1F/ OpenID Connect Credential Provider

From IIW

OpenID Credential Provider


Tuesday 1F

Convener: Tobias Looker

Notes-taker(s): Lionello Lunesu

Tags for the session - technology discussed/ideas considered:

OpenID Connect, Credential, https://mattrglobal.github.io/oidc-client-bound-assertions-spec/


Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:


Extension to the OpenID Connect Core spec

New scope: “openid_credential”

Adds “sub_jwk” and/or “did” to the request object: this identifies the key that signed the request object, and it is also the public key the response is to be bound to

Adds a “credential” member to the request object’s “claims” parameter (alongside the existing “userinfo” and “id_token” members)

Discussion about whether to support both “sub_jwk” and “did”, or only one of them

Could the “did” be carried as the “kid” inside “sub_jwk”?

New OpenID Discovery fields: “dids_supported”, “did_methods_supported”, “credential_supported”, “credential_format_supported”

Question about whether a new scope and a new “credential” response are actually necessary


Zoom chat:


From Lio Lunesu : OK if I take some notes in the Google form?

From Wayne Chang : No apologies necessary, I prefer ascii art!!

From Orie Steele : Can we get w3cvc-jsonld -> w3c-vc-jsonld :)

From Dmitri Zagidulin : and waste an extra character??

From Dmitri Zagidulin : think of the bandwidth and/or the children!

From Nat Sakimura : It could be ephemeral as well.

From Wayne Chang : imo, it’s a different trust model between just using the included key vs. DID resolution

From Wayne Chang : specifically if you rely on sub_jwk then you are trusting the direct presenter, whilst with the DID you are trusting the DID method’s resolution process

From Dmitri Zagidulin : for an introduction to dpop - https://link.medium.com/B1c7jI94Jab

From Oliver Terbu : Well, you have to trust the authentication step in OIDC. I assume this can be anything from social login to a national eID scheme.

From Dmitri Zagidulin : tobias - this vc request spec syntax is fabulous. I’d love to unify/integrate it with the CCG vp-request-spec

From Oliver Terbu : The provider knows the user and issues a VC to the wallet

From Wayne Chang : https://openid.net/wg/ekyc-ida/

From Sascha Preibisch : I do not see a hands-up icon

From David Waite : in the participants list

From Wayne Chang : @sasha, you may need to open the participants list

From Xavier Vila : Click on participants button

From Wayne Chang : hah

From Sascha Preibisch : thanks

From Wayne Chang : https://xkcd.com/927/ <- glad we’re moving to prevent this

From Nat Sakimura : FYI: eKYC/IDA WG product that Wayne mentioned: https://bitbucket.org/openid/ekyc-ida/src/master/openid-connect-4-identity-assurance.md

From Orie Steele : Massive ID tokens

From Orie Steele : Nested base64url is one of my least favorite things

From Lio Lunesu : :D

From Nat Sakimura : What Lio talked about is called distributed claims.

From Lio Lunesu : correct

From Nat Sakimura : It is like “claims by reference”. It’s got many nice characteristics if you are not concerned about the RP anonymity towards the CP.

From Vittorio Bertocci : it seems what you want is response_type; scope isn't really the right place

From Sascha Preibisch : That comes close, yes

From Wayne Chang : +1 to embedding things as a workable path

From Orie Steele : I think it’s more likely that DIF PE would offer this as a channel

From Wayne Chang : Just need to be super explicit about the layers of trust here and how they’re traversed by different pieces

From Vittorio Bertocci : did I read "auth0" in the URL? :)

From Oliver Terbu : haha

From Orie Steele : yep

From Nat Sakimura : bit.ly/3jhuRF6

From Orie Steele : userinfo seems like maybe a better place

From Orie Steele : But then the id_token still needs to be updated in some way I think.

From Wayne Chang : Without getting too ahead of ourselves, I feel that a keycloak module would be a powerful demonstration for this

From Lio Lunesu : Please, folks, check and add to the notes

From Orie Steele : “Use the protocol features, don’t overload unless you are forced to”

From Lio Lunesu : The notes I took might be biased to things I noted

From Dmitri Zagidulin : @Lio - do you have a link to the notes?

From Lio Lunesu : It’s in the qiqo, click on Session 1F On top

From Dmitri Zagidulin : thx

From Oliver Terbu : OIDC CP = issuance flow

From Alec Laws : Thanks! Very interesting

From Richard Astley : Thanks Tobias, great session.

From Thomas (Evidence) : Thanks ! Was very nice !

From Wayne Chang : tyty; Great stuff