
Make Issuer metadata normative

Open paulbastian opened this issue 1 year ago • 5 comments

As I stated in the WG Call, I believe that credential_configuration_id is the better choice. In general, I have trouble understanding how OpenID4VCI works well without metadata, as the Wallet needs to know:

  • the credential endpoint
  • supported proof types
  • supported credentials and formats
  • display data for the issuer and the credential

Therefore I believe that in a productive environment it will be very common that the Issuer has the ability to host metadata.

Originally posted by @paulbastian in https://github.com/openid/OpenID4VCI/pull/219#pullrequestreview-1833193401

As stated in openid/OpenID4VCI#219 I believe that Credential Issuer metadata should be mandatory, it just doesn't make sense to me with the current specification otherwise.

paulbastian avatar Jan 25 '24 16:01 paulbastian

As mentioned in https://github.com/openid/OpenID4VCI/pull/219#issuecomment-1902864880 I think there are two separate but related questions:

  1. Are credential issuers required to have metadata?
  2. Does credential issuer metadata need to list all the credentials the issuer supports?

People were reluctant to agree to '2', and there's precedent for this in OAuth, e.g. in https://datatracker.ietf.org/doc/html/rfc8414#section-2 the AS isn't required to list every supported scope in scopes_supported.

jogu avatar Jan 30 '24 11:01 jogu

OAuth being a framework, I am hesitant to require all issuers to have metadata. I think the discussion in issue openid/OpenID4VCI#82 made it clear that some implementers want to have out-of-band discovery of the issuer metadata, and I don't see any reason why we should prohibit that.

Sakurann avatar Jan 30 '24 20:01 Sakurann

Can this be closed in favor of openid/OpenID4VCI#392, too? Do we want a small PR clarifying that issuers do not have to list all credentials in the issuer metadata (which kind of implies the wallet has ways to obtain those credential configurations using means other than issuer metadata)?

Sakurann avatar Nov 18 '24 16:11 Sakurann

Closing in a week unless there are objections. Another option can be to move this issue to HAIP. @paulbastian let us know the preference.

Sakurann avatar Mar 17 '25 22:03 Sakurann

It seems reasonable to me to have this requirement in HAIP.

paulbastian avatar Mar 18 '25 16:03 paulbastian

Discussed the above two questions on today's WG call:

  1. Are credential issuers required to have metadata?

Consensus that this must be required.

  2. Does credential issuer metadata need to list all the credentials the issuer supports?

How the wallet gets the information about credentials could be from the .well-known, or from some (out of scope of the specification) out-of-band mechanism.

jogu avatar Jul 03 '25 16:07 jogu