Security concerns
              Security concepts
              
                This section focuses on the use of security protocols and techniques based on the manipulation of network messages. It also addresses how security requirements can vary depending on the application scenario and the use case.  | 
              Security
              
                This document describes the security profiles identified by AgID that the providers must use to satisfy the needs expressed through functional and non-functional requirements.  | 
| Channel security and / or identification of organizations | 
| User (consumer) access | 
              Integrity of SOAP message
              
                This profile extends IDAS01 or IDAS02, adding message-level integrity of the message payload to the communication between user and provider.  | 
              Integrity of REST message
              
                This profile extends IDAR01 or IDAR02, adding message-level integrity of the message payload to the communication between user and provider.  | 
| Confidentiality and user (consumer) authentication | 
| Non repudiation of transactions | 
              REST API safety
              
                JOSE, JWT  | 
              SOAP service safety
              
                The Basic Security Profile 1.1, based on the WS-Security extension, suggests the use of SAML 2.0. As mentioned, with respect to authentication and authorization technologies, there are some application domains for which OAuth2 or OpenID are more appropriate.  | 
| 3.1 Security | 
              3.2 Authentication and Representation
              
                The REST API MUST exclusively use an OAuth2 implementation for user authentication and authorization.  | 
| 3.6.8 Safe and Non-Safe Methods | 
              Caching
              
                External APIs must always use TLS, so that only direct clients or trusted intermediaries that have our certificates (typically CDNs) will be able to view the content.  |