openid / OpenID4VP


JWT Handling of edge case VCs #1

Closed OIDF-automation closed 5 months ago

OIDF-automation commented 2 years ago

Imported from AB/Connect bitbucket: https://bitbucket.org/openid/connect/issues/1339

Original Reporter: dwc8

It is expected that the majority of VCs will hold attributes about a single subject and consequently have a single subject ID. When this is secured as a JWT, the subject ID is turned into the sub claim. However, there are some exceptions.

  1. Bearer VCs have no subject ID
  2. Some VCs may have two or more subject IDs e.g. a marriage certificate.

How are bearer credentials and multi-subject credentials to be converted into a JWT for inclusion in the VP? What value should the sub claim contain?

OIDF-automation commented 2 years ago

Imported from AB/Connect bitbucket - Original Commenter: dwaite40

I assume you are speaking to the sub claim within the JWT VP, and not of the id_token?

OIDF-automation commented 2 years ago

Imported from AB/Connect bitbucket - Original Commenter: dwc8

Actually I mean the sub claim in the JWT VC. But I see from RFC 7519 that the sub claim is optional. So this can deal with bearer VCs as there is no subject ID.

Would it be possible to deal with multi-subject VCs by having multiple sub claims in a JWT?

OIDF-automation commented 2 years ago

Imported from AB/Connect bitbucket - Original Commenter: dwc8

p.s. I am currently writing PRs to the W3C VC Data Model v1.1 and I can write these JWT clarifications into the W3C VC spec.

OIDF-automation commented 2 years ago

Imported from AB/Connect bitbucket - Original Commenter: mbj

Looked at on the 20-Sep-21 working group call.

OIDF-automation commented 2 years ago

Imported from AB/Connect bitbucket - Original Commenter: KristinaYasuda

I believe this issue is out of scope for OpenID Connect and should be dealt with W3C as long as it remains VC specific. If we generalize and rephrase the question to “how to support multi-subject claims and bearer claims in OIDC”, it might become in-scope.

OIDF-automation commented 2 years ago

Imported from AB/Connect bitbucket - Original Commenter: dwc8

Certainly I propose to add text to the revised VC spec to clarify these two edge cases, but I wanted to be sure that by having no sub claim or having multiple sub claims, we would not break OIDC for VPs.

awoie commented 9 months ago

The specification currently says:

The Wallet MUST link every Verifiable Presentation returned to the Verifier in the VP Token to the client_id and the nonce values of the respective Authentication Request.

The Verifier MUST validate every individual Verifiable Presentation in an Authorization Response and ensure that it is linked to the values of the client_id and the nonce parameter it had used for the respective Authorization Request.

I'm not sure if your use case is supported by the OID4VP specification. Unless the bearer VC itself contains the nonce/client_id.

awoie commented 8 months ago

potential duplicate of #6

Sakurann commented 5 months ago

Bearer VCs have no subject ID

-> duplicate of #6

Some VCs may have two or more subject IDs e.g. a marriage certificate.

It should be clear to the wallet which key(s) to use to prove possession of that credential (potentially multiple signatures for proof of possession). This is at the credential format level and not oid4vp level, and this use-case is already supported by oid4vp.
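The three situations discussed in this thread (a bearer VC with no `sub`, a single-subject VC, and a multi-subject VC such as a marriage certificate), together with the client_id/nonce binding quoted from the specification above, as an added example that is not part of this issue thread or of the OpenID4VP project's code. It assumes HS256 JWS with constructed demo keys (a real wallet and issuer would use asymmetric keys resolved from the `iss`), assumes the VP carries the nonce in a `nonce` claim and the client_id in `aud`, and assumes that the `id` values inside `credentialSubject` (a single object or an array) are the credential's subject identifiers when `sub` is absent; the thread itself leaves the multi-subject encoding open.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo keys: HMAC keeps the example dependency-free; real deployments
# use the issuer's and the holder's asymmetric keys instead.
ISSUER_KEY = b"issuer-demo-key"
HOLDER_KEY = b"holder-demo-key"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jws_sign(payload: dict, key: bytes) -> str:
    """Compact JWS (HS256) over a JSON payload."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"


def jws_verify(token: str, key: bytes) -> dict:
    """Check the signature and return the payload; raise ValueError on any failure."""
    try:
        header, body, sig = token.split(".")
    except ValueError:
        raise ValueError("malformed JWS")
    if json.loads(b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(body))


def vc_subject_ids(vc_payload: dict) -> list:
    """Subject identifiers from `sub` plus credentialSubject id(s) (assumption, see lead-in).
    An empty list means a bearer credential: RFC 7519 makes `sub` optional."""
    ids = [vc_payload["sub"]] if "sub" in vc_payload else []
    subjects = vc_payload.get("vc", {}).get("credentialSubject", [])
    if isinstance(subjects, dict):
        subjects = [subjects]
    for subject in subjects:
        sid = subject.get("id")
        if sid and sid not in ids:
            ids.append(sid)
    return ids


def validate_vp(vp_token: str, holder_key: bytes, issuer_key: bytes,
                expected_client_id: str, expected_nonce: str) -> list:
    """Verifier side: bind the VP to client_id and nonce, then classify each VC."""
    vp = jws_verify(vp_token, holder_key)
    if vp.get("aud") != expected_client_id:
        raise ValueError("VP not bound to this client_id")
    if vp.get("nonce") != expected_nonce:
        raise ValueError("VP not bound to this nonce")
    holder = vp.get("iss")
    results = []
    for vc_jwt in vp.get("vp", {}).get("verifiableCredential", []):
        ids = vc_subject_ids(jws_verify(vc_jwt, issuer_key))
        kind = "bearer" if not ids else ("single-subject" if len(ids) == 1 else "multi-subject")
        # A bearer VC is bound only through the VP's nonce/client_id; any other VC
        # must list the presenting holder among its subjects.
        if ids and holder not in ids:
            raise ValueError(f"presenter {holder} is not a subject of a {kind} credential")
        results.append({"kind": kind, "subject_ids": ids})
    return results


def build_demo_vp(nonce: str = "n-0S6_WzA2Mj", client_id: str = "https://verifier.example") -> str:
    """Wallet side: constructed sample credentials wrapped in a VP JWT for one request."""
    alice, bob = "did:example:alice", "did:example:bob"
    bearer_vc = jws_sign({"iss": "did:example:issuer",  # no `sub`: bearer
                          "vc": {"type": ["VerifiableCredential", "EventTicket"],
                                 "credentialSubject": {"seat": "12A"}}}, ISSUER_KEY)
    single_vc = jws_sign({"iss": "did:example:issuer", "sub": alice,
                          "vc": {"type": ["VerifiableCredential", "UniversityDegree"],
                                 "credentialSubject": {"id": alice, "degree": "BSc"}}}, ISSUER_KEY)
    marriage_vc = jws_sign({"iss": "did:example:registry",  # two subjects, no single `sub`
                            "vc": {"type": ["VerifiableCredential", "MarriageCertificate"],
                                   "credentialSubject": [{"id": alice}, {"id": bob}]}}, ISSUER_KEY)
    return jws_sign({"iss": alice, "aud": client_id, "nonce": nonce,
                     "vp": {"type": ["VerifiablePresentation"],
                            "verifiableCredential": [bearer_vc, single_vc, marriage_vc]}}, HOLDER_KEY)


def is_accepted(vp_token: str, client_id: str, nonce: str) -> bool:
    try:
        validate_vp(vp_token, HOLDER_KEY, ISSUER_KEY, client_id, nonce)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    token = build_demo_vp()
    for entry in validate_vp(token, HOLDER_KEY, ISSUER_KEY, "https://verifier.example", "n-0S6_WzA2Mj"):
        print(entry)
    print("replayed nonce accepted:", is_accepted(token, "https://verifier.example", "other-nonce"))
```

The bearer credential passes only because the enclosing VP is signed by the holder over the verifier's `nonce` and `client_id`; the credential itself names nobody, which is the point made in the comment quoting the specification. The multi-subject credential passes because the presenter is one of its listed subjects; a second holder (Bob) could present the same credential under his own VP signature.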