openid4vc
openid4vc copied to clipboard
Published
20 hours ago •
impierce
impierce
Support OID4VCI Authorization Code Flow
Description
+--------------+ +-----------+ +-------------------+
| User | | Wallet | | Credential Issuer |
+--------------+ +-----------+ +-------------------+
| | |
| interacts | |
|--------------->| |
| | (1) Obtains Issuer's Credential Issuer metadata |
| |<-------------------------------------------------->|
| | |
| | (2) Authorization Request |
| | (type(s) of Credentials to be issued) |
| |--------------------------------------------------->|
| | |
| User Authentication / Consent |
| | |
| | (3) Authorization Response (code) |
| |<---------------------------------------------------|
| | |
| | (4) Token Request (code) |
| |--------------------------------------------------->|
| | Token Response (access_token) |
| |<---------------------------------------------------|
| | |
| | (5) Credential Request (access_token, proof(s)) |
| |--------------------------------------------------->|
| | Credential Response |
| | (credential(s) OR transaction_id) |
| |<---------------------------------------------------|
Figure 1: Issuance using Authorization Code Flow
- The Wallet uses the Credential Issuer's metadata Section 10.2 to learn what credential types and formats the Credential Issuer supports and to determine the issuer URL of the OAuth 2.0 Authorization Server the Credential Issuer relies on. Note in this example, the Credential Issuer also provides the OAuth 2.0 Authorization Server. This specification enables deployments where the Credential Issuer API and the Authorization Server are different services, perhaps even provided by different entities.
- The Wallet sends an Authorization Request to the Authorization Endpoint. The Authorization Endpoint processes the Authorization Request, which typically includes user authentication and gathering of user consent.
- The Authorization Endpoint returns an Authorization Response with the Authorization Code upon successfully processing the Authorization Request.Note: steps (2) and (3) happen in the frontchannel, by redirecting the End-User via the User Agent. Those steps are defined in Section 5.
- The Wallet sends a Token Request to the Token Endpoint with the Authorization Code obtained in step (3). The Token Endpoint returns an Access Token in the Token Response upon successfully validating Authorization Code. This step happens in the backchannel using server to server communication. This step is defined in Section 6.
- The Wallet sends a Credential Request to the Credential Issuer's Credential Endpoint with the Access Token and (optionally) the proof of possession of the public key to which the the issued VC shall be bound to. Upon successfully validating Access Token and proof, the Credential Issuer returns a VC in the Credential Response if it is able to issue a Credential right away. This step is defined in Section 7.
Motivation
No response
Resources
https://openid.bitbucket.io/connect/openid-4-verifiable-credential-issuance-1_0.html#name-authorization-code-flow
To-do List
- [ ] Support OID4VCI Authorization Code Flow
