OpenID4VCI icon indicating copy to clipboard operation
OpenID4VCI copied to clipboard

Published 20 hours ago verified publisher icon openid

OIDC4VCI should allow authorization pending for authz code grant type

Open OIDF-automation opened this issue 2 years ago • 3 comments

Imported from AB/Connect bitbucket: https://bitbucket.org/openid/connect/issues/1924

Original Reporter: oliver-terbu

In the current spec, there is no standardized way for a wallet to initiate an OIDC4VCI flow with the credential issuer to support deferred authorization. This is because:

  • There is no standardized endpoint for the wallet to retrieve a credential offer from the credential issuer if pre-authz code flow should be used for deferred authorization. The issuer will need to know where to send the credential offer after the pre-authz code got issued.
  • Authz code cannot be used with deferred authorization.

For reference, there are two ways to support deferred issuance: 1) deferred authorization via authorization pending error response from token endpoint which applies to pre-authz code flow only, 2) deferred credential endpoint where the credential endpoint would return an acceptance token (or as proposed in a pending PR a transaction id).

Wallets and issuers that support pre-authz code flow and authorization code flow with deferred issuance would need to implement two different ways of handling that (see 1) and 2) above). For that reason, we should add deferred authorization also to the authorization code grant type to unify that behaviour. Currently, deferred authorization is only possible with pre-authz code flow.

OIDF-automation avatar May 04 '23 20:05 OIDF-automation

Imported from AB/Connect bitbucket - Original Commenter: mbj

Having multiple ways to do something is generally a red flag and can result in interop problems. How can we get down to one way to support deferred issuance?

OIDF-automation avatar Aug 15 '23 20:08 OIDF-automation

Imported from AB/Connect bitbucket - Original Commenter: danielfett

I see that the transaction_id is not included in the possible responses of the pre-auth code flow, but I couldn’t find normative language preventing deferred issuance (this seems to be a separate issue).

What is the purpose of the authorization_pending/slow_down responses if we have deferred issuance?

OIDF-automation avatar Aug 16 '23 09:08 OIDF-automation

authorization_pending might be removed based on the outcome of #60. blocked by that issue

Sakurann avatar Sep 07 '23 05:09 Sakurann

authorization_pending was removed

Sakurann avatar Oct 28 '24 19:10 Sakurann