r4.2

Release Notes

This public release contains the definition and documentation of:

• "Identity and Consent Management" 0.5.0

The content of the release includes the "Identity And Consent Management" approved deliverables in documentation folder.

Added

• Recommendations to help API Consumers and API Providers select the appropriate authorization flow for their use case @jpengar in #320
• High-level example of the JWT Bearer Flow with an Operator Token by @jpengar in #334
• Strengthen DPoP support with additional security measures and claims by @RamTMO in #325
• CAMARA format for sub claim values in the JWT Bearer assertion by @jpengar in #346
• Security Considerations regarding audience values by @AxelNennker in #348

Changed

• Clarify the trust assumptions when using a phone number as sub claim in JWT Bearer Flow by @sfnuser in #343

Fixed

• Add missing openid scope for the OIDC Auth Code Flow and the CIBA Flow to the CAMARA-API-access-and-user-consent.md document by @sebdewet in #317
• Remove openid scope typo for JWT Bearer Flow in the CAMARA-API-access-and-user-consent.md document by @shilpa-padgaonkar in #333
• Add missing offline_access scope for Refresh Token examples to the CAMARA-ICM-examples.md document by @sebdewet in #332

Removed

• Rich Authorization Request (RAR) references from the "Identity And Consent Management" documentation by @jpengar in #342

Full Changelog: r3.3...r4.2

r4.1

Release Notes

This pre-release contains the definition and documentation of:

• "Identity and Consent Management" 0.5.0-rc.1

The content of the release includes the "Identity And Consent Management" approved deliverables in documentation folder.

Added

• Recommendations to help API Consumers and API Providers select the appropriate authorization flow for their use case @jpengar in #320
• High-level example of the JWT Bearer Flow with an Operator Token by @jpengar in #334
• Strengthen DPoP support with additional security measures and claims by @RamTMO in #325

Changed

• Clarify the trust assumptions when using a phone number as sub claim in JWT Bearer Flow by @sfnuser in #343

Fixed

• Add missing openid scope for the OIDC Auth Code Flow and the CIBA Flow to the CAMARA-API-access-and-user-consent.md document by @sebdewet in #317
• Remove openid scope typo for JWT Bearer Flow in the CAMARA-API-access-and-user-consent.md document by @shilpa-padgaonkar in #333
• Add missing offline_access scope for Refresh Token examples to the CAMARA-ICM-examples.md document by @sebdewet in #332

Removed

• Rich Authorization Request (RAR) references from the "Identity And Consent Management" documentation by @jpengar in #342

Full Changelog: r3.3...r4.1

r3.3

Release Notes

This public release contains the definition and documentation of:

• "Identity and Consent Management" 0.4.0

The content of the release includes the "Identity And Consent Management" approved deliverables in documentation folder.

Added

• Mandatory fields in signed Authorization Code Flow request objects by @AxelNennker & @garciasolero in #285
• New JWT Bearer Flow specification in addition to the three previously supported flows: Authorization Code Flow, CIBA and Client Credentials by @jpengar, @AxelNennker & @subha5h in #294
• Statement of future adoption of OAuth 2.1 by @jpengar in #303
• Recommended value for the audience field of signed authentication requests for CIBA by @mhfoo in #306

Changed

• Further alignment of CAMARA-API-access-and-user-consent.md with CAMARA terms and definitions by @jpengar in #280
• Update request object errors by @garciasolero in #287
• Clarify protocols for CAMARA API access by @AxelNennker in #281
• Document when Authorization Code Flow is applicable with regards to involved devices by @Elisabeth-Ericsson in #256
• CIBA Flow descriptions to further clarify the Authentication request authorization process with regard to User privacy by @jpengar & @AxelNennker in #293
• Clarify and generalize login_hint usage to include Operator and Temporary Tokens (TS.43) in the ICM documentation by @AxelNennker in #297
• Client assertion audience clarification for CIBA by @jpengar in #302

Fixed

• Fix typo autenticate -> authenticate by @AxelNennker in #274
• Update the references to the OAuth 2.0 Security Best Practices (RFC 9700) by @AxelNennker in #263
• Consistent consent check statement in Authorization Code Flow and CIBA by @shilpa-padgaonkar in #305

Removed

N/A

Full Changelog: r2.3...r3.3

r3.2

Release Notes

This pre-release contains the definition and documentation of:

• "Identity and Consent Management" 0.4.0-rc.1

The content of the release includes the "Identity And Consent Management" approved deliverables in documentation folder.

