Updated schemas for v3.0.0-draft2

working/v3.0.0-draft2/README.md

@@ -0,0 +1,22 @@
+# V3.0.0-draft2 schemas
+
+This folder contains schemas for the V3.0.0 security profile. This includes:
+
+- Client authentication [schema](./client-authentication/jwt-bearer-auth-schema.json) (for use with `private_key_jwt`)
+- Authorization Code Flow request [schema](./authorization-code-flow/authorization-request-schema.json) for Pushed Authorization Requests with PKCE, PAR response [schema](./authorization-code-flow/PAR-response-schema.json) and JARM response [schema](./authorization-code-flow/JARM-response-schema.json)
+- Hybrid flow authorization request [schema](./hybrid-flow/authorization-request-schema.json)
+- CIBA decoupled flow relevant [schemas](./ciba-flow/README.md)
+- ID token [schema](./id-token/id-token-body-schema.json)
+- Generic JWS header [schema](./common/JOSE-header-schema.json)
+
+These are assistive in nature, and supplementary to the Security Profile documentation. It is highly recommended to follow that documentation first.
+
+## Testing schema validation
+
+One method of validating test data with JSON schemas is to use `ajv`, via:
+
+```bash
+npx ajv-cli --strict=false -s .\schema.json -d .\data.json
+```
+
+__Note:__ the `--strict=false` is a `ajv` workaround for "format": "uri", which is valid JSON schema in draft-07, but not recognised by `ajv`

working/v3.0.0-draft2/authorization-code-flow/JARM-response-schema.json

@@ -0,0 +1,78 @@
+{
+    "title": "Version 1 of JARM response payload",
+    "$id": "http://apicentre.paymentsnz.co.nz/schemas/jarm-response-schema.json",
+    "type": "object",
+    "$schema": "http://json-schema.org/draft-07/schema#",
+    "additionalProperties": false,
+    "required": [
+      "iss",
+      "code",
+      "aud",
+      "exp",
+      "state",
+      "ConsentId"
+    ],
+    "properties": {
+      "iss": {
+        "$id": "/properties/iss",
+        "type": "string",
+        "format": "uri",
+        "minLength": 1,
+        "description": "Token issuer - e.g. https://secure.examplebank.co.nz/token",
+        "examples": ["https://secure.examplebank.co.nz/token"]
+      },
+      "code": {
+        "$id": "/properties/code",
+        "type": "string",
+        "minLength": 1,
+        "description": "Authorization Code, to be exchanged for Access Token.",
+        "examples": ["AItOawmwtWwcT0k51BayewNvutrJUqsvl6qs7A4"]
+      },
+      "aud": {
+        "$id": "/properties/aud",
+        "description": "The audience for the token, must contain the Client ID of the third party.  May also contain other audiences.",
+        "oneOf": [
+          {
+            "type": "string",
+            "minLength": 1,
+            "examples": ["third_party_client_id", "sadUTdfTANIhditInecaqwEZdsUL"]
+          },
+          {
+            "type": "array",
+            "items": {
+              "$id": "/properties/aud/items",
+              "type": "string",
+              "minLength": 1
+            },
+            "description": "Audience(s) that this ID Token is intended for. It MUST contain the OAuth 2.0 client_id of the Relying Party as an audience value.",
+            "examples": [
+              "third_party_client_id",
+              "ERVWyYqQM6AstKLmpuQdTiK8or02pe1i"
+            ]
+          }
+        ]
+      },
+      "ConsentId": {
+        "$id": "/properties/ConsentId",
+        "type": "string",
+        "pattern": "^(.+)$",
+        "minLength": 1,
+        "description": "The ID of the consent to which this token is related",
+        "examples": ["20353a34-8be1-4c76-a0ae-4b8c1bbf9ec6"]
+      },
+      "exp": {
+        "$id": "/properties/exp",
+        "type": "integer",
+        "description": "Expiration time on or after which the ID Token MUST NOT be accepted for processing.",
+        "examples": [1496397168]
+      },
+      "state": {
+        "$id": "/properties/state",
+        "type": "string",
+        "minLength": 1,
+        "description": "The state value as sent by the client in the authorization request",
+        "examples": ["sadrewvdHASDTAW"]
+      }
+    }
+  }
+

