Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

add transaction_data #197

Merged
merged 32 commits into from
Oct 21, 2024
Merged
Show file tree
Hide file tree
Changes from 28 commits
Commits
Show all changes
32 commits
Select commit Hold shift + click to select a range
b2f69ec
add transaction_data
Jun 18, 2024
7d47e4b
add error codes
Jun 18, 2024
1f15ab3
update correct reference.
Sakurann Aug 8, 2024
76380c6
rename response parameter to tx_data_hashes
Sakurann Aug 13, 2024
351bf76
Apply editorial suggestions from code review
Sakurann Aug 22, 2024
923aabd
renaming to requested_credential_ids
Sakurann Aug 22, 2024
cc55aa3
reflect WG feedback
Sakurann Sep 11, 2024
681677f
change tx_data_hashes to transaction_data_hashes
Sakurann Sep 11, 2024
bd9b35b
fix transaction_data_hashes parameters in the kb jwt
Sakurann Sep 11, 2024
6d871c8
add transaction_data_hashes_alg
Sep 11, 2024
8e5792f
add a change log
Sep 11, 2024
dab521c
add credential being issued to be used for transaction data text
Sep 11, 2024
2e29da5
Merge branch 'main' into transaction_data
Sakurann Sep 11, 2024
0acd29a
add examples
Sep 11, 2024
159617f
Merge branch 'main' into transaction_data
Sakurann Oct 3, 2024
27d541b
Merge branch 'main' into transaction_data
Sakurann Oct 10, 2024
3672f78
clarify transaction data is not ignored when not recognized
Oct 10, 2024
9f39e70
add e.g. and Apply suggestions from code review
Sakurann Oct 10, 2024
fd86bb6
Apply suggestions from Joseph's code review
Sakurann Oct 15, 2024
4c5542d
change IANA reference
Sakurann Oct 15, 2024
98e9108
Clarify that the wallet must use only one of the credentials if there…
Sakurann Oct 15, 2024
425fa60
Apply suggestions from Christian's code review
Sakurann Oct 17, 2024
2d39362
clarify the processing rules
Sakurann Oct 18, 2024
6b3418e
IANA.Hash.Algorithms
Sakurann Oct 18, 2024
28733aa
Merge branch 'main' into transaction_data
jogu Oct 18, 2024
1d902fc
Fix compile error with vp_query ref (with Kristina's permission)
jogu Oct 18, 2024
466ba1d
Fix compile error with IANA.Hash.Algorithms reference
jogu Oct 18, 2024
352a6e8
Apply suggestions from Paul's code review
Sakurann Oct 21, 2024
be9f30b
minor nit
Sakurann Oct 21, 2024
5419a0e
add transaction data content example
Oct 21, 2024
2517679
Apply suggestions from final code review
Sakurann Oct 21, 2024
c2e593c
Remove #vp_query reference so spec compiles
jogu Oct 21, 2024
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 2 additions & 1 deletion examples/response/kb_jwt_unsecured.json
Original file line number Diff line number Diff line change
Expand Up @@ -2,5 +2,6 @@
"nonce": "n-0S6_WzA2Mj",
"aud": "https://example.com/verifier",
"iat": 1709838604,
"sd_hash": "Dy-RYwZfaaoC3inJbLslgPvMp09bH-clYP_3qbRqtW4"
"sd_hash": "Dy-RYwZfaaoC3inJbLslgPvMp09bH-clYP_3qbRqtW4",
"transaction_data_hashes": [ "fOBUSQvo46yQO-wRwXBcGqvnbKIueISEL961_Sjd4do" ]
}
57 changes: 50 additions & 7 deletions openid-4-verifiable-presentations-1_0.md
Original file line number Diff line number Diff line change
Expand Up @@ -251,6 +251,10 @@ Depending on the Client Identifier Scheme, the Verifier can communicate a JSON o

This specification enables the Verifier to send both Presentation Definition JSON object and Client Metadata JSON object by value or by reference.

Additional request parameters, other than those defined in this section, MAY be defined and used, as described in [@!RFC6749].
The Wallet MUST ignore any unrecognized parameters, other than the `transaction_data` parameter.
One exception to this rule is `transaction_data` parameter, and the wallets that do not support this parameter MUST reject requests that contain it.

