InformationModel/model/security/Token.ttl at develop · International-Data-Spaces-Association/InformationModel · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
@prefix owl: <http://www.w3.org/2002/07/owl#> .
@prefix rdfs: <http://www.w3.org/2000/01/rdf-schema#> .
@prefix dct: <http://purl.org/dc/terms/> .
@prefix xsd: <http://www.w3.org/2001/XMLSchema#> .
@prefix ids: <https://w3id.org/idsa/core/> .

#@prefix credential: <http://www.daml.org/services/owl-s/security/credential.owl#> .

# Classes
# -------

ids:Token
    a owl:Class;
    rdfs:label "Token."@en;
    rdfs:comment "A token (e.g., for authorization) mediated as part of the message."@en ;
.

ids:DynamicAttributeToken
    a owl:Class;
    rdfs:subClassOf ids:Token;
    rdfs:label "Dynamic Attribute Token (DAT)."@en;
    rdfs:comment "A JSON Web Token (e.g., for authorization) mediated as part of the message, formerly known as the 'DAPS Token'. The complete JWT *including* header, payload and signiture is referenced by this class and *not* only the JSON element in the payload. See ids:DatPayload for the payload definition."@en ;
    rdfs:seeAlso <https://tools.ietf.org/html/rfc7519> ;
    rdfs:seeAlso ids:DatPayload ;
    .


ids:TokenFormat a owl:Class;
    rdfs:label "Token format"@en;
    rdfs:comment "Possible formats for (security-related) tokens."@en.


ids:JwtPayload a owl:Class ;
    rdfs:label "JWT Payload"@en ;
    rdfs:comment "The payload of an JSON Web Token as a RDF class. Is used as the common parent of e.g., DatPayload and DatRequestPayload."@en ;


    .

ids:transportCertsSha256 a owl:DatatypeProperty;
    rdfs:domain ids:JwtPayload ;
    rdfs:range xsd:string;
    rdfs:label "transportCertsSha256"@en;
    rdfs:comment "Separate certificates for IDS identification and transport encryption opens an attack vector for relay attacks. In order to prevent these attacks, a binding of this transport certificates to the connector is required. The inclusion of SHA256 fingerprints of currently valid transport certificates, mainly into the DAT, enables the client to relate the transport layer security with the IDS interactions."@en.

ids:DatPayload
    a owl:Class ;
    rdfs:subClassOf ids:JwtPayload ;
    rdfs:label "DAT Payload"@en ;
    rdfs:comment "The Dynamic Attribute Token (DAT) Payload is the JSON Element of any DAT containing the claims of the token bearer. This payload itself is a JSON-LD encoded RDF class with a defined set of attributes. These attributes are either defined by RFC 7519 or by the IDS Information Model. As a direct consequence of regarding the DAT Payload as JSON-LD, *all* DAT Payloads must have exactly one \"@context\" attribute with the IDS context URI as its value and a \"@type\" with ids:DatPayload as its value."@en ;
    rdfs:seeAlso <https://tools.ietf.org/html/rfc7519> ;

.


ids:DatRequestPayload
    a owl:Class ;
    rdfs:subClassOf ids:JwtPayload ;
    rdfs:label "DAT Request Payload"@en ;
    rdfs:comment "The Dynamic Attribute Token (DAT) *Request* Payload is the JSON Element of any DAT containing the claims of the token bearer. This payload itself is a JSON-LD encoded RDF class with a defined set of attributes. These attributes are either defined by RFC 7519 or by the IDS Information Model. As a direct consequence of regarding the DAT Payload as JSON-LD, *all* DAT Payloads must have exactly one \"@context\" attribute with the IDS context URI as its value and a \"@type\" with ids:DatPayload as its value. Note that, different to the DatPayload, the DatRequestPayload contains the *self-claims* of a connector and is not yet signed by any DAPS. Consequently, no other connector must accept a DatRequest object as a DAT. A DatRequest and its contained DatRequestPayload is *only* intended for interactions with a DAPS and *nothing else*!"@en ;
    rdfs:seeAlso <https://tools.ietf.org/html/rfc7519> ;
    .


ids:Audience
    a owl:Class ;
    rdfs:label "Audience"@en ;
    rdfs:comment "The class of audiences (recipients) used in the JWT. "@en ;
    rdfs:seeAlso <https://tools.ietf.org/html/rfc7519> ;
    .


