...

Standards and supported versions

Standard | Acronym(s) | Version | Reference
OpenID for Verifiable Presentations | OpenID4VP | draft 20 | https://openid.net/specs/openid-4-verifiable-presentations-1_0-20.html
Presentation Exchange | | 2.0.0 | https://identity.foundation/presentation-exchange/spec/v2.0.0/
did:web method | | | https://w3c-ccg.github.io/did-method-web/
JWT Secured Authorization Response Mode for OAuth 2.0 | JARM | | https://openid.net/specs/oauth-v2-jarm-final.html
Selective Disclosure for JWTs | SD-JWT | draft 05 | https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-05.html
Self-Issued OpenID Provider v2 | SIOPv2 | Not supported | https://openid.net/specs/openid-connect-self-issued-v2-1_0-12.html

Implementation profile

This section gives an overview of the EUDIW Demo implementation profile: it details the technical choices that have been selected and incorporated into the implementation, and it addresses the optional requirements specified in the OpenID4VP specification.

...

[draw.io diagram: authentication_sequence]


1. User initiates the authentication sequence from the Verifier web site.

2. Verifier starts the authentication and creates:

  • an authentication transaction
  • an authentication request (Wallet Invocation URL) that uses the openid4vp:// authorization endpoint and carries the following parameters:
    • client_id: the Verifier's did:web identifier
    • client_id_scheme: did
    • request_uri: a URI, tied to the authentication transaction, from which the EUDIW Demo application fetches the JWT-Secured Authorization Request (JAR)

  Example: Wallet Invocation URL

3. Verifier forwards the authentication request to the EUDIW Demo application by

  • presenting the Wallet Invocation URL to the user as a QR code, or
  • redirecting the browser to the Wallet Invocation URL

4. EUDIW Demo application receives the Wallet Invocation

  • as a URL redirection after the QR code is scanned with the device camera,
  • as a redirection from the browser, or
  • by scanning the QR code with the in-app QR code scanner

5. EUDIW Demo application reads the parameters of the Wallet Invocation.

6. EUDIW Demo application performs a did:web read operation on the client_id parameter and receives the DID document from the Verifier.

  client_id: did:web:example.com => GET https://example.com/.well-known/did.json

  Example: DID document

7. EUDIW Demo application validates the DID document. The id of the DID document must equal the client_id of the Wallet Invocation.

8. EUDIW Demo application sends an HTTP GET request to the URI given in request_uri to fetch the JWT-Secured Authorization Request (JAR). Verifier responds with the JAR.

  Example: JWT-Secured Authorization Request (JAR)

9. EUDIW Demo application verifies the JAR signature against the verification method published in the Verifier's DID document obtained in step 6.

10. EUDIW Demo application presents the authentication request, with its details and the Verifier info, to the user. User accepts the authentication request.

11. EUDIW Demo application evaluates presentation_definition and assembles, from the user's credentials, the presentation that will form the vp_token.

  If presentation_definition cannot be satisfied, the authentication flow ends in an error indicating that the credentials are insufficient.

12. EUDIW Demo application presents the requested credentials to the user. User accepts sending the credentials.

13. EUDIW Demo application creates

  • vp_token: an SD-JWT presentation consisting of the issuer-signed SD-JWT, the matched disclosures and a Key Binding JWT (KB-JWT) signed with the holder's key
  • presentation_submission: the mapping from the input descriptors of presentation_definition to the vp_token

  and from them the Authorization Response (JARM payload) containing:

  • vp_token
  • presentation_submission
  • state

  Example: Authorization Response

14. EUDIW Demo application encrypts the Authorization Response into a JWE.

  Example: JWE

15. EUDIW Demo application sends the Authorization Response to the Verifier as specified by the response_mode claim of the JAR payload.

  Currently only direct_post.jwt is supported, so the response is sent as an HTTPS POST to response_uri.

16. Verifier validates the received response.

17. Verifier responds with a redirect_uri containing a response_code generated by the Verifier.

18. EUDIW Demo application opens the received redirect_uri in a new browser session.

19. The page at redirect_uri shows a confirmation request: the user is asked to verify the session, to mitigate possible session fixation attacks.

20. After the user confirms, the response_code is posted from the browser to the Verifier.

21. Verifier validates the received response_code.

22. Verifier performs its custom authentication functionality as needed.
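
The wallet-side checks of steps 5 to 9, written here as an added Go example (it is not code from the EUDIW Demo application or from the Verifier). It parses the Wallet Invocation URL, resolves the did:web client_id to the DID document URL (including the path form the did:web method defines, which the table above shows only for a bare host), requires the DID document id to equal client_id, fetches the JAR and verifies its signature only with a verification method that the resolved document binds to the kid named in the JWS header, and then checks the claims this profile requires: client_id equal to the invocation's, client_id_scheme did, response_mode direct_post.jwt with response_uri and nonce present, and no redirect_uri. The Verifier side is a constructed in-memory stand-in: the host verifier.example, the request URI path /request/<txID>, the key id #key-1, the minimal JAR claim set and the fetch function that replaces HTTPS GET are assumptions, and of the algorithms in the wallet metadata only ES256 is implemented.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"net/url"
	"strings"
)

// JWK coordinates and the ES256 signature halves R and S are fixed-width 32-byte big-endian values.
var b64 = base64.RawURLEncoding
func be32(n *big.Int) []byte     { return n.FillBytes(make([]byte, 32)) }
func b64ToInt(s string) *big.Int { b, _ := b64.DecodeString(s); return new(big.Int).SetBytes(b) }
func sha256sum(s string) []byte  { d := sha256.Sum256([]byte(s)); return d[:] }

// didWebToURL: did:web:example.com -> https://example.com/.well-known/did.json; did:web:host:a:b -> https://host/a/b/did.json ("%3A" encodes a port).
func didWebToURL(did string) (string, error) {
	parts := strings.Split(strings.TrimPrefix(did, "did:web:"), ":")
	host, err := url.PathUnescape(parts[0])
	if !strings.HasPrefix(did, "did:web:") || err != nil || host == "" {
		return "", fmt.Errorf("invalid did:web identifier %q", did)
	}
	if len(parts) == 1 {
		return "https://" + host + "/.well-known/did.json", nil
	}
	return "https://" + host + "/" + strings.Join(parts[1:], "/") + "/did.json", nil
}

// publishVerifier is the Verifier's side of step 2, in memory for this example: it returns the Wallet Invocation URL and a fetch func standing in for HTTPS GET.
func publishVerifier(host, txID, nonce string) (string, func(string) ([]byte, error)) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	did, kid, requestURI := "did:web:"+host, "did:web:"+host+"#key-1", "https://"+host+"/request/"+txID
	doc := fmt.Sprintf(`{"id":%q,"verificationMethod":[{"id":%q,"type":"JsonWebKey2020","controller":%q,"publicKeyJwk":`+
		`{"kty":"EC","crv":"P-256","x":%q,"y":%q}}]}`, did, kid, did, b64.EncodeToString(be32(key.X)), b64.EncodeToString(be32(key.Y)))
	header := fmt.Sprintf(`{"alg":"ES256","typ":"oauth-authz-req+jwt","kid":%q}`, kid) // kid names a DID verification method
	claims := fmt.Sprintf(`{"client_id":%q,"client_id_scheme":"did","response_mode":"direct_post.jwt",`+
		`"response_uri":"https://%s/response","nonce":%q,"state":%q}`, did, host, nonce, txID)
	input := b64.EncodeToString([]byte(header)) + "." + b64.EncodeToString([]byte(claims))
	r, s, _ := ecdsa.Sign(rand.Reader, key, sha256sum(input)) // ES256: ECDSA P-256 over SHA-256, encoded as R||S
	site := map[string][]byte{"https://" + host + "/.well-known/did.json": []byte(doc),
		requestURI: []byte(input + "." + b64.EncodeToString(append(be32(r), be32(s)...)))}
	q := url.Values{"client_id": {did}, "client_id_scheme": {"did"}, "request_uri": {requestURI}}
	return "openid4vp://?" + q.Encode(), func(u string) ([]byte, error) {
		if body, ok := site[u]; ok {
			return body, nil
		}
		return nil, fmt.Errorf("404 %s", u)
	}
}

// walletHandleInvocation does steps 5-9: parse the invocation, resolve did:web, check the DID document id, fetch the JAR, verify it with the kid's key, check the claims.
func walletHandleInvocation(invocation string, fetch func(string) ([]byte, error)) (map[string]any, error) {
	q, err := url.ParseQuery(strings.TrimPrefix(invocation, "openid4vp://?"))
	clientID, requestURI := q.Get("client_id"), q.Get("request_uri")
	if err != nil || !strings.HasPrefix(invocation, "openid4vp://?") || q.Get("client_id_scheme") != "did" || clientID == "" || requestURI == "" {
		return nil, fmt.Errorf("invocation must be openid4vp:// with client_id, client_id_scheme=did and request_uri")
	}
	var doc struct{ ID string; VerificationMethod []struct{ ID, Controller string; PublicKeyJwk map[string]string } } // JSON keys match case-insensitively
	docURL, err := didWebToURL(clientID)
	body, ferr := fetch(docURL)
	if err != nil || ferr != nil || json.Unmarshal(body, &doc) != nil || doc.ID != clientID {
		return nil, fmt.Errorf("no valid DID document for %s (its id must equal client_id)", clientID)
	}
	jar, err := fetch(requestURI)
	parts := strings.Split(string(jar), ".")
	var hdr struct{ Alg, Kid string }
	if hdrRaw, _ := b64.DecodeString(parts[0]); err != nil || len(parts) != 3 || json.Unmarshal(hdrRaw, &hdr) != nil || hdr.Alg != "ES256" {
		return nil, fmt.Errorf("no usable JAR at %s (this example implements ES256 only)", requestURI)
	}
	var pub *ecdsa.PublicKey // accept only a key the resolved DID document binds to this controller under kid
	for _, vm := range doc.VerificationMethod {
		if vm.ID == hdr.Kid && vm.Controller == clientID && vm.PublicKeyJwk["crv"] == "P-256" {
			pub = &ecdsa.PublicKey{Curve: elliptic.P256(), X: b64ToInt(vm.PublicKeyJwk["x"]), Y: b64ToInt(vm.PublicKeyJwk["y"])}
		}
	}
	if sig, _ := b64.DecodeString(parts[2]); pub == nil || len(sig) != 64 ||
		!ecdsa.Verify(pub, sha256sum(parts[0]+"."+parts[1]), new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return nil, fmt.Errorf("JAR signature invalid or kid %q not in DID document", hdr.Kid)
	}
	var claims map[string]any
	if payload, _ := b64.DecodeString(parts[1]); json.Unmarshal(payload, &claims) != nil {
		return nil, fmt.Errorf("JAR payload is not JSON")
	}
	if _, hasRedirect := claims["redirect_uri"]; hasRedirect || claims["client_id"] != clientID || claims["client_id_scheme"] != "did" ||
		claims["response_mode"] != "direct_post.jwt" || claims["response_uri"] == nil || claims["nonce"] == nil {
		return nil, fmt.Errorf("JAR claims do not match the invocation or this profile (redirect_uri is forbidden)")
	}
	return claims, nil
}

func main() { fmt.Println(walletHandleInvocation(publishVerifier("verifier.example", "tx-1", "nonce-1"))) }
```

The order of the checks matters: the DID document is resolved from the client_id in the invocation, not from anything inside the JAR, and the signing key is accepted only if that document lists it under the kid with the same controller, so a JAR signed by another party's key, or one whose client_id claim differs from the invocation, is rejected before its claims are used.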


Wallet Metadata (Authorization Server Metadata, ASM)

...

Static OAuth 2.0 Authorization Server Metadata (JSON):

{
  "authorization_endpoint": "openid4vp://",
  "client_id_schemes_supported": [
    "did"
  ],
  "request_object_signing_alg_values_supported": [
    "ES384",
    "ES256",
    "PS512",
    "PS384",
    "PS256"
  ],
  "response_types_supported": [
    "vp_token"
  ],
  "response_modes_supported": [
    "direct_post.jwt"
  ],
  "scopes_supported": [
    "openid"
  ],
  "presentation_definition_uri_supported": false,
  "vp_formats_supported": {
    "sd_jwt": {
      "alg_values_supported": [
        "ES384"
      ]
    },
    "hb_jwt": {
      "alg_values_supported": [
        "ES256"
      ]
    }
  },
  "authorization_signing_alg_values_supported": [],
  "authorization_encryption_alg_values_supported": [
    "ECDH-ES"
  ],
  "authorization_encryption_enc_values_supported": [
    "A256CBC-HS512"
  ]
}

Notes on the values above:

  • The openid scope is unused; it is listed because it is reserved for SIOPv2.
  • authorization_signing_alg_values_supported is empty because the JARM Authorization Response is not signed, only encrypted.


Changelog

Version | Date | Changes
1 | 2023-10-18 | First published version
2 | 2024-04-05 | Document updated to follow the OpenID4VP draft 20 implementation.

Notable changes in implementation (version 2):

  • Added the client_id_scheme parameter and its required value
  • Changed to use the response_uri parameter
  • Use of the redirect_uri Authorization Request parameter with response_mode direct_post.jwt is now forbidden
  • Changed the format of the Presentation Submission descriptor_map[].path values to $
  • Verifier may return a redirect_uri from response_uri to mitigate session fixation attacks. Upon receiving a redirect_uri from response_uri, the EUDIW Demo application opens it in the browser using platform APIs.
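
The response_code handling of steps 16 to 21 of the authentication sequence and the session fixation mitigation named in the changelog above, as an added Go example (it is not the Verifier's own code). A presentation received at response_uri is bound to its transaction by state but authenticates no browser session; a random, short-lived, single-use response_code is minted and returned in redirect_uri, and only the browser session that posts that code after the user's confirmation becomes authenticated, so the session that merely displayed the QR code never does. The redirect_uri format (a response_code query parameter on https://verifier.example/confirm), the two-minute code lifetime and the holder string standing in for the validated vp_token are assumptions of this example; the JWE decryption and vp_token validation of step 16 are not shown.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
	"sync"
	"time"
)

// transaction is one authentication transaction created in step 2. A validated presentation (step 16)
// is recorded against it, but nobody is logged in until its response_code is redeemed (step 21).
type transaction struct {
	holder       string    // subject of the validated vp_token; stands in for the real verification result
	responseCode string    // minted in step 17, single use
	expires      time.Time // codes are short-lived
	redeemed     bool
}

// verifier keeps transactions by state and outstanding codes by value; sessions maps an
// authenticated browser session id to the holder it is logged in as.
type verifier struct {
	mu       sync.Mutex
	now      func() time.Time
	codeTTL  time.Duration
	txs      map[string]*transaction
	codes    map[string]*transaction
	sessions map[string]string
}

func newVerifier(now func() time.Time) *verifier {
	return &verifier{now: now, codeTTL: 2 * time.Minute, txs: map[string]*transaction{},
		codes: map[string]*transaction{}, sessions: map[string]string{}}
}

func randomToken() string {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return base64.RawURLEncoding.EncodeToString(b)
}

// startTransaction (step 2) returns the state value the Verifier places in the JAR. The browser
// session that displays the QR code is deliberately not recorded: it gains nothing from this step.
func (v *verifier) startTransaction() string {
	v.mu.Lock()
	defer v.mu.Unlock()
	state := randomToken()
	v.txs[state] = &transaction{}
	return state
}

// acceptResponse covers steps 16-17 after the JARM response was decrypted and its vp_token and
// presentation_submission validated (not shown): the result is bound to the transaction named by
// state, a one-time response_code is minted and the redirect_uri returned to the wallet carries it.
func (v *verifier) acceptResponse(state, holder string) (string, error) {
	v.mu.Lock()
	defer v.mu.Unlock()
	tx := v.txs[state]
	if tx == nil || tx.responseCode != "" {
		return "", errors.New("unknown state, or a response was already received for it")
	}
	tx.holder, tx.responseCode, tx.expires = holder, randomToken(), v.now().Add(v.codeTTL)
	v.codes[tx.responseCode] = tx
	// Carrying the code as a query parameter of redirect_uri is an assumption of this example.
	return "https://verifier.example/confirm?response_code=" + url.QueryEscape(tx.responseCode), nil
}

// redeemCode covers steps 20-21: after the user confirms in the browser the wallet opened, that
// browser posts the response_code. The code must be known, unexpired and unused, and the posting
// session is the one that becomes authenticated; a session that only displayed the QR code never is.
func (v *verifier) redeemCode(code, browserSession string) (string, error) {
	v.mu.Lock()
	defer v.mu.Unlock()
	tx := v.codes[code]
	switch {
	case tx == nil:
		return "", errors.New("unknown response_code")
	case tx.redeemed:
		return "", errors.New("response_code already used")
	case v.now().After(tx.expires):
		return "", errors.New("response_code expired")
	}
	tx.redeemed = true
	v.sessions[browserSession] = tx.holder
	return tx.holder, nil
}

func main() {
	v := newVerifier(time.Now)
	state := v.startTransaction()                             // browser session "sess-A" displays the QR code
	redirectURI, _ := v.acceptResponse(state, "holder-alice") // the wallet's presentation arrives at response_uri
	fmt.Printf("sess-A after the presentation: %q\n", v.sessions["sess-A"]) // "": the presentation alone logs nobody in
	u, _ := url.Parse(redirectURI)
	code := u.Query().Get("response_code")
	fmt.Println(v.redeemCode(code, "sess-B")) // the browser session the wallet opened: holder-alice <nil>
	fmt.Println(v.redeemCode(code, "sess-C")) // replay from another session: "" response_code already used
}
```

The confirmation page of step 19 is where the user sees which transaction they are about to complete; the code above enforces the server-side half of that mitigation, namely that the presentation by itself never promotes the session that initiated the transaction, and that a response_code cannot be replayed into a second session or used after it expires.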