add an option to use credential_configuration_id in credential request #392
Conversation
Sakurann
requested review from
danielfett,
jogu,
tlodderstedt,
selfissued,
c2bo,
tplooker,
paulbastian,
awoie and
bc-pi
Co-authored-by: Joseph Heenan <[email protected]>
There was a problem hiding this comment.
My understanding from the discussion around #294 was that credential_configuration_idoption replaces the format option. I would rather replace an option than adding a third one. Apart from them, everything seems fine to me.
|
This is missing an entry for the document history |
I don't think we can do it without removing format option in authorization request |
|
discussed in the WG call, ask the ML if implementers using format + type would be against removing that option in favor of using credential_configuration_id only. and that does not necessarily mean that implementations that do not use issuer metadata are not allowed because we could say that implementations that do not use issuer metadata should define the mapping between scope (optionally), format, type and credential_configuration_id out of band. @pmhsfelix pointed out that after ID-1 we have already made a change that prohibited using format + type with RAR. |
Email sent to mailing list requesting feedback within the next week: https://lists.openid.net/pipermail/openid-specs-digital-credentials-protocols/Week-of-Mon-20240923/000455.html |
|
I think that
|
I couldn't agree more |
|
Wasn't the |
I would suggest creating a particular issue for removing the |
Good morning, @awoie For every feature/option removed there was an implementation.
The |
|
@babisRoutis @paulbastian i am repeating myself, but what you are suggesting needs to be done in conjunction with the changes to the format+type option in the authorization request and text explaining how the protocol works without issuer metadata, for example by saying that |
Looks like a good suggestion to me. Anything else that would be missing apart from clarifications that issuer metadata or similar conventions could be communicated out of band? |
|
We still need to allow some format specific parameters on authorization requests using RAR, such as:
PS. And for credential requests, when a |
|
Talked to @tlodderstedt, who said that it is better to close this PR and keep things as-is, because...
|
I don't agree on closing the PR. VCI is all about allowing wallet to place a credential request. It doesn't seem consistent that throughout the issuance process (offer, If there isn't a consensus to remove format + type from credential request, at least , we should have the alternative option to use |
What do you expect the wallet to know, when it starts the process? I would expect the wallet to know format and type of the credential the holder is looking for. That's what is being standardized not a credential configuration id. Just as an example, ISO 18013-05 defines the mDL doc type. It does not define how the credential configuration id of an OID4VCI issuer supporting this doc types is. As this is a most likely locally defined metadata identifier. And it is protocol specific. So how to cope with this situation?
What would you prefer and why? |
I think option 1 is the way to go. For an issuance process, that is initiated at issuer's site, wallet's participation begins with a credential offer (No format/type) On the other hand, for a wallet-initiated issuance, wallet should know (or could search, to a local or trusted registry of issuers, for):
Of course, holder is interested to get a specific credential type, from a trusted issuer. Few would care or even understand about formats. With these three values, wallet can "assemble" on its own a stateless credential offer as follows:
So, actually, I believe that wallet has to have always a credential offer (issuer provided or locally created) to interact with the issuer. Format/type can be used as criteria to just query issuer's metadata. With this problem solved, I find no reason to use format/type in any of the subsequent steps (authorization, authorization_details & credential request), should this PR be accepted. |
I find it ready for implementation 😄 |
… identified throughout the Issuance flow.
|
honestly, it feels weird AS returning credential_identifier in the aurhorization_details object in the token response, when AS uses scopes (and not authorization details) in the authorization request, but guess that is the least optionality. Also added a section summarizing all of the options for clarity: https://github.com/openid/OpenID4VCI/pull/392/files#diff-1f424614b35a9899813079f1b1f6218631a2aedd993368ccb89bb81a9eda0289R189 |
| `credential_configuration_id` parameter(s) or `format` and other Credential Format | ||
| specific parameter to identify requested Credential(s). In which case, | ||
| the Authorization Server MUST return `credential_identifiers` parameter | ||
| in the `authorization_details` parameter in theToken Response, |
There was a problem hiding this comment.
| in the `authorization_details` parameter in theToken Response, | |
| in the `authorization_details` parameter in the Token Response, |
| and the Wallet uses those `credential_identifier` values in the Credential Request. | ||
| - When the Wallet uses `scope` parameter in the Authorization Request, the `scope` value(s) | ||
| are used to identify requested Credential(s). In this case, Authorization Server has two two options. | ||
| If the Authorization Server supports returning top-level`credential_identifiers` parameter |
There was a problem hiding this comment.
| If the Authorization Server supports returning top-level`credential_identifiers` parameter | |
| If the Authorization Server supports returning a top-level `credential_identifiers` parameter |
| @@ -665,8 +688,11 @@ The Authorization Server might decide to authorize issuance of multiple instance | |||
|
|
|||
| In addition to the response parameters defined in [@!RFC6749], the Authorization Server MAY return the following parameters: | |||
|
|
|||
| * `authorization_details`: REQUIRED when the `authorization_details` parameter is used to request issuance of a certain Credential Configuration as defined in (#authorization-details). It MUST NOT be used otherwise. It is an array of objects, as defined in Section 7 of [@!RFC9396]. In addition to the parameters defined in (#authorization-details), this specification defines the following parameter to be used with the authorization details type `openid_credential` in the Token Response: | |||
| * `authorization_details`: REQUIRED when the `authorization_details` parameter is used to request issuance of a Credential of a certain Credential Configuration as defined in (#authorization-details). It is an array of objects, as defined in Section 7 of [@!RFC9396]. In addition to the parameters defined in (#authorization-details), this specification defines the following parameter to be used with the authorization details type `openid_credential` in the Token Response: | |||
There was a problem hiding this comment.
Some definition of what applies when the condition after "REQUIRED" is not met should be provided.
| * `credential_identifiers`: REQUIRED. Array of strings, each uniquely identifying a Credential Dataset that can be issued using the Access Token returned in this response. Each of these Credential Datasets corresponds to the same Credential Configuration in the `credential_configurations_supported` parameter of the Credential Issuer metadata. The Wallet MUST use these identifiers together with an Access Token in subsequent Credential Requests. | ||
| * `credential_identifiers`: OPTIONAL when `scope` parameter was used to request issuance of a Credential of a certain Credential Configuration. Array of strings as defined for the `credential_identifiers` parameter in the `authorization_details` parameter. |
There was a problem hiding this comment.
What if the condition after "OPTIONAL" is not met?
This reverts commit 861b305.
|
discussed on the WG call, agreed to use credential_identifiers in the authorization_details in the token response even when AS used scopes in the authotization request. |
Co-authored-by: Daniel Fett <[email protected]>
Closes one remaining item from PR #294 as agreed on May 29th 2024 call.
Closes #132
Closes #175
enables to use credential_configuration_id in the credential request.
I am increasingly in favor of dropping an option to use format + type in authorization request and credential request, and instead clarify that implementations that do not use issuer metadata should define the mapping between scope (optionally), format, type and credential_configuration_id out of band? #234 is the related issue though it proposes a different solution. (probably needs discussion with torsten on the call)
also resolves #342