China: TC260 closes consultation on national standard on information security technology open third-party resource authorisation protocol

On 26 October 2025, the Chinese National Network Security Standardization Technical Committee Secretariat (TC260) closes the consultation on the national standard on information security technology open third-party resource authorisation protocol. The standard is addressed to professionals and organisations involved in cybersecurity, identity authentication, and secure communication system development in China. The GB/T (non-binding) standard defines a third-party resource authorisation protocol tailored for cross-domain identity authentication and authorisation services on the Internet. It specifies authorisation flows, grant types, endpoint functions, and message formats between system entities. Drawing from protocols such as OAuth 2.0 and OAuth 2.1, it incorporates China's national cryptographic algorithms and replaces Transport Layer Security with the Secure Sockets Layer VPN protocol specified in domestic cryptographic standards. The document introduces digital certificate-based client authentication and provides requirements for signing and encrypting access tokens. It is applicable to the development, testing, and evaluation of secure authorisation services within the framework of China’s cybersecurity policies.