
id_token Is Issued for Revoked Credentials

Open MonolithicMonk opened this issue 2 years ago • 1 comments

Issue: VC-Authn issues id_token to clients when revoked credentials are used to respond to proof request. Further, there is no notification to clients that a revoked credential was used.

Proposal: Due to the critical nature of Authentication / Authorization flows using vc-authn, I recommend that vc-authn should conduct a revocation check prior to id_token issuance and deny issuance to revoked tokens

Compromise: I'm not aware of any mechanism in openid to alert clients that the issued id_token is based on revoked credentials. Therefore an invalid credentials notification should be the appropriate response for revoked credentials.

MonolithicMonk avatar Jul 07 '22 12:07 MonolithicMonk

Revocation is implemented in the feature/revocation-support branch of vc-authn. Authentication will fail if the provided credential is revoked; however, because the underlying layer in Indy does NOT return information about what failed in the proof, we are only able to receive a success/failure type of response and block the authentication flow if the verification was not successful for any reason.

esune avatar Jul 18 '22 22:07 esune
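The gate the issue proposes and the constraint esune describes (only a pass/fail verification result is available), sketched as an added example; this is illustrative code, not vc-authn's or ACA-Py's implementation. The record layout, the string-valued `verified` flag and the `non_revoked` interval are assumptions modelled on an ACA-Py present-proof record, and the sample records are constructed.

```python
import logging

log = logging.getLogger("vc-authn-gate")

# Constructed sample records (assumed shape, not real vc-authn data).
# "verified" is assumed to arrive as the string "true"/"false".
PRESENTATION_OK = {
    "presentation_exchange_id": "exch-ok",
    "verified": "true",
    "presentation_request": {"non_revoked": {"from": 0, "to": 1_700_000_000}},
    "presentation": {"requested_proof": {"revealed_attrs": {
        "email": {"raw": "holder@example.org"}}}},
}
PRESENTATION_REVOKED = dict(PRESENTATION_OK,
                            presentation_exchange_id="exch-revoked",
                            verified="false")
PRESENTATION_NO_INTERVAL = dict(PRESENTATION_OK,
                                presentation_exchange_id="exch-no-interval",
                                presentation_request={})


def deny() -> dict:
    """Generic OIDC error: the verifier only reports pass/fail, so the
    client is told 'invalid credentials' whatever the underlying cause."""
    return {"error": "access_denied", "error_description": "invalid credentials"}


def decide_issuance(record: dict, now: int) -> dict:
    """Return {"id_token_claims": ...} only for a presentation that was
    verified against a non_revoked interval covering `now`."""
    exch = record.get("presentation_exchange_id", "?")
    interval = record.get("presentation_request", {}).get("non_revoked")
    # Without a current non_revoked interval the revocation registry was
    # never consulted, so a revoked credential would still verify.
    if not interval or not (interval.get("from", 0) <= now <= interval.get("to", -1)):
        log.warning("%s: proof request has no current non_revoked interval", exch)
        return deny()
    verified = record.get("verified")
    if isinstance(verified, str):          # tolerate "true"/"false" strings
        verified = verified.strip().lower() == "true"
    if verified is not True:
        log.warning("%s: presentation failed verification, no id_token issued", exch)
        return deny()
    attrs = record["presentation"]["requested_proof"]["revealed_attrs"]
    return {"id_token_claims": {name: val["raw"] for name, val in attrs.items()}}
```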

Closing as I have not heard back, please reopen if necessary.

esune avatar Jan 18 '23 20:01 esune