...
Information contained in an id_token
Parameters | Validations |
---|---|
iss |
|
sub |
|
aud |
|
exp |
|
iat |
|
auth_time |
|
nonce |
|
acr |
|
amr |
|
azp |
|
Parameters for validating an id_token.
All parameters must be present in the JWT header (header).
Parameters | Description | Recommended Values |
---|---|---|
alg | The "alg" (algorithm) parameter identifies the cryptographic algorithm used to secure the JWS/JWE. The JWS Signature value is invalid if the "alg" value does not represent a supported algorithm or if there is no compatible key available for the algorithm associated with the entity that digitally signed the content. | PS256 or PS512 |
jku | The "jku" (JWK Set URL) parameter is a URI (RFC3986) that points to a resource for a set of public keys encoded in JSON, one of which matches the key used to digitally sign the JWS. The keys MUST be encoded as a JWK Set. The protocol used to acquire the resource MUST provide integrity protection; an HTTP GET request to retrieve the JWK Set MUST use Transport Layer Security (TLS); and the server's identity MUST be validated, according to Section 6 of RFC6125. (OPTIONAL) |
|
jwk |
The "jwk" (JSON Web Key) |
parameter is the public key that matches the key used to digitally sign the JWS. This key is represented as a JWK. (OPTIONAL) |
|
kid |
The "kid" (Key ID) |
parameter indicates which key was used to secure the JWS/JWE. This parameter allows senders to explicitly signal a key change to recipients. The "kid" value MUST be a case-sensitive string. When used with a JWK, the "kid" value matches a "kid" parameter value of the JWK. (OPTIONAL) |
|
x5u |
The "x5u" (X.509 URL) |
parameter is a URI (RFC3986) |
pointing to a resource for the X.509 public key certificate or certificate chain (RFC5280) corresponding to the key used to digitally sign the JWS. (OPTIONAL) |
|
x5c |
The "x5c" (X.509 Certificate Chain) |
parameter contains the X.509 |
public key certificate or certificate chain (RFC5280) corresponding to the key used to digitally sign the JWS. ( |
OPTIONAL) |
|
x5t |
The "x5t" (X.509 Certificate SHA-1 Thumbprint) |
is a base64url encoded SHA-1 |
thumbprint (hash) |
of the DER encoding of the X.509 certificate (RFC5280) |
corresponding to the key used to digitally sign the JWS. ( |
OPTIONAL) |
|
x5t#S256 |
The "x5t#S256" (X.509 Certificate SHA-256 Thumbprint) |
is a base64url encoded SHA-256 |
thumbprint (hash) |
of the DER encoding of the X.509 certificate (RFC5280) |
corresponding to the key used to digitally sign the JWS. It can be used alternatively to "x5t". ( |
OPTIONAL) |
|
typ |
The "typ" (Type) |
parameter is used by JWS applications to declare the media type (IANA.MediaTypes) |
of this complete JWS |
. It is intended for use by the application when more than one type of object can be present in an application data structure that might contain a JWS; the application can use this value to disambiguate between the different types of objects that could be present. (OPTIONAL) | JWT |
cty |
The "cty" (Content Type) |
parameter is used by JWS applications to declare the media type (IANA.MediaTypes) |
of the secured content (payload). |
ao invés de usar “application/example” usar “example”
crit
It is intended for use by the application when multiple types of objects might be present in the JWS Payload; the application can use this value to disambiguate between the different types of objects that could be present. | use “example” instead “application/example” |
crit | The "crit" (Critical) |
...
parameter indicates that extensions to this specification and/or [JWA] are being used and MUST be understood and processed. Its value is an array containing the names of the Header Parameters present in the JOSE Header that are using these extensions. |
|
Step by step to save an id_token
Informações |
---|
Lembre-se, o fluxo para a geração de um id_token é um fluxo de consentimento Remember, the flow for generating an id_token is a regular FAPI Hybrid-Flow comum! A Iniciadora de Pagamentos deverá salvar o id_token que vem no redirecionamento de volta da detentora via query parameters. |
...
consent! The Payment Initiator should save the id_token that comes in the redirection back from the holder via query parameters. |
Follow the steps of the Sequence Diagram of a Payment Initiation via Hybrid-Flow;.
Na etapa de recebimento do code, state, id_token no redirectURL (redirecionamento de volta da detentora para a iniciadora) a iniciadora deve salvar o id_token que também vem nos parâmetros da url de redirect. Atentar-se ao item 4 do diagrama de sequência do link acima;
Realizar o pagamento normalmente, pois apenas no próximo pagamento será possível a utilização do canal CIBA para a comunicação com o cliente para autorizar um consentimento.
...
Lista de possíveis erros:
Error Code | Error Description |
---|---|
authorization_pending | The user has not yet been authenticated, and the authorization request is still pending |
slow_down | The authorization request is still pending, and the client must increase the interval for polling requests by at least x seconds |
expired_token | The transaction (auth_req_id) has expired. The client must start over with a new Authentication Request |
access_denied | The user did not consent to the authorization request |
Seguir com o processo de uma iniciação de pagamento e realizar as chamadas na API de pagamento, caso o acesso for concedido com sucesso.
...