Open Sakurann opened 6 months ago
I would feel more comfortable with the AS issuing the credential identifiers that can be used with the credential issuer. However since that is impossible for MSFT (and perhaps other existing OAuth deployments), adding the credential configuration id to the credential request is the second best option (even though it means to add a third option to specify the credential the wallet wants to obtain).
So I'm supporting this proposal.
I think this is generally a good change to make given the limitations of existing OAuth servers, I do wonder if we actually need to add this as a 3rd option or could remove (or at least discourage the user of) the option where format
is passed.
The parameter name should probably be credential_configuration_id which is what is used in RAR. I don't think credential_identifier should be reused because that one has a distinct meaning and purpose
Strongly agree with this.
I also think that it makes sense to replace the combination of format
parameter & some format-specific values in the credential request with credential_configuration_id
.
Whether the Credential request should contain one of (mutually exclusive) credential_configuration_id
and credential_identifier
or, alternatively, use a single credential_configuration_id
that can carry either identifiers, is perhaps a matter of taste.
Personally, I like the clarity of having two different and mutually exclusive attributes.
Yet the problem for me is not the credential request. Rather it has to do with the way the wallet becomes aware of these credential_identifiers
, if any.
Currently, credential_identifiers
are communicated via token response, in case there was an authorization request that used authorization_details
.
I find this very restrictive.
For starters, in pre-authorized code flow, it is not clear whether the token response can use authorization_details
with credential_identifiers
(there is not authorization request). If credential_identifiers
were added in the a credential offer (for pre-authorized code) then it would be straightforward to support use cases where a holder visits an issuer site and selects to issue one or more credentials of the same type.
There is rough consensus that it is a good idea to use credential_configuration_id in the credential request (tho credential_identifiers from the token andpoint are probably preferred...) so the credential request would look like this:
{ "credential_configuration_id": "org.iso.18013.5.1.mDL", "proof": { "proof_type": "cwt", "cwt": "..." } }
Currently, Credential Request has two options to specify which credential is being requested:
credential_identifier
or combination offormat
and credential format specificcredential_definition
.We (Microsoft) are currently implementing VCI and we use
scopes
and cannot returncredential_identifier
from the token endpoint (because of the limitations of a big AS we are using), but we found that the performance (especially for the wallet) is better when identifier in thecredential_configurations_supported
issuer metadata is used in the credential request instead of format/type combination: it saves from comparing the combination of format and type (that is mapped to an identifier anyway) and helps prevent errors. (I think this is also what @pmhsfelix suggested at IIW)The flow would look like:
credential_configurations_supported
issuer metadataThe parameter name should probably be
credential_configuration_id
which is what is used in RAR. I don't thinkcredential_identifier
should be reused because that one has a distinct meaning and purpose.Credential Request will look pretty simple:
(mandating to return
credential_identifier
from the token response is not an option because some ASs cannot make breaking changes and cannot returncredential_identifiers
in the Token Endpoint.)