The reference implementation of the Nuts specification. A decentralized identity network based on the W3C SSI concepts with practical functionality for the healthcare domain.
To prove the node is compatible with OpenID4VCI, it should be able to issue credentials to a generic wallet. This requires the following:
[ ] Support API call returning credential_offer for QR code rendering (we only support sending the credential offer to a wallet's offer endpoint)
[ ] Support having the OpenID4VCI endpoints publicly accessible, instead of (only?) under /n2n
[ ] Have the node support producing did:web documents
[ ] Have a demo-app through which the VC is issued
Actual use case/demo
Allow users to log into Demo EHR using an EmployeeCredential in their wallet. The pre-authorized code flow for issuing VCs applies to this use case, so we don't need the authorization code flow in this case. However, we currently issue the credential before offering it to the wallet. Since we don't know the mobile wallet's DID upfront (e.g. did:jwk), we can only issue it when the wallet requests the credential (since it contains proof containing the wallet's DID).
This requires additionally:
[ ] Specifying the credential
[ ] Have Demo EHR issue the credential (maybe after the user is logged in?)
[ ] OpenID4VP support for logging in with the credential in Demo EHR
[ ] Support issuing VC when wallet requests the credential, instead of pre-emptively.
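To illustrate issuing at request time, here is an added example (not nuts-node code) of validating the OpenID4VCI `jwt` key proof in a credential request and deriving the wallet's DID from it for use as the credential subject. It assumes a did:jwk holder with a P-256 key signing ES256 and a single-string `aud`; `HolderFromProof` and `dec` are hypothetical names.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
)

func dec(s string) []byte { b, _ := base64.RawURLEncoding.DecodeString(s); return b }
// HolderFromProof checks a credential request's key proof and returns the wallet
// DID to issue to. Assumption: only did:jwk with a P-256 key and ES256 is handled.
func HolderFromProof(proof, issuer, cNonce string) (string, error) {
	p := strings.Split(proof, ".")
	if len(p) != 3 {
		return "", errors.New("proof is not a compact JWT")
	}
	var hdr struct{ Alg, Typ, Kid string }
	var cl struct{ Aud, Nonce string }
	var jwk struct{ Kty, Crv, X, Y string }
	if json.Unmarshal(dec(p[0]), &hdr) != nil || json.Unmarshal(dec(p[1]), &cl) != nil {
		return "", errors.New("malformed header or claims")
	}
	if hdr.Alg != "ES256" || hdr.Typ != "openid4vci-proof+jwt" {
		return "", errors.New("unexpected alg or typ")
	}
	did, _, _ := strings.Cut(hdr.Kid, "#") // kid is a DID URL: did:jwk:<base64url JWK>#0
	if !strings.HasPrefix(did, "did:jwk:") || json.Unmarshal(dec(did[8:]), &jwk) != nil || jwk.Kty != "EC" || jwk.Crv != "P-256" {
		return "", errors.New("kid is not a P-256 did:jwk")
	}
	pub := ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(dec(jwk.X)), Y: new(big.Int).SetBytes(dec(jwk.Y))}
	sig, sum := dec(p[2]), sha256.Sum256([]byte(p[0]+"."+p[1]))
	if len(sig) != 64 || !ecdsa.Verify(&pub, sum[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return "", errors.New("signature does not match the key in the DID")
	}
	if cl.Aud != issuer || cl.Nonce != cNonce { // binds the proof to this issuer and this token's c_nonce
		return "", errors.New("proof not bound to this issuer or c_nonce")
	}
	return did, nil
}

func main() {
	fmt.Println(HolderFromProof("e30.e30.AA", "https://issuer.example", "n-1")) // constructed proof with empty header: rejected
}
```

The DID is only returned after the signature, audience and nonce all check out, so a credential is never bound to a key the requester has not shown it controls.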
We demoed this with Sphereon Wallet; MS Authenticator didn't work at that time (since it doesn't support OpenID4VCI). There are new POCs that do this.