Align OpenID4VCI client with implementers draft #3152
Labels
Comments
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
{{ message }}
An Implementers Draft has been released for OpenID4VCI. This is the version that will be supported for a longer time by implementing parties for interoperability and is in the DIIP profile. We should align our implementation with this version of the spec. Since the Nuts node only implement the client side for OpenID4VCI this is even more relevant.
The summary below contains the points (using spec section numbering) where the Nuts node does not comply with the spec or where additional features could simplify things. This should be fixed when we have implemented and OpenID4VCI issuer, or see if we can collaborate with a party that has a DIIP compliant issuer.
5 Authorization Endpoint
Recommended to use PKCE (implemented) and PAR (not implemented. mostly useful for applications (mobile wallets) without a domain to host the
request_uriof a JAR).Credentials can be requested using
authorization_detailsandscopes.5.1.1 request credentials using
authorization_detailsRFC9396Only supported option. Supported credentials are listed in the credential issuer metadata. We currently require the
authorization_detailsto be provided by the user, meaning that the user needs to figure out the details using some out of bound method. It would be better to only provide the credential issuer and then present the user with available options, but this works for now.authorization_servers: "the authorization detail's locations common data field MUST be set to the Credential Issuer Identifier value."authorization_detailsis currently sent as query param in the request. Browser redirects may fail if it contains too many chars. JAR/PAR may be needed.5.1.2 request credentials using
scopesNot implemented, but is the simplest option. This may require a change to the API we provide for credential requests.
5.1.4 Pushed Authorization requests
Recommended, but not implemented.
6 Token Endpoint
For the
authorized_codeflow this the request is the default per RFC67496.1 confusing. extensions mentioned probably not relevant to the
authorization_codeflow6.2 Token response
RFC6749 + some extra response params:
authorization_details: REQUIRED whenauthorization_detailsparameter is used to request issuance of a certain Credential type as defined in Section 5.1.1credential_identifiers: using this makes for a simpler credential request when usingauthorization_details, but is OPTIONAL.7 Credential Endpoint
7.2 credential request
formatorcredential_identifierMUST be present)proof_types_supported(we only supportjwt) andproof_signing_alg_values_supportedare not checked.proofissuestypMUST beopenid4vci-proof+jwt(currentlyjwt)iatjtiaud== credential issuer identifier: "11.2.1 A Credential Issuer is identified by a case sensitive URL using thehttpsscheme that contains scheme, host and, optionally, port number and path components, but no query or fragment components." Currently contains a DID, should be did:web URL.7.3 Credential Response
transaction_idif issuer is using deferred flow. This is currently not supported, but should be detected and return an appropriate error.11 Metadata
11.2 credential issuer metadata:
/.well-known/openid-credential-issuerFor correct interpretation of the issuers's capabilities and intentions we need to add the following parameters
credential_identifiers_supported, but only if we want to use this in §6.2signed_metadataOPTIONAL just for convenience as it eliminates one call in the flow if presentcredential_configurations_supportedwhich is REQUIRED and shows the capabilities of the issuer11.3 authorization server metadata:
/.well-known/authorization-serverpre-authorized_grant_anonymous_access_supported==trueis incorrectly added to our metadata since we do not supportpre-authorized_codeflow4, 8-10 Credential Offer, Batch, Deferred, and Notification Endpoints are not supported
The text was updated successfully, but these errors were encountered: