italia / eudi-wallet-it-docs

Italian EUDI Wallet Technical Specifications
Creative Commons Zero v1.0 Universal
57 stars 20 forks source link

Credential Data Model IDA #202

Closed fmarino-ipzs closed 9 months ago

fmarino-ipzs commented 10 months ago

The current Digital Credential Data Model, draws from the OpenID Identity Assurance Profile [OIDC.IDA], needs the changes described below:

As a potential solution, we could consider modifying the data model in the following way, providing in the JSON top-level the user claims (that then results duplicated within the verified_claims.claims objects):

{
  "unique_id": "xxxxxxxx-xxxx-xxx",
  "given_name": "Mario",
  "family_name": "Rossi",
  "birth_date": "1980-01-10",
  "email": "verified@email.example.org",
  "birth_place": {
    "country": "IT",
    "locality": "Rome"
  },
  "verified_claims":
    {
      "verification": {
        "trust_framework": "eidas",
        "assurance_level": "high",
        "evidence": [
          {
            "type": "electronic_record",
            "record": {
              "type": "https://eudi.wallet.cie.gov.it",
              "source": {
                "organization_name": "Ministero dell'Interno",
                "organization_id": "m_it",
                "country_code": "IT"
              }
            }
          }
        ],
        "claims": {
          "unique_id": "xxxxxxxx-xxxx-xxx",
          "given_name": "Mario",
          "family_name": "Rossi",
          "birth_date": "1980-01-10",
          "birth_place": {
            "country": "IT",
            "locality": "Rome"
          }
        }
      }
    }
}

This implies that verified_claims is an additional claim given as a JSON object that an RP adopting IDA is able to process and an RP is not interested in the IDA profile may ignore it without breaking changes. The cons of this proposal is that we have the User Claims duplicated in the Credential.

In case we may have user claims coming from different Authentic Sources we can consider having verified_claims as an array of JSON Objects as in the following example

{
  "unique_id": "xxxxxxxx-xxxx-xxx",
  "given_name": "Mario",
  "family_name": "Rossi",
  "birth_date": "1980-01-10",
  "email": "verified@email.example.org",
  "birth_place": {
    "country": "IT",
    "locality": "Rome"
  },
  "verified_claims": [
    {
      "verification": {
        "trust_framework": "eidas",
        "assurance_level": "high",
        "evidence": [
          {
            "type": "electronic_record",
            "record": {
              "type": "https://eudi.wallet.cie.gov.it",
              "source": {
                "organization_name": "Ministero dell'Interno",
                "organization_id": "m_it",
                "country_code": "IT"
              }
            }
          }
        ],
        "claims": {
          "unique_id": "xxxxxxxx-xxxx-xxx",
          "given_name": "Mario",
          "family_name": "Rossi",
          "birth_date": "1980-01-10",
          "birth_place": {
            "country": "IT",
            "locality": "Rome"
          }
        }
      }
    },
    {
    "verification": { ... ,
    "claims": {
      "email": "verified@email.example.org",
      }
    }
    }
  ]
}
peppelinux commented 10 months ago

Additional requirements and implementation considerations include:

peppelinux commented 9 months ago

Over the past few weeks, my team has addressed the following:

To overcome these limitations, we've decided to:

Below I share a pull request that introduces this "feature" within the OpenID4VCI metadata (and divides AS metadata from OpenID4VCI metadata as well). A subsequent pull request will modify the PID data model.

https://github.com/italia/eudi-wallet-it-docs/pull/217