Self-Issued OpenID Connect (SIOP) DID Auth Flavor
From IIW
Tuesday 4F
Convener: Oliver Terbu
Notes-taker(s): Oliver Terbu
Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:
The session was organized to move the Self-Issued OpenID Connect Provider (SIOP) Profile for DID Auth forward and to clarify a few questions. We discussed the basic SIOP flow and agreed that it would be a good fit for DID Auth for web applications, as DID Auth has two major tasks to solve:
- Proof of possession of a DID
- Exchange of the DID plus other information that allows two parties to communicate with their service endpoints, or in general with each other
- Focus on authentication rather than authorization
The following items were discussed in particular:
- SIOP mandates specific crypto algorithms, namely RSA and ECC P-256. The conclusion was that it should be fine for the SIOP to respond with different algorithms when the DID Auth profile is used.
- Although SIOP is not a mandatory feature of the OIDC spec and therefore does not have as many implementations as the Authorization Code flow, it uses the same message format and shares request and response messages. For that reason, OIDC clients won’t have an issue with adding this feature.
- There was a debate on whether or not an RP has to implement both flows, plain OIDC and DID Auth enabled. The conclusion was that this is not needed, and we anticipate that clients with DID Auth support will opt in for the DID Auth profile only. In general, that discussion triggered questions on what it means for RPs to integrate DID Auth, which then became the topic of another session on the next day.
- The same applies to Identity Wallet providers. They can opt in for implementing the DID Auth based approach only, but to comply with the plain OIDC spec they would need to be backward compatible. An RP that uses DID Auth will likely also use the service endpoints to interact with the user.