Validation Decisions

By this point the SP will normally have invoked the validation APIs described in the previous section. The guidelines below explain how to act on the token validation response.

Based on the responses of the “Verify Access Token” and “Obtain User Information” APIs described earlier, the SP should perform the following checks in the order given:

1. (Mandatory) If the “Verify Access Token” API response reports the token as not active, i.e. active=false, the resource server or SP must deny access to the resource and should not act on any other field of that response.

2. (Mandatory) If the SP needs to verify that the presented token was issued to a particular client, it should compare the value of “client_id”, or the values under “client_claims”, in the “Verify Access Token” API response against the expected client. Use an exact match on “client_id”; the human-readable “name” claim is not a reliable identifier on its own.

  • For example, to validate that the presented token was issued to “SDG Digital Vault App”, the SP should check for the following values:

"client_id":"sdg_digivault",
"client_claims":
{
    "distinguished_name":"CN=SDG DigitalVault",
    "sub":"sdg_digitalvault",
    "name":"SDG Digital Vault App",
    "domain":"urn:safelayer:eidas:domain:oauth:client",
    "acr":"urn:safelayer:tws:policies:authentication:level:low",
    "amr":["urn:oasis:names:tc:SAML:1:0:am:password"]
}

3. (Optional but recommended) If the SP needs the "uuid" of the user who was authenticated with the presented access token, it should read the top-level "sub" attribute of the “Verify Access Token” API response. Note that this is distinct from the "sub" under "client_claims", which identifies the client application, not the user.

  • For example, the SP obtains the "uuid" of the authenticated user from a response such as:

{
"sub": "800F475AC0E7A9ED01B2D5D2C25A59B3",
…………
…………
"acr": "urn:safelayer:tws:policies:authentication:level:high",
"mobile": "9715555555555",
"amr": [ "urn:safelayer:tws:policies:authentication:adaptive:methods:mobileid", "urn:uae:authentication:method:verified" ]
}

4. (Optional but recommended) If the SP needs the claims or attributes of the user to whom the access token belongs (e.g. Emirates ID), it should invoke the “User Information API” described in the previous section.

  • For example, if the SP needs the Emirates ID of the authenticated user, it should call the “User Information API” and validate the attributes returned in the response.

5. (Optional) If the SP needs to ensure that the presented access token was issued for a particular scope before deciding whether to grant access, it should check the value of the “scope” parameter in the “Verify Access Token” API response. Check for the required scope among the granted scopes rather than comparing the whole string, so that a token carrying additional scopes is still accepted.

{
    "active": true,
    "scope": "urn:uae:digitalid:profile:general",
    "exp":
}
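The following is an added example, not code from the original page or from the identity provider, showing how an SP could apply steps 1, 2, 3 and 5 above to a parsed “Verify Access Token” response in a single decision function. It assumes the response has already been parsed from JSON into a dict with the field names shown in the samples above, that multiple granted scopes are returned as a space-separated string (the RFC 7662 convention; an assumption, since the page shows only a single scope), and that "exp" is a Unix timestamp. The allowed client IDs, required scopes and the sample responses are constructed for the example.

```python
"""Applying the token validation decisions to a Verify Access Token response.

Added example; not part of the original page. Assumptions (not from the page):
- the response is already parsed into a dict with the field names used above;
- several granted scopes arrive space-separated in "scope" (RFC 7662 style);
- "exp" is a Unix timestamp in seconds.
"""
import json
import time

# Constructed sample responses, shaped like the page's examples.
SAMPLE_ACTIVE = json.loads('''{
  "active": true,
  "client_id": "sdg_digivault",
  "client_claims": {"sub": "sdg_digitalvault", "name": "SDG Digital Vault App"},
  "sub": "800F475AC0E7A9ED01B2D5D2C25A59B3",
  "scope": "urn:uae:digitalid:profile:general",
  "exp": 4102444800
}''')
SAMPLE_INACTIVE = json.loads('{"active": false}')


def validate_token_response(resp, *, allowed_client_ids, required_scopes, now=None):
    """Return (allowed, reason, user_uuid) for an introspection response.

    Checks run in the order the page prescribes:
      step 1: active must be true, otherwise nothing else is trusted;
      step 2: client_id must be one the SP trusts (skipped when
              allowed_client_ids is None);
      step 5: every required scope must be among the granted scopes;
      step 3: the user's uuid is the top-level "sub", not client_claims.sub.
    An "exp" check is added as a defensive measure (an assumption of this
    example, not a step on the page).
    """
    now = time.time() if now is None else now

    # Step 1: an inactive token is rejected before any other field is read.
    if resp.get("active") is not True:
        return False, "token not active", None

    # Step 2: exact match on client_id; never rely on the human-readable name.
    client_id = resp.get("client_id")
    if allowed_client_ids is not None and client_id not in allowed_client_ids:
        return False, f"unexpected client_id {client_id!r}", None

    # Defensive: do not honour an active=true response whose exp has passed.
    exp = resp.get("exp")
    if isinstance(exp, (int, float)) and exp <= now:
        return False, "token expired", None

    # Step 5: split the scope string and require a subset match, so a token
    # granted extra scopes is still accepted while a missing scope is not.
    granted = set(str(resp.get("scope", "")).split())
    missing = set(required_scopes) - granted
    if missing:
        return False, f"missing scope(s): {sorted(missing)}", None

    # Step 3: the user's uuid is the top-level "sub" of the token.
    user_uuid = resp.get("sub")
    if not user_uuid:
        return False, "no subject in response", None
    return True, "ok", user_uuid


if __name__ == "__main__":
    print(validate_token_response(
        SAMPLE_ACTIVE,
        allowed_client_ids={"sdg_digivault"},
        required_scopes={"urn:uae:digitalid:profile:general"},
        now=1_700_000_000))
    print(validate_token_response(
        SAMPLE_INACTIVE, allowed_client_ids={"sdg_digivault"}, required_scopes=set()))
```

Only the user uuid is handed back to the caller; the Emirates ID and other attributes (step 4) still come from the “User Information API” and are deliberately not derived from the introspection response here.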
