OAuth usage in government

[Leonardo Alexandre Ferreira Leite]

Hello!

Does anyone know about OAuth usage in government (in any country)? I mean... third-party application invokes government system to access citizen information in such way the citizen itself authorizes such access.

I have found MyUSA: https://alpha.my.usa.gov/developer
But it looks like for me that MyUSA is more about single sing-on. However, in the developer page there is a talk about OAuth, which is confusing. I have understood that the provided "scopes" would be citizen information in the MyUSA profile. So it would not be a channel for third-party application accessing citizen information kept by governmental agencies.

Thank you for your attention,
Leonardo Leite

[Gabriel Arellano]

Leonardo:

Chile is using OpenId Connect.
More info: https://www.claveunica.gob.cl/

--
You received this message because you are subscribed to the Google Groups "API Craft" group.
To unsubscribe from this group and stop receiving emails from it, send an email to api-craft+unsubscribe@googlegroups.com.
Visit this group at https://groups.google.com/group/api-craft.
For more options, visit https://groups.google.com/d/optout.

--

Gabriel Arellano.
Laboratorio de Ing. en Sistemas de Información
U.T.N. - F.R. C. del Uruguay
Linux Registered User #188284

----BEGIN GEEK CODE BLOCK----
Version: 3.1
GCS/ED d-- s: s- a C+++ UL++++$ P+>+++ L+++$>++++ E- W+++ w--- PS++ PE
Y++ PGP++ t+++ 5- X++++ R++ tv+++ b+++ DI+++ D++++ G+ e++>++++ h+ r* y--
-----END GEEK CODE BLOCK-----

[Jørn Wildt]

In Denmark we have "NemID" (Easy ID). Every Dane has a digital identity and has to use this on all national services (and many local services too). The login procedure is two-factor with the second factor being a one time paper pad with 100 codes and the first factor being the social security number and a password.

The one *huge* caveat is that it uses public/private cryptography with the private part of the keys stored on a central national server ... from a security/privacy perspective its awful but from a practical perspective its easy to use - and the security of that server is obviously a lot higher than what you find on the PCs of Mr. and Mrs. KnowNothing :-) It makes sense as long as you trust your government 110% See for instance https://www.nemid.nu/dk-en/about_nemid/citizen/

/Jørn

--

[Simon Renoult]

Hi,

In France, there is France Connect which allows several governemental identity provider (healthcare, taxes) to access each other data.

[Gopi Suvanam]

India uses Aadhar.. it has more than one billion registered citizens. Authentication can be done through Iris scan finger print or a secret PIN or OTP .. This API is creating a revolution in India especially in the fintech space. check out these links:

https://uidai.gov.in/beta/about-uidai/about-uidai/uidai-ecosystems.html
https://developer.uidai.gov.in/book/export/html/18

https://uidai.gov.in/beta/about-uidai/about-uidai.html

PS: Aadhar means Base/Basis in many indian languages

[Antony Pulicken]

I think www.iwelcome.com has few customers (government) in Europe who is using OAuth. You can try getting in touch with them for more details.

Regards,

Antony.

--

[Leonardo Alexandre Ferreira Leite]

Hey guys!

Thank you so much!

I will analyze the linked material... it will be much valuable for me!

Tks!

--
You received this message because you are subscribed to a topic in the Google Groups "API Craft" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/api-craft/GTfowYRH3eI/unsubscribe.
To unsubscribe from this group and all its topics, send an email to api-craft+unsubscribe@googlegroups.com.

[Leonardo Alexandre Ferreira Leite]

Hi!

I have read all the links, and I've got a good insight from all of them.

In the authorization perspective (oauth), the closest what I search is the France Connect.

It seems to provide a full authorization mechanism.

However, the use case available (https://franceconnect.gouv.fr/usages/telepoints) seems to demonstrate only authentication.

Would France Connect already have a fully authorization use case implemented?

I've mailed them, but maybe some of you already have some knowledge about it.

Thank you so much!!!

Leonardo Leite

[Simon Renoult]

Hi Leonardo,

What do you mean by "fully authorization use case" ?

To unsubscribe from this group and stop receiving emails from it, send an email to api-craft+...@googlegroups.com.

Visit this group at https://groups.google.com/group/api-craft.
For more options, visit https://groups.google.com/d/optout.

--
You received this message because you are subscribed to a topic in the Google Groups "API Craft" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/api-craft/GTfowYRH3eI/unsubscribe.

To unsubscribe from this group and all its topics, send an email to api-craft+...@googlegroups.com.

[Leonardo Alexandre Ferreira Leite]

I mean the usage of the oauth "scopes".

So, the citizen allows some service provider to access only the specified resource provided by a data provider.

Tks!

To unsubscribe from this group and all its topics, send an email to api-craft+unsubscribe@googlegroups.com.

[Leonardo Alexandre Ferreira Leite]

Actually, I have another doubt about France Connect.

It seems any organization, public or private, can be Service Providers, Identity Providers or Data Providers. Is it really this? However, the listed partners seem to be public organizations. So I did not get if it's exclusive for gov entities, or just more oriented towards them.

tks!