nuts-foundation / nuts-node

The reference implementation of the Nuts specification. A decentralized identity network based on the w3c ssi concepts with practical functionality for the healthcare domain.
https://nuts-foundation.gitbook.io
GNU General Public License v3.0

IAM: client_id is assumed to be did:web DID in OpenID4VP flow #3216

Open reinkrul opened 6 days ago

reinkrul commented 6 days ago

When an auth server receives an OAuth2 Authz Code Flow request, it switches to OpenID4VP to request a presentation from the client requesting the access token. For this, it needs the AS metadata of the client, to send the OpenID4VP Authz Request to.

The metadata URL is determined by taking the client_id, which currently always is a did:web DID, converting it to a URL and then fetching the metadata from the well-known endpoint. Since we're moving towards explicitly specifying Auth Server URLs, away from assuming convertibility from the DID to a URL, this should be changed.

Options:

reinkrul commented 2 days ago

Chosen solution is to take the client_id from the initial OAuth2 Authorization Code flow, but then as a URL. This can then be used to "return to sender" OpenID4VP Authorization Requests.

client_id is currently a DID, which has to be changed to issuer URL.
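The two comments above describe the same lookup in its old and new forms: the authorization server derives the client's AS metadata URL from client_id, either by converting a did:web DID to an HTTPS URL and then appending the well-known path, or (the chosen direction) by treating client_id itself as the issuer URL. The Go snippet below is an added illustration and is not nuts-node code; the function name `ASMetadataURL`, the did:web conversion (written from the did:web method specification: `did:web:host%3Aport:seg1:seg2` maps to `https://host:port/seg1/seg2`) and the use of the RFC 8414 `/.well-known/oauth-authorization-server` location are assumptions, and the nuts-node's actual metadata endpoint may differ. Because the server will later fetch a URL built from a value the client supplied, the example refuses anything that is not a plain https issuer URL (no other scheme, no query, no fragment), which is the check a practitioner would want in front of the outbound request.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// wellKnownPath is the RFC 8414 authorization-server metadata location
// (assumption: the nuts-node may publish metadata elsewhere).
const wellKnownPath = "/.well-known/oauth-authorization-server"

// ASMetadataURL derives the AS metadata URL for a client_id that is either
// a legacy did:web DID or the plain https issuer URL the issue moves towards.
// Hypothetical helper written for this example, not the project's own API.
func ASMetadataURL(clientID string) (string, error) {
	var base *url.URL
	var err error
	if strings.HasPrefix(clientID, "did:web:") {
		base, err = didWebToURL(clientID)
	} else {
		base, err = url.Parse(clientID)
		if err == nil && (base.Scheme != "https" || base.Host == "") {
			err = fmt.Errorf("client_id must be an https URL or did:web DID: %q", clientID)
		}
	}
	if err != nil {
		return "", err
	}
	// The issuer identifier must not carry query or fragment (RFC 8414 §2);
	// rejecting them also stops a client from steering the lookup URL.
	if base.RawQuery != "" || base.Fragment != "" {
		return "", fmt.Errorf("issuer URL must not contain query or fragment: %q", clientID)
	}
	// RFC 8414: insert the well-known path between host and issuer path.
	issuerPath := strings.TrimSuffix(base.Path, "/")
	base.Path = wellKnownPath + issuerPath
	return base.String(), nil
}

// didWebToURL converts a did:web DID to the https base URL it identifies:
// the first segment is the (percent-encoded) host, remaining segments form
// the path. Only the conversion needed here is implemented.
func didWebToURL(did string) (*url.URL, error) {
	segments := strings.Split(strings.TrimPrefix(did, "did:web:"), ":")
	host, err := url.PathUnescape(segments[0]) // %3A encodes the port separator
	if err != nil || host == "" || strings.ContainsAny(host, "/?#@ ") {
		return nil, fmt.Errorf("invalid did:web host in %q", did)
	}
	var pathParts []string
	for _, seg := range segments[1:] {
		part, err := url.PathUnescape(seg)
		if err != nil || part == "" || strings.ContainsAny(part, "/?#") {
			return nil, fmt.Errorf("invalid did:web path segment in %q", did)
		}
		pathParts = append(pathParts, part)
	}
	u := &url.URL{Scheme: "https", Host: host, Path: "/" + strings.Join(pathParts, "/")}
	if len(pathParts) == 0 {
		u.Path = ""
	}
	return u, nil
}

func main() {
	// Constructed sample client_ids covering both forms and two rejected inputs.
	for _, id := range []string{
		"did:web:example.com:iam:alice",
		"https://auth.example.com/iam/alice",
		"http://auth.example.com",
		"https://auth.example.com/?redirect=evil",
	} {
		u, err := ASMetadataURL(id)
		fmt.Printf("%-45s -> %s %v\n", id, u, err)
	}
}
```

The did:web branch exists only to show what the server currently does; once client_id is always an issuer URL, that branch and the assumption of DID-to-URL convertibility can be dropped, leaving the https-only check as the validation in front of the metadata fetch.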