OID4VP profile for the W3C Digital Credentials API

diagrams/request_uri_mode_post_through_browser_api.md

@@ -0,0 +1,57 @@
+```plantuml
+@startuml
+
+autonumber
+
+participant "User" as u
+
+participant "Verifier Site" as r
+
+participant "Web Platform" as wp
+
+participant "App Platform" as ap
+
+participant "Wallet" as w
+
+u --> r : use
+activate r
+
+r -> wp: navigator.identity.get(\nprotocol="urn:openid.net:oid4vp",\nrequest="client_id,[client_id_scheme,] \nrequest_uri, request_uri_method=post, \npresentation_definition")
+
+deactivate r
+activate wp
+
+wp -> ap: forward request (\norigin="example.verifier.com",\nprotocol="urn:openid.net:oid4vp",\nrequest="client_id,[client_id_scheme,] \nrequest_uri, request_uri_method=post,\n presentation_definition")
+deactivate wp
+activate ap
+
+ap -> ap: select wallet
+ap -> u: use this wallet?
+u -> ap: confirmation
+
+ap -> w: forward request (\norigin="example.verifier.com",\nprotocol="urn:openid.net:oid4vp",\nrequest="client_id,[client_id_scheme,] \nrequest_uri, request_uri_method=post,\n presentation_definition")
+deactivate ap
+
+activate w
+w --> w: [optional. Check client_id with trust framework]
+note over r,w
+    Note that the client_id is self asserted by the verifier.However as the request was dispatched through the browser API, the user consented to forward 
+    the Verifier's request to the wallet. So even if the client_id is not trusted yet, the wallet might proceed and request the signed request object.
+end note
+w --> r: POST **request_uri** ([wallet_metadata][, wallet_nonce])
+r -> r: create and sign (and optionally encrypt) request object 
+r --> w: **signed (optionally encrypted) request object** (client_id, client_id_scheme, wallet_nonce, nonce, \npresentation_definition, state)
+w -> w: authenticate and\n authorize Verifier
+
+note over u, w: User authentication and Credential selection/confirmation
+
+w -> w: create credential presentation(s) \nassociated with nonce
+w --> ap: send response \n(vp_token(credential presentation(s)),\n presentation_submission, state)
+ap -> wp: send response \n(vp_token(credential presentation(s)),\n presentation_submission, state)
+wp -> r: send response \n(vp_token(credential presentation(s)),\n presentation_submission, state)
+r -> r: check state
+activate r
+r -> r: validate presentation \n(incl. nonce binding)
+r -> r: use presented credential 
+@enduml
+```

diagrams/request_uri_mode_post_through_browser_api.plantuml

@@ -0,0 +1,57 @@
+```plantuml
+@startuml
+
+autonumber
+
+participant "User" as u
+
+participant "Verifier Site" as r
+
+participant "Web Platform" as wp
+
+participant "App Platform" as ap
+
+participant "Wallet" as w
+
+u --> r : use
+activate r
+
+r -> wp: navigator.identity.get(\nprotocol="urn:openid.net:oid4vp",\nrequest="client_id,[client_id_scheme,] \nrequest_uri, request_uri_method=post, \npresentation_definition")
+
+deactivate r
+activate wp
+
+wp -> ap: forward request (\norigin="example.verifier.com",\nprotocol="urn:openid.net:oid4vp",\nrequest="client_id,[client_id_scheme,] \nrequest_uri, request_uri_method=post,\n presentation_definition")
+deactivate wp
+activate ap
+
+ap -> ap: select wallet
+ap -> u: use this wallet?
+u -> ap: confirmation
+
+ap -> w: forward request (\norigin="example.verifier.com",\nprotocol="urn:openid.net:oid4vp",\nrequest="client_id,[client_id_scheme,] \nrequest_uri, request_uri_method=post,\n presentation_definition")
+deactivate ap
+
+activate w
+w --> w: [optional. Check client_id with trust framework]
+note over r,w
+    Note that the client_id is self asserted by the verifier.However as the request was dispatched through the browser API, the user consented to forward 
+    the Verifier's request to the wallet. So even if the client_id is not trusted yet, the wallet might proceed and request the signed request object.
+end note
+w --> r: POST **request_uri** ([wallet_metadata][, wallet_nonce])
+r -> r: create and sign (and optionally encrypt) request object 
+r --> w: **signed (optionally encrypted) request object** (client_id, client_id_scheme, wallet_nonce, nonce, \npresentation_definition, state)
+w -> w: authenticate and\n authorize Verifier
+
+note over u, w: User authentication and Credential selection/confirmation
+
+w -> w: create credential presentation(s) \nassociated with nonce
+w --> ap: send response \n(vp_token(credential presentation(s)),\n presentation_submission, state)
+ap -> wp: send response \n(vp_token(credential presentation(s)),\n presentation_submission, state)
+wp -> r: send response \n(vp_token(credential presentation(s)),\n presentation_submission, state)
+r -> r: check state
+activate r
+r -> r: validate presentation \n(incl. nonce binding)
+r -> r: use presented credential 
+@enduml
+```

