Closed OIDF-automation closed 5 months ago
I assume you are speaking to the sub claim within the JWT VP, and not of the id_token?
Actually I mean the sub claim in the JWT VC. But I see from RFC 7519 that the sub claim is optional. So this can deal with bearer VCs as there is no subject ID.
Would it be possible to deal with multi-subject VCs by having multiple sub claims in a JWT?
p.s. I am currently writing PRs to the W3C VC Data Model v1.1 and I can write these JWT clarifications into the W3C VC spec.
Looked at on the 20-Sep-21 working group call.
I believe this issue is out of scope for OpenID Connect and should be dealt with W3C as long as it remains VC specific. If we generalize and rephrase the question to “how to support multi-subject claims and bearer claims in OIDC”, it might become in-scope.
Certainly I propose to add text to the revised VC spec to clarify these two edge cases, but I wanted to be sure that by having no sub claim or having multiple sub claims, we would not break OIDC for VPs.
The specification currently says:
The Wallet MUST link every Verifiable Presentation returned to the Verifier in the VP Token to the client_id and the nonce values of the respective Authentication Request.
The Verifier MUST validate every individual Verifiable Presentation in an Authorization Response and ensure that it is linked to the values of the client_id and the nonce parameter it had used for the respective Authorization Request.
I'm not sure if your use case is supported by the OID4VP specification, unless the bearer VC itself contains the nonce/client_id.
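The two MUST statements quoted above are what keep a presentation usable even when an embedded VC has no sub claim (bearer) or cannot have a single one (multi-subject): the binding to the request lives in the VP, not in the VC. The following is an added example, not code from the thread, the OID4VP specification or any wallet implementation. It assumes the JWT VP carries the client_id in `aud` and the request nonce in `nonce`, uses HS256 with shared secrets as a stand-in for the asymmetric holder and issuer keys a real deployment would use, and all DIDs, keys, client_id and nonce values are constructed.

```python
import base64
import hashlib
import hmac
import json

# --- minimal compact-JWS helpers (HS256 only; constructed demo, not production code) ---

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_jwt(payload: dict, key: bytes) -> str:
    """Serialize payload as a compact JWS. HS256 with a shared secret stands in for
    the asymmetric holder/issuer keys a real wallet and issuer would use."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload)
    )
    tag = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(tag)}"

def verify_jwt(token: str, key: bytes) -> dict:
    """Check the HS256 tag and return the decoded payload; raise on a bad tag."""
    head, body, tag = token.split(".")
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(tag)):
        raise ValueError("JWS signature check failed")
    return json.loads(b64url_decode(body))

# --- constructed sample material -------------------------------------------------

ISSUER_KEY = b"issuer-secret-for-demo-only"
HOLDER_KEY = b"holder-secret-for-demo-only"
CLIENT_ID = "https://verifier.example/callback"   # constructed verifier client_id
NONCE = "n-0S6_WzA2Mj"                             # constructed request nonce

# Bearer VC: no credentialSubject.id, so no sub claim (sub is OPTIONAL per RFC 7519).
BEARER_VC = sign_jwt({
    "iss": "did:example:issuer",
    "vc": {"type": ["VerifiableCredential", "EventTicket"],
           "credentialSubject": {"seat": "12A"}},
}, ISSUER_KEY)

# Multi-subject VC: credentialSubject is an array; sub is omitted because it holds one value.
MARRIAGE_VC = sign_jwt({
    "iss": "did:example:registry",
    "vc": {"type": ["VerifiableCredential", "MarriageCertificate"],
           "credentialSubject": [{"id": "did:example:alice"}, {"id": "did:example:bob"}]},
}, ISSUER_KEY)

# JWT VP: the holder binds the presentation to the request via aud (client_id) and nonce.
VP_TOKEN = sign_jwt({
    "iss": "did:example:holder",
    "aud": CLIENT_ID,
    "nonce": NONCE,
    "vp": {"type": ["VerifiablePresentation"], "verifiableCredential": [BEARER_VC, MARRIAGE_VC]},
}, HOLDER_KEY)

# --- verifier side ----------------------------------------------------------------

def subject_ids(vc_payload: dict) -> list:
    """Collect credentialSubject ids; bearer VCs yield [], multi-subject VCs yield several."""
    cs = vc_payload["vc"]["credentialSubject"]
    return [s["id"] for s in (cs if isinstance(cs, list) else [cs]) if "id" in s]

def verify_vp_token(vp_token, holder_key, issuer_key, client_id, nonce) -> dict:
    """Apply the two MUSTs quoted in the thread, then inspect each embedded VC."""
    vp = verify_jwt(vp_token, holder_key)
    if vp.get("aud") != client_id:
        raise ValueError("VP is not linked to this client_id")
    if vp.get("nonce") != nonce:
        raise ValueError("VP is not linked to this request nonce")
    credentials = []
    for vc_token in vp["vp"]["verifiableCredential"]:
        vc = verify_jwt(vc_token, issuer_key)
        ids = subject_ids(vc)
        # If sub is present it must name one of the credential subjects.
        if "sub" in vc and vc["sub"] not in ids:
            raise ValueError("sub does not match any credentialSubject.id")
        credentials.append({"sub": vc.get("sub"), "subjects": ids})
    return {"holder": vp["iss"], "credentials": credentials}

def is_bound(vp_token, holder_key, issuer_key, client_id, nonce) -> bool:
    """True only when the VP verifies and is linked to this client_id and nonce."""
    try:
        verify_vp_token(vp_token, holder_key, issuer_key, client_id, nonce)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    print(json.dumps(verify_vp_token(VP_TOKEN, HOLDER_KEY, ISSUER_KEY, CLIENT_ID, NONCE), indent=2))
```

Replaying the same VP against a different nonce or client_id fails the binding check even though every embedded VC still verifies, which is the point of putting the linkage on the presentation rather than on a per-credential sub claim.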
potential duplicate of #6
Bearer VCs have no subject ID
-> duplicate of #6
Some VCs may have two or more subject IDs e.g. a marriage certificate.
It should be clear to the wallet which key(s) to use to prove possession of that credential (potentially multiple signatures for proof of possession). This is at the credential format level and not the OID4VP level, and this use case is already supported by OID4VP.
Imported from AB/Connect bitbucket: https://bitbucket.org/openid/connect/issues/1339
Original Reporter: dwc8
It is expected that the majority of VCs will hold attributes about a single subject and consequently have a single subject ID. When this is secured as a JWT, the subject ID is turned into the sub claim. However, there are some exceptions.
How are bearer credentials and multi-subject credentials to be converted into a JWT for inclusion in the VP? What value should the sub claim contain?