Skip to content

Commit

Permalink
add text and diagram for siopv2 conditional cred req flow
Browse files Browse the repository at this point in the history
  • Loading branch information
@decentralgabe
decentralgabe committed May 16, 2024
1 parent 9a8ac76 commit 6ca5b92
Showing 1 changed file with 89 additions and 1 deletion.
90 changes: 89 additions & 1 deletion openid-4-verifiable-presentations-1_0.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -1769,7 +1769,7 @@ Note: The Key Binding JWT `nonce` claim contains the value of the `nonce` from t

## Combining this specification with SIOPv2

This section shows how SIOP and OpenID for Verifiable Presentations can be combined to present Verifiable Credentials and pseudonymously authenticate an end-user using subject controlled key material.
This section shows how [@!SIOPv2] and OpenID for Verifiable Presentations can be combined to present Verifiable Credentials and pseudonymously authenticate an end-user using subject controlled key material.

### Request {#siop_request}

Expand Down Expand Up @@ -1821,6 +1821,90 @@ The following is a non-normative example of the payload of a Self-Issued ID Toke

Note: The `nonce` and `aud` are set to the `nonce` of the request and the Client Identifier of the Verifier, respectively, in the same way as for the Verifier, Verifiable Presentations to prevent replay.

### Conditional Credential Request Flow

When combining OpenID for Verifiable Presentations with [@!SIOPv2], the server has the flexibility to determine whether to request credentials based on the authenticated user's context. The aforementioned flow can be modified as follows:

1. The user initiates the authentication process with the server.
2. The server starts the [@!SIOPv2] flow and sends an Authentication Request to the user's Wallet, omitting the `presentation_definition` and `presentation_definition_uri` parameters.
3. The Wallet processes the Authentication Request and performs user authentication using the [@!SIOPv2] mechanism.
4. Upon successful authentication, the Wallet sends the Authentication Response back to the server, including the `id_token`.
5. The server validates the `id_token` and extracts the necessary information to identify the user.
6. Based on the user's identity and the server's context, the server determines whether additional credentials are required.
- If no additional credentials are needed, the server proceeds with issuing the authentication token to the user.
- If additional credentials are required, the server initiates the OpenID for Verifiable Presentations flow by sending a new Authorization Request with the `presentation_definition` or `presentation_definition_uri` parameter.
7. The Wallet processes the Authorization Request, requests the necessary presentation from the user, and sends the Authorization Response back to the server.
8. The server validates the presentation and issues the authentication token to the user.

This flow allows the server to make an informed decision about requesting credentials based on the authenticated user's context.

!---
~~~ ascii-art
+------+ +----------+ +--------+
| User | | Verifier | | Wallet |
+------+ +----------+ +--------+
| | |
| 1. Initiate Authentication | |
|-------------------------------->| |
| | |
| | 2. Start SIOPv2 Flow |
| | (Authentication Request) |
| |----------------------------------------->|
| | |
| | | 3. Perform User
| | | Authentication
| | | (SIOPv2 Mechanism)
| | |-------+
| | | |
| | |<------+
| | |
| | 4. Send Authentication Response |
| | (id_token) |
| |<-----------------------------------------|
| 5. Validate id_token and | |
| identify user | |
| +-------| |
| | | |
| +------>| |
| | |
| 6. Determine if additional | |
| credentials are required | |
| +-------| |
| | | |
| +------>| |
| | |
| | 6a. If no additional credentials needed, |
| | issue access token |
| |----------------------------------------->|
| | |
| | |
| | 6b. If additional credentials required, |
| | send Authorization Request |
| | (presentation_definition or |
| | presentation_definition_uri) |
| |----------------------------------------->|
| | |
| | | 7. Process Authorization
| | | Request and request
| | | presentation from user
| | |-------+
| | | |
|<---------------------------------------------------------------------------|-------+
| | |
| | 7. Send Authorization Response |
| | (VP Token) |
| |<-----------------------------------------|
| | |
| 8. Validate presentation | |
| and issue access token | |
| +-------| |
| | | |
| +-------|----------------------------------------->|
| | |
~~~
!---
Figure: Reference Design for SIOPv2 Conditional Credential Request Flow

# IANA Considerations

## Response Types
Expand Down Expand Up @@ -1894,6 +1978,10 @@ The technology described in this specification was made available from contribut

[[ To be removed from the final specification ]]

-22

* added conditional credential request flow when using SIOPv2

-21

* added references to ISO/IEC 23220 and 18013 documents
Expand Down

0 comments on commit 6ca5b92

Please sign in to comment.