## New Parameters {#new_parameters}
This specification defines the following new request parameters:

Expand All @@ -277,7 +281,16 @@ This specification defines the following new request parameters:
: OPTIONAL. A string determining the HTTP method to be used when the `request_uri` parameter is included in the same request. Two case-sensitive valid values are defined in this specification: `get` and `post`. If `request_uri_method` value is `get`, the Wallet MUST send the request to retrieve the Request Object using the HTTP GET method, i.e., as defined in [@RFC9101]. If `request_uri_method` value is `post`, a supporting Wallet MUST send the request using the HTTP POST method as detailed in (#request_uri_method_post). If the `request_uri_method` parameter is not present, the Wallet MUST process the `request_uri` parameter as defined in [@RFC9101]. Wallets not supporting the `post` method will send a GET request to the Request URI (default behavior as defined in [@RFC9101]). `request_uri_method` parameter MUST NOT be present if a `request_uri` parameter is not present.

If the Verifier set the `request_uri_method` parameter value to `post` and there is no other means to convey its capabilities to the Wallet, it SHOULD add the `client_metadata` parameter to the Authorization Request.
This enables the Wallet to assess the Verifier's capabilities, allowing it to transmit only the relevant capabilities through the `wallet_metadata` parameter in the Request URI POST request.
This enables the Wallet to assess the Verifier's capabilities, allowing it to transmit only the relevant capabilities through the `wallet_metadata` parameter in the Request URI POST request.

`transaction_data`:
Sakurann marked this conversation as resolved.
Show resolved Hide resolved
: OPTIONAL. Array of strings, where each string is a base64url encoded JSON object that contains a typed parameter set with details about the transaction that the Verifier is requesting the End-User to authorize. See (#transaction_data) for details. The Wallet MUST return an error if a request contains even one unrecognized transaction data type or transaction data not conforming to the respective type definition. Each object consists of the following parameters:
jogu marked this conversation as resolved.
Show resolved Hide resolved
Sakurann marked this conversation as resolved.
Show resolved Hide resolved

* `type`: REQUIRED. String that identifies the type of transaction data . This value determines parameters that can be included in the `transaction_data` object. The specific values are out of scope of this specification. It is RECOMMENDED to use collision-resistant names for `type` values.
* `credential_ids`: REQUIRED. Array of strings each referencing a Credential requested by the Verifier that can be used to authorize this transaction. In Presentation Exchange, the string matches the `id` field in the Input Descriptor. In Verifiable Presentation Query Language (defined in (#vp_query)), the string matches the `id` field in the Credential Query. If there is more than one element in the array, the Wallet MUST use only one of the referenced Credentials for transaction authorization.
* `transaction_data_hashes_alg`: OPTIONAL. Array of strings each representing a hash algorithm identifier, one of which MUST be used to calculate hashes in `transaction_data_hashes` response parameter. The value of the identifier MUST be a hash algorithm value from the "Hash Name String" column in the IANA "Named Information Hash Algorithm" registry [@IANA.Hash.Algorithms] or a value defined in another specification and/or profile of this specification. If this parameter is not present, a default value of `sha-256` MUST be used. To promote interoperability, implementations MUST support the sha-256 hash algorithm.

Sakurann marked this conversation as resolved.
Show resolved Hide resolved
Each document specifying details of a transaction data type defines what Credential(s) can be used to authorize those transactions. Those Credential(s) can be issued specifically for the transaction authorization use case or re-use existing Credential(s) used for user identification. A mechanism for Credential Issuers to express that a particular Credential can be used for authorization of transaction data is out of scope for this specification.

## Existing Parameters

Expand All @@ -295,10 +308,6 @@ The following additional considerations are given for pre-existing Authorization
`client_id`:
: REQUIRED. Defined in [@!RFC6749]. This specification defines additional requirements to enable the use of Client Identifier Schemes as described in (#client_metadata_management).

Additional request parameters MAY be defined and used,
as described in [@!RFC6749].
The Wallet MUST ignore any unrecognized parameters.

c2bo marked this conversation as resolved.
Show resolved Hide resolved
## Examples

The following is a non-normative example of an Authorization Request:
Expand All @@ -312,7 +321,7 @@ GET /authorize?
&nonce=n-0S6_WzA2Mj HTTP/1.1
```

The following is a non-normative example of an Authorization Request with a `request_uri_method` parameter (including the additional `client_metadata` parameter):
The following is a non-normative example of an Authorization Request with a `request_uri_method` parameter (including the additional `client_metadata`):

```
GET /authorize?
Expand Down Expand Up @@ -809,6 +818,17 @@ The following is a non-normative example of the payload of the JWT used in the e

<{{examples/response/jarm_jwt_vc_json_body.json}}

## Transaction Data {#transaction_data}

The transaction data mechanism enables a binding between the user's identification/authentication and the user’s authorization, for example to complete a payment transaction, or to sign specific document(s) using QES (Qualified Electronic Signatures). This is achieved by signing the transaction data used for user authorization with the user-controlled key used for proof of possession of the Credential being presented as a means for user identification/authentication.

