Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

add RFC021 vp_token-brearer grant type for oauth2 #265

Merged
merged 28 commits into from
Nov 29, 2023
Merged
Changes from 3 commits
Commits
Show all changes
28 commits
Select commit Hold shift + click to select a range
3055386
add RFC021 vp_token-brearer grant type for oauth2
woutslakhorst Sep 12, 2023
ac52094
update vp_formats format
woutslakhorst Sep 12, 2023
ae71774
fixed technical comments from PR
woutslakhorst Sep 14, 2023
ac552e2
some fixes
woutslakhorst Sep 15, 2023
41918d8
fix PE version
woutslakhorst Sep 15, 2023
d6dbbf8
stuff
woutslakhorst Sep 15, 2023
4995470
add scope param to example
woutslakhorst Sep 20, 2023
fdb9f2c
PR feedback
woutslakhorst Sep 20, 2023
a4d5481
PR feedback
woutslakhorst Sep 27, 2023
0d04aa2
PR feedback
woutslakhorst Oct 2, 2023
cc3d2e4
changed use of jti/challenge over nonce and more strict scope usage
woutslakhorst Oct 3, 2023
9c39be2
added error codes
woutslakhorst Oct 9, 2023
60d54cc
PR feedback
woutslakhorst Oct 12, 2023
4716cea
added empty scope
woutslakhorst Oct 12, 2023
d5ed03d
some small privacy related things
woutslakhorst Oct 17, 2023
e70e169
remove parsing detection
woutslakhorst Oct 17, 2023
6e8d31b
Removed scope chapter
woutslakhorst Oct 24, 2023
04021d5
small things
woutslakhorst Oct 26, 2023
3797e92
added client_id to introspection
woutslakhorst Oct 27, 2023
b82d74f
PR feedback
woutslakhorst Nov 3, 2023
3186b22
PR feedback
woutslakhorst Nov 8, 2023
39ee82d
added presentation_submission to introspectin
woutslakhorst Nov 14, 2023
c0b8639
fields as fields
woutslakhorst Nov 16, 2023
8af6a96
PR feedback
woutslakhorst Nov 20, 2023
38a97c8
redefine assertion param
woutslakhorst Nov 23, 2023
67c6ae1
PR feedback
woutslakhorst Nov 27, 2023
062a5e7
jti to nonce
woutslakhorst Nov 28, 2023
221c386
Update rfc/rfc021-vp_token-grant-type.md
woutslakhorst Nov 29, 2023
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
160 changes: 160 additions & 0 deletions rfc/rfc021-vp_token-grant-type.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,160 @@
# RFC021 VP Token Grant Type

| | |
|:--------------------------|:-----------------|
| Nuts foundation | W.M. Slakhorst |
| Request for Comments: 021 | Nedap |
| | September 2023 |

## VP Token Grant Type

### Abstract

This specification defines the use of a Verifiable Presentation Bearer
Token as a means for requesting an OAuth 2.0 access token.

### Status of document

This document is currently in draft.

### Copyright Notice

![](../.gitbook/assets/license.png)

This document is released under the [Attribution-ShareAlike 4.0 International \(CC BY-SA 4.0\) license](https://creativecommons.org/licenses/by-sa/4.0/).

## 1. Introduction

A Verifiable Presentation [VP] is an encoding that enables identity and security information base on Verifiable Credentials to be shared across security domains.
woutslakhorst marked this conversation as resolved.
Show resolved Hide resolved
A security token is generally issued by an Identity Provider and consumed by a Relying Party that relies on its content to identify the token's subject for security-related purposes.
woutslakhorst marked this conversation as resolved.
Show resolved Hide resolved
woutslakhorst marked this conversation as resolved.
Show resolved Hide resolved
In the case of Verifiable Credentials, the identity provider role is fulfilled by the holder using a wallet. The relying party role equals the verifier role as defined by the Verifiable Credentials specification.
woutslakhorst marked this conversation as resolved.
Show resolved Hide resolved
woutslakhorst marked this conversation as resolved.
Show resolved Hide resolved
gerardsn marked this conversation as resolved.
Show resolved Hide resolved

The OAuth 2.0 Authorization Framework [RFC6749] provides a method for making authenticated HTTP requests to a resource using an access token.
Access tokens are issued to third-party clients by an authorization server (AS) with the (sometimes implicit) approval of the resource owner.
In OAuth, an authorization grant is an abstract term used to describe intermediate credentials that represent the resource owner authorization.
An authorization grant is used by the client to obtain an access token. Several authorization grant types are defined to support a wide range of client types and user experiences.
OAuth also allows for the definition of new extension grant types to support additional clients or to provide a bridge between OAuth and other trust frameworks.
Finally, OAuth allows the definition of additional authentication mechanisms to be used by clients when interacting with the authorization server.

