RFC020 Authorization credential extension
Nuts foundation
W.M. Slakhorst
Request for Comments: 020
Nedap
Amends: RFC014
April 2023
An assuranceLevel field is added to the NutsAuthorizationCredential. It can be used inside a resource to indicate the required assurance level of the authentication.
This RFC is an addition to the means listed in
This document is currently in draft.
Authorization server: The application that evaluates access token requests and creates access tokens.
Resource server: The application that requires authorized access to its APIs.
The additional field is called assuranceLevel. It MUST contain one of the following values: low, substantial or high. The field is optional. When present it COULD be used by the authorization server to verify the access token request. The field is located within a resource. A resource is located in the resources list. If set, userContext SHOULD be true. If userContext is set to true and assuranceLevel is not set, it defaults to low.
The following example shows the location of the new field; other fields have been omitted for brevity:
This document is released under the .
A resource server should be able to provide information about the authentication assurance level that is used to access resources. With the introduction of an authentication means with a low assurance level has been introduced. This authentication means should not be used on resources that require a high assurance level. An additional field in the NutsAuthorizationCredential allows a resource server to indicate which level of assurance it requires.
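One way an authorization server could apply the field rules above (allowed values, the userContext recommendation, the default of low) when deciding whether an authentication means is strong enough for a resource. This is an added example, not code from the RFC or the Nuts code base. The ordering low < substantial < high, the "presented level must meet or exceed the required level" comparison, the credentialSubject layout, the path key and all sample values are assumptions.

```python
import json

# Ordering low < substantial < high is an assumption of this example.
LEVELS = {"low": 1, "substantial": 2, "high": 3}

# Constructed sample; only resources, userContext and assuranceLevel come from the RFC text.
SAMPLE = """
{"credentialSubject": {"resources": [
  {"path": "/patient/1", "userContext": true, "assuranceLevel": "high"},
  {"path": "/patient/2", "userContext": true},
  {"path": "/patient/3", "userContext": false, "assuranceLevel": "substantial"}
]}}
"""

def load_resources(text):
    """Return the resources list from a credential document (layout assumed)."""
    return json.loads(text)["credentialSubject"]["resources"]

def required_level(resource):
    """Return (level or None, warnings); raise ValueError on an invalid value."""
    level = resource.get("assuranceLevel")
    user_context = resource.get("userContext") is True
    if level is None:
        # Defaulting rule: userContext true and no assuranceLevel means low.
        return ("low" if user_context else None), []
    if not isinstance(level, str) or level not in LEVELS:
        raise ValueError(f"assuranceLevel must be low, substantial or high: {level!r}")
    warnings = []
    if not user_context:
        warnings.append("assuranceLevel is set but userContext is not true")
    return level, warnings

def permits(resource, presented_level):
    """True if the presented authentication level meets the resource's requirement."""
    required, _ = required_level(resource)
    if required is None:
        return True  # this entry states no assurance requirement
    # An unknown presented level ranks 0 and so never satisfies a requirement.
    return LEVELS.get(presented_level, 0) >= LEVELS[required]

if __name__ == "__main__":
    for res in load_resources(SAMPLE):
        level, warnings = required_level(res)
        print(res["path"], level, permits(res, "low"), warnings)
```

Values are matched case-sensitively, so a credential carrying "High" is rejected rather than silently treated as absent and defaulted to low.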