| ITI71 | ITI71-001 | to be reviewed | Testable |
0
|
0
| | The Authorization Client makes a HTTP(s) POST request to the token endpoint with the grant-type parameter in the HTTP request entity-body [OAuth 2.1, Section 4.2.2] | 9 | Section 3.71.4.1.2.1 | 6/27/22 3:54:39 PM by vhofman |
|
| ITI71 | ITI71-002 | to be reviewed | Testable |
0
|
0
| | The Authorization Client makes a HTTP(s) POST request to the token endpoint with the resource and scope parameters in the HTTP request entity-body [OAuth 2.1, Section 4.2.2] | 9 | Section 3.71.4.1.2.1 | 6/27/22 3:54:39 PM by vhofman |
|
| ITI71 | ITI71-003 | to be reviewed | Testable |
0
|
0
| | The request shall use the application/x-www-form-urlencoded format with a character encoding of UTF-8 [OAuth 2.1, Section 4.2.2]. | 10 | Section 3.71.4.1.2.1 | 6/27/22 3:54:39 PM by vhofman |
|
| ITI71 | ITI71-004 | to be reviewed | Testable |
0
|
0
| | The Authorization Client shall present its client_id and client_secret in a HTTP Basic Authentication Header to the Authorization Server. | 10 | Section 3.71.4.1.2.1 | 6/27/22 3:54:39 PM by vhofman |
|
| ITI71 | ITI71-005 | to be reviewed | Testable |
0
|
0
| | An Authorization Client that supports the Get Authorization Server Metadata Option shall use the token_endpoint URL from the Authorization Server Metadata Document to obtain the access token (see ITI TF-2: 3.103 Get Authorization Server Metadata). | 10 | Section 3.71.4.1.2.1 | 6/27/22 3:54:39 PM by vhofman |
|
| ITI71 | ITI71-006 | to be reviewed | Testable |
0
|
0
| | Client authorization code grant type shall be used by confidential, credential and public clients, if the explicit consent of the user is required to authorize the Authorization Client to access data on behalf of the user. | 10 | Section 3.71.4.1.2.2 | 6/27/22 3:54:39 PM by vhofman |
|
| ITI71 | ITI71-007 | to be reviewed | Testable |
0
|
0
| | An Authorization Client that supports the Authorization Server Metadata Option shall use the "authorization_endpoint" URL from the Authorization Server Metadata Document to redirect the User-Agent. | 11 | Section 3.71.4.1.2.3 | 6/27/22 3:54:39 PM by vhofman |
|
| ITI71 | ITI71-008 | to be reviewed | Testable |
0
|
0
| | A HTTP GET request to the authorization endpoint with response_type, client_id (if known), state and code_challenge parameters using the "application/x-www-form-urlencoded" format [OAuth 2.1, Section 4.1.1.3] | 11 | Section 3.71.4.1.2.3 | 6/27/22 3:54:39 PM by vhofman |
|
| ITI71 | ITI71-009 | to be reviewed | Testable |
0
|
0
| | A HTTP GET request to the authorization endpoint with resource, code_challenge_method, redirect_uri and scope parameters using the "application/x-www-form-urlencoded" format [OAuth 2.1, Section 4.1.1.3] | 11 | Section 3.71.4.1.2.3 | 6/27/22 3:54:39 PM by vhofman |
|
| ITI71 | ITI71-010 | to be reviewed | Testable |
0
|
0
| | The Authorization Server shall redirect the user agent to the Authorization Client's redirect URI with the authorization response parameter in the application/x-www-form-urlencoded format. | 11 | Section 3.71.4.1.2.3 | 6/27/22 3:54:39 PM by vhofman |
|
| ITI71 | ITI71-011 | to be reviewed | Testable |
0
|
0
| | The authorization response parameters shall be code and state. | 11 | Section 3.71.4.1.2.3 | 6/27/22 3:54:39 PM by vhofman |
|
| ITI71 | ITI71-012 | to be reviewed | Testable |
0
|
0
| | The Authorization Client shall use the authorization code in an access token request to retrieve an access token and token metadata from the Authorization Server. | 11 | Section 3.71.4.1.2.3 | 6/27/22 3:54:39 PM by vhofman |
|
| ITI71 | ITI71-013 | to be reviewed | Testable |
0
|
0
| | An Authorization Client that supports the Get Authorization Server Metadata Option shall use the "token_endpoint" URL from the Authorization Server Metadata Document to obtain the access token. | 11 | Section 3.71.4.1.2.3 | 6/27/22 3:54:39 PM by vhofman |
|
| ITI71 | ITI71-014 | to be reviewed | Testable |
0
|
0
| | The Authorization Client makes a HTTP POST request to the token endpoint with grant_type, code, redirect_uri, client_id parameters in the HTTP request entity-body [OAuth 2.1, Section 4.1.3]. | 11 | Section 3.71.4.1.2.3 | 6/27/22 3:54:39 PM by vhofman |
|
| ITI71 | ITI71-015 | to be reviewed | Testable |
0
|
0
| | code_verifier parameter SHALL be used if "code_challenge" parameter was used in the authorization request. | 11 | Section 3.71.4.1.2.3 | 6/27/22 3:54:39 PM by vhofman |
|
| ITI71 | ITI71-016 | to be reviewed | Testable |
0
|
0
| | code_verifier parameter SHALL NOT be used if "code_challenge" parameter was NOT used in the authorization request. | 11 | Section 3.71.4.1.2.3 | 6/27/22 3:54:39 PM by vhofman |
|
| ITI71 | ITI71-017 | to be reviewed | Testable |
0
|
0
| | The scope parameter incorporated in the token requests shall be used to restrict authorization grants to specific actions and to convey claims, which at runtime are known to the Authorization Client only. | 11 | Section 3.71.4.1.3 | 6/27/22 3:54:39 PM by vhofman |
|
| ITI71 | ITI71-018 | to be reviewed | Testable |
0
|
0
| | The Authorization Server may refuse token requests that mention scope values that are unknown to the Authorization Server. | 11 | Section 3.71.4.1.3 | 6/27/22 3:54:39 PM by vhofman |
|
| ITI71 | ITI71-019 | to be reviewed | Testable |
0
|
0
| | The Authorization Client is recommended to provide a resource value to limit usability of the requested token to the intended Resource Server. | 11 | Section 3.71.4.1.3 | 6/27/22 3:54:39 PM by vhofman |
|
| ITI71 | ITI71-020 | to be reviewed | Testable |
0
|
0
| | If provided, the Authorization Server should evaluate any resource values provided as part of the token request procedure. | 11 | Section 3.71.4.1.3 | 6/27/22 3:54:39 PM by vhofman |
|