openid / federation-wallet

Defines how to perform trust establishment for Wallet ecosystems with OpenID Federation

Authorized Credential within OpenID4VP metadata using Duckle #39

Open peppelinux opened 3 weeks ago

peppelinux commented 3 weeks ago

RP Entity Configuration + Subordinate Statements adding authorized data in the request

{
  "typ": "entity-statement+jwt",
  "alg": "ES256",
  "kid": "2HnoFS3YnC9tjiCaivhWnXAdNuA"
}
.
{
    "iat": 1718207217,
    "exp": 1749743216,
    "iss": "https://verifier.example.org",
    "sub": "https://verifier.example.org",
    "authority_hints": [
        "https://trust-anchor.example.org"
    ],
    "jwks": {
        "keys": [
            {
                "kid": "FANFS3YnC9tjiCaivhWLVUJ3AxwGGz_98uRFaqMEEs",
                "kty": "EC",
                "crv": "P-256",
                "x": "jE2RpcQbFQxKpMqehahgZv6smmXD0i/LTP2QRzMADk4",
                "y": "qkMx5iqt5PhPu5tfctS6HsP+FmLgrxfrzUV2GwMQuh8"
            }
        ]
    },
    "trust_marks": [
      {id: ... , trust_mark: $JWT}
    ],
    "metadata": {
        "federation_entity": {
            "homepage_uri": "https://verifier.example.org",
            "organization_name": "Organization Name",
            "contacts": [
                "informazioni@example.it",
                "protocollo@pec.example.it"
            ],
            "tos_uri": "https://verifier.example.org/public/info_policy.html",
            "policy_uri": "https://verifier.example.org/public/privacy_policy.html",
            "logo_uri": "https://verifier.example.org/public/logo.svg"
        },
        "openid_credential_verifier": {
            "application_type": "web",
            "client_name": "Organization Name",
            "contacts": [
                "informazioni@example.it"
            ],
            "authorization_signed_response_alg": "ES256",
            "vp_formats": {
                "vc+sd-jwt": {
                    "sd-jwt_alg_values": [
                        "ES256",
                        "ES384",
                        "ES512"
                    ]
                }
            },
            "jwks": {
                "keys": [
                    {
                        "kid": "f10aca0992694b3581f6f699bfc8a2c6cc687725",
                        "kty": "EC",
                        "crv": "P-256",
                        "x": "jE2RpcQbFQxKpMqehahgZv6smmXD0i/LTP2QRzMADk4",
                        "y": "qkMx5iqt5PhPu5tfctS6HsP+FmLgrxfrzUV2GwMQuh8"
                    }
                ]
            }
        }
    }
}

Superior's Subordinate Statement


{
  "typ": "entity-statement+jwt",
  "alg": "ES256",
  "kid": "XFW2HnoF"
}
.
{
    "iat": 1718207217,
    "exp": 1749743216,
    "iss": "https://trust-anchor.example.org",
    "sub": "https://verifier.example.org",
    "jwks": {
        "keys": [
            {
                "kid": "FANFS3YnC9tjiCaivhWLVUJ3AxwGGz_98uRFaqMEEs",
                "kty": "EC",
                "crv": "P-256",
                "x": "jE2RpcQbFQxKpMqehahgZv6smmXD0i/LTP2QRzMADk4",
                "y": "qkMx5iqt5PhPu5tfctS6HsP+FmLgrxfrzUV2GwMQuh8"
            }
        ]
    },
    "metadata": {
        "openid_credential_verifier": {
            "client_name": "RP 1",
            // Intended Usage: each entry maps a purpose label to a DCQL (Duckle) credential query
            "intended_usage": [{
                "loan": {
                    // Using Duckle (DCQL) in the Credential Verifier metadata
                    "id": "that_credential_id",
                    "format": "vc+sd-jwt",
                    "meta": {
                        "vct_values": [ "https://credentials.example.com/identity_credential" ]
                    },
                    "claims": [
                        {"path": ["last_name"]},
                        {"path": ["first_name"]},
                        {"path": ["address", "street_address"]}
                    ]
                },
                // end duckle
                "kyc": { ... Duckle statement}
            }]
        }
    }
}
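The wallet-side check that the two statements above enable, as an added example that is not code from this issue or from the federation-wallet repository: after the trust chain has been validated, the wallet merges the superior's `metadata` over the verifier's own Entity Configuration metadata, flattens `intended_usage` into a set of authorized DCQL credential queries, and then compares the `dcql_query` carried by an OpenID4VP request against them structurally (format, `vct_values`, claim paths) rather than by comparing serialized JSON. Everything here is an assumption for illustration: the rule that a superior's `metadata` parameter overrides the subordinate's value, the reading of each `intended_usage` entry as one DCQL credential query keyed by a purpose label, the function names, and the two constructed requests. It goes slightly beyond the issue's example by also handling queries that omit `claims`.

```python
"""Wallet-side check: is the DCQL query in an OpenID4VP request covered by the
intended_usage the superior authorised for this verifier?

Constructed example, not code from the issue or the federation-wallet repo.
Assumptions: the trust chain (Entity Configuration + Subordinate Statement)
has already been signature-checked; a `metadata` parameter set by the
superior overrides the subordinate's own value for the same key; each
intended_usage entry maps a purpose label to one DCQL credential query.
"""
import copy
from typing import Any

# Constructed: payload claims trimmed to `metadata`, mirroring the issue's examples.
ENTITY_CONFIGURATION: dict[str, Any] = {
    "iss": "https://verifier.example.org",
    "sub": "https://verifier.example.org",
    "metadata": {"openid_credential_verifier": {
        "client_name": "Organization Name",
        "vp_formats": {"vc+sd-jwt": {"sd-jwt_alg_values": ["ES256"]}},
    }},
}
SUBORDINATE_STATEMENT: dict[str, Any] = {
    "iss": "https://trust-anchor.example.org",
    "sub": "https://verifier.example.org",
    "metadata": {"openid_credential_verifier": {
        "client_name": "RP 1",
        "intended_usage": [{"loan": {
            "id": "that_credential_id",
            "format": "vc+sd-jwt",
            "meta": {"vct_values": ["https://credentials.example.com/identity_credential"]},
            "claims": [{"path": ["last_name"]}, {"path": ["first_name"]},
                       {"path": ["address", "street_address"]}],
        }}],
    }},
}


def resolve_verifier_metadata(entity_config: dict, subordinate: dict) -> dict:
    """Merge metadata per entity type; the superior's parameters win (assumption above)."""
    resolved = copy.deepcopy(entity_config.get("metadata", {}))
    for entity_type, params in subordinate.get("metadata", {}).items():
        resolved.setdefault(entity_type, {}).update(copy.deepcopy(params))
    return resolved


def authorized_credential_queries(resolved: dict) -> dict[str, dict]:
    """Flatten intended_usage into {purpose: DCQL credential query}."""
    verifier = resolved.get("openid_credential_verifier", {})
    return {purpose: query for entry in verifier.get("intended_usage", [])
            for purpose, query in entry.items()}


def path_authorized(requested: list, authorized_paths: list[list]) -> bool:
    """A requested claim path is allowed if an authorised path equals it or is a
    prefix of it: address.street_address is narrower than address, not wider."""
    return any(requested[: len(p)] == p for p in authorized_paths)


def credential_query_covered(requested: dict, authorized: dict) -> bool:
    """Structural comparison of two DCQL credential queries, field by field,
    so no JSON canonicalisation or byte-wise comparison is involved."""
    if requested.get("format") != authorized.get("format"):
        return False
    req_vct = set(requested.get("meta", {}).get("vct_values", []))
    auth_vct = set(authorized.get("meta", {}).get("vct_values", []))
    if not req_vct or not req_vct <= auth_vct:
        return False
    auth_claims = authorized.get("claims")
    if auth_claims is None:       # DCQL: no `claims` means the whole credential,
        return True                # and the superior authorised all of it
    req_claims = requested.get("claims")
    if req_claims is None:        # request wants everything, authorisation is narrower
        return False
    auth_paths = [list(c["path"]) for c in auth_claims]
    return all(path_authorized(list(c["path"]), auth_paths) for c in req_claims)


def check_request(dcql_query: dict, authorized: dict[str, dict]) -> tuple[bool, list[str]]:
    """Every credential query in the request must be covered by at least one
    intended_usage entry. credential_sets only combine these queries and are
    not checked separately."""
    problems = []
    for cq in dcql_query.get("credentials", []):
        if not any(credential_query_covered(cq, a) for a in authorized.values()):
            problems.append(f"credential query {cq.get('id')!r} exceeds the authorised intended_usage")
    return (not problems, problems)


AUTHORIZED = authorized_credential_queries(
    resolve_verifier_metadata(ENTITY_CONFIGURATION, SUBORDINATE_STATEMENT))

# Constructed OpenID4VP `dcql_query` values as a wallet would receive them.
IDENTITY = {"vct_values": ["https://credentials.example.com/identity_credential"]}
REQUEST_WITHIN_SCOPE = {"credentials": [{"id": "pid", "format": "vc+sd-jwt", "meta": IDENTITY,
    "claims": [{"path": ["first_name"]}, {"path": ["last_name"]}]}]}
REQUEST_OUT_OF_SCOPE = {"credentials": [{"id": "pid", "format": "vc+sd-jwt", "meta": IDENTITY,
    "claims": [{"path": ["first_name"]}, {"path": ["address"]}]}]}  # whole address object

if __name__ == "__main__":
    for name, req in (("within scope", REQUEST_WITHIN_SCOPE), ("out of scope", REQUEST_OUT_OF_SCOPE)):
        ok, problems = check_request(req, AUTHORIZED)
        print(name, "->", "accepted" if ok else "rejected", problems)
```

The second request is rejected because `["address"]` would disclose the whole address object while the superior only authorised `["address", "street_address"]`; the prefix rule in `path_authorized` is what makes the comparison directional. Whether `intended_usage` should be matched this way, or how the same data reaches a wallet when the request is delivered through the browser API, is exactly what the following comments discuss.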
selfissued commented 5 days ago

We briefly discussed this on today's OpenID Connect WG call. These examples seem reasonable. What additional explanatory text do you think should accompany them so that readers understand what's being illustrated by these examples?

jogu commented 4 days ago

We need to resolve how this works when the browser API is in use without requiring comparison of JSON (which has many of the same problems as canonicalisation of JSON). I don't think we should be adding things to the spec that only work when the browser API is not in use.

A solution would be to require that the necessary statements are passed in the OID4VP request by defining new parameters. I'm not sure this is the best way.

Leaving that aside, I'm also not sure how this works without the browser API, i.e. what you pass in the OID4VP request.