> For the complete documentation index, see [llms.txt](https://nuts-foundation.gitbook.io/drafts/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://nuts-foundation.gitbook.io/drafts/rfc/rfc020-authorization-credential-extension.md). # RFC020 Authorization credential extension | | | | ------------------------- | --------------- | | Nuts foundation | W\.M. Slakhorst | | Request for Comments: 020 | Nedap | | Amends: RFC014 | April 2023 | ## Authorization credential extension ### Abstract An `assuranceLevel` field is added to the `NutsAuthorizationCredential`. It can be used inside a `resource` to indicate the required assurance level of the authentication. This RFC is an addition to the means listed in [RFC014](/drafts/rfc/rfc014-authorization-credential.md) ### Status of document This document is currently in draft. ### Copyright Notice ![](/files/-MHVbe2GqfeFWIGvutw1) This document is released under the [Attribution-ShareAlike 4.0 International (CC BY-SA 4.0) license](https://creativecommons.org/licenses/by-sa/4.0/). ## 1. Introduction A resource server should be able to provide information about the authentication assurance level that is used to access resources. With the introduction of [RFC019](/drafts/rfc/rfc019-employee-identity-means.md) an authentication means with a low assurance level has been introduced. This authentication means should not be used on resources that require a high assurance level. An additional field in the NutsAuthorizationCredential allows a resource server to indicate which level of assurance it requires. ## 2. Terminology * **Authorization server**: The application that evaluates access token requests and creates access tokens. * **Resource server**: The application that requires authorized access to its APIs. ## 3. AssuranceLevel field The additional field is called `assuranceLevel`. It MUST contain one of the following values: `low`, `substantial` or `high`. The field is optional. When present it COULD be used by the authorization server to verify the access token request. The field is located within a resource. A resource is located in the `resources` list. If set, `userContext` SHOULD be `true`. If `userContext` is set to `true` and `assuranceLevel` is not set, it defaults to `low`. The following example shows the location of the new field, other fields have been omitted for brevity: ```json { ... "credentialSubject": { "id": "did:nuts:SjkuVHVqZndMVVJwcnUzbjhuZklhODB1M1M0LW9LcWY0WUs5S2", "resources": [ { "path": "/DocumentReference/f2aeec97-fc0d-42bf-8ca7-0548192d4231", "operations": ["read"], "userContext": true, "assuranceLevel": "low" } ], "purposeOfUse": "test-service" }, ... } ``` --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter: ``` GET https://nuts-foundation.gitbook.io/drafts/rfc/rfc020-authorization-credential-extension.md?ask=&goal= ``` `ask` is the immediate question: it should be specific, self-contained, and written in natural language. `goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.