PaymentsNZ · NigelSomerfieldPNZ · Jan 30, 2024 · Jan 12, 2023 · Feb 9, 2023 · Feb 21, 2023
diff --git a/dist/v3.0.0/README.md b/dist/v3.0.0/README.md
@@ -0,0 +1,13 @@
+# V3.0.0 schemas
+
+This folder contains schemas for the V3.0.0 security profile. This includes:
+
+- Client authentication [schema](./client-authentication/jwt-bearer-auth-schema.json) (for use with `private_key_jwt`)
+- Authorization Code Flow request [schema](./authorization-code-flow/authorization-request-schema.json) for Pushed Authorization Requests with PKCE, PAR response [schema](./authorization-code-flow/PAR-response-schema.json) and JARM response [schema](./authorization-code-flow/JARM-response-schema.json)
+- Hybrid flow authorization request [schema](./hybrid-flow/authorization-request-schema.json)
+- CIBA decoupled flow relevant [schemas](./ciba-flow/README.md)
+- ID token [schema](./id-token/id-token-body-schema.json)
+- Generic JWS header [schema](./common/JOSE-header-schema.json)
+- Authorisation Server Metadata [schema](authorization-server-metadata/metadata-schema.json)
+
+These are assistive in nature, and supplementary to the Security Profile documentation. It is highly recommended to follow that documentation first.
diff --git a/dist/v3.0.0/authorization-code-flow/JARM-response-schema.json b/dist/v3.0.0/authorization-code-flow/JARM-response-schema.json
@@ -0,0 +1,63 @@
+{
+    "title": "Version 1 of JARM response payload",
+    "$id": "http://apicentre.paymentsnz.co.nz/schemas/jarm-response-schema.json",
+    "type": "object",
+    "$schema": "http://json-schema.org/draft-07/schema#",
+    "additionalProperties": false,
+    "required": [
+      "iss",
+      "code",
+      "aud",
+      "exp",
+      "state"
+    ],
+    "properties": {
+      "iss": {
+        "type": "string",
+        "format": "uri",
+        "minLength": 1,
+        "description": "Token issuer - e.g. https://secure.examplebank.co.nz/token",
+        "examples": ["https://secure.examplebank.co.nz/token"]
+      },
+      "code": {
+        "type": "string",
+        "minLength": 1,
+        "description": "Authorization Code, to be exchanged for Access Token.",
+        "examples": ["AItOawmwtWwcT0k51BayewNvutrJUqsvl6qs7A4"]
+      },
+      "aud": {
+        "description": "The audience for the token, must contain the Client ID of the third party.  May also contain other audiences.",
+        "oneOf": [
+          {
+            "type": "string",
+            "minLength": 1,
+            "examples": ["third_party_client_id", "sadUTdfTANIhditInecaqwEZdsUL"]
+          },
+          {
+            "type": "array",
+            "items": {
+              "type": "string",
+              "minLength": 1
+            },
+            "description": "Audience(s) that this ID Token is intended for. It MUST contain the OAuth 2.0 client_id of the Relying Party as an audience value.",
+            "examples": [
+              "third_party_client_id",
+              "ERVWyYqQM6AstKLmpuQdTiK8or02pe1i"
+            ]
+          }
+        ]
+      },
+      "exp": {
+        "type": "integer",
+        "description": "Expiration time on or after which the ID Token MUST NOT be accepted for processing.",
+        "examples": [1496397168]
+      },
+      "state": {
+        "type": "string",
+        "minLength": 1,
+        "description": "The state value as sent by the client in the authorization request",
+        "examples": ["sadrewvdHASDTAW"]
+      }
+    }
+  }
+
diff --git a/dist/v3.0.0/authorization-code-flow/PAR-response-schema.json b/dist/v3.0.0/authorization-code-flow/PAR-response-schema.json
@@ -0,0 +1,25 @@
+{
+    "title": "Version 1 of PAR response payload",
+    "$id": "http://apicentre.paymentsnz.co.nz/schemas/par-response-schema.json",
+    "type": "object",
+    "$schema": "http://json-schema.org/draft-07/schema#",
+    "additionalProperties": false,
