Security Framework

1EdTech has created, is creating, and will create, service-oriented and message-exchange interoperability specifications. These specifications recommend or require several different security patterns: for example, the use of OAuth 1.0 based message signing, OAuth 2 based authentication and authorization, and so forth.

The 1EdTech Security Framework defines a set of patterns for security that all of its specifications SHOULD use (only in special circumstances will we consider exceptions). These security patterns are based upon the appropriate standards and specifications published by other organizations: for example, the Internet Engineering Task Force (IETF) and its Requests For Comments (RFCs). The aim is to make use of the appropriate solutions and best practices already adopted in the IT sector as a whole.

The security framework has three basic patterns for adoption:

(a) use of the OAuth 2.0 Client Credential Grant mechanism to secure web services between trusted systems;
(b) use of the OAuth 2.0 Authorization Code Grant mechanism to secure web services between systems where there is no pre-established trust relationship; and
(c) use of OpenID Connect with JWT-based message exchanges to secure browser-instigated exchanges between a tool and the launching platform.
