From 4a72b1e7da73287ecee75dcafddbe078f3aca12c Mon Sep 17 00:00:00 2001
From: Nils Berge <60594671+nils-work@users.noreply.github.com>
Date: Tue, 26 Mar 2024 11:38:31 +1100
Subject: [PATCH] Removed outdated statements and examples

Addresses: https://github.com/ConsumerDataStandardsAustralia/standards-maintenance/issues/543
---
 .../releasenotes/releasenotes.1.30.0.html.md | 3 ++-
 slate/source/includes/security/_consent.md | 12 ++++++++----
 .../security/_identifiers_and_subject_types.md | 18 ------------------
 .../includes/security/_request_object.md | 8 +++++++-
 slate/source/includes/security/_tokens.md | 18 ------------------
 .../security/endpoints/_authorisation.md | 6 ------
 .../endpoints/_oidc_provider_configuration.md | 2 +-
 7 files changed, 18 insertions(+), 49 deletions(-)

diff --git a/slate/source/includes/releasenotes/releasenotes.1.30.0.html.md b/slate/source/includes/releasenotes/releasenotes.1.30.0.html.md
index f5a017af..c678c81e 100644
--- a/slate/source/includes/releasenotes/releasenotes.1.30.0.html.md
+++ b/slate/source/includes/releasenotes/releasenotes.1.30.0.html.md
@@ -21,7 +21,7 @@ This release addresses the following minor defects raised on [Standards Staging]
 
 This release addresses the following change requests raised on [Standards Maintenance](https://github.com/ConsumerDataStandardsAustralia/standards-maintenance/issues):
 
-- [Standards Maintenance #XXX - Title](https://github.com/ConsumerDataStandardsAustralia/standards-maintenance/issues/XXX)
+- [Standards Maintenance #543 - refresh_token_expires_at and sharing_expires_at claims listed as MUST be supported](https://github.com/ConsumerDataStandardsAustralia/standards-maintenance/issues/543)
 
 ### Decision Proposals 
@@ -56,6 +56,7 @@ This release addresses the following Decision Proposals published on [Standards]
 ## Information Security Profile
 |Change|Description|Link|
 |------|-----------|----|
+| Removed outdated statements | [**Standards Maintenance #543**](https://github.com/ConsumerDataStandardsAustralia/standards-maintenance/issues/543): Removed outdated statements related to the `refresh_token_expires_at` and `sharing_expires_at` claims | [Scopes and Claims](../../#scopes-and-claims)
[Request Object](../../#request-object)
 ## Register Standards
diff --git a/slate/source/includes/security/_consent.md b/slate/source/includes/security/_consent.md
index 23f3b174..ee565807 100644
--- a/slate/source/includes/security/_consent.md
+++ b/slate/source/includes/security/_consent.md
@@ -13,7 +13,6 @@ In addition to CDR data scopes the following scopes **MUST** be supported:
 ### Claims
-
 The following [normal](https://openid.net/specs/openid-connect-core-1_0.html#NormalClaims) **[[OIDC]](#nref-OIDC)** and [standard claims](https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims) claims **MUST** be supported for the authenticated End-User*:
 
 - `sub`: [Pairwise Pseudonymous Identifier (PPID)](#identifiers) for the End-User at the Data Holder. 
@@ -24,10 +23,15 @@ The following [normal](https://openid.net/specs/openid-connect-core-1_0.html#Nor
 - `family_name`: Surname(s) or last name(s) of the End-User.
 - `updated_at`: Time the End-User's information was last updated. Its value is a JSON number representing the number of seconds from 1970-01-01T00:00:00Z to the UTC `updated_at` time.
 
-The following additional claims **MUST** be supported:
+```diff
+Removed outdated statements and Non-normative Examples referring to the `refresh_token_expires_at` and `sharing_expires_at` in the following sections:
+* Security Profile > Scopes and Claims > Claims
+* Security Profile > Tokens
+* Security Profile > Identifiers and Subject Types
+* Security Profile > Security Endpoints > OpenID Provider Configuration End Point
+* Security Profile > Security Endpoints > Authorisation End Point
 
-- `refresh_token_expires_at`: indicates the date-time at which the most recently provided refresh token will expire. Its value **MUST** be a number containing a NumericDate value, as specified in section 2 of [section 2](https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-32#section-2) **[[JWT]](#nref-JWT)**. If no refresh token has been provided then a zero value should be returned.
-- `sharing_expires_at`: indicates the date-time at which the current sharing arrangement will expire. Its value **MUST** be a number containing a NumericDate value, as specified in [section 2](https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-32#section-2) of **[[JWT]](#nref-JWT)**. If consent is not complete or a `sharing_duration` was not requested in the authorisation request object then a zero value should be returned.
+```
 
 The following standard **[[OIDC]](#nref-OIDC)** claims **MAY** be supported:
 
diff --git a/slate/source/includes/security/_identifiers_and_subject_types.md b/slate/source/includes/security/_identifiers_and_subject_types.md
index 2c2d8676..6d5378b3 100644
--- a/slate/source/includes/security/_identifiers_and_subject_types.md
+++ b/slate/source/includes/security/_identifiers_and_subject_types.md
@@ -42,24 +42,6 @@ client_id=s6BhdRkqt3
 }
 ```
 
-> Decoded JWT
-
-```
-{
- "iss": "https://data.holder.com.au",
- "sub": "a9ebbef6-1f0b-44eb-96cf-0c5b51b37ab2",
- "aud": "12345",
- "nonce": "n-0S6_WzA2Mj",
- "exp": 1311281970,
- "iat": 1311280970,
- "nbf": 1311280970,
- "auth_time": 1311280969,
- "acr": "urn:cds.au:cdr:3",
- "refresh_token_expires_at": 1311281970,
- "sharing_expires_at": 1311281970
-}
-```
-
 > Decoded JWT - FAPI 1.0 Final Phase 3 Obligation
 
 ```
diff --git a/slate/source/includes/security/_request_object.md b/slate/source/includes/security/_request_object.md
index 56028bf2..ac5a8375 100644
--- a/slate/source/includes/security/_request_object.md
+++ b/slate/source/includes/security/_request_object.md
@@ -91,7 +91,13 @@ To accomplish this, the Data Holder **MUST** support an additional claim in the
 Note that the period of `one year` in the above statements **SHOULD** be interpreted as 365, 24 hour days (or 31,536,000 seconds).
 
-The Data Recipient Software Product is able to obtain the expiration of sharing via the `sharing_expires_at` claim.
+```diff
+Updated statement referring to the `sharing_expires_at` claim, replacing it with a reference to the `exp` field:
+- The Data Recipient Software Product is able to obtain the expiration of sharing via the `sharing_expires_at` claim.
++ The Data Recipient Software Product is able to obtain the expiration of sharing via the `exp` field in tokens and the introspection endpoint.
+```
+
+The Data Recipient Software Product is able to obtain the expiration of sharing via the `exp` field in tokens and the introspection endpoint.
 
 ### Specifying an existing arrangement
 Provided a Data Holder supports PAR, they **MUST** also support the ``cdr_arrangement_id`` claim provided in the Request Object sent to the [PAR End Point](#pushed-authorisation-end-point). The Data Recipient Software Product **MAY** provide the ``cdr_arrangement_id`` claim in the Request Object sent to the [PAR End Point](#pushed-authorisation-end-point).
diff --git a/slate/source/includes/security/_tokens.md b/slate/source/includes/security/_tokens.md
index d1d2e520..21631874 100644
--- a/slate/source/includes/security/_tokens.md
+++ b/slate/source/includes/security/_tokens.md
@@ -1,24 +1,6 @@
 ## Tokens
 ### ID Token
 
-> Non-Normative Example - acr
-
-```
-{
- "iss": "https://www.holder.com.au",
- "sub": "a9ebbef6-1f0b-44eb-96cf-0c5b51b37ab2",
- "aud": "12345",
- "nonce": "n-0S6_WzA2Mj",
- "exp": 1311281970,
- "iat": 1311280970,
- "nbf": 1311280970,
- "auth_time": 1311280969,
- "acr": "urn:cds.au:cdr:3",
- "refresh_token_expires_at": 1311281970,
- "sharing_expires_at": 1311281970
-}
-```
-
 > Non-Normative Example - FAPI 1.0 Final Phase 3 Obligations
 
 ```
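Review bot: The replacement sentence in the `_request_object.md` hunk, `The Data Recipient Software Product is able to obtain the expiration of sharing via the exp field in tokens and the introspection endpoint.`, does not say which token's `exp` is meant, and an access token's or ID token's `exp` is that token's own lifetime rather than the end of the sharing arrangement, so a recipient reading it literally could derive the wrong expiry. The removed `sharing_expires_at` text (visible in the `_consent.md` hunk) explicitly bound the value to the current sharing arrangement, so the new wording is looser than what it replaces. Presumably the intended source is the refresh token's `exp` as reported by introspection, which the surrounding `one year` note suggests is aligned with the sharing duration; that should be confirmed against the Tokens section, which lies outside this hunk. I would name it explicitly, e.g. `The Data Recipient Software Product is able to obtain the expiration of sharing via the exp claim of the refresh token, as returned by the Token Introspection End Point.`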
diff --git a/slate/source/includes/security/endpoints/_authorisation.md b/slate/source/includes/security/endpoints/_authorisation.md
index 648997ae..9365ef24 100644
--- a/slate/source/includes/security/endpoints/_authorisation.md
+++ b/slate/source/includes/security/endpoints/_authorisation.md
@@ -39,12 +39,6 @@ Host: www.holder.com.au
 "acr": {
 "essential": true,
 "values": ["urn:cds.au:cdr:2"]
- },
- "refresh_token_expires_at": {
- "essential": true
- },
- "sharing_expires_at": {
- "essential": true
 }
 }
 }
diff --git a/slate/source/includes/security/endpoints/_oidc_provider_configuration.md b/slate/source/includes/security/endpoints/_oidc_provider_configuration.md
index d4b04450..adedb868 100644
--- a/slate/source/includes/security/endpoints/_oidc_provider_configuration.md
+++ b/slate/source/includes/security/endpoints/_oidc_provider_configuration.md
@@ -15,7 +15,7 @@ Content-Type: application/json
 {
 "acr_values_supported": ["urn:cds.au:cdr:2","urn:cds.au:cdr:3"],
 "authorization_endpoint": "https://www.dh.com.au/authorise",
- "claims_supported": ["name", "given_name", "family_name", "acr", "auth_time", "sub", "refresh_token_expires_at", "sharing_expires_at"],
+ "claims_supported": ["name", "given_name", "family_name", "acr", "auth_time", "sub"],
 "grant_types_supported": ["authorization_code", "client_credentials", "urn:openid:params:modrna:grant-type:backchannel_request"],
 "id_token_encryption_alg_values_supported": [ "RSA-OAEP", "RSA-OAEP-256", "dir", "ECDH-ES", "ECDH-ES+A128KW", "ECDH-ES+A192KW", "ECDH-ES+A256KW", "A128KW", "A192KW", "A256KW", "A128GCMKW", "A192GCMKW", "A256GCMKW" ],
 "id_token_encryption_enc_values_supported": [ "A128CBC-HS256", "A192CBC-HS384", "A256CBC-HS512", "A128GCM", "A192GCM", "A256GCM" ],