You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: openid-caep-interoperability-profile-1_0.md
+9-10Lines changed: 9 additions & 10 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -77,7 +77,7 @@ normative:
77
77
# Infrastructure Using X.509 (PKIX) Certificates in the Context of Transport Layer Security (TLS)
78
78
RFC6750: # The OAuth 2.0 Authorization Framework: Bearer Token Usage
79
79
RFC8414: # OAuth 2.0 Authorization Server Metadata
80
-
OAUTH:
80
+
RFC6749:
81
81
target: https://www.rfc-editor.org/info/rfc6749
82
82
title: The OAuth 2.0 Authorization Framework
83
83
author:
@@ -87,10 +87,9 @@ normative:
87
87
org: Microsoft
88
88
89
89
--- abstract
90
-
This document defines an interoperability profile for implementations of the Shared Signals Framework (SSF) {{SSF}}, the Continuous Access Evaluation Profile (CAEP) {{CAEP}} and the OAuth 2.0 Authorization Framework (OAuth) {{OAUTH}}. It is organized around use-cases that improve security of authenticated sessions. It specifies certain optional elements from within the SSF and CAEP specifications as being required to be supported in order to be considered as an interoperable implementation.
90
+
This document defines an interoperability profile for implementations of the Shared Signals Framework (SSF) {{SSF}}, the Continuous Access Evaluation Profile (CAEP) {{CAEP}}. This also profiles The OAuth 2.0 Authorization Framework {{RFC6749}} usage in the context of the SSF framework. The interoperability should It is organized around use-cases that improve security of authenticated sessions. It specifies certain optional elements from within the SSF and CAEP specifications as being required to be supported in order to be considered as an interoperable implementation.
91
91
92
-
Interoperability between the SSF, CAEP and the OAuth framework empowers organizations to leverage the strengths of these standards, bringing in
93
-
more security to the APIs.
92
+
Interoperability between SSF and CAEP, leveraging OAuth {{RFC6749}} provides greater assurance to implementers that their implementations will work out of the box with others.
94
93
95
94
--- middle
96
95
@@ -109,7 +108,7 @@ The following requirements are common across all use-cases defined in this docum
109
108
## Network layer protection
110
109
* The SSF transmitter MUST offer TLS protected endpoints and shall establish connections to other servers using TLS. TLS connections MUST be set up to use TLS version 1.2 or later.
111
110
* When using TLS 1.2, follow the recommendations for Secure Use of Transport Layer Security in [RFC7525]{{RFC7525}}.
112
-
* The SSF receiver MUST perform a TLS server certificate check before calling the SSF transmitter APIs, as per [RFC6125]{{RFC6125}}.
111
+
* The SSF receiver MUST perform a TLS server certificate signature checks, chain of trust validations, expiry and revocation status checks before calling the SSF transmitter APIs, as per [RFC6125]{{RFC6125}}.
113
112
114
113
## Transmitters {#common-transmitters}
115
114
Transmitters MUST implement the following features:
@@ -196,24 +195,24 @@ All events MUST be signed using the `RS256` algorithm using a minimum of 2048-bi
196
195
## OAuth Service
197
196
198
197
### Authorization Server
199
-
* SHALL distribute discovery metadata (such as the authorization endpoint) via the metadata document as specified in [RFC8414]{{RFC8414}}
198
+
* MAY distribute discovery metadata (such as the authorization endpoint) via the metadata document as specified in [RFC8414]{{RFC8414}}
200
199
* MUST support at least one of the following to obtain a short-lived access token
201
200
** client credential grant flow
202
201
** authorization code flow
203
202
204
203
### OAuth Scopes
205
204
206
-
* Authorization server MUST reserve the scopes for the SSF endpoints with the prefix of `ssf`
205
+
* An OAuth {{RFC6749}} authorization that is used to issue tokens to SSF Receivers, MUST reserve the scopes for the SSF endpoints with the prefix of `ssf`
207
206
* All the SSF stream configuration management API operations MUST be protected using `ssf.manage` scope
208
207
* All the SSF stream configuration Read API operations MUST be protected by `ssf.read` scope
209
-
* Authorization server MAY decide to postfix scope names with more granular operations eg. `ssf.manage.create`, `ssf.manage.update` etc.
208
+
* Authorization server MAY postfix scope names with more granular operations eg. `ssf.manage.create`, `ssf.manage.update` etc.
210
209
* Transmitter managed poll endpoint MAY use the scope in the same nomenclature as `ssf.manage.poll`
211
210
212
211
### The SSF Transmitter as a Resource Server
213
212
* MUST accept access tokens in the HTTP header as in Section 2.1 of OAuth 2.0 Bearer Token Usage [RFC6750]{{RFC6750}}
214
213
* MUST NOT accept access tokens in the query parameters stated in Section 2.3 of OAuth 2.0 Bearer Token Usage [RFC6750]{{RFC6750}}
215
-
* SHALL verify the validity, integrity, expiration and revocation status of access tokens
216
-
* SHALL verify that the authorization represented by the access token is sufficient for the requested resource access and otherwise return errors as in section 3.1 of [RFC6750]{{RFC6750}}
214
+
* MUST verify the validity, integrity, expiration and revocation status of access tokens
215
+
* MUST verify that the authorization represented by the access token is sufficient for the requested resource access and otherwise return errors as in section 3.1 of [RFC6750]{{RFC6750}}
217
216
218
217
# Use Cases
219
218
Implementations MAY choose to support one or more of the following use-cases in order to be considered interoperable implementations
0 commit comments