clarify wallet invocation when credential offer is sent #246
Conversation
Sakurann
requested review from
awoie,
bc-pi,
c2bo,
danielfett,
decentralgabe,
jogu,
paulbastian,
peppelinux,
tlodderstedt and
tplooker
jogu
left a comment
jogu
left a comment
There was a problem hiding this comment.
I think if we're going to make changes to this section then it needs a bigger rework.
The credential offer endpoint is a specific thing - we are defining the properties of the credential_offer_endpoint entry in the client meta data. In my opinion, the metadata for a client probably shouldn't ever be openid-credential-offer:// as this value is only expected to be used when there isn't client meta data available for the wallet.
Section 4 should probably be renamed from 'Credential Offer Endpoint' to just 'Credential Offer', and a new 4.1 added called something like 'Credential Offer Endpoint' that explicitly defines credential_offer_endpoint metadata. Or the text that has been added to section 4 should instead be in section 11.1 where the credential_offer_endpoint is defined (and the IANA section should be updated to reference 11.1 instead of 4 as it does currently).
Finally, the 'no specific value' case should be better defined if we want interoperability. I think it is implying that the endpoint URL is treated as the empty string and hence the qr code would contain start with '?' but this isn't actually stated, i.e.
?credential_offer=%7B%22credential_issuer%22:%22https://credential-issuer.example.com%22,%22credentials%22:%5B%22org.iso.18013.5.1.mDL%22%5D,%22grants%22:%7B%22urn:ietf:params:oauth:grant-type:pre-authorized_code%22:%7B%22pre-authorized_code%22:%22oaKazRN8I0IbtZ0C7JuMn5%22,%22tx_code%22:%7B%22input_mode%22:%22text%22,%22description%22:%22Please%20enter%20the%20serial%20number%20of%20your%20physical%20drivers%20license%22%7D%7D%7D%7D
|
@jogu I am simply trying to resolve issue #201, because the issue rightly pointed out that HTTP GET and redirect is not what most implementers use - QR code is much more used, so it felt that the spec better reflect the reality. you are making valid points, if you could open the issues, we can address them accordingly, but I am not convinced this PR cannot go in without larger changes you suggest. |
sure, this can be clarified, but why use |
The minimum would be to move the newly added text that is defining properties of credential_offer_endpoint to section 11.1 and to reference that section from section 4 but really all the points I make apart from the existing issue with the IANA considerations pointing to the wrong place are issues newly created by adding in the non specific url qr codes option. |
That was my attempt to interpet what the currently proposed text means. I think the reason to use a '?' would be because we're still expecting everything in the offer parameters to be URL encoded as if it was present in the URL query, and included a leading '?' means that it is a valid relative URL. It could work either way, and it would probably be good to know what implementers using this option actually do - but if we're adding it to the spec I believe we should be very clear about how it works otherwise implementations won't be interoperable. |
| ## Credential Offer {#credential-offer} | ||
|
|
||
| The Credential Issuer sends Credential Offer using an HTTP GET request or an HTTP redirect to the Wallet's Credential Offer Endpoint defined in (#client-metadata). | ||
| The Credential Issuer sends the Credential Offer using one of the following mechanisms: |
There was a problem hiding this comment.
The reference to (#client-metadata) (where credential_offer_endpoint is defined) has been removed here but needs to be kept somewhere in this section.
| - A case sensitive URL using the `https` scheme that contains scheme, host and, optionally, port number and path components, but no query or fragment components. | ||
| - Custom URL scheme. For example, `openid-credential-offer://` as defined in (#client-metadata-retrieval). | ||
| - Domain-bound Universal Links/App link. | ||
| - No specific value. The issuer displays a QR code containing the Credential Offer, which the user can scan with a manually opened Wallet, or an arbitrary camera application on the user-device. |
There was a problem hiding this comment.
If there's no specific value, it only works in a wallet (or at least some app that is aware of the VCI spec), it wouldn't work in an arbitrary camera app.
There was a problem hiding this comment.
I know that our Android wallet app has a "Scan QR code" option inside it, so this definitely works. I "think" that our IoS phone allowed the camera to scan the QR code and then it automatically launched the wallet app, but I am no longer able to test this.
There was a problem hiding this comment.
@David-Chadwick Interesting. Can you give an example of QR code contents that didn't use a https url nor a custom url scheme and resulted in the system camera app launching the wallet?
There was a problem hiding this comment.
I think my conclusion (after asking on the WG calls) was that this 'No specific value' option isn't used by anyone so I think we should omit it (both here and in VP).
