eu-digital-identity-wallet / eudi-lib-jvm-openid4vci-kt

Implementation of OpenID for Verifiable Credential Issuance protocol (wallet's role) in Kotlin
Apache License 2.0

Align Token Request to Draft 13 #148

Closed babisRoutis closed 5 months ago

babisRoutis commented 7 months ago

We should pass tx_code instead of user_pin

vafeini commented 7 months ago

Draft 13 mentions the following:

"If the Token Request contains an authorization_details parameter (as defined by [RFC9396]) of type openid_credential and the Credential Issuer's metadata contains an authorization_servers parameter, the authorization_details object MUST contain the Credential Issuer's identifier in the locations element."

It must be investigated whether authorization_details should also be supported when placing the request to the /token endpoint.

babisRoutis commented 7 months ago

I think that we should NOT include authorization_details when placing a token request.

Here is the reason for this omission:

RFC9396 indeed suggests that a token request may include an authorization_details (reference). This option allows the caller (the wallet in our case) to get an access_token with reduced authorizations compared to the ones the user authorized.

I see no real use of this feature in the context of OpenID4VCI, given that what the user authorizes is driven by the credential offer.
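
An added example, not part of the thread and not the library's own code: a Kotlin sketch of a pre-authorized code token request that uses the Draft 13 name tx_code instead of user_pin and omits authorization_details, plus a check that flags either name in an outgoing request. The function names and sample values are hypothetical; the grant_type and pre-authorized_code parameters come from the OpenID4VCI specification.

```kotlin
import java.net.URLEncoder
import java.nio.charset.StandardCharsets.UTF_8

// Grant type identifier OpenID4VCI defines for the pre-authorized code flow.
const val PRE_AUTHORIZED_CODE_GRANT = "urn:ietf:params:oauth:grant-type:pre-authorized_code"

// Hypothetical helper (not the library's API): form parameters of a token
// request for the pre-authorized code grant, using Draft 13 parameter names.
fun preAuthorizedTokenRequest(preAuthorizedCode: String, txCode: String?): Map<String, String> {
    require(preAuthorizedCode.isNotBlank()) { "pre-authorized_code must not be blank" }
    val params = linkedMapOf(
        "grant_type" to PRE_AUTHORIZED_CODE_GRANT,
        "pre-authorized_code" to preAuthorizedCode,
    )
    if (txCode != null) {
        require(txCode.isNotBlank()) { "tx_code must not be blank when supplied" }
        params["tx_code"] = txCode // Draft 13 name; user_pin is never sent
    }
    // authorization_details is left out, as argued in the last comment above.
    return params
}

// Hypothetical regression check: names in an outgoing token request that the
// thread says should not be there.
fun unexpectedParameters(params: Map<String, String>): List<String> =
    listOf("user_pin", "authorization_details").filter { it in params }

// application/x-www-form-urlencoded body for the POST to the /token endpoint.
fun formEncode(params: Map<String, String>): String =
    params.entries.joinToString("&") { (name, value) ->
        URLEncoder.encode(name, UTF_8) + "=" + URLEncoder.encode(value, UTF_8)
    }

fun main() {
    // Constructed sample values, not taken from any real issuer.
    val request = preAuthorizedTokenRequest("example-pre-authorized-code", "493536")
    check(unexpectedParameters(request).isEmpty())
    println(formEncode(request))

    // A request still built the pre-Draft-13 way is flagged.
    val legacy = mapOf("grant_type" to PRE_AUTHORIZED_CODE_GRANT, "user_pin" to "493536")
    println(unexpectedParameters(legacy))
}
```

A check like unexpectedParameters fits in a unit test over the request the wallet actually serializes, so a reintroduced user_pin fails the build rather than being silently ignored by the issuer.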