OpenID4VP and SIOPv2 #2451

Open
4 of 10 tasks
reinkrul opened this issue Aug 30, 2023 · 2 comments
reinkrul (Member) commented Aug 30, 2023

OpenID4VP provides a way for VC verifiers to request one or more credentials, in the form of a presentation, from a wallet. For Nuts, this is applicable in data exchanges where a user is required to be present (since it's a flow for when a browser is involved). E.g., when the receiving care organization wants to read medical data at the sender organization's systems. The flow is used during an OAuth2 Authorization Code flow (to get an access token) to authenticate the end-user on the requester's side. The wallet yields 2 response tokens:

  • vp_token containing proof of the requester's care organization (at first, NutsOrganizationCredential, ideally from a trusted third-party issuer)
  • id_token containing proof about the end-user's identity (name, role)

id_token

This token is negotiated through the SIOPv2 protocol.

vp_token

This token is negotiated through OpenID4VP using a DIF Presentation Exchange. In the Nuts use cases it will (probably) be a scope, mapped to a presentation definition, yielding a NutsOrganizationCredential.

Work items

Core protocol

  • Support direct_post mode for sending the authorization response from wallet to verifier, instead of having it as parameters on the redirect back to the verifier.
  • Replace hardcoded metadata URLs with the ones specified by #2443
  • Validate redirect URI sent by verifier
  • Implement id_token (needs design work)
  • Implement /token path
  • Match Presentation Definition with credentials in wallet, instead of just loading credentials from VCR store (requires #2389)

UI

  • Do some styling of the HTML templates for the "WOW!" factor
  • i18n HTML templates (we should at least support Dutch) Openid4vp i18n #2449

Other nice-to-haves (not required for eOverdracht, compatibility with third parties or systems)

  • Support VPs in JWT format (consuming and producing), for compatibility with non-Nuts nodes (VCR: JWT support for credentials and presentations #2520)
  • Support presentation_definition and presentation_definition_uri, so the presentation definition can be specified there (by the verifier) instead of mapping it from scope.
@reinkrul reinkrul added the epic label Aug 30, 2023
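The "Match Presentation Definition with credentials in wallet" work item, as an added example that is not Nuts code: a minimal Go matcher that checks one DIF Presentation Exchange input descriptor against the credentials in a wallet. The dotted path syntax, the descriptor-as-map representation, the OrgDescriptor/Wallet sample data and the credentialSubject.organization.name layout are assumptions of this example.

```go
package main

import "strings"

// resolve walks a dotted "$.a.b" path (simplified JSONPath, an assumption of this
// example), descending into arrays so "$.type" yields each entry of a VC's type list.
func resolve(doc any, keys []string) (out []any) {
	if arr, ok := doc.([]any); ok {
		for _, e := range arr {
			out = append(out, resolve(e, keys)...)
		}
		return out
	}
	if len(keys) == 0 {
		return []any{doc}
	}
	if m, _ := doc.(map[string]any); m[keys[0]] != nil { // non-map or absent key: no value
		return resolve(m[keys[0]], keys[1:])
	}
	return nil
}

// MatchCredentials returns IDs of wallet credentials satisfying every constraint of
// one input descriptor (JSON path -> required const, "" = any present value); an
// empty result means the wallet cannot fulfil the verifier's definition, so no vp_token.
func MatchCredentials(fields map[string]string, wallet []map[string]any) (ids []string) {
	for _, cred := range wallet {
		ok := true
		for path, want := range fields {
			hit := false
			for _, v := range resolve(cred, strings.Split(strings.TrimPrefix(path, "$."), ".")) {
				hit = hit || want == "" || v == want
			}
			ok = ok && hit
		}
		if ok {
			ids = append(ids, cred["id"].(string))
		}
	}
	return ids
}

// Constructed sample: the descriptor an organization scope might map to, and a wallet
// holding one credential of the requested type and one of another type.
var OrgDescriptor = map[string]string{"$.type": "NutsOrganizationCredential", "$.credentialSubject.organization.name": ""}
var Wallet = []map[string]any{
	{"id": "vc-1", "type": []any{"VerifiableCredential", "NutsOrganizationCredential"},
		"credentialSubject": map[string]any{"organization": map[string]any{"name": "Zorg BV"}}},
	{"id": "vc-2", "type": []any{"VerifiableCredential", "NutsAuthorizationCredential"}},
}
```

MatchCredentials(OrgDescriptor, Wallet) yields only "vc-1": vc-2 has the wrong type and no organization name, so every constraint must hold before a credential is offered for the presentation.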
woutslakhorst (Member) commented

Support presentation_definition and presentation_definition_uri, so the presentation definition can be specified there (by the verifier) instead of mapping it from scope.

The RP will use scopes and not a definition, so there will always be a mapping?

reinkrul (Member, Author) commented Sep 5, 2023

In the Nuts use case it is part of an access token flow to request access to an API (FHIR resource), but I can imagine other use cases where presentation definitions could be used; e.g., issuance of a credential by a third party which requires authentication of the holder with a VC (care organization credential or use-case credential).

But we can postpone support for that one for now. I'll reorder the list for priority.

@reinkrul reinkrul changed the title OpenID4VP OpenID4VP and SIOPv2 Sep 12, 2023