# Properties
# ----------


ids:aud a owl:ObjectProperty;
    rdfs:label "aud"@en;
    rdfs:domain ids:JwtPayload;
    rdfs:range ids:Audience ;
    rdfs:seeAlso <https://tools.ietf.org/html/rfc7519#section-4.1.3> ;
    rdfs:comment "The 'aud' (audience) claim identifies the recipients that the JWT is intended for."@en.

ids:exp a owl:DatatypeProperty;
    rdfs:label "exp"@en;
    rdfs:domain ids:JwtPayload;
    rdfs:range xsd:integer ;
    rdfs:seeAlso <https://tools.ietf.org/html/rfc7519#section-4.1.4> ;
    rdfs:comment "The 'exp' (expiration time) claim identifies the expiration time on or after which the JWT MUST NOT be accepted for processing."@en.

ids:iat a owl:DatatypeProperty;
    rdfs:label "iat"@en;
    rdfs:domain ids:JwtPayload;
    rdfs:range xsd:integer ;
    rdfs:comment "The 'iat' (issued at) claim contains the point in time when the JWT was created."@en.

ids:iss a owl:DatatypeProperty;
    rdfs:label "iss"@en;
    rdfs:domain ids:JwtPayload;
    rdfs:range xsd:string ;
    rdfs:seeAlso <https://tools.ietf.org/html/rfc7519#section-4.1.1> ;
    rdfs:comment "The 'iss' (issuer) claim identifies the principal that issued the JWT."@en.

ids:nbf a owl:DatatypeProperty;
    rdfs:label "nbf"@en;
    rdfs:domain ids:JwtPayload;
    rdfs:range xsd:integer ;
    rdfs:seeAlso <https://tools.ietf.org/html/rfc7519#section-4.1.5> ;
    rdfs:comment "The 'aud' (audience) claim identifies the recipients that the JWT is intended for."@en.

ids:referringConnector a owl:DatatypeProperty;
    rdfs:label "referringConnector"@en;
    rdfs:domain ids:JwtPayload;
    rdfs:range ids:Connector;
    rdfs:comment "The RDF connector entity as referred to by the DAT, with its URI included as the value. The value MUST be its accessible URI."@en.

ids:scope a owl:DatatypeProperty;
    rdfs:label "scope"@en;
    rdfs:domain ids:JwtPayload;
    rdfs:range xsd:string ;
    rdfs:seeAlso <https://tools.ietf.org/html/rfc7519#section-4.1.2> ;
    rdfs:comment "Currently, the scope is limited to 'Connector' but can be used for scoping purposes in the future. Scope is currently fixed to 'https://w3id.org/idsa/core/Connector'."@en.

ids:sub a owl:DatatypeProperty;
    rdfs:label "sub"@en;
    rdfs:domain ids:JwtPayload;
    rdfs:range xsd:string ;
    rdfs:seeAlso <https://tools.ietf.org/html/rfc7519#section-4.1.2> ;
    rdfs:comment "The 'sub' (subject) claim identifies the principal that is the subject of the JWT."@en.

ids:tokenValue a owl:DatatypeProperty;
    rdfs:label "tokenValue"@en;
    rdfs:domain ids:Token;
    rdfs:range xsd:string ; # xsd:base64Binary;
    rdfs:comment "An authentication token value like JSON Web Token."@en.

ids:tokenFormat a owl:ObjectProperty;
    rdfs:label "tokenFormat"@en;
    rdfs:domain ids:Token;
    rdfs:range ids:TokenFormat;
    rdfs:comment "Describes the format of the authentication token."@en.