- Can we activate OAuth PAR using AGOV? => not planned
- Can we use OAuth DPoP tokens? => not planned
- Can we request phishing-resistant authentication? => not clear yet
- Can we use client assertions instead of shared secrets? => Yes, but not supported at present
- Which client claims returned from AGOV are E-ID claims? => defined in the AGOV specs
- Zero-knowledge proofs: how will these be supported in AGOV? => not planned in AGOV
- AGOV support for E-ID: Release around start of 2027
urn:qa.agov.ch:names:tc:ac:classes:500 => AGOV & E-ID
urn:qa.agov.ch:names:tc:ac:classes:600 => E-ID only, only E-ID claims (AGOV pass through)
Confidential client using the OpenID Connect code flow with PKCE and a shared secret.
- Same as the authentication flow; AGOV has no state.
AGOV
link to required E-ID
Does not work, please create AGOV account first
Just works; only claims from the E-ID are returned. It is not possible to do a zero-knowledge proof.
As AGOV has no state, this should just work with every challenge.
It is unclear which LoA to use if phishing-resistant authentication is required.
- urn:qa.agov.ch:names:tc:ac:classes:100
- urn:qa.agov.ch:names:tc:ac:classes:200
- urn:qa.agov.ch:names:tc:ac:classes:300
- urn:qa.agov.ch:names:tc:ac:classes:400
- urn:qa.agov.ch:names:tc:ac:classes:500 => request for E-ID identity
- urn:qa.agov.ch:names:tc:ac:classes:600 => E-ID pass through, requests claims from user
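
The following is an added example, not code from these notes or from AGOV: it builds the code flow request with PKCE for one of the classes listed above and checks that the ID token came back with that class. The endpoint, client ID and redirect URI are supplied by the caller; requesting the class through the standard OpenID Connect `acr_values` parameter and requiring an exact `acr` match are assumptions.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# ACR classes copied from the list on this page (QA environment).
ACR_EID = "urn:qa.agov.ch:names:tc:ac:classes:500"
ACR_EID_PASS_THROUGH = "urn:qa.agov.ch:names:tc:ac:classes:600"


def pkce_challenge(code_verifier: str) -> str:
    """S256 code_challenge for a verifier (RFC 7636, section 4.2)."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorization_request(authorization_endpoint, client_id, redirect_uri, acr):
    """Return (url, session): the redirect URL and the values to keep server-side."""
    session = {
        "state": secrets.token_urlsafe(32),
        "nonce": secrets.token_urlsafe(32),
        "code_verifier": secrets.token_urlsafe(64),  # 86 chars, allowed range is 43-128
        "requested_acr": acr,
    }
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid",
        "state": session["state"],
        "nonce": session["nonce"],
        "code_challenge": pkce_challenge(session["code_verifier"]),
        "code_challenge_method": "S256",
        "acr_values": acr,  # assumption: the class is requested through acr_values
    }
    return authorization_endpoint + "?" + urlencode(params), session


def id_token_matches_request(claims: dict, session: dict) -> bool:
    """Run after signature, issuer and audience validation of the ID token.

    Rejects a token whose nonce is not the one from this login and a login that
    came back with a different class than requested (exact match is an assumption).
    """
    nonce = str(claims.get("nonce", "")).encode("utf-8")
    nonce_ok = secrets.compare_digest(nonce, session["nonce"].encode("utf-8"))
    return nonce_ok and claims.get("acr") == session["requested_acr"]
```

The `code_verifier` kept in the session is sent with the shared secret in the token request; that step is not shown here.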
https://trustbroker-idp.agov-epr-lab.azure.adnovum.net/
https://trustbroker.agov-epr-lab.azure.adnovum.net/.well-known/openid-configuration