search

eu-digital-identity-wallet / eudi-srv-pid-issuer

A micro-service acting like PID/mDL Issuer according to OpenID4VCI
Apache License 2.0
16 stars 8 forks source link

Batch Credentials endpoint #6

Closed babisRoutis closed 4 months ago

babisRoutis commented 11 months ago

Batch Credential Request

It seems that the implementation is straight forward, at least for the happy path.

A batch credential request is a container for one or more individual credentials requests. The same is true for the response.

Considerations: Given that the batch issuance follows an or all or none approach, there is the unhappy path that while serving a batch request, there are some credentials issued and at least one that fails.

This means that either a. Issuance of each specific credential should have NO permanent side effects, or b. Issuance should have some compensation function to immediately cancelled an issued credential.

I believe that (a) cannot be met.

For instance, to fully comply with SD-JWT-VC the issue must add revocation information to the credential which requires the permanent association of the credential to a JWT-CWT Status list, which is a permanent side-effect.

dzarras commented 8 months ago

Some extra points that I believe require clarification, are the following:

  1. Concerning c_nonce and c_nonce_expires_in: Do we include it in every individual Credential Response or it just the Batch Credential Response (i.e. the top level container)?
  2. What is the structure of a Batch Credential Error Response? Reading the spec, I get the impression that the structure of a Batch Credential Error Response is the same as a Credential Error Response. (i.e an error response for a single Credential Request) If the above is true, this raises the following question: In case we fail to issue multiple Credentials, whose error do we report? The first one that failed?
babisRoutis commented 8 months ago

Some extra points that I believe require clarification, are the following:

  1. Concerning c_nonce and c_nonce_expires_in: Do we include it in every individual Credential Response or it just the Batch Credential Response (i.e. the top level container)?

I think the VCI is clear. It even provides some batch response examples which include the c_nonce & c_nonce_expires_in as top-level attributes.

2. What is the structure of a Batch Credential Error Response?
   Reading the spec, I get the impression that the structure of a Batch Credential Error Response is the same as a Credential Error Response. (i.e an error response for a single Credential Request)
   If the above is true, this raises the following question: In case we fail to issue multiple Credentials, whose error do we report? The first one that failed?

With regards to error response we can return just the first one error and error_description. This is not clearly stated in the VCI but practically, there is not another option

dzarras commented 8 months ago

Some extra points that I believe require clarification, are the following:

  1. Concerning c_nonce and c_nonce_expires_in: Do we include it in every individual Credential Response or it just the Batch Credential Response (i.e. the top level container)?

I think the VCI is clear. It even provides some batch response examples which include the c_nonce & c_nonce_expires_in as top-level attributes.

Not necessarily, at least in my opinion. The examples might be straightforward, but the spec states here for Batch Credential Response:

credential_responses: REQUIRED. Array that contains Credential Response objects, as defined in Section 7.2, and/or Deferred Credential Response objects, as defined in Section 9.1. Every entry of the array corresponds to the Credential Request object at the same array index in the credential_requests parameter of the Batch Credential Request.

If we interpret this literally, we're not restricted from providing c_nonce and c_nonce_expires_in in each individual Credential Response. Does it make sense to do so? Probably not. 

2. What is the structure of a Batch Credential Error Response?
   Reading the spec, I get the impression that the structure of a Batch Credential Error Response is the same as a Credential Error Response. (i.e an error response for a single Credential Request)
   If the above is true, this raises the following question: In case we fail to issue multiple Credentials, whose error do we report? The first one that failed?

With regards to error response we can return just the first one error and error_description. This is not clearly stated in the VCI but practically, there is not another option

Agreed

babisRoutis commented 8 months ago

@dzarras About c_nonce please implemented as I described it.

The part that you provided, from VCI, is full of errors since 7.2 and 9.1 are pointing to credential request & deferred credential request, respectively

babisRoutis commented 8 months ago

@dzarras Just added an issue to the protocol authors https://github.com/openid/OpenID4VCI/issues/273

babisRoutis commented 8 months ago

@dzarras Just added an issue to the protocol authors openid/OpenID4VCI#273

It seems that VCI authors acknowledged the issue

babisRoutis commented 7 months ago

To implement batch endpoint we need to clarify what happens with the response encryption. @vafeini opened https://github.com/openid/OpenID4VCI/issues/286 to sort this out.

babisRoutis commented 5 months ago

An update

To watch https://github.com/openid/OpenID4VCI/pull/319. It clarifies the credential_response_encryption

babisRoutis commented 4 months ago

It seems that batch endpoint will be removed from VCI specification in a forthcoming draft. Closing this.