-
Notifications
You must be signed in to change notification settings - Fork 18
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
OID4VP profile for the W3C Digital Credentials API #155
Merged
Merged
Changes from all commits
Commits
Show all changes
44 commits
Select commit
Hold shift + click to select a range
fb86e55
added sequence diagram for request uri flow
tlodderstedt e6c090a
first draft oid4vp profile for dc api
tlodderstedt 4c11ded
fixed formatting
tlodderstedt 95a4c0f
fixed typo
tlodderstedt f5ba49f
changed request to object
tlodderstedt 278c475
updated PR based on IIW discussion on 04-18
tlodderstedt 24b0573
modified JS code examples
tlodderstedt 25702e0
Update openid-4-verifiable-presentations-1_0.md
tlodderstedt 144f78b
reworked examples and added signed request sequence diagram
tlodderstedt 0cfeb87
Merge branch 'browser_api' of https://github.com/openid/OpenID4VP int…
tlodderstedt baf35c9
Apply editorial suggestions from code review
Sakurann 4a9f607
resolve merge conflict
96bf495
Apply text improvement suggestions from code review
Sakurann 8d8d9dc
response is always json
Sakurann cb18fc2
how the wallet recieves origin info is out of scope of this profile
Sakurann ec2bb01
clarify there are two types of allowed request parameters
Sakurann 40c9d11
merge remote
a264071
reference example file from the text
c85f012
remove a redundant example and extend one of the examples.
242fa62
move signed and unsigned request sections and clarify JARM and respon…
2907e60
Apply suggestions from Sam's code review
Sakurann f5f199c
merge main
4122a95
add a history entry
6d58f69
change to the request member of the API and use openid4vp instead of …
53fb19a
fix indentation
72f75c4
Apply suggestions from joseph's code review
Sakurann d89cd9c
fix request and response examples
9e583fd
move examples and clarify client_id is not allowed over the unsigned …
fbf9fe9
JSON -> JS object
ec75040
update examples
a15c41c
Apply suggestions from code review
Sakurann 35af423
dropping client_id and client_id_scheme with signed requests
Sakurann 81bfbb0
Apply suggestions from joseph's code review
Sakurann 31ef192
Merge branch 'main' into browser_api
Sakurann af88822
Apply editorial suggestions from code review
Sakurann 772f537
Apply editorial suggestions from code review
Sakurann 792010e
more editorial. combining suggestions of multiple reviewers
Sakurann 9a160de
remove a confusing expected_origins requirements
Sakurann 084f112
Apply editorial suggestions from code review
Sakurann ffe96e5
Apply editorial suggestion from code review
Sakurann cf6aa75
change urn:openid.net:oid4vp to openid4vp
Sakurann 13da249
removing "MUST contain a valid" openid4vp request
Sakurann 4dd3893
changing the error handling
Sakurann e42c69b
in the examples change urn:openid.net:oid4vp to openid4vp and add res…
Sakurann File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,57 @@ | ||
| ```plantuml | ||
| @startuml | ||
|
|
||
| autonumber | ||
|
|
||
| participant "User" as u | ||
|
|
||
| participant "Verifier Site" as r | ||
|
|
||
| participant "Web Platform" as wp | ||
|
|
||
| participant "App Platform" as ap | ||
|
|
||
| participant "Wallet" as w | ||
|
|
||
| u --> r : use | ||
| activate r | ||
|
|
||
| r -> wp: navigator.identity.get(\nprotocol="openid4vp",\nrequest="client_id,[client_id_scheme,] \nrequest_uri, request_uri_method=post, \npresentation_definition") | ||
|
|
||
| deactivate r | ||
| activate wp | ||
|
|
||
| wp -> ap: forward request (\norigin="example.verifier.com",\nprotocol="openid4vp",\nrequest="client_id,[client_id_scheme,] \nrequest_uri, request_uri_method=post,\n presentation_definition") | ||
| deactivate wp | ||
| activate ap | ||
|
|
||
| ap -> ap: match wallet | ||
| ap -> u: use this wallet? | ||
| u -> ap: confirmation | ||
|
|
||
| ap -> w: forward request (\norigin="example.verifier.com",\nprotocol="openid4vp",\nrequest="client_id,[client_id_scheme,] \nrequest_uri, request_uri_method=post,\n presentation_definition") | ||
| deactivate ap | ||
|
|
||
| activate w | ||
| w --> w: [optional. Check client_id with trust framework] | ||
