Merge pull request #120 from Elisabeth-Ericsson/main
clarification related to issue 108 added to CAMARA-API-access-and-user-consent.md
jpengar authored Feb 21, 2024
2 parents 81f341c + 2ded25a commit 7984693
Showing 1 changed file with 7 additions and 0 deletions.
7 changes: 7 additions & 0 deletions documentation/CAMARA-API-access-and-user-consent.md
@@ -377,6 +377,13 @@ More details about the standard flow can be found in the official IETF specifica
The purpose of this document section is to standardise the specification of `securitySchemes` and `security` across all CAMARA API subprojects with common mandatory guidelines as agreed by the Technical Steering Committee (TSC) and the participants of this Working Group.
CAMARA guidelines define a set of authorization flows which can grant API Consumers access to the API.
Which specific authorization flows are to be used will be determined during the onboarding process, happening between the API Consumer (the direct API invoker) and the API producer exposing the API. When API access for an API consumer is ordered, the declared purpose for accessing the API can be taken into account. This is also being subject to the prevailing legal framework dictated by local legislation and eventually also considers the capabilities of the application (frontend and backend) ultimately involved in the API invocation flow.
The authorization flow to be used will therefore be settled when the API access is ordered.
The API Consumer is expected to initiate the negotiated authorization flow when requesting ID & access tokens. The AuthZ server is responsible to validate that the authorization flow negotiated between API Invoker and API producer for this application, purpose, API/data scopes is applied.
### Use of openIdConnect for `securitySchemes`
In general, OpenID Connect is the protocol to be used for securitization. Each API specification must ONLY define the following openIdConnect entry in `securitySchemes`, as shown below:
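Review bot: The last added paragraph makes the AuthZ server responsible for validating that the negotiated authorization flow "is applied", but it does not say what the server does when an API Consumer initiates a flow other than the one negotiated; stating the expected outcome (the token request is rejected rather than served under a different flow) would make implementations consistent and make such attempts observable to the API producer. The same paragraph also switches terminology: the preceding paragraph introduces "API Consumer (the direct API invoker)", while this one uses "API Invoker" and the abbreviation "AuthZ server", so a single term for each party would help. Minor wording in the third added line: "This is also being subject to the prevailing legal framework ... and eventually also considers the capabilities" reads more clearly as "This is also subject to the prevailing legal framework ... and may also consider the capabilities".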
