Authorization - Reference Context: Clause 6.4 of ETSI TS 119 478 (Draft V0.0.3)

Submitted for:
Mobil Krankenkasse – Statutory public body under German law
Contact: Sascha Block, IT Architect


Scope and Content

Clause 6.4 defines the OAuth 2.0–based authorization framework governing the interaction between qualified trust service providers (QTSPs), authorization servers, and authentic sources.
It covers:

  • Use of the IETF RFC 6749 OAuth 2.0 Authorization Framework for the authorization process.
  • JWT client assertions for client authentication (RFC 7523) and JWT-profiled access tokens (RFC 9068).
  • Dynamic client registration according to RFC 7591.
  • Use of X.509 certificates (RFC 5280), e.g. Wallet Relying Party Access Certificates (WRPAC) as specified in ETSI TS 119 411-8.
  • The Authorization Code Flow, i.e. the Authorization Code Grant defined in RFC 6749 § 4.1.

Figures and Subsections:

  • Figure 3 – Dynamic Client Registration
  • Figure 4 – Overall Authorization Code Flow
  • Clause 6.4.3 – Security Considerations for the Authorization Server

Relevance and Context

Clause 6.4 provides the technical foundation for secure and interoperable authorization in the EUDI Wallet ecosystem.
It defines how trust service providers, wallets, and public authentic sources exchange verified attributes and identity data in a standardized and auditable way.

This is directly relevant for the implementation of Qualified Electronic Signatures (QES) in EUDI Wallets, as these rely on OAuth 2.0 / JWT-based flows to:

  • establish trusted sessions between wallet and QTSP,
  • manage consent and user authentication securely, and
  • ensure attribute integrity during verification and issuance processes.

Experience from national infrastructures (e.g. the German Telematikinfrastruktur) shows that security assumptions in OAuth/JWT implementations require independent validation and operational guidance, especially regarding:

  • token lifecycle management and replay prevention (bounded validity periods, one-time use of assertion identifiers),
  • key material handling (X.509 / WRPAC trust chains, certificate path validation per RFC 5280, key rotation),
  • and authorization flow resilience across multiple domains (e.g. cross-border deployments).
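
As an added illustration (not code from ETSI TS 119 478, the submitter, or any EUDI Wallet reference implementation), the following Go program shows what the RFC 7523 client-authentication checks and the replay-prevention / key-handling points listed above amount to at a token endpoint: the client signs a client_assertion with its registered P-256 key, and the authorization server pins the algorithm, resolves the key from the client registration instead of the token, checks iss/sub, aud and exp against a lifetime policy, verifies the signature, and only then records the jti so that a forged assertion can never touch the replay cache. Everything specific here is an assumption for the example: the names NewAuthServer, VerifyAssertion and SignAssertion, the client_id "qtsp-1", the token endpoint URL, the 300-second lifetime policy, and a plain map standing in for the RFC 7591 registration record. WRPAC chain validation (RFC 5280) is out of scope for the snippet; the registered key is simply assumed to have been validated at registration time. "aud" is modelled as a single string (RFC 7523 also permits an array).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
)

// Claims of an RFC 7523 client-authentication assertion ("aud" modelled as a single string).
type Claims struct {
	Iss string `json:"iss"`
	Sub string `json:"sub"`
	Aud string `json:"aud"`
	Exp int64  `json:"exp"`
	Jti string `json:"jti"`
}

var enc = base64.RawURLEncoding

// NewClientKey returns the P-256 key a client such as a QTSP holds; in the EUDI
// setting its public half would be the one certified by the client's WRPAC (assumed here).
func NewClientKey() *ecdsa.PrivateKey {
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return k
}

// SignAssertion builds the compact ES256 JWS the client sends as client_assertion.
func SignAssertion(priv *ecdsa.PrivateKey, c Claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "ES256", "typ": "JWT"})
	body, _ := json.Marshal(c)
	input := enc.EncodeToString(hdr) + "." + enc.EncodeToString(body)
	h := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, priv, h[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64) // JWS ES256 encodes the signature as R||S, 32 bytes each
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return input + "." + enc.EncodeToString(sig), nil
}

// AuthServer is the token-endpoint side: keys registered per client (hypothetical stand-in
// for the RFC 7591 registration record), a pinned clock, and the replay-prevention cache.
type AuthServer struct {
	TokenEndpoint string                      // every assertion's "aud" must equal this
	ClientKeys    map[string]*ecdsa.PublicKey // client_id -> registered public key
	MaxLifetime   int64                       // seconds; longer-lived assertions are rejected
	NowUnix       int64                       // server clock, fixed here for determinism
	seen          map[string]int64            // "iss|jti" -> exp of accepted assertions
}

func NewAuthServer(endpoint string, nowUnix int64) *AuthServer {
	return &AuthServer{TokenEndpoint: endpoint, ClientKeys: map[string]*ecdsa.PublicKey{},
		MaxLifetime: 300, NowUnix: nowUnix, seen: map[string]int64{}}
}

// VerifyAssertion applies the RFC 7523 section 3 checks. The algorithm is pinned rather than
// taken from the token, the key comes from the registration, and the jti cache is written
// only after the signature verifies, so unauthenticated input never changes server state.
func (as *AuthServer) VerifyAssertion(token string) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed JWS")
	}
	hdrRaw, e1 := enc.DecodeString(parts[0])
	body, e2 := enc.DecodeString(parts[1])
	sig, e3 := enc.DecodeString(parts[2])
	if e1 != nil || e2 != nil || e3 != nil || len(sig) != 64 {
		return nil, errors.New("malformed JWS encoding")
	}
	var hdr struct{ Alg string `json:"alg"` }
	var c Claims
	if json.Unmarshal(hdrRaw, &hdr) != nil || json.Unmarshal(body, &c) != nil {
		return nil, errors.New("malformed JWS JSON")
	}
	pub := as.ClientKeys[c.Sub]
	switch {
	case hdr.Alg != "ES256":
		return nil, fmt.Errorf("unsupported alg %q", hdr.Alg)
	case c.Sub == "" || c.Iss != c.Sub: // private_key_jwt convention: iss == sub == client_id
		return nil, errors.New("iss/sub do not identify a client")
	case pub == nil:
		return nil, fmt.Errorf("unregistered client %q", c.Sub)
	case c.Aud != as.TokenEndpoint:
		return nil, errors.New("aud is not this token endpoint")
	case c.Exp <= as.NowUnix || c.Exp-as.NowUnix > as.MaxLifetime:
		return nil, errors.New("exp is in the past or exceeds the lifetime policy")
	case c.Jti == "":
		return nil, errors.New("jti required for replay prevention")
	}
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, h[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return nil, errors.New("signature does not verify under the registered key")
	}
	for k, e := range as.seen { // evict cache entries whose assertion has expired anyway
		if e <= as.NowUnix { delete(as.seen, k) }
	}
	key := c.Iss + "|" + c.Jti // jti is unique per issuer, so scope the cache by issuer
	if _, dup := as.seen[key]; dup {
		return nil, errors.New("replayed assertion (jti already used)")
	}
	as.seen[key] = c.Exp
	return &c, nil
}

func main() {
	priv, as := NewClientKey(), NewAuthServer("https://as.example/token", 1700000000)
	as.ClientKeys["qtsp-1"] = &priv.PublicKey
	tok, _ := SignAssertion(priv, Claims{Iss: "qtsp-1", Sub: "qtsp-1", Aud: as.TokenEndpoint, Exp: 1700000060, Jti: "c6d2"})
	_, first := as.VerifyAssertion(tok)
	_, second := as.VerifyAssertion(tok)
	fmt.Println("first use:", first, "| second use:", second)
}
```

Running it shows the first use of the assertion accepted (nil error) and the identical second presentation rejected as a replay. Two caveats a reviewer would expect: the distinct error strings exist only to make the example readable, whereas a production token endpoint should return the uniform invalid_client error of RFC 6749 § 5.2 so that callers cannot probe which client_ids are registered; and the in-memory jti cache must be shared (or the token endpoint pinned) across all instances of the authorization server, otherwise replay prevention silently fails in a multi-node deployment.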

Issue Statement

References to “Clause 6.4” within this or related documents explicitly refer to the technical implementation and security framework for OAuth 2.0 and JWT, as specified in ETSI TS 119 478 (Draft V0.0.3).
Given its central role for QES integration, attribute verification, and digital trust assurance, this clause should be subject to:

  1. Independent Security Review – to validate conformity with RFC 6749, 7523, 7591, 9068, and 5280, including operational aspects such as token handling and client registration security.
  2. Operational Guidance – to define reference architectures and audit criteria for compliant implementations in cross-border environments.
  3. Transparency Alignment – to ensure interoperability with the OpenCode-based EUDI Wallet architecture repository and the EU Catalogue of Attributes (CIR (EU) 2025/1569).

Expected Benefits

  • Strengthened trust and reliability in QES and EUDI Wallet implementations.
  • Reduced operational risk from inconsistent or incomplete OAuth/JWT integrations.
  • Harmonized cross-border interoperability and verifiable security assurance.
  • Establishment of clear guidance for Member States, QTSPs, and Wallet Providers.

Recommended Wording

Independent security review and operational guidance for OAuth 2.0 / JWT authorization as defined in Clause 6.4 of ETSI TS 119 478 (Draft V0.0.3).


References

  • ETSI TS 119 478 (Draft V0.0.3) – Clause 6.4 (Authorization)
  • ETSI TS 119 411-8 – Wallet Relying Party Access Certificates (WRPAC)
  • ETSI TS 119 475 – Wallet Relying Party Registration Certificates (WRPRC)
  • IETF RFC 6749 – The OAuth 2.0 Authorization Framework
  • IETF RFC 7523 – JWT Profile for OAuth 2.0 Client Authentication and Authorization Grants
  • IETF RFC 7591 – OAuth 2.0 Dynamic Client Registration Protocol
  • IETF RFC 9068 – JWT Profile for OAuth 2.0 Access Tokens
  • IETF RFC 5280 – X.509 PKI Certificate and CRL Profile
  • CIR (EU) 2025/1569 – Catalogue of Attributes
  • EUDI Wallet Architecture Concept – OpenCode Repository
  • ISO/IEC 27001 – Information Security Management Systems (Requirements)
