iSHARE Developer Portal
Version 2.1 (current version)

Copyright © 2024 iSHARE Foundation


Authentication


Last updated 2 months ago

This page must be considered part of the iSHARE Framework

This page is normative: the key words MUST, MUST NOT, SHALL, SHOULD and MAY are to be interpreted as described in RFC 2119.

Machine to Machine (M2M) Authentication

iSHARE uses the OAuth 2.0 protocol for authenticating parties and for issuing access tokens, based on the iSHARE agreements, when access to an iSHARE-compliant service is requested. For the most recent version of the OAuth 2.0 specification, visit oauth.net. In addition to, or overriding, the OAuth 2.0 specification, the following requirements apply in iSHARE:

  • Clients MUST NOT be pre-registered. A look-up in the Participant Registry is sufficient. It is up to the server to create a new entry for clients that make a request for the first time.

  • The client_id MUST contain a valid Party Identifier of the client.

  • Client assertions are long, so the /oauth2.0/token endpoint MUST accept HTTP POST (a GET with the assertion in the query string may exceed the server's HTTP message size limits). To avoid such rejected GET calls altogether, HTTP GET MUST be disabled on the /oauth2.0/token endpoint. This also keeps the client_assertion out of URLs and access logs, and matches RFC 6749, which requires POST for token requests.

  • Servers MUST NOT issue refresh tokens.

In OAuth 2.0, clients are generally pre-registered. In iSHARE, servers interact with clients that were previously unknown to them, so pre-registration is not a workable requirement. This specification therefore implements a client identification and authentication scheme that lets participants establish a connection with each other based on claims about themselves, digitally signed with a PKI certificate that is trusted within the iSHARE Trust Framework and thereby by its members.

The M2M interaction sections explain how authentication and authorization happen between iSHARE participants. The authentication part requires a proper /token endpoint implementation. If you are already familiar with how authentication works within iSHARE and are ready to implement the endpoint, see the access token section.

Generic Authentication Flow

Based on the standards and specifications described in this scheme, the generic iSHARE authentication flow is shown in the sequence diagram "iSHARE M2M Generic Authentication Flow".

For a deeper understanding of the various roles within the iSHARE network, see the Framework and Roles page in the iSHARE Trust Framework.

The sequence diagram refers to the Service Consumer, Service Provider and Participant Registry. Please note that this authentication flow applies to various possible interactions: any party that needs to authenticate another party requesting data or services can authenticate it through this flow.

The flowchart "Flowchart for validating an iSHARE Access Token" describes the steps within the authentication flow in greater detail.

Certificate Validation

Validating the certificate mainly consists of two steps:

  1. Verifying the validity of the certificate (steps 2.2.2 and 2.2.3 of the above generic authentication flow).

  2. Verifying the iSHARE Status of the party (step 2.2.6 of the above generic authentication flow).

1. Verifying the validity of the certificate

A request in iSHARE MUST always be signed with a certificate issued by a certificate authority on the iSHARE trusted list. Participants can retrieve the trusted list via the /trusted_list endpoint; it consists of the certificate authorities of the qualified Trust Service Providers. The party receiving a request signed with such a certificate is responsible for verifying that the certificate was issued by a certificate authority on the trusted list, i.e. that the full chain validates up to one of those CAs and that the certificate is within its validity period.

For eIDAS eSeals an additional check applies: the Key Usage extension (OID 2.5.29.15) must include Non-Repudiation (called contentCommitment in RFC 5280).

Any other best practice for validating certificates (such as checking revocation via CRL or OCSP) still applies.

2. Verifying the iSHARE Status

Within iSHARE, the identity in the certificate used to sign the client_assertion must be matched with the party identifier inside that client_assertion. The party identifier may not be recorded in the certificate, so the standard procedure to verify the status of an iSHARE party is as follows:

  1. Authenticate yourself with the Participant Registry at its /token endpoint and obtain an access token.

  2. Call /parties/{party_id}, using the client_id from the incoming request as party_id, then decode the parties_token you receive and verify its signature.

  3. In the party information, the status of the party is listed under "status" and must equal "Active". Compare the x5c or x5t#s256 value(s) listed for the party with the certificate that signed the client_assertion in the request; the signing certificate must match one of the registered certificates.

Note

The old method of validating a participant by its certificate subject name is strongly discouraged; in practice it proved unreliable. In any case, the party validating the token request (client_assertion) is responsible for proper validation of incoming requests, and the whole certificate provided in the parties_token must be used for that purpose. This specification can only provide guidance.


Example of iSHARE status verification for the Test Service Consumer (see Test participants):

  1. The x5c value of the Test Service Consumer's request:

[
    "<certificate omitted>",
    "<certificate omitted>",
    "MIIFjjCCA3agAwIBAgIUFj9/3jGORhtIpZ98OLRtRHs0AYswDQYJKoZIhvcNAQELBQAwQTEdMBsGA1UEAwwUZUlEQVNlU0VBTE9JRF9Sb290RzIxEzARBgNVBAoTCmlTSEFSRVRlc3QxCzAJBgNVBAYTAlhYMB4XDTIzMDgyNTA5MDA0NFoXDTQ4MDgyNTA5MDAwNVowQjEeMBwGA1UEAwwVZUlEQVNlU0VBTE9JRF9TdWJDQUczMRMwEQYDVQQKEwppU0hBUkVUZXN0MQswCQYDVQQGEwJYWDCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAL7nzkyoFXWg1ghdG6fnuzuvAdMWsm/I+mX3Dbz3I/KyqLdWt7XG3OWVSnhosAD2W2SXnlGXqxye0hPtEgkQIdel7FnFosWWrsEOratgXlnM4NWpYDKMWEVYro7hzHgCZ126ZPQULls52NcvpRM8S3dZk+XK1kf3VeS0J2hUSFEAZHLyXCXkhTnUI7qo1ur1TmDWYsNQwxDGOu7CQyZYdKIwKqI9eGsRLgM6PQlg3vZCropOodM7loTuirCl3UKw4HrGk2cOiAf4Id//eaVCafwkjKsJTQuAahuRz4qMsHYA3kDQz+0+hgnR74r+iLr+8lr044glnaWIWvrEGciRR+PectfrLOQQIW7ha13dzWozkT0agnT1Lk/CGrgNXVqhosGC0ruAQPI6DcPNy2INM9JgtCmBsSjMM185FIBX4Cy17m73h9rKjXZMxb6TxX7CIZyesgAS0bBRb6xIpKsZrlrjEazsjC2VHRRWOMJWYqcXLD5ZNzGMZUr6Tt2yCUAtamecDATKN6/Gbsxe0tABN0pk0rx5ic+4TXdBroN9OAZchH4tJCsOCKonCzApPxVThDNMxsooyFq9DmgXhyEUOOoeS+Fr4FgH+jSANm/l178Jh9epfXQ9gE/6aqPxYjNSBgS60S1EVqCpxw2rT1mUYeGfwibVm53ixGptR8kte70nAgMBAAGjfTB7MA8GA1UdEwEB/wQFMAMBAf8wHwYDVR0jBBgwFoAU2LubNS1bP+/ha8vMDM+iLrppeowwGAYDVR0gBBEwDzAFBgNVHSAwBgYEVR0gADAdBgNVHQ4EFgQU4ubX0p6DVjN9DKtOWWMYAs+HxdQwDgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3DQEBCwUAA4ICAQB8jqYUw7Tv+W4ZH06PraF6zfdCxT03DhRChw4Z/Qm0XVS2gRyRwcMptQFERhPNOA221u9LqozZ1aK3B35wkcGD/dFJgJCJB96SMttQl2Hp/EiQz9PFF02dBSruXhIaraPbM+NIGdmyN2ZywGGXI1aU7JD3XG29Sh2AAdOkv8dI6gEgzt/DHSIIbakbaLdEIc7WB95GUHcHnNj58TzTSyVfBmtb3vBK9JG0Io6NAPWQYx2VP8+fIylja2d128hgh0dsDrXFAM+9AX8hae5vvxVi8TWs/z2ing+k+immtSNfzzKMiO7r5wJAkyjwtUBlBStKIA6Zer22pmSTZZeucHdEThabcWQidVZmMP3If6ix5UeyX8V6OAw0gsI3IUb91Q76d4sLWbzoGNONAYFC1Iyz0xWj47Zd6P7Z2Gfh1ViIbMxViFDlNmbEZflpES87K/yhBUQ/tnCNGQoSdtsuyuWg3NfWbyJoNZzlU96JWxcqSaXkzse9j8wahayKNM6SWKSY1Z05h8JScOCmFB5F8V3bd5nP/uKja7H8O4GOAAPM3OtG+eq37xW/xN0oAsjbvt4ojnUbJs2kiAxEdwXx0K7mcPeS7zWmVt8h4RdcDm/PGTDa9m8OqhQuck80QnuxIUWVr7GWadh1Ly/tl0+bvmkcnO2ybRJ+gbqREHDTe0sxsw==",
    "MIIFczCCA1ugAwIBAgIUCvfSvQerjFDmM2LvmjoTDOInLAwwDQYJKoZIhvcNAQELBQAwQTEdMBsGA1UEAwwUZUlEQVNlU0VBTE9JRF9Sb290RzIxEzARBgNVBAoTCmlTSEFSRVRlc3QxCzAJBgNVBAYTAlhYMB4XDTIzMDgyNTA5MDAwNloXDTQ4MDgyNTA5MDAwNVowQTEdMBsGA1UEAwwUZUlEQVNlU0VBTE9JRF9Sb290RzIxEzARBgNVBAoTCmlTSEFSRVRlc3QxCzAJBgNVBAYTAlhYMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAxVMKI9RMhnOSA2LorgEC3YDNd2itn72LOdfRRUu45fG70Iev+E4kRrzJ1k23WXH5sHTbcslpETeAZnj0/xKBYdELuwe6HX8kIwd1s6WGlZc0l7ki1fmj4HqSstGJ/BKGj1a7236WwPJEWEHqfx9QMEeuJKlUSVFFyE4jMsfYp87ifIpuwE8oLOw4ykDDOP52Td06vHCIYrqDBrvxFdAuEnFxNxlPXRE4gLsygg62HOxOuGmhWfsy6TccIp5XIOdj2CzeoXJ82m5/imBPJvkefnrjEQXziSE2mi2IBDtGP/AwFWI7WpsEyDXWImMSR0T3CuDmkeQ14pNmcqMp/bqX3i1aetadFTWsuhl0nH2iRqKZDJxZlScu99toq5GrdcFUcxGRQyl+sFhUh3XcBWJV7Y2wnFL2tY7thtQ8ZPmzTO8kPKCbEl5U6gCSIkpRPNZBPG4dT0qu+8Bd71Pu7nAy1iB4U6ys34cFlOlJpGM0FGr35LefbPR8bgz6M9XNjRbgMDQcXDMnfiDJ7E81oVBpCXN9ydHi1blhakuEBaoa9M/kazipGPmAuxrWBMmp2q0wzQp9GS2e8keJIDwJuyzELaRZC4yjVsVZQMK//D+4J3boU5drCmmm6C1rwNRfSZuFGNcIYDZeHteGoCF4EA5jcgdFaIYrDej6VAab42vN5LUCAwEAAaNjMGEwDwYDVR0TAQH/BAUwAwEB/zAfBgNVHSMEGDAWgBTYu5s1LVs/7+Fry8wMz6Iuuml6jDAdBgNVHQ4EFgQU2LubNS1bP+/ha8vMDM+iLrppeowwDgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3DQEBCwUAA4ICAQBbcHyV2b5mGwHWxCSbDwr5V7PgSZIJa1scrCnIHD3Z/yxG7Xp5cIlBj4My4lRHjZtJVvUfTjFpsEDEv/PAq74OIolN/kPdMfTczFBGpvsZr0x2yUPEJzQsTSLx0gwZ+wvoKHWE0C7GqgkABNrFW8FLqRzNqXsmM5oI4c3V5syxwBYFDUY5MPWdqJEDfRvjjJPCXmKOP1lO+i+E07vsFpDzHS2FKB5c6sTIZkvt+H/CG4hVu6ZvcFXXzv2JK/EoVZ6wUdClt4pLgTQZ/W0qQCJ3GjFe/PZ74mckW1x/zk9z0VQjUpTqz3AjPLIjj60nMLTLp50oFcMLjuXss0vv4tUjCTps2Qg9n0GwLlDR42Nyw2TKcMMB6ycEoNiUEu0lga1JM0SVSsFP7GSU/W9VqatK7xp/XW9/GDvgp3Z/pPM0E3i1tqp/nOU43Yof8Wi4JJ6zOgXBzqQxO6MILZJ4qEfenAtI7o95Ty5yk9vRboUstywsfC6CVsu08NL/ttw4OSXOvbkQ+7zMxCYT9YyQD5l/ltC3bgdj/lBZznsBuGYNOB16wDNcGpuuaeksfQfBDPHT+vR6gPVFZpyVwy/tzH6NTpUGDjoHVsCxUjY870OM4D2Jcj9OIqqdlkCoWO6i4Vec7sTzxiX39oNSr1G7Cobc3sYdhnxg/vlg1BeCJ87p0A=="
]
  2. The call to the /parties/{party_id} endpoint to verify the iSHARE status:

GET /parties/did:ishare:EU.NL.NTRNL-10000001

(URL encoding removed)

  3. The decoded response lists the Test Service Consumer as "Active" and includes the x5c and x5t#s256 values of the certificate registered for the party. One of the registered certificates must match the certificate used to sign the JWT (client assertion):

{
  "party_info": {
      "party_id": ["did:ishare:EU.NL.NTRNL-10000001"],
      "party_name": "Test Service Consumer",
      "capability_url": "",
      "registrar_id": "did:ishare:EU.NL.NTRNL-1000000",
      "adherence": {
          "status": "Active",
          "start_date": "2024-01-31T00:00:00.000Z",
          "end_date": "2025-02-01T00:00:00.000Z"
      },
      "additional_info": {
          "description": "",
          "logo": "",
          "website": "",
          "company_phone": "",
          "company_email": "",
          "publicly_publishable": "false",
          "countriesOfOperation": [],
          "sectorIndustry": [],
          "tags": ""
      },
      "agreements": [
          {
              "type": "TermsOfUse",
              "title": "Terms of use",
              "status": "Accepted",
              "sign_date": "2024-01-31T00:00:00.000Z",
              "expiry_date": "2025-01-31T00:00:00.000Z",
              "hash_file": "614331b0003219f2d2d123b0cd6105fb",
              "framework": "iSHARE",
              "dataspace_id": "",
              "dataspace_title": "",
              "compliancy_verified": "yes"
          },
          {
              "type": "AccessionAgreement",
              "title": "Accession agreement",
              "status": "Accepted",
              "sign_date": "2024-01-31T00:00:00.000Z",
              "expiry_date": "2025-01-31T00:00:00.000Z",
              "hash_file": "f50a036402b3b243910ce572930be9f5",
              "framework": "iSHARE",
              "dataspace_id": "",
              "dataspace_title": "",
              "compliancy_verified": "yes"
          }
      ],
      "certificates": [
          {
              "subject_name": "C=NL, O=Test Service Consumer, CN=Test Service Consumer, organizationIdentifier=NTRNL-10000001",
              "certificate_type": "PKIo",
              "enabled_from": "2024-12-20T00:00:00.000Z",
              "x5c": [
                        "MIIGiDCCBHCgAwIBAgIURMIL+omg6v5pU6qFOMFceG1YjDAwDQYJKoZIhvcNAQELBQAwXTEeMBwGA1UEAwwVZUlEQVNlU0VBTE9JRF9Jc3NDQUc0MRkwFwYDVQRhExBOVFJOTC1pU0hBUkVURVNUMRMwEQYDVQQKEwppU0hBUkVUZXN0MQswCQYDVQQGEwJYWDAeFw0yNDExMDYxNDQ1NDFaFw0yNzExMDYxNDQ1NDBaMGYxCzAJBgNVBAYTAk5MMR4wHAYDVQQKDBVUZXN0IFNlcnZpY2UgQ29uc3VtZXIxHjAcBgNVBAMMFVRlc3QgU2VydmljZSBDb25zdW1lcjEXMBUGA1UEYQwOTlRSTkwtMTAwMDAwMDEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDYSKOvmB6UxEaYOPT7APgU4mauSh9vbPacJtM3a4cdzN8KippjoWSbgr6Jb4Fc7tGvNk6nvWZHlHzADFe0aQIGl8IDhuq1BhXJTxHZ4krw/6AEbC/GRcgtJdcanlc3WkM5rMEsoDRd8gOvNTnL7m52DIWb3RS8bCitVH6qn3hoWSwX9XeeU6JrGu1kp6lfT19u1zJKZuBaB0Ia4uzmM+QSd1kU6PeCXQ+trEfVUQkP8g/rzZGnSH8u7NqiwwUfFSiaUyq9P4Ip+K0JBTtAuQ9xpQ6wQxt0ioFNFb9ipmc3xxekowMRykZzEdoHO/ynY3W4sbTSl2eN4EmfHzQGRLJLAgMBAAGjggI1MIICMTAOBgNVHQ8BAf8EBAMCBkAwDAYDVR0TAQH/BAIwADAfBgNVHSMEGDAWgBSzGk9CQOnYeJ1r//wksBCxNDzwiTBXBggrBgEFBQcBAQRLMEkwRwYIKwYBBQUHMAGGO2h0dHBzOi8vY2E3LmlzaGFyZXRlc3QubmV0Ojg0NDIvZWpiY2EvcHVibGljd2ViL3N0YXR1cy9vY3NwMBAGA1UdIAQJMAcwBQYDVR0gMB8GA1UdJQQYMBYGCCsGAQUFBwMEBgorBgEEAYI3CgMMMFsGCCsGAQUFBwEDBE8wTTATBgYEAI5GAQYwCQYHBACORgEGAjA2BggrBgEFBQcBAwwqVGhpcyBpcyB0ZXN0IGVzZWFsIGNlcnRpZmljYXRlIGZvciB0ZXN0aW5nMB4GBWeBDAMBBBUwExMDTlRSEwJOTAwIMTAwMDAwMDEwgccGA1UdHwSBvzCBvDCBuaCBtqCBs4aBsGh0dHBzOi8vY2E3LmlzaGFyZXRlc3QubmV0Ojg0NDIvZWpiY2EvcHVibGljd2ViL3dlYmRpc3QvY2VydGRpc3Q/Y21kPWNybCZpc3N1ZXI9Q04lM0RlSURBU2VTRUFMT0lEX0lzc0NBRzQlMkNvcmdhbml6YXRpb25JZGVudGlmaWVyJTNETlRSTkwtaVNIQVJFVEVTVCUyQ08lM0RpU0hBUkVUZXN0JTJDQyUzRFhYMB0GA1UdDgQWBBRdyUNPiwe2WprwzYgvyZ+6fC1oNDANBgkqhkiG9w0BAQsFAAOCAgEAsXZrFG5ajsFNgTflnbTfD6aL/W0O9uywQ7VTTurZHboHTxDIIL3Gq9Vj/d0vpJJgrfysnR/MBHC9fXonV9WuwSKho91mHquUc7ytlyFwoAN5ROVIR1RBhUosMG0JgTw5PgW9xXBogAZ+7EFDiM70BJUr+ojqlZ2yYS324IDCpgFe9ySXinzTg8+d3jBsQLE0IXnR/+dNNthHhAl1HLfl6wZ9RbPpZgp0AeCcdKbn1IfUzePYMnRyuDjRgnmQYVYD31Qa68gx5Ys1qb/fYwSSpeER0Zf06S0exPUYShtOwRlYqia2z8LgN4TurdwcDcTijmekE9+/oSSITehFroA2eHLsqYte8jQgFBPEcy2syFw1VFDqTa/GnJJkoFCf8jPnlnAHEFJmkhAZ3xeP1Dag30CP+aoCQVNykhO5Z73V6BpNhdpgaYX4B/QRePUhqUoYbHLefAlyO7SFRahycW+o66K5GueptgtQ2DrrjvCtaCG8EtJczihAjBN0OQZsQWnU8vooLss+Rmfg9MXTR8k85cYT9ZMdU/46zlgAMIaJizv8j4eHaKgfRBB1gw71oW97oW5QKQx861UrR1u0DJmSQSUwNYlopKVRnHvXJWUIreOqLfSSB/1uVQfvq0UzsJKdeOCKRLpXXgxB3w7S2+5KFETS7tcbZ6mIxZlJlh0VRSs=",
                        "<certificate omitted>",
                        "MIIFjjCCA3agAwIBAgIUFj9/3jGORhtIpZ98OLRtRHs0AYswDQYJKoZIhvcNAQELBQAwQTEdMBsGA1UEAwwUZUlEQVNlU0VBTE9JRF9Sb290RzIxEzARBgNVBAoTCmlTSEFSRVRlc3QxCzAJBgNVBAYTAlhYMB4XDTIzMDgyNTA5MDA0NFoXDTQ4MDgyNTA5MDAwNVowQjEeMBwGA1UEAwwVZUlEQVNlU0VBTE9JRF9TdWJDQUczMRMwEQYDVQQKEwppU0hBUkVUZXN0MQswCQYDVQQGEwJYWDCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAL7nzkyoFXWg1ghdG6fnuzuvAdMWsm/I+mX3Dbz3I/KyqLdWt7XG3OWVSnhosAD2W2SXnlGXqxye0hPtEgkQIdel7FnFosWWrsEOratgXlnM4NWpYDKMWEVYro7hzHgCZ126ZPQULls52NcvpRM8S3dZk+XK1kf3VeS0J2hUSFEAZHLyXCXkhTnUI7qo1ur1TmDWYsNQwxDGOu7CQyZYdKIwKqI9eGsRLgM6PQlg3vZCropOodM7loTuirCl3UKw4HrGk2cOiAf4Id//eaVCafwkjKsJTQuAahuRz4qMsHYA3kDQz+0+hgnR74r+iLr+8lr044glnaWIWvrEGciRR+PectfrLOQQIW7ha13dzWozkT0agnT1Lk/CGrgNXVqhosGC0ruAQPI6DcPNy2INM9JgtCmBsSjMM185FIBX4Cy17m73h9rKjXZMxb6TxX7CIZyesgAS0bBRb6xIpKsZrlrjEazsjC2VHRRWOMJWYqcXLD5ZNzGMZUr6Tt2yCUAtamecDATKN6/Gbsxe0tABN0pk0rx5ic+4TXdBroN9OAZchH4tJCsOCKonCzApPxVThDNMxsooyFq9DmgXhyEUOOoeS+Fr4FgH+jSANm/l178Jh9epfXQ9gE/6aqPxYjNSBgS60S1EVqCpxw2rT1mUYeGfwibVm53ixGptR8kte70nAgMBAAGjfTB7MA8GA1UdEwEB/wQFMAMBAf8wHwYDVR0jBBgwFoAU2LubNS1bP+/ha8vMDM+iLrppeowwGAYDVR0gBBEwDzAFBgNVHSAwBgYEVR0gADAdBgNVHQ4EFgQU4ubX0p6DVjN9DKtOWWMYAs+HxdQwDgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3DQEBCwUAA4ICAQB8jqYUw7Tv+W4ZH06PraF6zfdCxT03DhRChw4Z/Qm0XVS2gRyRwcMptQFERhPNOA221u9LqozZ1aK3B35wkcGD/dFJgJCJB96SMttQl2Hp/EiQz9PFF02dBSruXhIaraPbM+NIGdmyN2ZywGGXI1aU7JD3XG29Sh2AAdOkv8dI6gEgzt/DHSIIbakbaLdEIc7WB95GUHcHnNj58TzTSyVfBmtb3vBK9JG0Io6NAPWQYx2VP8+fIylja2d128hgh0dsDrXFAM+9AX8hae5vvxVi8TWs/z2ing+k+immtSNfzzKMiO7r5wJAkyjwtUBlBStKIA6Zer22pmSTZZeucHdEThabcWQidVZmMP3If6ix5UeyX8V6OAw0gsI3IUb91Q76d4sLWbzoGNONAYFC1Iyz0xWj47Zd6P7Z2Gfh1ViIbMxViFDlNmbEZflpES87K/yhBUQ/tnCNGQoSdtsuyuWg3NfWbyJoNZzlU96JWxcqSaXkzse9j8wahayKNM6SWKSY1Z05h8JScOCmFB5F8V3bd5nP/uKja7H8O4GOAAPM3OtG+eq37xW/xN0oAsjbvt4ojnUbJs2kiAxEdwXx0K7mcPeS7zWmVt8h4RdcDm/PGTDa9m8OqhQuck80QnuxIUWVr7GWadh1Ly/tl0+bvmkcnO2ybRJ+gbqREHDTe0sxsw==",
                        "<certificate omitted>"
                      ],
              "x5t#s256": "893aad639bf8b0958edbcf7d719023077d15828701a0a6fcc6d54a0684ce940d"
          }
      ],
      "roles": [
          {
              "role": "ServiceConsumer",
              "start_date": "2023-01-31T00:00:00.000Z",
              "end_date": "2024-01-31T00:00:00.000Z",
              "loa": "High",
              "compliancy_verified": "yes",
              "legal_adherence": "yes"
          },
          {
              "role": "ServiceProvider",
              "start_date": "2023-01-31T00:00:00.000Z",
              "end_date": "2024-01-31T00:00:00.000Z",
              "loa": "High",
              "compliancy_verified": "yes",
              "legal_adherence": "yes"
          },
          {
              "role": "EntitledParty",
              "start_date": "2023-01-31T00:00:00.000Z",
              "end_date": "2024-01-31T00:00:00.000Z",
              "loa": "High",
              "compliancy_verified": "yes",
              "legal_adherence": "yes"
          }
      ],
      "authregistery": []
  }
}
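The two-step validation above, implemented end to end in Go as an added example; this is not code from the iSHARE Foundation or the Developer Portal. It assumes that the trusted list has already been loaded into an x509.CertPool (roots), that the parties_token returned by GET /parties/{client_id} has already been signature-checked and decoded (partiesJSON; only the party_info fields shown in the response above are read), that the client_assertion is an RS256 JWT carrying the full chain in its x5c header as the iSHARE JWT rules require, and that x5t#s256 is the hex SHA-256 of the DER certificate, as in the response above. newFixture is a constructed scenario with a throw-away CA standing in for a trusted-list CA and the Test Service Consumer identifier from this page; must is a small panic-on-error helper used only for that fixture. Revocation checking (CRL/OCSP) is deliberately left out and has to be added for production use.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

func decodeSegment(seg string, v any) error { // base64url-decode one JWT segment (header or claims) into v
	b, err := base64.RawURLEncoding.DecodeString(seg)
	if err != nil { return err }
	return json.Unmarshal(b, v)
}

// verifyClientAssertion is the receiving party's two-step check from this page: (1) the x5c chain leads to a CA in roots
// (the trusted list), the leaf is valid, carries Non-Repudiation and signed the JWT, and client_id == iss == sub;
// (2) partiesJSON, the decoded parties_token for client_id, reports status Active and lists the leaf's x5t#s256.
func verifyClientAssertion(assertion, clientID string, roots *x509.CertPool, partiesJSON []byte) error {
	parts := strings.Split(assertion, ".")
	if len(parts) != 3 { return errors.New("malformed JWT") }
	var hdr struct{ Alg string `json:"alg"`; X5c []string `json:"x5c"` }
	if err := decodeSegment(parts[0], &hdr); err != nil { return err }
	if hdr.Alg != "RS256" || len(hdr.X5c) == 0 { return errors.New("alg must be RS256 and x5c must be present") } // pin alg: it is attacker-controlled until the signature is verified
	chain := make([]*x509.Certificate, len(hdr.X5c))
	for i, s := range hdr.X5c {
		der, err := base64.StdEncoding.DecodeString(s)
		if err != nil { return err }
		if chain[i], err = x509.ParseCertificate(der); err != nil { return err }
	}
	leaf, inter := chain[0], x509.NewCertPool()
	for _, c := range chain[1:] { inter.AddCert(c) }
	// Step 1: the leaf must chain to a trusted-list CA and be within its validity period (revocation checking not shown).
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return fmt.Errorf("certificate chain: %w", err)
	}
	// eSeal rule from this page: Key Usage (2.5.29.15) must include Non-Repudiation (contentCommitment in RFC 5280).
	if leaf.KeyUsage&x509.KeyUsageContentCommitment == 0 { return errors.New("key usage lacks Non-Repudiation") }
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil { return err }
	// The JWT must really be signed by the leaf's key, not merely carry its certificate in x5c.
	if err := leaf.CheckSignature(x509.SHA256WithRSA, []byte(parts[0]+"."+parts[1]), sig); err != nil { return fmt.Errorf("JWT signature: %w", err) }
	var claims struct{ Iss string `json:"iss"`; Sub string `json:"sub"`; Exp int64 `json:"exp"` }
	if err := decodeSegment(parts[1], &claims); err != nil { return err }
	if claims.Iss != clientID || claims.Sub != clientID || time.Now().Unix() >= claims.Exp { return errors.New("iss/sub must equal client_id and exp must lie in the future") }
	// Step 2: iSHARE status from the parties_token of GET /parties/{client_id} (field names as in the response above).
	var reg struct{ PartyInfo struct {
		PartyID []string `json:"party_id"`; Adherence struct{ Status string `json:"status"` } `json:"adherence"`
		Certificates []struct{ X5t string `json:"x5t#s256"` } `json:"certificates"`
	} `json:"party_info"` }
	if err := json.Unmarshal(partiesJSON, &reg); err != nil { return err }
	p, known := reg.PartyInfo, false
	for _, id := range p.PartyID { known = known || id == clientID }
	if !known || p.Adherence.Status != "Active" { return fmt.Errorf("%s is not an Active iSHARE party", clientID) }
	want := fmt.Sprintf("%x", sha256.Sum256(leaf.Raw)) // x5t#s256 is the hex SHA-256 of the DER certificate: match on it, never on the subject name
	for _, c := range p.Certificates {
		if strings.EqualFold(c.X5t, want) { return nil }
	}
	return errors.New("the certificate that signed the client_assertion is not registered for this party")
}

// must panics on error; used only to build the constructed fixture below, never in request handling.
func must[T any](v T, err error) T { if err != nil { panic(err) }; return v }
// newFixture builds the constructed scenario: a throw-away CA standing in for a trusted-list CA, a leaf eSeal for the
// Test Service Consumer, a signed client_assertion, and the parties_token payload the registry would return for it.
func newFixture(status string, nonRepudiation bool) (assertion, clientID string, roots *x509.CertPool, parties []byte) {
	clientID = "did:ishare:EU.NL.NTRNL-10000001" // Test Service Consumer, as on this page
	caKey, leafKey := must(rsa.GenerateKey(rand.Reader, 2048)), must(rsa.GenerateKey(rand.Reader, 2048))
	now, ku := time.Now(), map[bool]x509.KeyUsage{true: x509.KeyUsageContentCommitment, false: x509.KeyUsageDigitalSignature}[nonRepudiation]
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed trusted-list CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	ca := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "Test Service Consumer"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), KeyUsage: ku}
	leaf := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey))))
	hdr := must(json.Marshal(map[string]any{"alg": "RS256", "typ": "JWT", "x5c": []string{base64.StdEncoding.EncodeToString(leaf.Raw), base64.StdEncoding.EncodeToString(ca.Raw)}})) // full chain, leaf first
	claims := must(json.Marshal(map[string]any{"iss": clientID, "sub": clientID, "aud": "constructed-service-provider",
		"jti": "constructed-jti-1", "iat": now.Unix(), "exp": now.Unix() + 30})) // iss == sub == client_id, 30 s lifetime
	input := base64.RawURLEncoding.EncodeToString(hdr) + "." + base64.RawURLEncoding.EncodeToString(claims)
	digest := sha256.Sum256([]byte(input))
	sig := must(rsa.SignPKCS1v15(rand.Reader, leafKey, crypto.SHA256, digest[:])) // RS256
	roots = x509.NewCertPool(); roots.AddCert(ca)
	parties = must(json.Marshal(map[string]any{"party_info": map[string]any{"party_id": []string{clientID}, "adherence": map[string]string{"status": status},
		"certificates": []map[string]string{{"x5t#s256": fmt.Sprintf("%x", sha256.Sum256(leaf.Raw))}}}}))
	return input + "." + base64.RawURLEncoding.EncodeToString(sig), clientID, roots, parties
}

func main() {
	for _, tc := range []struct{ status string; nonRep bool }{{"Active", true}, {"Inactive", true}, {"Active", false}} {
		fmt.Printf("status=%-8s nonRepudiation=%-5v -> %v\n", tc.status, tc.nonRep, verifyClientAssertion(newFixture(tc.status, tc.nonRep)))
	}
}
```

Running it prints the verdict for an Active party with a proper eSeal (no error), for a party whose status is Inactive, and for a certificate without the Non-Repudiation key usage; the last two are refused. Two design choices follow the Note above: the signing algorithm is pinned instead of being read from the header, and the party is matched on the certificate fingerprint rather than on the subject name. A client_id that differs from iss/sub, or a parties_token that lists a different certificate, is refused as well.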

Human to Machine (H2M) Authentication

Besides machine-to-machine interaction, it can be relevant to know that a specific person is requesting data or a service. To provide a Service Provider with identity information about a human subject, iSHARE uses the OpenID Connect 1.0 protocol.

  • Clients (i.e. Service Providers) MUST NOT be pre-registered. A look-up in the Participant Registry (the iSHARE adherence registry) is sufficient. It is up to the server to create a new entry for clients that make a request for the first time.

  • Servers SHALL NOT issue refresh tokens.

Generic Authentication Flow

Based on the standards and specifications described in this scheme, the generic iSHARE Human-to-Machine authentication flow is shown in the sequence diagram "iSHARE Generic H2M Authentication Flow".

The sequence diagram shows how the Service Provider interacts with an Identity Provider in order to receive identity information on the human user (who uses a browser to interact with the Service Provider). The specific details of the steps in this authentication flow are described in the generic API documentation of iSHARE: /identity_provider/authorize, /identity_provider/token, /identity_provider/userinfo and /service_provider/openid_connect1.0/return.

A few remarks regarding this flow:

  • The human user might interact with the Service Provider in another way than through a web browser.

  • After the Service Provider sends the POST /token request, the Identity Provider can verify the Service Provider's iSHARE adherence with the Participant Registry, using the certificate validation described above. Adherence checks and certificate validation are not displayed in this flow, which only describes the generic OpenID Connect 1.0 flow.

The Postman collections (see Getting started) contain a demo of this authentication flow from the perspective of a Service Provider.

It is always the responsibility of the receiving iSHARE party to verify the certificate and the status of the requesting iSHARE party. During conformance testing (see Conformance test tool) only the validation of test certificates can be checked, so make sure that real certificates are validated properly as well, as described under Certificate Validation above.

Send a request to the /parties endpoint of the Participant Registry. The party_id parameter should carry the client_id from the incoming request (which must equal the iss and sub claims of the client_assertion).

The iSHARE use of OpenID Connect 1.0 is based on the requirements of the official standard. In addition to the OpenID Connect 1.0 specification, the following requirement applies:

The client_id MUST contain the valid Party Identifier of the client.

This flow only describes identification and authentication of a human user, while in iSHARE it is always relevant that their authorization (acting on behalf of an organization) is verified as well. This process is described in the Human Authorization section.
