- changed milestone to IDA Final
Move transaction specific purpose out of the main specification
Issue #1386
resolved
No description provided.
Comments (4)
-
-
removal of Transaction specific purpose from IDA draft in PR #185
following content removed…
This specification introduces the additional field `purpose` to allow an RP to state the purpose for the transfer of a certain End-User Claim it is asking for. The field `purpose` can be a member value of each individually requested Claim, but a Claim cannot have more than one associated purpose.

`purpose`: OPTIONAL. String describing the purpose for obtaining a certain End-User Claim from the OP. The purpose MUST NOT be shorter than 3 characters or longer than 300 characters. If this rule is violated, the authentication request MUST fail and the OP return an error `invalid_request` to the RP. The OP MUST display this purpose in the respective End-User consent screen(s) in order to inform the End-User about the designated use of the data to be transferred or the authorization to be approved. If the parameter `purpose` is not present in the request, the OP MAY display a value that was pre-configured for the respective RP. For details on UI localization, see (#purpose).

Example:

<{{examples/request/purpose.json}}

-------

# Transaction-specific Purpose {#purpose}

This specification introduces the request parameter `purpose` to allow an RP to state the purpose for the transfer of End-User data it is asking for.

`purpose`: OPTIONAL. String describing the purpose for obtaining certain End-User data from the OP. The purpose MUST NOT be shorter than 3 characters and MUST NOT be longer than 300 characters. If these rules are violated, the authentication request MUST fail and the OP returns an error `invalid_request` to the RP.

The OP SHOULD use the purpose provided by the RP to inform the respective End-User about the designated use of the data to be transferred or the authorization to be approved.

In order to ensure a consistent UX, the RP MAY send the `purpose` in a certain language and request the OP to use the same language using the `ui_locales` parameter.

If the parameter `purpose` is not present in the request, the OP MAY utilize a description that was pre-configured for the respective RP.

Note: In order to prevent injection attacks, the OP MUST escape the text appropriately before it will be shown in a user interface. The OP MUST expect special characters in the URL decoded purpose text provided by the RP. The OP MUST ensure that any special characters in the purpose text cannot be used to inject code into the web interface of the OP (e.g., cross-site scripting, defacing). Proper escaping MUST be applied by the OP. The OP SHALL NOT remove characters from the purpose text to this end.
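The OP-side rules in the removed text above, as an added example that is not part of the issue thread or the specification: enforce the 3 to 300 character bounds, fail with `invalid_request`, fall back to a pre-configured value, and escape rather than strip before display. The function names, the per-RP default, the HTML consent page, and counting length in Unicode code points are assumptions of this sketch.

```python
import html

MIN_LEN, MAX_LEN = 3, 300  # bounds stated in the removed spec text


class InvalidRequest(Exception):
    """Raised when the request must fail; maps to error code `invalid_request`."""
    error = "invalid_request"


def resolve_purpose(requested, preconfigured=None):
    """Return the purpose text to display, or None if there is none.

    `requested` is the URL-decoded `purpose` sent by the RP (None if absent).
    `preconfigured` is a hypothetical per-RP default stored at the OP.
    """
    if requested is None:
        return preconfigured  # the OP MAY use a pre-configured description
    if not isinstance(requested, str):
        raise InvalidRequest("purpose must be a string")
    # Assumption: "characters" is read as Unicode code points, not bytes.
    if not (MIN_LEN <= len(requested) <= MAX_LEN):
        raise InvalidRequest("purpose must be 3 to 300 characters long")
    return requested


def render_purpose_html(purpose):
    """Escape for HTML text and quoted-attribute contexts.

    Every character survives in encoded form; nothing is removed,
    matching "The OP SHALL NOT remove characters".
    """
    return html.escape(purpose, quote=True)


def consent_fragment(requested, preconfigured=None):
    """Build the consent-screen fragment (hypothetical markup)."""
    text = resolve_purpose(requested, preconfigured)
    if text is None:
        return ""
    # The pre-configured value is escaped too, so both paths share one sink.
    return '<p class="purpose">' + render_purpose_html(text) + "</p>"


if __name__ == "__main__":
    # Constructed sample input containing HTML special characters.
    print(consent_fragment('Verify <b>age</b> & "ID"'))
```

`html.escape` covers HTML body and quoted-attribute contexts only; a purpose placed into JavaScript, a URL, or CSS needs the encoder for that context.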
-
this issue should not be closed after PR#185 is merged, only once a new draft is created or it is decided there won’t be a new draft.
-
- changed status to resolved
resolved by #PR 185