# RFC020 Authorization credential extension

|                           |                 |
| ------------------------- | --------------- |
| Nuts foundation           | W\.M. Slakhorst |
| Request for Comments: 020 | Nedap           |
| Amends: RFC014            | April 2023      |

## Authorization credential extension

### Abstract

An `assuranceLevel` field is added to the `NutsAuthorizationCredential`. It can be used inside a `resource` to indicate the required assurance level of the authentication.

This RFC is an addition to the means listed in [RFC014](https://nuts-foundation.gitbook.io/drafts/rfc/rfc014-authorization-credential)

### Status of document

This document is currently in draft.

### Copyright Notice

![](https://873755683-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MHUwt4RgjbUQ7BsyWka%2F-MHVb3CwN9JR3ryFW9k4%2F-MHVbe2GqfeFWIGvutw1%2Flicense.png?alt=media\&token=2c9b28c4-5ea7-4f0e-a168-86cfb329a597)

This document is released under the [Attribution-ShareAlike 4.0 International (CC BY-SA 4.0) license](https://creativecommons.org/licenses/by-sa/4.0/).

## 1. Introduction

A resource server should be able to provide information about the authentication assurance level that is used to access resources. With the introduction of [RFC019](https://nuts-foundation.gitbook.io/drafts/rfc/rfc019-employee-identity-means) an authentication means with a low assurance level has been introduced. This authentication means should not be used on resources that require a high assurance level. An additional field in the NutsAuthorizationCredential allows a resource server to indicate which level of assurance it requires.

## 2. Terminology

* **Authorization server**: The application that evaluates access token requests and creates access tokens.
* **Resource server**: The application that requires authorized access to its APIs.

## 3. AssuranceLevel field

The additional field is called `assuranceLevel`. It MUST contain one of the following values: `low`, `substantial` or `high`. The field is optional. When present it COULD be used by the authorization server to verify the access token request. The field is located within a resource. A resource is located in the `resources` list. If set, `userContext` SHOULD be `true`. If `userContext` is set to `true` and `assuranceLevel` is not set, it defaults to `low`.

The following example shows the location of the new field, other fields have been omitted for brevity:

```json
{
  ...
  "credentialSubject": {
    "id": "did:nuts:SjkuVHVqZndMVVJwcnUzbjhuZklhODB1M1M0LW9LcWY0WUs5S2",
    "resources": [
      {
        "path": "/DocumentReference/f2aeec97-fc0d-42bf-8ca7-0548192d4231",
        "operations": ["read"],
        "userContext": true,
        "assuranceLevel": "low"
      }
    ],
    "purposeOfUse": "test-service"
  },
  ...
}
```