BS ISO 20078-3:2019. Road vehicles – Extended vehicle (ExVe) web services.
The Client Application, as a component of the Accessing Party, requires Access to Resources on behalf of the Resource Owner. At the authorization step, the Accessing Party requests authorization to access the Resources provided by the Resource Provider (Offering Party). The required authorization is requested at the Authorization Provider, stating the intended scope. With the consent of the Resource Owner, the Authorization Provider returns a limited authorization to the Client Application of the Accessing Party. Using the obtained authorization, the Client Application can access Resources.

The implementation of the components should comply with the following guidelines. For Resource Owner authentication, the Accessing Party should use the OpenID Connect 1.0 Authorization Code Flow, OIDC Core [2]. The Identity Provider should provide a "UserInfo" endpoint as defined in OpenID Connect 1.0 [2] to make the Resource Owner Profile available. The OAuth 2.0 grant type Authorization Code, RFC 6749 [1], is recommended when requesting authorization for protected Resources owned by a Resource Owner. Offering Party and Accessing Party can agree on other grant types.

In the authorization code flow, the Client Application first gets an Authorization Code, which then needs to be exchanged for the identity token (Identity Provider) or the access token (Authorization Provider). The Identity Provider and/or the Authorization Provider may request a registration of the Client Application before the Client Application can consume services provided by the Identity Server and/or the Authorization Server. With successful registration the Client Application will receive client credentials. The design of the client registration process, the credential type and the client authentication method are the responsibility of the Identity Provider and the Authorization Provider.

Access tokens may be self-contained or may reference the authorization information stored at the token issuer.
Self-contained access tokens allow the Resource Server to perform an authorization decision without further interaction with the Authorization Server. To allow the reliable revocation of self-contained tokens, their lifetime should be limited to a maximum of one hour. If refresh tokens are issued, the Client Application should store them in a long-term secure storage and continue to use them as long as they remain valid. Clients should treat refresh tokens as a secret and send them exclusively to the issuer of the refresh token.