2E/ OpenID Connect 4 SSI

From IIW

Open ID Connect for SSI

Tuesday 2E

Convener: Kristina Yasuda, Torsten Lodderstedt

Notes-taker(s): Andrew Hughes

Tags for the session - technology discussed/ideas considered:

SSI, OpenID Connect, VCs

Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps

Presentation here:

https://openid.net/wordpress-content/uploads/2021/09/OIDF_OIDC4SSI-Update_Kristina-Yasuda-Torsten-Lodderstedt.pdf

  • https://github.com/microsoft/VerifiableCredential-SDK-Android

  • Torsten explains the rationale for OIDC for SSI

  • Simplicity is a key success factor

  • The components:

    • SIOP v2 (Self issued OP)

    • OIDC for VP (for presentation)

    • Claims aggregation (issuance)

  • This part of the presentation focuses on SIOP v2

  • Comparison of typical OIDC flow vs SIOP flow - example is SIOP as Native app on mobile device

  • Trust model requires Trust on First Use for the RP - no prior awareness

  • Same-device and cross-device SIOP behave slightly differently - different controls and information are available in each mode

Kyle Den Hartog To Everyone, 12:54:23 PM

I noticed the self issued identifiers work isn’t mentioned here. Is that being delayed at this point while these work items move forward?

Kristina Yasuda (US) To Everyone, 12:54:45 PM

which draft do you have in mind?

Kyle Den Hartog To Everyone, 12:54:53 PM

https://bitbucket.org/openid/connect/src/master/SIOP/draft-jones-self_issued_identifier.md

That’s the only one I could find

  • Note that Form POST and redirect are not possible cross-device

  • Note that the sub: in response is critical to the SIOP model

  • If you need to assert 3rd party attested claims, OIDC4VP comes into play

  • DIF PE is a rich syntax

  • Note the “claims”: this structure is new

    • “Presentation_definition” is a result of lots of discussion with DIF PE wg

  • The example is out of date…

DEMO

Discussion

  • Q: what’s the history of rolling self-issued identifiers into SIOP?

    • Thinking about replacing the sub identifiers that are scoped to the OP in a way that allows it to be globally unique to allow migration of identifiers to other OPs

    • A: Portable Identifiers (abandoned draft) - allowed traditional OPs to assert sub values that are ‘portable’ under user’s control. Was abandoned because WG didn’t see a use case

    • Is the question about normal OPs? Or SIOP OPs?

      • Primary case would be to migrate from Login with xxx to a SIOP

      • But sounds like focus on VP first then if portable identifiers turn out to be useful then work on that

  • Q: in the OIDC4VP req-res example slide

    • A: the sub in the response does not have to match the DID in the response VP (verificationMethod)

  • Q: is it theoretically possible to implement SIOP as a hosted service e.g. hosted wallets?

    • A: a limiting factor is use of custom scheme

    • But use cases do exist

  • Q: is SIOP focused mainly on same-device flows?

    • A: Look at the PARM PR

    • Also security considerations are very different between same/cross device

    • SIOP is optimized for the situation where the OP cannot receive connections
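An added example (not from the presentation or the Microsoft SDKs linked above) of the RP-side checks that the notes above imply for a SIOP response: sub is the holder's self-asserted identifier (a DID or, as the chat below explains, the JWK thumbprint of sub_jwk), aud names the RP's redirect_uri, and the nonce must match the request; the VP's holder DID is not compared with sub because the notes say they need not match. The self-issued iss constant and the sample key are assumptions, and signature verification of the token is assumed to happen before this step.

```python
import base64
import hashlib
import json
import time

# Assumption (not stated in the notes): SIOP v2 fixes the iss of a self-issued
# ID Token to this constant rather than an OP's issuer URL.
SELF_ISSUED_ISS = "https://self-issued.me/v2"

# Members that enter an RFC 7638 thumbprint, per key type; optional members such as "use" are excluded.
THUMBPRINT_MEMBERS = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y"), "OKP": ("crv", "kty", "x")}


def jwk_thumbprint(jwk):
    """RFC 7638: SHA-256 over the required members only, keys sorted, no whitespace, base64url unpadded."""
    canonical = json.dumps({k: jwk[k] for k in THUMBPRINT_MEMBERS[jwk["kty"]]},
                           sort_keys=True, separators=(",", ":"))
    digest = hashlib.sha256(canonical.encode("utf-8")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def siop_binding_problems(claims, request_nonce, redirect_uri, now=None):
    """List SIOP binding failures of an already signature-verified ID Token payload (empty list = bound).
    The holder DID inside an accompanying VP is deliberately not compared with sub: per the notes they need not match."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != SELF_ISSUED_ISS:
        problems.append("iss: not the self-issued value")
    if claims.get("aud") != redirect_uri:
        problems.append("aud: does not name this RP's redirect_uri")
    if claims.get("nonce") != request_nonce:
        problems.append("nonce: does not match the authentication request")
    if claims.get("exp", 0) <= now:
        problems.append("exp: token expired")
    sub = claims.get("sub", "")
    if sub.startswith("did:"):
        pass  # DID holder: resolving sub to its verification key is a separate step
    elif "sub_jwk" not in claims or jwk_thumbprint(claims["sub_jwk"]) != sub:
        problems.append("sub: neither a DID nor the thumbprint of sub_jwk")
    return problems


# Constructed sample (not a real key): an EC JWK whose thumbprint becomes the holder's sub.
SAMPLE_JWK = {"kty": "EC", "crv": "P-256", "x": "c29tZS14LWNvb3JkaW5hdGU", "y": "c29tZS15LWNvb3JkaW5hdGU", "use": "sig"}

def sample_id_token(nonce="n-0S6_WzA2Mj", redirect_uri="https://rp.example/cb", exp=2_000_000_000):
    """Constructed ID Token payload that a wallet would return for the given request parameters."""
    return {"iss": SELF_ISSUED_ISS, "sub": jwk_thumbprint(SAMPLE_JWK), "sub_jwk": SAMPLE_JWK,
            "aud": redirect_uri, "nonce": nonce, "exp": exp, "iat": exp - 600}
```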

Zoom chat (edited):

09:48:56 From Kristina Yasuda (US) to Everyone:

@Paul - https://github.com/microsoft/VerifiableCredential-SDK-Android

09:49:04 From Kristina Yasuda (US) to Everyone:

https://github.com/microsoft/VerifiableCredential-SDK-iOS

09:49:42 From Kristina Yasuda (US) to Everyone:

it's open for transparency, but please do not take dependency, we might be introducing breaking changes

09:54:23 From Kyle Den Hartog to Everyone:

I noticed the self issued identifiers work isn’t mentioned here. Is that being delayed at this point while these work items move forward?

09:54:45 From Kristina Yasuda (US) to Everyone:

which draft do you have in mind?

09:54:53 From Kyle Den Hartog to Everyone:

https://bitbucket.org/openid/connect/src/master/SIOP/draft-jones-self_issued_identifier.md

09:54:58 From Kyle Den Hartog to Everyone:

That’s the only one I could find

10:03:27 From Markus Sabadello to Everyone:

The nonce doesn't match here?

10:06:28 From Torsten Lodderstedt1 to Everyone:

correct. Thanks for pointing out.

10:11:40 From Kristina Yasuda (US) to Everyone:

nonce in VP token and ID Token?

10:11:51 From Kyle Den Hartog to Everyone:

Nonce in the request and response

10:12:01 From Kyle Den Hartog to Everyone:

For the SIOP example

10:12:09 From Kristina Yasuda (US) to Everyone:

it did not match in the example? oops, it should, pardon

10:12:50 From Kyle Den Hartog to Everyone:

Was the subject did in the response supposed to match the client_id as well? I wasn’t sure about that part

10:14:00 From Kristina Yasuda (US) to Everyone:

sub in the response is user DID. aud matches redirect_uri of the RP

10:15:36 From Kristina Yasuda (US) to Everyone:

iss (who is issuing the ID Token) - self-issued aka SIOP

sub (about whom ID Token is issued) - holder DID

aud (intended recipient of the ID Token) - verifier RP's identifier (redirect_uri)

10:16:06 From Dirk Balfanz to Everyone:

In OIC, normally the Issuer signs the ID Token. I assume this isn’t the case here? Is the subject (which is a DID, so it has a signing key) signing the ID token instead?

10:17:12 From Kristina Yasuda (US) to Everyone:

yes, ID Token is self-attested, signed by the user controlled key material (JWK thumbprint or DID), hence self-issued flow

10:17:41 From Kristina Yasuda (US) to Everyone:

@kyle, re self-issued identifier draft, it has been absorbed into SIOP spec

10:17:43 From Dick Hardt to Everyone:

Please post demo links to chat

10:18:01 From Kristina Yasuda (US) to Everyone:

On device: https://youtu.be/gDg2ma7TwWU

10:18:07 From Kristina Yasuda (US) to Everyone:

Cross device: https://youtu.be/hC3VQE-vMnQ

10:18:24 From Kyle Den Hartog to Everyone:

Ahh ok that makes sense - is the general assumption that current OIDC providers won’t want self issued identifiers?

10:18:37 From Kristina Yasuda (US) to Everyone:

why?

10:19:05 From Kyle Den Hartog to Everyone:

One of the things I was thinking might be done is the current OPs add support for self issued identifiers which then allow for migration between OPs including migrating to a SIOP provider

10:19:06 From David Waite to Everyone:

Dirk: SIOP is self-asserted authentication and self-asserted claims. Verifiable Presentations enable us to also present third party claims

10:19:50 From Dick Hardt to Everyone:

I scanned the QR code that was shown, and the MS Authenticator app was loaded on iOS. Hmmm!

10:20:06 From Kristina Yasuda (US) to Everyone:

migration is another interesting topic. I would assume SIOP and 3P OPs will co-exist depending on a use-case for a certain period - given we get SIOP correctly

10:20:07 From David Waite to Everyone:

Formerly if you wanted claims by a particular party, you typically had to SSO directly with them.

10:20:37 From David Waite to Everyone:

Dick the wonder of the openid:// uri scheme 😄

10:20:45 From Kristina Yasuda (US) to Everyone:

SIOP discovery on iOS is the known issue - why we recommend universal links in the spec

10:20:46 From Vittorio Bertocci to Everyone:

"for a certain period"? Do you expect SIOP to replace existing tech?

10:20:58 From Kyle Den Hartog to Everyone:

Yup agree with that assessment

10:21:32 From Kristina Yasuda (US) to Everyone:

Android allows wallet selection even among the same custom schemes

10:22:52 From Kristina Yasuda (US) to Everyone:

-05 https://openid.bitbucket.io/connect/openid-connect-4-verifiable-presentations-1_0.html

10:23:55 From Markus Sabadello to Everyone:

Anoncreds over OIDC? wow!

10:23:59 From Kristina Yasuda (US) to Everyone:

thank you PE for allowing to request not just VCs, but also anon creds is the trick here I guess

10:29:12 From Ivan Basart to Everyone:

Please, don’t forget to share the ppt! It's a great presentation :)

10:29:27 From Kristina Yasuda (US) to Everyone:

https://openid.net/wordpress-content/uploads/2021/09/OIDF_OIDC4SSI-Update_Kristina-Yasuda-Torsten-Lodderstedt.pdf

10:31:15 From Oliver Terbu to Everyone:

imo, they do not necessarily have to match

10:31:47 From Kristina Yasuda (US) to Everyone:

the examples in the one above are a little outdated - will put a link to the updated one in the slides

10:32:18 From Kyle Den Hartog to Everyone:

You could use the subject DID in the ID Token as a communication DID, whereas the verificationMethod is a persistent DID used for different personas

10:32:33 From Kyle Den Hartog to Everyone:

The separation allows for crossing personas if needed

10:32:41 From Oliver Terbu to Everyone:

in case VCs have DIDs (pairwise), and one wants to have a pairwise DID per RP, then all DIDs don’t have to match. sure, it will at least those DIDs but would preserve privacy in case you don’t use bbs+ w/ privacy-preserving holder binding

10:34:25 From Markus Sabadello to Everyone:

Thanks, makes sense