BS ISO 20078-3:2019 download free

05-23-2021

Road vehicles – Extended vehicle (ExVe) web services.
1 Scope
BS ISO 20078-3 defines how to authenticate users and Accessing Parties on a web services interface. It also defines how a Resource Owner can delegate Access to its Resources to an Accessing Party. Within this context, BS ISO 20078-3 also defines the necessary roles and required separation of duties between these in order to fulfil requirements stated on security, data privacy and data protection.
All conditions and dependencies of the roles are defined towards a reference implementation using OAuth 2.0 compatible framework and OpenID Connect 1.0 compatible framework.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content constitutes requirements of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
ISO 20078-1, Road vehicles — Extended vehicle (ExVe) ‘web services’ — Content
3.1
Identity Token
ID Token
digitally signed JWT that contains claims about the authenticated Resource Owner
3.2
Access Token
AT
digitally signed JWT issued by the Identity Provider or Authorization Provider and consumed by the Resource Provider
Note 1 to entry: An Access Token represents an authorization that is issued to the client and limited by scope and has a defined expiration time.
3.3
Refresh Token
RT
credential (string) issued to the Accessing Party by the Identity Provider or the Authorization Provider and used to obtain a new Access Token when the currently used AT expires, or to obtain additional ATs depending on the intended scope of use
1 The Resource Owner is authenticated by the Identity Provider.
2 The Resource Owner is granting access to the Accessing Party. The granting is handled by the Authorization Provider.
3 The Accessing Party is accessing resources from the Resource Provider.
Figure 1 — The roles and the three distinct communication flows
5.2 Authentication
The Identity Provider is responsible for authenticating the Resource Owner and managing the Resource Owner profile, based on the Resource Owner registration. The Resource Owner credentials are revealed only to the Identity Provider, and the Identity Provider confirms a successful authentication to concerned parties. If the Resource Owner has given consent, the Accessing Party will be authorized to access the Resource Owner’s profile (Figure 2).
5.3 Authorization
The Client Application as a component of the Accessing Party requires Access to Resources on behalf of the Resource Owner. At the authorization step, the Accessing Party requests authorization to access the Resources provided by the Resource Provider (Offering Party). The required authorization is requested at the Authorization Provider, providing the intended scope. By the consent of the Resource Owner, the Authorization Provider returns a limited authorization to the client application of the Accessing Party. Using the obtained authorization, the Client Application can access Resources.
Additionally, actual implementation often depends on national legal requirements (e.g. handling of Resource Owner Profile, implemented Resource Owner’s Verification Process etc.) and the required trusted relationship between involved components, especially Identity Provider, Authorization Provider, and Resource Provider.
REQ_05_06_01 All communication paths between involved entities shall use secured connections.
REQ_05_06_02 The Identity Provider, Authorization Provider, and Resource Provider are responsible for ensuring that only recent cipher suites are used.
NOTE Changes in the interface are communicated to Accessing Parties within a reasonable notice period.
If the Offering Party encounters an unreliable Accessing Party, the Offering Party can temporarily or permanently revoke the Accessing Party’s access. This is done in order to protect the Resource Owners. Examples of circumstances that could trigger this are: insecure smartphone applications, disabled host verification, data breach of database, forbidden caching or storage of resource data, usage of discouraged security algorithms.
REQ_05_06_03 It shall be possible to validate the authenticity and integrity of information provided by the Identity Provider, Authorization Provider and Resource Provider.
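As an added illustration (not part of ISO 20078-3 or of any provider's code), the following example shows how a Resource Provider could check the authenticity, integrity, expiration and scope of an Access Token as defined in 3.2 before serving a Resource. The key, URLs, scope names and claim layout are constructed assumptions, and HS256 is used only so the example runs on the Python standard library; a deployment would normally verify an asymmetric signature against the issuing provider's published key.

```python
import base64, hashlib, hmac, json, time
# Constructed sample values (assumptions, not taken from the standard).
KEY = b"constructed-demo-key"
ISSUER = "https://authz.example"        # Authorization Provider
AUDIENCE = "https://resources.example"  # Resource Provider
NOW = 1_700_000_000

def b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(signing_input: str, key: bytes) -> bytes:
    return hmac.new(key, signing_input.encode(), hashlib.sha256).digest()

def issue_token(claims: dict, key: bytes) -> str:
    """Stand-in for the Authorization Provider (HS256 only to stay stdlib-only)."""
    head = b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64e(json.dumps(claims).encode())
    return f"{head}.{body}." + b64e(sign(f"{head}.{body}", key))

def validate_access_token(token, key, issuer, audience, scope, now=None):
    """Resource Provider check. Returns (True, claims) or (False, reason)."""
    now = time.time() if now is None else now
    try:
        head, body, sig = token.split(".")
        header, signature = json.loads(b64d(head)), b64d(sig)
    except ValueError:
        return False, "malformed"
    # Pin the algorithm; the token header must not choose it (rejects "none").
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return False, "bad_alg"
    if not hmac.compare_digest(signature, sign(f"{head}.{body}", key)):
        return False, "bad_signature"
    # Claims are parsed only after integrity has been established.
    try:
        claims = json.loads(b64d(body))
    except ValueError:
        return False, "malformed"
    if not isinstance(claims, dict) or claims.get("iss") != issuer:
        return False, "bad_issuer"
    if claims.get("aud") != audience:
        return False, "bad_audience"
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        return False, "expired"
    if scope not in str(claims.get("scope", "")).split():
        return False, "insufficient_scope"
    return True, claims
```

The order of the checks matters: the signature is verified before any claim is trusted, and the granted scope is compared last so that an expired or misdirected token is never evaluated for authorization.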
