Open awoie opened 4 years ago
OR13
commented
4 years ago Seems good... I implemented a CHAPI SIOP hacky demo a few weekends ago here: https://github.com/OR13/chapi-siop.did.ai
I would love to take a PR that updated the URIs for SIOP to be more realistic, I didn't put a lot of effort into making them correct, only showing how they might work with CHAPI.
kimdhamilton
commented
2 years ago to discuss 10/7: do we want to bring this in scope?
FYI @csuwildcat @brentzundel
awoie
commented
2 years ago to discuss 10/7: do we want to bring this in scope?
FYI @csuwildcat @brentzundel
IMO, we should. We are working on examples and have already some. We want to wait at least after IIW. We (OIDC4SSI OIDF/DIF WG) want to host a couple of IIW sessions to figure the best way out.
We already have an adopted OIDF draft that shows how to use DIF PE with OIDC: https://openid.net/specs/openid-connect-4-verifiable-presentations-1_0.html independent of the actual OIDC flow.
kimdhamilton
commented
2 years ago agreed; we'll discuss at IIW. @JaceHensley proposed adding a parallel doc with embed examples -- follow up on this
kimdhamilton
commented
2 years ago See Tim's example (note: currently outdated) https://github.com/decentralized-identity/presentation-exchange/issues/101#issuecomment-693701768.
Can close #101 as dupe
nklomp
commented
2 years ago Actually the above example by Tim is for a VP in the id_token and missing the outer verifiable_presentations and claims keys around the presentation_definition. See https://openid.net/specs/openid-connect-4-verifiable-presentations-1_0.html#name-self-issued-openid-provider
The other SIOP flow is using the vp_token (basically the VP itself) in the claims param: https://openid.net/specs/openid-connect-4-verifiable-presentations-1_0.html#name-siop-with-vp_token
The spec is a bit inconsistent and contains some errors (plurals but without arrays and the other way around. How do I know? Because we have a SIOP V2 lib with our PE integrated at: https://github.com/Sphereon-Opensource/did-auth-siop (Still very much a WIP)
Sakurann
commented
2 years ago Thank you, Niels! I was about to make a similar comment. Would be great if you could file issues for the errors in the bitbucket: https://bitbucket.org/openid/connect/issues?status=new&status=open
In the examples section, we should probably also add one example that shows support for a normal OIDC flow.
Given the following OIDC auth request:
The above would benefit from the normalization of a new scope
verifiable_presentationthat indicates that the response will contain a W3C Verifiable Presentation.Note, if required, one could add the
submission_requirementsparameter which would result in something like the following:Currently, the Presentation Exchange spec assumes there is only the distributed claims approach which is not really standardized in the OIDC core spec. It leaves a lot of room how people would interpret "reference". We should still certainly support that.
However, something simpler could also be done. According to OIDC core, the claims can be either included in the
id_tokenor through the user info endpoint. Note, the OIDC code flow concludes with an access_token to access the user info endpoint.Additionally, the current OIDC examples don't provide verifiable presentations, they only provide verifiable credentials. We could include verifiable presentations by using the
client_idas thedomainproperty andnonce|at_hashas thechallengeproperty.Example using
id_token:Example using user info:
@OR13 @wyc @csuwildcat any thoughts?