Added

• Mandatory fields in signed Authorization Code Flow request objects by @AxelNennker & @garciasolero in #285
• New JWT Bearer Flow specification in addition to the three previously supported flows: Authorization Code Flow, CIBA and Client Credentials by @jpengar, @AxelNennker & @subha5h in #294

Changed

• Further alignment of CAMARA-API-access-and-user-consent.md with CAMARA terms and definitions by @jpengar in #280
• Update request object errors by @garciasolero in #287
• Clarify protocols for CAMARA API access by @AxelNennker in #281
• Document when Authorization Code Flow is applicable with regards to involved devices by @Elisabeth-Ericsson in #256
• CIBA Flow descriptions to further clarify the Authentication request authorization process with regard to User privacy by @jpengar & @AxelNennker in #293

Fixed

• Fix typo autenticate -> authenticate by @AxelNennker in #274
• Update the references to the OAuth 2.0 Security Best Practices (RFC 9700) by @AxelNennker in #263

Removed

N/A

Full Changelog: r2.3...r3.2

r3.1

Release Notes

This pre-release contains the definition and documentation of:

• "Identity and Consent Management" 0.4.0-alpha.1

The content of the release includes the "Identity And Consent Management" approved deliverables in documentation folder.

Added

N/A

Changed

• Further alignment of CAMARA-API-access-and-user-consent.md with CAMARA terms and definitions by @jpengar in #280
• Update request object errors by @garciasolero in #287
• Clarify protocols for CAMARA API access by @AxelNennker in #281

Fixed

• Fix typo autenticate -> authenticate by @AxelNennker in #274

Removed

N/A

Full Changelog: r2.3...r3.1

r2.3

Release Notes

This public release contains the definition and documentation of:

• "Identity and Consent Management" v0.3.0

The content of the release includes the "Identity And Consent Management" approved deliverables in documentation folder.

The mandatory info.description template defined for "Authorization and authentication" has been modified and will eventually need to be adopted by all API definitions.

NOTE: The Working Group release numbering has been updated to adopt the same release notation as is used for API sub-projects.

Added

• Lifetime handling of client assertions on client authentication by @eric-murray in #216
• Recommend signed authentication requests for CIBA by @eric-murray in #217
• Operator token login_hint format by @AxelNennker in #218
• Response codes for error scenarios by @garciasolero in #220
• Clarification on the use of sender constraint tokens via "Demonstrating Proof of Possession" (DPoP) by @AxelNennker in #225
• login_hint statement for Authorization Code Flow by @jpengar in #242
• Recommend signed authentication requests for Authorization Code Flow by @AxelNennker in #251
• Agreed conclusion statement about authentication method in the Authorization Code Flow by @jpengar in #253

Changed

• Updated the CAMARA-Security-Interoperability.md document to replace Telco and Operator terms with API Provider by @AxelNennker in #201
• Updated terms and definitions in the CAMARA-API-access-and-user-consent.md document for better writing and understanding by @jpengar and @chrishowell in #212
• Updated the CAMARA-API-access-and-user-consent.md document with editorial and general writing improvements by @jpengar and @chrishowell in #213
• Updated info.description template in the CAMARA-API-access-and-user-consent.md document with revised wording by @jpengar and @chrishowell in #214
• Updated the CAMARA-ICM-examples.md document with more CIBA examples by @sebdewet in #237

Fixed

• Fixed error description for missing openid scope in the CAMARA-Security-Interoperability.md document by @AxelNennker in #210
• Clarify case sensitivity of parameter names and values in the CAMARA-Security-Interoperability.md document by @eric-murray in #221
• Fixed "bc_authorize" typo in the CAMARA-API-access-and-user-consent.md document by @AxelNennker in #248
• Fixed operator token login_hint formatting and encoding references by @garciarolero in #262

Removed

N/A

Full Changelog: r0.2.1...r2.3

r2.2

Release Notes

This pre-release contains the definition and documentation of:

• "Identity and Consent Management" v0.3.0-rc.1

The content of the release includes the "Identity And Consent Management" approved deliverables in documentation folder.

The mandatory info.description template defined for "Authorization and authentication" has been modified and will eventually need to be adopted by all API definitions.

NOTE: The Working Group release numbering has been updated to adopt the same release notation as is used for API sub-projects.

Added

• Lifetime handling of client assertions on client authentication by @eric-murray in #216
• Recommend signed authentication requests for CIBA by @eric-murray in #217
• Operator token login_hint format by @AxelNennker in #218
• Response codes for error scenarios by @garciasolero in #220
• Clarification on the use of sender constraint tokens via "Demonstrating Proof of Possession" (DPoP) by @AxelNennker in #225
• login_hint statement for Authorization Code Flow by @jpengar in #242
• Recommend signed authentication requests for Authorization Code Flow by @AxelNennker in #251
• Agreed conclusion statement about authentication method in the Authorization Code Flow by @jpengar in #253

