BS ISO 20078-3:2019 – Road vehicles — Extended vehicle (ExVe) web services Part 3: Security
This document defines how to authenticate users and Accessing Parties on a web services interface. It also defines how a Resource Owner can delegate Access to its Resources to an Accessing Party. Within this context, this document also defines the necessary roles and required separation of duties between these in order to fulfil requirements stated on security, data privacy and data protection. All conditions and dependencies of the roles are defined towards a reference implementation using OAuth 2.0 compatible framework and OpenID Connect 1.0 compatible framework.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content constitutes requirements of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
ISO 20078‑1, Road vehicles — Extended vehicle (ExVe) ‘web services’ — Content
3 Terms, definitions and abbreviations
For the purposes of this document, the terms, definitions and abbreviations given in ISO 20078‑1 and the following apply. ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— IEC Electropedia: available at http://www.electropedia.org/
— ISO Online browsing platform: available at https://www.iso.org/obp
3.1 Identity Token
ID Token
digitally signed JWT that contains claims about the authenticated Resource Owner
3.2 Access Token
AT
digitally signed JWT issued by the Identity Provider or Authorization Provider and consumed by the Resource Provider
Note 1 to entry: An Access Token represents an authorization that is issued to the client, is limited by scope and has a defined expiration time.
3.3 Refresh Token
RT
credential (string) issued to the Accessing Party by the Identity Provider or the Authorization Provider and used to obtain a new Access Token when the currently used AT expires, or to obtain additional ATs depending on the intended scope of use
5.2 Authentication
The Identity Provider is responsible for authenticating the Resource Owner and managing the Resource Owner profile, based on the Resource Owner registration. The Resource Owner credentials are revealed only to the Identity Provider, and the Identity Provider confirms a successful authentication to concerned parties. If the Resource Owner has given consent, the Accessing Party will be authorized to access the Resource Owner’s profile (Figure 2).
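The checks a Resource Provider applies to an Access Token as defined in 3.2 (digital signature, defined expiration time, limiting scope) can be sketched as follows; this is an added example, not text or code from the standard. It assumes HS256 with a shared key so that it runs on the Python standard library alone (a deployment would normally use an asymmetric signature so the Resource Provider holds only the issuer's public key), and the claim names `sub`, `scope` and `exp`, the scope values and the key are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json
import time

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(claims, key):
    """Constructed issuer side, present only to produce sample tokens."""
    parts = ({"alg": "HS256", "typ": "JWT"}, claims)
    signing_input = ".".join(b64url_encode(json.dumps(p).encode()) for p in parts)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)

def validate_access_token(token, key, required_scope, now=None):
    """Resource Provider side: return the claims or raise ValueError."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
    except ValueError as exc:
        raise ValueError("malformed token") from exc
    # Pin the algorithm; a header asking for "none" or anything else is refused.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected signature algorithm")
    signing_input = (header_b64 + "." + payload_b64).encode()
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise ValueError("bad signature")
    # Claims are parsed only after the signature has been verified.
    claims = json.loads(b64url_decode(payload_b64))
    now = time.time() if now is None else now
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        raise ValueError("token expired or has no expiration time")
    if required_scope not in str(claims.get("scope", "")).split():
        raise ValueError("required scope not granted")
    return claims

# Constructed sample values (not from the standard).
SAMPLE_KEY = b"constructed-demo-key"
SAMPLE_TOKEN = issue_token(
    {"sub": "resource-owner-1", "scope": "odometer:read", "exp": 2000000000},
    SAMPLE_KEY)
```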