Support EmployeeID authentication means for OpenID4VP - Githubissues

nuts-foundation / nuts-node

The reference implementation of the Nuts specification. A decentralized identity network based on the w3c ssi concepts with practical functionality for the healthcare domain.

https://nuts-foundation.gitbook.io

GNU General Public License v3.0

23 stars 15 forks source link

Support EmployeeID authentication means for OpenID4VP #2901

Closed woutslakhorst closed 4 months ago

woutslakhorst commented 6 months ago

For the 'old' flow a credential was created on the fly after the user clicked on OK. Any information is passed to the other side for auditing purposes. We need a new (temporary) way to transfer user information to the other side as long as there's no (Q)EAA credential in a user wallet.

woutslakhorst commented 6 months ago

The preferred way is to forward the user to a node user page (for example for starting OpenID4VP). The node should support OIDC and custom params via the initial API for development. The OIDC flow will return claims that can be used to generate a VC. When the user first goes to the node user page, the node will create a did:jwk and issue a EmployeeCred from the Organization to the did:jwk using data from OIDC ID_TOKEN. The did:jwk and credential are stored in the session store. In the OpenID4VP flow, this user wallet is also allowed to be used for matching against PEX.

This way the ephemeral did:jwk wallet can be extended to a cloud user wallet using webauthn. Development effort is significant but is most future proof.

woutslakhorst commented 6 months ago

[x] design user flow, currently there's one entry point 'startOpenID4VP'. Another one will be added for OpenID4VCI. For each user flow:
- [x] check if user has a wallet
- [x] if not (default for now), create a did:jwk
- [x] issue a NutsEmployeeCredential to the did:jwk
  - [x] at first; user details provided by calling XIS
  - [ ] later; OpenID Connect support to integrate with party's Identity Provider
- [x] store key and VC in session store
[x] token introspection not compatible with multiple sets of PD/PS/VPs
[x] extend OpenID4VP to support multiple consecutive flows (request and check) (#2973)
[x] extend PEX configuration to allow for multiple flows. (#2973)
[x] send openid4vp:// url to wallet which triggers the user wallet (if multipex user type present)

woutslakhorst commented 6 months ago

1 PD per scope and send multiple scopes or 1 scope maps to multiple PDs? Current logic only supports a single scope to be sent by the RP.

woutslakhorst commented 6 months ago

An option for the verifier is to send the 2nd authorization request as a openid4vp://?request_uri= redirect in response to the post response. The openid4vp can be picked up by nuts-node and used to activate the user cloud wallet or render a QR code (because the user cloud wallet doesn't have it or the user selected to use a cross device wallet)

reinkrul commented 5 months ago

The current NutsEmployeeCredential is wrong:

We use Person/Initials, which isn't defined in the schema.org context
The context defines "schema" as @vocab which causes anything to be mapped to the schema.org context (so we don't actually use it).

We should probably introduce a new EmployeeCredential(2024?) that reads as follows:

{
  "@context": [
    "https://www.w3.org/2018/credentials/v1",
    "http://schema.org",
    {
      "nuts": "https://www.nuts.nl",
      "EmployeeCredential2024": "nuts:EmployeeCredential",
      "employee": "nuts:employee"
    }
  ],
  "credentialSubject": {
    "id": "did:jwk:employeeid",
    "employee": {
      "identifier": "1234567890",
      "name": "Titus Tester",
      "roleName": "f"
    }
  },
  "type": [
    "VerifiableCredential",
    "EmployeeCredential"
  ]
}