Closed OIDF-automation closed 1 year ago
“Credential endpoint should not care about the grant type”
SIOP call: the suggested action is to "add a text in the spec clarifying the value, without mentioning an option to send pre-auth code directly to the credential endpoint"
I think issue answered a question on why token endpoint very well, and there has been less questions on this topic. closing for now.
Imported from AB/Connect bitbucket: https://bitbucket.org/openid/connect/issues/1790
Original Reporter: KristinaYasuda
Talking to the current/potential implementors, a question, “why not send pre-authorized code directly to the Credential Endpoint?“ keeps popping up. Sure, one can design an OAuth 2.0 Token Exchange style “credential issuance“ (thought experiment here), but I strongly believe in the flexibility and extensibility that Token Endpoint brings. Below are few bullet points why - would love feedback/discussion if the WG agrees with the reasoning and if I am missing something:
Different function, different endpoint. Without Token Endpoint, Credential Endpoint will have to take care of all of the security aspects of the protocol flow (ie User authentication, Client authentication, validation of a pre-authorized code, validation of user_pin, etc.), instead of being focused on validating a proof for holder binding and issuing a credential (ie getting the user data, signing it, etc.).
increased security when Wallet needs to be accessed at the Credential Endpoint, since Access Token can be made sender-constrained and be refreshed. Pre-authorized code that can be communicated to the wallet via the means that can be intercepted, such as email, physical mail, QR code, etc. is insecure and unreliable when Access Token can be made sender-constraint, or can be refreshed using a Refresh Token. This is especially important in the following scenarios where user consent to issue multiple credentials in three scenarios is communicated via a pre-authorized code:
Credential Endpoint should not care the grant type, when issuing VCs. I might be wrong, but majority of implementations would need both authorization code grant and pre-auth code grant. Without access token in a pre-auth grant, credential endpoint would have to consume access token in authorization code grant - architecture becomes much simpler if Credential Endpoint just have to consume an access token.
I think the main point I am trying to make is that pre-authorized code is not a security token that is not suitable to protect an API (Credential Endpoint), but I might need help using correct terms…