Authorized Credental within OpenID4VP metadata using Duckle #39

Open
peppelinux opened this issue Oct 31, 2024 · 2 comments
@peppelinux
Member

peppelinux commented Oct 31, 2024

RP Entity Configuration + Subordinate Statements adding authorized data in the request

{
  "typ": "entity-statement+jwt",
  "alg": "ES256",
  "kid": "2HnoFS3YnC9tjiCaivhWnXAdNuA"
}
.
{
    "iat": 1718207217,
    "exp": 1749743216,
    "iss": "https://verifier.example.org",
    "sub": "https://verifier.example.org",
    "authority_hints": [
        "https://trust-anchor.example.org"
    ],
    "jwks": {
        "keys": [
            {
                "kid": "FANFS3YnC9tjiCaivhWLVUJ3AxwGGz_98uRFaqMEEs",
                "kty": "EC",
                "crv": "P-256",
                "x": "jE2RpcQbFQxKpMqehahgZv6smmXD0i/LTP2QRzMADk4",
                "y": "qkMx5iqt5PhPu5tfctS6HsP+FmLgrxfrzUV2GwMQuh8"
            }
        ]
    },
    "trust_marks": [
      {id: ... , trust_mark: $JWT}
    ],
    "metadata": {
        "federation_entity": {
            "homepage_uri": "https://verifier.example.org",
            "organization_name": "Organization Name",
            "contacts": [
                "[email protected]",
                "[email protected]"
            ],
            "tos_uri": "https://verifier.example.org/public/info_policy.html",
            "policy_uri": "https://verifier.example.org/public/privacy_policy.html",
            "logo_uri": "https://verifier.example.org/public/logo.svg"
        },
        "openid_credential_verifier": {
            "application_type": "web",
            "client_name": "Organization Name",
            "contacts": [
                "[email protected]"
            ],
            "authorization_signed_response_alg": "ES256",
            "vp_formats": {
                "vc+sd-jwt": {
                    "sd-jwt_alg_values": [
                        "ES256",
                        "ES384",
                        "ES512"
                    ]
                }
            },
            "jwks": {
                "keys": [
                    {
                        "kid": "f10aca0992694b3581f6f699bfc8a2c6cc687725",
                        "kty": "EC",
                        "crv": "P-256",
                        "x": "jE2RpcQbFQxKpMqehahgZv6smmXD0i/LTP2QRzMADk4",
                        "y": "qkMx5iqt5PhPu5tfctS6HsP+FmLgrxfrzUV2GwMQuh8"
                    }
                ]
            }
        }
    }
}

Superior's Subordinate Statement

{
  "typ": "entity-statement+jwt",
  "alg": "ES256",
  "kid": "XFW2HnoF"
}
.
{
    "iat": 1718207217,
    "exp": 1749743216,
    "iss": "https://trust-anchor.example.org",
    "sub": "https://verifier.example.org",
    "jwks": {
        "keys": [
            {
                "kid": "FANFS3YnC9tjiCaivhWLVUJ3AxwGGz_98uRFaqMEEs",
                "kty": "EC",
                "crv": "P-256",
                "x": "jE2RpcQbFQxKpMqehahgZv6smmXD0i/LTP2QRzMADk4",
                "y": "qkMx5iqt5PhPu5tfctS6HsP+FmLgrxfrzUV2GwMQuh8"
            }
        ]
    },
    "metadata": {
        "openid_credential_verifier": {
            "client_name": "RP 1",
            // Intended Usage
            "intended_usage": [{
                "loan": {
                    // Using Duckle (DCQL) in the Credential Verifier metadata
                    "id": "that_credential_id",
                    "format": "vc+sd-jwt",
                    "meta": {
                        "vct_values": [ "https://credentials.example.com/identity_credential" ]
                    },
                    "claims": [
                        {"path": ["last_name"]},
                        {"path": ["first_name"]},
                        {"path": ["address", "street_address"]}
                    ]
                },
                // end duckle
                "kyc": { ... Duckle statement }
            }]
        }
    }
}
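An added example (not code from the issue or from any OpenID project) of what a wallet-side or verifier-side validator could do with the two statements above: it lays the Subordinate Statement over the Entity Configuration and then checks whether each credential in a DCQL presentation request is covered by the `intended_usage` entry for the stated purpose. The sample payloads, the `intended_usage` shape and the purpose names are assumed from the issue's examples; signature and trust-chain validation are assumed to have happened already.

```python
"""Check that a verifier's DCQL request is covered by its federation trust chain.
Works on decoded JWT payloads (signature/trust-chain validation assumed done earlier);
metadata merge is simplified: Subordinate Statement entries override Entity Configuration ones."""
VERIFIER_MD = "openid_credential_verifier"
# Constructed sample payloads that mirror the shapes proposed in the issue.
ENTITY_CONFIG = {"iss": "https://verifier.example.org", "sub": "https://verifier.example.org",
                 "metadata": {VERIFIER_MD: {"client_name": "Organization Name"}}}
SUBORDINATE_STATEMENT = {
    "iss": "https://trust-anchor.example.org", "sub": "https://verifier.example.org",
    "metadata": {VERIFIER_MD: {"client_name": "RP 1", "intended_usage": [{
        "loan": {"id": "that_credential_id", "format": "vc+sd-jwt",
                 "meta": {"vct_values": ["https://credentials.example.com/identity_credential"]},
                 "claims": [{"path": ["last_name"]}, {"path": ["first_name"]},
                            {"path": ["address", "street_address"]}]}}]}}}

def resolve_metadata(entity_configuration: dict, subordinate_statement: dict) -> dict:
    """Merge self-asserted verifier metadata with what the superior asserts about it."""
    merged = dict(entity_configuration.get("metadata", {}).get(VERIFIER_MD, {}))
    merged.update(subordinate_statement.get("metadata", {}).get(VERIFIER_MD, {}))
    return merged

def _narrower(requested: list, authorized: list) -> bool:
    """An absent/empty list means 'anything', which only an unrestricted authorization covers."""
    if not authorized:
        return True
    return bool(requested) and set(requested) <= set(authorized)

def _covered(requested: dict, authorized: dict) -> bool:
    """A requested credential is covered when format, vct_values and claim paths stay within the entry."""
    req_paths = [tuple(c["path"]) for c in requested.get("claims", [])]
    auth_paths = [tuple(c["path"]) for c in authorized.get("claims", [])]
    return (requested.get("format") == authorized.get("format")
            and _narrower(requested.get("meta", {}).get("vct_values", []),
                          authorized.get("meta", {}).get("vct_values", []))
            and _narrower(req_paths, auth_paths))

def unauthorized_credentials(dcql_query: dict, purpose: str,
                             entity_configuration: dict = ENTITY_CONFIG,
                             subordinate_statement: dict = SUBORDINATE_STATEMENT) -> list:
    """Ids of requested credentials that no intended_usage entry for `purpose` covers.
    An empty list means the trust chain authorizes the whole request."""
    merged = resolve_metadata(entity_configuration, subordinate_statement)
    authorized = [u[purpose] for u in merged.get("intended_usage", []) if purpose in u]
    return [c["id"] for c in dcql_query.get("credentials", [])
            if not any(_covered(c, a) for a in authorized)]

if __name__ == "__main__":
    query = {"credentials": [{"id": "q1", "format": "vc+sd-jwt",
             "meta": {"vct_values": ["https://credentials.example.com/identity_credential"]},
             "claims": [{"path": ["last_name"]}, {"path": ["birthdate"]}]}]}
    print(unauthorized_credentials(query, "loan"))  # ['q1']: birthdate is not authorized
```

A request that omits `claims` or `vct_values` entirely is treated as asking for everything, so it is only covered by an entry that is itself unrestricted.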
@selfissued
Member

We briefly discussed this on today's OpenID Connect WG call. These examples seem reasonable. What additional explanatory text do you think should accompany them so that readers understand what's being illustrated by these examples?

@jogu

jogu commented Nov 19, 2024

We need to resolve how this works when the browser API is in use without requiring comparison of JSON (which has many of the same problems as canonicalisation of json). I don't think we should be adding things to the spec that only work when the browser API is not in use.

A solution would be to require that the necessary statements are passed in the OID4VP request by defining new parameters. I'm not sure this is the best way.

Leaving that aside, I'm also not sure how this works without the browser API - i.e. what you pass in oid4vp request.
