From 63dc8bbe737d4a0f9a00443e2b342733cb4553ce Mon Sep 17 00:00:00 2001 
From: NigelSomerfieldPNZ Date: Fri, 13 Jan 2023 09:43:13 +1300 Subject: [PATCH 01/11] Updated schemas --- working/v3.0.0-draft2/README.md | 22 ++ .../JARM-response-schema.json | 72 +++++++ .../PAR-response-schema.json | 27 +++ .../authorization-request-schema.json | 203 ++++++++++++++++++ ...A-authorization-request-object-schema.json | 109 ++++++++++ ...authorization-request-response-schema.json | 32 +++ .../CIBA-login-hint-token-schema.json | 64 ++++++ working/v3.0.0-draft2/ciba-flow/README.md | 9 + .../ciba-flow/ping-callback-schema.json | 18 ++ .../token-request-response-schema.json | 45 ++++ .../jwt-bearer-auth-schema.json | 63 ++++++ .../common/JOSE-header-schema.json | 32 +++ .../authorization-request-schema.json | 177 +++++++++++++++ .../id-token/id-token-body-schema.json | 119 ++++++++++ 14 files changed, 992 insertions(+) create mode 100644 working/v3.0.0-draft2/README.md create mode 100644 working/v3.0.0-draft2/authorization-code-flow/JARM-response-schema.json create mode 100644 working/v3.0.0-draft2/authorization-code-flow/PAR-response-schema.json create mode 100644 working/v3.0.0-draft2/authorization-code-flow/authorization-request-schema.json create mode 100644 working/v3.0.0-draft2/ciba-flow/CIBA-authorization-request-object-schema.json create mode 100644 working/v3.0.0-draft2/ciba-flow/CIBA-authorization-request-response-schema.json create mode 100644 working/v3.0.0-draft2/ciba-flow/CIBA-login-hint-token-schema.json create mode 100644 working/v3.0.0-draft2/ciba-flow/README.md create mode 100644 working/v3.0.0-draft2/ciba-flow/ping-callback-schema.json create mode 100644 working/v3.0.0-draft2/ciba-flow/token-request-response-schema.json create mode 100644 working/v3.0.0-draft2/client-authentication/jwt-bearer-auth-schema.json create mode 100644 working/v3.0.0-draft2/common/JOSE-header-schema.json create mode 100644 working/v3.0.0-draft2/hybrid-flow/authorization-request-schema.json create mode 100644 
working/v3.0.0-draft2/id-token/id-token-body-schema.json diff --git a/working/v3.0.0-draft2/README.md b/working/v3.0.0-draft2/README.md new file mode 100644 index 0000000..3349c35 --- /dev/null +++ b/working/v3.0.0-draft2/README.md @@ -0,0 +1,22 @@ +# V3.0.0-draft2 schemas + +This folder contains schemas for the V3.0.0 security profile. This includes: + +- Client authentication [schema](./client-authentication/jwt-bearer-auth-schema.json) (for use with `private_key_jwt`) +- Authorization Code Flow request [schema](./authorization-code-flow/authorization-request-schema.json) for Pushed Authorization Requests with PKCE, PAR response [schema](./authorization-code-flow/PAR-response-schema.json) and JARM response [schema](./authorization-code-flow/JARM-response-schema.json) +- Hybrid flow authorization request [schema](./hybrid-flow/authorization-request-schema.json) +- CIBA decoupled flow relevant [schemas](./ciba-flow/README.md) +- ID token [schema](./id-token/id-token-body-schema.json) +- Generic JWS header [schema](./common/JOSE-header-schema.json) + +These are assistive in nature, and supplementary to the Security Profile documentation. It is highly recommended to follow that documentation first. + +## Testing schema validation + +One method of validating test data with JSON schemas is to use `ajv`, via: + +```bash +npx ajv-cli --strict=false -s .\schema.json -d .\data.json +``` + +__Note:__ the `--strict=false` is a `ajv` workaround for "format": "uri", which is valid JSON schema in draft-07, but not recognised by `ajv` diff --git a/working/v3.0.0-draft2/authorization-code-flow/JARM-response-schema.json b/working/v3.0.0-draft2/authorization-code-flow/JARM-response-schema.json new file mode 100644 index 0000000..d2e31e1 --- /dev/null +++ b/working/v3.0.0-draft2/authorization-code-flow/JARM-response-schema.json 
@@ -0,0 +1,72 @@ +{ + "title": "Version 1 of JARM response payload", + "$id": "http://apicentre.paymentsnz.co.nz/schemas/jarm-response-schema.json", + "type": "object", + "$schema": "http://json-schema.org/draft-07/schema#", + "additionalProperties": false, + "required": [ + "iss", + "code", + "aud", + "exp", + "state", + "ConsentId" + ], + "properties": { + "iss": { + "$id": "/properties/iss", + "type": "string", + "format": "uri", + "description": "Token issuer - e.g. https://secure.examplebank.co.nz/token", + "examples": ["https://secure.examplebank.co.nz/token"] + }, + "code": { + "$id": "/properties/code", + "type": "string", + "description": "Authorization Code, to be exchanged for Access Token.", + "examples": ["AItOawmwtWwcT0k51BayewNvutrJUqsvl6qs7A4"] + }, + "aud": { + "$id": "/properties/aud", + "description": "The audience for the token, must contain the Client ID of the third party. May also contain other audiences.", + "oneOf": [ + { + "type": "string", + "examples": ["third_party_client_id", "sadUTdfTANIhditInecaqwEZdsUL"] + }, + { + "type": "array", + "items": { + "$id": "/properties/aud/items", + "type": "string" + }, + "description": "Audience(s) that this ID Token is intended for. It MUST contain the OAuth 2.0 client_id of the Relying Party as an audience value.", + "examples": [ + "third_party_client_id", + "ERVWyYqQM6AstKLmpuQdTiK8or02pe1i" + ] + } + ] + }, + "ConsentId": { + "$id": "/properties/ConsentId", + "type": "string", + "pattern": "^(.+)$", + "description": "The ID of the consent to which this token is related", + "examples": ["20353a34-8be1-4c76-a0ae-4b8c1bbf9ec6"] + }, + "exp": { + "$id": "/properties/exp", + "type": "integer", + "description": "Expiration time on or after which the ID Token MUST NOT be accepted for processing.", + "examples": [1496397168] + }, + "state": { + "$id": "/properties/state", + "type": "string", + "description": "OPTIONAL. 
String value used to associate a Client session with an ID Token, and to mitigate replay attacks. The value is passed through unmodified from the Authentication Request to the ID Token as the nonce claim. Clients MUST verify that the nonce claim value is equal to the value of the nonce parameter sent in the Authentication Request.", + "examples": ["n-0S6_WzA2Mj"] + } + } + } + \ No newline at end of file diff --git a/working/v3.0.0-draft2/authorization-code-flow/PAR-response-schema.json b/working/v3.0.0-draft2/authorization-code-flow/PAR-response-schema.json new file mode 100644 index 0000000..b6e352a --- /dev/null +++ b/working/v3.0.0-draft2/authorization-code-flow/PAR-response-schema.json @@ -0,0 +1,27 @@ +{ + "title": "Version 1 of PAR response payload", + "$id": "http://apicentre.paymentsnz.co.nz/schemas/par-response-schema.json", + "type": "object", + "$schema": "http://json-schema.org/draft-07/schema#", + "additionalProperties": false, + "required": [ + "request_uri", + "expires_in" + ], + "properties": { + "request_uri": { + "$id": "/properties/request_uri", + "type": "string", + "format": "uri", + "description": "A unique reference for the request object requiring authorization", + "examples": ["urn:ietf:params:oauth:request_uri:8qi1b0XAGrV9Ypv1cMyLAS_2AIchvqXx"] + }, + "expires_in": { + "$id": "/properties/expires_in", + "type": "integer", + "description": "Expiration time on or after which the ID Token MUST NOT be accepted for processing.", + "examples": [1496397168] + } + } + } + \ No newline at end of file diff --git a/working/v3.0.0-draft2/authorization-code-flow/authorization-request-schema.json b/working/v3.0.0-draft2/authorization-code-flow/authorization-request-schema.json new file mode 100644 index 0000000..d07ae50 --- /dev/null +++ b/working/v3.0.0-draft2/authorization-code-flow/authorization-request-schema.json 
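Review bot: The `state` description in JARM-response-schema.json is copied from the ID token `nonce` claim (it opens with "OPTIONAL." and talks about the nonce claim), yet `state` sits in `required` and in a JARM response it carries the request's `state`, which the client must compare with the value it sent before it accepts `code`. Replace it with `"description": "The state value from the Authorization Request, returned unmodified. Clients MUST verify it equals the value they sent before accepting the code."`. The `exp` description likewise refers to "the ID Token" rather than to the JARM response JWT. Note also that with `additionalProperties: false` a JARM error response (`error`, `error_description`) does not validate; if that is intended, the title should say the schema covers the success response only.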
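Review bot: In PAR-response-schema.json `expires_in` is described as an absolute "Expiration time on or after which the ID Token MUST NOT be accepted" with example `1496397168`, but in a pushed authorization response `expires_in` is the lifetime of the `request_uri` in seconds, not a timestamp, so the description and example steer an implementer to emit the wrong value. Suggest `"description": "Lifetime of the request_uri in seconds"`, `"examples": [90]` and, in line with the CIBA response schema in this commit, `"exclusiveMinimum": 0`. The `request_uri` could also be pinned with `"pattern": "^urn:ietf:params:oauth:request_uri:.+$"` so that only a request reference, not an arbitrary URL, passes validation.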
@@ -0,0 +1,203 @@ +{ + "definitions": {}, + "$schema": "http://json-schema.org/draft-07/schema#", + "$id": "http://apicentre.paymentsnz.co.nz/schemas/authorization-code-request-schema.json", + "type": "object", + "title": "The schema for the Authorisation Request (OIDC/FAPI compliant) token", + "additionalProperties": false, + "required": [ + "aud", + "iss", + "response_type", + "response_mode", + "client_id", + "redirect_uri", + "scope", + "state", + "nonce", + "claims", + "exp", + "nbf", + "code_challenge", + "code_challenge_method" + ], + "properties": { + "aud": { + "$id": "#/properties/aud", + "title": "The audiences for the token", + "description": "The value should be or include the API Provider Issuer Identifier URL", + "oneOf": [ + { + "type": "string", + "examples": ["https://api.alphanbank.com"], + "format": "uri" + }, + { + "type": "array", + "$id": "#/properties/aud/items", + "items": { + "type": "string", + "pattern": "^(.+)$" + }, + "examples": ["https://api.alphanbank.com"] + } + ] + }, + "iat":{ + "$id": "/properties/iat", + "type": "integer", + "description": "Time on which the Request Object was issued. 
May be used for determining age", + "examples": [1496397168] + }, + "exp": { + "$id": "/properties/exp", + "type": "integer", + "description": "Expiration time on or after which the Request Object MUST NOT be accepted for processing.", + "examples": [1496397168] + }, + "nbf": { + "$id": "/properties/nbf", + "type": "integer", + "description": "Time before which the Request Object MUST NOT be accepted for processing.", + "examples": [1496397168] + }, + "iss": { + "$id": "#/properties/iss", + "type": "string", + "title": "The Issuer of the token", + "description": "The value should be the client ID of the third party, unless signed by a different party", + "default": "", + "examples": ["s6BhdRkqt3"], + "pattern": "^(.+)$" + }, + "jti": { + "$id": "#/properties/jti", + "type": "string", + "title": "The unique identifier of the token", + "description": "Used for determining token uniqueness. The value should be have sufficient entropy to make likelihood of collisions negligible.", + "examples": ["d92f1393-752e-49c2-8ce3-90abc6b29655"] + }, + "response_type": { + "$id": "#/properties/response_type", + "type": "string", + "title": "The type of the response token", + "default": "code", + "examples": ["code"], + "enum": ["code"] + }, + "response_mode": { + "$id": "#/properties/response_mode", + "type": "string", + "title": "The mode used to deliver the response token", + "default": "jwt", + "examples": ["jwt"], + "enum": ["jwt"] + }, + "client_id": { + "$id": "#/properties/client_id", + "type": "string", + "title": "The ID of the third-party client", + "default": "", + "examples": ["s6BhdRkqt3"], + "pattern": "^(.+)$" + }, + "redirect_uri": { + "$id": "#/properties/redirect_uri", + "type": "string", + "title": "The URI to which to redirect the customer User Agent", + "default": "", + "examples": ["https://api.mytpp.com/cb"], + "format": "uri" + }, + "code_challenge": { + "$id": "#/properties/code_challenge", + "type": "string", + "title": "The PKCE code challenge value", + 
"examples": ["roXsvRC1K-5WAYWLWsqQJpXTR8NznFgysjjqKhqhSO4"], + "pattern": "^[a-zA-Z0-9\\-_]*$" + }, + "code_challenge_method": { + "$id": "#/properties/code_challenge_method", + "type": "string", + "title": "The mode used to deliver the response token", + "examples": ["S256"], + "default": "S256", + "enum": ["S256"] + }, + "scope": { + "$id": "#/properties/scope", + "type": "string", + "title": "The OAuth scopes requested", + "description": "Must include 'openid' and any other scopes required", + "default": "openid", + "examples": ["openid payments"], + "pattern": "^openid([ ].*)*$" + }, + "state": { + "$id": "#/properties/state", + "type": "string", + "title": "The third-party specific state", + "description": "Opaque to API provider", + "default": "", + "examples": ["af0ifjsldkj"], + "pattern": "^(.+)$" + }, + "nonce": { + "$id": "#/properties/nonce", + "type": "string", + "title": "Third party nonce to avoid replay", + "default": "", + "examples": ["n-0S6_WzA2Mj"], + "pattern": "^(.+)$" + }, + "max_age": { + "$id": "#/properties/max_age", + "type": "integer", + "title": "Third-party specified maximum authentication age", + "default": 0, + "examples": [86400] + }, + "claims": { + "$id": "#/properties/claims", + "type": "object", + "title": "Claims object that holds the id_token request", + "additionalProperties": true, + "required": ["id_token"], + "properties": { + "id_token": { + "$id": "#/properties/claims/properties/id_token", + "type": "object", + "title": "The ID token request claims", + "additionalProperties": true, + "required": ["ConsentId"], + "properties": { + "ConsentId": { + "$id": "#/properties/claims/properties/id_token/properties/ConsentId", + "type": "object", + "title": "The Consent ID object", + "additionalProperties": false, + "required": ["value", "essential"], + "properties": { + "value": { + "$id": "#/properties/claims/properties/id_token/properties/ConsentId/properties/value", + "type": "string", + "title": "The value of Consent ID", + 
"default": "", + "examples": ["urn-alphabank-intent-58923"], + "pattern": "^(.+)$" + }, + "essential": { + "$id": "#/properties/claims/properties/id_token/properties/ConsentId/properties/essential", + "type": "boolean", + "title": "Essential claim identifier", + "default": false, + "examples": [true] + } + } + } + } + } + } + } + } +} diff --git a/working/v3.0.0-draft2/ciba-flow/CIBA-authorization-request-object-schema.json b/working/v3.0.0-draft2/ciba-flow/CIBA-authorization-request-object-schema.json new file mode 100644 index 0000000..f66f986 --- /dev/null +++ b/working/v3.0.0-draft2/ciba-flow/CIBA-authorization-request-object-schema.json 
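Review bot: The `code_challenge` pattern `^[a-zA-Z0-9\\-_]*$` accepts an empty string and any short value, so a request object with a trivial challenge still validates even though `code_challenge` is required; RFC 7636 fixes an S256 challenge at 43 base64url characters (43–128 in general). Changing the quantifier to `"pattern": "^[a-zA-Z0-9\\-_]{43,128}$"` (or adding `"minLength": 43, "maxLength": 128`) makes the schema reject the degenerate cases. Separately, the `code_challenge_method` title reads "The mode used to deliver the response token", a copy of the `response_mode` title; it should be `"title": "The PKCE code challenge method"`.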
@@ -0,0 +1,109 @@ +{ + "definitions": {}, + "$schema": "http://json-schema.org/draft-07/schema#", + "$id": "http://apicentre.paymentsnz.co.nz/schemas/CIBA-authorization-request-object-schema.json", + "type": "object", + "title": "The schema for the CIBA request object (OIDC/FAPI compliant)", + "additionalProperties": false, + "required": ["aud", "iss", "exp", "iat", "nbf", "jti", "scope", "ConsentId"], + "properties": { + "aud": { + "$id": "#/properties/aud", + "title": "The audiences for the token", + "description": "The value should be or include the client ID of the third party", + "oneOf": [ + { + "type": "string", + "examples": ["https://api.alphanbank.com"], + "format": "uri" + }, + { + "type": "array", + "$id": "#/properties/aud/items", + "items": { + "type": "string", + "pattern": "^(.+)$" + }, + "examples": ["https://api.alphanbank.com"] + } + ] + }, + "iss": { + "$id": "#/properties/iss", + "type": "string", + "title": "The Issuer of the token", + "description": "The value should be the client ID of the third party, unless signed by a different party", + "default": "", + "examples": ["s6BhdRkqt3"], + "pattern": "^(.+)$" + }, + "exp": { + "$id": "/properties/exp", + "type": "integer", + "description": "Expiration time on or after which the ID Token MUST NOT be accepted for processing.", + "examples": [1496397168] + }, + "iat": { + "$id": "/properties/iat", + "type": "integer", + "description": "Time at which the JWT was issued.", + "examples": [1496361168] + }, + "nbf": { + "$id": "/properties/nbf", + "type": "integer", + "description": "The time before which the ID Token MUST NOT be accepted for processing.", + "examples": [1496397168] + }, + "jti": { + "$id": "/properties/jti", + "type": "string", + "description": "The unique identifier of the current JWT token", + "examples": ["b8fd0a32-5e00-4b73-b3d8-b4af743b26e8"], + "pattern": "^(.+)$" + }, + "scope": { + "$id": "#/properties/scope", + "type": "string", + "title": "The OAuth scopes requested", + 
"description": "Must include 'openid' and any other scopes required", + "default": "openid", + "examples": ["openid payments"], + "pattern": "^openid([ ].*)*$" + }, + "ConsentId": { + "$id": "/properties/ConsentId", + "type": "string", + "pattern": "^(.+)$", + "description": "The ID of the consent to which this token is related", + "examples": ["20353a34-8be1-4c76-a0ae-4b8c1bbf9ec6"] + }, + "client_notification_token": { + "$id": "#/properties/client_notification_token", + "type": "string", + "title": "The bearer token for third party ping callback", + "description": "The API provider must use this to authenticate to the third party for a ping notification", + "maxLength": 1024, + "pattern": "^[A-Za-z0-9\\-\\._~\\+\\/]+=*$", + "examples": [ + "dGhpc2lzYXRlc3RzdHJpbmd1c2Vkb3RnZW5lcmF0ZWFiYXNlNjR0cmluZw==" + ] + }, + "login_hint_token": { + "$id": "/properties/login_hint_token", + "type": "string", + "description": "A JWT token containing information to be used as a hint to the user identity" + }, + "id_token_hint": { + "$id": "/properties/id_token_hint", + "type": "string", + "description": "An ID token that was previously issued to the third party being replayed as a hint to the user identity" + }, + "requested_expiry": { + "$id": "/properties/requested_expiry", + "type": "integer", + "description": "A positive integer allowing the third party to request the expires_in value for auth_req_id the API provider will return", + "examples": [300] + } + } +} diff --git a/working/v3.0.0-draft2/ciba-flow/CIBA-authorization-request-response-schema.json b/working/v3.0.0-draft2/ciba-flow/CIBA-authorization-request-response-schema.json new file mode 100644 index 0000000..a3c9106 --- /dev/null +++ b/working/v3.0.0-draft2/ciba-flow/CIBA-authorization-request-response-schema.json 
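Review bot: The `aud` description in CIBA-authorization-request-object-schema.json says the value "should be or include the client ID of the third party", but this object is signed by the client and CIBA Core §7.1.1 requires `aud` to be the OP's issuer identifier; the example `https://api.alphanbank.com` and the sibling authorization-code schema's wording ("the API Provider Issuer Identifier URL") agree with the spec, so the description is the outlier and should be aligned, since the audience check is what stops a request object from being accepted by a party it was not meant for. The schema also accepts a request with neither `login_hint_token` nor `id_token_hint` (and one with both), whereas CIBA requires exactly one hint; `"oneOf": [{ "required": ["login_hint_token"] }, { "required": ["id_token_hint"] }]` at the top level enforces this (add `login_hint` if the profile permits it). Finally, `requested_expiry` is documented as a positive integer but has no bound; `"exclusiveMinimum": 0` matches the response schema in this commit.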
@@ -0,0 +1,32 @@
+{
+ "definitions": {},
+ "$schema": "http://json-schema.org/draft-07/schema#",
+ "$id": "http://apicentre.paymentsnz.co.nz/schemas/CIBA-authorization-request-response-schema.json",
+ "type": "object",
+ "title": "The schema for the CIBA request response object (OIDC/FAPI compliant)",
+ "additionalProperties": false,
+ "required": ["auth_req_id", "expires_in"],
+ "properties": {
+ "auth_req_id": {
+ "$id": "/properties/auth_req_id",
+ "type": "string",
+ "description": "This is a unique identifier for the authentication request made by the CIBA Client (third party)",
+ "pattern": "^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$",
+ "examples": ["1c266114-a1be-4252-8ad1-04986c5b9ac1"]
+ },
+ "expires_in": {
+ "$id": "/properties/expires_in",
+ "type": "integer",
+ "exclusiveMinimum": 0,
+ "description": "A positive integer value in seconds, indicating the expiration time since the authentication request was received",
+ "examples": [3600]
+ },
+ "interval": {
+ "$id": "/properties/interval",
+ "type": "integer",
+ "minimum": 0,
+ "description": "The number of seconds a client MUST wait between polling requests to the token endpoint",
+ "examples": [10]
+ }
+ }
+}
diff --git a/working/v3.0.0-draft2/ciba-flow/CIBA-login-hint-token-schema.json b/working/v3.0.0-draft2/ciba-flow/CIBA-login-hint-token-schema.json
new file mode 100644
index 0000000..5beb014
--- /dev/null
+++ b/working/v3.0.0-draft2/ciba-flow/CIBA-login-hint-token-schema.json
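Review bot: The `auth_req_id` pattern in CIBA-authorization-request-response-schema.json (and the identical one in ping-callback-schema.json) constrains the identifier to the 8-4-4-4-12 UUID layout; CIBA Core §7.3 asks for at least 128 bits of entropy (160 recommended) and a random UUIDv4 carries only 122 random bits, so an implementation that generates UUIDs to satisfy this pattern falls short of the spec's guidance. If the UUID shape is a deliberate profile decision, say so in the description; otherwise a looser pattern such as `"pattern": "^[A-Za-z0-9._-]{22,}$"` together with a description stating the entropy requirement lets providers issue a longer random identifier. `auth_req_id` is the value the client later presents at the token endpoint, which is why its guessability matters.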
@@ -0,0 +1,64 @@ +{ + "definitions": {}, + "$schema": "http://json-schema.org/draft-07/schema#", + "$id": "http://apicentre.paymentsnz.co.nz/schemas/CIBA-login-hint-schema.json", + "type": "object", + "title": "The schema for the CIBA request object login_hint_token", + "additionalProperties": false, + "required": ["subject"], + "properties": { + "subject": { + "$id": "/properties/subject", + "type": "object", + "title": "Subject of the token", + "required": ["subject_type"], + "maxProperties": 2, + "minProperties": 2, + "properties": { + "subject_type": { + "$id": "/properties/subject/properties/subject_type", + "type": "string", + "title": "The type of subject hint", + "enum": [ + "phone", + "email", + "username", + "api_provider_token", + "third_party_token" + ] + }, + "phone": { + "$id": "/properties/subject/properties/phone", + "type": "string", + "title": "The phone of the subject identity to authorise", + "examples": ["+64-21-101-1221"] + }, + "email": { + "$id": "/properties/subject/properties/email", + "type": "string", + "title": "The email of the subject identity to authorise", + "format": "email", + "examples": ["user@example.com"] + }, + "username": { + "$id": "/properties/subject/properties/username", + "type": "string", + "title": "The username of the subject identity to authorise", + "examples": ["user.name", "@handle"] + }, + "api_provider_token": { + "$id": "/properties/subject/properties/api_provider_token", + "type": "string", + "title": "A token generated by the customer authentication device", + "description": "Uniquely identifies the Customer authentication device and Customer with the API Provider" + }, + "third_party_token": { + "$id": "/properties/subject/properties/third_party_token", + "type": "string", + "title": "A token generated by the third party and registered with the customer authentication device", + "pattern": "^[A-Za-z0-9-_]+\\.[A-Za-z0-9-_]+\\.[A-Za-z0-9-_.+/=]*$" + } + } + } + } +} 
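Review bot: In CIBA-login-hint-token-schema.json the `subject` object requires `subject_type` plus exactly one other property, but nothing links the two, so `{"subject_type": "phone", "email": "..."}` and `{"subject_type": "phone", "x": 1}` both validate (`additionalProperties` is not set on `subject`, so the second property can be anything). Adding `"additionalProperties": false` and a draft-07 `if`/`then` per enum value ties the discriminator to the matching property, as below; the existing `properties` block stays as it is. The hint is described elsewhere in this commit as a JWT, yet the top-level `additionalProperties: false` leaves no room for `exp`/`iat`/`aud`/`iss` claims, so a captured `login_hint_token` stays usable indefinitely; consider documenting whether the hint is expected to be signed and time-bounded.
```json
"required": ["subject_type"],
"additionalProperties": false,
"allOf": [
  { "if": { "properties": { "subject_type": { "const": "phone" } } }, "then": { "required": ["phone"] } },
  { "if": { "properties": { "subject_type": { "const": "email" } } }, "then": { "required": ["email"] } },
  { "if": { "properties": { "subject_type": { "const": "username" } } }, "then": { "required": ["username"] } },
  { "if": { "properties": { "subject_type": { "const": "api_provider_token" } } }, "then": { "required": ["api_provider_token"] } },
  { "if": { "properties": { "subject_type": { "const": "third_party_token" } } }, "then": { "required": ["third_party_token"] } }
],
```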
diff --git a/working/v3.0.0-draft2/ciba-flow/README.md b/working/v3.0.0-draft2/ciba-flow/README.md
new file mode 100644
index 0000000..fe01687
--- /dev/null
+++ b/working/v3.0.0-draft2/ciba-flow/README.md
@@ -0,0 +1,9 @@
+# CIBA related schemas
+
+The following are CIBA authorisation flow relevant schemas:
+
+* CIBA Authorisation request [schema](./CIBA-authorization-request-object-schema.json)
+* CIBA Authorisation request response [schema](./CIBA-authorization-request-response-schema.json)
+* CIBA `login_hint_token` [schema](./CIBA-login-hint-token-schema.json)
+* CIBA 'ping callback' [schema](./ping-callback-schema.json)
+* The `id_token_hint` (ID token that was previously issued by API provider) [schema](../id-token/id-token-body-schema.json)
diff --git a/working/v3.0.0-draft2/ciba-flow/ping-callback-schema.json b/working/v3.0.0-draft2/ciba-flow/ping-callback-schema.json
new file mode 100644
index 0000000..38266de
--- /dev/null
+++ b/working/v3.0.0-draft2/ciba-flow/ping-callback-schema.json
@@ -0,0 +1,18 @@
+{
+ "definitions": {},
+ "$schema": "http://json-schema.org/draft-07/schema#",
+ "$id": "http://apicentre.paymentsnz.co.nz/schemas/ping-callback-schema.json",
+ "type": "object",
+ "title": "The schema for the CIBA callback request",
+ "additionalProperties": false,
+ "required": ["auth_req_id"],
+ "properties": {
+ "auth_req_id": {
+ "$id": "/properties/auth_req_id",
+ "type": "string",
+ "description": "This is a unique identifier for the authentication request made by the CIBA Client (third party)",
+ "pattern": "^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$",
+ "examples": ["1c266114-a1be-4252-8ad1-04986c5b9ac1"]
+ }
+ }
+}
diff --git a/working/v3.0.0-draft2/ciba-flow/token-request-response-schema.json b/working/v3.0.0-draft2/ciba-flow/token-request-response-schema.json
new file mode 100644
index 0000000..83d85c6
--- /dev/null
+++ b/working/v3.0.0-draft2/ciba-flow/token-request-response-schema.json
@@ -0,0 +1,45 @@ +{ + "definitions": {}, + "$schema": "http://json-schema.org/draft-07/schema#", + "$id": "http://apicentre.paymentsnz.co.nz/schemas/token-request-response-schema.json", + "type": "object", + "title": "The schema for the Open ID Connect token request response", + "additionalProperties": false, + "required": ["access_token", "token_type", "expires_in", "id_token"], + "properties": { + "access_token": { + "$id": "/properties/access_token", + "type": "string", + "title": "Access token", + "description": "The token to be used on subsequent API requests", + "examples": ["G5kXH2wHvUra0sHlDy1iTkDJgsgUO1bN"] + }, + "token_type": { + "$id": "/properties/token_type", + "type": "string", + "title": "The OAuth 2.0 token type", + "enum": ["Bearer", "mac"] + }, + "refresh_token": { + "$id": "/properties/refresh_token", + "type": "string", + "title": "Refresh token", + "description": "The token to be used to refresh the access token", + "examples": ["4bwc0ESC_IAhflf-ACC_vjD_ltc11ne-8gFPfA2Kx16"] + }, + "expires_in": { + "$id": "/properties/expires_in", + "type": "integer", + "exclusiveMinimum": 0, + "title": "Access token expiry time", + "description": "A positive integer value in seconds, indicating the expiration time since the authentication request was received", + "examples": [3600] + }, + "id_token": { + "$id": "/properties/id_token", + "type": "string", + "title": "The ID Token issued to the third party", + "pattern": "^[A-Za-z0-9-_]+\\.[A-Za-z0-9-_]+\\.[A-Za-z0-9-_.+/=]*$" + } + } +} diff --git a/working/v3.0.0-draft2/client-authentication/jwt-bearer-auth-schema.json b/working/v3.0.0-draft2/client-authentication/jwt-bearer-auth-schema.json new file mode 100644 index 0000000..2bbd222 --- /dev/null +++ b/working/v3.0.0-draft2/client-authentication/jwt-bearer-auth-schema.json 
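Review bot: token-request-response-schema.json sets `additionalProperties: false` but defines no `scope` property, so a token response that includes `scope` — which RFC 6749 §5.1 requires whenever the granted scope differs from the requested one — fails validation. Add `"scope": { "$id": "/properties/scope", "type": "string", "pattern": "^openid([ ].*)*$" }` (the pattern the request schemas in this commit already use). The `expires_in` description is copied from the CIBA acknowledgement ("since the authentication request was received"); for an access token it is the lifetime in seconds from when the token response is issued. The `token_type` enum `["Bearer", "mac"]` is case-sensitive while RFC 6749 treats the value as case-insensitive, and `mac` is not referenced anywhere else in the profile, so confirm whether only `Bearer` is meant.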
@@ -0,0 +1,63 @@ +{ + "$schema": "http://json-schema.org/draft-07/schema#", + "$id": "http://apicentre.paymentsnz.co.nz/schemas/jwt-bearer-auth-schema.json", + "type": "object", + "title": "The schema used with JWT authentication", + "description": "The schema to be used with private_key_jwt as specified by OIDC core final 1.0", + "additionalProperties": true, + "required": ["jti", "sub", "iss", "aud", "exp"], + "properties": { + "jti": { + "$id": "#/properties/jti", + "type": "string", + "description": "The JWT token identifier that must be unique and used only once", + "default": "", + "examples": ["992267bc-8e1c-4909-b4f4-4f47b652f748"], + "pattern": "^(.*)$" + }, + "sub": { + "$id": "#/properties/sub", + "type": "string", + "description": "The JWT subject, which must be client_id", + "default": "", + "examples": ["38174623762"], + "pattern": "^(.*)$" + }, + "iss": { + "$id": "#/properties/iss", + "type": "string", + "description": "The JWT issuer, which must be client_id", + "default": "", + "examples": ["38174623762"], + "pattern": "^(.*)$" + }, + "aud": { + "$id": "#/properties/aud", + "type": "string", + "format": "uri", + "description": "The audience for the JWT, which must be the authorisation server and should be the token endpoint", + "examples": ["http://examplebank.co.nz/oauth2/token"] + }, + "exp": { + "$id": "#/properties/exp", + "type": "integer", + "description": "The time the JWT expires", + "default": 0, + "examples": [1536165540] + }, + "iat": { + "$id": "#/properties/iat", + "type": "integer", + "description": "The time the JWT was issued by authorisation server", + "default": 0, + "examples": [1536132708] + }, + "nbf": { + "$id": "#/properties/nbf", + "type": "integer", + "description": "The time before which the token should not be accepted", + "default": 0, + "examples": [1536132708] + } + } +} 
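Review bot: The `jti`, `sub` and `iss` patterns in jwt-bearer-auth-schema.json are `^(.*)$`, which accepts the empty string; every other schema in this commit uses `^(.+)$`, and an empty `jti` in particular defeats the one-time-use check its description promises. Change the three to `"pattern": "^(.+)$"` (or add `"minLength": 1`). The `iat` description "The time the JWT was issued by authorisation server" is wrong for a `private_key_jwt` assertion, which the client issues; `"description": "The time the client issued the JWT"` is accurate. The `aud` example uses plain `http://` unlike the `https://` examples elsewhere; examples tend to be copied, so it is worth aligning.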
diff --git a/working/v3.0.0-draft2/common/JOSE-header-schema.json b/working/v3.0.0-draft2/common/JOSE-header-schema.json
new file mode 100644
index 0000000..85455f2
--- /dev/null
+++ b/working/v3.0.0-draft2/common/JOSE-header-schema.json
@@ -0,0 +1,32 @@
+{
+ "title": "Version 2 of JWT header",
+ "type": "object",
+ "$id": "http://apicentre.paymentsnz.co.nz/schemas/JOSE-header-schema.json",
+ "definitions": {},
+ "$schema": "http://json-schema.org/draft-07/schema#",
+ "additionalProperties": false,
+ "required": ["alg", "kid"],
+ "properties": {
+ "alg": {
+ "$id": "/properties/alg",
+ "type": "string",
+ "description": "The type of algorithm used to sign the JWT",
+ "examples": ["PS256"],
+ "enum": ["ES256", "PS256"]
+ },
+ "kid": {
+ "$id": "/properties/kid",
+ "type": "string",
+ "description": "The id of a public key or certificate used to sign the content or verify the signature",
+ "examples": ["39cfac46-721f-46d5-8031-df6ae0dcb5f8"],
+ "pattern": "^(.+)$"
+ },
+ "typ": {
+ "$id": "/properties/typ",
+ "type": "string",
+ "description": "Used to denote the media type of the signed token. If included, the value must be 'JWT' or 'secevent+jwt' for event notifications .",
+ "enum": ["JWT", "secevent+jwt"],
+ "examples": ["JWT"]
+ }
+ }
+}
diff --git a/working/v3.0.0-draft2/hybrid-flow/authorization-request-schema.json b/working/v3.0.0-draft2/hybrid-flow/authorization-request-schema.json
new file mode 100644
index 0000000..d91bfff
--- /dev/null
+++ b/working/v3.0.0-draft2/hybrid-flow/authorization-request-schema.json
@@ -0,0 +1,177 @@ +{ + "definitions": {}, + "$schema": "http://json-schema.org/draft-07/schema#", + "$id": "http://apicentre.paymentsnz.co.nz/schemas/authorization-request-schema.json", + "type": "object", + "title": "The schema for the Authorisation Request (OIDC/FAPI compliant) token", + "additionalProperties": false, + "required": [ + "aud", + "iss", + "response_type", + "client_id", + "redirect_uri", + "scope", + "state", + "nonce", + "claims", + "exp", + "nbf" + ], + "properties": { + "aud": { + "$id": "#/properties/aud", + "title": "The audiences for the token", + "description": "The value should be or include the API Provider Issuer Identifier URL", + "oneOf": [ + { + "type": "string", + "examples": ["https://api.alphanbank.com"], + "format": "uri" + }, + { + "type": "array", + "$id": "#/properties/aud/items", + "items": { + "type": "string", + "pattern": "^(.+)$" + }, + "examples": ["https://api.alphanbank.com"] + } + ] + }, + "iat":{ + "$id": "/properties/iat", + "type": "integer", + "description": "Time on which the Request Object was issued. May be used for determining age", + "examples": [1496397168] + }, + "exp": { + "$id": "/properties/exp", + "type": "integer", + "description": "Expiration time on or after which the Request Object MUST NOT be accepted for processing.", + "examples": [1496397168] + }, + "nbf": { + "$id": "/properties/nbf", + "type": "integer", + "description": "Time before which the Request Object MUST NOT be accepted for processing.", + "examples": [1496397168] + }, + "iss": { + "$id": "#/properties/iss", + "type": "string", + "title": "The Issuer of the token", + "description": "The value should be the client ID of the third party, unless signed by a different party", + "default": "", + "examples": ["s6BhdRkqt3"], + "pattern": "^(.+)$" + }, + "jti": { + "$id": "#/properties/jti", + "type": "string", + "title": "The unique identifier of the token", + "description": "Used for determining token uniqueness. 
The value should be have sufficient entropy to make likelihood of collisions negligible.", + "examples": ["d92f1393-752e-49c2-8ce3-90abc6b29655"] + }, + "response_type": { + "$id": "#/properties/response_type", + "type": "string", + "title": "The type of the response token", + "default": "code id_token", + "examples": ["code id_token"], + "pattern": "^code id_token$" + }, + "client_id": { + "$id": "#/properties/client_id", + "type": "string", + "title": "The ID of the third-party client", + "default": "", + "examples": ["s6BhdRkqt3"], + "pattern": "^(.+)$" + }, + "redirect_uri": { + "$id": "#/properties/redirect_uri", + "type": "string", + "title": "The URI to which to redirect the customer User Agent", + "default": "", + "examples": ["https://api.mytpp.com/cb"], + "format": "uri" + }, + "scope": { + "$id": "#/properties/scope", + "type": "string", + "title": "The OAuth scopes requested", + "description": "Must include 'openid' and any other scopes required", + "default": "openid", + "examples": ["openid payments"], + "pattern": "^openid([ ].*)*$" + }, + "state": { + "$id": "#/properties/state", + "type": "string", + "title": "The third-party specific state", + "description": "Opaque to API provider", + "default": "", + "examples": ["af0ifjsldkj"], + "pattern": "^(.+)$" + }, + "nonce": { + "$id": "#/properties/nonce", + "type": "string", + "title": "Third party nonce to avoid replay", + "default": "", + "examples": ["n-0S6_WzA2Mj"], + "pattern": "^(.+)$" + }, + "max_age": { + "$id": "#/properties/max_age", + "type": "integer", + "title": "Third-party specified maximum authentication age", + "default": 0, + "examples": [86400] + }, + "claims": { + "$id": "#/properties/claims", + "type": "object", + "title": "Claims object that holds the id_token request", + "additionalProperties": true, + "required": ["id_token"], + "properties": { + "id_token": { + "$id": "#/properties/claims/properties/id_token", + "type": "object", + "title": "The ID token request claims", + 
"additionalProperties": true, + "required": ["ConsentId"], + "properties": { + "ConsentId": { + "$id": "#/properties/claims/properties/id_token/properties/ConsentId", + "type": "object", + "title": "The Consent ID object", + "additionalProperties": false, + "required": ["value", "essential"], + "properties": { + "value": { + "$id": "#/properties/claims/properties/id_token/properties/ConsentId/properties/value", + "type": "string", + "title": "The value of Consent ID", + "default": "", + "examples": ["urn-alphabank-intent-58923"], + "pattern": "^(.+)$" + }, + "essential": { + "$id": "#/properties/claims/properties/id_token/properties/ConsentId/properties/essential", + "type": "boolean", + "title": "Essential claim identifier", + "default": false, + "examples": [true] + } + } + } + } + } + } + } + } +} diff --git a/working/v3.0.0-draft2/id-token/id-token-body-schema.json b/working/v3.0.0-draft2/id-token/id-token-body-schema.json new file mode 100644 index 0000000..6f03695 --- /dev/null +++ b/working/v3.0.0-draft2/id-token/id-token-body-schema.json 
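Review bot: hybrid-flow/authorization-request-schema.json sets `additionalProperties: false` but, unlike the authorization-code schema in this commit, defines no `response_mode`, so a hybrid request object that specifies `response_mode` (for example `form_post`) is rejected outright rather than constrained to the value the profile permits. If a specific mode is mandated, add a `response_mode` property with an `enum` of the allowed value(s); if the parameter is simply not expected here, that is worth a sentence in the top-level `title`/`description`. The `jti` description "The value should be have sufficient entropy" has a stray word (the code-flow schema shares it), and `jti` is not in `required` even though the description relies on it for uniqueness; confirm whether the profile expects it to be present.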
@@ -0,0 +1,119 @@
+{
+ "title": "Version 1 of ID Token JWT payload",
+ "$id": "http://apicentre.paymentsnz.co.nz/schemas/id-token-body-schema.json",
+ "type": "object",
+ "$schema": "http://json-schema.org/draft-07/schema#",
+ "additionalProperties": true,
+ "required": [
+ "iss",
+ "sub",
+ "aud",
+ "exp",
+ "iat",
+ "nonce",
+ "ConsentId",
+ "c_hash",
+ "s_hash"
+ ],
+ "properties": {
+ "iss": {
+ "$id": "/properties/iss",
+ "type": "string",
+ "format": "uri",
+ "description": "Token issuer - e.g. https://secure.examplebank.co.nz/token",
+ "examples": ["https://secure.examplebank.co.nz/token"]
+ },
+ "sub": {
+ "$id": "/properties/sub",
+ "type": "string",
+ "description": "Subject Identifier, intended to be consumed by the Client. It must be a locally unique, never reassigned and opaque identifier within the Issuer for the End-User.",
+ "examples": ["AItOawmwtWwcT0k51BayewNvutrJUqsvl6qs7A4"]
+ },
+ "aud": {
+ "$id": "/properties/aud",
+ "description": "The audience for the token, must contain the Client ID of the third party. May also contain other audiences.",
+ "oneOf": [
+ {
+ "type": "string",
+ "examples": ["third_party_client_id", "sadUTdfTANIhditInecaqwEZdsUL"]
+ },
+ {
+ "type": "array",
+ "items": {
+ "$id": "/properties/aud/items",
+ "type": "string"
+ },
+ "description": "Audience(s) that this ID Token is intended for. It MUST contain the OAuth 2.0 client_id of the Relying Party as an audience value.",
+ "examples": [
+ "third_party_client_id",
+ "ERVWyYqQM6AstKLmpuQdTiK8or02pe1i"
+ ]
+ }
+ ]
+ },
+ "ConsentId": {
+ "$id": "/properties/ConsentId",
+ "type": "string",
+ "pattern": "^(.+)$",
+ "description": "The ID of the consent to which this token is related",
+ "examples": ["20353a34-8be1-4c76-a0ae-4b8c1bbf9ec6"]
+ },
+ "exp": {
+ "$id": "/properties/exp",
+ "type": "integer",
+ "description": "Expiration time on or after which the ID Token MUST NOT be accepted for processing.",
+ "examples": [1496397168]
+ },
+ "iat": {
+ "$id": "/properties/iat",
+ "type": "integer",
+ "description": "Time at which the JWT was issued.",
+ "examples": [1496361168]
+ },
+ "nonce": {
+ "$id": "/properties/nonce",
+ "type": "string",
+ "description": "OPTIONAL. String value used to associate a Client session with an ID Token, and to mitigate replay attacks. The value is passed through unmodified from the Authentication Request to the ID Token as the nonce claim. Clients MUST verify that the nonce claim value is equal to the value of the nonce parameter sent in the Authentication Request.",
+ "examples": ["n-0S6_WzA2Mj"]
+ },
+ "amr": {
+ "$id": "/properties/amr",
+ "type": "array",
+ "items": {
+ "$id": "/properties/amr/items",
+ "type": "string"
+ },
+ "description": "Authentication Methods References.",
+ "examples": ["pwd"]
+ },
+ "azp": {
+ "$id": "/properties/azp",
+ "type": "string",
+ "pattern": "^(.+)$",
+ "description": "Authorised party to which the token is issued. This is the the third party, rather than the customer",
+ "examples": ["20353a34-8be1-4c76-a0ae-4b8c1bbf9ec6"]
+ },
+ "auth_time": {
+ "$id": "/properties/auth_time",
+ "type": "integer",
+ "description": "Time when the End-User authentication occurred.",
+ "examples": [1496361168]
+ },
+ "c_hash": {
+ "$id": "#/properties/c_hash",
+ "type": "string",
+ "title": "Code hash value",
+ "pattern": "^[a-zA-Z0-9_-]+$",
+ "description": "Base64 representation of the left-most half of the hash of the octets of authorization code, when hashed using the algorithm specified in 'alg'",
+ "examples": ["dGhpc2lzYW5leGFtcGxlYXV0aG9yaXNhdGlvbmNvZGU"]
+ },
+ "s_hash": {
+ "$id": "#/properties/s_hash",
+ "type": "string",
+ "title": "State hash value",
+ "pattern": "^[a-zA-Z0-9_-]+$",
+ "description": "Base64 representation of the left-most half of the hash of the octets of state, when hashed using the algorithm specified in 'alg'",
+ "examples": ["dGhpc2lzYW5leGFtcGxlc3RhdGU"]
+ }
+ }
+}
From d612c9bb7d874264a2a706eb55eaa878c12ba754 Mon Sep 17 00:00:00 2001
From: NigelSomerfieldPNZ
Date: Thu, 9 Feb 2023 15:49:41 +1300
Subject: [PATCH 02/11] Updated to use "format": "uuid"
---
 .../ciba-flow/CIBA-authorization-request-response-schema.json | 2 +-
 working/v3.0.0-draft2/ciba-flow/ping-callback-schema.json | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/working/v3.0.0-draft2/ciba-flow/CIBA-authorization-request-response-schema.json b/working/v3.0.0-draft2/ciba-flow/CIBA-authorization-request-response-schema.json
index a3c9106..63a1b1f 100644
--- a/working/v3.0.0-draft2/ciba-flow/CIBA-authorization-request-response-schema.json
+++ b/working/v3.0.0-draft2/ciba-flow/CIBA-authorization-request-response-schema.json
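Review bot: The `c_hash` and `s_hash` descriptions say "Base64 representation", but their `pattern` `^[a-zA-Z0-9_-]+$` only admits the unpadded base64url alphabet, which is also what OpenID Connect Core prescribes for these claims, so the wording should match the constraint: `"description": "base64url encoding (no padding) of the left-most half of the hash of the ASCII octets of the authorization code, using the hash algorithm of the ID Token's 'alg' header"` (and the same wording for the state value in `s_hash`). The `examples` for the array-typed `amr` property and for the array branch of `aud` are bare strings, so they do not validate against their own subschemas; they should be arrays, e.g. `"examples": [["pwd"]]`. Two smaller points: `c_hash`/`s_hash` use `#/properties/...` for `$id` while every other property in this file uses `/properties/...`, and the `azp` description contains "the the".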
@@ -11,7 +11,7 @@
 "$id": "/properties/auth_req_id",
 "type": "string",
 "description": "This is a unique identifier for the authentication request made by the CIBA Client (third party)",
- "pattern": "^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$",
+ "format": "uuid",
 "examples": ["1c266114-a1be-4252-8ad1-04986c5b9ac1"]
 },
 "expires_in": {
diff --git a/working/v3.0.0-draft2/ciba-flow/ping-callback-schema.json b/working/v3.0.0-draft2/ciba-flow/ping-callback-schema.json
index 38266de..5ca4d15 100644
--- a/working/v3.0.0-draft2/ciba-flow/ping-callback-schema.json
+++ b/working/v3.0.0-draft2/ciba-flow/ping-callback-schema.json
@@ -11,7 +11,7 @@
 "$id": "/properties/auth_req_id",
 "type": "string",
 "description": "This is a unique identifier for the authentication request made by the CIBA Client (third party)",
- "pattern": "^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$",
+ "format": "uuid",
 "examples": ["1c266114-a1be-4252-8ad1-04986c5b9ac1"]
 }
 }
From 55c90652721b4d1b8a80617392d3a57a375231ac Mon Sep 17 00:00:00 2001
From: NigelSomerfieldPNZ <108706210+NigelSomerfieldPNZ@users.noreply.github.com>
Date: Tue, 21 Feb 2023 19:53:10 +1300
Subject: [PATCH 03/11] Update working/v3.0.0-draft2/authorization-code-flow/JARM-response-schema.json
Agreed, copy and paste error
Co-authored-by: James McCann
---
 .../authorization-code-flow/JARM-response-schema.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/working/v3.0.0-draft2/authorization-code-flow/JARM-response-schema.json b/working/v3.0.0-draft2/authorization-code-flow/JARM-response-schema.json
index d2e31e1..3752a28 100644
--- a/working/v3.0.0-draft2/authorization-code-flow/JARM-response-schema.json
+++ b/working/v3.0.0-draft2/authorization-code-flow/JARM-response-schema.json
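Review bot: Swapping the `pattern` for `"format": "uuid"` loosens the `auth_req_id` check in both hunks of this commit (this file and `ping-callback-schema.json`): `format` is an annotation unless the validator is configured to assert it, and `uuid` is only defined from draft 2019-09, so a draft-07 validator (the dialect the id-token schema in PATCH 01 declares; these two files' `$schema` is not visible here) ignores it silently. If the intent is an enforced shape, keep a validator-independent constraint alongside the format, e.g. `"format": "uuid",` followed by the previous `"pattern": "^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$",` or at least `"minLength": 36, "maxLength": 36`.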
@@ -64,7 +64,7 @@
 "state": {
 "$id": "/properties/state",
 "type": "string",
- "description": "OPTIONAL. String value used to associate a Client session with an ID Token, and to mitigate replay attacks. The value is passed through unmodified from the Authentication Request to the ID Token as the nonce claim. Clients MUST verify that the nonce claim value is equal to the value of the nonce parameter sent in the Authentication Request.",
+ "description": "The state value as sent by the client in the authorization request",
 "examples": ["n-0S6_WzA2Mj"]
 }
 }
From 448890d4a247ac636f2bb82bc65bb4ef349dcf00 Mon Sep 17 00:00:00 2001
From: NigelSomerfieldPNZ <108706210+NigelSomerfieldPNZ@users.noreply.github.com>
Date: Tue, 21 Feb 2023 19:53:30 +1300
Subject: [PATCH 04/11] Update working/v3.0.0-draft2/authorization-code-flow/JARM-response-schema.json
Co-authored-by: James McCann
---
 .../authorization-code-flow/JARM-response-schema.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/working/v3.0.0-draft2/authorization-code-flow/JARM-response-schema.json b/working/v3.0.0-draft2/authorization-code-flow/JARM-response-schema.json
index 3752a28..2c46d69 100644
--- a/working/v3.0.0-draft2/authorization-code-flow/JARM-response-schema.json
+++ b/working/v3.0.0-draft2/authorization-code-flow/JARM-response-schema.json
@@ -65,7 +65,7 @@
 "$id": "/properties/state",
 "type": "string",
 "description": "The state value as sent by the client in the authorization request",
- "examples": ["n-0S6_WzA2Mj"]
+ "examples": ["sadrewvdHASDTAW"]
 }
 }
 }
From 1724e09d7207295ff34bc2271e8a7d444786f599 Mon Sep 17 00:00:00 2001
From: NigelSomerfieldPNZ <108706210+NigelSomerfieldPNZ@users.noreply.github.com>
Date: Tue, 21 Feb 2023 20:13:44 +1300
Subject: [PATCH 05/11] Update working/v3.0.0-draft2/authorization-code-flow/authorization-request-schema.json
Co-authored-by: James McCann
---
 .../authorization-code-flow/authorization-request-schema.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/working/v3.0.0-draft2/authorization-code-flow/authorization-request-schema.json b/working/v3.0.0-draft2/authorization-code-flow/authorization-request-schema.json
index d07ae50..ea8de1c 100644
--- a/working/v3.0.0-draft2/authorization-code-flow/authorization-request-schema.json
+++ b/working/v3.0.0-draft2/authorization-code-flow/authorization-request-schema.json
@@ -104,7 +104,7 @@
 "redirect_uri": {
 "$id": "#/properties/redirect_uri",
 "type": "string",
- "title": "The URI to which to redirect the customer User Agent",
+ "title": "The URI to which to redirect the customer User Agent after authorization",
 "default": "",
 "examples": ["https://api.mytpp.com/cb"],
 "format": "uri"
From 038b58db33c74a60e84acaf73d52473940860e66 Mon Sep 17 00:00:00 2001
From: NigelSomerfieldPNZ <108706210+NigelSomerfieldPNZ@users.noreply.github.com>
Date: Tue, 21 Feb 2023 20:14:22 +1300
Subject: [PATCH 06/11] Update working/v3.0.0-draft2/ciba-flow/CIBA-authorization-request-object-schema.json
Co-authored-by: James McCann
---
 .../ciba-flow/CIBA-authorization-request-object-schema.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/working/v3.0.0-draft2/ciba-flow/CIBA-authorization-request-object-schema.json b/working/v3.0.0-draft2/ciba-flow/CIBA-authorization-request-object-schema.json
index f66f986..c66cb67 100644
--- a/working/v3.0.0-draft2/ciba-flow/CIBA-authorization-request-object-schema.json
+++ b/working/v3.0.0-draft2/ciba-flow/CIBA-authorization-request-object-schema.json
@@ -40,7 +40,7 @@
 "exp": {
 "$id": "/properties/exp",
 "type": "integer",
- "description": "Expiration time on or after which the ID Token MUST NOT be accepted for processing.",
+ "description": "Expiration time on or after which the Request Object MUST NOT be accepted for processing.",
 "examples": [1496397168]
 },
 "iat": {
From 954442e94709e9a463cec0503d2bc71bc557b9bd Mon Sep 17 00:00:00 2001
From: NigelSomerfieldPNZ <108706210+NigelSomerfieldPNZ@users.noreply.github.com>
Date: Tue, 21 Feb 2023 20:22:23 +1300
Subject: [PATCH 07/11] Update working/v3.0.0-draft2/hybrid-flow/authorization-request-schema.json
Co-authored-by: James McCann
---
 .../v3.0.0-draft2/hybrid-flow/authorization-request-schema.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/working/v3.0.0-draft2/hybrid-flow/authorization-request-schema.json b/working/v3.0.0-draft2/hybrid-flow/authorization-request-schema.json
index d91bfff..4199b8d 100644
--- a/working/v3.0.0-draft2/hybrid-flow/authorization-request-schema.json
+++ b/working/v3.0.0-draft2/hybrid-flow/authorization-request-schema.json
@@ -80,7 +80,7 @@
 "title": "The type of the response token",
 "default": "code id_token",
 "examples": ["code id_token"],
- "pattern": "^code id_token$"
+ "enum": ["code id_token"]
 },
 "client_id": {
 "$id": "#/properties/client_id",
From 4f25601bac41dee698e3a29b7ca0f5d44329b788 Mon Sep 17 00:00:00 2001
From: NigelSomerfieldPNZ <108706210+NigelSomerfieldPNZ@users.noreply.github.com>
Date: Tue, 21 Feb 2023 20:28:39 +1300
Subject: [PATCH 08/11] Update working/v3.0.0-draft2/id-token/id-token-body-schema.json
Co-authored-by: James McCann
---
 working/v3.0.0-draft2/id-token/id-token-body-schema.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/working/v3.0.0-draft2/id-token/id-token-body-schema.json b/working/v3.0.0-draft2/id-token/id-token-body-schema.json
index 6f03695..137f31c 100644
--- a/working/v3.0.0-draft2/id-token/id-token-body-schema.json
+++ b/working/v3.0.0-draft2/id-token/id-token-body-schema.json
@@ -73,7 +73,7 @@
 "nonce": {
 "$id": "/properties/nonce",
 "type": "string",
- "description": "OPTIONAL. String value used to associate a Client session with an ID Token, and to mitigate replay attacks. The value is passed through unmodified from the Authentication Request to the ID Token as the nonce claim. Clients MUST verify that the nonce claim value is equal to the value of the nonce parameter sent in the Authentication Request.",
+ "description": "String value used to associate a Client session with an ID Token, and to mitigate replay attacks. The value is passed through unmodified from the Authentication Request to the ID Token as the nonce claim. Clients MUST verify that the nonce claim value is equal to the value of the nonce parameter sent in the Authentication Request.",
 "examples": ["n-0S6_WzA2Mj"]
 },
 "amr": {
From 238ddb431c9c5122f3cb48b9b5ae40970743d76f Mon Sep 17 00:00:00 2001
From: NigelSomerfieldPNZ
Date: Tue, 21 Feb 2023 20:34:01 +1300
Subject: [PATCH 09/11] Updated expires_in description
---
 .../authorization-code-flow/PAR-response-schema.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/working/v3.0.0-draft2/authorization-code-flow/PAR-response-schema.json b/working/v3.0.0-draft2/authorization-code-flow/PAR-response-schema.json
index b6e352a..250a455 100644
--- a/working/v3.0.0-draft2/authorization-code-flow/PAR-response-schema.json
+++ b/working/v3.0.0-draft2/authorization-code-flow/PAR-response-schema.json
@@ -19,7 +19,7 @@
 "expires_in": {
 "$id": "/properties/expires_in",
 "type": "integer",
- "description": "Expiration time on or after which the ID Token MUST NOT be accepted for processing.",
+ "description": "Expiration time on or after which the request_uri MUST NOT be accepted for processing.",
 "examples": [1496397168]
 }
 }
From 1010b2bf2378186a6f30647a2cd335a343299527 Mon Sep 17 00:00:00 2001
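Review bot: `expires_in` in a pushed authorization request response is the lifetime of the `request_uri` in seconds (RFC 9126 §2.2), not an absolute instant, so the reworded description still describes the wrong quantity and the epoch-style example `1496397168` reinforces the misreading. Suggest `"description": "Lifetime of the request_uri in seconds, after which it MUST NOT be accepted for processing."`, `"minimum": 1` and `"examples": [90]`. A client that treats the value as a timestamp will keep using a request_uri long after the server has discarded it.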
From: NigelSomerfieldPNZ
Date: Mon, 27 Feb 2023 13:29:08 +1300
Subject: [PATCH 10/11] Updated auth_req_id format and length constraints
---
 .../CIBA-authorization-request-response-schema.json | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/working/v3.0.0-draft2/ciba-flow/CIBA-authorization-request-response-schema.json b/working/v3.0.0-draft2/ciba-flow/CIBA-authorization-request-response-schema.json
index 63a1b1f..fd44fc2 100644
--- a/working/v3.0.0-draft2/ciba-flow/CIBA-authorization-request-response-schema.json
+++ b/working/v3.0.0-draft2/ciba-flow/CIBA-authorization-request-response-schema.json
@@ -11,8 +11,9 @@
 "$id": "/properties/auth_req_id",
 "type": "string",
 "description": "This is a unique identifier for the authentication request made by the CIBA Client (third party)",
- "format": "uuid",
- "examples": ["1c266114-a1be-4252-8ad1-04986c5b9ac1"]
+ "minLength": 22,
+ "pattern": "^[a-zA-Z0-9.\\-_]{22,}$",
+ "examples": ["1c26_6114-a1be-4252-8ad1-04986c5b.9ac1"]
 },
 "expires_in": {
 "$id": "/properties/expires_in",
From ae9017fa56d3de1949f165557e7e1ef73460ad40 Mon Sep 17 00:00:00 2001
From: NigelSomerfieldPNZ
Date: Mon, 27 Feb 2023 13:30:05 +1300
Subject: [PATCH 11/11] Added minimum length constraint
---
 .../authorization-code-flow/JARM-response-schema.json | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/working/v3.0.0-draft2/authorization-code-flow/JARM-response-schema.json b/working/v3.0.0-draft2/authorization-code-flow/JARM-response-schema.json
index 2c46d69..55a8038 100644
--- a/working/v3.0.0-draft2/authorization-code-flow/JARM-response-schema.json
+++ b/working/v3.0.0-draft2/authorization-code-flow/JARM-response-schema.json
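Review bot: `auth_req_id` is now any 22+ character string over `[a-zA-Z0-9.\-_]` here, but the same identifier is echoed back in `ping-callback-schema.json`, whose `auth_req_id` was switched to `"format": "uuid"` in PATCH 02 and is not touched by this commit; a non-UUID value that is valid under this response schema would be rejected by the callback schema wherever format assertion is enabled, so both files should carry the same `minLength`/`pattern`. The added `"minLength": 22` duplicates the `{22,}` quantifier already in the pattern — harmless, but pick one as the source of truth. A `maxLength` (using whatever upper bound the API provider guarantees) would also bound what the client has to store and compare when correlating callbacks.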
@@ -17,12 +17,14 @@
 "$id": "/properties/iss",
 "type": "string",
 "format": "uri",
+ "minLength": 1,
 "description": "Token issuer - e.g. https://secure.examplebank.co.nz/token",
 "examples": ["https://secure.examplebank.co.nz/token"]
 },
 "code": {
 "$id": "/properties/code",
 "type": "string",
+ "minLength": 1,
 "description": "Authorization Code, to be exchanged for Access Token.",
 "examples": ["AItOawmwtWwcT0k51BayewNvutrJUqsvl6qs7A4"]
 },
@@ -32,13 +34,15 @@
 "oneOf": [
 {
 "type": "string",
+ "minLength": 1,
 "examples": ["third_party_client_id", "sadUTdfTANIhditInecaqwEZdsUL"]
 },
 {
 "type": "array",
 "items": {
 "$id": "/properties/aud/items",
- "type": "string"
+ "type": "string",
+ "minLength": 1
 },
 "description": "Audience(s) that this ID Token is intended for. It MUST contain the OAuth 2.0 client_id of the Relying Party as an audience value.",
 "examples": [
@@ -52,6 +56,7 @@
 "$id": "/properties/ConsentId",
 "type": "string",
 "pattern": "^(.+)$",
+ "minLength": 1,
 "description": "The ID of the consent to which this token is related",
 "examples": ["20353a34-8be1-4c76-a0ae-4b8c1bbf9ec6"]
 },
@@ -64,6 +69,7 @@
 "state": {
 "$id": "/properties/state",
 "type": "string",
+ "minLength": 1,
 "description": "The state value as sent by the client in the authorization request",
 "examples": ["sadrewvdHASDTAW"]
 }
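Review bot: The array branch of `aud` in the second hunk gets `"minLength": 1` on its items but nothing prevents an empty array, even though the description says it MUST contain the client_id; add `"minItems": 1` beside `"items"` in that branch so an `aud` of `[]` is rejected rather than accepted as a token with no audience. The `"minLength": 1` added to `ConsentId` in the third hunk is redundant with its existing `"pattern": "^(.+)$"`, which already rejects the empty string, so keep one of the two. On `iss`, `"format": "uri"` is annotation-only unless the validator asserts formats, so the new `minLength` is currently the only constraint on it that every validator enforces.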