diff --git a/openid-4-verifiable-presentations-1_0.md b/openid-4-verifiable-presentations-1_0.md index 3c8a0ddc..85c1956d 100644 --- a/openid-4-verifiable-presentations-1_0.md +++ b/openid-4-verifiable-presentations-1_0.md @@ -1769,7 +1769,7 @@ Note: The Key Binding JWT `nonce` claim contains the value of the `nonce` from t ## Combining this specification with SIOPv2 -This section shows how SIOP and OpenID for Verifiable Presentations can be combined to present Verifiable Credentials and pseudonymously authenticate an end-user using subject controlled key material. +This section shows how [@!SIOPv2] and OpenID for Verifiable Presentations can be combined to present Verifiable Credentials and pseudonymously authenticate an end-user using subject controlled key material. ### Request {#siop_request} @@ -1821,6 +1821,90 @@ The following is a non-normative example of the payload of a Self-Issued ID Toke Note: The `nonce` and `aud` are set to the `nonce` of the request and the Client Identifier of the Verifier, respectively, in the same way as for the Verifier, Verifiable Presentations to prevent replay. +### Conditional Credential Request Flow + +When combining OpenID for Verifiable Presentations with [@!SIOPv2], the server has the flexibility to determine whether to request credentials based on the authenticated user's context. The aforementioned flow can be modified as follows: + +1. The user initiates the authentication process with the server. +2. The server starts the [@!SIOPv2] flow and sends an Authentication Request to the user's Wallet, omitting the `presentation_definition` and `presentation_definition_uri` parameters. +3. The Wallet processes the Authentication Request and performs user authentication using the [@!SIOPv2] mechanism. +4. Upon successful authentication, the Wallet sends the Authentication Response back to the server, including the `id_token`. +5. The server validates the `id_token` and extracts the necessary information to identify the user. +6. Based on the user's identity and the server's context, the server determines whether additional credentials are required. + - If no additional credentials are needed, the server proceeds with issuing the authentication token to the user. + - If additional credentials are required, the server initiates the OpenID for Verifiable Presentations flow by sending a new Authorization Request with the `presentation_definition` or `presentation_definition_uri` parameter. +7. The Wallet processes the Authorization Request, requests the necessary presentation from the user, and sends the Authorization Response back to the server. +8. The server validates the presentation and issues the authentication token to the user. + +This flow allows the server to make an informed decision about requesting credentials based on the authenticated user's context. + +!--- +~~~ ascii-art ++------+ +----------+ +--------+ +| User | | Verifier | | Wallet | ++------+ +----------+ +--------+ + | | | + | 1. Initiate Authentication | | + |-------------------------------->| | + | | | + | | 2. Start SIOPv2 Flow | + | | (Authentication Request) | + | |----------------------------------------->| + | | | + | | | 3. Perform User + | | | Authentication + | | | (SIOPv2 Mechanism) + | | |-------+ + | | | | + | | |<------+ + | | | + | | 4. Send Authentication Response | + | | (id_token) | + | |<-----------------------------------------| + | 5. Validate id_token and | | + | identify user | | + | +-------| | + | | | | + | +------>| | + | | | + | 6. Determine if additional | | + | credentials are required | | + | +-------| | + | | | | + | +------>| | + | | | + | | 6a. If no additional credentials needed, | + | | issue access token | + | |----------------------------------------->| + | | | + | | | + | | 6b. If additional credentials required, | + | | send Authorization Request | + | | (presentation_definition or | + | | presentation_definition_uri) | + | |----------------------------------------->| + | | | + | | | 7. Process Authorization + | | | Request and request + | | | presentation from user + | | |-------+ + | | | | + |<---------------------------------------------------------------------------|-------+ + | | | + | | 7. Send Authorization Response | + | | (VP Token) | + | |<-----------------------------------------| + | | | + | 8. Validate presentation | | + | and issue access token | | + | +-------| | + | | | | + | +-------|----------------------------------------->| + | | | +~~~ +!--- +Figure: Reference Design for SIOPv2 Conditional Credential Request Flow + # IANA Considerations ## Response Types @@ -1894,6 +1978,10 @@ The technology described in this specification was made available from contribut [[ To be removed from the final specification ]] + -22 + + * added conditional credential request flow when using SIOPv2 + -21 * added references to ISO/IEC 23220 and 18013 documents