diff --git a/working/v3.0.0-draft2/README.md b/working/v3.0.0-draft2/README.md
new file mode 100644
index 0000000..3349c35
--- /dev/null
+++ b/working/v3.0.0-draft2/README.md
@@ -0,0 +1,22 @@
+# V3.0.0-draft2 schemas
+
+This folder contains schemas for the V3.0.0 security profile. This includes:
+
+- Client authentication [schema](./client-authentication/jwt-bearer-auth-schema.json) (for use with `private_key_jwt`)
+- Authorization Code Flow request [schema](./authorization-code-flow/authorization-request-schema.json) for Pushed Authorization Requests with PKCE, PAR response [schema](./authorization-code-flow/PAR-response-schema.json) and JARM response [schema](./authorization-code-flow/JARM-response-schema.json)
+- Hybrid flow authorization request [schema](./hybrid-flow/authorization-request-schema.json)
+- CIBA decoupled flow relevant [schemas](./ciba-flow/README.md)
+- ID token [schema](./id-token/id-token-body-schema.json)
+- Generic JWS header [schema](./common/JOSE-header-schema.json)
+
+These are assistive in nature, and supplementary to the Security Profile documentation. It is highly recommended to follow that documentation first.
+
+## Testing schema validation
+
+One method of validating test data with JSON schemas is to use `ajv`, via:
+
+```bash
+npx ajv-cli --strict=false -s .\schema.json -d .\data.json
+```
+
+__Note:__ the `--strict=false` is a `ajv` workaround for "format": "uri", which is valid JSON schema in draft-07, but not recognised by `ajv`
diff --git a/working/v3.0.0-draft2/authorization-code-flow/JARM-response-schema.json b/working/v3.0.0-draft2/authorization-code-flow/JARM-response-schema.json
new file mode 100644
index 0000000..55a8038
--- /dev/null
+++ b/working/v3.0.0-draft2/authorization-code-flow/JARM-response-schema.json
@@ -0,0 +1,78 @@ +{ + "title": "Version 1 of JARM response payload", + "$id": "http://apicentre.paymentsnz.co.nz/schemas/jarm-response-schema.json", + "type": "object", + "$schema": "http://json-schema.org/draft-07/schema#", + "additionalProperties": false, + "required": [ + "iss", + "code", + "aud", + "exp", + "state", + "ConsentId" + ], + "properties": { + "iss": { + "$id": "/properties/iss", + "type": "string", + "format": "uri", + "minLength": 1, + "description": "Token issuer - e.g. https://secure.examplebank.co.nz/token", + "examples": ["https://secure.examplebank.co.nz/token"] + }, + "code": { + "$id": "/properties/code", + "type": "string", + "minLength": 1, + "description": "Authorization Code, to be exchanged for Access Token.", + "examples": ["AItOawmwtWwcT0k51BayewNvutrJUqsvl6qs7A4"] + }, + "aud": { + "$id": "/properties/aud", + "description": "The audience for the token, must contain the Client ID of the third party. May also contain other audiences.", + "oneOf": [ + { + "type": "string", + "minLength": 1, + "examples": ["third_party_client_id", "sadUTdfTANIhditInecaqwEZdsUL"] + }, + { + "type": "array", + "items": { + "$id": "/properties/aud/items", + "type": "string", + "minLength": 1 + }, + "description": "Audience(s) that this ID Token is intended for. 
It MUST contain the OAuth 2.0 client_id of the Relying Party as an audience value.", + "examples": [ + "third_party_client_id", + "ERVWyYqQM6AstKLmpuQdTiK8or02pe1i" + ] + } + ] + }, + "ConsentId": { + "$id": "/properties/ConsentId", + "type": "string", + "pattern": "^(.+)$", + "minLength": 1, + "description": "The ID of the consent to which this token is related", + "examples": ["20353a34-8be1-4c76-a0ae-4b8c1bbf9ec6"] + }, + "exp": { + "$id": "/properties/exp", + "type": "integer", + "description": "Expiration time on or after which the ID Token MUST NOT be accepted for processing.", + "examples": [1496397168] + }, + "state": { + "$id": "/properties/state", + "type": "string", + "minLength": 1, + "description": "The state value as sent by the client in the authorization request", + "examples": ["sadrewvdHASDTAW"] + } + } + } + \ No newline at end of file diff --git a/working/v3.0.0-draft2/authorization-code-flow/PAR-response-schema.json b/working/v3.0.0-draft2/authorization-code-flow/PAR-response-schema.json new file mode 100644 index 0000000..250a455 --- /dev/null +++ b/working/v3.0.0-draft2/authorization-code-flow/PAR-response-schema.json 
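Review bot: The array form of `aud` accepts an empty list, so a JARM response carrying `"aud": []` validates even though the description requires the client ID to be present; add `"minItems": 1` (and `"uniqueItems": true`) beside `"items"` in the second `oneOf` branch. The `examples` under that branch are bare strings, which is the shape of the string branch rather than an array instance; `"examples": [["third_party_client_id", "ERVWyYqQM6AstKLmpuQdTiK8or02pe1i"]]` would illustrate the array case. The same `aud` structure is repeated in the id-token-body-schema.json hunk.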
@@ -0,0 +1,27 @@
+{
+ "title": "Version 1 of PAR response payload",
+ "$id": "http://apicentre.paymentsnz.co.nz/schemas/par-response-schema.json",
+ "type": "object",
+ "$schema": "http://json-schema.org/draft-07/schema#",
+ "additionalProperties": false,
+ "required": [
+ "request_uri",
+ "expires_in"
+ ],
+ "properties": {
+ "request_uri": {
+ "$id": "/properties/request_uri",
+ "type": "string",
+ "format": "uri",
+ "description": "A unique reference for the request object requiring authorization",
+ "examples": ["urn:ietf:params:oauth:request_uri:8qi1b0XAGrV9Ypv1cMyLAS_2AIchvqXx"]
+ },
+ "expires_in": {
+ "$id": "/properties/expires_in",
+ "type": "integer",
+ "description": "Expiration time on or after which the request_uri MUST NOT be accepted for processing.",
+ "examples": [1496397168]
+ }
+ }
+ }
+
\ No newline at end of file
diff --git a/working/v3.0.0-draft2/authorization-code-flow/authorization-request-schema.json b/working/v3.0.0-draft2/authorization-code-flow/authorization-request-schema.json
new file mode 100644
index 0000000..ea8de1c
--- /dev/null
+++ b/working/v3.0.0-draft2/authorization-code-flow/authorization-request-schema.json
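Review bot: `expires_in` is described as an absolute expiration time and its example is an epoch timestamp, but in a PAR response `expires_in` is a lifetime in seconds, which is how the CIBA-authorization-request-response-schema.json hunk models the same field; change the description to `"Lifetime in seconds of the request_uri, after which it MUST NOT be accepted"`, the example to `[60]`, and add `"exclusiveMinimum": 0,` for consistency with that schema. `request_uri` is only checked with `"format": "uri"`, which the README in this commit says ajv does not recognise in draft-07, so today the field is effectively unvalidated; a `"minLength": 1` and a `"pattern": "^urn:ietf:params:oauth:request_uri:.+$"` would pin the form the example shows, if the profile mandates that namespace.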
@@ -0,0 +1,203 @@ +{ + "definitions": {}, + "$schema": "http://json-schema.org/draft-07/schema#", + "$id": "http://apicentre.paymentsnz.co.nz/schemas/authorization-code-request-schema.json", + "type": "object", + "title": "The schema for the Authorisation Request (OIDC/FAPI compliant) token", + "additionalProperties": false, + "required": [ + "aud", + "iss", + "response_type", + "response_mode", + "client_id", + "redirect_uri", + "scope", + "state", + "nonce", + "claims", + "exp", + "nbf", + "code_challenge", + "code_challenge_method" + ], + "properties": { + "aud": { + "$id": "#/properties/aud", + "title": "The audiences for the token", + "description": "The value should be or include the API Provider Issuer Identifier URL", + "oneOf": [ + { + "type": "string", + "examples": ["https://api.alphanbank.com"], + "format": "uri" + }, + { + "type": "array", + "$id": "#/properties/aud/items", + "items": { + "type": "string", + "pattern": "^(.+)$" + }, + "examples": ["https://api.alphanbank.com"] + } + ] + }, + "iat":{ + "$id": "/properties/iat", + "type": "integer", + "description": "Time on which the Request Object was issued. 
May be used for determining age", + "examples": [1496397168] + }, + "exp": { + "$id": "/properties/exp", + "type": "integer", + "description": "Expiration time on or after which the Request Object MUST NOT be accepted for processing.", + "examples": [1496397168] + }, + "nbf": { + "$id": "/properties/nbf", + "type": "integer", + "description": "Time before which the Request Object MUST NOT be accepted for processing.", + "examples": [1496397168] + }, + "iss": { + "$id": "#/properties/iss", + "type": "string", + "title": "The Issuer of the token", + "description": "The value should be the client ID of the third party, unless signed by a different party", + "default": "", + "examples": ["s6BhdRkqt3"], + "pattern": "^(.+)$" + }, + "jti": { + "$id": "#/properties/jti", + "type": "string", + "title": "The unique identifier of the token", + "description": "Used for determining token uniqueness. The value should be have sufficient entropy to make likelihood of collisions negligible.", + "examples": ["d92f1393-752e-49c2-8ce3-90abc6b29655"] + }, + "response_type": { + "$id": "#/properties/response_type", + "type": "string", + "title": "The type of the response token", + "default": "code", + "examples": ["code"], + "enum": ["code"] + }, + "response_mode": { + "$id": "#/properties/response_mode", + "type": "string", + "title": "The mode used to deliver the response token", + "default": "jwt", + "examples": ["jwt"], + "enum": ["jwt"] + }, + "client_id": { + "$id": "#/properties/client_id", + "type": "string", + "title": "The ID of the third-party client", + "default": "", + "examples": ["s6BhdRkqt3"], + "pattern": "^(.+)$" + }, + "redirect_uri": { + "$id": "#/properties/redirect_uri", + "type": "string", + "title": "The URI to which to redirect the customer User Agent after authorization", + "default": "", + "examples": ["https://api.mytpp.com/cb"], + "format": "uri" + }, + "code_challenge": { + "$id": "#/properties/code_challenge", + "type": "string", + "title": "The PKCE code 
challenge value", + "examples": ["roXsvRC1K-5WAYWLWsqQJpXTR8NznFgysjjqKhqhSO4"], + "pattern": "^[a-zA-Z0-9\\-_]*$" + }, + "code_challenge_method": { + "$id": "#/properties/code_challenge_method", + "type": "string", + "title": "The mode used to deliver the response token", + "examples": ["S256"], + "default": "S256", + "enum": ["S256"] + }, + "scope": { + "$id": "#/properties/scope", + "type": "string", + "title": "The OAuth scopes requested", + "description": "Must include 'openid' and any other scopes required", + "default": "openid", + "examples": ["openid payments"], + "pattern": "^openid([ ].*)*$" + }, + "state": { + "$id": "#/properties/state", + "type": "string", + "title": "The third-party specific state", + "description": "Opaque to API provider", + "default": "", + "examples": ["af0ifjsldkj"], + "pattern": "^(.+)$" + }, + "nonce": { + "$id": "#/properties/nonce", + "type": "string", + "title": "Third party nonce to avoid replay", + "default": "", + "examples": ["n-0S6_WzA2Mj"], + "pattern": "^(.+)$" + }, + "max_age": { + "$id": "#/properties/max_age", + "type": "integer", + "title": "Third-party specified maximum authentication age", + "default": 0, + "examples": [86400] + }, + "claims": { + "$id": "#/properties/claims", + "type": "object", + "title": "Claims object that holds the id_token request", + "additionalProperties": true, + "required": ["id_token"], + "properties": { + "id_token": { + "$id": "#/properties/claims/properties/id_token", + "type": "object", + "title": "The ID token request claims", + "additionalProperties": true, + "required": ["ConsentId"], + "properties": { + "ConsentId": { + "$id": "#/properties/claims/properties/id_token/properties/ConsentId", + "type": "object", + "title": "The Consent ID object", + "additionalProperties": false, + "required": ["value", "essential"], + "properties": { + "value": { + "$id": "#/properties/claims/properties/id_token/properties/ConsentId/properties/value", + "type": "string", + "title": "The value 
of Consent ID", + "default": "", + "examples": ["urn-alphabank-intent-58923"], + "pattern": "^(.+)$" + }, + "essential": { + "$id": "#/properties/claims/properties/id_token/properties/ConsentId/properties/essential", + "type": "boolean", + "title": "Essential claim identifier", + "default": false, + "examples": [true] + } + } + } + } + } + } + } + } +} diff --git a/working/v3.0.0-draft2/ciba-flow/CIBA-authorization-request-object-schema.json b/working/v3.0.0-draft2/ciba-flow/CIBA-authorization-request-object-schema.json new file mode 100644 index 0000000..c66cb67 --- /dev/null +++ b/working/v3.0.0-draft2/ciba-flow/CIBA-authorization-request-object-schema.json 
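Review bot: `code_challenge` is validated with `"pattern": "^[a-zA-Z0-9\\-_]*$"`, whose `*` accepts an empty challenge and places no bound on length, while PKCE (RFC 7636) fixes the challenge at 43 to 128 characters; add `"minLength": 43,` and `"maxLength": 128,` next to the pattern so a trivially short challenge is rejected at schema level. The `title` of `code_challenge_method` reads `"The mode used to deliver the response token"`, copied from `response_mode`; it should be `"The PKCE code challenge transformation method"`. In the array branch of `aud`, `examples` lists bare strings rather than an array instance, the `iat` description `"Time on which the Request Object was issued"` should read `"Time at which"`, and the `jti` description `"should be have sufficient entropy"` drops a word; the same three issues recur in the hybrid-flow/authorization-request-schema.json hunk.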
@@ -0,0 +1,109 @@ +{ + "definitions": {}, + "$schema": "http://json-schema.org/draft-07/schema#", + "$id": "http://apicentre.paymentsnz.co.nz/schemas/CIBA-authorization-request-object-schema.json", + "type": "object", + "title": "The schema for the CIBA request object (OIDC/FAPI compliant)", + "additionalProperties": false, + "required": ["aud", "iss", "exp", "iat", "nbf", "jti", "scope", "ConsentId"], + "properties": { + "aud": { + "$id": "#/properties/aud", + "title": "The audiences for the token", + "description": "The value should be or include the client ID of the third party", + "oneOf": [ + { + "type": "string", + "examples": ["https://api.alphanbank.com"], + "format": "uri" + }, + { + "type": "array", + "$id": "#/properties/aud/items", + "items": { + "type": "string", + "pattern": "^(.+)$" + }, + "examples": ["https://api.alphanbank.com"] + } + ] + }, + "iss": { + "$id": "#/properties/iss", + "type": "string", + "title": "The Issuer of the token", + "description": "The value should be the client ID of the third party, unless signed by a different party", + "default": "", + "examples": ["s6BhdRkqt3"], + "pattern": "^(.+)$" + }, + "exp": { + "$id": "/properties/exp", + "type": "integer", + "description": "Expiration time on or after which the Request Object MUST NOT be accepted for processing.", + "examples": [1496397168] + }, + "iat": { + "$id": "/properties/iat", + "type": "integer", + "description": "Time at which the JWT was issued.", + "examples": [1496361168] + }, + "nbf": { + "$id": "/properties/nbf", + "type": "integer", + "description": "The time before which the ID Token MUST NOT be accepted for processing.", + "examples": [1496397168] + }, + "jti": { + "$id": "/properties/jti", + "type": "string", + "description": "The unique identifier of the current JWT token", + "examples": ["b8fd0a32-5e00-4b73-b3d8-b4af743b26e8"], + "pattern": "^(.+)$" + }, + "scope": { + "$id": "#/properties/scope", + "type": "string", + "title": "The OAuth scopes requested", 
+ "description": "Must include 'openid' and any other scopes required", + "default": "openid", + "examples": ["openid payments"], + "pattern": "^openid([ ].*)*$" + }, + "ConsentId": { + "$id": "/properties/ConsentId", + "type": "string", + "pattern": "^(.+)$", + "description": "The ID of the consent to which this token is related", + "examples": ["20353a34-8be1-4c76-a0ae-4b8c1bbf9ec6"] + }, + "client_notification_token": { + "$id": "#/properties/client_notification_token", + "type": "string", + "title": "The bearer token for third party ping callback", + "description": "The API provider must use this to authenticate to the third party for a ping notification", + "maxLength": 1024, + "pattern": "^[A-Za-z0-9\\-\\._~\\+\\/]+=*$", + "examples": [ + "dGhpc2lzYXRlc3RzdHJpbmd1c2Vkb3RnZW5lcmF0ZWFiYXNlNjR0cmluZw==" + ] + }, + "login_hint_token": { + "$id": "/properties/login_hint_token", + "type": "string", + "description": "A JWT token containing information to be used as a hint to the user identity" + }, + "id_token_hint": { + "$id": "/properties/id_token_hint", + "type": "string", + "description": "An ID token that was previously issued to the third party being replayed as a hint to the user identity" + }, + "requested_expiry": { + "$id": "/properties/requested_expiry", + "type": "integer", + "description": "A positive integer allowing the third party to request the expires_in value for auth_req_id the API provider will return", + "examples": [300] + } + } +} diff --git a/working/v3.0.0-draft2/ciba-flow/CIBA-authorization-request-response-schema.json b/working/v3.0.0-draft2/ciba-flow/CIBA-authorization-request-response-schema.json new file mode 100644 index 0000000..fd44fc2 --- /dev/null +++ b/working/v3.0.0-draft2/ciba-flow/CIBA-authorization-request-response-schema.json 
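Review bot: The `aud` description says the value `"should be or include the client ID of the third party"`, but its example is the provider URL `https://api.alphanbank.com` with `"format": "uri"`, and the two authorization-request schemas in this commit describe the same claim as the API Provider Issuer Identifier URL; a signed request object sent to the provider is addressed to the provider, so the description should match the others: `"The value should be or include the API Provider Issuer Identifier URL"`. Nothing constrains the identity hints: `login_hint_token` and `id_token_hint` are both optional, so a request with neither or with both validates, whereas CIBA requires exactly one hint; a top-level `"oneOf": [{ "required": ["login_hint_token"] }, { "required": ["id_token_hint"] }]` would encode that rule. `requested_expiry` is documented as a positive integer but has no lower bound; add `"exclusiveMinimum": 0,` as the CIBA response schema does for `expires_in`.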
@@ -0,0 +1,33 @@
+{
+ "definitions": {},
+ "$schema": "http://json-schema.org/draft-07/schema#",
+ "$id": "http://apicentre.paymentsnz.co.nz/schemas/CIBA-authorization-request-response-schema.json",
+ "type": "object",
+ "title": "The schema for the CIBA request response object (OIDC/FAPI compliant)",
+ "additionalProperties": false,
+ "required": ["auth_req_id", "expires_in"],
+ "properties": {
+ "auth_req_id": {
+ "$id": "/properties/auth_req_id",
+ "type": "string",
+ "description": "This is a unique identifier for the authentication request made by the CIBA Client (third party)",
+ "minLength": 22,
+ "pattern": "^[a-zA-Z0-9.\\-_]{22,}$",
+ "examples": ["1c26_6114-a1be-4252-8ad1-04986c5b.9ac1"]
+ },
+ "expires_in": {
+ "$id": "/properties/expires_in",
+ "type": "integer",
+ "exclusiveMinimum": 0,
+ "description": "A positive integer value in seconds, indicating the expiration time since the authentication request was received",
+ "examples": [3600]
+ },
+ "interval": {
+ "$id": "/properties/interval",
+ "type": "integer",
+ "minimum": 0,
+ "description": "The number of seconds a client MUST wait between polling requests to the token endpoint",
+ "examples": [10]
+ }
+ }
+}
diff --git a/working/v3.0.0-draft2/ciba-flow/CIBA-login-hint-token-schema.json b/working/v3.0.0-draft2/ciba-flow/CIBA-login-hint-token-schema.json
new file mode 100644
index 0000000..5beb014
--- /dev/null
+++ b/working/v3.0.0-draft2/ciba-flow/CIBA-login-hint-token-schema.json
@@ -0,0 +1,64 @@ +{ + "definitions": {}, + "$schema": "http://json-schema.org/draft-07/schema#", + "$id": "http://apicentre.paymentsnz.co.nz/schemas/CIBA-login-hint-schema.json", + "type": "object", + "title": "The schema for the CIBA request object login_hint_token", + "additionalProperties": false, + "required": ["subject"], + "properties": { + "subject": { + "$id": "/properties/subject", + "type": "object", + "title": "Subject of the token", + "required": ["subject_type"], + "maxProperties": 2, + "minProperties": 2, + "properties": { + "subject_type": { + "$id": "/properties/subject/properties/subject_type", + "type": "string", + "title": "The type of subject hint", + "enum": [ + "phone", + "email", + "username", + "api_provider_token", + "third_party_token" + ] + }, + "phone": { + "$id": "/properties/subject/properties/phone", + "type": "string", + "title": "The phone of the subject identity to authorise", + "examples": ["+64-21-101-1221"] + }, + "email": { + "$id": "/properties/subject/properties/email", + "type": "string", + "title": "The email of the subject identity to authorise", + "format": "email", + "examples": ["user@example.com"] + }, + "username": { + "$id": "/properties/subject/properties/username", + "type": "string", + "title": "The username of the subject identity to authorise", + "examples": ["user.name", "@handle"] + }, + "api_provider_token": { + "$id": "/properties/subject/properties/api_provider_token", + "type": "string", + "title": "A token generated by the customer authentication device", + "description": "Uniquely identifies the Customer authentication device and Customer with the API Provider" + }, + "third_party_token": { + "$id": "/properties/subject/properties/third_party_token", + "type": "string", + "title": "A token generated by the third party and registered with the customer authentication device", + "pattern": "^[A-Za-z0-9-_]+\\.[A-Za-z0-9-_]+\\.[A-Za-z0-9-_.+/=]*$" + } + } + } + } +} 
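Review bot: `subject` bounds the property count to exactly 2 but does not close the object, so `{"subject_type": "email", "unexpected": 1}` passes, and nothing ties `subject_type` to its sibling, so `subject_type: "email"` paired with `phone` passes as well; add `"additionalProperties": false` to `subject`, and bind the discriminator with draft-07 `if`/`then` per enum value, e.g. `"if": {"properties": {"subject_type": {"const": "email"}}}, "then": {"required": ["email"]}`. `phone` has no pattern, unlike `third_party_token`; a pattern matching the form of the example would stop free text being passed as a phone hint.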
diff --git a/working/v3.0.0-draft2/ciba-flow/README.md b/working/v3.0.0-draft2/ciba-flow/README.md
new file mode 100644
index 0000000..fe01687
--- /dev/null
+++ b/working/v3.0.0-draft2/ciba-flow/README.md
@@ -0,0 +1,9 @@
+# CIBA related schemas
+
+The following are CIBA authorisation flow relevant schemas:
+
+* CIBA Authorisation request [schema](./CIBA-authorization-request-object-schema.json)
+* CIBA Authorisation request response [schema](./CIBA-authorization-request-response-schema.json)
+* CIBA `login_hint_token` [schema](./CIBA-login-hint-token-schema.json)
+* CIBA 'ping callback' [schema](./ping-callback-schema.json)
+* The `id_token_hint` (ID token that was previously issued by API provider) [schema](../id-token/id-token-body-schema.json)
diff --git a/working/v3.0.0-draft2/ciba-flow/ping-callback-schema.json b/working/v3.0.0-draft2/ciba-flow/ping-callback-schema.json
new file mode 100644
index 0000000..5ca4d15
--- /dev/null
+++ b/working/v3.0.0-draft2/ciba-flow/ping-callback-schema.json
@@ -0,0 +1,18 @@
+{
+ "definitions": {},
+ "$schema": "http://json-schema.org/draft-07/schema#",
+ "$id": "http://apicentre.paymentsnz.co.nz/schemas/ping-callback-schema.json",
+ "type": "object",
+ "title": "The schema for the CIBA callback request",
+ "additionalProperties": false,
+ "required": ["auth_req_id"],
+ "properties": {
+ "auth_req_id": {
+ "$id": "/properties/auth_req_id",
+ "type": "string",
+ "description": "This is a unique identifier for the authentication request made by the CIBA Client (third party)",
+ "format": "uuid",
+ "examples": ["1c266114-a1be-4252-8ad1-04986c5b9ac1"]
+ }
+ }
+}
diff --git a/working/v3.0.0-draft2/ciba-flow/token-request-response-schema.json b/working/v3.0.0-draft2/ciba-flow/token-request-response-schema.json
new file mode 100644
index 0000000..83d85c6
--- /dev/null
+++ b/working/v3.0.0-draft2/ciba-flow/token-request-response-schema.json
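Review bot: `auth_req_id` is constrained here with `"format": "uuid"`, which is not a draft-07 format (it arrived in 2019-09) and, per the README's own note, is not enforced by ajv as configured, while the CIBA-authorization-request-response-schema.json hunk validates the same identifier with `"minLength": 22` and `"pattern": "^[a-zA-Z0-9.\\-_]{22,}$"` and an example containing `_` and `.` that is not a UUID; the two schemas therefore disagree on what a valid `auth_req_id` is, and the callback schema currently checks nothing. Replace the `format` line with the same `minLength`/`pattern` pair so the callback accepts exactly the identifiers the response schema allows.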
@@ -0,0 +1,45 @@ +{ + "definitions": {}, + "$schema": "http://json-schema.org/draft-07/schema#", + "$id": "http://apicentre.paymentsnz.co.nz/schemas/token-request-response-schema.json", + "type": "object", + "title": "The schema for the Open ID Connect token request response", + "additionalProperties": false, + "required": ["access_token", "token_type", "expires_in", "id_token"], + "properties": { + "access_token": { + "$id": "/properties/access_token", + "type": "string", + "title": "Access token", + "description": "The token to be used on subsequent API requests", + "examples": ["G5kXH2wHvUra0sHlDy1iTkDJgsgUO1bN"] + }, + "token_type": { + "$id": "/properties/token_type", + "type": "string", + "title": "The OAuth 2.0 token type", + "enum": ["Bearer", "mac"] + }, + "refresh_token": { + "$id": "/properties/refresh_token", + "type": "string", + "title": "Refresh token", + "description": "The token to be used to refresh the access token", + "examples": ["4bwc0ESC_IAhflf-ACC_vjD_ltc11ne-8gFPfA2Kx16"] + }, + "expires_in": { + "$id": "/properties/expires_in", + "type": "integer", + "exclusiveMinimum": 0, + "title": "Access token expiry time", + "description": "A positive integer value in seconds, indicating the expiration time since the authentication request was received", + "examples": [3600] + }, + "id_token": { + "$id": "/properties/id_token", + "type": "string", + "title": "The ID Token issued to the third party", + "pattern": "^[A-Za-z0-9-_]+\\.[A-Za-z0-9-_]+\\.[A-Za-z0-9-_.+/=]*$" + } + } +} diff --git a/working/v3.0.0-draft2/client-authentication/jwt-bearer-auth-schema.json b/working/v3.0.0-draft2/client-authentication/jwt-bearer-auth-schema.json new file mode 100644 index 0000000..2bbd222 --- /dev/null +++ b/working/v3.0.0-draft2/client-authentication/jwt-bearer-auth-schema.json 
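Review bot: The `id_token` pattern `^[A-Za-z0-9-_]+\\.[A-Za-z0-9-_]+\\.[A-Za-z0-9-_.+/=]*$` ends in `*`, so a compact JWS whose third segment is empty, the unsecured form, passes validation; since the JOSE header schema in this commit only permits ES256 and PS256, the signature segment should be mandatory and base64url only: `"pattern": "^[A-Za-z0-9_-]+\\.[A-Za-z0-9_-]+\\.[A-Za-z0-9_-]+$"`. The same pattern is used for `third_party_token` in the CIBA-login-hint-token-schema.json hunk. The `expires_in` description `"since the authentication request was received"` is copied from the CIBA request response, but here the value is the access-token lifetime, as the title says; `"A positive integer value in seconds, the lifetime of the access token"` fits. `token_type` admits `mac`, for which nothing else on this page defines a token format; if only bearer tokens are issued, `"enum": ["Bearer"]` removes an unvalidated branch.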
@@ -0,0 +1,63 @@ +{ + "$schema": "http://json-schema.org/draft-07/schema#", + "$id": "http://apicentre.paymentsnz.co.nz/schemas/jwt-bearer-auth-schema.json", + "type": "object", + "title": "The schema used with JWT authentication", + "description": "The schema to be used with private_key_jwt as specified by OIDC core final 1.0", + "additionalProperties": true, + "required": ["jti", "sub", "iss", "aud", "exp"], + "properties": { + "jti": { + "$id": "#/properties/jti", + "type": "string", + "description": "The JWT token identifier that must be unique and used only once", + "default": "", + "examples": ["992267bc-8e1c-4909-b4f4-4f47b652f748"], + "pattern": "^(.*)$" + }, + "sub": { + "$id": "#/properties/sub", + "type": "string", + "description": "The JWT subject, which must be client_id", + "default": "", + "examples": ["38174623762"], + "pattern": "^(.*)$" + }, + "iss": { + "$id": "#/properties/iss", + "type": "string", + "description": "The JWT issuer, which must be client_id", + "default": "", + "examples": ["38174623762"], + "pattern": "^(.*)$" + }, + "aud": { + "$id": "#/properties/aud", + "type": "string", + "format": "uri", + "description": "The audience for the JWT, which must be the authorisation server and should be the token endpoint", + "examples": ["http://examplebank.co.nz/oauth2/token"] + }, + "exp": { + "$id": "#/properties/exp", + "type": "integer", + "description": "The time the JWT expires", + "default": 0, + "examples": [1536165540] + }, + "iat": { + "$id": "#/properties/iat", + "type": "integer", + "description": "The time the JWT was issued by authorisation server", + "default": 0, + "examples": [1536132708] + }, + "nbf": { + "$id": "#/properties/nbf", + "type": "integer", + "description": "The time before which the token should not be accepted", + "default": 0, + "examples": [1536132708] + } + } +} 
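Review bot: `jti`, `sub` and `iss` use `"pattern": "^(.*)$"`, which matches the empty string, so a client assertion with `"jti": ""` validates; every other schema in this commit uses `^(.+)$` or `"minLength": 1`, and `jti` is the value the server must record to reject replayed assertions, so change the three patterns to `"^(.+)$"`. The `iat` description `"The time the JWT was issued by authorisation server"` is wrong for this schema: the private_key_jwt assertion is issued by the client, so `"The time the JWT was issued by the client"`. The `aud` example uses `http://`; an `https://` example avoids suggesting the token endpoint may be reached in plaintext.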
diff --git a/working/v3.0.0-draft2/common/JOSE-header-schema.json b/working/v3.0.0-draft2/common/JOSE-header-schema.json
new file mode 100644
index 0000000..85455f2
--- /dev/null
+++ b/working/v3.0.0-draft2/common/JOSE-header-schema.json
@@ -0,0 +1,32 @@
+{
+ "title": "Version 2 of JWT header",
+ "type": "object",
+ "$id": "http://apicentre.paymentsnz.co.nz/schemas/JOSE-header-schema.json",
+ "definitions": {},
+ "$schema": "http://json-schema.org/draft-07/schema#",
+ "additionalProperties": false,
+ "required": ["alg", "kid"],
+ "properties": {
+ "alg": {
+ "$id": "/properties/alg",
+ "type": "string",
+ "description": "The type of algorithm used to sign the JWT",
+ "examples": ["PS256"],
+ "enum": ["ES256", "PS256"]
+ },
+ "kid": {
+ "$id": "/properties/kid",
+ "type": "string",
+ "description": "The id of a public key or certificate used to sign the content or verify the signature",
+ "examples": ["39cfac46-721f-46d5-8031-df6ae0dcb5f8"],
+ "pattern": "^(.+)$"
+ },
+ "typ": {
+ "$id": "/properties/typ",
+ "type": "string",
+ "description": "Used to denote the media type of the signed token. If included, the value must be 'JWT' or 'secevent+jwt' for event notifications .",
+ "enum": ["JWT", "secevent+jwt"],
+ "examples": ["JWT"]
+ }
+ }
+}
diff --git a/working/v3.0.0-draft2/hybrid-flow/authorization-request-schema.json b/working/v3.0.0-draft2/hybrid-flow/authorization-request-schema.json
new file mode 100644
index 0000000..4199b8d
--- /dev/null
+++ b/working/v3.0.0-draft2/hybrid-flow/authorization-request-schema.json
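Review bot: `kid` accepts any non-empty string with no upper bound, and as the value used to select the verification key it is the one header field this otherwise closed schema lets a sender choose freely; add `"maxLength": <PLACEHOLDER_KID_MAX_LENGTH>` sized to the identifiers the provider actually issues (the example is a 36-character UUID). Restricting `alg` to `["ES256", "PS256"]` and closing the object with `"additionalProperties": false`, which also rejects `jku`, `x5u` and `jwk`, are the right controls here; the empty `"definitions": {}` can be dropped.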
@@ -0,0 +1,177 @@ +{ + "definitions": {}, + "$schema": "http://json-schema.org/draft-07/schema#", + "$id": "http://apicentre.paymentsnz.co.nz/schemas/authorization-request-schema.json", + "type": "object", + "title": "The schema for the Authorisation Request (OIDC/FAPI compliant) token", + "additionalProperties": false, + "required": [ + "aud", + "iss", + "response_type", + "client_id", + "redirect_uri", + "scope", + "state", + "nonce", + "claims", + "exp", + "nbf" + ], + "properties": { + "aud": { + "$id": "#/properties/aud", + "title": "The audiences for the token", + "description": "The value should be or include the API Provider Issuer Identifier URL", + "oneOf": [ + { + "type": "string", + "examples": ["https://api.alphanbank.com"], + "format": "uri" + }, + { + "type": "array", + "$id": "#/properties/aud/items", + "items": { + "type": "string", + "pattern": "^(.+)$" + }, + "examples": ["https://api.alphanbank.com"] + } + ] + }, + "iat":{ + "$id": "/properties/iat", + "type": "integer", + "description": "Time on which the Request Object was issued. May be used for determining age", + "examples": [1496397168] + }, + "exp": { + "$id": "/properties/exp", + "type": "integer", + "description": "Expiration time on or after which the Request Object MUST NOT be accepted for processing.", + "examples": [1496397168] + }, + "nbf": { + "$id": "/properties/nbf", + "type": "integer", + "description": "Time before which the Request Object MUST NOT be accepted for processing.", + "examples": [1496397168] + }, + "iss": { + "$id": "#/properties/iss", + "type": "string", + "title": "The Issuer of the token", + "description": "The value should be the client ID of the third party, unless signed by a different party", + "default": "", + "examples": ["s6BhdRkqt3"], + "pattern": "^(.+)$" + }, + "jti": { + "$id": "#/properties/jti", + "type": "string", + "title": "The unique identifier of the token", + "description": "Used for determining token uniqueness. 
The value should be have sufficient entropy to make likelihood of collisions negligible.", + "examples": ["d92f1393-752e-49c2-8ce3-90abc6b29655"] + }, + "response_type": { + "$id": "#/properties/response_type", + "type": "string", + "title": "The type of the response token", + "default": "code id_token", + "examples": ["code id_token"], + "enum": ["code id_token"] + }, + "client_id": { + "$id": "#/properties/client_id", + "type": "string", + "title": "The ID of the third-party client", + "default": "", + "examples": ["s6BhdRkqt3"], + "pattern": "^(.+)$" + }, + "redirect_uri": { + "$id": "#/properties/redirect_uri", + "type": "string", + "title": "The URI to which to redirect the customer User Agent", + "default": "", + "examples": ["https://api.mytpp.com/cb"], + "format": "uri" + }, + "scope": { + "$id": "#/properties/scope", + "type": "string", + "title": "The OAuth scopes requested", + "description": "Must include 'openid' and any other scopes required", + "default": "openid", + "examples": ["openid payments"], + "pattern": "^openid([ ].*)*$" + }, + "state": { + "$id": "#/properties/state", + "type": "string", + "title": "The third-party specific state", + "description": "Opaque to API provider", + "default": "", + "examples": ["af0ifjsldkj"], + "pattern": "^(.+)$" + }, + "nonce": { + "$id": "#/properties/nonce", + "type": "string", + "title": "Third party nonce to avoid replay", + "default": "", + "examples": ["n-0S6_WzA2Mj"], + "pattern": "^(.+)$" + }, + "max_age": { + "$id": "#/properties/max_age", + "type": "integer", + "title": "Third-party specified maximum authentication age", + "default": 0, + "examples": [86400] + }, + "claims": { + "$id": "#/properties/claims", + "type": "object", + "title": "Claims object that holds the id_token request", + "additionalProperties": true, + "required": ["id_token"], + "properties": { + "id_token": { + "$id": "#/properties/claims/properties/id_token", + "type": "object", + "title": "The ID token request claims", + 
"additionalProperties": true, + "required": ["ConsentId"], + "properties": { + "ConsentId": { + "$id": "#/properties/claims/properties/id_token/properties/ConsentId", + "type": "object", + "title": "The Consent ID object", + "additionalProperties": false, + "required": ["value", "essential"], + "properties": { + "value": { + "$id": "#/properties/claims/properties/id_token/properties/ConsentId/properties/value", + "type": "string", + "title": "The value of Consent ID", + "default": "", + "examples": ["urn-alphabank-intent-58923"], + "pattern": "^(.+)$" + }, + "essential": { + "$id": "#/properties/claims/properties/id_token/properties/ConsentId/properties/essential", + "type": "boolean", + "title": "Essential claim identifier", + "default": false, + "examples": [true] + } + } + } + } + } + } + } + } +} diff --git a/working/v3.0.0-draft2/id-token/id-token-body-schema.json b/working/v3.0.0-draft2/id-token/id-token-body-schema.json new file mode 100644 index 0000000..137f31c --- /dev/null +++ b/working/v3.0.0-draft2/id-token/id-token-body-schema.json 
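Review bot: `iss`, `client_id`, `redirect_uri`, `state`, `nonce` and `claims.id_token.ConsentId.value` declare `"default": ""` alongside `"pattern": "^(.+)$"` or `"format": "uri"`, so the documented default is a value the schema itself rejects and any generated documentation or form filler would produce an invalid request; drop the `"default": ""` lines, since none of these claims has a meaningful default. The authorization-code-flow/authorization-request-schema.json and client-authentication/jwt-bearer-auth-schema.json hunks carry the same `"default": ""` entries.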
@@ -0,0 +1,119 @@ +{ + "title": "Version 1 of ID Token JWT payload", + "$id": "http://apicentre.paymentsnz.co.nz/schemas/id-token-body-schema.json", + "type": "object", + "$schema": "http://json-schema.org/draft-07/schema#", + "additionalProperties": true, + "required": [ + "iss", + "sub", + "aud", + "exp", + "iat", + "nonce", + "ConsentId", + "c_hash", + "s_hash" + ], + "properties": { + "iss": { + "$id": "/properties/iss", + "type": "string", + "format": "uri", + "description": "Token issuer - e.g. https://secure.examplebank.co.nz/token", + "examples": ["https://secure.examplebank.co.nz/token"] + }, + "sub": { + "$id": "/properties/sub", + "type": "string", + "description": "Subject Identifier, intended to be consumed by the Client. It must be a locally unique, never reassigned and opaque identifier within the Issuer for the End-User.", + "examples": ["AItOawmwtWwcT0k51BayewNvutrJUqsvl6qs7A4"] + }, + "aud": { + "$id": "/properties/aud", + "description": "The audience for the token, must contain the Client ID of the third party. May also contain other audiences.", + "oneOf": [ + { + "type": "string", + "examples": ["third_party_client_id", "sadUTdfTANIhditInecaqwEZdsUL"] + }, + { + "type": "array", + "items": { + "$id": "/properties/aud/items", + "type": "string" + }, + "description": "Audience(s) that this ID Token is intended for. 
It MUST contain the OAuth 2.0 client_id of the Relying Party as an audience value.", + "examples": [ + "third_party_client_id", + "ERVWyYqQM6AstKLmpuQdTiK8or02pe1i" + ] + } + ] + }, + "ConsentId": { + "$id": "/properties/ConsentId", + "type": "string", + "pattern": "^(.+)$", + "description": "The ID of the consent to which this token is related", + "examples": ["20353a34-8be1-4c76-a0ae-4b8c1bbf9ec6"] + }, + "exp": { + "$id": "/properties/exp", + "type": "integer", + "description": "Expiration time on or after which the ID Token MUST NOT be accepted for processing.", + "examples": [1496397168] + }, + "iat": { + "$id": "/properties/iat", + "type": "integer", + "description": "Time at which the JWT was issued.", + "examples": [1496361168] + }, + "nonce": { + "$id": "/properties/nonce", + "type": "string", + "description": "String value used to associate a Client session with an ID Token, and to mitigate replay attacks. The value is passed through unmodified from the Authentication Request to the ID Token as the nonce claim. Clients MUST verify that the nonce claim value is equal to the value of the nonce parameter sent in the Authentication Request.", + "examples": ["n-0S6_WzA2Mj"] + }, + "amr": { + "$id": "/properties/amr", + "type": "array", + "items": { + "$id": "/properties/amr/items", + "type": "string" + }, + "description": "Authentication Methods References.", + "examples": ["pwd"] + }, + "azp": { + "$id": "/properties/azp", + "type": "string", + "pattern": "^(.+)$", + "description": "Authorised party to which the token is issued. 
This is the the third party, rather than the customer", + "examples": ["20353a34-8be1-4c76-a0ae-4b8c1bbf9ec6"] + }, + "auth_time": { + "$id": "/properties/auth_time", + "type": "integer", + "description": "Time when the End-User authentication occurred.", + "examples": [1496361168] + }, + "c_hash": { + "$id": "#/properties/c_hash", + "type": "string", + "title": "Code hash value", + "pattern": "^[a-zA-Z0-9_-]+$", + "description": "Base64 representation of the left-most half of the hash of the octets of authorization code, when hashed using the algorithm specified in 'alg'", + "examples": ["dGhpc2lzYW5leGFtcGxlYXV0aG9yaXNhdGlvbmNvZGU"] + }, + "s_hash": { + "$id": "#/properties/s_hash", + "type": "string", + "title": "State hash value", + "pattern": "^[a-zA-Z0-9_-]+$", + "description": "Base64 representation of the left-most half of the hash of the octets of state, when hashed using the algorithm specified in 'alg'", + "examples": ["dGhpc2lzYW5leGFtcGxlc3RhdGU"] + } + } +}
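Review bot: The array branch of `aud` has neither `minItems` nor `minLength` on its items, so `"aud": []` or `"aud": [""]` validates although the description says it MUST contain the client_id; the JARM-response-schema.json hunk already puts `"minLength": 1` on the items, so add that here plus `"minItems": 1`. `c_hash` and `s_hash` are described as `"Base64 representation"` but the pattern `^[a-zA-Z0-9_-]+$` admits only unpadded base64url, which is what these hash claims use, so the descriptions should say `"Base64url"`. `sub` has no `minLength`, unlike the other identifier claims, and the `azp` description doubles a word in `"This is the the third party"`.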