"Assertion Framework for OAuth 2.0 Client Authentication and Authorization Grants" [RFC7521] is an abstract extension to OAuth 2.0 that provides a general framework for the use of assertions (a.k.a. security tokens) as client credentials and/or authorization grants with OAuth 2.0.
This specification profiles the OAuth Assertion Framework [RFC7521] to define an extension grant type that uses a Verifiable Presentation Bearer Token to request an OAuth 2.0 access token.

## 2. Terminology

All terms are as defined in the following specifications: "The OAuth 2.0 Authorization Framework" [RFC6749], the OAuth Assertion Framework [RFC7521] "JSON Web Token (JWT)" [JWT], Verifiable Credentials Data Model 1.1 [VC-DATA-MODEL], Verifiable Credentials Presentation Exchange [PE], JSON Web Signature 2020 [JSONWebSignature2020], Decentralized Identifiers 1.0 [DID].
woutslakhorst marked this conversation as resolved.
Show resolved Hide resolved
woutslakhorst marked this conversation as resolved.
Show resolved Hide resolved

## 3. HTTP Parameter Bindings for Transporting Assertions

The OAuth Assertion Framework [RFC7521] defines generic HTTP parameters for transporting assertions (a.k.a. security tokens) during interactions with a token endpoint.
This section defines specific parameters and treatments of those parameters for use with VP Bearer Tokens as Authorization Grants.

To use a VP as an authorization grant, the client uses an access token request as defined in Section 4 of the OAuth Assertion Framework [RFC7521] with the following specific parameter values and encodings.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does the grant always contain a single VP (makes sense for s2s flow) or can it contain a VP array as in OpenID4VP?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Theoretically a server could combine multiple wallets... (like vendor and tenant). Let's start with 1 and see how far we get.


The value of the "grant_type" is "vp_token-bearer".
woutslakhorst marked this conversation as resolved.
Show resolved Hide resolved

The value of the "assertion" parameter MUST contain a Verifiable Presentation. The Verifiable Presentation MUST be encoded as either:
woutslakhorst marked this conversation as resolved.
Show resolved Hide resolved

* The Verifiable Presentation is encoded as JSON using the application/x-www-form-urlencoded content type.
woutslakhorst marked this conversation as resolved.
Show resolved Hide resolved
woutslakhorst marked this conversation as resolved.
Show resolved Hide resolved
* The Verifiable Presentation is encoded as JWT according to section §6.3.1 of the Verifiable Credentials Data Model 1.1 [VC-DATA-MODEL].
woutslakhorst marked this conversation as resolved.
Show resolved Hide resolved

The "scope" parameter MUST be used, as defined in the OAuth Assertion Framework [RFC7521], to indicate the requested scope.
woutslakhorst marked this conversation as resolved.
Show resolved Hide resolved
woutslakhorst marked this conversation as resolved.
Show resolved Hide resolved
The scope parameter determines the set of credentials the authorization server expects.

The "presentation_submission" parameter MUST be used, as defined in Presentation Exchange [PE], to indicate how the VP matches the requested Verifiable Credentials.
woutslakhorst marked this conversation as resolved.
Show resolved Hide resolved
The Presentation Submission MUST be encoded using the application/x-www-form-urlencoded content type.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

but it's JSON?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, so correct escaping is required.

woutslakhorst marked this conversation as resolved.
Show resolved Hide resolved

The following example demonstrates an access token request with a VP as an authorization grant (with extra line breaks for display purposes only):

POST /token.oauth2 HTTP/1.1
Host: as.example.com
Content-Type: application/x-www-form-urlencoded

grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Avp_token-bearer
woutslakhorst marked this conversation as resolved.
Show resolved Hide resolved
&assertion=eyJhbGciOiJFUzI1NiIsImtpZCI6IjE2In0.
eyJpc3Mi[...omitted for brevity...].
J9l-ZhwP[...omitted for brevity...]
&presentation_submission= {..}
woutslakhorst marked this conversation as resolved.
Show resolved Hide resolved

