ISO 20078-3:2019 pdf free.Road vehicles — Extended vehicle (ExVe) web services — Part 3: Security.
ISO 20078-3 defines how to authenticate users and Accessing Parties on a web services interface. It also defines how a Resource Owner can delegate Access to its Resources to an Accessing Party. Within this context, this document also defines the necessary roles and required separation of duties between these in order to fulfil requirements stated on security, data privacy and data protection.
The Client Application as a component of the Accessing Party requires Access to Resources on behalf of the Resource Owner. At the authorization step, the Accessing Party requests authorization to access the Resources provided by the Resource Provider (Offering Party). The required authorization is requested at the Authorization Provider, providing the intended scope. By the consent of the Resource Owner, the Authorization Provider returns a limited authorization to the client application of the Accessing Party. Using the obtained authorization, the Client Application can access Resources.
Al Introduction
This reference implementation is designed in accordance with the general approach using OAuth 2.0 framework and OpenID Connect 1.0 specifications. OAuth 2.0 is used to implement an authorization mechanism for requesting of authorization and accessing Resources. OpenID Connect 1.0 is used as an authentication layer on top of the OAuth 2.0 framework for Resource Owner related scenarios, where the proof of the Resource Owner identity using appropriate authentication method through an Identity Provider is required.
The Client Application of the Accessing Party should support an implementation of the standard OAuth 2.0 for authorization requests and access to protected Resources, and may support OpeniD Connect 1.0 for Resource Owner authentication and access to the profile of the Resource Owner.
Both standards are using the term Authorization Server. However, this document differentiates between logical components, the Identity Server maintained by the identity Provider and the Authorization Server maintained by the Authorization Provider. In this reference implementation, the ExVe Identity Server refers to OpeniD Connect 1.0 Authorization Server and the ExVe Authorization Server refers to OAuth 2.0 Authorization Server.
The Reference Implementation does not cover all of the technical details. The terms and definitions to facilitate the understanding of the referenced implementation are provided in Clause 3.ISO 20078-3 pdf download.