diagrams/signed_request_uri_through_browser_api.plantuml

@@ -0,0 +1,54 @@
+```plantuml
+@startuml
+
+autonumber
+
+participant "User" as u
+
+participant "Verifier Site" as r
+
+participant "Web Platform" as wp
+
+participant "App Platform" as ap
+
+participant "Wallet" as w
+
+u --> r : use
+activate r
+
+note over r,wp
+    Note that the signed request object contains the Verifier's origin.
+end note
+r -> wp: navigator.identity.get(\nprotocol="urn:openid.net:oid4vp",\nrequest="client_id,[client_id_scheme,] request")
+
+deactivate r
+activate wp
+
+wp -> ap: forward request (\norigin="example.verifier.com",\nprotocol="urn:openid.net:oid4vp",\nrequest="client_id,[client_id_scheme,] request")
+deactivate wp
+activate ap
+
+ap -> ap: select wallet
+ap -> u: use this wallet?
+u -> ap: confirmation
+
+ap -> w: forward request (\norigin="example.verifier.com",\nprotocol="urn:openid.net:oid4vp",\nrequest="client_id,[client_id_scheme,] request")
+deactivate ap
+
+activate w
+w -> w: authenticate Verifier by validating request signature (including trust chain)
+w -> w: compare origin to origin in signed request
+
+note over u, w: User authentication and Credential selection/confirmation
+
+w -> w: create and encrypt credential presentation(s) \nassociated with nonce
+w --> ap: send response \n(vp_token(credential presentation(s)),\n presentation_submission, state)
+ap -> wp: send response \n(vp_token(credential presentation(s)),\n presentation_submission, state)
+wp -> r: send response \n(vp_token(credential presentation(s)),\n presentation_submission, state)
+r -> r: decrypt response
+r -> r: check state
+activate r
+r -> r: validate presentation \n(incl. nonce binding)
+r -> r: use presented credential 
+@enduml
+```

examples/digital_credentials_api/request_value.json

@@ -0,0 +1,8 @@
+{
+    "response_type": "vp_token",
+    "nonce": "n-0S6_WzA2Mj",
+    "client_metadata": {...
+    },
+    "presentation_definition": {...
+    }
+}

examples/digital_credentials_api/response_value.json

@@ -0,0 +1,4 @@
+{
+    "presentation_submission": "...",
+    "vp_token": "..."
+}

examples/digital_credentials_api/signed_request_payload.json

@@ -0,0 +1,31 @@
+{
+  "client_id": "client.example.org",
+  "client_id_scheme": "entity_id",
+  "expected_origins": [
+    "https://origin1.example.com",
+    "https://origin2.example.com"
+  ],
+  "response_type": "vp_token",
+  "nonce": "n-0S6_WzA2Mj",
+  "client_metadata": {
+    "vp_formats": {
+      "vc+sd-jwt": {
+        "sd-jwt_alg_values": [ "PS256" ],
+        "kb-jwt_alg_values": [ "PS256" ]
+      }
+    },
+    "jwks": {
+      "keys": [
+        {
+          "kty": "EC",
+          "crv": "P-256",
+          "x": "MKBCTNIcKUSDii11ySs3526iDZ8AiTo7Tu6KPAqv7D4",
+          "y": "4Etl6SRW2YiLUrN5vfvVHuhp7x8PxltmWWlbbM4IFyM",
+          "use": "enc",
+          "kid": "1"
+        }
+      ]
+    }
+  },
+  "presentation_definition": {...}
+}