## 3.1 Assertion Encoding

As stated in the previous section, the assertion parameter can either be encoded in JSON or JWT.
woutslakhorst marked this conversation as resolved.
Show resolved Hide resolved
The authorization server determines the encoding by adding the correct parameters to the authorization server metadata [RFC8414]].
The following parameter MUST be added:

* `vp_formats`: An object defining the formats and proof types of Verifiable Presentations and Verifiable Credentials that a Verifier supports as stated by §9 of the OpenID for Verifiable Presentations specification [OIDC4VP].
woutslakhorst marked this conversation as resolved.
Show resolved Hide resolved

When processing the assertion the authorization server can detect the used format by checking the initial character.
A JSON encoded assertion starts with a '{' character or '%7B' when urlencoded.

## 4. Processing requirements

In order to issue an access token response as described in OAuth 2.0 [RFC6749], the authorization server MUST validate the VP.
The validation requirements are split into three paragraphs. The first paragraph describes the requirements that apply to all VP's.
The second paragraph describes the requirements that apply to JWT encoded VP's. The third paragraph describes the requirements that apply to JSON encoded VP's.

### 4.1 General requirements

1. The authorization server MUST validate the Presentation Submission according to section 6 of the Presentation Exchange [PE] specification.
2. The authorization server MUST validate the VP according to section 6.1 of the Presentation Exchange [PE] specification.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

section 6.1 != section 6?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

True, 6 describes things in general and broader, 6.1 has the exact list of points to check

woutslakhorst marked this conversation as resolved.
Show resolved Hide resolved
3. The Presentation Submission MUST be an answer to the Presentation Definition that corresponds with the requested scope.
How an authorization server determines the Presentation Definition based on scope is out of scope of this specification.
However, a request to the Presentation Definition endpoint MUST result to the same Presentation Definition as the Presentation Definition that is used to validate the VP.
woutslakhorst marked this conversation as resolved.
Show resolved Hide resolved
4. The Verifiable Presentation MUST be not be valid for more than 15 minutes.
woutslakhorst marked this conversation as resolved.
Show resolved Hide resolved
5. A clock skew of no more than 5 seconds MAY be applied when validating the Verifiable Presentation.
woutslakhorst marked this conversation as resolved.
Show resolved Hide resolved

### 4.2 JWT requirements

woutslakhorst marked this conversation as resolved.
Show resolved Hide resolved
1. The assertion MUST be a valid JWT according to §6.3.1 of the Verifiable Credentials Data Model 1.1 [VC-DATA-MODEL].
2. The `vp` field of the JWT MUST be valid according to §4.10 the Verifiable Credentials Data Model 1.1 [VC-DATA-MODEL].
gerardsn marked this conversation as resolved.
Show resolved Hide resolved
3. The `nonce` of the JWT MUST be a string that is unique for each request.
woutslakhorst marked this conversation as resolved.
Show resolved Hide resolved
4. The `iss` field MUST be a Decentralized Identifier [DID].
5. The `kid` field MUST be a DID URL and MUST resolve to a verificationMethod in the DID Document. The DID part of the DID URL MUST match the `iss` field.
woutslakhorst marked this conversation as resolved.
Show resolved Hide resolved
6. The `sub` field MUST match the `credentialSubject.id` field from all the Verifiable Credentials that are used to request the access token.
7. The `aud` field MUST be a DID under control of the Authorization Server.
woutslakhorst marked this conversation as resolved.
Show resolved Hide resolved

### 4.3 JSON requirements

1. The assertion MUST be a valid JSON object according to §4.10 the Verifiable Credentials Data Model 1.1 [VC-DATA-MODEL].
2. The proof of the VP MUST be a valid [JSONWebSignature2020] object.
3. The `challenge` field of the JSON object MUST be a string that is unique for each request.
woutslakhorst marked this conversation as resolved.
Show resolved Hide resolved
4. The `domain` field of the JSON object MUST be a DID under control of the Authorization Server.
5. The `verificationMethod` field of the Proof MUST be a DID URL.
6. The `holder` field if present MUST match the `credentialSubject.id` field from all the Verifiable Credentials that are used to request the access token.
woutslakhorst marked this conversation as resolved.
Show resolved Hide resolved
7. The `verificationMethod` field of the proof MUST match the `credentialSubject.id` field from all the Verifiable Credentials that are used to request the access token.

