# Credential Provider Sketch
## Option 1: Client requests VC (w/o providing further data)
Differences from the Credential Provider Draft (https://mattrglobal.github.io/oidc-client-bound-assertions-spec/):
* the credential type is requested using the `claims` parameter
* proof of possession of the holder's key material is carried in an additional `proof` parameter
* the credential can also be returned from the token endpoint
### Authentication Request
```
GET /authorize?
response_type=code
&client_id=s6BhdRkqt3
&redirect_uri=https%3A%2F%2Fwallet.example.org%2Fcb
&scope=openid
&claims=%7B%22vc_token%...%2dp_vc%22%7D%7D%5D%7D%7D
&nonce=n-0S6_WzA2Mj HTTP/1.1
Host: server.example.com
```
#### `claims` parameter
```json
{
"id_token": {
"email":null
},
"vc_token": {
"input_descriptors": [
{
"format": { "ldp_vc": {} },
"constraints": {
"types": [
{
"path": ["$.type[*]"],
"filter": {
"type": "string",
"pattern": "https://www.w3.org/2018/credentials/examples/v1/UniversityDegreeCredential"
}
}
],
"fields": [
{...},
{...}
]
}
}
]
}
}
```
The simplest version would be:
```json=
{
"vc_token": {
"type": [{"uri": "..."}]
}
}
```
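The `claims` parameter above is JSON that the client percent-encodes into the authorization request and the OP has to decode and evaluate. As an added example (not code from this note or from the MATTR draft it references), the following Go program builds the parameter for one credential type, encodes it into the query, and performs the OP-side check that a candidate credential's `type` array satisfies the requested filter. The struct names, the `BuildClaims`/`AuthorizeQuery`/`MatchesRequest` functions and the restriction to the `$.type[*]` path are assumptions of this example; the note defines no such API.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"regexp"
)

// Constructed example, not code from the note or the MATTR draft: the client
// builds the `claims` parameter requesting one credential type, and the OP
// parses it back out of the query and checks whether a credential it can
// issue satisfies the request. Only the note's "$.type[*]" path is supported
// (assumption of this example).

// claimsRequest mirrors the shape of the note's `claims` parameter.
type claimsRequest struct {
	IDToken map[string]any `json:"id_token"`
	VCToken struct {
		InputDescriptors []inputDescriptor `json:"input_descriptors"`
	} `json:"vc_token"`
}

type inputDescriptor struct {
	Format      map[string]map[string]any `json:"format"`
	Constraints struct {
		Types []typeConstraint `json:"types"`
	} `json:"constraints"`
}

type typeConstraint struct {
	Path   []string `json:"path"`
	Filter struct {
		Type    string `json:"type"`
		Pattern string `json:"pattern"`
	} `json:"filter"`
}

// BuildClaims produces the `claims` JSON for an ldp_vc credential whose
// `type` array must contain a value matching typePattern.
func BuildClaims(typePattern string) ([]byte, error) {
	var c claimsRequest
	c.IDToken = map[string]any{"email": nil}
	var d inputDescriptor
	d.Format = map[string]map[string]any{"ldp_vc": {}}
	var t typeConstraint
	t.Path = []string{"$.type[*]"}
	t.Filter.Type = "string"
	t.Filter.Pattern = typePattern
	d.Constraints.Types = []typeConstraint{t}
	c.VCToken.InputDescriptors = []inputDescriptor{d}
	return json.Marshal(c)
}

// AuthorizeQuery encodes the authorization request query string; net/url
// takes care of percent-encoding the JSON carried in `claims`.
func AuthorizeQuery(clientID, redirectURI, nonce string, claims []byte) string {
	q := url.Values{}
	q.Set("response_type", "code")
	q.Set("client_id", clientID)
	q.Set("redirect_uri", redirectURI)
	q.Set("scope", "openid")
	q.Set("claims", string(claims))
	q.Set("nonce", nonce)
	return q.Encode()
}

// MatchesRequest is the OP-side check: decode `claims` from the query and
// report whether credTypes (a credential's `type` array) satisfies every
// type constraint of the first input descriptor.
func MatchesRequest(rawQuery string, credTypes []string) (bool, error) {
	q, err := url.ParseQuery(rawQuery)
	if err != nil {
		return false, err
	}
	var c claimsRequest
	if err := json.Unmarshal([]byte(q.Get("claims")), &c); err != nil {
		return false, fmt.Errorf("claims: %w", err)
	}
	if len(c.VCToken.InputDescriptors) == 0 {
		return false, fmt.Errorf("claims: no vc_token input_descriptors")
	}
	for _, tc := range c.VCToken.InputDescriptors[0].Constraints.Types {
		if len(tc.Path) != 1 || tc.Path[0] != "$.type[*]" {
			return false, fmt.Errorf("unsupported path %v", tc.Path)
		}
		// JSON Schema `pattern` is an unanchored regex; this example anchors it
		// so a longer, unrelated type value cannot satisfy the filter.
		re, err := regexp.Compile("^(?:" + tc.Filter.Pattern + ")$")
		if err != nil {
			return false, err
		}
		matched := false
		for _, t := range credTypes {
			if re.MatchString(t) {
				matched = true
			}
		}
		if !matched {
			return false, nil
		}
	}
	return true, nil
}
```

The pattern is matched against each entry of the credential's `type` array as written. The token response further down carries the compact form `UniversityDegreeCredential`, which the full-IRI pattern in the `claims` example would not match, so the filter and the `type` values of the credential the OP issues have to agree on one representation.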
### Token Request
```
POST /token HTTP/1.1
Host: server.example.com
Content-Type: application/x-www-form-urlencoded
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
grant_type=authorization_code
&code=SplxlOBeZQQYbYS6WxSbIA
&redirect_uri=https%3A%2F%2Fwallet.example.org%2Fcb
&proof=%7B%22type%22:%22...-ace0-9c5210e16c32%22%7D
```
#### `proof` parameter
```json
{
"type": "Ed25519Signature2018",
"created": "2020-04-10T21:35:35Z",
"verificationMethod": "did:example:ebfeb1f712ebc6f1c276e12ec21/keys/1",
"proofPurpose": "assertionMethod",
"jws": "eyJhbGciOiJFZERTQSIsImI2NCI6ZmFsc2UsImNyaXQiOlsiYjY0Il19..l9d0YHjcFAH2H4dB9xlWFZQLUpixVCWJk0eOt4CXQe1NXKWZwmhmn9OQp6YxX0a2LffegtYESTCJEoGVXLqWAA",
"nonce": "fbe22300-57a6-4f08-ace0-9c5210e16c32"
}
```
### Token Response
```
HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-store
Pragma: no-cache
{
"access_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6Ikp..sHQ",
"token_type": "bearer",
"expires_in": 86400,
"id_token": "eyJodHRwOi8vbWF0dHIvdGVuYW50L..3Mz",
"vc_token" : {
"format":"ldp_vc",
"credential": {...}
}
}
```
#### `vc_token` parameter
```json
{
"format": "ldp_vc",
"credential": {
"@context": [
"https://www.w3.org/2018/credentials/v1",
"https://www.w3.org/2018/credentials/examples/v1"
],
"id": "http://example.gov/credentials/3732",
"type": [
"VerifiableCredential",
"UniversityDegreeCredential"
],
"issuer": "did:key:z6MkjRagNiMu91DduvCvgEsqLZDVzrJzFrwahc4tXLt9DoHd",
"issuanceDate": "2020-03-10T04:24:12.164Z",
"credentialSubject": {
"id": "did:example:ebfeb1f712ebc6f1c276e12ec21",
"givenName": "John",
"familyName": "Doe",
"degree": {
"type": "BachelorDegree",
"name": "Bachelor of Science and Arts"
}
},
"proof": {
"type": "Ed25519Signature2018",
"created": "2020-04-10T21:35:35Z",
"verificationMethod": "did:key:z6MkjRagNiMu91DduvCvgEsqLZDVzrJzFrwahc4tXLt9DoHd#z6MkjRagNiMu91DduvCvgEsqLZDVzrJzFrwahc4tXLt9DoHd",
"proofPurpose": "assertionMethod",
"jws": "eyJhbGciOiJFZERTQSIsImI2NCI6ZmFsc2UsImNyaXQiOlsiYjY0Il19..l9d0YHjcFAH2H4dB9xlWFZQLUpixVCWJk0eOt4CXQe1NXKWZwmhmn9OQp6YxX0a2LffegtYESTCJEoGVXLqWAA"
}
}
}
```
### Credential Request
```
POST /credential HTTP/1.1
Host: server.example.com
Content-Type: application/json
Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6Ikp..sHQ
{
"credential_format": "ldp_vc",
"proof": {
"type": "Ed25519Signature2018",
"created": "2020-04-10T21:35:35Z",
"verificationMethod": "did:example:ebfeb1f712ebc6f1c276e12ec21/keys/1",
"proofPurpose": "assertionMethod",
"jws": "eyJhbGciOiJFZERTQSIsImI2NCI6ZmFsc2UsImNyaXQiOlsiYjY0Il19..l9d0YHjcFAH2H4dB9xlWFZQLUpixVCWJk0eOt4CXQe1NXKWZwmhmn9OQp6YxX0a2LffegtYESTCJEoGVXLqWAA",
"nonce": "fbe22300-57a6-4f08-ace0-9c5210e16c32"
}
}
```
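The `proof` parameter in the Token Request and in the Credential Request above is the holder's proof of possession over the nonce the OP handed out. As an added example (not code from this note or from the MATTR draft), this Go program shows both sides: the wallet produces the detached `Ed25519Signature2018` JWS over the nonce, and the OP verifies the signature with the key named by `verificationMethod`, checks that the nonce is one it issued recently, and consumes it so the same proof cannot be replayed for a second credential. The `Verifier` type, the local key map standing in for DID resolution and the five-minute nonce lifetime are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"strings"
	"time"
)

// Constructed example, not code from the note or the MATTR draft. The wallet
// signs the OP-issued nonce with its holder key as a detached JWS (RFC 7797
// unencoded payload; jwsHeader is the decoded header segment of the note's
// `jws` values) and the OP verifies signature, nonce freshness and single use
// before binding the credential to that key. Holder keys come from a local
// map instead of DID resolution, and the verifier is single-threaded.
const jwsHeader = `{"alg":"EdDSA","b64":false,"crit":["b64"]}`
const maxNonceAge = 5 * time.Minute // assumption

var encodedHeader = base64.RawURLEncoding.EncodeToString([]byte(jwsHeader))

// Proof mirrors the note's `proof` parameter.
type Proof struct {
	Type               string `json:"type"`
	Created            string `json:"created"`
	VerificationMethod string `json:"verificationMethod"`
	ProofPurpose       string `json:"proofPurpose"`
	JWS                string `json:"jws"`
	Nonce              string `json:"nonce"`
}

// GenerateHolderKey creates the wallet's Ed25519 key pair.
func GenerateHolderKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// SignProof (wallet side): with b64=false the signing input is
// base64url(header) || "." || raw payload and the payload segment stays empty.
func SignProof(priv ed25519.PrivateKey, verificationMethod, nonce string, now time.Time) Proof {
	sig := ed25519.Sign(priv, []byte(encodedHeader+"."+nonce))
	return Proof{
		Type:               "Ed25519Signature2018",
		Created:            now.UTC().Format(time.RFC3339),
		VerificationMethod: verificationMethod,
		ProofPurpose:       "assertionMethod",
		JWS:                encodedHeader + ".." + base64.RawURLEncoding.EncodeToString(sig),
		Nonce:              nonce,
	}
}

// Verifier is the OP-side state: nonces it handed out and known holder keys.
type Verifier struct {
	nonces map[string]time.Time         // nonce -> time issued
	keys   map[string]ed25519.PublicKey // verificationMethod -> key
}

func NewVerifier(keys map[string]ed25519.PublicKey) *Verifier {
	return &Verifier{nonces: map[string]time.Time{}, keys: keys}
}

// IssueNonce hands out a fresh random nonce and records when it was issued.
func (v *Verifier) IssueNonce(now time.Time) string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	n := base64.RawURLEncoding.EncodeToString(b)
	v.nonces[n] = now
	return n
}

// Verify checks type, header, signature and nonce, then consumes the nonce.
func (v *Verifier) Verify(p Proof, now time.Time) error {
	pub, ok := v.keys[p.VerificationMethod]
	if !ok {
		return errors.New("unknown verificationMethod")
	}
	// Ed25519Signature2018 fixes the protected header, so it is compared
	// byte-for-byte instead of parsed: no algorithm confusion is possible.
	parts := strings.Split(p.JWS, ".")
	if p.Type != "Ed25519Signature2018" || len(parts) != 3 || parts[0] != encodedHeader || parts[1] != "" {
		return errors.New("unexpected proof type or JWS form")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return err
	}
	if !ed25519.Verify(pub, []byte(parts[0]+"."+p.Nonce), sig) {
		return errors.New("signature does not cover this nonce")
	}
	issued, ok := v.nonces[p.Nonce]
	delete(v.nonces, p.Nonce) // single use
	if !ok {
		return errors.New("unknown or already used nonce")
	}
	if now.Sub(issued) > maxNonceAge {
		return errors.New("nonce expired")
	}
	return nil
}
```

The signature alone only proves that someone holding the key signed some nonce; it is the OP-side bookkeeping (the nonce was issued by this OP, recently, and has not been used before) that turns it into a proof of possession for this issuance. Since the nonce is deleted on first use, a captured `proof` parameter cannot be replayed against the token endpoint or the additional `/credential` endpoint.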
Two sequence diagrams:
Token Endpoint
![](https://i.imgur.com/A0zQYqv.png)
Additional Endpoint
![](https://i.imgur.com/i3tU2OU.png)
### Credential Response
```
HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-store
Pragma: no-cache
{
"vc_token": {
"format": "ldp_vc",
"credential": {...}
}
}
```
## Option 2: Utilize Credential Manifest
### Additional OP Discovery metadata
`credential_manifest_uris`: an array of credential manifests. Each credential manifest maps a `manifest_id` to a credential type and describes the inputs required from the user, if any.
Below is an example of a credential manifest that maps `manifest_id` "WA-DL-CLASS-A" to the credential type "http://washington-state-schemas.org/1.0.0/driver-license.json":
```json
{
"id": "WA-DL-CLASS-A",
"version": "0.1.0",
"issuer": {
"id": "did:example:123?linked-domains=3",
"name": "Washington State Government",
"styles": {}
},
"output_descriptors": [
{
"type": "http://washington-state-schemas.org/1.0.0/driver-license.json",
"display": {
"title": {
"path": [
"$.name",
"$.vc.name"
],
"fallback": "Washington State Driver License"
},
"subtitle": {
"path": [
"$.class",
"$.vc.class"
],
"fallback": "Class A, Commercial"
},
"description": {
"text": "License to operate a vehicle with a gross combined weight rating (GCWR) of 26,001 or more pounds, as long as the GVWR of the vehicle(s) being towed is over 10,000 pounds."
},
"properties": [
{
"path": [
"$.donor",
"$.vc.donor"
],
"fallback": "Unknown",
"label": "Organ Donor"
}
]
},
"styles": {}
}
],
"presentation_definition": {"inputs required from the user to receive this credential"}
}
```
### Credential application
The credential application is the issuance-flow counterpart of the presentation_definition in OIDC4VP.
Its `manifest_id` maps to a certain credential type that the Issuer can issue.
The suggestion is to add the OP Discovery metadata `credential_manifest`, a file that maps the `manifest_id`s the Issuer issues to credential types, and the inputs required from the user, if any.
```json=
{
"vc_token": {
"credential_application": {
"id": "9b1deb4d-3b7d-4bad-9bdd-2b0d7b3dcb6d",
"manifest_id": "WA-DL-CLASS-A",
"format": {
"ldp_vc": {
"proof_type": [
"JsonWebSignature2020",
"EcdsaSecp256k1Signature2019"
]
}
}
}
}
}
```
The sequence diagram would look like:
![](https://i.imgur.com/pd4Vway.png)
```
HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-store
Pragma: no-cache
{
"access_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6Ikp..sHQ",
"token_type": "bearer",
"expires_in": 86400,
"id_token": "eyJodHRwOi8vbWF0dHIvdGVuYW50L..3Mz",
"vc_token" : {
"credential_fulfillment": {
"id": "a30e3b91-fb77-4d22-95fa-871689c322e2",
"manifest_id": "WA-DL-CLASS-A",
"descriptor_map": [
{
"id": "driving_license_1",
"format": "ldp_vc",
"path": "$.verifiableCredential[0]"
}
]
},
"verifiableCredential":{...}
}
}
```
Kristina: per example in the Token Response section, another option is to use `credential_fulfillment` instead of the `format`.
```
HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-store
Pragma: no-cache
{
"vc_token" : {
"credential_fulfillment": {
"id": "a30e3b91-fb77-4d22-95fa-871689c322e2",
"manifest_id": "WA-DL-CLASS-A",
"descriptor_map": [
{
"id": "driving_license_1",
"format": "ldp_vc",
"path": "$.verifiableCredential[0]"
}
]
},
"verifiableCredential":{...}
}
}
```
## Option 2 + Client is submitting information based on which it requests a certain VC
The Client has obtained the credential_manifest from the OP metadata.
### Authentication Request
```
GET /authorize?
response_type=code
&client_id=s6BhdRkqt3
&redirect_uri=https%3A%2F%2Fwallet.example.org%2Fcb
&scope=openid
&claims=%7B%22vc_token%...%2dp_vc%22%7D%7D%5D%7D%7D
&nonce=n-0S6_WzA2Mj HTTP/1.1
Host: server.example.com
```
#### `claims` parameter
The Client submits three VCs in the presentation_submission as the input for the OP to issue a VC under this manifest_id.
```json=
{
"vc_token": {
"credential_application": {
"id": "9b1deb4d-3b7d-4bad-9bdd-2b0d7b3dcb6d",
"manifest_id": "WA-DL-CLASS-A",
"format": {
"ldp_vc": {
"proof_type": [
"JsonWebSignature2020",
"EcdsaSecp256k1Signature2019"
]
}
}
},
"presentation_submission": {
"id": "a30e3b91-fb77-4d22-95fa-871689c322e2",
"definition_id": "32f54163-7166-48f1-93d8-ff217bdb0653",
"descriptor_map": [
{
"id": "input_1",
"format": "jwt_vc",
"path": "$.verifiableCredential[0]"
},
{
"id": "input_2",
"format": "ldp_vc",
"path": "$.verifiableCredential[1]"
},
{
"id": "input_3",
"format": "ldp_vc",
"path": "$.verifiableCredential[2]"
}
]
}
}
}
}
```
The Token Request and the `proof` parameter are the same as above.
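For both the plain credential_application of Option 2 and the variant above where the Client also submits a presentation_submission, the OP has to validate what arrives in `vc_token` before issuing anything. As an added example (not code from this note or from the Credential Manifest specification), this Go program resolves `manifest_id` against the manifests the OP publishes, rejects format/proof_type combinations the issuer cannot produce, checks that every `descriptor_map` path points at a VC that was actually submitted, and returns the credential types to issue. The `supportedProofTypes` table, the `ProcessApplication` function, the trimmed `sampleManifestJSON`, and the assumption that the submitted VCs travel in a `verifiableCredential` array beside `presentation_submission` are all constructed for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strconv"
)

// Constructed example, not code from the note or the Credential Manifest spec:
// the OP resolves the credential_application's manifest_id against the manifests
// it publishes, rejects formats/proof types it cannot produce (supportedProofTypes
// is an assumption) and checks that every presentation_submission descriptor points
// at a VC that was actually submitted (assumed to sit in a verifiableCredential array).

// Trimmed copy of the note's WA-DL-CLASS-A manifest, used as constructed input.
const sampleManifestJSON = `[{"id":"WA-DL-CLASS-A","output_descriptors":[
  {"type":"http://washington-state-schemas.org/1.0.0/driver-license.json"}]}]`

type Manifest struct {
	ID                string `json:"id"`
	OutputDescriptors []struct {
		Type string `json:"type"`
	} `json:"output_descriptors"`
}

type Descriptor struct {
	ID   string `json:"id"`
	Path string `json:"path"`
}

// vcToken mirrors the note's vc_token claim for Option 2.
type vcToken struct {
	CredentialApplication struct {
		ManifestID string `json:"manifest_id"`
		Format     map[string]struct {
			ProofType []string `json:"proof_type"`
		} `json:"format"`
	} `json:"credential_application"`
	PresentationSubmission *struct {
		DescriptorMap []Descriptor `json:"descriptor_map"`
	} `json:"presentation_submission"`
	VerifiableCredential []json.RawMessage `json:"verifiableCredential"` // assumption
}

var supportedProofTypes = map[string][]string{"ldp_vc": {"JsonWebSignature2020"}} // assumption
var vcPath = regexp.MustCompile(`^\$\.verifiableCredential\[(\d+)\]$`)

// ProcessApplication validates the `claims` JSON; on success it returns the
// credential types to issue and the format they will be issued in.
func ProcessApplication(manifests []Manifest, claims []byte) ([]string, string, error) {
	var req struct {
		VCToken vcToken `json:"vc_token"`
	}
	if err := json.Unmarshal(claims, &req); err != nil {
		return nil, "", err
	}
	app := req.VCToken.CredentialApplication
	var manifest *Manifest
	for i := range manifests {
		if manifests[i].ID == app.ManifestID {
			manifest = &manifests[i]
		}
	}
	if manifest == nil {
		return nil, "", fmt.Errorf("unknown manifest_id %q", app.ManifestID)
	}
	// Accept any requested format whose proof_type list intersects what we support.
	chosenFormat := ""
	for format, f := range app.Format {
		for _, pt := range f.ProofType {
			for _, s := range supportedProofTypes[format] {
				if pt == s {
					chosenFormat = format
				}
			}
		}
	}
	if chosenFormat == "" {
		return nil, "", fmt.Errorf("no requested format/proof_type is supported")
	}
	// Every descriptor must point inside the submitted VC array.
	if ps := req.VCToken.PresentationSubmission; ps != nil {
		for _, d := range ps.DescriptorMap {
			m := vcPath.FindStringSubmatch(d.Path)
			if m == nil {
				return nil, "", fmt.Errorf("descriptor %s: unsupported path %q", d.ID, d.Path)
			}
			if idx, _ := strconv.Atoi(m[1]); idx >= len(req.VCToken.VerifiableCredential) {
				return nil, "", fmt.Errorf("descriptor %s: no submitted VC at index %d", d.ID, idx)
			}
		}
	}
	var types []string
	for _, od := range manifest.OutputDescriptors {
		types = append(types, od.Type)
	}
	return types, chosenFormat, nil
}
```

The path check matters because `descriptor_map` entries are client-supplied JSONPath: an OP that evaluates them against its own document model without bounding them would let the client steer which object is treated as each input. Verifying the submitted VCs themselves (their proofs, issuers and the constraints of the manifest's presentation_definition) is a separate step that follows once the submission is known to be well-formed.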