RFC020 Authorization credential extension

Nuts foundation

W.M. Slakhorst

Request for Comments: 020

Nedap

Amends: RFC014

April 2023

Authorization credential extension

Abstract

An assuranceLevel field is added to the NutsAuthorizationCredential. It can be used inside a resource to indicate the required assurance level of the authentication.

This RFC is an addition to the means listed in RFC014

Status of document

This document is currently in draft.

Copyright Notice

This document is released under the Attribution-ShareAlike 4.0 International (CC BY-SA 4.0) license.

1. Introduction

A resource server should be able to provide information about the authentication assurance level that is used to access resources. With the introduction of RFC019 an authentication means with a low assurance level has been introduced. This authentication means should not be used on resources that require a high assurance level. An additional field in the NutsAuthorizationCredential allows a resource server to indicate which level of assurance it requires.

2. Terminology

Authorization server: The application that evaluates access token requests and creates access tokens.
Resource server: The application that requires authorized access to its APIs.

3. AssuranceLevel field

The additional field is called assuranceLevel. It MUST contain one of the following values: low, substantial or high. The field is optional. When present it COULD be used by the authorization server to verify the access token request. The field is located within a resource. A resource is located in the resources list. If set, userContext SHOULD be true. If userContext is set to true and assuranceLevel is not set, it defaults to low.

The following example shows the location of the new field, other fields have been omitted for brevity:

{
  ...
  "credentialSubject": {
    "id": "did:nuts:SjkuVHVqZndMVVJwcnUzbjhuZklhODB1M1M0LW9LcWY0WUs5S2",
    "resources": [
      {
        "path": "/DocumentReference/f2aeec97-fc0d-42bf-8ca7-0548192d4231",
        "operations": ["read"],
        "userContext": true,
        "assuranceLevel": "low"
      }
    ],
    "purposeOfUse": "test-service"
  },
  ...
}

PreviousRFC019 Employee Identity Authentication Means NextRFC021 VP Token Grant Type

Last updated 2 years ago

Was this helpful?

hashtagAuthorization credential extension

hashtagAbstract

hashtagStatus of document

hashtagCopyright Notice

hashtag1. Introduction

hashtag2. Terminology

hashtag3. AssuranceLevel field