Closed woutslakhorst closed 4 months ago
The preferred way is to forward the user to a node user page (for example for starting OpenID4VP). The node should support OIDC and custom params via the initial API for development. The OIDC flow will return claims that can be used to generate a VC. When the user first goes to the node user page, the node will create a did:jwk and issue a EmployeeCred from the Organization to the did:jwk using data from OIDC ID_TOKEN. The did:jwk and credential are stored in the session store. In the OpenID4VP flow, this user wallet is also allowed to be used for matching against PEX.
This way the ephemeral did:jwk wallet can be extended to a cloud user wallet using webauthn. Development effort is significant but is most future proof.
1 PD per scope and send multiple scopes or 1 scope maps to multiple PDs? Current logic only supports a single scope to be sent by the RP.
An option for the verifier is to send the 2nd authorization request as a openid4vp://?request_uri=
redirect in response to the post response. The openid4vp
can be picked up by nuts-node and used to activate the user cloud wallet or render a QR code (because the user cloud wallet doesn't have it or the user selected to use a cross device wallet)
The current NutsEmployeeCredential
is wrong:
@vocab
which causes anything to be mapped to the schema.org context (so we don't actually use it).We should probably introduce a new EmployeeCredential(2024?)
that reads as follows:
{
"@context": [
"https://www.w3.org/2018/credentials/v1",
"http://schema.org",
{
"nuts": "https://www.nuts.nl",
"EmployeeCredential2024": "nuts:EmployeeCredential",
"employee": "nuts:employee"
}
],
"credentialSubject": {
"id": "did:jwk:employeeid",
"employee": {
"identifier": "1234567890",
"name": "Titus Tester",
"roleName": "f"
}
},
"type": [
"VerifiableCredential",
"EmployeeCredential"
]
}
For the 'old' flow a credential was created on the fly after the user clicked on OK. Any information is passed to the other side for auditing purposes. We need a new (temporary) way to transfer user information to the other side as long as there's no (Q)EAA credential in a user wallet.