-
Notifications
You must be signed in to change notification settings - Fork 11
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
KYC-Fill-In: define scopes #155
Conversation
Thanks @AxelNennker, @HuubAppelboom, I totally agree that data minimization must be addressed following GDPR recommendations. That was a subject we had to work. But I'm quite surprised we should answer by multiple scopes per attribute. |
if we see what TMF recommends using fields syntax in the query, to do something similar we should have use a GET operation. |
@AxelNennker @GillesInnov35 Another option is to use claims as an Authorization request parameter |
Maybe you are wondering about the kyc-fill-in:fill-in scope value? I started with that because I wanted to use the OIDC standard claim in this API. Then I discovered that this API does not use the OIDC standard claims. There are minimal differences sometimes e.g. given_name vs givenName. I am going to remove the scope value kyc-fill-in:fill-in from this PR and always use the the attributes as scope. The scope value in the authorization request would be "kyc-fill-in:givenName kyc-fill-in:familyName" if the API Consumer wants an access token hat allows the givenName and the familyName to be retrieved in the API call. The API call would not have any attributes as parameters because givenName and familyName would be associated with the access token. |
I wanted to propose here a minimal PR to KYC that allows retrieval of a subset of the claims the API provider has. The attribute/claims and related scopes are defined by KYC-Fill-in and KYC-Match. |
I created a discussion #158 about why KYC uses e.g. givenName instead of the OIDC standard "given_name". |
I closed the discussion #158 This a minimal PR that enables data-minimization. As for the "alternatives", yes "claims" could be an alternative. Although, I think, the "essential" claims and optional claims also gets the API provider in hot GDPR water. |
Hi @AxelNennker , Hi all, Ater yesterday's meeting, I have discussed this internally with my colleagues. Actually, what we are doing for the KYC Fill-in service is that, when we make contract with RPs for the KYC Fill-in API use, it is decided which parameters/attributes each RP (App client) will receive by the API call, based on each RP's requirement. Each RP's requirement for KYC Fill-in API is usually stable, and by this process, we conform to data-minimization concept. So, our view is that for non-GDPR countries including Japan, the proposed 'atomized scope' may be too much, a kind of bother to API users, potentially creating some side effects e.g. it may result in a extremely long URL because of many scopes with percent-encoding. So we tend to be negative. But, at the same time, GDPR countries' circumstances are understandable. One proposal. Why don't we keep 'kyc-fill-in:fill-in' and just add atomized scope proposed by this PR, to fulfill both sides' requirements? Thanks, |
As you know, the agreement on allowed scope is done in CAMARA during the onboarding process of the API consumer.
Current URL limits are at about 4k, I think, which should fit even long lists of scopes. Please see: https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
OIDC also defines some scopes like "profile" that means that a collection of attributes is returned in the API response. Merge this PR and then create a new one that defines the special scopes? //Axel ps: I am not too happy that this API returns each attribute that is part of an address separately.
|
Hi Camara people, Just a couple of thoughts for you to add into your decision making... |
Thanks, @AxelNennker , @Macke , We do not have a strong opinion on which to be used, scopes or claims parameters, for each kyc-fill-in parameters, first of all. From KDDI point of view, considering our API Customers' needs, we would still prefer to use scopes including a few or several parameters. For data minimization, taking Axel's suggestion into account, we could define special scopes, each of which would have a specific set of parameters. So the proposal is to add a special scope which includes all parameters to this PR #155, and then to define additional special scopes in later releases. The proposed special scope including all parameters is: 'kyc-fill-in:set-all'. It is easily understood that the scope is for all the parameters. (Meaning easier than 'kyc-fill-in:fill-in'). Best regards, |
So 'kyc-fill-in:set-all' would mean this list: kyc-fill-in:phoneNumber If the API Provider does not know the attribute then that value would not returned. Taking the example from kyc-fill-in the response might be:
If the API Provider would not know e.g. idDocument or e.g. nameKanaHankaku then that value would be missing. |
Hi @AxelNennker , Thanks very much for your proposal 'add section defining kyc-fill-in:set:all'. It is fine with us. Thanks, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM Thanks
The current KYC Fill-In API does not fulfill the GDPR principle of data minimization.
What type of PR is this?
What this PR does / why we need it:
This PR defines the scopes that the API consumer can use when sending an OIDC authentication request or an CIBA authentication request.
Removed 2024-10-29: references to standard claims defined in OIDC. I think it might be a separate discussion why CAMARA KYC uses e.g. givenName and not given_name. As defined in OIDC standard claims.
Which issue(s) this PR fixes:
Fixes #90
Special notes for reviewers:
OpenAPI specification: https://github.com/OAI/OpenAPI-Specification/blob/main/versions/3.0.3.md#security-requirement-object
Which means that the API Consumer can request using `scope="openid kyc-fill-in:fill-in kyc-fill-in:phoneNumber name".
The access token would then have the scopes associated with it and the API producer will then find this association and the security requirement would be fulfilled. Then the API producer can go through the list of associated scopes and can add the requested attributes to the KYC Fill-In response.