mattrglobal / oidc-portable-identities

oidc-portable-identities
https://mattrglobal.github.io/oidc-portable-identities/

Trust framework and credential type decoupling #6

Open Sakurann opened 3 years ago

Sakurann commented 3 years ago

Capturing the discussion we had so far. This started as part of Discovery mechanism discussion, but now it is touching upon mechanisms RP use to request claims including query language.

@tlodderstedt

tlodderstedt commented 3 years ago

@Sakurann thanks for filing the ticket. It captures the challenge well.

I suggest considering Presentation Exchange as well as OpenID Connect 4 Identity Assurance (https://openid.net/specs/openid-connect-4-identity-assurance-1_0-ID2.html#name-requesting-verified-claims) for designing a suitable solution.

Sakurann commented 3 years ago

Yes, one inspiration could be 6.8. Self-Issued OpenID Connect Provider and External Claims in the identity assurance spec, which uses the Aggregated/Distributed Claims mechanism for SIOP to communicate verified claims attested by a Claims Provider (self-attested claims by SIOP would not meet trust framework requirements). Though Aggregated/Distributed Claims do not support VCs, if VCs support verified claims, they could be included in verified_claims parameters, I assume.

tlodderstedt commented 3 years ago

I think mechanically it is easy to add another channel "verifiable_credential" beside "id_token" and "userinfo" to the claims request parameter in order to request a VC. The not so easy question is the syntax underneath "verifiable_credential". Perhaps the standard OIDC syntax needs to be enriched with Presentation Exchange. Let's see.
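To make the shape of the request concrete, here is an added example (not code from this repository or from either commenter) that parses an OIDC `claims` request parameter carrying the standard `id_token` and `userinfo` channels, the Identity Assurance `verified_claims` sub-structure, and the `verifiable_credential` channel proposed above. The `verifiable_credential` channel name and the contents placed under it are assumptions taken from the comment, not a standardised syntax; the sample request is constructed for this example. The second function applies the point raised earlier in the thread: a self-attested claim cannot satisfy a request that asked for `verified_claims` under a trust framework.

```python
import json

# Channels of the OIDC "claims" request parameter. "id_token" and "userinfo" are
# standard OIDC Core; "verifiable_credential" is the channel proposed in this
# thread and is an assumption of this example, not a standardised name.
KNOWN_CHANNELS = ("id_token", "userinfo", "verifiable_credential")

# Constructed sample request: plain claims use the OIDC Core "essential" member,
# verified claims follow the OpenID Connect for Identity Assurance request syntax,
# and the trust_framework member uses the Core "value"/"values" selectors.
CONSTRUCTED_REQUEST = json.dumps({
    "id_token": {
        "email": {"essential": True},
        "verified_claims": {
            "verification": {"trust_framework": {"value": "eidas"}},
            "claims": {"given_name": None, "family_name": {"essential": True}},
        },
    },
    "userinfo": {"picture": None},
    "verifiable_credential": {  # hypothetical channel from the thread
        "verified_claims": {
            "verification": {"trust_framework": {"values": ["eidas", "de_aml"]}},
            "claims": {"birthdate": None},
        },
    },
})


def _essential(spec):
    """An individual claim request is null (voluntary) or an object with
    optional 'essential'/'value'/'values' members."""
    return bool(spec.get("essential")) if isinstance(spec, dict) else False


def _accepted(spec):
    """Set of acceptable values for a claim request, or None when any value is fine."""
    if not isinstance(spec, dict):
        return None
    if "value" in spec:
        return {spec["value"]}
    if "values" in spec:
        return set(spec["values"])
    return None


def parse_claims_request(raw):
    """Parse a claims request JSON string into a per-channel summary.

    Returns {channel: {"plain": {claim: essential}, "verified": {claim: essential},
                       "trust_frameworks": set-or-None, "wants_verified": bool}}.
    Unknown channels raise ValueError so a misspelt channel is not silently ignored.
    """
    req = json.loads(raw)
    out = {}
    for channel, body in req.items():
        if channel not in KNOWN_CHANNELS:
            raise ValueError(f"unknown claims channel: {channel}")
        summary = {"plain": {}, "verified": {}, "trust_frameworks": None, "wants_verified": False}
        for claim, spec in (body or {}).items():
            if claim == "verified_claims":
                summary["wants_verified"] = True
                verification = (spec or {}).get("verification") or {}
                summary["trust_frameworks"] = _accepted(verification.get("trust_framework"))
                for vclaim, vspec in ((spec or {}).get("claims") or {}).items():
                    summary["verified"][vclaim] = _essential(vspec)
            else:
                summary["plain"][claim] = _essential(spec)
        out[channel] = summary
    return out


def satisfies_trust_framework(summary, presented_framework):
    """Decide whether a claim presented under `presented_framework` (None for a
    self-attested claim) meets the verification requested for one channel."""
    if not summary["wants_verified"]:
        return True   # only plain claims were requested; self-attestation is acceptable
    if presented_framework is None:
        return False  # verified_claims requested but a self-attested claim was offered
    accepted = summary["trust_frameworks"]
    return accepted is None or presented_framework in accepted


if __name__ == "__main__":
    parsed = parse_claims_request(CONSTRUCTED_REQUEST)
    for channel, summary in parsed.items():
        print(channel, "-> self-attested OK:", satisfies_trust_framework(summary, None))
```

The parser deliberately keeps plain and verified claims apart per channel, since the thread's concern is exactly that a verifier must be able to tell which claims it asked to have attested under a trust framework and which it merely asked the SIOP to assert.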