Simple SSI User Authentication

[domwoe]

In addition to the powerful OIDC integration we want to provide a simple addition to the local authentication strategy.

In addition to user name/password the login page should provide the possibility to login using a proof request encoded in a QR code. This should provide a lightweight demonstration of VC-based login without any other external dependencies.

• The QR code should either be a connection-less proof request or an OOB proof request supporting connection reuse.
• The proof template should be configurable

[swcurran]

I'd suggest not using a connection-less proof and use a connection instead, assuming OOB and connection reuse is possible. If you use a connection, you have certainty that the proofs are always coming from the same party, and knowledge of the party builds. Further, if you subsequently issue on the same connection, you have certainty that the credential is going to the same party.

I think that a cookie in the browser that allows the BPA to link the browser to a connection could be very useful here so that there is no need for a scan of a QR code on every visit.

That said, the vc-authn-oidc implementation BC Gov has done would allow using the OIDC integration using VCs via connection-less proofs.

[domwoe]

Thanks for your input. That's great! We need to check if the smartphone wallets already support OOB and we'd need to prepare https://github.com/hyperledger-labs/acapy-java-client to support OOB.

@parc-jason has already implemented an OIDC integration that would allow to use VC-AuthN-OIDC, but I think it make sense to provide a lightweight SSI authentication method without additional dependencies as well.

[domwoe]

@ntsbs Could you notify us here when OOB is getting close? :)