opin-claim-notification-damages-api-test - inclusion of scope in token
1. What happened and what were you expecting?
The conformance suite is operating in accordance with RFC 6749, section 4.1.1 (https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.1), which states:
4.1.1. Authorization Request
The client constructs the request URI by adding the following parameters to the URI query component of the authorization endpoint using the “application/x-www-form-urlencoded” format, as per Appendix B:
scope - OPTIONAL. The scope of the access request, as described in Section 3.3.
In addition to the RFC above, the OPEN FINANCE Security Profile states, in item 7.2.2:
7.2.2 Authorization Servers
- shall ensure access tokens are issued with sufficient scope necessary for access to data specified in the Permission element of a linked Consent Resource object;
- shall not reject an authorisation request requesting scopes broader than those necessary to access data specified in the Permissions element of a linked Consent Resource object;
Taken together, these specifications mean that, since sending the scope is optional in the authorization request (the redirect), the authorization server is responsible for issuing access tokens carrying the scopes that correspond to the permissions sent in the request to the consent endpoint. Given that the conformance suite has sent permissions for all phase 2 APIs, i.e. enough to access the resources needed to execute the GET call to insurance-transport/
Nonetheless, to make test-module execution easier, this test module will be improved so that the scope is included in the token the conformance suite uses to call the corresponding policy-info endpoint of the API.
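To make the behaviour required by item 7.2.2 concrete, the following is an added example (not conformance-suite code and not Open Finance reference code) of the authorization-server logic it describes: when the authorization request carries no scope parameter, the token's scopes are derived from the permissions of the linked consent, and a request for scopes broader than those needed is not rejected. The permission names, the permission-to-scope mapping, the consent object and the request URL are all constructed here for illustration and are not taken from the OPIN catalogue.

```python
"""Added example: deriving access-token scopes from a linked consent.
Hypothetical authorization-server logic, not conformance-suite code."""
from typing import Iterable
from urllib.parse import parse_qs, urlparse

# Assumed mapping from Consent "permissions" values to the API scope that
# guards the matching resource. Names are illustrative stand-ins for the
# real OPIN permission/scope catalogue.
PERMISSION_TO_SCOPE = {
    "DAMAGES_AND_PEOPLE_TRANSPORT_READ": "insurance-transport",
    "DAMAGES_AND_PEOPLE_TRANSPORT_POLICYINFO_READ": "insurance-transport",
    "DAMAGES_AND_PEOPLE_TRANSPORT_CLAIM_READ": "insurance-transport",
    "CLAIM_NOTIFICATION_REQUEST_DAMAGE_CREATE": "claim-notification",
}

# Constructed consent resource, as the AS would look it up by consentId.
CONSENT = {
    "consentId": "urn:example:consent:1",
    "permissions": [
        "DAMAGES_AND_PEOPLE_TRANSPORT_READ",
        "DAMAGES_AND_PEOPLE_TRANSPORT_POLICYINFO_READ",
        "CLAIM_NOTIFICATION_REQUEST_DAMAGE_CREATE",
    ],
}

# Constructed authorization request with NO "scope" parameter, which
# RFC 6749 section 4.1.1 permits (scope is OPTIONAL).
AUTHZ_REQUEST_NO_SCOPE = (
    "https://as.example/authorize?response_type=code&client_id=abc"
    "&redirect_uri=https%3A%2F%2Fclient.example%2Fcb&state=xyz"
)


def requested_scopes(authorization_request_url: str) -> set[str]:
    """Scope set from the request URI query; empty when scope is absent."""
    query = parse_qs(urlparse(authorization_request_url).query)
    raw = query.get("scope", [""])[0]
    return set(raw.split())


def unmapped_permissions(consent: dict) -> list[str]:
    """Permissions in the consent that have no known scope mapping."""
    return [p for p in consent["permissions"] if p not in PERMISSION_TO_SCOPE]


def required_scopes(consent: dict) -> set[str]:
    """Scopes sufficient to access every Permission of the linked consent."""
    unknown = unmapped_permissions(consent)
    if unknown:
        raise ValueError(f"permission(s) without a scope mapping: {unknown}")
    return {PERMISSION_TO_SCOPE[p] for p in consent["permissions"]}


def issue_token_scopes(requested: Iterable[str], consent: dict) -> set[str]:
    """Scopes to put on the issued access token (profile item 7.2.2).

    The consent-derived scopes are always added, so the token is sufficient
    even when the client sent no scope at all; scopes the client requested
    beyond those are kept rather than rejected.
    """
    return set(requested) | required_scopes(consent)


def token_sufficient(token_scopes: Iterable[str], consent: dict) -> bool:
    """Resource-server side check: does the token cover the consent?"""
    return required_scopes(consent) <= set(token_scopes)


if __name__ == "__main__":
    asked = requested_scopes(AUTHZ_REQUEST_NO_SCOPE)
    issued = issue_token_scopes(asked, CONSENT)
    print("requested:", sorted(asked) or "(none)")
    print("issued:   ", sorted(issued))
    print("sufficient:", token_sufficient(issued, CONSENT))
```

The key point is the union in `issue_token_scopes`: a missing or narrower `scope` parameter never produces a token that cannot reach the resources the consent covers, and a broader one is passed through, which is exactly the pair of "shall" / "shall not" rules quoted from item 7.2.2.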
2. Test Id
test name | test id | plan id |
---|---|---|
opin-claim-notification-damages-api-test | qXuI7upTVqKd1 | 0SOFfCFwjBicZ |