| note over r,w | ||
| Note that the client_id is self asserted by the verifier.However as the request was dispatched through the browser API, the user consented to forward | ||
| the Verifier's request to the wallet. So even if the client_id is not trusted yet, the wallet might proceed and request the signed request object. | ||
| end note | ||
| w --> r: POST **request_uri** ([wallet_metadata][, wallet_nonce]) | ||
| r -> r: create and sign (and optionally encrypt) request object | ||
| r --> w: **signed (optionally encrypted) request object** (client_id, client_id_scheme, wallet_nonce, nonce, \npresentation_definition, state) | ||
| w -> w: authenticate and\n authorize Verifier | ||
|
|
||
| note over u, w: User authentication and Credential selection/confirmation | ||
|
|
||
| w -> w: create credential presentation(s) \nassociated with nonce | ||
| w --> ap: send response \n(vp_token(credential presentation(s)),\n presentation_submission, state) | ||
| ap -> wp: send response \n(vp_token(credential presentation(s)),\n presentation_submission, state) | ||
| wp -> r: send response \n(vp_token(credential presentation(s)),\n presentation_submission, state) | ||
| r -> r: check state | ||
| activate r | ||
| r -> r: validate presentation \n(incl. nonce binding) | ||
| r -> r: use presented credential | ||
| @enduml | ||
| ``` | ||
57 changes: 57 additions & 0 deletions
57
diagrams/request_uri_mode_post_through_browser_api.plantuml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,57 @@ | ||
| ```plantuml | ||
| @startuml | ||
|
|
||
| autonumber | ||
|
|
||
| participant "User" as u | ||
|
|
||
| participant "Verifier Site" as r | ||
|
|
||
| participant "Web Platform" as wp | ||
|
|
||
| participant "App Platform" as ap | ||
|
|
||
| participant "Wallet" as w | ||
|
|
||
| u --> r : use | ||
| activate r | ||
|
|
||
| r -> wp: navigator.identity.get(\nprotocol="openid4vp",\nrequest="client_id,[client_id_scheme,] \nrequest_uri, request_uri_method=post, \npresentation_definition") | ||
|
|
||
| deactivate r | ||
| activate wp | ||
|
|
||
| wp -> ap: forward request (\norigin="example.verifier.com",\nprotocol="openid4vp",\nrequest="client_id,[client_id_scheme,] \nrequest_uri, request_uri_method=post,\n presentation_definition") | ||
| deactivate wp | ||
| activate ap | ||
|
|
||
| ap -> ap: match wallet | ||
| ap -> u: use this wallet? | ||
| u -> ap: confirmation | ||
|
|
||
| ap -> w: forward request (\norigin="example.verifier.com",\nprotocol="openid4vp",\nrequest="client_id,[client_id_scheme,] \nrequest_uri, request_uri_method=post,\n presentation_definition") | ||
| deactivate ap | ||
|
|
||
| activate w | ||
| w --> w: [optional. Check client_id with trust framework] | ||
| note over r,w | ||
| Note that the client_id is self asserted by the verifier.However as the request was dispatched through the browser API, the user consented to forward | ||
| the Verifier's request to the wallet. So even if the client_id is not trusted yet, the wallet might proceed and request the signed request object. | ||
| end note | ||
| w --> r: POST **request_uri** ([wallet_metadata][, wallet_nonce]) | ||
| r -> r: create and sign (and optionally encrypt) request object | ||
| r --> w: **signed (optionally encrypted) request object** (client_id, client_id_scheme, wallet_nonce, nonce, \npresentation_definition, state) | ||
| w -> w: authenticate and\n authorize Verifier | ||
|
|
||
| note over u, w: User authentication and Credential selection/confirmation | ||
|
|
||
| w -> w: create credential presentation(s) \nassociated with nonce | ||
| w --> ap: send response \n(vp_token(credential presentation(s)),\n presentation_submission, state) | ||
| ap -> wp: send response \n(vp_token(credential presentation(s)),\n presentation_submission, state) | ||
| wp -> r: send response \n(vp_token(credential presentation(s)),\n presentation_submission, state) | ||
| r -> r: check state | ||
| activate r | ||
| r -> r: validate presentation \n(incl. nonce binding) | ||
| r -> r: use presented credential | ||
| @enduml | ||
