IDunion / OpenIDIDComm


Consolidating the usage of "scope" in the authorization request in the Authorization Code Flow #7

Closed ArPhil closed 4 months ago

ArPhil commented 5 months ago

The OpenID4VC spec allows the data of the requested credential in the authorization request in the authorization code flow to be transmitted in two ways:

  1. Using authorization details
  2. Using scope

Our current approach of telling the issuer that this is an OpenIDIDComm credential request (meaning that the wallet is aware of the fact that it has to establish a DIDComm channel before the credential gets issued) is based on the scope(s). However, in 1. (using authorization details) there is no scope.

Also, we do not have an authorization request in the pre-authorized code flow, meaning that the wallet cannot indicate via the scope that it wants to establish a DIDComm channel, since no scope is transmitted in the token request.

How do we align with these scenarios?
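As an added illustration (not code from the OpenIDIDComm project), an issuer-side helper that inspects the three request shapes discussed here: an authorization request carrying `authorization_details`, one carrying `scope`, and a pre-authorized code token request. The DIDComm indicator scope value `openid_idcomm` and the sample parameter values are hypothetical placeholders.

```python
"""Where does the credential request (and a DIDComm indicator) live in OID4VCI requests?"""
import json
from urllib.parse import parse_qs, urlencode

PRE_AUTH_GRANT = "urn:ietf:params:oauth:grant-type:pre-authorized_code"
DIDCOMM_SCOPE = "openid_idcomm"  # hypothetical indicator scope, not defined by the spec


def parse_form(body: str) -> dict:
    """Flatten an application/x-www-form-urlencoded body to single string values."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def credential_requests(params: dict) -> list:
    """List (channel, credential id) pairs from both transport options."""
    found = []
    # Option 1: authorization_details is a JSON array of objects typed "openid_credential"
    if "authorization_details" in params:
        for detail in json.loads(params["authorization_details"]):
            if detail.get("type") == "openid_credential":
                found.append(("authorization_details", detail.get("credential_configuration_id")))
    # Option 2: scope is space-delimited; the issuer maps scope values to credential configurations
    for value in params.get("scope", "").split():
        if value != DIDCOMM_SCOPE:
            found.append(("scope", value))
    return found


def wants_didcomm(params: dict) -> bool:
    """The indicator only travels in scope, so an authorization_details-only request
    (and a pre-authorized token request without scope) never signals it."""
    return DIDCOMM_SCOPE in params.get("scope", "").split()


def is_pre_authorized(params: dict) -> bool:
    """Pre-authorized code flow: no authorization request, only this token request."""
    return params.get("grant_type") == PRE_AUTH_GRANT and "pre-authorized_code" in params


# Constructed sample requests (placeholder values)
AUTHZ_WITH_DETAILS = parse_form(urlencode({
    "response_type": "code", "client_id": "wallet-123",
    "authorization_details": json.dumps(
        [{"type": "openid_credential", "credential_configuration_id": "UniversityDegree"}]),
}))
AUTHZ_WITH_SCOPE = parse_form(urlencode({
    "response_type": "code", "client_id": "wallet-123",
    "scope": "UniversityDegree " + DIDCOMM_SCOPE,
}))
PRE_AUTH_TOKEN = parse_form(urlencode({
    "grant_type": PRE_AUTH_GRANT, "pre-authorized_code": "PLACEHOLDER-CODE",
}))
```

Running `wants_didcomm` over the three samples shows the gap from the issue: only the scope-based authorization request signals the DIDComm channel.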

ArPhil commented 5 months ago

The OpenID4VCI spec seems to allow both authorization details and scope to be present in the authorization request (see here). But it rather expects that it is the "scope" of a credential, not something else (like a DIDComm channel).

But still, this just covers the authorization code flow, not the pre-authorized code flow.

void1042 commented 5 months ago

The OID4VC specification is unclear on whether it allows a scope to be included in the pre-auth token request.

On one hand it requires the request to be "[...] made as defined in Section 4.1.3 of [RFC6749]", which does not include a scope parameter, and does not extend the request with a scope parameter in the following paragraph.

On the other hand, it implies the possible use of a scope parameter by stating "If the Token Request contains a scope value related to Credential issuance and the Credential Issuer's metadata contains an authorization_servers parameter, it is RECOMMENDED to use a resource parameter [...]".

Generally, as per the OAuth2 spec, both the authorization and token endpoints support the scope parameter.

janawueTUB commented 5 months ago

As @void1042 stated before, the spec is not clear regarding the scope. In our biweekly call, the CTO from Sphereon mentioned that it is no problem to use the scope parameter in the Token Request if wanted.

ArPhil commented 4 months ago

closed.