Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Controlling User Interaction #228

Open
wants to merge 9 commits into
base: main
Choose a base branch
from
Open

Controlling User Interaction #228

Changes from 1 commit
Commits
Show all changes
9 commits
Select commit Hold shift + click to select a range
1520a3e
controlling_user_interaction
AxelNennker Nov 14, 2024
4b58d3b
CIBA MAYBE consent
AxelNennker Nov 15, 2024
b635a6b
typo and Producer to pProvider
AxelNennker Nov 15, 2024
14e5e3a
add to toc
AxelNennker Nov 15, 2024
55edde1
API producer -> API Provider in the new section
AxelNennker Nov 15, 2024
7adc3da
Authentication Error Response to Authentication error response
AxelNennker Nov 15, 2024
7114f08
API Invoker -> API Consumer, API Producer -> API Provider
AxelNennker Nov 15, 2024
681fb37
Invoker -> API Consumer
AxelNennker Nov 19, 2024
75e18e7
invoker_callback -> api_consumer_callback
AxelNennker Nov 19, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
18 changes: 18 additions & 0 deletions documentation/CAMARA-API-access-and-user-consent.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -69,6 +69,24 @@ The Purpose definition (naming + description) and format within CAMARA follows t

Purpose must be specified in the authorization request for a CAMARA Three-Legged Access Token, this is achieved by extending the `scope` parameter as defined in [Purpose as a Scope](CAMARA-Security-Interoperability.md#purpose-as-a-scope) section of the CAMARA Security and Interoperability Profile.

## Controlling User-Interaction
AxelNennker marked this conversation as resolved.
Show resolved Hide resolved

In CIBA User-Interaction in initiated by the API Producer if Consent is needed and NOT granted. The `login_hint` parameter is mandatory in CIBA and is used to identify the authentication devicde. Consent is captured out-of-band by e.g. sending a push notification, or by sending an SMS with a code or link, or by sending a message by some other means to the authentication devide. CAMARA does not mandate a communication method or any message format or content.
AxelNennker marked this conversation as resolved.
Show resolved Hide resolved

In OIDC Authorization Code flow User-Interaction is initiated by the API Producer if consent is needed. The Authorization Server obtains End-User Consent/Authorization accorinding to [OIDC section 3.2.1.4](https://openid.net/specs/openid-connect-core-1_0.html#Consent).
AxelNennker marked this conversation as resolved.
Show resolved Hide resolved
AxelNennker marked this conversation as resolved.
Show resolved Hide resolved

If the API Consumer wants to make sure that no User-Interaction happens they MUST use the `prompt` parameter with a value of `none`. Authentication Error Response values (`interaction_required`, `login_required`, `account_selection_required`, `consent_required`) for `prompt=none` are defined in [OIDC section 3.1.2.6](https://openid.net/specs/openid-connect-core-1_0.html#AuthError).
AxelNennker marked this conversation as resolved.
Show resolved Hide resolved

It is up to the operator to make a decision when consent collection is needed or not, based on the scope(s)/purpose declared by the API Consumer and aligned with local legislation, ensuring that all operators under the same regulatory framework adopt a **consistent** approach.
AxelNennker marked this conversation as resolved.
Show resolved Hide resolved

The API Consumer can use the `prompt` parameter value `consent` to ask the API producer for End-User Consent collection.
AxelNennker marked this conversation as resolved.
Show resolved Hide resolved
> The Authorization Server SHOULD prompt the End-User for consent before returning information to the Client. If it cannot obtain consent, it MUST return an error, typically consent_required.

The `prompt` parameter is defined in [OIDC section 3.1.2.1](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).

OIDC specifies that the `prompt` parameter is [mandatory to implement for all OpenId Providers](https://openid.net/specs/openid-connect-core-1_0.html#ServerMTI).


## User Authentication/Authorization & Consent Management

**CAMARA User Authentication/Authorization & Consent Management follows the [CAMARA Security and Interoperability Profile](CAMARA-Security-Interoperability.md) technical specification**
Expand Down