BS ISO 20078-3:2019 pdf download.Road vehicles – Extended vehicle ( ExVe ] web services.
BS ISO 20078-3 defines how to authenticate users and Accessing Parties on a web services interface. It also defines how a Resource Owner can delegate Access to its Resources to an Accessing Party. Within this context, this document also defines the necessary roles and required separation of duties between these in order to fulfil requirements stated on security, data privacy and data protection.
All conditions and dependencies of the roles are defined towards a reference implementation using OAuth 2.0 cotnpatible framework and OpenID Connect 1.0 compatible framework.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content constitutes requirements of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
ISO 2OO78-1 Road vehicles — Extended vehicle (ExVe) ‘web services’ — Content
1 The Resource Owner is authenticated by the Identity Provider.
2 The Resource Owner is granting access to the Accessing Party. The granting is handled by the Authorization Provider.
3 The Accessing Party is accessing resources from the Resource Provider.
Figure 1 — The roles and the three distinct communication flows
5.2 Authentication
The Identity Provider is responsible for authenticating the Resource Owner and managing the Resource Owner profile, based on the Resource Owner registration. The Resource Owner credentials are revealed only to the Identity Provider, and the Identity Provider confirms a successful authentication to concerned parties. lithe Resource Owner has given consent, the Accessing Party will be authorized to access the Resource Owner’s profile (Figure 2).
The Client Application as a component of the Accessing Party requires Access to Resources on behalf of the Resource Owner. At the authorization step, the Accessing Party requests authorization to access the Resources provided by the Resource Provider (Offering Party). The required authorization is requested at the Authorization Provider, providing the intended scope. By the consent of the Resource Owner, the Authorization Provider returns a limited authorization to the client application of the Accessing Party. Using the obtained authorization, the Client Application can access Resources.BS-ISO-20078-3-2019