Changed

• Updated the CAMARA-Security-Interoperability.md document to replace Telco and Operator terms with API Provider by @AxelNennker in #201
• Updated terms and definitions in the CAMARA-API-access-and-user-consent.md document for better writing and understanding by @jpengar and @chrishowell in #212
• Updated the CAMARA-API-access-and-user-consent.md document with editorial and general writing improvements by @jpengar and @chrishowell in #213
• Updated info.description template in the CAMARA-API-access-and-user-consent.md document with revised wording by @jpengar and @chrishowell in #214
• Updated the CAMARA-ICM-examples.md document with more CIBA examples by @sebdewet in #237

Fixed

• Fixed error description for missing openid scope in the CAMARA-Security-Interoperability.md document by @AxelNennker in #210
• Clarify case sensitivity of parameter names and values in the CAMARA-Security-Interoperability.md document by @eric-murray in #221
• Fixed "bc_authorize" typo in the CAMARA-API-access-and-user-consent.md document by @AxelNennker in #248

Removed

N/A

Full Changelog: r0.2.1...r2.2

r2.1

Release Notes

This pre-release contains the definition and documentation of:

• "Identity and Consent Management" v0.3.0-alpha.1

NOTE: The Working Group release numbering has been updated to adopt the same release notation as is used for API sub-projects.

Added

• Recommend signed authentication requests for CIBA by @eric-murray in #217
• Operator token login_hint format by @AxelNennker in #218

Changed

• Updated the CAMARA-Security-Interoperability.md document to replace Telco and Operator terms with API Provider by @AxelNennker in #201
• Updated terms and definitions in the CAMARA-API-access-and-user-consent.md for better writing and understanding by @jpengar and @chrishowell in #212
• Updated the CAMARA-API-access-and-user-consent.md document with editorial and general writing improvements by @jpengar and @chrishowell in #213

Fixed

• Fixed error description for missing openid scope in the CAMARA-Security-Interoperability.md document by @AxelNennker in #210
• Clarify case sensitivity of parameter names and values in the CAMARA-Security-Interoperability.md document by @eric-murray in #221

Removed

N/A

Full Changelog: r0.2.1...r2.1

r0.2.1

This is the public release of "Identity And Consent Management" version 0.2.1, a patch release from r0.2.0

Please note:

• The r0.2.1 release is a patch release of r0.2.0. Please read also the release notes and changes of r0.2.0.

Fixed

• Fixed broken W3C Data Privacy Vocabulary (DPV) reference links in ICM documentation by @jpengar in #196

Full Changelog: r0.2.0...r0.2.1

r0.2.0

This is the public release of "Identity And Consent Management" version 0.2.0

Please note:

• The content of the release includes the "Identity And Consent Management" approved deliverables in documentation folder.
• The document Authentication and Authorization Concept for Service APIs was part of the 0.1.0 release. It has been deprecated and been removed in the course of the public release of "Identity and Consent Management" version 0.2.0.

Main Changes

• Creation of the CAMARA Security and Interoperability Profile document.
• Creation of the Identity and Consent Management Examples document.
• Aligment of the CAMARA APIs access and user consent management document with the latest decisions of the working group in the new profile.

Added

• Added paragraph describing the handling on authorization flow selection during API product ordering in the CAMARA-API-access-and-user-consent.md document by @Elisabeth-Ericsson in #120
• Added the CAMARA-Security-Interoperability.md profile document by @AxelNennker in #121
• Added the CAMARA-ICM-examples.md document by @AxelNennker in #148
• Added 2-legged/3-legged access token definition to CAMARA-API-access-and-user-consent.md document by @jpengar in #162

Changed

• Clarified resource server terminology by @Elisabeth-Ericsson in #135
• Updated the CAMARA-API-access-and-user-consent.md document with the latest decisions of the working group in the new profile by @jpengar in #155
• Adapted the info.description template in CAMARA-API-access-and-user-consent.md document to "CAMARA Security and Interoperability Profile" by @AxelNennker in #168
• Editorial changes to CAMARA-API-access-and-user-consent.md by @AxelNennker in #183
• Replaced link into main branch of Identity and Consent Management within "Authorization and authentication" text template (need to be applied to all APIs who have copied the template previously) by @hdamker in #186
• Replace internal links between icm documents with relative links by @hdamker in #188

Fixed

• Fixed Auth code flow error scenario when user refuses consent in CAMARA-API-access-and-user-consent.md document by @jpengar in #170.
• Fix returned error in authentication code flow by @garciasolero in #180
• Fixed the release tag according to Release Management Working Group guidelines.

Removed

• Removed deprecated CAMARA-AuthN-AuthZ-Concept.md document by @jpengar in #192

New Contributors

• @Elisabeth-Ericsson made their first contribution in #120
• @AxelNennker made their first contribution in #121
• @hdamker made their first contribution in #147
• @garciasolero made their first contribution in #180

Full Changelog: v0.1.0...r0.2.0