Open ejossev opened 1 month ago
Is there a reason why you want to combine transaction data with SIOP and not with lower-assurance EAA presentation in OpenID4VP? Sounds like you have in mind a mechanism that is neither payments nor QES, and the information in the self-issued ID Token (which is pretty much self-attested data + identifier) is enough..?
Sometimes you don't need EAAs... Just a stable ID is enough. As far as I understand, SIOPv2 is OID4VP without credentials, and that is how we use it. This way, a mobile application can use SIOP as a decentralized login to backend services (and that is all you need: to provide a stable identifier and strong authentication, without a need to manage centralized user accounts), but sometimes you really want the user to provide consent or confirm a certain transaction explicitly.
So why not still use OID4VP then? You can use it for self-asserted EAAs/credentials as well. The benefit of that is that you would still be able to leverage the credential query (PE) capabilities as an RP.
@nklomp That's something we can do, of course; I just see it as a hack to overcome a meaningless limitation...
Hi, I believe having transaction data in the SIOPv2 authentication flow, similarly to OID4VP, can greatly improve user experience. There are implementations where SIOPv2 is used as a passwordless authentication mechanism into a cloud service. However, the consent (to data processing, T&C, etc.) needs to be handled separately. This can improve the trustworthiness of such a consent, as well as improve user experience. Other possible use cases: questionnaire/form submissions where more robust data verification is required but PID is a bit too much (such as online shop orders), performing sensitive operations on a cloud service ("do you really wanna delete this account?"), etc.
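The binding the thread asks for, sketched as an added example (not code from this issue, the OpenID4VP spec, or any wallet project): the RP sends OpenID4VP-style `transaction_data` entries (base64url-encoded JSON) in a SIOPv2 request, the wallet commits to the exact strings it received by hashing them into the self-issued ID Token, and the RP checks that commitment after the usual signature and nonce checks. The claim names `transaction_data_hashes` / `transaction_data_hashes_alg` inside the ID Token are an assumption; SIOPv2 does not define them.

```python
"""Bind a SIOPv2 self-issued ID Token to OpenID4VP-style transaction_data.

Added example, not from the thread or the specs. Encoding follows OpenID4VP:
each transaction_data entry is base64url(JSON), and the holder hashes the
received base64url string as-is. The ID Token claim names used below are an
assumption for illustration only.
"""
import base64
import hashlib
import json
import secrets


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def encode_transaction_data(entry: dict) -> str:
    """RP side: one transaction_data entry, base64url(JSON) as in OpenID4VP."""
    return b64url(json.dumps(entry, separators=(",", ":"), sort_keys=True).encode())


def hash_transaction_data(encoded: str) -> str:
    """Wallet side: sha-256 over the exact base64url string received in the request."""
    return b64url(hashlib.sha256(encoded.encode("ascii")).digest())


def build_request(transaction_data: list[dict]) -> dict:
    """RP: SIOPv2 authorization request carrying the proposed transaction_data parameter."""
    return {
        "response_type": "id_token",
        "scope": "openid",
        "nonce": secrets.token_urlsafe(16),  # fresh per request; replay protection
        "transaction_data": [encode_transaction_data(e) for e in transaction_data],
    }


def build_id_token_payload(request: dict, sub: str) -> dict:
    """Wallet: self-issued ID Token payload (iss == sub) that echoes the nonce and
    commits to every transaction_data entry it showed the user for confirmation."""
    return {
        "iss": sub,
        "sub": sub,
        "nonce": request["nonce"],
        "transaction_data_hashes": [hash_transaction_data(s) for s in request["transaction_data"]],
        "transaction_data_hashes_alg": "sha-256",  # assumed claim, mirrors OpenID4VP
    }


def verify_binding(request: dict, payload: dict) -> bool:
    """RP: after verifying the JWS with the key identified by `sub`, confirm the token
    commits to exactly the transaction_data this request asked for (same order, same hashes)."""
    if payload.get("nonce") != request["nonce"]:
        return False
    if payload.get("transaction_data_hashes_alg", "sha-256") != "sha-256":
        return False
    expected = [hash_transaction_data(s) for s in request["transaction_data"]]
    return payload.get("transaction_data_hashes") == expected
```

The RP's check is over the request it actually sent, so a wallet that confirms a different or re-encoded entry (different key order, added whitespace) fails verification; JWS signature validation of the ID Token is assumed to happen before `verify_binding`.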