+    "required": [
+      "request_uri",
+      "expires_in"
+    ],
+    "properties": {
+      "request_uri": {
+        "type": "string",
+        "format": "uri",
+        "description": "A unique reference for the request object requiring authorization",
+        "examples": ["urn:ietf:params:oauth:request_uri:8qi1b0XAGrV9Ypv1cMyLAS_2AIchvqXx"]
+      },
+      "expires_in": {
+        "type": "integer",
+        "description": "Expiration time on or after which the request_uri MUST NOT be accepted for processing.",
+        "examples": [1496397168]
+      }
+    }
+  }
+
diff --git a/dist/v3.0.0/authorization-code-flow/authorization-request-schema.json b/dist/v3.0.0/authorization-code-flow/authorization-request-schema.json
@@ -0,0 +1,205 @@
+{
+  "definitions": {},
+  "$schema": "http://json-schema.org/draft-07/schema#",
+  "$id": "http://apicentre.paymentsnz.co.nz/schemas/authorization-code-request-schema.json",
+  "type": "object",
+  "title": "The schema for the Authorisation Request (OIDC/FAPI compliant) token",
+  "additionalProperties": true,
+  "required": [
+    "aud",
+    "iss",
+    "response_type",
+    "response_mode",
+    "client_id",
+    "redirect_uri",
+    "scope",
+    "state",
+    "nonce",
+    "claims",
+    "exp",
+    "nbf",
+    "code_challenge",
+    "code_challenge_method"
+  ],
+  "properties": {
+    "aud": {
+      "title": "The audiences for the token",
+      "description": "The value should be or include the API Provider Issuer Identifier URL",
+      "oneOf": [
+        {
+          "type": "string",
+          "examples": ["https://api.alphanbank.com"],
+          "format": "uri"
+        },
+        {
+          "type": "array",
+          "items": {
+            "type": "string",
+            "pattern": "^(.+)$"
+          },
+          "examples": ["https://api.alphanbank.com"]
+        }
+      ]
+    },
+    "iat":{
+      "type": "integer",
+      "description": "Time on which the Request Object was issued. May be used for determining age",
+      "examples": [1496397168]
+    },
+    "exp": {
+      "type": "integer",
+      "description": "Expiration time on or after which the Request Object MUST NOT be accepted for processing.",
+      "examples": [1496397168]
+    },
+    "nbf": {
+      "type": "integer",
+      "description": "Time before which the Request Object MUST NOT be accepted for processing.",
+      "examples": [1496397168]
+    },
+    "iss": {
+      "type": "string",
+      "title": "The Issuer of the token",
+      "description": "The value should be the client ID of the third party, unless signed by a different party",
+      "default": "",
+      "examples": ["s6BhdRkqt3"],
+      "pattern": "^(.+)$"
+    },
+    "jti": {
+      "type": "string",
+      "title": "The unique identifier of the token",
+      "description": "Used for determining token uniqueness. The value should be have sufficient entropy to make likelihood of collisions negligible.",
+      "examples": ["d92f1393-752e-49c2-8ce3-90abc6b29655"]
+    },
+    "response_type": {
+      "type": "string",
+      "title": "The type of the response token",
+      "default": "code",
+      "examples": ["code"],
+      "enum": ["code"]
+    },
+    "response_mode": {
+      "type": "string",
+      "title": "The mode used to deliver the response token",
+      "default": "jwt",
+      "examples": ["jwt"],
+      "enum": ["jwt"]
+    },
+    "client_id": {
+      "type": "string",
+      "title": "The ID of the third-party client",
+      "default": "",
+      "examples": ["s6BhdRkqt3"],
+      "pattern": "^(.+)$"
+    },
+    "redirect_uri": {
+      "type": "string",
+      "title": "The URI to which to redirect the customer User Agent after authorization",
+      "default": "",
+      "examples": ["https://api.mytpp.com/cb"],
+      "format": "uri"
+    },
+    "code_challenge": {
