-
Notifications
You must be signed in to change notification settings - Fork 20
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[OpenID4VP] Wallet Instance metadata discovery #28
Comments
Imported from AB/Connect bitbucket - Original Commenter: peppelinuxan alternative would be getting the request_uri with HTTP GET and including the wallet instance attestation as Authorization DPoP token and a DPoP proof as HTTP headers for the proof of possession of the wallet instance attestation. |
Imported from AB/Connect bitbucket - Original Commenter: tlodderstedtCan you pleas shed some light on why the wallet metadata must be asserted by a third party? I’m asking since metadata typically is configuration/capability data that the respective provider publishes itself. |
Imported from AB/Connect bitbucket - Original Commenter: peppelinuxThank you for asking, here some objective assumptions:
there some open points to be addressed:
the metadata can be:
regardless of the model used and the publication mechanism, this issue wants to identify the the way the metadata discovery can be done, without relying to abstract out of band or out of scope weak pointers. the proposal is to allow forwarding of the attestation/metadata to the request_uri endpoint, or the definition of a new endpoint RP side for this scope. For the first solution, related to the request_uri endpoint, it is necessary to provide a token, and the WAI is a token. let's talk about it, let's understand together how to proceed |
+1 for this. Original question:
Related discussion: POST authorization endpoint could solve the problem. In this case request_uri can be omitted. @peppelinux what you're describing is something that we covered: https://api-pilot.ebsi.eu/docs/ct/verifiable-presentation-exchange-guidelines-v3 and application of the flow is in the B2B VC exchange: https://api-pilot.ebsi.eu/docs/ct/verifiable-presentation-exchange-guidelines-v3; except that here we as for an id token, not a vp token. Flow would essentially be: at the end of the VP flow, the wallet receives the authorisation request bound to the first call - optionally, the wallet could be sent back to the authorise endpoint (with a state-bound identifier) |
Is this addressed by PR #45 that Alen linked above? |
Imported from AB/Connect bitbucket: https://bitbucket.org/openid/connect/issues/1967
Original Reporter: peppelinux
In Section 8.2 - “ 8.2. Obtaining Wallet's Metadata “ we read
at the implementation level I am looking for a solution to satisfy the following requirement:
The Relying Party must obtain the Wallet Instance metadata in the form of a verifiable attestation issued by a trusted third party (Wallet Instance Attestation issued by the Wallet Provider), before it emits the request object.
The requirement is motivated by the RP that must known the wallet instance metadata, supported algs, supported credential formats, response_types_supported, request_object_signing_alg_values_supported.
considering that RFC8414 should not be applied, since it would force the wallet provider to publish the wallet instance metadata (or wallet instance attestation).
considering that an out of band mechanisms should be explorated, as also the strategy to pre-obtain the static wallet metadata/attestation.
in my team there is a tendency to use the request_uri endpoint as a vehicle for forwarding the wallet instance attestation, accompanied by a client_assertion that proves possession, vit HTTP POST, making the RP to issue the request object after having processed the wallet instance attestation.
This is undoubtedly non-standard, the request_uri being an protected endpoint and only consumable via HTTP GET.
I ask the working group for an idea, a vision, an alternative that can contribute to the specification or only to the satisfaction of the requirement without any improper adoption of the standards.
The text was updated successfully, but these errors were encountered: