...
Authorization
An access token must be used in POST calls to the /delegation
endpoint. For more information, see Access Token.
Parties MUST validate that a POST call to a /delegation endpoint includes the Authorization header according to RFC 6750 and contains a valid access token.
...
For information about the parameters that are common to the trust framework’s APIs, see Generic API Requirements.
The trust framework catalogue Parties MUST validate that the HTTP body of a POST request to the /delegation endpoint contains the parameters as defined in the table below.
| Parameter | Required | Type | Description |
|---|---|---|---|
| delegationRequest | Required | Object | Object MUST contain policyIssuer, target and policySets objects, and may contain the delegation_path and previous_steps arrays as described below. |
| policyIssuer | Required | String in delegationRequest | MUST contain a valid Organisation ID of the delegator (data entitled party), containing an EORI or KvK number. |
| target | Required | Object in delegationRequest | Object MUST contain an accessSubject. No other elements are allowed. It makes the entire delegation evidence applicable only to this accessSubject. |
| accessSubject | Required | String in target | MUST contain a valid Organisation ID of the delegate (the data service consumer that receives the delegated rights), containing an EORI or KvK number. |
| policySets | Required | Array in delegationRequest | MUST contain one or more policySet objects with an indication for further delegation (see /delegation for more information). Note that multiple policySet objects within one delegationEvidence MUST not restrict each other, but rather offer a mechanism to express additional rights. They MUST be evaluated in a permit-override manner, allowing a Permit if only one of the policySet objects evaluates to Permit. |
| delegation_path | Optional | Array in delegationRequest | Optional array used in a situation where multiple delegation policies need to be linked together. MUST contain one or more valid Organisation IDs, each containing an EORI or KvK number. |
| previous_steps | Optional | Array in delegationRequest | Optional array used for one or more pieces of evidence such that the client has legitimate reason to request delegation evidence. MUST contain a previous delegationEvidence object or client_assertion for a single step. May contain an array for multiple steps. The minimum is a client_assertion value of the accessSubject, for example if the data service provider requests delegationEvidence for an authorization in which he is neither the policyIssuer nor the accessSubject. |
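One way to enforce the body rules in the table before any policy is evaluated, as an added example that is not part of the trust framework's own code. The Organisation ID pattern, the error strings, the "Deny" fallback value and the sample identifiers are assumptions; the page only states that an ID contains an EORI or KvK number.

```python
import re

# Assumption: Organisation IDs look like "<CC>.<EORI|KVK>.<number>".
# The page does not define the exact format; adjust to the framework's definition.
ORG_ID = re.compile(r"[A-Z]{2}\.(EORI|KVK)\.[A-Z0-9]+")

def is_org_id(value):
    return isinstance(value, str) and ORG_ID.fullmatch(value) is not None

def validate_delegation_request(body):
    """Return a list of violations; an empty list means the body is acceptable."""
    req = body.get("delegationRequest") if isinstance(body, dict) else None
    if not isinstance(req, dict):
        return ["delegationRequest: required object missing"]
    errors = []
    if not is_org_id(req.get("policyIssuer")):
        errors.append("policyIssuer: required, must be a valid Organisation ID")
    target = req.get("target")
    # "No other elements are allowed": the key set must be exactly accessSubject.
    if not isinstance(target, dict) or set(target) != {"accessSubject"}:
        errors.append("target: must contain accessSubject and nothing else")
    elif not is_org_id(target["accessSubject"]):
        errors.append("accessSubject: must be a valid Organisation ID")
    sets = req.get("policySets")
    if not (isinstance(sets, list) and sets and all(isinstance(s, dict) for s in sets)):
        errors.append("policySets: required, one or more policySet objects")
    path = req.get("delegation_path")
    if "delegation_path" in req and not (
            isinstance(path, list) and path and all(map(is_org_id, path))):
        errors.append("delegation_path: one or more valid Organisation IDs")
    steps = req.get("previous_steps")
    if "previous_steps" in req and not (isinstance(steps, list) and steps):
        errors.append("previous_steps: at least one piece of evidence")
    return errors

def combine_permit_override(decisions):
    """policySets only add rights: a single Permit yields Permit ("Deny" is assumed)."""
    return "Permit" if "Permit" in decisions else "Deny"

# Constructed sample bodies; identifiers are made up, policySet contents elided.
GOOD = {"delegationRequest": {
    "policyIssuer": "EU.EORI.NL000000001",
    "target": {"accessSubject": "EU.EORI.NL000000002"},
    "policySets": [{}]}}
BAD = {"delegationRequest": {
    "policyIssuer": "not-an-id",
    "target": {"accessSubject": "EU.EORI.NL000000002", "extra": {}},
    "policySets": [], "delegation_path": []}}

if __name__ == "__main__":
    print(validate_delegation_request(GOOD), validate_delegation_request(BAD))
```

Rejecting a target with extra elements matters because the accessSubject scopes the entire delegation evidence; silently ignoring unknown keys would hide a request that does not mean what its sender intended.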
...
If successful, the response contains data providing the requested parties' information in a delegation_token. The delegation_token is a signed JWT, which contains the claims as defined in the Authentication JWT, and additionally contains a delegationEvidence object. Find the definition of the delegationEvidence object here.
The trust framework catalogue Parties MUST include a delegation_token including a delegationEvidence object in a response to a successful GET call to the /delegation endpoint.
...