Problem description
The CAMARA-API-access-and-user-consent document describes the authorization code flow as one option for API invocation.
It fails to clarify that the authorization code flow can only be applied if the device that is the origin of the authorization code request is also the target device of the API call for which the authorization is requested.
It should be explicitly mentioned that the sub claim contained in the access token generated by the authorization server indicates the target device of the upcoming API call, and that the data scopes reflect the permissions (or consent) granted by the legally responsible party of the target device.
It is highly recommended that an API implementation compare the access token content against the potential payload parameters indicating the target device.
Expected action
Update chapter on User Authentication/Authorization and Consent Management (https://github.com/camaraproject/IdentityAndConsentManagement/blob/main/documentation/CAMARA-API-access-and-user-consent.md#user-authenticationauthorization--consent-management) with corresponding clarification.
A pull request will be opened.
Additional context
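The comparison recommended in the problem description (token content versus the target device named in the request payload), as an added Python example that is not part of the CAMARA documentation or of this issue. It assumes the access token has already been validated (signature, issuer, expiry) and decoded, that its sub claim carries the target device's phone number, that the request body carries a CAMARA-style device object with a phoneNumber field, and that granted permissions sit in a space-separated scope claim; all of these are assumptions, not taken from the page.

```python
# Added example, not CAMARA project code. Enforces that the device an API call
# targets is the device the access token was bound to via the authorization
# code flow, and that the requested operation was actually consented to.
# Assumptions (labelled): token already validated and decoded into a dict;
# "sub" holds the device phone number; payload "device" is a CAMARA-style
# object with an optional "phoneNumber"; "scope" is space-separated.
from dataclasses import dataclass


@dataclass
class AuthzResult:
    allowed: bool
    reason: str


def normalize_msisdn(value: str) -> str:
    """Reduce a phone number to its digits with a leading '+' for comparison."""
    return "+" + "".join(ch for ch in value if ch.isdigit())


def authorize_device_call(token_claims: dict, payload: dict,
                          required_scope: str) -> AuthzResult:
    """Fail closed unless sub and scope agree with the target device and API."""
    sub = token_claims.get("sub")
    if not sub:
        return AuthzResult(False, "token has no sub claim")
    granted = set(token_claims.get("scope", "").split())
    if required_scope not in granted:
        return AuthzResult(False, f"scope {required_scope} not granted")
    device = payload.get("device")
    if device is None:
        # No explicit target in the payload: the token subject is the target.
        return AuthzResult(True, "target device taken from sub claim")
    target = device.get("phoneNumber")
    if target is None:
        # Other identifiers (IP, NAI) cannot be compared to a phone-number sub,
        # so the binding cannot be verified and the call is rejected.
        return AuthzResult(False, "device lacks phoneNumber; cannot bind to sub")
    if normalize_msisdn(target) != normalize_msisdn(sub):
        return AuthzResult(False, "payload device does not match token subject")
    return AuthzResult(True, "payload device matches token subject")


# Constructed sample data (hypothetical scope name and numbers).
TOKEN = {"sub": "+123456789", "scope": "example-api:read"}
OK_PAYLOAD = {"device": {"phoneNumber": "+123456789"}}
OTHER_PAYLOAD = {"device": {"phoneNumber": "+199999999"}}
IP_PAYLOAD = {"device": {"ipv4Address": {"publicAddress": "203.0.113.1"}}}
```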