working/v3.0.0-draft2/authorization-code-flow/PAR-response-schema.json

@@ -0,0 +1,27 @@
+{
+    "title": "Version 1 of PAR response payload",
+    "$id": "http://apicentre.paymentsnz.co.nz/schemas/par-response-schema.json",
+    "type": "object",
+    "$schema": "http://json-schema.org/draft-07/schema#",
+    "additionalProperties": false,
+    "required": [
+      "request_uri",
+      "expires_in"
+    ],
+    "properties": {
+      "request_uri": {
+        "$id": "/properties/request_uri",
+        "type": "string",
+        "format": "uri",
+        "description": "A unique reference for the request object requiring authorization",
+        "examples": ["urn:ietf:params:oauth:request_uri:8qi1b0XAGrV9Ypv1cMyLAS_2AIchvqXx"]
+      },
+      "expires_in": {
+        "$id": "/properties/expires_in",
+        "type": "integer",
+        "description": "Expiration time on or after which the request_uri MUST NOT be accepted for processing.",
+        "examples": [1496397168]
+      }
+    }
+  }
+

working/v3.0.0-draft2/authorization-code-flow/authorization-request-schema.json

@@ -0,0 +1,203 @@
+{
+  "definitions": {},
+  "$schema": "http://json-schema.org/draft-07/schema#",
+  "$id": "http://apicentre.paymentsnz.co.nz/schemas/authorization-code-request-schema.json",
+  "type": "object",
+  "title": "The schema for the Authorisation Request (OIDC/FAPI compliant) token",
+  "additionalProperties": false,
+  "required": [
+    "aud",
+    "iss",
+    "response_type",
+    "response_mode",
+    "client_id",
+    "redirect_uri",
+    "scope",
+    "state",
+    "nonce",
+    "claims",
+    "exp",
+    "nbf",
+    "code_challenge",
+    "code_challenge_method"
+  ],
+  "properties": {
+    "aud": {
+      "$id": "#/properties/aud",
+      "title": "The audiences for the token",
+      "description": "The value should be or include the API Provider Issuer Identifier URL",
+      "oneOf": [
+        {
+          "type": "string",
+          "examples": ["https://api.alphanbank.com"],
+          "format": "uri"
+        },
+        {
+          "type": "array",
+          "$id": "#/properties/aud/items",
+          "items": {
+            "type": "string",
+            "pattern": "^(.+)$"
+          },
+          "examples": ["https://api.alphanbank.com"]
+        }
+      ]
+    },
+    "iat":{
+      "$id": "/properties/iat",
+      "type": "integer",
+      "description": "Time on which the Request Object was issued. May be used for determining age",
+      "examples": [1496397168]
+    },
+    "exp": {
+      "$id": "/properties/exp",
+      "type": "integer",
+      "description": "Expiration time on or after which the Request Object MUST NOT be accepted for processing.",
+      "examples": [1496397168]
+    },
+    "nbf": {
+      "$id": "/properties/nbf",
+      "type": "integer",
+      "description": "Time before which the Request Object MUST NOT be accepted for processing.",
+      "examples": [1496397168]
+    },
+    "iss": {
+      "$id": "#/properties/iss",
+      "type": "string",
+      "title": "The Issuer of the token",
+      "description": "The value should be the client ID of the third party, unless signed by a different party",
+      "default": "",
+      "examples": ["s6BhdRkqt3"],
+      "pattern": "^(.+)$"
+    },
+    "jti": {
+      "$id": "#/properties/jti",
+      "type": "string",
+      "title": "The unique identifier of the token",
+      "description": "Used for determining token uniqueness. The value should be have sufficient entropy to make likelihood of collisions negligible.",
+      "examples": ["d92f1393-752e-49c2-8ce3-90abc6b29655"]
+    },
+    "response_type": {
+      "$id": "#/properties/response_type",
+      "type": "string",
+      "title": "The type of the response token",
+      "default": "code",
+      "examples": ["code"],
+      "enum": ["code"]
+    },
+    "response_mode": {
