Closed iamseanodentity closed 3 weeks ago
For clarity's sake, the proposal here is to:
- `txn` a required top-level claim of the SET for all SSF events (top-level meaning it nests at the same level as `iss` and `aud` in the SET json).
- `txn` in any non-normative examples of events.
- `txn` in the non-normative examples.

Is that correct?
PR submitted
The `txn` claim is called out as optional on RFC 8417 but is not referenced on CAEP / RISC Events or in the general SSF documentation. With the new CAEP Event being introduced, `session established`, it feels like introducing `txn` now is the right time before v1 is established. This speaks to how a transmitter (SST) and receiver (SSR) can co-op using a standard JWT claim. SST -> session revoked CAEP Event -> SSR with txn: 123. The SSR that received the SET can then send back, acting as a SST, a session revoked event to the Transmitter which is now acting as a SSR. This is a good example of auditing and accounting practices. This also helps inform a SST that the signals it is emitting to the SSRs are still accurate and not subjective noise to a SSR (i.e. the underlying data powering the SST is valid and accurate...which is important).
Would like to update the open-id-caep-spec (Sections 2 and 3), open-id-risc-spec (Sections 2 and 3) and open-id-sharedsignals-framework-1.0 (Section 5) md files. In the events I think we would want to call out the specifics to use the `txn` claim and not have it optional for all events.
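
The round trip described in this issue, as an added example that is not part of the original issue or of the SSF specifications: a receiver-side check that `txn` sits at the top level of a decoded SET (beside `iss` and `aud`), and a correlation of the returned session-revoked event with the one originally sent. The function names, issuers, `jti` values and sample SETs are constructed for illustration, and signature validation of the SET is assumed to have happened already.

```python
# Added example: check_txn, correlate and the sample SETs are hypothetical names/data.
SESSION_REVOKED = "https://schemas.openid.net/secevent/caep/event-type/session-revoked"

def check_txn(set_claims):
    """Return the top-level txn of a decoded SET payload, or raise ValueError."""
    txn = set_claims.get("txn")
    if not isinstance(txn, str) or not txn:
        # Report the likely mistake of nesting txn inside an event payload.
        nested = [uri for uri, body in set_claims.get("events", {}).items()
                  if isinstance(body, dict) and "txn" in body]
        where = f" (found nested under {nested[0]})" if nested else ""
        raise ValueError("SET has no top-level txn claim" + where)
    return txn

def correlate(sent, received):
    """Map txn -> (sent jti, received jti) for SETs sharing a txn and an event type."""
    by_txn = {check_txn(s): s for s in sent}
    pairs = {}
    for r in received:
        s = by_txn.get(check_txn(r))
        if s is not None and set(s["events"]) & set(r["events"]):
            pairs[s["txn"]] = (s["jti"], r["jti"])
    return pairs

# Constructed SET payloads: A transmits to B, then B (acting as transmitter) answers A.
SENT = {
    "iss": "https://transmitter-a.example", "aud": "https://receiver-b.example",
    "iat": 1700000000, "jti": "jti-a1", "txn": "123",
    "events": {SESSION_REVOKED: {"event_timestamp": 1700000000}},
}
RETURNED = {
    "iss": "https://receiver-b.example", "aud": "https://transmitter-a.example",
    "iat": 1700000005, "jti": "jti-b1", "txn": "123",
    "events": {SESSION_REVOKED: {"event_timestamp": 1700000005}},
}
# Constructed malformed SET: txn placed inside the event payload instead of top level.
NESTED = {
    "iss": "https://receiver-b.example", "aud": "https://transmitter-a.example",
    "iat": 1700000009, "jti": "jti-b2",
    "events": {SESSION_REVOKED: {"txn": "123", "event_timestamp": 1700000009}},
}

if __name__ == "__main__":
    print(correlate([SENT], [RETURNED]))
```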