## 5. Presentation Definition endpoint

In order for a client to know which Presentation Definition [PE] to use, the authorization server MUST provide a Presentation Definition endpoint.
woutslakhorst marked this conversation as resolved.
Show resolved Hide resolved
The Presentation Definition endpoint MUST be registered as a `presentation_definition_endpoint` in the authorization server metadata [RFC8414].
woutslakhorst marked this conversation as resolved.
Show resolved Hide resolved
The Presentation Definition endpoint MUST return a Presentation Definition that corresponds with the requested scope.

## 6. Access Token Introspection
gerardsn marked this conversation as resolved.
Show resolved Hide resolved

The authorization server MUST support the access token introspection endpoint as defined in OAuth 2.0 [RFC7662].
woutslakhorst marked this conversation as resolved.
Show resolved Hide resolved
The introspection endpoint MUST return the following fields:
woutslakhorst marked this conversation as resolved.
Show resolved Hide resolved

* `iss`: The issuer of the access token.
* `sub`: The subject of the access token.
* `exp`: The expiration time of the access token.
* `iat`: The time the access token was issued.
* `scope`: The granted scope.
* `vcs`: The Verifiable Credentials that were used to request the access token.
woutslakhorst marked this conversation as resolved.
Show resolved Hide resolved

## 7. Security Considerations
woutslakhorst marked this conversation as resolved.
Show resolved Hide resolved

The nonce/challenge (nonce) is used to prevent replay attacks. The nonce is a random string that is generated by the client.
The nonce is included in the signed data. The authorization server MUST reject any request that uses a nonce that has been used before.
The authorization server MAY reduce storage requirements by only storing the nonce for the lifetime of the Verifiable Presentation.

## 8. References

* [RFC6749] D. Hardt, "The OAuth 2.0 Authorization Framework", RFC 6749, October 2012, <https://www.rfc-editor.org/info/rfc6749>.
* [RFC7521] D. Campbell, Ed., B. Zaninovich, Ed., "Assertion Framework for OAuth 2.0 Client Authentication and Authorization Grants", RFC 7521, DOI 10.17487/RFC7521, May 2015, <https://www.rfc-editor.org/info/rfc7521>.
* [JWT] M. Jones, J. Bradley, N. Sakimura, "JSON Web Token (JWT)", RFC 7519, May 2015, <https://www.rfc-editor.org/info/rfc7519>.
* [VC-DATA-MODEL] M. Sporny, D. Longley, D. Chadwick, "Verifiable Credentials Data Model 1.1", W3C Recommendation, 3 March 2022, <https://www.w3.org/TR/vc-data-model/>.
* [PE] D. Buchner, B. Zundel, M. Riedel, K.H. Duffy, "Presentation Exchange 2.X.X", 12 September 2023, <https://identity.foundation/presentation-exchange>.
* [JSONWebSignature2020] O. Steel, M. Prorock, C.E. Lehner, "JSON Web Signature 2020", W3C Community Group Report, 21 July 2022, <https://w3c-ccg.github.io/lds-jws2020/>.
* [OIDC4VP] O. Terbu, T. Lodderstedt, K. Yasuda, T. Looker, "OpenID for Verifiable Presentations Draft 18", OpenID connect working group, 21 April 2023, <https://openid.net/specs/openid-4-verifiable-presentations-1_0.html>.
woutslakhorst marked this conversation as resolved.
Show resolved Hide resolved
* [RFC8414] M. Jones, N. Sakimura, J. Bradley, "OAuth 2.0 Authorization Server Metadata", RFC 8414, June 2018, <https://www.rfc-editor.org/info/rfc8414>.
* [RFC7662] J. Richer, "OAuth 2.0 Token Introspection", RFC 7662, October 2015, <https://www.rfc-editor.org/info/rfc7662>.
* [DID] M. Sporny, D. Longley, M. Sabadello, D. Reed, O. Steele, C. Allen, "Decentralized Identifiers (DIDs) v1.0", W3C Recommendation, 19 July 2022, <https://www.w3.org/TR/did-core/>.