China opens public consultation on new cybersecurity standard for online authorisation

The Chinese National Network Security Standardization Technical Committee Secretariat (TC260) has launched a public consultation on a draft national standard for online authorisation protocols, aimed at strengthening cybersecurity and identity authentication across China’s digital ecosystem. The consultation period runs until 26 October 2025.
The proposed GB/T (non-binding) standard outlines a technical framework for third-party resource authorisation on the internet, focusing on secure cross-domain identity authentication and authorisation services. It is primarily intended for cybersecurity professionals, software developers, and organisations working on secure communication systems.
Building on widely used international protocols such as OAuth 2.0 and OAuth 2.1, the draft standard adapts these mechanisms to China’s cybersecurity requirements. Notably, it integrates national cryptographic algorithms and replaces the commonly used Transport Layer Security (TLS) with the Secure Sockets Layer VPN protocol specified under domestic encryption standards.
Key features of the proposal include:
- Digital certificate-based client authentication for improved security.
- Signing and encryption requirements for access tokens.
- Defined authorisation flows, grant types, endpoint functions, and message formats between interacting systems.
The standard will serve as a reference for the development, testing, and evaluation of secure authorisation services in line with China’s broader cybersecurity policies. Although non-binding, such GB/T standards often become influential benchmarks for technology providers operating within the country’s regulatory framework.