The Wallet that received the `transaction_data` parameter in the request MUST include in the response a `transaction_data_hashes` parameter defined below. If the wallet does not support `transaction_data` parameter, it MUST return an error.

Where to include the`transaction_data_hashes` parameter in the response is specific to each credential format and is defined by the Credential Format Profile, such as those in (#alternative_credential_formats).

* `transaction_data_hashes`: Array of hashes, where each hash is calculated using a hash function over the strings received in the `transaction_data` request parameter. Each hash value ensures the integrity of, and maps to, the respective transaction data object. Where in the response this parameter is included is defined by each Credential Format Profile, but it has to be included in the mechanism used for the proof of possession of the Credential that is signed using the user-controlled key.
* `transaction_data_hashes_alg`: REQUIRED when this parameter was present in the `transaction_data` request parameter. String representing the hash algorithm identifier used to calculate hashes in `transaction_data_hashes` response parameter.

## Error Response {#error-response}

The error response follows the rules as defined in [@!RFC6749], with the following additional clarifications:
Expand Down Expand Up @@ -854,11 +874,21 @@ This document also defines the following additional error codes and error descri

- The value of the `request_uri_method` request parameter is neither `get` nor `post` (case-sensitive).

`invalid_transaction_data`:

- any of the following is true for at least one object in the `transaction_data` structure:
- contains an unknown or unsupported transaction data type value,
- is an object of known type but containing unknown fields,
- contains fields of the wrong type for the transaction data type,
- contains fields with invalid values for the transaction data type, or
- is missing required fields for the transaction data type.
Sakurann marked this conversation as resolved.
Show resolved Hide resolved
- the credential_ids does not match
- the referenced Credential is not available in the Wallet
Sakurann marked this conversation as resolved.
Show resolved Hide resolved

`wallet_unavailable`:

- The Wallet appears to be unavailable and therefore unable to respond to the request. It can be useful in situations where the user agent cannot invoke the Wallet and another component receives the request while the End-User wishes to continue the journey on the Verifier website. For example, this applies when using claimed HTTPS URIs handled by the Wallet provider in case the platform cannot or does not translate the URI into a platform intent to invoke the Wallet. In this case, the Wallet provider would return the Authorization Error Response to the Verifier and might redirect the user agent back to the Verifier website.


## VP Token Validation

Verifiers MUST validate the VP Token in the following manner:
Expand Down Expand Up @@ -1609,6 +1639,15 @@ issuers in Self-Sovereign Identity ecosystems using TRAIN</title>
</front>
</reference>

<reference anchor="IANA.Hash.Algorithms" target="https://www.iana.org/assignments/named-information/named-information.xhtml">
<front>
<title>Named Information Hash Algorithm Registry</title>
<author>
<organization>IANA</organization>
</author>
</front>
</reference>

# OpenID4VP profile for the W3C Digital Credentials API

This section defines a profile of OpenID4VP for use with the W3C Digital Credentials API [@!w3c.digital_credentials_api].
Expand Down Expand Up @@ -2003,6 +2042,8 @@ Setting `limit_disclosure` property defined in [@!DIF.PresentationExchange] to `

A non-normative example of the Authorization Response would look the same as in the examples of other Credential formats in this Annex.

The `transaction_data_hashes` response parameter defined in (#transaction_data) MUST be included in the Key Binding JWT as a top level claim. This means that transaction data mechanism cannot be used with SD-JWT VCs without cryptographic key binding and, therefore, do not use KB JWT.

The following is a non-normative example of the content of the `presentation_submission` parameter:

<{{examples/response/ps_sd_jwt_vc.json}}
Expand Down Expand Up @@ -2317,6 +2358,8 @@ The technology described in this specification was made available from contribut

-22


* add transaction data mechanism
* remove `client_id_scheme` and turn it into a prefix of the `client_id`; this addresses a security issue with the previous solution
* Clarified what can go in the `client_metadata` parameter
* Fixed #227: Enabled non-breaking extensibility.
Expand Down
Loading