openid / OpenID4VCI


Wallet and VCI are not OAuth 2.0 Authorization Servers #156

Closed peppelinux closed 10 months ago

peppelinux commented 10 months ago

In the current specifications, it's stated that the "Wallet acts as an OAuth 2.0 Authorization Server (AS)." It could be beneficial to review the usage and context of the term AS throughout the document.

From the perspective of the Verifiable Credential Issuer (VCI) specifications, a Credential Issuer technically functions as a Resource Server (RS) that may or may not incorporate an AS, as it could depend on an external AS. This RS only requires a valid Access Token to provide the protected resources to a consumer (Client).

However, from the Verifier's viewpoint, the Wallet acts more like an identity provider, supplying verifiable data (Verifiable Credentials) about its owner on their behalf. The interactions between a Verifier and a Wallet, while conceptually similar, are technically distinct considering the flows and artifacts defined in SIOPv2 and OpenID4VP, the wallet metadata, etc. These extend, modify, and replace several aspects defined in RFC6749, resulting in similarities between the profiles that, however, may be superficial or only in appearance.

For instance, from the Verifier perspective with OpenID4VP, the flows (auth code flow, implicit, hybrid ...) or the token endpoint, something at the base of RFC6749, are now removed and not mentioned, since they are not needed. The OpenID4VC specs are actually different, even if not so far from OAuth 2.0, in a way that they can still be considered within its ecosystem, but in a specific place with specialized terms, flows, metadata ... A completely new paradigm in a completely new model; so many things, similar but different.

Side note: the resource owner of the protected resource (VCI) is the user. I love to think that the credential endpoint is something similar to the OIDC userinfo endpoint, and all this makes a VCI more similar to an OpenID Provider than to an AS, considering that OpenID deals with digital identities of persons.

If there's room for this kind of analysis, we might consider producing a PR to provide more clarity on these fundamental aspects of the roles within the ecosystem and their interactions.

This issue was born here:

Sakurann commented 10 months ago

In the current specifications, it's stated that the "Wallet acts as an OAuth 2.0 Authorization Server (AS)." It could be beneficial to review the usage and context of the term AS throughout the document.

I think this is a remainder of the text copied from openid4vp, and is merely an error.