openid / OpenID4VCI

68 stars 20 forks source link

Clarification on credential_identifier(s) parameter #399

Open fmarino-ipzs opened 1 month ago

fmarino-ipzs commented 1 month ago

In the latest draft (14), the parameter credential_identifier(s) was introduced.

We are somewhat confused about the relationship between credential_configuration_id and credential_identifier(s). Additionally, while credential_configuration_id is clearly mapped in the metadata of the credential issuer, we didn't understand how credential_identifier(s) is mapped within the metadata.

Probably we are missing something, could you please explain the meaning of the credential_identifier(s) parameter, the relationship with credential_configuration_id (and with scope as well), and how to use it?

jogu commented 1 month ago

Additionally, while credential_configuration_id is clearly mapped in the metadata of the credential issuer, we didn't understand how credential_identifier(s) is mapped within the metadata.

credential_identifiers are not in the meta data.

Probably we are missing something, could you please explain the meaning of the credential_identifier(s) parameter, the relationship with credential_configuration_id (and with scope as well), and how to use it?

A credential identifier represents the combination of a credential configuration and a credential data set.

To explain it another way, imagine a credential issuer is issuing passports, and the end user is authorised to hold passports for themselves and their two children.

The issuer would list a single passport in their issuer metadata, perhaps with credential_configuration_id "iso-passport".

When the end user requests "iso-password" using authorization_details they will get back 3 credential_identifers - perhaps "passport-john", "passport-cindy", "password-sarah".

They would then call the credential endpoint 3 times, one for each of "passport-john", "passport-cindy", "password-sarah".

Does that help?

fmarino-ipzs commented 1 month ago

Thank you @jogu for the clarification, now it is more clear the meaning and the scope of the parameter. I have still a couple of questions.

  1. following your example:

To explain it another way, imagine a credential issuer is issuing passports, and the end user is authorised to hold passports for themselves and their two children.

as far as I understand, you are assuming that the CI knows in advance that the user is authorised to hold passports for their children as well. A privacy preserving approach could require that the CI knows anything about the User ex ante. In some cases a CI required some other Credentials in order to authorize the User to request a specific credential_identifier. Probably, the CI should know which credential_identifier the user wants to obtain during the authorization phase.

  1. Why do you introduce a new parameter and not use the scope parameter for doing this? Is there any technical reason? It seams to me that using scope parameter in combination with credential_configuration_id could solve your use case easily, but probably I'm missing something.

thanks again for the support.

jogu commented 1 month ago

as far as I understand, you are assuming that the CI knows in advance that the user is authorised to hold passports for their children as well. A privacy preserving approach could require that the CI knows anything about the User ex ante. In some cases a CI required some other Credentials in order to authorize the User to request a specific credential_identifier. Probably, the CI should know which credential_identifier the user wants to obtain during the authorization phase.

If we stick with the passport example (and I can only really comment on the UK as that is the country I am familiar with), then yes, what you say it true - but actually this is situation in the pre-digital-credentials world as well. When you apply for the childs passport in the UK, my understanding is that it is issued to a parent, not to the child. So the issuer of passport inherently knows who is authorised to hold that child's passport, at least at the time it is issued.

But this is all really out of scope of VCI - what we know in VCI is that a user can be sent to the issuer's nominated oauth server, will have some interactions with that server, and at the end of those interactions will be granted access to 0 or more credentials belonging to 0 or more natural persons / legal entities. If the issuer only ever wants to return credentials that are directly linked to the end-user requesting them, that's a policy decision for the issuer - VCI just supports the flexibility for the issuer to make either decision.

Why do you introduce a new parameter and not use the scope parameter for doing this? Is there any technical reason? It seams to me that using scope parameter in combination with credential_configuration_id could solve your use case easily, but probably I'm missing something.

scopes are not really "per-user", and although you could definitely invent scopes that are ("passport:john", "passport:cindy" etc) it's not a great solution and this kind of unnatural/complicated use of scopes is the reason why https://datatracker.ietf.org/doc/html/rfc9396 was invented as a way to communicate this data in a structured way.

fmarino-ipzs commented 1 month ago

Given a credential type, a CI may issue

I see the benefits of having credential_identifiers for handling the first case, while the second case probably would require an authorization step. In this case the scope parameter could be for example 'children' or 'delegation'.

Regarding the first case I see 2 options:

  1. The user select one or more credential instances directly through the UI of the CI. This should be done in the authorization phase as we have the redirect.
  2. The user is informed that the CI has 1 or more credential instances at the token response with the current credential_identifiers param (btw I suggest to rename (credential_instances?) it in order to avoid confusion with credential id). In this case the UI is provided by the Wallet Instance.

I think that both options could be enabled but, in order to make able the user to clearly understand which credential instance is going to obtain the only credential identifier is not enough. We probably need some additional information such as a human readable description that the Wallet Instance could prompt to the user. WDYT?

babisRoutis commented 6 days ago

Regarding the first case I see 2 options:

1. The user select one or more credential instances directly through the UI of the CI. This should be done in the authorization phase as we have the redirect.

2. The user is informed that the CI has 1 or more credential instances at the token response with the current credential_identifiers param (btw I suggest to rename (`credential_instances`?) it in order to avoid confusion with credential id). In this case the UI is provided by the Wallet Instance.

Dear @fmarino-ipzs

IMHO, there are several business use cases where credential_identifier(s) are pertinent. I think though that only the first option is viable for such issuance flows, exactly because it allows the holder to peek specific instances, or to put it differently, to authorize the issuance of specific instances.

To my understanding there are threes ways to implement this, with the following credential offers:

  1. Using per-authorized code grant
  2. Using authorization code grant and no issuer_state
  3. Using authorization code grant and issuer_state

(1)

(2)

(3)

In summary, if you accept that a credential offer mainly conveys credential_configuration_id(s) and not credential_identifier(s), then it seems natural that the the choice of specific credential_identifiers can occur during authorization or pre-authorization.