openid / SIOPv2


Transaction data also in SIOP? #24

Open ejossev opened 1 month ago

ejossev commented 1 month ago

Hi, I believe having transaction data in the SIOPv4 authentication flow, similarly to OID4VP, can greatly improve user experience. There are implementations where SIOPv2 is used as a passwordless authentication mechanism for a cloud service. However, the consent (to data processing, T&C, etc.) needs to be handled separately. This can improve the trustworthiness of such a consent, as well as improve user experience. Other possible use cases: questionnaire/form submissions, where more robust data verification is required but PID is a bit too much (such as online shop orders), performing sensitive operations on a cloud service ("do you really wanna delete this account?"), etc.

Sakurann commented 1 month ago

Is there a reason why you want to combine transaction data with SIOP and not with lower-assurance EAA presentation in OpenID4VP? Sounds like you have in mind a mechanism that is neither payments nor QES, and the information in a self-issued ID Token (which is pretty much self-attested data + an identifier) is enough?

ejossev commented 1 month ago

Sometimes you don't need EAAs... Just a stable ID is enough. As far as I understand, SIOPv2 is OID4VP without a credential, and that is how we use it. This way, a mobile application can use SIOP as a decentralized login to backend services (and that is all you need: to provide a stable identifier and strong authentication, without a need to manage centralized user accounts), but sometimes you really want the user to provide consent or confirm a certain transaction explicitly.

nklomp commented 1 month ago

So why not still use OID4VP then? You can use it for self-asserted EAAs/credentials as well. The benefit of that is that you would still be able to leverage the credential query (PE) capabilities as an RP.

ejossev commented 1 month ago

@nklomp That's something we can do, of course; I just see it as a hack to overcome a meaningless limitation...
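The thread keeps referring to the OID4VP `transaction_data` mechanism as the model for binding a consent or confirmation to an authentication. The example below is added here and is not code from the SIOPv2 project or from any participant; it shows, with the standard library only, what the RP actually checks on the way back: the RP sends each transaction-data entry as a base64url-encoded JSON string, the wallet returns a hash computed over each of those strings exactly as received, and the RP accepts only if the returned hashes cover every entry it sent. The entry `type` values, the `credential_ids` value and the sample order content are constructed for illustration; in a real deployment the hashes travel inside a signed response (the key-binding JWT in OID4VP), and that signature check is assumed to happen before `rp_verify` runs.

```python
import base64
import hashlib
import json


def b64url_encode(data: bytes) -> str:
    """base64url without padding, as used for the transaction_data strings."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def build_transaction_data(entries: list[dict]) -> list[str]:
    """RP side: serialise each entry to a base64url-encoded JSON string.

    These strings are what goes into the transaction_data request parameter;
    the wallet must hash the string itself, not a re-serialised copy.
    """
    return [
        b64url_encode(json.dumps(e, separators=(",", ":")).encode("utf-8"))
        for e in entries
    ]


def transaction_data_hash(td_string: str, alg: str = "sha-256") -> str:
    """Hash one transaction_data string; only sha-256 is supported here."""
    if alg != "sha-256":
        raise ValueError(f"unsupported transaction_data hash alg: {alg}")
    return b64url_encode(hashlib.sha256(td_string.encode("ascii")).digest())


def wallet_commit(td_strings: list[str]) -> list[str]:
    """Wallet side: after showing the decoded entries to the user for consent,
    commit to each one by returning its hash (transaction_data_hashes)."""
    return [transaction_data_hash(s) for s in td_strings]


def rp_verify(sent_td_strings: list[str], received_hashes: list[str],
              alg: str = "sha-256") -> bool:
    """RP side: accept only if the returned hashes are exactly the hashes of
    what was sent: nothing missing, nothing extra, nothing altered."""
    expected = [transaction_data_hash(s, alg) for s in sent_td_strings]
    return sorted(expected) == sorted(received_hashes)


# Constructed sample entries (hypothetical "type" values and credential id).
SAMPLE_ENTRIES = [
    {"type": "consent_to_terms", "credential_ids": ["self-issued-id"],
     "transaction_data_hashes_alg": ["sha-256"], "terms_version": "2024-06"},
    {"type": "shop_order", "credential_ids": ["self-issued-id"],
     "transaction_data_hashes_alg": ["sha-256"],
     "order_id": "ORDER-0001", "amount": "42.00", "currency": "EUR"},
]


def demo() -> tuple[bool, bool, bool]:
    """Returns (honest case accepted, altered amount rejected, dropped entry rejected)."""
    sent = build_transaction_data(SAMPLE_ENTRIES)

    # Honest wallet: hashes the strings it was given.
    honest = rp_verify(sent, wallet_commit(sent))

    # Altered content: a wallet that shows the user a different amount and
    # hashes its own re-encoding produces a hash the RP never expected.
    altered_entries = json.loads(json.dumps(SAMPLE_ENTRIES))
    altered_entries[1]["amount"] = "1.00"
    altered = rp_verify(sent, wallet_commit(build_transaction_data(altered_entries)))

    # Partial consent: only the first entry is acknowledged.
    dropped = rp_verify(sent, wallet_commit(sent)[:1])

    return honest, altered, dropped


if __name__ == "__main__":
    print(demo())
```

The point for a relying party is that the hash is taken over the opaque request string, so any difference between what the RP asked the user to confirm and what the wallet acknowledged, including a single changed field or a missing entry, fails the comparison; what the hash does not prove is who acknowledged it, which is why it must sit inside the signed part of the response.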