
Decision Proposal 132 - Required ID Token claims #132

Closed
CDR-API-Stream opened this issue Jun 29, 2020 · 1 comment
Labels
Category: InfoSec Information Security Technical Working Group Decision Proposal Status: Decision Made A determination on this decision has been made

Comments


CDR-API-Stream commented Jun 29, 2020

The final decision document has been reviewed and approved by the Data Standards Chair. It is attached below:
Decision Proposal 132 - Mandatory Claims for ID Token.pdf.

This change will be included in the next Consumer Data Standards release v1.4.0.


The related change request is: Urgent documentation change required: content of ID Token as agreed in the outcomes of a workshop held on 5th June 2020.

This decision outlines a recommendation to align to normative standards.

The change will remove the following text in the Token section of the standards:

As described under section 5.2.2 of the [FAPI-RW] profile, ID Tokens MUST include the following claims (in addition to the mandatory claims specified in section 2 of the [OIDC] standard) as part of Hybrid Flow authentication:

  • nonce: String value used to associate a Client session with an ID Token.
  • s_hash: Hash of the state value.
  • c_hash: Hash of the authorisation_code value.

And replace it with:

In addition to the mandatory claims specified in section 2 of the [OIDC] standard, required claims for ID Tokens as part of Hybrid Flow authentication must align to section 3.3 (Authentication using the Hybrid Flow) of the [OIDC] standards and sections 5.2.2 and 8.4.3 of the [FAPI-RW] profile.
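The sections referred to above define how a relying party checks the three Hybrid Flow claims: `nonce` must equal the value the client sent, and `s_hash` / `c_hash` are the base64url-encoded left half of the hash of the ASCII `state` and `code` values, hashed with the algorithm of the ID Token's JWS `alg` (OIDC Core 3.3.2.11, FAPI-RW 5.2.2). The following is an added illustration of that check, not code from the Consumer Data Standards project; the function names and the constructed sample values are assumptions, and signature, `iss`, `aud` and `exp` validation are out of scope here.

```python
import base64
import hashlib
import hmac

# JWS alg of the ID Token -> hash used to build c_hash / s_hash (OIDC Core 3.3.2.11).
# FAPI-RW only permits PS256 or ES256 for signing; the other entries just complete
# the OIDC rule (SHA-256 for *256, SHA-384 for *384, SHA-512 for *512).
_HASH_FOR_ALG = {
    "RS256": "sha256", "PS256": "sha256", "ES256": "sha256",
    "RS384": "sha384", "PS384": "sha384", "ES384": "sha384",
    "RS512": "sha512", "PS512": "sha512", "ES512": "sha512",
}


def left_half_hash(value: str, alg: str) -> str:
    """base64url (no padding) of the left-most half of hash(ASCII octets of value)."""
    digest = hashlib.new(_HASH_FOR_ALG[alg], value.encode("ascii")).digest()
    half = digest[: len(digest) // 2]
    return base64.urlsafe_b64encode(half).rstrip(b"=").decode("ascii")


def check_hybrid_id_token_claims(claims: dict, alg: str, expected_nonce: str,
                                 state: str, code: str) -> list:
    """Return a list of problems with the Hybrid Flow claims; [] means they are
    present and bound to this client session (the nonce, state and code the
    client itself generated/received). Assumed helper name, not a CDR API."""
    problems = []
    for name in ("nonce", "s_hash", "c_hash"):
        if not isinstance(claims.get(name), str) or not claims[name]:
            problems.append(f"missing claim: {name}")
    if problems:
        return problems  # cannot compare hashes if a claim is absent
    expected = {
        "nonce": expected_nonce,
        "s_hash": left_half_hash(state, alg),
        "c_hash": left_half_hash(code, alg),
    }
    for name, want in expected.items():
        # constant-time compare on bytes so a non-ASCII claim cannot raise TypeError
        if not hmac.compare_digest(claims[name].encode("utf-8"), want.encode("utf-8")):
            problems.append(f"claim {name} does not match this session")
    return problems


if __name__ == "__main__":
    # Constructed sample session values (not real tokens).
    state, code, nonce = "st-123", "cd-456", "n-789"
    token_claims = {"nonce": nonce, "s_hash": left_half_hash(state, "PS256"),
                    "c_hash": left_half_hash(code, "PS256")}
    print(check_hybrid_id_token_claims(token_claims, "PS256", nonce, state, code))
```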

@CDR-API-Stream CDR-API-Stream added Status: Proposal Pending A proposal for the decision is still pending Category: InfoSec Information Security Technical Working Group Decision Proposal labels Jun 29, 2020
@CDR-API-Stream CDR-API-Stream changed the title Decision Proposal <Number> - Required ID Token claims Decision Proposal 132 - Required ID Token claims Jun 29, 2020
@CDR-API-Stream (Contributor, Author) commented:

The final decision document has been reviewed and approved by the Data Standards Chair and it is included in the issue above.

@CDR-API-Stream CDR-API-Stream added Status: Decision Made A determination on this decision has been made Status: Feedback Period Closed The feedback period is complete and a final decision is being formulated and removed Status: Proposal Pending A proposal for the decision is still pending labels Jul 6, 2020
@ConsumerDataStandardsAustralia ConsumerDataStandardsAustralia locked and limited conversation to collaborators Jul 6, 2020
@CDR-API-Stream CDR-API-Stream removed the Status: Feedback Period Closed The feedback period is complete and a final decision is being formulated label Aug 5, 2020