I think the only thing people might be doing is potentially ignoring the custom scheme when scanning a QR code in a wallet. Seems reasonable to mention that wallets might choose to do that.
|
|
||
| - A case sensitive URL using the `https` scheme that contains scheme, host and, optionally, port number and path components, but no query or fragment components. | ||
| - Custom URL scheme. For example, `openid-credential-offer://` as defined in (#client-metadata-retrieval). | ||
| - Domain-bound Universal Links/App link. |
There was a problem hiding this comment.
I think this is still a https url as per the first bullet, I would incorporate this into the first bullet but add "This may be a Claimed "https" Scheme URI as described in https://datatracker.ietf.org/doc/html/rfc8252#section-7.2" (and that RFC explains about Universal Links, App links, etc).
|
|
||
| Credential Offer Endpoint can take one of the following values: | ||
|
|
||
| - A case sensitive URL using the `https` scheme that contains scheme, host and, optionally, port number and path components, but no query or fragment components. |
There was a problem hiding this comment.
I don't think 'case sensitive' is needed or helps here (the case sensitivity & insensitivity of the various different parts of a URL are already well defined). (Disallowing a URL query is also technically a normative change unrelated to the issue we're trying to solve - the current spec doesn't really say that anywhere.)
| The Credential Issuer sends Credential Offer using an HTTP GET request or an HTTP redirect to the Wallet's Credential Offer Endpoint defined in (#client-metadata). | ||
| The Credential Issuer sends the Credential Offer using one of the following mechanisms: | ||
|
|
||
| - Render a link that the End-User can click resulting in an HTTP GET request to the Credential Offer Endpoint. |
There was a problem hiding this comment.
I don't think there is any reason to restrict this to a link. (A button would be fine.)
I think something like "Sends the user agent to the Credential Offer Endpoint" (i.e. similar language to how OAuth 2 talks about the redirect url) is sufficient, which covers all possible cases include a HTTP redirect. (It'd be fine to include "For example, a link ... or a HTTP redirect...".)
There was a problem hiding this comment.
I agree that this has to changed. But opening a native app is technically not sending the user agent to the credential offer endpoint. It is also not following a redirect nor a HTTP GET request.
What about:
| - Render a link that the End-User can click resulting in an HTTP GET request to the Credential Offer Endpoint. | |
| - Render a link that the End-User can click resulting in following the link to the Credential Offer Endpoint. |
| This endpoint is used by a Credential Issuer that is already interacting with an End-User who wishes to initiate a Credential issuance. It is used to pass available information relevant for the Credential issuance to ensure a convenient and secure process. | ||
| Credential Offer Endpoint is used by a Credential Issuer that is already interacting with an End-User who wishes to initiate a Credential issuance. It is used to pass available information relevant for the Credential issuance to ensure a convenient and secure process as defined in (#credential-offer). | ||
|
|
||
| Credential Offer Endpoint can take one of the following values: |
There was a problem hiding this comment.
In this context the Credential Offer Endpoint is not a parameter thus it can't have a value. This is ideal as a description of a metadata parameter.
What we need in this section is an explanation that the Wallet has such endpoint and that it is used to pass the Credential Offer to the wallet. This section doesn't say that now.
| # Credential Offer Endpoint {#credential-offer-endpoint} | ||
|
|
||
| This endpoint is used by a Credential Issuer that is already interacting with an End-User who wishes to initiate a Credential issuance. It is used to pass available information relevant for the Credential issuance to ensure a convenient and secure process. | ||
| Credential Offer Endpoint is used by a Credential Issuer that is already interacting with an End-User who wishes to initiate a Credential issuance. It is used to pass available information relevant for the Credential issuance to ensure a convenient and secure process as defined in (#credential-offer). |
There was a problem hiding this comment.
| Credential Offer Endpoint is used by a Credential Issuer that is already interacting with an End-User who wishes to initiate a Credential issuance. It is used to pass available information relevant for the Credential issuance to ensure a convenient and secure process as defined in (#credential-offer). | |
| Wallet exposes the Credential Offer Endpoint, enabling the Credential Issuer to pass the Credential Offer to the Wallet, thereby initiating the Credential Issuance process. In this way, the Credential Issuer, which an End-User interacts with, uses Credential Offer to pass to the Wallet information necessary for convenient and secure Credential Issuance process defined in (#credential-offer) . |
I would apply this change and in the line below indicated that there are several strategies Credential Offer Endpoint strategies like link, custom scheme, qr code and so on.
|
i need to update this PR - will do next week, sorry. |
|
I believe this has been superseded by #380 - closing on that basis to keep the PR list to items we're actively working on, please feel free to reopen if I'm mistaken. |
resolves issue #201.