+      "$id": "#/properties/response_mode",
+      "type": "string",
+      "title": "The mode used to deliver the response token",
+      "default": "jwt",
+      "examples": ["jwt"],
+      "enum": ["jwt"]
+    },
+    "client_id": {
+      "$id": "#/properties/client_id",
+      "type": "string",
+      "title": "The ID of the third-party client",
+      "default": "",
+      "examples": ["s6BhdRkqt3"],
+      "pattern": "^(.+)$"
+    },
+    "redirect_uri": {
+      "$id": "#/properties/redirect_uri",
+      "type": "string",
+      "title": "The URI to which to redirect the customer User Agent after authorization",
+      "default": "",
+      "examples": ["https://api.mytpp.com/cb"],
+      "format": "uri"
+    },
+    "code_challenge": {
+      "$id": "#/properties/code_challenge",
+      "type": "string",
+      "title": "The PKCE code challenge value",
+      "examples": ["roXsvRC1K-5WAYWLWsqQJpXTR8NznFgysjjqKhqhSO4"],
+      "pattern": "^[a-zA-Z0-9\\-_]*$"
+    },
+    "code_challenge_method": {
+      "$id": "#/properties/code_challenge_method",
+      "type": "string",
+      "title": "The mode used to deliver the response token",
+      "examples": ["S256"],
+      "default": "S256",
+      "enum": ["S256"]
+    },
+    "scope": {
+      "$id": "#/properties/scope",
+      "type": "string",
+      "title": "The OAuth scopes requested",
+      "description": "Must include 'openid' and any other scopes required",
+      "default": "openid",
+      "examples": ["openid payments"],
+      "pattern": "^openid([ ].*)*$"
+    },
+    "state": {
+      "$id": "#/properties/state",
+      "type": "string",
+      "title": "The third-party specific state",
+      "description": "Opaque to API provider",
+      "default": "",
+      "examples": ["af0ifjsldkj"],
+      "pattern": "^(.+)$"
+    },
+    "nonce": {
+      "$id": "#/properties/nonce",
+      "type": "string",
+      "title": "Third party nonce to avoid replay",
+      "default": "",
+      "examples": ["n-0S6_WzA2Mj"],
+      "pattern": "^(.+)$"
+    },
+    "max_age": {
+      "$id": "#/properties/max_age",
+      "type": "integer",
+      "title": "Third-party specified maximum authentication age",
+      "default": 0,
+      "examples": [86400]
+    },
+    "claims": {
+      "$id": "#/properties/claims",
+      "type": "object",
+      "title": "Claims object that holds the id_token request",
+      "additionalProperties": true,
+      "required": ["id_token"],
+      "properties": {
+        "id_token": {
+          "$id": "#/properties/claims/properties/id_token",
+          "type": "object",
+          "title": "The ID token request claims",
+          "additionalProperties": true,
+          "required": ["ConsentId"],
+          "properties": {
+            "ConsentId": {
+              "$id": "#/properties/claims/properties/id_token/properties/ConsentId",
+              "type": "object",
+              "title": "The Consent ID object",
+              "additionalProperties": false,
+              "required": ["value", "essential"],
+              "properties": {
+                "value": {
+                  "$id": "#/properties/claims/properties/id_token/properties/ConsentId/properties/value",
+                  "type": "string",
+                  "title": "The value of Consent ID",
+                  "default": "",
+                  "examples": ["urn-alphabank-intent-58923"],
+                  "pattern": "^(.+)$"
+                },
+                "essential": {
+                  "$id": "#/properties/claims/properties/id_token/properties/ConsentId/properties/essential",
+                  "type": "boolean",
+                  "title": "Essential claim identifier",
+                  "default": false,
+                  "examples": [true]
+                }
+              }
+            }
+          }
+        }
+      }
+    }
+  }
+}