+      "type": "string",
+      "title": "The PKCE code challenge value",
+      "examples": ["roXsvRC1K-5WAYWLWsqQJpXTR8NznFgysjjqKhqhSO4"],
+      "pattern": "^[a-zA-Z0-9\\-_]*$"
+    },
+    "code_challenge_method": {
+      "type": "string",
+      "title": "The mode used to deliver the response token",
+      "examples": ["S256"],
+      "default": "S256",
+      "enum": ["S256"]
+    },
+    "scope": {
+      "type": "string",
+      "title": "The OAuth scopes requested",
+      "description": "Must include 'openid' and any other scopes required",
+      "default": "openid",
+      "examples": ["openid payments"],
+      "pattern": "^openid([ ].*)*$"
+    },
+    "state": {
+      "type": "string",
+      "title": "The third-party specific state",
+      "description": "Opaque to API provider",
+      "default": "",
+      "examples": ["af0ifjsldkj"],
+      "pattern": "^(.+)$"
+    },
+    "nonce": {
+      "type": "string",
+      "title": "Third party nonce to avoid replay",
+      "default": "",
+      "examples": ["n-0S6_WzA2Mj"],
+      "pattern": "^(.+)$"
+    },
+    "max_age": {
+      "type": "integer",
+      "title": "Third-party specified maximum authentication age",
+      "default": 0,
+      "examples": [86400]
+    },
+    "display": {
+      "type": "string",
+      "title": "Specify how to display authentication and consent to customer",
+      "enum": ["page", "popup", "touch", "wap"]
+    },
+    "prompt": {
+      "type": "string",
+      "title": "Specify whether the authorisation server should prompt for authentication and consent to customer",
+      "examples": ["none", "login consent", "consent", "select_account"]
+    },
+    "ui_locales": {
+      "type": "string",
+      "title": "Specify preferred languages to display authentication and consent to customer",
+      "examples": ["en-nz", "mi", "en-nz mi"]
+    },
+    "id_token_hint": {
+      "type": "string",
+      "description": "An ID token that was previously issued to the third party being replayed as a hint to the user identity"
+    },
+    "claims_locales":{
+      "type": "string",
+      "title": "Specify preferred languages to return claims to third party",
+      "examples": ["en-nz", "mi", "en-nz mi"]
+    },
+    "claims": {
+      "type": "object",
+      "title": "Claims object that holds the id_token request",
+      "additionalProperties": true,
+      "required": ["id_token"],
+      "properties": {
+        "id_token": {
+          "type": "object",
+          "title": "The ID token request claims",
+          "additionalProperties": true,
+          "required": ["ConsentId"],
+          "properties": {
+            "ConsentId": {
+              "type": "object",
+              "title": "The Consent ID object",
+              "additionalProperties": false,
+              "required": ["value", "essential"],
+              "properties": {
+                "value": {
+                  "type": "string",
+                  "title": "The value of Consent ID",
+                  "default": "",
+                  "examples": ["urn-alphabank-intent-58923"],
+                  "pattern": "^(.+)$"
+                },
+                "essential": {
+                  "type": "boolean",
+                  "title": "Essential claim identifier",
+                  "default": false,
+                  "examples": [true]
+                }
+              }
+            }
+          }
+        }
+      }
+    }
+  }
+}
diff --git a/dist/v3.0.0/authorization-server-metadata/README.md b/dist/v3.0.0/authorization-server-metadata/README.md
@@ -0,0 +1,9 @@
+# PNZ Authorisation Server Metadata
+
+## Schema
+
+The [schema](metadata-schema.json) may be used to validate authorisation server metadata.  For example:
+
+- `npx ajv validate -c ajv-formats -s .\metadata-schema.json -d .\example.json`
+
+This validates the indicated `example.json`.