BS ISO 20078-3:2021 – Road vehicles — Extended vehicle (ExVe) web services — Part 3: Security
This document defines how to authenticate users and accessing parties on a web-services interface. It also defines how a resource owner can delegate access to its resources to an accessing party. Within this context, this document also defines the necessary roles and required separation of duties between these in order to fulfil requirements stated on security, data privacy and data protection.
All conditions and dependencies of the roles are defined towards a reference implementation using an OAuth 2.0 [1] compatible framework and an OpenID Connect 1.0 [2] compatible framework.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content constitutes requirements of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
ISO 20078‑1, Road vehicles — Extended vehicle (ExVe) web services — Content and definitions
3 Terms and definitions
For the purposes of this document, the convention, terms and definitions given in ISO 20078‑1 and the following apply.
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at https://www.electropedia.org/
3.1
identity token
ID token
digitally signed JWT that contains claims (3.3) about the authenticated resource owner
3.2
authorization code
intermediate result of a successful resource‑owner authorization process that is used by authorized clients to obtain access tokens and optionally refresh tokens
3.3
claim
asserted information about a certain entity
EXAMPLE ROID, resource owner’s first name, last name, address, connected vehicle’s capability and/or other attributes.
3.4
token issuer
entity that generates and provides identity tokens (3.1), access tokens, and refresh tokens
5 Basic communication flow
5.1 Offering party authorization domain
5.1.1 General
This document separates the activities necessary for authentication, authorization and resource access into three distinct communication flows with separate duties (see Figure 1).
5.1.2 Authentication
The identity provider is responsible for authenticating the resource owner and managing the resource owner profile, based on the resource owner registration. The resource owner credentials are revealed only to the identity provider, and the identity provider confirms a successful authentication to concerned parties. If the resource owner has given consent, the accessing party will be authorized to access the resource owner’s profile (Figure 2).
5.1.3 Authorization
The client application, as a component of the accessing party, requires access to resources on behalf of the resource owner. At the authorization step, the accessing party requests authorization to access the resources provided by the resource provider (offering party). The required authorization is requested at the authorization provider, providing the intended scope. By the consent of the resource owner, the authorization provider returns a limited authorization to the client application of the accessing party. Using the obtained authorization, the client application can access resources. Authorization to access resources is done in the same way regardless of whether the resources are fetched by the accessing party using request/reply or pushed by the offering party (see Figure 3). See ISO 20078‑2 for details regarding request/reply and push.
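The separation of duties described in 5.1.2 and 5.1.3, sketched as an in-memory model. This is an added example, not part of ISO 20078-3 or its reference implementation. All class, method and scope names are hypothetical, and a real deployment would run these roles on an OAuth 2.0 / OpenID Connect compatible framework over HTTPS.

```python
import hashlib, hmac, secrets, time  # added illustration; every name below is hypothetical

def _kdf(password, salt):  # slow hash so stored verifiers resist offline guessing
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class IdentityProvider:  # the only role that ever sees resource-owner credentials (5.1.2)
    def __init__(self):
        self._users, self._logins = {}, {}
    def register(self, user, password):
        salt = secrets.token_bytes(16)
        self._users[user] = (salt, _kdf(password, salt))
    def authenticate(self, user, password):
        salt, stored = self._users.get(user, (b"", b""))
        if not stored or not hmac.compare_digest(stored, _kdf(password, salt)):
            raise PermissionError("authentication failed")
        handle = secrets.token_urlsafe(16)  # opaque confirmation, carries no credentials
        self._logins[handle] = user
        return handle
    def confirm(self, handle):
        return self._logins.get(handle)

class AuthorizationProvider:  # turns owner consent into a limited authorization (5.1.3)
    def __init__(self, idp):
        self._idp, self._codes, self._tokens = idp, {}, {}
    def authorize(self, login, client_id, requested, consented):
        owner = self._idp.confirm(login)
        granted = set(requested) & set(consented)  # consent caps the requested scope
        if owner is None or not granted:
            raise PermissionError("not authenticated or no consent")
        code = secrets.token_urlsafe(16)
        self._codes[code] = (client_id, owner, granted, time.time() + 60)
        return code
    def exchange(self, code, client_id):
        entry = self._codes.pop(code, None)  # pop: an authorization code is redeemable once
        if entry is None or entry[0] != client_id or entry[3] < time.time():
            raise PermissionError("invalid authorization code")
        token = secrets.token_urlsafe(32)
        self._tokens[token] = (entry[1], entry[2], time.time() + 300)
        return token
    def check(self, token, owner, scope):
        t_owner, scopes, expires = self._tokens.get(token, (None, set(), 0))
        return t_owner == owner and scope in scopes and expires > time.time()

class ResourceProvider:  # serves data only when the token covers that owner and scope
    def __init__(self, authz, data):
        self._authz, self._data = authz, data
    def get(self, token, owner, scope):
        if not self._authz.check(token, owner, scope):
            raise PermissionError("access denied")
        return self._data[owner][scope]
```

The authorization provider never receives the password, only the identity provider's opaque confirmation, and the access token it issues is capped at the intersection of what the client requested and what the resource owner consented to.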