openid / OpenID4VCI


forcing the Wallet to use batch endpoint #36

Closed OIDF-automation closed 1 month ago

OIDF-automation commented 1 year ago

Imported from AB/Connect bitbucket: https://bitbucket.org/openid/connect/issues/1936

Original Reporter: KristinaYasuda

What if the Wallet sent the request to the credential endpoint, but the Issuer wants the Wallet to use the Batch endpoint, not the credential endpoint? Should there be a credential error response/token error response that tells the wallet to send the request to the batch credential endpoint?

(cc @{63696ff6c383ad8421462592} )

OIDF-automation commented 1 year ago

Imported from AB/Connect bitbucket - Original Commenter: David-Luna-ForgeRock

The more spec-defined error codes the better imo. It’s a bother, but really helps resolve integration issues down the road. I think this is a suitable case for such an additional code.

OIDF-automation commented 1 year ago

Imported from AB/Connect bitbucket - Original Commenter: authlete-taka

Out of curiosity, is it something that is realistically necessary, or is it just a discussion about hypothetical possibilities?

BTW, it can be achieved by making the credential_endpoint issuer metadata OPTIONAL. The issuer that wants wallets to use the batch credential endpoint instead of the credential endpoint can indicate it by including batch_credential_endpoint and not including credential_endpoint in its metadata.

OIDF-automation commented 1 year ago

Imported from AB/Connect bitbucket - Original Commenter: KristinaYasuda

@{557058:5ac0eada-9199-4cf8-a9b7-ced6b4d483a1} support for the Credential Endpoint is mandatory for every implementation right now from the interoperability perspective. We can revisit this, but I see the benefit of an endpoint both sides can fall back to.
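The two positions above (authlete-taka's proposal to make `credential_endpoint` optional so that an issuer publishing only `batch_credential_endpoint` steers the wallet to the batch endpoint, and KristinaYasuda's point that the current spec mandates `credential_endpoint`) can be written down as a wallet-side metadata check. The following is an added example, not code from the OpenID4VCI project or from either commenter; the metadata keys are the two named in the thread, while the sample metadata documents, the `strict` flag and the `MetadataError` type are constructed for illustration:

```python
"""Wallet-side endpoint selection from OpenID4VCI issuer metadata.

Added example; not code from the OpenID4VCI project. The keys
`credential_endpoint` and `batch_credential_endpoint` are the ones named
in the issue thread. The `strict` flag, the sample metadata and the
MetadataError type are constructed here for illustration.
"""
from typing import Dict, Tuple
from urllib.parse import urlparse


class MetadataError(ValueError):
    """Raised when issuer metadata cannot be used safely."""


def _validated_https(url: str, key: str) -> str:
    """Reject endpoints that are not absolute https URLs, so a wallet never
    sends an access token or proof over plaintext or to a relative path."""
    parts = urlparse(url)
    if parts.scheme != "https" or not parts.netloc:
        raise MetadataError(f"{key} must be an absolute https URL, got {url!r}")
    return url


def select_credential_endpoint(metadata: Dict[str, str], strict: bool = True) -> Tuple[str, str]:
    """Return ("single", url) or ("batch", url).

    strict=True  : behaviour under the spec as described in the thread, where
                   credential_endpoint is mandatory; metadata without it is
                   rejected rather than silently worked around.
    strict=False : the proposal from the thread, where credential_endpoint is
                   optional and an issuer that publishes only
                   batch_credential_endpoint thereby tells the wallet to use
                   the batch endpoint.
    """
    single = metadata.get("credential_endpoint")
    batch = metadata.get("batch_credential_endpoint")

    # The single-credential endpoint is the common fallback; prefer it when present.
    if single is not None:
        return "single", _validated_https(single, "credential_endpoint")

    if strict:
        raise MetadataError(
            "credential_endpoint missing; issuer metadata is not spec-compliant"
        )

    if batch is not None:
        return "batch", _validated_https(batch, "batch_credential_endpoint")

    raise MetadataError("neither credential_endpoint nor batch_credential_endpoint present")


# Constructed sample metadata documents (issuer.example is a placeholder host).
ISSUER_BOTH = {
    "credential_endpoint": "https://issuer.example/credential",
    "batch_credential_endpoint": "https://issuer.example/batch_credential",
}
ISSUER_BATCH_ONLY = {
    "batch_credential_endpoint": "https://issuer.example/batch_credential",
}
ISSUER_PLAINTEXT = {
    "credential_endpoint": "http://issuer.example/credential",
}


def describe(metadata: Dict[str, str], strict: bool) -> str:
    """Human-readable outcome for one metadata document, used by the demo below."""
    try:
        kind, url = select_credential_endpoint(metadata, strict=strict)
        return f"use {kind} endpoint {url}"
    except MetadataError as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    for name, doc in [("both", ISSUER_BOTH), ("batch-only", ISSUER_BATCH_ONLY),
                      ("plaintext", ISSUER_PLAINTEXT)]:
        for strict in (True, False):
            print(f"{name:10s} strict={strict!s:5s} -> {describe(doc, strict)}")
```

With `strict=True` the batch-only document is rejected, which is the interop failure the thread is worried about; with `strict=False` the same document makes the wallet pick the batch endpoint without any new error code being defined. Either way a non-https endpoint is refused before a request is built.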

OIDF-automation commented 1 year ago

Imported from AB/Connect bitbucket - Original Commenter: KristinaYasuda

From what I understood, this is the issue @{63696ff6c383ad8421462592}'s team has faced.

OIDF-automation commented 1 year ago

Imported from AB/Connect bitbucket - Original Commenter: oliver-terbu

In our case, there is a tighter integration between the wallet and the issuer. In that particular example, the issuer doesn’t support the single credential endpoint, only the batch credential endpoint, and the wallet is aware of that.

To force the wallet to use batch instead of single when there is no such relationship as I explained above, I’d prefer either 1) to make the credential endpoint optional AND to require either the batch or the single credential endpoint in the metadata, OR 2) to merge the credential and batch credential endpoints into one endpoint.

OIDF-automation commented 1 year ago

Imported from AB/Connect bitbucket - Original Commenter: KristinaYasuda

> the issuer doesn’t support single credential endpoint, only the batch credential endpoint and the wallet is aware of that.

This is, technically, out of compliance with the spec, which mandates the credential endpoint.

I am not comfortable with either of the choices you propose. Making the credential endpoint optional will kill minimum interop, and merging them will overload one endpoint, which is against the original design goal.

I was thinking more along the lines of the wallet trying to use the credential endpoint and receiving a response that tells the wallet to use the batch endpoint…

jogu commented 1 month ago

https://github.com/openid/OpenID4VCI/pull/364 has removed the batch credential endpoint (now that the normal credential endpoint can issue batches of a single credential, there was no clear need for an endpoint that issued different datasets in a single request, and there were lots of unsolved problems with doing so, so the working group agreed removing it was the best way forward).

Hence closing this issue. Feel free to comment/reopen if I missed some aspect that's still applicable.