
Appendix A. Additional Examples

A.1. OpenID Connect

OpenID Connect [OpenID.Core] defines a claims parameter for requesting identity claims about the End-User. The parameter can be used in the authorization request (as defined in Section 5.5 of [OpenID.Core]) or in a request object (as defined in Section 6.1 of [OpenID.Core]).

With RAR, a client can instead request issuance of an OpenID Connect ID Token containing specific claims by using an authorization details object of type openid_credential. The following example shows how a client requests issuance of an ID Token containing the email and email_verified claims:

[
  {
    "type": "openid_credential",
    "credential_type": "id_token",
    "locations": ["https://example.com"],
    "claims": {
      "email": null,
      "email_verified": null
    }
  }
]

An authorization details object of type openid_credential with credential_type id_token MAY contain the following elements:

  • type: REQUIRED. String that determines the authorization details type. For issuance of an OpenID Connect ID Token this value MUST be openid_credential.
  • credential_type: REQUIRED. String that determines the type of credential to be issued. For an OpenID Connect ID Token this value MUST be id_token.
  • locations: OPTIONAL. Array of strings, each representing the URI of a resource server where the credential will be used.
  • claims: OPTIONAL. Object describing the claims to be embedded in the credential. The value is a JSON object whose member names are the requested claim names and whose member values are either null or a JSON object expressing specific requirements for that claim.
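The element rules above are what an authorization server has to enforce before it acts on such an object. The following is an added example (not code from RFC 9396, OpenID Connect or any project) that checks an openid_credential object against exactly those rules; the function names and the problem messages are this example's own, and the rejected object at the end is constructed to show a failing case.

```python
"""Check an OpenID Connect 'openid_credential' authorization details object
against the element rules listed in A.1.  Added example: the function names
and the problem messages are this example's own, not code from any project."""
import json

ALLOWED_CLAIM_SPEC_TYPES = (type(None), dict)


def validate_openid_credential(obj):
    """Return a list of problems; an empty list means the object is acceptable."""
    if not isinstance(obj, dict):
        return ["authorization details object must be a JSON object"]
    problems = []
    # REQUIRED: type and credential_type carry fixed values for an ID Token.
    if obj.get("type") != "openid_credential":
        problems.append("type must be 'openid_credential'")
    if obj.get("credential_type") != "id_token":
        problems.append("credential_type must be 'id_token'")
    # OPTIONAL: locations is an array of resource server URIs.
    locations = obj.get("locations")
    if locations is not None and not (
        isinstance(locations, list) and all(isinstance(u, str) for u in locations)
    ):
        problems.append("locations must be an array of strings")
    # OPTIONAL: claims maps each claim name to null or to a requirements object.
    claims = obj.get("claims")
    if claims is not None:
        if not isinstance(claims, dict):
            problems.append("claims must be a JSON object")
        else:
            for name, spec in claims.items():
                if not isinstance(spec, ALLOWED_CLAIM_SPEC_TYPES):
                    problems.append(f"claim '{name}' must be null or a JSON object")
    return problems


def requested_claims(obj):
    """Names of the claims the client asked to have embedded, in request order."""
    claims = obj.get("claims") or {}
    return list(claims)


# Constructed input: the request from A.1, plus an object that must be rejected.
REQUEST_FROM_A1 = json.loads("""[
  {
    "type": "openid_credential",
    "credential_type": "id_token",
    "locations": ["https://example.com"],
    "claims": {"email": null, "email_verified": null}
  }
]""")
REJECTED = {"type": "openid_credential", "credential_type": "vc",
            "claims": {"email": "please"}}

if __name__ == "__main__":
    for entry in REQUEST_FROM_A1:
        print(validate_openid_credential(entry), requested_claims(entry))
    print(validate_openid_credential(REJECTED))
```

The check returns a list of problems rather than raising on the first one, so an AS can log every reason a request was refused; the request from A.1 yields an empty list, while the constructed REJECTED object is refused both for its credential_type and for a claim value that is neither null nor an object.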

A.2. Transaction-Specific Authorization

This example illustrates how RAR can be used to express the authorization of a payment transaction. The example assumes a credit transfer between accounts.

The type value used is payment_initiation, the identifier of a (fictitious) authorization details type for payment initiation.

The authorization request looks like this:

GET /authorize?response_type=code
&client_id=s6BhdRkqt3
&state=af0ifjsldkj
&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb
&code_challenge=K2-ltc83acc4h0c9w6ESC_rEMTJ3bww-uCHaoeK1t8U
&code_challenge_method=S256
&authorization_details=%5B%7B%22type%22%3A%22payment_initiation%22%2C%0A%20%20%20%20%20%20%22actions%22%3A%5B%22initiate%22%2C%22status%22%2C%22cancel%22%5D%2C%0A%20%20%20%20%20%20%22locations%22%3A%5B%22https%3A%2F%2Fexample%2Ecom%2Fpayments%22%5D%2C%0A%20%20%20%20%20%20%22instructedAmount%22%3A%7B%0A%20%20%20%20%20%20%20%20%20%22currency%22%3A%22EUR%22%2C%0A%20%20%20%20%20%20%20%20%20%22amount%22%3A%22123%2E50%22%0A%20%20%20%20%20%20%7D%2C%0A%20%20%20%20%20%20%22creditorName%22%3A%22Merchant%20A%22%2C%0A%20%20%20%20%20%20%22creditorAccount%22%3A%7B%0A%20%20%20%20%20%20%20%20%20%22iban%22%3A%22DE02100100109307118603%22%0A%20%20%20%20%20%20%7D%2C%0A%20%20%20%20%20%20%22remittanceInformationUnstructured%22%3A%22Ref%20Number%20Merchant%22%0A%20%20%20%7D%5D HTTP/1.1
Host: as.example.com

For better readability, the URL-decoded authorization_details parameter contains the following JSON document:

[
  {
    "type": "payment_initiation",
    "actions": ["initiate", "status", "cancel"],
    "locations": ["https://example.com/payments"],
    "instructedAmount": {
      "currency": "EUR",
      "amount": "123.50"
    },
    "creditorName": "Merchant A",
    "creditorAccount": {
      "iban": "DE02100100109307118603"
    },
    "remittanceInformationUnstructured": "Ref Number Merchant"
  }
]

The authorization details object for payment initiation contains the following elements:

  • type: REQUIRED. The type of the authorization details, payment_initiation in this example.
  • actions: OPTIONAL. Array of strings representing the actions the client requests authorization to perform. In this example, initiate means creating a new payment, status means reading the status of the payment, and cancel means cancelling the payment.
  • locations: OPTIONAL. Array of strings representing the locations where the client intends to use the access token.
  • instructedAmount: REQUIRED. Object containing the two elements currency and amount, representing the amount to be transferred.
  • creditorName: REQUIRED. String representing the name of the merchant.
  • creditorAccount: REQUIRED. Object containing the account number of the merchant. In this example the account is represented as an IBAN (International Bank Account Number), but other representations can be used.
  • remittanceInformationUnstructured: OPTIONAL. String representing the remittance information for the payment.
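The request above arrives at the AS percent-encoded inside a query string, and the fields it carries decide what money moves where, so the decoding and the field checks are where mistakes matter. The following added example (not code from RFC 9396 or any project) decodes the exact request target shown in A.2 and validates the payment_initiation object it contains. The function names, the currency and decimal rules and the ISO 13616 mod-97 check on the IBAN are this example's own choices for a type the document itself calls fictitious.

```python
"""Decode the authorization request from A.2 and check the payment_initiation
object it carries.  Added example, not code from RFC 9396 or any project:
the function names, the decimal and currency rules and the mod-97 IBAN check
are this example's choices for a 'payment_initiation' type, which the
document itself calls fictitious."""
import json
import re
from decimal import Decimal, InvalidOperation
from urllib.parse import parse_qs, urlsplit

# Constructed: the request target from A.2, joined into a single string.
REQUEST_TARGET = (
    "/authorize?response_type=code"
    "&client_id=s6BhdRkqt3"
    "&state=af0ifjsldkj"
    "&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb"
    "&code_challenge=K2-ltc83acc4h0c9w6ESC_rEMTJ3bww-uCHaoeK1t8U"
    "&code_challenge_method=S256"
    "&authorization_details=%5B%7B%22type%22%3A%22payment_initiation%22%2C%0A"
    "%20%20%20%20%20%20%22actions%22%3A%5B%22initiate%22%2C%22status%22%2C%22cancel%22%5D%2C%0A"
    "%20%20%20%20%20%20%22locations%22%3A%5B%22https%3A%2F%2Fexample%2Ecom%2Fpayments%22%5D%2C%0A"
    "%20%20%20%20%20%20%22instructedAmount%22%3A%7B%0A"
    "%20%20%20%20%20%20%20%20%20%22currency%22%3A%22EUR%22%2C%0A"
    "%20%20%20%20%20%20%20%20%20%22amount%22%3A%22123%2E50%22%0A"
    "%20%20%20%20%20%20%7D%2C%0A"
    "%20%20%20%20%20%20%22creditorName%22%3A%22Merchant%20A%22%2C%0A"
    "%20%20%20%20%20%20%22creditorAccount%22%3A%7B%0A"
    "%20%20%20%20%20%20%20%20%20%22iban%22%3A%22DE02100100109307118603%22%0A"
    "%20%20%20%20%20%20%7D%2C%0A"
    "%20%20%20%20%20%20%22remittanceInformationUnstructured%22%3A%22Ref%20Number%20Merchant%22%0A"
    "%20%20%20%7D%5D"
)

REQUIRED = ("type", "instructedAmount", "creditorName", "creditorAccount")
KNOWN_ACTIONS = {"initiate", "status", "cancel"}


def decode_authorization_details(request_target):
    """Extract and parse authorization_details from an authorization request target."""
    params = parse_qs(urlsplit(request_target).query, strict_parsing=True)
    values = params.get("authorization_details", [])
    if len(values) != 1:
        raise ValueError("authorization_details must appear exactly once")
    details = json.loads(values[0])
    if not isinstance(details, list) or not all(isinstance(d, dict) for d in details):
        raise ValueError("authorization_details must be a JSON array of objects")
    return details


def iban_is_valid(iban):
    """ISO 13616 check digits: move the first four characters to the end,
    replace letters by 10..35 and require the number to be 1 modulo 97."""
    s = iban.replace(" ", "").upper()
    if not re.fullmatch(r"[A-Z]{2}[0-9]{2}[A-Z0-9]{11,30}", s):
        return False
    digits = "".join(str(ord(c) - 55) if c.isalpha() else c for c in s[4:] + s[:4])
    return int(digits) % 97 == 1


def validate_payment_initiation(obj):
    """Return a list of problems; an empty list means the object is acceptable."""
    problems = [f"missing required element '{n}'" for n in REQUIRED if n not in obj]
    if obj.get("type") != "payment_initiation":
        problems.append("type must be 'payment_initiation'")
    actions = obj.get("actions", [])
    if not (isinstance(actions, list)
            and all(isinstance(a, str) and a in KNOWN_ACTIONS for a in actions)):
        problems.append("actions must be a subset of initiate/status/cancel")
    amount = obj.get("instructedAmount") or {}
    if not re.fullmatch(r"[A-Z]{3}", str(amount.get("currency"))):
        problems.append("instructedAmount.currency must be a three-letter code")
    try:
        value = Decimal(str(amount.get("amount")))
        if not value.is_finite() or value <= 0 or value.as_tuple().exponent < -2:
            problems.append("instructedAmount.amount must be positive with at most two decimals")
    except InvalidOperation:
        problems.append("instructedAmount.amount must be a decimal string")
    account = obj.get("creditorAccount") or {}
    if "iban" in account and not iban_is_valid(str(account["iban"])):
        problems.append("creditorAccount.iban fails the mod-97 check")
    return problems


if __name__ == "__main__":
    details = decode_authorization_details(REQUEST_TARGET)
    print(json.dumps(details, indent=2))
    print("problems:", validate_payment_initiation(details[0]))
```

The amount is kept as a string and parsed with Decimal on purpose: treating "123.50" as a float would silently accept values the user never saw on the consent screen. The IBAN in the document passes the mod-97 check, and changing any single digit of it makes the check fail, which is the kind of transcription or tampering error an AS should refuse before asking the user for consent.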

A.3. Multiple Access Tokens

This example illustrates how a client requests authorization for the issuance of two separate access tokens, one for the payment_api resource and another for the account_api resource.

[
  {
    "type": "payment_initiation",
    "locations": ["https://example.com/payment_api"],
    "instructedAmount": {
      "currency": "EUR",
      "amount": "123.50"
    },
    "creditorName": "Merchant A",
    "creditorAccount": {
      "iban": "DE02100100103307118603"
    }
  },
  {
    "type": "account_information",
    "locations": ["https://example.com/account_api"],
    "accounts": [
      {
        "iban": "DE40100100103307118608"
      },
      {
        "iban": "DE40100100103307118888"
      }
    ]
  }
]

In this example, the client requests authorization for two different authorization details objects:

  1. a payment_initiation authorization for https://example.com/payment_api
  2. an account_information authorization for https://example.com/account_api

If the AS decides to issue a separate access token for each resource, the client can make two separate token requests:

Token request 1 (for payment_api):

POST /token HTTP/1.1
Host: as.example.com
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code
&code=SplxlOBeZQQYbYS6WxSbIA
&code_verifier=3641c0461d016ba09c5796b3e7cc5...
&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb
&authorization_details=%5B%7B%22type%22%3A%22payment_initiation%22%2C%22locations%22%3A%5B%22https%3A%2F%2Fexample.com%2Fpayment_api%22%5D%7D%5D

Token request 2 (for account_api):

POST /token HTTP/1.1
Host: as.example.com
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code
&code=SplxlOBeZQQYbYS6WxSbIA
&code_verifier=3641c0461d016ba09c5796b3e7cc5...
&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb
&authorization_details=%5B%7B%22type%22%3A%22account_information%22%2C%22locations%22%3A%5B%22https%3A%2F%2Fexample.com%2Faccount_api%22%5D%7D%5D

A.4. Enriched Authorization Details in Token Response

This example shows a payment_initiation authorization details object that the AS has enriched in the token response with additional data, for example the date of the authorization:

{
  "type": "payment_initiation",
  "actions": ["initiate", "status", "cancel"],
  "locations": ["https://example.com/payments"],
  "instructedAmount": {
    "currency": "EUR",
    "amount": "123.50"
  },
  "creditorName": "Merchant A",
  "creditorAccount": {
    "iban": "DE02100100109307118603"
  },
  "remittanceInformationUnstructured": "Ref Number Merchant",
  "date": "2021-08-12"
}

The AS added the date field to indicate the date on which the authorization was granted.
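The two token requests in A.3 each name a subset of what was granted, and A.4 shows the AS returning that subset with data of its own added. The AS-side step that joins these, picking the granted objects a token request may draw on and refusing anything outside the grant, is not spelled out on the page, so the following is an added example (not code from RFC 9396 or any project) that does it for the token request 1 body from A.3 and the grant date from A.4. The coverage rule it applies (same type, requested locations within the granted ones, every other repeated member equal to what was granted), the function names and the GRANT_DATE constant are this example's own assumptions; the form body is reduced to the parameters the example reads, so code_verifier and redirect_uri are omitted.

```python
"""AS-side handling of the token requests in A.3 and the enrichment in A.4.
Added example, not code from RFC 9396 or any project: the coverage rule
(same type, requested locations within the granted ones, every other
member equal to what was granted) and the function names are this
example's own assumptions about how an AS narrows a grant to one token."""
import json
from datetime import date
from urllib.parse import parse_qs

# Constructed: the authorization details approved at the authorization endpoint (A.3).
GRANTED = json.loads("""[
  {
    "type": "payment_initiation",
    "locations": ["https://example.com/payment_api"],
    "instructedAmount": {"currency": "EUR", "amount": "123.50"},
    "creditorName": "Merchant A",
    "creditorAccount": {"iban": "DE02100100103307118603"}
  },
  {
    "type": "account_information",
    "locations": ["https://example.com/account_api"],
    "accounts": [{"iban": "DE40100100103307118608"}, {"iban": "DE40100100103307118888"}]
  }
]""")

# Constructed: the form body of token request 1 from A.3, reduced to the
# parameters this example reads (code_verifier and redirect_uri omitted).
TOKEN_REQUEST_1 = (
    "grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA"
    "&authorization_details=%5B%7B%22type%22%3A%22payment_initiation%22%2C"
    "%22locations%22%3A%5B%22https%3A%2F%2Fexample.com%2Fpayment_api%22%5D%7D%5D"
)

# The grant date used in A.4 (assumed here to be the date the user consented).
GRANT_DATE = date(2021, 8, 12)


def covers(granted_obj, requested_obj):
    """True when the granted object is at least as broad as the requested one."""
    if granted_obj.get("type") != requested_obj.get("type"):
        return False
    if not set(requested_obj.get("locations", [])) <= set(granted_obj.get("locations", [])):
        return False
    # Any other member the client repeats must be exactly what was granted;
    # a changed amount or creditor in the token request is refused, not trusted.
    return all(granted_obj.get(k) == v for k, v in requested_obj.items()
               if k not in ("type", "locations"))


def select_granted(granted, requested):
    """Return the granted objects that cover each requested object, or refuse."""
    selected = []
    for req in requested:
        match = next((g for g in granted if covers(g, req)), None)
        if match is None:
            raise PermissionError(f"not covered by the grant: {json.dumps(req)}")
        selected.append(match)
    return selected


def enrich(objs, granted_on):
    """A.4: the AS records the grant date in the details it returns."""
    return [dict(o, date=granted_on.isoformat()) for o in objs]


def token_response_details(form_body, granted, granted_on):
    """authorization_details for the token response to one token request."""
    params = parse_qs(form_body, strict_parsing=True)
    requested = json.loads(params["authorization_details"][0])
    return enrich(select_granted(granted, requested), granted_on)


if __name__ == "__main__":
    print(json.dumps(token_response_details(TOKEN_REQUEST_1, GRANTED, GRANT_DATE), indent=2))
```

The token response is built from the granted objects, never from the client's copy, so the instructedAmount and creditorAccount the user consented to are what end up bound to the token; the client's token request only selects which granted object each token covers. A request for a location or a value outside the grant raises PermissionError, and the date member is added to the returned copy only, leaving the stored grant unchanged.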