-rc2/hybrid-flow/authorization-request-schema.json | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/working/v3.0.0-rc2/authorization-code-flow/authorization-request-schema.json b/working/v3.0.0-rc2/authorization-code-flow/authorization-request-schema.json index 4811f10..3045ba0 100644 --- a/working/v3.0.0-rc2/authorization-code-flow/authorization-request-schema.json +++ b/working/v3.0.0-rc2/authorization-code-flow/authorization-request-schema.json 
@@ -176,7 +176,7 @@
 "examples": ["en-nz", "mi", "en-nz mi"]
 },
 "id_token_hint": {
- "$id": "/properties/id_token_hint",
+ "$id": "#/properties/id_token_hint",
 "type": "string",
 "description": "An ID token that was previously issued to the third party being replayed as a hint to the user identity"
 },
diff --git a/working/v3.0.0-rc2/hybrid-flow/authorization-request-schema.json b/working/v3.0.0-rc2/hybrid-flow/authorization-request-schema.json
index ef7b709..606de81 100644
--- a/working/v3.0.0-rc2/hybrid-flow/authorization-request-schema.json
+++ b/working/v3.0.0-rc2/hybrid-flow/authorization-request-schema.json
@@ -150,7 +150,7 @@
 "examples": ["en-nz", "mi", "en-nz mi"]
 },
 "id_token_hint": {
- "$id": "/properties/id_token_hint",
+ "$id": "#/properties/id_token_hint",
 "type": "string",
 "description": "An ID token that was previously issued to the third party being replayed as a hint to the user identity"
 },
From b98f9ecb0e79360baa689d8224e5d84ded5800e8 Mon Sep 17 00:00:00 2001 From: NigelSomerfieldPNZ Date: Tue, 19 Sep 2023 14:12:30 +1200 Subject: [PATCH 4/4] Update schema $id fields with leading # --- .../JARM-response-schema.json | 12 +++++----- .../PAR-response-schema.json | 4 ++-- .../authorization-request-schema.json | 6 ++--- ...A-authorization-request-object-schema.json | 22 ++++++++--------- ...authorization-request-response-schema.json | 6 ++--- .../CIBA-login-hint-token-schema.json | 22 ++++++++--------- .../ciba-flow/ping-callback-schema.json | 2 +- .../token-request-response-schema.json | 10 ++++---- .../authorization-request-schema.json | 6 ++--- .../id-token/id-token-body-schema.json | 24 +++++++++---------- 10 files changed, 57 insertions(+), 57 deletions(-)
diff --git a/working/v3.0.0-rc2/authorization-code-flow/JARM-response-schema.json b/working/v3.0.0-rc2/authorization-code-flow/JARM-response-schema.json
index 21ee4b0..0f47294 100644
--- a/working/v3.0.0-rc2/authorization-code-flow/JARM-response-schema.json
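Review bot: The new `"$id": "#/properties/id_token_hint"` values are JSON-Pointer fragments, which is not what `$id` is for: draft-07 defines `$id` fragments as plain-name anchors, and 2019-09 and later forbid any non-empty fragment, so strict validators warn on or reject them while lenient ones silently ignore them (the file's `$schema` line is outside the hunk, so which applies here is not visible). The old `/properties/...` form was wrong in a different way — it resolved against the root `$id` to an unrelated URI — so the commit trades one non-conforming identifier for another. Unless something `$ref`s these anchors, and nothing visible in the series does, the simplest fix is to delete the per-property `$id` lines; if anchors are wanted, use a plain name such as `"$id": "#id_token_hint"` under draft-07 or `"$anchor": "id_token_hint"` under 2019-09+. The same applies to the hybrid-flow hunk in this commit and to every hunk in the following "Update schema $id fields with leading #" commit.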
+++ b/working/v3.0.0-rc2/authorization-code-flow/JARM-response-schema.json @@ -13,7 +13,7 @@ ], "properties": { "iss": { - "$id": "/properties/iss", + "$id": "#/properties/iss", "type": "string", "format": "uri", "minLength": 1, @@ -21,14 +21,14 @@ "examples": ["https://secure.examplebank.co.nz/token"] }, "code": { - "$id": "/properties/code", + "$id": "#/properties/code", "type": "string", "minLength": 1, "description": "Authorization Code, to be exchanged for Access Token.", "examples": ["AItOawmwtWwcT0k51BayewNvutrJUqsvl6qs7A4"] }, "aud": { - "$id": "/properties/aud", + "$id": "#/properties/aud", "description": "The audience for the token, must contain the Client ID of the third party. May also contain other audiences.", "oneOf": [ { @@ -39,7 +39,7 @@ { "type": "array", "items": { - "$id": "/properties/aud/items", + "$id": "#/properties/aud/items", "type": "string", "minLength": 1 }, @@ -52,13 +52,13 @@ ] }, "exp": { - "$id": "/properties/exp", + "$id": "#/properties/exp", "type": "integer", "description": "Expiration time on or after which the ID Token MUST NOT be accepted for processing.", "examples": [1496397168] }, "state": { - "$id": "/properties/state", + "$id": "#/properties/state", "type": "string", "minLength": 1, "description": "The state value as sent by the client in the authorization request", diff --git a/working/v3.0.0-rc2/authorization-code-flow/PAR-response-schema.json b/working/v3.0.0-rc2/authorization-code-flow/PAR-response-schema.json index 250a455..3fbfab5 100644 --- a/working/v3.0.0-rc2/authorization-code-flow/PAR-response-schema.json +++ b/working/v3.0.0-rc2/authorization-code-flow/PAR-response-schema.json 
@@ -10,14 +10,14 @@
 ],
 "properties": {
 "request_uri": {
- "$id": "/properties/request_uri",
+ "$id": "#/properties/request_uri",
 "type": "string",
 "format": "uri",
 "description": "A unique reference for the request object requiring authorization",
 "examples": ["urn:ietf:params:oauth:request_uri:8qi1b0XAGrV9Ypv1cMyLAS_2AIchvqXx"]
 },
 "expires_in": {
- "$id": "/properties/expires_in",
+ "$id": "#/properties/expires_in",
 "type": "integer",
 "description": "Expiration time on or after which the request_uri MUST NOT be accepted for processing.",
 "examples": [1496397168]
diff --git a/working/v3.0.0-rc2/authorization-code-flow/authorization-request-schema.json b/working/v3.0.0-rc2/authorization-code-flow/authorization-request-schema.json
index 3045ba0..b5b7345 100644
--- a/working/v3.0.0-rc2/authorization-code-flow/authorization-request-schema.json
+++ b/working/v3.0.0-rc2/authorization-code-flow/authorization-request-schema.json
@@ -44,19 +44,19 @@
 ]
 },
 "iat":{
- "$id": "/properties/iat",
+ "$id": "#/properties/iat",
 "type": "integer",
 "description": "Time on which the Request Object was issued. May be used for determining age",
 "examples": [1496397168]
 },
 "exp": {
- "$id": "/properties/exp",
+ "$id": "#/properties/exp",
 "type": "integer",
 "description": "Expiration time on or after which the Request Object MUST NOT be accepted for processing.",
 "examples": [1496397168]
 },
 "nbf": {
- "$id": "/properties/nbf",
+ "$id": "#/properties/nbf",
 "type": "integer",
 "description": "Time before which the Request Object MUST NOT be accepted for processing.",
 "examples": [1496397168]
diff --git a/working/v3.0.0-rc2/ciba-flow/CIBA-authorization-request-object-schema.json b/working/v3.0.0-rc2/ciba-flow/CIBA-authorization-request-object-schema.json
index 86acff6..4884670 100644
--- a/working/v3.0.0-rc2/ciba-flow/CIBA-authorization-request-object-schema.json
+++ b/working/v3.0.0-rc2/ciba-flow/CIBA-authorization-request-object-schema.json
@@ -38,25 +38,25 @@ "pattern": "^(.+)$" }, "exp": { - "$id": "/properties/exp", + "$id": "#/properties/exp", "type": "integer", "description": "Expiration time on or after which the Request Object MUST NOT be accepted for processing.", "examples": [1496397168] }, "iat": { - "$id": "/properties/iat", + "$id": "#/properties/iat", "type": "integer", "description": "Time at which the JWT was issued.", "examples": [1496361168] }, "nbf": { - "$id": "/properties/nbf", + "$id": "#/properties/nbf", "type": "integer", "description": "The time before which the ID Token MUST NOT be accepted for processing.", "examples": [1496397168] }, "jti": { - "$id": "/properties/jti", + "$id": "#/properties/jti", "type": "string", "description": "The unique identifier of the current JWT token", "examples": ["b8fd0a32-5e00-4b73-b3d8-b4af743b26e8"], @@ -72,7 +72,7 @@ "pattern": "^openid([ ].*)*$" }, "ConsentId": { - "$id": "/properties/ConsentId", + "$id": "#/properties/ConsentId", "type": "string", "pattern": "^(.+)$", "description": "The ID of the consent to which this token is related", 
@@ -90,33 +90,33 @@ ] }, "login_hint_token": { - "$id": "/properties/login_hint_token", + "$id": "#/properties/login_hint_token", "type": "string", "description": "A JWT token containing information to be used as a hint to the user identity" }, "id_token_hint": { - "$id": "/properties/id_token_hint", + "$id": "#/properties/id_token_hint", "type": "string", "description": "An ID token that was previously issued to the third party being replayed as a hint to the user identity" }, "requested_expiry": { - "$id": "/properties/requested_expiry", + "$id": "#/properties/requested_expiry", "type": "integer", "description": "A positive integer allowing the third party to request the expires_in value for auth_req_id the API provider will return", "examples": [300] }, "binding_message": { - "$id": "/properties/binding_message", + "$id": "#/properties/binding_message", "type": "string", "description": "A human-readable identifier or message intended to be displayed on both the consumption device and the authentication device to interlock them" }, "user_code": { - "$id": "/properties/user_code", + "$id": "#/properties/user_code", "type": "string", "description": "A secret code, such as a password or pin, that is known only to the user but verifiable by the authorisation server" }, "request_context": { - "$id": "/properties/request_context", + "$id": "#/properties/request_context", "type": "object", "description": "A JSON object containing information to inform fraud and threat decisions. See CIBA FAPI." } diff --git a/working/v3.0.0-rc2/ciba-flow/CIBA-authorization-request-response-schema.json b/working/v3.0.0-rc2/ciba-flow/CIBA-authorization-request-response-schema.json index fd44fc2..542e0be 100644 --- a/working/v3.0.0-rc2/ciba-flow/CIBA-authorization-request-response-schema.json +++ b/working/v3.0.0-rc2/ciba-flow/CIBA-authorization-request-response-schema.json 
@@ -8,7 +8,7 @@
 "required": ["auth_req_id", "expires_in"],
 "properties": {
 "auth_req_id": {
- "$id": "/properties/auth_req_id",
+ "$id": "#/properties/auth_req_id",
 "type": "string",
 "description": "This is a unique identifier for the authentication request made by the CIBA Client (third party)",
 "minLength": 22,
@@ -16,14 +16,14 @@
 "examples": ["1c26_6114-a1be-4252-8ad1-04986c5b.9ac1"]
 },
 "expires_in": {
- "$id": "/properties/expires_in",
+ "$id": "#/properties/expires_in",
 "type": "integer",
 "exclusiveMinimum": 0,
 "description": "A positive integer value in seconds, indicating the expiration time since the authentication request was received",
 "examples": [3600]
 },
 "interval": {
- "$id": "/properties/interval",
+ "$id": "#/properties/interval",
 "type": "integer",
 "minimum": 0,
 "description": "The number of seconds a client MUST wait between polling requests to the token endpoint",
diff --git a/working/v3.0.0-rc2/ciba-flow/CIBA-login-hint-token-schema.json b/working/v3.0.0-rc2/ciba-flow/CIBA-login-hint-token-schema.json
index 65bab91..afb79bf 100644
--- a/working/v3.0.0-rc2/ciba-flow/CIBA-login-hint-token-schema.json
+++ b/working/v3.0.0-rc2/ciba-flow/CIBA-login-hint-token-schema.json
@@ -8,7 +8,7 @@
 "required": ["subject"],
 "properties": {
 "subject": {
- "$id": "/properties/subject",
+ "$id": "#/properties/subject",
 "type": "object",
 "title": "Subject of the token",
 "required": ["subject_type"],
@@ -17,7 +17,7 @@
 "additionalProperties": false,
 "properties": {
 "subject_type": {
- "$id": "/properties/subject/properties/subject_type",
+ "$id": "#/properties/subject/properties/subject_type",
 "type": "string",
 "title": "The type of subject hint",
 "enum": [
@@ -29,33 +29,33 @@ ] }, "phone": { - "$id": "/properties/subject/properties/phone", + "$id": "#/properties/subject/properties/phone", "type": "string", "title": "The phone of the subject identity to authorise", "pattern": "^\\+[0-9]{1,3}\\s?[0-9]{1,14}(\\s[0-9]{1,13})?$", "examples": ["+64 211011221", "+64211011221", "+64 21 1011221"] }, "email": { - "$id": "/properties/subject/properties/email", + "$id": "#/properties/subject/properties/email", "type": "string", "title": "The email of the subject identity to authorise", "format": "email", "examples": ["user@example.com"] }, "username": { - "$id": "/properties/subject/properties/username", + "$id": "#/properties/subject/properties/username", "type": "string", "title": "The username of the subject identity to authorise", "examples": ["user.name", "@handle"] }, "api_provider_token": { - "$id": "/properties/subject/properties/api_provider_token", + "$id": "#/properties/subject/properties/api_provider_token", "type": "string", "title": "A token generated by the customer authentication device", "description": "Uniquely identifies the Customer authentication device and Customer with the API Provider" }, "third_party_token": { - "$id": "/properties/subject/properties/third_party_token", + "$id": "#/properties/subject/properties/third_party_token", "type": "string", "title": "A token generated by the third party and registered with the customer authentication device", "pattern": "^[A-Za-z0-9-_]+\\.[A-Za-z0-9-_]+\\.[A-Za-z0-9-_.+/=]*$" 
@@ -84,19 +84,19 @@ ] }, "iat":{ - "$id": "/properties/iat", + "$id": "#/properties/iat", "type": "integer", "description": "Time on which the login hint token was issued. May be used for determining age", "examples": [1496397168] }, "exp": { - "$id": "/properties/exp", + "$id": "#/properties/exp", "type": "integer", "description": "Expiration time on or after which the login hint token SHOULD NOT be accepted for processing.", "examples": [1496397168] }, "nbf": { - "$id": "/properties/nbf", + "$id": "#/properties/nbf", "type": "integer", "description": "Time before which the login hint token SHOULD NOT be accepted for processing.", "examples": [1496397168] @@ -118,7 +118,7 @@ "examples": ["d92f1393-752e-49c2-8ce3-90abc6b29655"] }, "sub": { - "$id": "/properties/sub", + "$id": "#/properties/sub", "type": "string", "description": "Subject Identifier, optionally to be consumed by the API provider", "examples": ["AItOawmwtWwcT0k51BayewNvutrJUqsvl6qs7A4"] diff --git a/working/v3.0.0-rc2/ciba-flow/ping-callback-schema.json b/working/v3.0.0-rc2/ciba-flow/ping-callback-schema.json index 5ca4d15..7edbbf5 100644 --- a/working/v3.0.0-rc2/ciba-flow/ping-callback-schema.json +++ b/working/v3.0.0-rc2/ciba-flow/ping-callback-schema.json @@ -8,7 +8,7 @@ "required": ["auth_req_id"], "properties": { "auth_req_id": { - "$id": "/properties/auth_req_id", + "$id": "#/properties/auth_req_id", "type": "string", "description": "This is a unique identifier for the authentication request made by the CIBA Client (third party)", "format": "uuid", diff --git a/working/v3.0.0-rc2/ciba-flow/token-request-response-schema.json b/working/v3.0.0-rc2/ciba-flow/token-request-response-schema.json index 83d85c6..f5efc62 100644 --- a/working/v3.0.0-rc2/ciba-flow/token-request-response-schema.json +++ b/working/v3.0.0-rc2/ciba-flow/token-request-response-schema.json 
@@ -8,27 +8,27 @@ "required": ["access_token", "token_type", "expires_in", "id_token"], "properties": { "access_token": { - "$id": "/properties/access_token", + "$id": "#/properties/access_token", "type": "string", "title": "Access token", "description": "The token to be used on subsequent API requests", "examples": ["G5kXH2wHvUra0sHlDy1iTkDJgsgUO1bN"] }, "token_type": { - "$id": "/properties/token_type", + "$id": "#/properties/token_type", "type": "string", "title": "The OAuth 2.0 token type", "enum": ["Bearer", "mac"] }, "refresh_token": { - "$id": "/properties/refresh_token", + "$id": "#/properties/refresh_token", "type": "string", "title": "Refresh token", "description": "The token to be used to refresh the access token", "examples": ["4bwc0ESC_IAhflf-ACC_vjD_ltc11ne-8gFPfA2Kx16"] }, "expires_in": { - "$id": "/properties/expires_in", + "$id": "#/properties/expires_in", "type": "integer", "exclusiveMinimum": 0, "title": "Access token expiry time", @@ -36,7 +36,7 @@ "examples": [3600] }, "id_token": { - "$id": "/properties/id_token", + "$id": "#/properties/id_token", "type": "string", "title": "The ID Token issued to the third party", "pattern": "^[A-Za-z0-9-_]+\\.[A-Za-z0-9-_]+\\.[A-Za-z0-9-_.+/=]*$" diff --git a/working/v3.0.0-rc2/hybrid-flow/authorization-request-schema.json b/working/v3.0.0-rc2/hybrid-flow/authorization-request-schema.json index 606de81..b557000 100644 --- a/working/v3.0.0-rc2/hybrid-flow/authorization-request-schema.json +++ b/working/v3.0.0-rc2/hybrid-flow/authorization-request-schema.json 
@@ -41,19 +41,19 @@
 ]
 },
 "iat":{
- "$id": "/properties/iat",
+ "$id": "#/properties/iat",
 "type": "integer",
 "description": "Time on which the Request Object was issued. May be used for determining age",
 "examples": [1496397168]
 },
 "exp": {
- "$id": "/properties/exp",
+ "$id": "#/properties/exp",
 "type": "integer",
 "description": "Expiration time on or after which the Request Object MUST NOT be accepted for processing.",
 "examples": [1496397168]
 },
 "nbf": {
- "$id": "/properties/nbf",
+ "$id": "#/properties/nbf",
 "type": "integer",
 "description": "Time before which the Request Object MUST NOT be accepted for processing.",
 "examples": [1496397168]
diff --git a/working/v3.0.0-rc2/id-token/id-token-body-schema.json b/working/v3.0.0-rc2/id-token/id-token-body-schema.json
index 137f31c..953df06 100644
--- a/working/v3.0.0-rc2/id-token/id-token-body-schema.json
+++ b/working/v3.0.0-rc2/id-token/id-token-body-schema.json
@@ -17,20 +17,20 @@
 ],
 "properties": {
 "iss": {
- "$id": "/properties/iss",
+ "$id": "#/properties/iss",
 "type": "string",
 "format": "uri",
 "description": "Token issuer - e.g. https://secure.examplebank.co.nz/token",
 "examples": ["https://secure.examplebank.co.nz/token"]
 },
 "sub": {
- "$id": "/properties/sub",
+ "$id": "#/properties/sub",
 "type": "string",
 "description": "Subject Identifier, intended to be consumed by the Client. It must be a locally unique, never reassigned and opaque identifier within the Issuer for the End-User.",
 "examples": ["AItOawmwtWwcT0k51BayewNvutrJUqsvl6qs7A4"]
 },
 "aud": {
- "$id": "/properties/aud",
+ "$id": "#/properties/aud",
 "description": "The audience for the token, must contain the Client ID of the third party. May also contain other audiences.",
 "oneOf": [
 {
@@ -40,7 +40,7 @@
 {
 "type": "array",
 "items": {
- "$id": "/properties/aud/items",
+ "$id": "#/properties/aud/items",
 "type": "string"
 },
 "description": "Audience(s) that this ID Token is intended for. It MUST contain the OAuth 2.0 client_id of the Relying Party as an audience value.",
@@ -52,49 +52,49 @@ ] }, "ConsentId": { - "$id": "/properties/ConsentId", + "$id": "#/properties/ConsentId", "type": "string", "pattern": "^(.+)$", "description": "The ID of the consent to which this token is related", "examples": ["20353a34-8be1-4c76-a0ae-4b8c1bbf9ec6"] }, "exp": { - "$id": "/properties/exp", + "$id": "#/properties/exp", "type": "integer", "description": "Expiration time on or after which the ID Token MUST NOT be accepted for processing.", "examples": [1496397168] }, "iat": { - "$id": "/properties/iat", + "$id": "#/properties/iat", "type": "integer", "description": "Time at which the JWT was issued.", "examples": [1496361168] }, "nonce": { - "$id": "/properties/nonce", + "$id": "#/properties/nonce", "type": "string", "description": "String value used to associate a Client session with an ID Token, and to mitigate replay attacks. The value is passed through unmodified from the Authentication Request to the ID Token as the nonce claim. Clients MUST verify that the nonce claim value is equal to the value of the nonce parameter sent in the Authentication Request.", "examples": ["n-0S6_WzA2Mj"] }, "amr": { - "$id": "/properties/amr", + "$id": "#/properties/amr", "type": "array", "items": { - "$id": "/properties/amr/items", + "$id": "#/properties/amr/items", "type": "string" }, "description": "Authentication Methods References.", "examples": ["pwd"] }, "azp": { - "$id": "/properties/azp", + "$id": "#/properties/azp", "type": "string", "pattern": "^(.+)$", "description": "Authorised party to which the token is issued. This is the the third party, rather than the customer", "examples": ["20353a34-8be1-4c76-a0ae-4b8c1bbf9ec6"] }, "auth_time": { - "$id": "/properties/auth_time", + "$id": "#/properties/auth_time", "type": "integer", "description": "Time when the End-User authentication occurred.", "examples": [1496361168]