WebAPI & OIDC

[advatar]

Hi

Building an app from this base. I noticed that WebAPI and OIDC has not been implemented. Do you happen to have the spec for this protocols so I can build it myself?

[davidz25]

Hi. Thanks for your email. I'm not sure we're ever going to support for 'online' in these applications (except that we may add support for it in the mDL reader part). The reason is that we don't think 'online' is good for user privacy.

As for the spec, I'm assuming you are referring to 18013-5. This is not yet an international standard (it's currently at the DIS stage) so it's not generally available and I'm not sure I'm allowed to share the draft that I have. I think you can get a copy from your national standards body.

[advatar]

Thanks, I have one draft standard PDF. I agree, traditional "online" is not very interesting. I will instead support DID-SIOP https://identity.foundation/did-siop/ for web2app use cases. The other online part I am interested in is the provisioning/issuing API which. Thought maybe that was a part of the WebAPI.

[davidz25]

FWIW, ISO 18013-5 is only concerned with standardizing/normalizing presentation, not provisioning. Currently you need to adapt the application to work with whatever provisioning system the issuer is using. Additionally, our provisioning APIs are structured to take advantage of Android-specific features such as attestation.

There's an effort in ISO/IEC JTC 1/SC 17 WG 4 to standardize provisioning (in what will be ISO 23220-3) but there's quite a lot of work left...