| ``` |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,54 @@ | ||
| ```plantuml | ||
| @startuml | ||
|
|
||
| autonumber | ||
|
|
||
| participant "User" as u | ||
|
|
||
| participant "Verifier Site" as r | ||
|
|
||
| participant "Web Platform" as wp | ||
|
|
||
| participant "App Platform" as ap | ||
|
|
||
| participant "Wallet" as w | ||
|
|
||
| u --> r : use | ||
| activate r | ||
|
|
||
| note over r,wp | ||
| Note that the signed request object contains the Verifier's origin. | ||
| end note | ||
| r -> wp: navigator.identity.get(\nprotocol="openid4vp",\nrequest="client_id,[client_id_scheme,] request") | ||
|
|
||
| deactivate r | ||
| activate wp | ||
|
|
||
| wp -> ap: forward request (\norigin="example.verifier.com",\nprotocol="openid4vp",\nrequest="client_id,[client_id_scheme,] request") | ||
| deactivate wp | ||
| activate ap | ||
|
|
||
| ap -> ap: match wallet | ||
| ap -> u: use this wallet? | ||
| u -> ap: confirmation | ||
|
|
||
| ap -> w: forward request (\norigin="example.verifier.com",\nprotocol="openid4vp",\nrequest="client_id,[client_id_scheme,] request") | ||
| deactivate ap | ||
|
|
||
| activate w | ||
| w -> w: authenticate Verifier by validating request signature (including trust chain) | ||
| w -> w: compare origin to origin in signed request | ||
|
|
||
| note over u, w: User authentication and Credential selection/confirmation | ||
|
|
||
| w -> w: create and encrypt credential presentation(s) \nassociated with nonce | ||
| w --> ap: send response \n(vp_token(credential presentation(s)),\n presentation_submission, state) | ||
| ap -> wp: send response \n(vp_token(credential presentation(s)),\n presentation_submission, state) | ||
| wp -> r: send response \n(vp_token(credential presentation(s)),\n presentation_submission, state) | ||
| r -> r: decrypt response | ||
| r -> r: check state | ||
| activate r | ||
| r -> r: validate presentation \n(incl. nonce binding) | ||
| r -> r: use presented credential | ||
| @enduml | ||
| ``` |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,6 @@ | ||
| { | ||
| "response_type": "vp_token", | ||
| "nonce": "n-0S6_WzA2Mj", | ||
| "client_metadata": {...}, | ||
| "presentation_definition": {...} | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,4 @@ | ||
| { | ||
| "presentation_submission": "...", | ||
| "vp_token": "..." | ||
| } |
32 changes: 32 additions & 0 deletions
32
examples/digital_credentials_api/signed_request_payload.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,32 @@ | ||
| { | ||
Sakurann marked this conversation as resolved.
Show resolved
Hide resolved
|
||
| "client_id": "client.example.org", | ||
Sakurann marked this conversation as resolved.
Show resolved
Hide resolved
|
||
| "client_id_scheme": "entity_id", | ||
| "expected_origins": [ | ||
| "https://origin1.example.com", | ||
| "https://origin2.example.com" | ||
| ], | ||
| "response_type": "vp_token", | ||
Sakurann marked this conversation as resolved.
Show resolved
Hide resolved
|
||
| "response_mode": "w3c_dc_api.jwt", | ||
| "nonce": "n-0S6_WzA2Mj", | ||
| "client_metadata": { | ||
| "vp_formats": { | ||
| "vc+sd-jwt": { | ||
| "sd-jwt_alg_values": [ "PS256" ], | ||
| "kb-jwt_alg_values": [ "PS256" ] | ||
| } | ||
| }, | ||
| "jwks": { | ||
| "keys": [ | ||
| { | ||
| "kty": "EC", | ||
| "crv": "P-256", | ||
| "x": "MKBCTNIcKUSDii11ySs3526iDZ8AiTo7Tu6KPAqv7D4", | ||
| "y": "4Etl6SRW2YiLUrN5vfvVHuhp7x8PxltmWWlbbM4IFyM", | ||
| "use": "enc", | ||
| "kid": "1" | ||
| } | ||
| ] | ||
| } | ||
| }, | ||
| "presentation_definition": {...} | ||
| } | ||
Oops, something went wrong.
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
what happens to these files? asking for a friend
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
same question (possibly same friend!) :)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I checked this with Torsten - he would like these diagrams to be in the specification, but wasn't sure how to actually achieve that.
I've opened an issue - hopefully someone might be able to help us achieve that without any manual steps: #206