Open gerardsn opened 1 year ago
Are there any issues on the OpenID Connect bugtracker regarding the inconsistencies?
proof_type_values_supported
should be proof_type
?
proof_type_values_supported
should beproof_type
?
Current strategy is to support all options described in other wallets, and clean up things once the specs are clearer/consistent on the parameter names.
We have also opted for "jwt_vp_json"
and "jwt_vc_json"
since this is in the openid4vp spec, but that doesn't match the DIF claim format registry used everywhere else. Also, the j
in jwt
stands for json
Maybe just add both for now, for the sake of compaitibility?
Maybe just add both for now, for the sake of compaitibility?
that never hurts
The OpenID4VP spec is unclear on how to advertise what data formats are supported. We will need decide what to do for our implementation and document this. Below is an overview of the bits of available information with followed by a proposal at the end.
Authorization Server metadata
According to the OpenID4VP specification the OAuth Authorization Server metadata MUST contain parameter
vp_formats_supported
and provides non-normative example:Here and in appendix A the OpenID4VP spec uses formats
jwt_vc_json
andjwt_vp_json
, which are said to use the JSON Web Signature and Encryption Algorithms registry. For Linked data protected formats the spec describesldp_vc
andldp_vp
, which should use their own cipher suite registry: Linked Data Cryptographic Suite Registry The rest of the spec provides no example of what the LD(P) notation for thevp_formats_supported
metadata field should look like. It is also inconsistent in applying its own notation. Based on the available information the generic format should be:Which would look something like this
Client metadata
The OpenID4VP spec also describes the corresponding
vp_formats
field of type object that MUST be present without defining its format. It does contain an example using client metadata in the following body for an authorization request:The client metadata looks nothing like what is specced for AS metadata, but it is consistent with the spec for Presentation Exchange. Example from Presentation Exchange 2.0.0:
Summarize
The spec is clearly unfinished on this part, so what are we going to implement? It looks like the OpenID4VP spec is converging towards what is described for the presentation exchange. Based on this I propose to implement the Presentation Exchange and Client Metadata as described, and make the following adjustments to the AS metadata:
_json
from the JWT versions:jwt_vc
andjwt_vp
. (EBSI also did this)alg_values_supported
toproof_type_values_supported
forldp_*
formats. This matches PE and is also consistent with the"alg"
field injwt
s and"proof": { "type":...
in the VC DATA model. (I cannot find any examples forldp_*
formats)The only weird-ish things remaining are that
alg_values_supported
andproof_type_values_supported
are nested undervp_formats_supported
, andThe decision should be clearly documented in the NUTS profile until the OpenID4VCI spec is clarified.
OpenID4VP - https://openid.bitbucket.io/connect/openid-4-verifiable-presentations-1_0.html EBSI - https://api-conformance.ebsi.eu/docs/ct/providers-and-wallets-metadata Presentation Exchange - https://identity.foundation/presentation-exchange/spec/v2.0.0/#presentation-definition