...
Standards and supported versions
Standard | Acronym(s) | Version | Reference |
---|---|---|---|
OpenID for Verifiable Presentations | OpenID4VP | draft 20 | https://openid.net/specs/openid-4-verifiable-presentations-1_0-20.html |
Presentation Exchange | | 2.0.0 | https://identity.foundation/presentation-exchange/spec/v2.0.0/ |
did:web method | | | https://w3c-ccg.github.io/did-method-web/ |
JWT Secured Authorization Response Mode for OAuth 2.0 | JARM | | https://openid.net/specs/oauth-v2-jarm-final.html |
Selective Disclosure for JWTs | SD-JWT | draft 05 | https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-05.html |
Self-Issued OpenID Provider v2 | SIOPv2 | Not supported | https://openid.net/specs/openid-connect-self-issued-v2-1_0-12.html |
Implementation profile
This section gives an overview of the EUDIW Demo implementation profile: the technical choices that have been selected and incorporated into the implementation, and how the implementation addresses the optional requirements of the OpenID4VP specification.
...
# | Step | Example |
---|---|---|
1 | User initiates the authentication sequence from the Verifier web site. | |
2 | Verifier starts the authentication and creates: | Example Wallet Invocation URL |
3 | Verifier forwards the authentication request to the EUDIW Demo application by | |
4 | EUDIW Demo application receives the Wallet Invocation | |
5 | EUDIW Demo application receives the Wallet Invocation and reads its parameters. | |
6 | EUDIW Demo application performs a did:web read operation for the client_id parameter and receives the DID document from the Verifier. | client_id: did:web:example.com => GET https://example.com/.well-known/did.json |
7 | EUDIW Demo application validates the DID document. The id of the DID document must correspond to the client_id of the Wallet Invocation. | |
8 | EUDIW Demo application sends an HTTP GET request to the URI given in request_uri to fetch a JWT-Secured Authorization Request (JAR). Verifier responds with the JWT-Secured Authorization Request (JAR). | Example JWT-Secured Authorization Request (JAR) |
9 | EUDIW Demo application verifies the JAR signature. | |
10 | EUDIW Demo application presents the authentication request with its details and Verifier info to the user. User accepts the authentication request. | |
11 | EUDIW Demo application evaluates presentation_definition and creates a presentation of the user's credentials to form a vp_token. If presentation_definition is unsatisfiable, the authentication flow ends in an error indicating that the credentials are insufficient. | |
12 | EUDIW Demo application presents the requested credentials to the user. User accepts sending the credentials. | |
13 | EUDIW Demo application creates the Authorization Response (JARM payload): | Example Authorization Response |
14 | EUDIW Demo application creates the encrypted Authorization Response (JWE). | Example JWE |
15 | EUDIW Demo application sends the authentication response to the Verifier as defined in JAR.payload.response_mode. Currently only direct_post.jwt is supported, so the response is sent as an HTTPS POST to response_uri. | |
16 | Verifier validates the received response. | |
17 | Verifier responds with a redirect_uri containing a response_code generated by the Verifier. | |
18 | EUDIW Demo application opens the received redirect_uri in a new browser session. | |
19 | The redirect_uri opened in the browser contains a confirmation request. The user is asked to verify the session to mitigate possible session fixation attacks. | |
20 | After receiving user confirmation, the response_code is posted from the browser to the Verifier. | |
21 | Verifier validates the received response_code. | |
22 | Verifier performs custom authentication functionalities as needed. | |
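Steps 6 and 7 above (resolving the did:web client_id and checking that the DID document belongs to it) can be implemented without any network call once the document has been fetched. The following is an added example, not code from the EUDIW Demo project; the DID document, the key name `key-1` and the `key_for_kid` lookup of the JAR's `kid` header are this example's own assumptions.

```python
# Added example (not part of the EUDIW Demo code): map a did:web client_id to
# the URL of its DID document and validate the fetched document against the
# client_id. The DID document below is constructed; nothing is fetched.
from urllib.parse import unquote


class DidWebError(ValueError):
    """Raised when a did:web identifier or a DID document fails validation."""


def did_web_to_url(did: str) -> str:
    """Map a did:web identifier to the HTTPS URL of its DID document.

    did:web read operation: the method-specific part is split on ':', the
    first element is the host (a port is percent-encoded as '%3A'), further
    elements are path segments, and '/did.json' is appended; with no path the
    document lives under '/.well-known/'.
    """
    prefix = "did:web:"
    if not did.startswith(prefix):
        raise DidWebError(f"not a did:web identifier: {did!r}")
    parts = did[len(prefix):].split(":")
    host = unquote(parts[0])  # only the host part is percent-decoded (port)
    if not host or "/" in host or "@" in host or "?" in host or "#" in host:
        raise DidWebError(f"invalid host in {did!r}")
    path = parts[1:]
    for segment in path:
        # Reject empty or traversal-like segments so the URL stays under the host.
        if not segment or segment in (".", "..") or "/" in segment:
            raise DidWebError(f"invalid path segment {segment!r} in {did!r}")
    if path:
        return f"https://{host}/{'/'.join(path)}/did.json"
    return f"https://{host}/.well-known/did.json"


def validate_did_document(doc: dict, client_id: str) -> dict:
    """Step 7: the document's id must equal the client_id of the Wallet Invocation.

    Returns a map from verification-method id to its public JWK, restricted to
    keys that are fragments of this DID and controlled by it.
    """
    if not isinstance(doc, dict):
        raise DidWebError("DID document is not a JSON object")
    if doc.get("id") != client_id:
        raise DidWebError(f"DID document id {doc.get('id')!r} does not match client_id {client_id!r}")
    keys = {}
    for vm in doc.get("verificationMethod", []):
        vm_id = vm.get("id", "")
        if not vm_id.startswith(client_id + "#"):
            continue
        if vm.get("controller", client_id) != client_id:
            continue
        jwk = vm.get("publicKeyJwk")
        if isinstance(jwk, dict):
            keys[vm_id] = jwk
    if not keys:
        raise DidWebError("DID document contains no usable verification method")
    return keys


def key_for_kid(doc: dict, client_id: str, kid: str) -> dict:
    """Assumption of this example: the JAR's 'kid' header names a verification
    method of the Verifier's DID; return that JWK or fail."""
    keys = validate_did_document(doc, client_id)
    if kid not in keys:
        raise DidWebError(f"kid {kid!r} is not a verification method of {client_id}")
    return keys[kid]


# Constructed DID document; the JWK coordinates are placeholders, not a real key.
SAMPLE_DID_DOCUMENT = {
    "@context": ["https://www.w3.org/ns/did/v1"],
    "id": "did:web:example.com",
    "verificationMethod": [
        {
            "id": "did:web:example.com#key-1",
            "type": "JsonWebKey2020",
            "controller": "did:web:example.com",
            "publicKeyJwk": {"kty": "EC", "crv": "P-256", "x": "PLACEHOLDER_X", "y": "PLACEHOLDER_Y"},
        }
    ],
}

if __name__ == "__main__":
    print("fetch", did_web_to_url("did:web:example.com"))
    print(key_for_kid(SAMPLE_DID_DOCUMENT, "did:web:example.com", "did:web:example.com#key-1"))
```

The host check rejects identifiers whose decoded host would carry a path, userinfo or query, so a client_id cannot steer the wallet to a document outside the `/.well-known/` or path location that the DID itself names.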
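Steps 17, 20 and 21 hinge on the response_code being unguessable, bound to one transaction, short-lived and usable only once; together with the user confirmation in step 19 that is what blunts session fixation. The following is an added example of Verifier-side handling, not the Verifier's or the EUDIW Demo's own code; the storage class, the transaction ids, the 120-second lifetime and the query-parameter placement of `response_code` are this example's assumptions.

```python
# Added example (not part of the EUDIW Demo or Verifier code): issue and
# redeem the response_code of steps 17, 20 and 21 so that a leaked or replayed
# redirect_uri cannot complete another user's authentication.
import secrets
import time
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse, urlunparse


class ResponseCodeStore:
    """In-memory store of pending response_codes. A real deployment would use
    shared storage, but must keep the same single-use and expiry semantics."""

    def __init__(self, ttl_seconds: int = 120, now: Callable[[], float] = time.time):
        self._ttl = ttl_seconds
        self._now = now  # injectable clock, used by the tests
        self._pending: Dict[str, Tuple[str, float]] = {}

    def issue(self, transaction_id: str) -> str:
        """Step 17: mint an unguessable code tied to the wallet transaction."""
        code = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._pending[code] = (transaction_id, self._now() + self._ttl)
        return code

    def redeem(self, response_code: str) -> Optional[str]:
        """Step 21: return the transaction the code belongs to, or None.

        The code is removed before any other check, so a second POST with the
        same code (replay, double submit) is always rejected.
        """
        entry = self._pending.pop(response_code, None)
        if entry is None:
            return None
        transaction_id, expires_at = entry
        if self._now() > expires_at:
            return None
        return transaction_id

    def purge_expired(self) -> int:
        """Housekeeping: drop codes that were never redeemed."""
        now = self._now()
        stale = [c for c, (_, exp) in self._pending.items() if exp < now]
        for c in stale:
            del self._pending[c]
        return len(stale)


def build_redirect_uri(base_redirect_uri: str, response_code: str) -> str:
    """Step 17: add response_code as a query parameter to the Verifier's redirect_uri."""
    parts = urlparse(base_redirect_uri)
    query = parse_qs(parts.query, keep_blank_values=True)
    query["response_code"] = [response_code]
    return urlunparse(parts._replace(query=urlencode(query, doseq=True)))


def response_code_from_uri(uri: str) -> Optional[str]:
    """Step 20: the confirmation page posts back exactly one response_code."""
    values = parse_qs(urlparse(uri).query).get("response_code", [])
    return values[0] if len(values) == 1 else None


if __name__ == "__main__":
    store = ResponseCodeStore()
    code = store.issue("txn-42")                       # constructed transaction id
    uri = build_redirect_uri("https://verifier.example/return?flow=demo", code)
    print(uri)
    print(store.redeem(response_code_from_uri(uri)))   # txn-42
    print(store.redeem(code))                          # None: single use
```

Because `redeem` returns the transaction id rather than a bare boolean, the Verifier can mark exactly that transaction as authenticated and ignore whatever session cookie the new browser window happens to carry.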
Wallet Metadata (Authorization Server Metadata, ASM)
...
```jsonc
{
  "authorization_endpoint": "openid4vp://",
  "client_id_schemes_supported": [ "did" ],
  "request_object_signing_alg_values_supported": [ "ES384", "ES256", "PS512", "PS384", "PS256" ],
  "response_types_supported": [ "vp_token" ],
  "response_modes_supported": [ "direct_post.jwt" ],
  "scopes_supported": [ "openid" ],   // unused, reserved for SIOPv2
  "presentation_definition_uri_supported": false,
  "vp_formats_supported": {
    "sd_jwt": { "alg_values_supported": [ "ES384" ] },
    "hb_jwt": { "alg_values_supported": [ "ES256" ] }
  },
  "authorization_signing_alg_values_supported": [],   // JARM is not signed. It is only encrypted.
  "authorization_encryption_alg_values_supported": [ "ECDH-ES" ],
  "authorization_encryption_enc_values_supported": [ "A256CBC-HS512" ]
}
```
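The metadata above is what the wallet advertises; the matching enforcement is to check each incoming JAR against it before any signature verification, so that a request using `alg: none`, an unsupported response mode or a client_id_scheme other than `did` is rejected up front. The following is an added example, not the EUDIW Demo's code; the sample JAR header and payload are constructed, the `kid`-prefix rule for `did` client ids is this example's assumption, and the `vp_formats` check accepts either `alg` or `alg_values_supported` as the key name in the Verifier's client_metadata.

```python
# Added example (not part of the EUDIW Demo code): validate a decoded JAR
# (JOSE header + payload) against the wallet metadata before trusting it.
from typing import Dict, List

# Subset of the wallet metadata shown on this page (comments dropped).
WALLET_METADATA = {
    "client_id_schemes_supported": ["did"],
    "request_object_signing_alg_values_supported": ["ES384", "ES256", "PS512", "PS384", "PS256"],
    "response_types_supported": ["vp_token"],
    "response_modes_supported": ["direct_post.jwt"],
    "presentation_definition_uri_supported": False,
    "vp_formats_supported": {
        "sd_jwt": {"alg_values_supported": ["ES384"]},
        "hb_jwt": {"alg_values_supported": ["ES256"]},
    },
    "authorization_encryption_alg_values_supported": ["ECDH-ES"],
    "authorization_encryption_enc_values_supported": ["A256CBC-HS512"],
}


def check_jar_against_metadata(header: Dict, payload: Dict, metadata: Dict = WALLET_METADATA) -> List[str]:
    """Return a list of problems; an empty list means the JAR may proceed to
    signature verification (step 9) with the alg it declares."""
    problems: List[str] = []

    alg = header.get("alg")
    if alg not in metadata["request_object_signing_alg_values_supported"]:
        # Also rejects 'none' and any request with no alg at all.
        problems.append(f"JAR alg {alg!r} is not in request_object_signing_alg_values_supported")

    scheme = payload.get("client_id_scheme")
    if scheme not in metadata["client_id_schemes_supported"]:
        problems.append(f"client_id_scheme {scheme!r} is not supported")
    elif scheme == "did":
        # Example's assumption: the signing key is named as a fragment of the Verifier's DID.
        if not header.get("kid", "").startswith(payload.get("client_id", "") + "#"):
            problems.append("kid does not reference a verification method of client_id")

    response_type = payload.get("response_type")
    if response_type not in metadata["response_types_supported"]:
        problems.append(f"response_type {response_type!r} is not supported")

    mode = payload.get("response_mode")
    if mode not in metadata["response_modes_supported"]:
        problems.append(f"response_mode {mode!r} is not supported")

    if "presentation_definition_uri" in payload and not metadata["presentation_definition_uri_supported"]:
        problems.append("presentation_definition_uri is not supported; pass presentation_definition by value")
    elif "presentation_definition" not in payload and "presentation_definition_uri" not in payload:
        problems.append("request carries neither presentation_definition nor presentation_definition_uri")

    client_metadata = payload.get("client_metadata") or {}
    if mode == "direct_post.jwt":
        enc_alg = client_metadata.get("authorization_encrypted_response_alg")
        enc_enc = client_metadata.get("authorization_encrypted_response_enc")
        if enc_alg not in metadata["authorization_encryption_alg_values_supported"]:
            problems.append(f"encryption alg {enc_alg!r} is not supported")
        if enc_enc not in metadata["authorization_encryption_enc_values_supported"]:
            problems.append(f"encryption enc {enc_enc!r} is not supported")

    # At least one presentation format, with a shared algorithm, must be usable.
    wallet_formats = metadata["vp_formats_supported"]
    usable = [
        fmt for fmt, opts in (client_metadata.get("vp_formats") or {}).items()
        if fmt in wallet_formats
        and set(opts.get("alg", opts.get("alg_values_supported", [])))
        & set(wallet_formats[fmt]["alg_values_supported"])
    ]
    if not usable:
        problems.append("client_metadata.vp_formats shares no format and alg with vp_formats_supported")
    return problems


# Constructed sample JAR that satisfies the profile.
GOOD_HEADER = {"alg": "ES256", "typ": "oauth-authz-req+jwt", "kid": "did:web:verifier.example#key-1"}
GOOD_PAYLOAD = {
    "client_id": "did:web:verifier.example",
    "client_id_scheme": "did",
    "response_type": "vp_token",
    "response_mode": "direct_post.jwt",
    "response_uri": "https://verifier.example/response",
    "nonce": "constructed-nonce",
    "presentation_definition": {"id": "pd-1", "input_descriptors": []},
    "client_metadata": {
        "authorization_encrypted_response_alg": "ECDH-ES",
        "authorization_encrypted_response_enc": "A256CBC-HS512",
        "vp_formats": {"sd_jwt": {"alg": ["ES384"]}},
    },
}

# Constructed sample that an OpenID4VP Verifier outside this profile might send.
BAD_HEADER = {"alg": "none"}
BAD_PAYLOAD = {
    "client_id": "https://verifier.example",
    "client_id_scheme": "redirect_uri",
    "response_type": "vp_token",
    "response_mode": "fragment",
    "presentation_definition_uri": "https://verifier.example/pd",
    "client_metadata": {},
}

if __name__ == "__main__":
    print(check_jar_against_metadata(GOOD_HEADER, GOOD_PAYLOAD))   # []
    print(check_jar_against_metadata(BAD_HEADER, BAD_PAYLOAD))     # five problems
```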
Changelog
Version | Date | Changes |
---|---|---|
1 | 2023-10-18 | First published version |
2 | 2024-04-05 | Document updated to follow the OpenID4VP draft 20 implementation. Notable changes in implementation: |